RubyGems - metasm - Versions diffs - 1.0.0 → 1.0.5 - Mend

metasm 1.0.0 → 1.0.5

Files changed (276) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +3 -0
data/.gitignore +3 -0
data/.hgtags +3 -0
data/Gemfile +3 -0
data/INSTALL +61 -0
data/LICENCE +458 -0
data/README +29 -21
data/Rakefile +10 -0
data/TODO +10 -12
data/doc/code_organisation.txt +3 -1
data/doc/core/DynLdr.txt +247 -0
data/doc/core/ExeFormat.txt +43 -0
data/doc/core/Expression.txt +220 -0
data/doc/core/GNUExports.txt +27 -0
data/doc/core/Ia32.txt +236 -0
data/doc/core/SerialStruct.txt +108 -0
data/doc/core/VirtualString.txt +145 -0
data/doc/core/WindowsExports.txt +61 -0
data/doc/core/index.txt +1 -0
data/doc/style.css +6 -3
data/doc/usage/debugger.txt +327 -0
data/doc/usage/index.txt +1 -0
data/doc/use_cases.txt +2 -2
data/metasm.gemspec +23 -0
data/{lib/metasm.rb → metasm.rb} +15 -3
data/{lib/metasm → metasm}/compile_c.rb +15 -9
data/metasm/cpu/arc.rb +8 -0
data/metasm/cpu/arc/decode.rb +404 -0
data/metasm/cpu/arc/main.rb +191 -0
data/metasm/cpu/arc/opcodes.rb +588 -0
data/metasm/cpu/arm.rb +14 -0
data/{lib/metasm → metasm/cpu}/arm/debug.rb +2 -2
data/{lib/metasm → metasm/cpu}/arm/decode.rb +15 -18
data/{lib/metasm → metasm/cpu}/arm/encode.rb +23 -8
data/{lib/metasm → metasm/cpu}/arm/main.rb +3 -6
data/metasm/cpu/arm/opcodes.rb +324 -0
data/{lib/metasm → metasm/cpu}/arm/parse.rb +25 -13
data/{lib/metasm → metasm/cpu}/arm/render.rb +2 -2
data/metasm/cpu/arm64.rb +15 -0
data/metasm/cpu/arm64/debug.rb +38 -0
data/metasm/cpu/arm64/decode.rb +285 -0
data/metasm/cpu/arm64/encode.rb +41 -0
data/metasm/cpu/arm64/main.rb +105 -0
data/metasm/cpu/arm64/opcodes.rb +232 -0
data/metasm/cpu/arm64/parse.rb +20 -0
data/metasm/cpu/arm64/render.rb +95 -0
data/{lib/metasm/mips/compile_c.rb → metasm/cpu/bpf.rb} +4 -2
data/metasm/cpu/bpf/decode.rb +110 -0
data/metasm/cpu/bpf/main.rb +60 -0
data/metasm/cpu/bpf/opcodes.rb +81 -0
data/metasm/cpu/bpf/render.rb +30 -0
data/{lib/metasm/ppc.rb → metasm/cpu/cy16.rb} +2 -4
data/metasm/cpu/cy16/decode.rb +247 -0
data/metasm/cpu/cy16/main.rb +63 -0
data/metasm/cpu/cy16/opcodes.rb +78 -0
data/metasm/cpu/cy16/render.rb +30 -0
data/metasm/cpu/dalvik.rb +11 -0
data/{lib/metasm → metasm/cpu}/dalvik/decode.rb +34 -34
data/{lib/metasm → metasm/cpu}/dalvik/main.rb +71 -4
data/{lib/metasm → metasm/cpu}/dalvik/opcodes.rb +21 -12
data/{lib/metasm/mips.rb → metasm/cpu/ebpf.rb} +3 -4
data/metasm/cpu/ebpf/debug.rb +61 -0
data/metasm/cpu/ebpf/decode.rb +142 -0
data/metasm/cpu/ebpf/main.rb +58 -0
data/metasm/cpu/ebpf/opcodes.rb +97 -0
data/metasm/cpu/ebpf/render.rb +36 -0
data/metasm/cpu/ia32.rb +17 -0
data/{lib/metasm → metasm/cpu}/ia32/compile_c.rb +23 -9
data/{lib/metasm → metasm/cpu}/ia32/debug.rb +44 -6
data/{lib/metasm → metasm/cpu}/ia32/decode.rb +342 -128
data/{lib/metasm → metasm/cpu}/ia32/decompile.rb +75 -53
