I have yet to find a decent disassembler for Win64 and needed to be able to have a look at the mnemonic code produced by a couple of different 64 bit assemblers, POASM and JWASM. I have put together a tool that accepts a PODUMP dump of a 64 bit object module and converts it from a very rudimentary form to something like human readable assembler.
The reason for disassembling the object module rather than the executable is that the object module has a lot more useful information in it, including procedure names and variable names. The PHUN part was resolving the procedure call addresses and the jump-to-label addresses, then locating the hex numbers that don't have a trailing "h" and converting them to unsigned decimal numbers, both inside and outside of complex addressing modes.
The attached zip file has the tool and 2 dumps from PODUMP, one a very simple dump of a POASM obj, the other from a JWASM obj. Either use the command line or just drop either dump file onto the tool. If you install it on the same drive as MASM32, QE will display the results, which are saved to a file first. If you place it on a different drive you can view the output file.
NOTE : You run PODUMP with the following command line or in a batch file.
yourpath\podump.exe /disasm:NOCODEBYTES test.obj > dump.txt
The JWASM formatted dump looks like this.
Dump of Win64_3.obj
File type: OBJ
Can't synchronize source and assembly code
; fn_WinMainCRTStartup - entry stub as recovered from the JWASM object module.
; Saves the module handle and the command line pointer in the globals
; hInstance and CommandLine, calls fn_WinMain with four register arguments,
; and passes fn_WinMain's eax to ExitProcess.
; ABI: Microsoft x64 (integer args in rcx, rdx, r8, r9; caller reserves 32 bytes of shadow space).
; There is no ret or add rsp after the last call; the listing relies on ExitProcess not returning.
fn_WinMainCRTStartup:
sub rsp, 40                         ; 32 bytes shadow space + 8; 16-byte aligned at the calls if rsp % 16 == 8 on entry
mov ecx, 0                          ; GetModuleHandleA(NULL)
call GetModuleHandleA
mov qword ptr [hInstance], rax      ; hInstance = returned module handle
call GetCommandLineA
mov qword ptr [CommandLine], rax    ; CommandLine = returned pointer
mov rcx, qword ptr [hInstance]      ; arg 1 = hInstance
mov rdx, 0                          ; arg 2 = 0
mov r8, qword ptr [CommandLine]     ; arg 3 = CommandLine
mov r9d, 10                         ; arg 4 = 10 (SW_SHOWDEFAULT if this is the show command - confirm against source)
call fn_WinMain
mov ecx, eax                        ; exit code = fn_WinMain's return value (low 32 bits)
call ExitProcess
; fn_WinMain - registers a window class, creates and shows one window, then
; runs a GetMessageA / TranslateMessage / DispatchMessageA loop.
; ABI:   Microsoft x64
; In:    rcx, rdx, r8, r9d = the four arguments set up by fn_WinMainCRTStartup
; Out:   rax = qword at [rbp-112], read after the message loop ends
; Frame: rbp-based; 240 bytes of locals plus outgoing-argument space.
;        [rbp-80 .. rbp-1]  80-byte structure passed to RegisterClassExA
;        [rbp-128]          message buffer passed to GetMessageA
;        [rbp-136]          window handle returned by CreateWindowExA
; NOTE(review): the return values of RegisterClassExA and CreateWindowExA are
; never tested; a failed call is carried straight into ShowWindow and the loop.
fn_WinMain:
push rbp
mov rbp, rsp
sub rsp, 240                        ; 240 is a multiple of 16, so rsp stays 16-byte aligned after the push
mov qword ptr [rbp+16], rcx         ; home the four register args into the caller's shadow space
mov qword ptr [rbp+24], rdx
mov qword ptr [rbp+32], r8
mov dword ptr [rbp+40], r9d
; Fill the structure at [rbp-80]; offsets match the WNDCLASSEXA layout.
