{FFI::UDis86} provides Ruby FFI bindings for the udis86 library, a x86 and x86-64 disassembler.
- Supports x86 and x86-64 instructions.
- Supports 16 and 32 disassembly modes.
- Supports Intel and ATT syntax output.
- Supports disassembling files and arbitrary input.
- Supports using input buffers.
- Supports using input callbacks.
- Supports fully disassembling instructions and operands.
Create a new disassembler:
include FFI::UDis86
ud = UD.create(:syntax => :att, :mode => 64)Set the input buffer:
ud.input_buffer = "\x90\x90\xc3"Add an input callback:
ud.input_callback { |ud| ops.shift || -1 }Read from a file:
UD.open(path) do |ud|
...
endDisassemble and print instructions:
ud.disas do |insn|
puts insn
endDisassemble and print information about the instruction and operands:
asm = "\x75\x62\x48\x83\xc4\x20\x5b\xc3\x48\x8d\x0d\x23\x0c\x01\x00\x49\x89\xf0"
ud = FFI::UDis86::UD.create(
:buffer => asm,
:mode => 64,
:vendor => :amd,
:syntax => :att
)
ud.disas do |insn|
puts insn
puts " * Offset: #{insn.insn_offset}"
puts " * Length: #{insn.insn_length}"
puts " * Mnemonic: #{insn.mnemonic}"
operands = insn.operands.reverse.map do |operand|
if operand.is_mem?
ptr = [operand.base]
ptr << operand.index if operand.index
ptr << operand.scale if operand.scale
"Memory Access (#{ptr.join(',')})"
elsif operand.is_imm?
'Immediate Data'
elsif operand.is_jmp_imm?
'Relative Offset'
elsif operand.is_const?
'Constant'
elsif operand.is_reg?
"Register (#{operand.reg})"
end
end
puts ' * Operands: ' + operands.join(' -> ')
end$ sudo gem install ffi-udis86udis86.cr is a Crystal port of this library.
See {file:LICENSE.txt} for license information.