Here is a small tool I wrote years ago and have been using ever since; it feels really handy, so I recommend it to everyone.

Questions are welcome.


1. While tracing a stretch of code in some protector shell in OD (OllyDbg), it looks familiar, as if you have seen it before, probably some API. ---- That is when you need [fosomAPI速查] to find that API quickly.

2. While hooking manually in OD, after the long jmp you write a small Call in assembly that needs an API, but the IAT has been destroyed. --- That is when you need [fosomAPI速查]: look up the API, copy its machine code straight into OD, and you are done.

3. For any DLL, you need to inspect the EAT and look at the disassembly of one of its exported functions. --- That is when you need [fosomAPI速查].

4. Given a few bytes of machine code, view the corresponding assembly.

5. Given the start address of a Call, quickly look up the API name, or the other way round.

API速查.rar.


Code First character after #:
      A: Direct Address.
      C: Reg field in ModRM specifies Control register.
      D: Reg field in ModRM specifies Debug register.
      E: General purpose register or memory address specified in the ModRM byte.
      F: EFlags register
      G: Reg field in ModRM specifies a general register
      H: Signed immediate data
      I: Immediate data
      J: Relative jump Offset
      M: memory address specified in the ModRM byte.
      O: Relative Offset Word or DWord
      P: Reg field in ModRM specifies a MMX register
      Q: MMX register or memory address specified in the ModRM byte.
      R: general purpose register specified in the ModRM byte.
      S: Reg field in ModRM specifies a Segment register
      T: Reg field in ModRM specifies a MMX register
      P: Seg prefix override.

  Second character after #
      a: two Word or two DWord, only used by BOUND
      b: Byte.
      c: Byte or word
      d: DWord
      p: 32 or 16 bit pointer
      q: QWord
      s: 6Byte
      v: Word or DWord
      w: Word
      t: Tera byte

  Third character after #
      j: jump Operand (Relative or absolute)

  First character after @
      e: used by register (@eax, @esp ..) return e with the character following when
         operand size = 4, otherwise only the following character.
      g: Group, return the group instruction specified by OperandType
         and the reg field of the ModRM byte.
      h: Operand for group, return operands for the group instruction specified
         by OperandType and the reg field of the ModRM byte.
      m: Must have size, Size indicator always set.
      o: Operand size, returns the name (bwdq) of the number following, divided
         by two when operand size <> 4.
      p: Seg prefix override. Sets the prefix to the following character + 's'
      s: Size override (address or operand).
         followed by o: operand size override
                     a: address size override

  First character after %
      c: Use the opcode instead in addition to the assembler instruction
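As an added example (not the tool's own code), the Python below takes operand descriptors spelled with the letter codes above, such as "#Ev,#Gv", together with one ModRM byte and renders readable operands, which is the step a machine-code-to-assembly lookup like the one described in point 4 has to perform. The "#<method><size>" descriptor spelling, 32-bit register names, and the placeholders emitted for SIB and displacement bytes are assumptions made here.

```python
# Added example, not the tool's code: decode operand descriptors built from the
# legend above ("#<method><size>") against one ModRM byte.
# Assumptions: 32-bit addressing; the SIB/displacement bytes that would follow
# the ModRM byte are not decoded, a placeholder ("sib", "disp8", "disp32") is
# emitted in their place.
REGS = {
    1: ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"],
    2: ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"],
    4: ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"],
}
PTR = {1: "byte ptr", 2: "word ptr", 4: "dword ptr", 8: "qword ptr"}

def operand_size(size_char, opsize=4):
    """Second-character size letter to bytes; 'v' follows the operand size (2 or 4)."""
    if size_char == "v":
        return opsize
    return {"b": 1, "w": 2, "d": 4, "q": 8}[size_char]

def split_modrm(modrm):
    """Split a ModRM byte into mod (bits 7-6), reg (5-3) and rm (2-0)."""
    return modrm >> 6, (modrm >> 3) & 7, modrm & 7

def memory_operand(mod, rm, size):
    """Memory form selected by mod/rm in 32-bit mode (following bytes not decoded)."""
    if mod == 0 and rm == 5:
        base = "disp32"                 # mod=00 rm=101 is a bare 32-bit displacement
    else:
        base = "sib" if rm == 4 else REGS[4][rm]   # rm=100 means a SIB byte follows
        if mod == 1:
            base += "+disp8"
        elif mod == 2:
            base += "+disp32"
    return f"{PTR[size]} [{base}]"

def decode_operand(desc, modrm, opsize=4):
    """Render one '#Xs' descriptor (X = addressing method, s = size) for a ModRM byte."""
    method, size = desc[1], operand_size(desc[2], opsize)
    mod, reg, rm = split_modrm(modrm)
    if method == "G":                   # G: reg field names a general register
        return REGS[size][reg]
    if method == "R":                   # R: rm field names a general register
        return REGS[size][rm]
    if method in ("E", "M"):            # E: register or memory; M: memory only
        if mod == 3:
            if method == "M":
                raise ValueError("M descriptor requires a memory operand (mod != 3)")
            return REGS[size][rm]
        return memory_operand(mod, rm, size)
    raise NotImplementedError(f"method {method!r} is not ModRM-based")

def decode_operands(descs, modrm, opsize=4):
    """Decode a comma-separated descriptor list, e.g. '#Ev,#Gv' with 0xC8 -> 'eax, ecx'."""
    return ", ".join(decode_operand(d, modrm, opsize) for d in descs.split(","))
```

With opcode 01 (ADD Ev,Gv) and ModRM C8 this yields "eax, ecx"; with a 66 operand-size prefix (opsize=2) the same byte yields "ax, cx".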


Releasing the source code today. There is no point in keeping it to myself.

http://pan.baidu.com/share/link?shareid=3624365833&uk=3895584076

posted on 2013-08-22 20:30  5t4rk  Views (765)  Comments (0)