data/{lib/metasm → metasm/cpu}/ia32/encode.rb +19 -13
data/{lib/metasm → metasm/cpu}/ia32/main.rb +66 -8
data/metasm/cpu/ia32/opcodes.rb +1424 -0
data/{lib/metasm → metasm/cpu}/ia32/parse.rb +55 -17
data/{lib/metasm → metasm/cpu}/ia32/render.rb +32 -5
data/metasm/cpu/mcs51.rb +8 -0
data/metasm/cpu/mcs51/decode.rb +99 -0
data/metasm/cpu/mcs51/main.rb +87 -0
data/metasm/cpu/mcs51/opcodes.rb +120 -0
data/metasm/cpu/mips.rb +14 -0
data/metasm/cpu/mips/debug.rb +42 -0
data/{lib/metasm → metasm/cpu}/mips/decode.rb +59 -38
data/{lib/metasm → metasm/cpu}/mips/encode.rb +4 -3
data/{lib/metasm → metasm/cpu}/mips/main.rb +13 -6
data/{lib/metasm → metasm/cpu}/mips/opcodes.rb +87 -18
data/{lib/metasm → metasm/cpu}/mips/parse.rb +1 -1
data/{lib/metasm → metasm/cpu}/mips/render.rb +1 -1
data/{lib/metasm/dalvik.rb → metasm/cpu/msp430.rb} +1 -1
data/metasm/cpu/msp430/decode.rb +243 -0
data/metasm/cpu/msp430/main.rb +62 -0
data/metasm/cpu/msp430/opcodes.rb +101 -0
data/metasm/cpu/openrisc.rb +11 -0
data/metasm/cpu/openrisc/debug.rb +106 -0
data/metasm/cpu/openrisc/decode.rb +182 -0
data/metasm/cpu/openrisc/decompile.rb +350 -0
data/metasm/cpu/openrisc/main.rb +70 -0
data/metasm/cpu/openrisc/opcodes.rb +109 -0
data/metasm/cpu/openrisc/render.rb +37 -0
data/{lib/metasm → metasm/cpu}/pic16c/decode.rb +6 -7
data/{lib/metasm → metasm/cpu}/pic16c/main.rb +0 -0
data/{lib/metasm → metasm/cpu}/pic16c/opcodes.rb +1 -1
data/metasm/cpu/ppc.rb +11 -0
data/{lib/metasm → metasm/cpu}/ppc/decode.rb +18 -37
data/{lib/metasm → metasm/cpu}/ppc/decompile.rb +3 -3
data/{lib/metasm → metasm/cpu}/ppc/encode.rb +2 -2
data/{lib/metasm → metasm/cpu}/ppc/main.rb +23 -18
data/{lib/metasm → metasm/cpu}/ppc/opcodes.rb +11 -6
data/metasm/cpu/ppc/parse.rb +55 -0
data/metasm/cpu/python.rb +8 -0
data/metasm/cpu/python/decode.rb +116 -0
data/metasm/cpu/python/main.rb +36 -0
data/metasm/cpu/python/opcodes.rb +180 -0
data/{lib/metasm → metasm/cpu}/sh4.rb +1 -1
data/{lib/metasm → metasm/cpu}/sh4/decode.rb +50 -23
data/{lib/metasm → metasm/cpu}/sh4/main.rb +38 -27
data/{lib/metasm → metasm/cpu}/sh4/opcodes.rb +7 -8
data/metasm/cpu/st20.rb +9 -0
data/metasm/cpu/st20/decode.rb +173 -0
data/metasm/cpu/st20/decompile.rb +283 -0
data/metasm/cpu/st20/main.rb +37 -0
data/metasm/cpu/st20/opcodes.rb +140 -0
data/{lib/metasm/arm.rb → metasm/cpu/webasm.rb} +4 -5
data/metasm/cpu/webasm/debug.rb +31 -0
data/metasm/cpu/webasm/decode.rb +321 -0
data/metasm/cpu/webasm/decompile.rb +386 -0
data/metasm/cpu/webasm/encode.rb +104 -0
data/metasm/cpu/webasm/main.rb +81 -0
data/metasm/cpu/webasm/opcodes.rb +214 -0
data/metasm/cpu/x86_64.rb +15 -0
data/{lib/metasm → metasm/cpu}/x86_64/compile_c.rb +40 -25
data/{lib/metasm → metasm/cpu}/x86_64/debug.rb +4 -4
data/{lib/metasm → metasm/cpu}/x86_64/decode.rb +58 -15
data/{lib/metasm → metasm/cpu}/x86_64/encode.rb +59 -28
