DEC_xxx

Constants DEC_xxx describe types and grouping of commands and data in the Debuggee's memory, as detected by the Analyser.

Description of commands and data

The first byte of the command or data is marked with one of the following constants (only one is allowed, use DEC_TYPEMASK to extract):

DEC_INT First byte of the integer. May be followed by 0, 1, 3, 7 or 15 DEC_NEXTDATA items
DEC_SWITCH First byte of the switch table item. If DEC_SWITCH is followed by 3 DEC_NEXTDATA items, this is the switch address. Otherwise, this is the element of the byte table in the two-stage switches
DEC_DATA First byte of integer data, similar to DEC_INT. Items of type DEC_DATA are usually special constants or bit combinations and can't be decoded as ordinals or addresses
DEC_DB First byte of the unstructured data block. May be followed by up to 15 DEC_NEXTDATA items. If data block is longer that 16 bytes, OllyDbg cuts it into the 16-byte chunks and starts each subsequent chunk with DEC_DB
DEC_DUMP Same as DEC_DB, but requests OllyDbg to add ASCII comment when data is decoded
DEC_ASCII First byte of the ASCII string. May be followed by up to 15 DEC_NEXTDATA items. If string is longer than 16 bytes, OllyDbg cuts it into the 16-byte chunks and starts each subsequent chunk with DEC_ASCCNT. Strings are not necessarily null-terminated, but if null character is present, it is considered part of the string
DEC_ASCCNT Continuation of ASCII string, see DEC_ASCII
DEC_UNICODE Start of the UNICODE string (least significant byte of the first wide character). May be followed by up to 15 DEC_NEXTDATA items. If string is longer than 8 wide characters (16 bytes), OllyDbg cuts it into the 8-character chunks and starts each subsequent chunk with DEC_UNICNT. Strings are not necessarily null-terminated, but if null character is present, it is considered part of the string
DEC_UNICNT Continuation of UNICODE string, see DEC_UNICODE
DEC_FLOAT First byte of the floating-point number. May be followed by 3, 7 or 9 DEC_NEXTDATA items
DEC_GUID First byte of the GUID (Globally Unique Identifier). Followed by 15 DEC_NEXTDATA items
DEC_NETCMD First byte of the MSIL command in .NET applications without recognized jumps or calls to this command. May be followed by several DEC_NEXTDATA items
DEC_JMPNET First byte of the MSIL command in .NET applications with one or more recognized jumps, but no calls, to this command. May be followed by several DEC_NEXTDATA items
DEC_CALLNET First byte of the MSIL command in .NET applications with recognized calls to this command. May be followed by several DEC_NEXTDATA items. Note that MSIL allows calls only to the first command of the method
DEC_COMMAND First byte of the native 80x86 command without recognized jumps or calls to this command. May be followed by several DEC_NEXTCODE items
DEC_JMPDEST First byte of the native 80x86 command with one or more recognized jumps but no calls to this command. May be followed by several DEC_NEXTCODE items
DEC_CALLDEST First byte of the native 80x86 command with one or more recognized calls to this command. May be followed by several DEC_NEXTCODE items
DEC_FILLING First byte of the native 80x86 command used to fill alignment gaps between the procesures and variables. May be followed by several DEC_NEXTDATA items
DEC_FILLDATA Data used to fill alignment gaps between the procesures and variables
DEC_UNKNOWN Parts of memory with removed or nonexisting analysis
DEC_NEXTCODE Second and subsequent bytes of native 80x86 commands (except for those used as a filling)
DEC_NEXTDATA Second and subsequent bytes of recognized data items

For example, command CMP EAX,3 (binary code 83F8 03) without jumps or calls will be decoded as:

83 F8 03  
DEC_COMMAND DEC_NEXTCODE DEC_NEXTCODE  

Null-terminated ASCII string "This is a string!" will have the following decoding:

'T' 'h' 'i' 's'
DEC_ASCII DEC_NEXTDATA DEC_NEXTDATA DEC_NEXTDATA
 
' ' 'i' 's' ' '
DEC_NEXTDATA DEC_NEXTDATA DEC_NEXTDATA DEC_NEXTDATA
 
'a' ' ' 's' 't'
DEC_NEXTDATA DEC_NEXTDATA DEC_NEXTDATA DEC_NEXTDATA
 
'r' 'i' 'n' 'g'
DEC_NEXTDATA DEC_NEXTDATA DEC_NEXTDATA DEC_NEXTDATA
 
'!' '\0'     
DEC_ASCCNT  DEC_NEXTDATA    


Description of procedures

Procedure brackets are defined by the following bits (use DEC_PROCMASK to extract):

DEC_NOPROC This item is not part of the recognized procedure, structure or block
DEC_PROC First byte of the recognized procedure, structure or block
DEC_PBODY Intermediate byte of the recognized procedure, structure or block
DEC_PROC Last byte of the recognized procedure, structure or block. It marks the first byte of the last item, remaining bytes are marked as DEC_NOPROC

Example: a simple function

8B44E4 04   MOV EAX,[ESP+4]
C2 0400     RETN 4

will be decoded as

8B 44 E4 04 
DEC_PROC |
DEC_CALLDEST
DEC_PBODY |
DEC_NEXTCODE
DEC_PBODY |
DEC_NEXTCODE
DEC_PBODY |
DEC_NEXTCODE
 
 
C2 04 00  
DEC_PEND |
DEC_COMMAND
DEC_NOPROC |
DEC_NEXTCODE
DEC_NOPROC |
DEC_NEXTCODE
 


Hit trace

Bit DEC_TRACED marks commands that were hit in the hit trace:

DEC_TRACED Command was executed by the hit trace


See also:

Analysis, Disasm(), Finddecode()