mov dword ptr [rbp-80], 50          ; cbSize slot. NOTE(review): the structure spans 80 bytes (= 50h), so this "50" may be hex left unconverted - confirm
mov dword ptr [rbp-76], 3           ; style = 3 (CS_HREDRAW | CS_VREDRAW)
lea rax, [WndProc]
mov qword ptr [rbp-72], rax         ; lpfnWndProc = address of WndProc
mov dword ptr [rbp-64], 0           ; cbClsExtra = 0
mov dword ptr [rbp-60], 0           ; cbWndExtra = 0
mov qword ptr [rbp-56], rcx         ; hInstance = arg 1 (rcx not yet clobbered, no call made so far)
mov qword ptr [rbp-32], 6           ; hbrBackground = 6 (COLOR_WINDOW + 1)
mov qword ptr [rbp-24], 0           ; lpszMenuName = NULL
lea rax, [ClassName]
mov qword ptr [rbp-16], rax         ; lpszClassName = address of ClassName
mov ecx, 0
mov edx, 32512                      ; 32512 = 7F00h (IDI_APPLICATION)
call LoadIconA
mov qword ptr [rbp-48], rax         ; hIcon
mov qword ptr [rbp-8], rax          ; hIconSm = same icon handle
mov ecx, 0
mov edx, 32512                      ; 32512 = 7F00h (IDC_ARROW)
call LoadCursorA
mov qword ptr [rbp-40], rax         ; hCursor
lea rcx, [rbp-80]                   ; pointer to the filled structure
call RegisterClassExA               ; result in rax is not checked
; CreateWindowExA takes 12 arguments: 4 in registers, 8 on the stack above the shadow space.
mov ecx, 0                          ; dwExStyle = 0
lea rdx, [ClassName]                ; lpClassName
lea r8, [AppName]                   ; lpWindowName
mov r9d, 13565952                   ; dwStyle = 0CF0000h (WS_OVERLAPPEDWINDOW)
; NOTE(review): CW_USEDEFAULT is 80000000h. The four immediates below read as
; decimal 80000000 in this listing, which would be ordinary coordinates; they
; look like hex values the converter left alone - confirm against the code bytes.
mov dword ptr [rsp+32], 80000000    ; x
mov dword ptr [rsp+40], 80000000    ; y
mov dword ptr [rsp+48], 80000000    ; nWidth
mov dword ptr [rsp+56], 80000000    ; nHeight
mov qword ptr [rsp+64], 0           ; hWndParent = NULL
mov qword ptr [rsp+72], 0           ; hMenu = NULL
mov rax, qword ptr [rbp+16]         ; reload arg 1 from its home slot
mov qword ptr [rsp+80], rax         ; hInstance
mov qword ptr [rsp+88], 0           ; lpParam = NULL
call CreateWindowExA
mov qword ptr [rbp-136], rax        ; save window handle (not checked for NULL)
mov rcx, qword ptr [rbp-136]
mov edx, 1                          ; nCmdShow = 1 (SW_SHOWNORMAL); the r9d value homed at [rbp+40] is not used here
call ShowWindow
mov rcx, qword ptr [rbp-136]
call UpdateWindow
; Message loop: runs until GetMessageA returns zero.
lbl_1:
lea rcx, [rbp-128]                  ; lpMsg = message buffer
mov rdx, 0                          ; hWnd = NULL
mov r8, 0                           ; wMsgFilterMin = 0
mov r9, 0                           ; wMsgFilterMax = 0
call GetMessageA
and rax, rax                        ; sets ZF only when all 64 bits of rax are zero
je lbl_0                            ; leave the loop on a zero return
; NOTE(review): GetMessageA is documented to return -1 on error; this test
; treats -1 as "message available" and keeps dispatching. It also tests the
; full rax for a 32-bit BOOL result - presumably the upper half is zero; confirm.
lea rcx, [rbp-128]
call TranslateMessage
lea rcx, [rbp-128]
call DispatchMessageA
jmp lbl_1
lbl_0:
mov rax, qword ptr [rbp-112]        ; return value = qword at offset 16 of the message buffer (MSG.wParam)
add rsp, 240
pop rbp
ret
; fn_WndProc - window procedure recovered from the object module.
; ABI:  Microsoft x64
; In:   rcx, rdx, r8, r9 = window procedure arguments; edx is compared as the message id
; Out:  rax = 0 when edx == 2, otherwise whatever DefWindowProcA returns
; Only message 2 (WM_DESTROY) is handled; every other message is forwarded
; to DefWindowProcA with the incoming argument registers untouched.
fn_WndProc:
sub rsp, 40                         ; 32 bytes shadow space + 8 for alignment at the calls
cmp edx, 2                          ; message == 2 (WM_DESTROY)?
jne lbl_2
mov ecx, 0                          ; PostQuitMessage(0)
call PostQuitMessage
xor rax, rax                        ; return 0
jmp lbl_3
lbl_2:
call DefWindowProcA                 ; rcx, rdx, r8, r9 still hold the original arguments (cmp does not write them)
lbl_3:
add rsp, 40
ret
SUMMARY
10 .bss
20 .data
4A .drectve
24 .pdata
1CC .text
1C .xdata