data/{lib/metasm → metasm/cpu}/x86_64/main.rb +18 -6
data/metasm/cpu/x86_64/opcodes.rb +138 -0
data/{lib/metasm → metasm/cpu}/x86_64/parse.rb +12 -4
data/metasm/cpu/x86_64/render.rb +35 -0
data/metasm/cpu/z80.rb +9 -0
data/metasm/cpu/z80/decode.rb +286 -0
data/metasm/cpu/z80/main.rb +67 -0
data/metasm/cpu/z80/opcodes.rb +224 -0
data/metasm/cpu/z80/render.rb +48 -0
data/{lib/metasm/os/main.rb → metasm/debug.rb} +201 -407
data/{lib/metasm → metasm}/decode.rb +104 -24
data/{lib/metasm → metasm}/decompile.rb +804 -478
data/{lib/metasm → metasm}/disassemble.rb +385 -170
data/{lib/metasm → metasm}/disassemble_api.rb +684 -105
data/{lib/metasm → metasm}/dynldr.rb +231 -138
data/{lib/metasm → metasm}/encode.rb +20 -5
data/{lib/metasm → metasm}/exe_format/a_out.rb +9 -6
data/{lib/metasm → metasm}/exe_format/autoexe.rb +3 -0
data/{lib/metasm → metasm}/exe_format/bflt.rb +57 -27
data/{lib/metasm → metasm}/exe_format/coff.rb +35 -7
data/{lib/metasm → metasm}/exe_format/coff_decode.rb +70 -23
data/{lib/metasm → metasm}/exe_format/coff_encode.rb +24 -22
data/{lib/metasm → metasm}/exe_format/dex.rb +26 -8
data/{lib/metasm → metasm}/exe_format/dol.rb +1 -0
data/{lib/metasm → metasm}/exe_format/elf.rb +108 -58
data/{lib/metasm → metasm}/exe_format/elf_decode.rb +202 -36
data/{lib/metasm → metasm}/exe_format/elf_encode.rb +126 -32
data/metasm/exe_format/gb.rb +65 -0
data/metasm/exe_format/javaclass.rb +424 -0
data/{lib/metasm → metasm}/exe_format/macho.rb +218 -16
data/{lib/metasm → metasm}/exe_format/main.rb +28 -3
data/{lib/metasm → metasm}/exe_format/mz.rb +2 -0
data/{lib/metasm → metasm}/exe_format/nds.rb +7 -4
data/{lib/metasm → metasm}/exe_format/pe.rb +96 -11
data/metasm/exe_format/pyc.rb +167 -0
data/{lib/metasm → metasm}/exe_format/serialstruct.rb +67 -14
data/{lib/metasm → metasm}/exe_format/shellcode.rb +7 -3
data/metasm/exe_format/shellcode_rwx.rb +114 -0
data/metasm/exe_format/swf.rb +205 -0
data/metasm/exe_format/wasm.rb +402 -0
data/{lib/metasm → metasm}/exe_format/xcoff.rb +7 -7
data/metasm/exe_format/zip.rb +335 -0
data/metasm/gui.rb +13 -0
data/{lib/metasm → metasm}/gui/cstruct.rb +35 -41
data/{lib/metasm → metasm}/gui/dasm_coverage.rb +11 -11
data/{lib/metasm → metasm}/gui/dasm_decomp.rb +177 -114
data/{lib/metasm → metasm}/gui/dasm_funcgraph.rb +0 -0
data/metasm/gui/dasm_graph.rb +1754 -0
data/{lib/metasm → metasm}/gui/dasm_hex.rb +16 -12
data/{lib/metasm → metasm}/gui/dasm_listing.rb +43 -28
data/{lib/metasm → metasm}/gui/dasm_main.rb +360 -77
data/{lib/metasm → metasm}/gui/dasm_opcodes.rb +5 -19
data/{lib/metasm → metasm}/gui/debug.rb +109 -34
data/{lib/metasm → metasm}/gui/gtk.rb +174 -44
data/{lib/metasm → metasm}/gui/qt.rb +14 -4
data/{lib/metasm → metasm}/gui/win32.rb +180 -43
data/{lib/metasm → metasm}/gui/x11.rb +59 -59
data/{lib/metasm → metasm}/main.rb +421 -286
data/metasm/os/emulator.rb +175 -0
data/{lib/metasm/os/remote.rb → metasm/os/gdbremote.rb} +146 -54
data/{lib/metasm → metasm}/os/gnu_exports.rb +1 -1
data/{lib/metasm → metasm}/os/linux.rb +628 -151
data/metasm/os/main.rb +335 -0
data/{lib/metasm → metasm}/os/windows.rb +151 -58
data/{lib/metasm → metasm}/os/windows_exports.rb +141 -0
data/{lib/metasm → metasm}/parse.rb +49 -36
data/{lib/metasm → metasm}/parse_c.rb +405 -246
data/{lib/metasm → metasm}/preprocessor.rb +71 -41
data/{lib/metasm → metasm}/render.rb +14 -38
data/misc/hexdump.rb +4 -3
data/misc/lint.rb +58 -0
data/misc/objdiff.rb +4 -1
data/misc/objscan.rb +1 -1
data/misc/openrisc-parser.rb +79 -0
data/misc/txt2html.rb +9 -7
data/samples/bindiff.rb +3 -4
data/samples/dasm-plugins/bindiff.rb +15 -0
data/samples/dasm-plugins/bookmark.rb +133 -0
data/samples/dasm-plugins/c_constants.rb +57 -0
data/samples/dasm-plugins/colortheme_solarized.rb +125 -0
data/samples/dasm-plugins/cppobj_funcall.rb +60 -0
data/samples/dasm-plugins/dasm_all.rb +70 -0
data/samples/dasm-plugins/demangle_cpp.rb +31 -0
data/samples/dasm-plugins/deobfuscate.rb +251 -0
data/samples/dasm-plugins/dump_text.rb +35 -0
data/samples/dasm-plugins/export_graph_svg.rb +86 -0
data/samples/dasm-plugins/findgadget.rb +75 -0
data/samples/dasm-plugins/hl_opcode.rb +32 -0
data/samples/dasm-plugins/hotfix_gtk_dbg.rb +19 -0
data/samples/dasm-plugins/imm2off.rb +34 -0
data/samples/dasm-plugins/match_libsigs.rb +93 -0
data/samples/dasm-plugins/patch_file.rb +95 -0
data/samples/dasm-plugins/scanfuncstart.rb +36 -0
data/samples/dasm-plugins/scanxrefs.rb +29 -0
data/samples/dasm-plugins/selfmodify.rb +197 -0
data/samples/dasm-plugins/stringsxrefs.rb +28 -0
data/samples/dasmnavig.rb +1 -1
data/samples/dbg-apihook.rb +24 -9
data/samples/dbg-plugins/heapscan.rb +283 -0
data/samples/dbg-plugins/heapscan/compiled_heapscan_lin.c +155 -0
data/samples/dbg-plugins/heapscan/compiled_heapscan_win.c +128 -0
data/samples/dbg-plugins/heapscan/graphheap.rb +616 -0
data/samples/dbg-plugins/heapscan/heapscan.rb +709 -0
data/samples/dbg-plugins/heapscan/winheap.h +174 -0
data/samples/dbg-plugins/heapscan/winheap7.h +307 -0
data/samples/dbg-plugins/trace_func.rb +214 -0
data/samples/disassemble-gui.rb +48 -7
data/samples/disassemble.rb +31 -6
data/samples/dump_upx.rb +24 -12
data/samples/dynamic_ruby.rb +35 -27
data/samples/elfencode.rb +15 -0
data/samples/emubios.rb +251 -0
data/samples/emudbg.rb +127 -0
data/samples/exeencode.rb +6 -5
data/samples/factorize-headers-peimports.rb +1 -1
data/samples/lindebug.rb +186 -391
data/samples/metasm-shell.rb +68 -57
data/samples/peldr.rb +2 -2
data/tests/all.rb +1 -1
data/tests/arc.rb +26 -0
data/tests/dynldr.rb +22 -4
data/tests/expression.rb +57 -0
data/tests/graph_layout.rb +285 -0
data/tests/ia32.rb +80 -26
data/tests/mcs51.rb +27 -0
data/tests/mips.rb +10 -3
data/tests/preprocessor.rb +18 -0
data/tests/x86_64.rb +66 -18
metadata +465 -219
metadata.gz.sig +2 -0
data/lib/metasm/arm/opcodes.rb +0 -177
data/lib/metasm/gui.rb +0 -23
data/lib/metasm/gui/dasm_graph.rb +0 -1354
data/lib/metasm/ia32.rb +0 -14
data/lib/metasm/ia32/opcodes.rb +0 -872
data/lib/metasm/ppc/parse.rb +0 -52
data/lib/metasm/x86_64.rb +0 -12
data/lib/metasm/x86_64/opcodes.rb +0 -118
data/samples/gdbclient.rb +0 -583
data/samples/rubstop.rb +0 -399

data/{lib/metasm → metasm/cpu}/ia32/debug.rb RENAMED Viewed

@@ -4,7 +4,7 @@
 #    Licence is LGPL, see LICENCE in the top-level directory
-require 'metasm/ia32/opcodes'
+require 'metasm/cpu/ia32/opcodes'
 module Metasm
 class Ia32
@@ -18,7 +18,7 @@ class Ia32
 		@dbg_register_flags ||= :eflags
 	end
-	def dbg_register_list
+	def dbg_register_list
 		@dbg_register_list ||= [:eax, :ebx, :ecx, :edx, :esi, :edi, :ebp, :esp, :eip]
 	end
@@ -46,10 +46,10 @@ class Ia32
 	end
 	def dbg_enable_singlestep(dbg)
-		dbg_set_flag(dbg, :t)
+		dbg_set_flag(dbg, :t) if dbg_get_flag(dbg, :t) == 0
 	end
 	def dbg_disable_singlestep(dbg)
-		dbg_unset_flag(dbg, :t)
+		dbg_unset_flag(dbg, :t) if dbg_get_flag(dbg, :t) != 0
 	end
 	def dbg_enable_bp(dbg, bp)
@@ -66,9 +66,11 @@ class Ia32
 		end
 	end
+	DBG_BPX = "\xcc"
+	DBG_BPX.force_encoding('BINARY') if DBG_BPX.respond_to?(:force_encoding)
 	def dbg_enable_bpx(dbg, bp)
 		bp.internal[:previous] ||= dbg.memory[bp.address, 1]
-		dbg.memory[bp.address, 1] = "\xcc"
+		dbg.memory[bp.address, 1] = DBG_BPX
 	end
 	def dbg_disable_bpx(dbg, bp)
@@ -113,7 +115,7 @@ class Ia32
 		if dbg[:dr6] == 0 and dbg[:dr7] == 0
 			dbg[:dr7] = 0x10000	# some OS (eg Windows) only return dr6 if dr7 != 0
 		end
-		dbg[:dr6] = 0
+		dbg[:dr6] = 0 if dbg[:dr6] & 0x400f != 0
 	end
 	def dbg_evt_bpx(dbg, b)
@@ -189,5 +191,41 @@ class Ia32
 	def dbg_func_arg_set(dbg, argnr, arg)
 		dbg.memory_write_int(Expression[:esp, :+, 4*(argnr+1)], arg)
 	end
+	def dbg_resolve_pc(di, fbd, pc_reg, dbg_ctx)
+		a = di.instruction.args.map { |aa| symbolic(aa) }
+		cond = case di.opcode.name
+		when 'jz', 'je';    dbg_ctx.get_flag(:z)
+		when 'jnz', 'jne'; !dbg_ctx.get_flag(:z)
+		when 'jo';   dbg_ctx.get_flag(:o)
+		when 'jno'; !dbg_ctx.get_flag(:o)
+		when 'js';   dbg_ctx.get_flag(:s)
+		when 'jns'; !dbg_ctx.get_flag(:s)
+		when 'jc', 'jb', 'jnae';   dbg_ctx.get_flag(:c)
+		when 'jnc', 'jnb', 'jae'; !dbg_ctx.get_flag(:c)
+		when 'jbe', 'jna';  dbg_ctx.get_flag(:c) or   dbg_ctx.get_flag(:z)
+		when 'jnbe', 'ja'; !dbg_ctx.get_flag(:c) and !dbg_ctx.get_flag(:z)
+		when 'jl', 'jnge'; dbg_ctx.get_flag(:s) != dbg_ctx.get_flag(:o)
+		when 'jnl', 'jge'; dbg_ctx.get_flag(:s) == dbg_ctx.get_flag(:o)
+		when 'jle', 'jng';  dbg_ctx.get_flag(:z) or  dbg_ctx.get_flag(:s) != dbg_ctx.get_flag(:o)
+		when 'jnle', 'jg'; !dbg_ctx.get_flag(:z) and dbg_ctx.get_flag(:s) == dbg_ctx.get_flag(:o)
+		when 'jp', 'jpe';   dbg_ctx.get_flag(:p)
+		when 'jnp', 'jpo'; !dbg_ctx.get_flag(:p)
+		when 'loop';             dbg_ctx[dbg_register_list[2]] != 0
+		when 'loopz', 'loope';   dbg_ctx[dbg_register_list[2]] != 0 and  dbg_ctx.get_flag(:z)
+		when 'loopnz', 'loopne'; dbg_ctx[dbg_register_list[2]] != 0 and !dbg_ctx.get_flag(:z)
+		when 'jcxz', 'jecxz', 'jrcxz'
+			mask = {?c => 0xffff, ?e => 0xffff_ffff, ?r => -1}[di.opcode.name[1]]
+			dbg_ctx[dbg_register_list[2]] & mask == 0
+		else return super(di, fbd, pc_reg, dbg_ctx)
+		end
+		if cond
+			fbd[pc_reg] = a.last
+		else
+			fbd[pc_reg] = di.next_addr
+		end
+	end
 end
 end

data/{lib/metasm → metasm/cpu}/ia32/decode.rb RENAMED Viewed

@@ -4,13 +4,13 @@
 #    Licence is LGPL, see LICENCE in the top-level directory
-require 'metasm/ia32/opcodes'
+require 'metasm/cpu/ia32/opcodes'
 require 'metasm/decode'
 module Metasm
 class Ia32
 	class ModRM
-		def self.decode(edata, byte, endianness, adsz, opsz, seg=nil, regclass=Reg)
+		def self.decode(edata, byte, endianness, adsz, opsz, seg=nil, regclass=Reg, h = {})
 			m = (byte >> 6) & 3
 			rm = byte & 7
@@ -28,7 +28,11 @@ class Ia32
 						b = Reg.new(a, adsz)
 					else
 						s = 1
-						i = Reg.new(a, adsz)
+						if h[:mrmvex]
+							i = SimdReg.new(a, h[:mrmvex])
+						else
+							i = Reg.new(a, adsz)
+						end
 					end
 				when :sib
@@ -37,7 +41,11 @@ class Ia32
 					ii = ((sib >> 3) & 7)
 					if ii != 4
 						s = 1 << ((sib >> 6) & 3)
-						i = Reg.new(ii, adsz)
+						if h[:mrmvex]
+							i = SimdReg.new(ii, h[:mrmvex])
+						else
+							i = Reg.new(ii, adsz)
+						end
 					end
 					bb = sib & 7
@@ -52,11 +60,12 @@ class Ia32
 				end
 			}
-			if imm and imm.reduce.kind_of? Integer and imm.reduce < -0x10_0000
+			if imm and ir = imm.reduce and ir.kind_of?(Integer) and ir < 0 and (ir < -0x10_0000 or (!b and !i))
 				# probably a base address -> unsigned
 				imm = Expression[imm.reduce & ((1 << (adsz || 32)) - 1)]
 			end
+			opsz = h[:argsz] if h[:argsz]
 			new adsz, opsz, s, i, b, imm, seg
 		end
 	end
@@ -90,8 +99,7 @@ class Ia32
 			msk = op.bin_mask[0]
 			for i in b..(b | (255^msk))
-				next if i & msk != b & msk
-				lookaside[i] << op
+				lookaside[i] << op if i & msk == b & msk
 			end
 		}
 		lookaside
@@ -117,8 +125,6 @@ class Ia32
 				v = byte & 7
 			end
 			instr.prefix[:seg] = SegReg.new(v)
-			instr.prefix[:jmphint] = ((byte & 0x10) == 0x10)
 		else
 			return false
 		end
@@ -133,11 +139,10 @@ class Ia32
 		while edata.ptr < edata.data.length
 			pfx = di.instruction.prefix || {}
 			byte = edata.data[edata.ptr]
-			byte = byte.unpack('C').first if byte.kind_of? ::String	# 1.9
+			byte = byte.unpack('C').first if byte.kind_of?(::String)
 			return di if di.opcode = @bin_lookaside[byte].find { |op|
 				# fetch the relevant bytes from edata
 				bseq = edata.data[edata.ptr, op.bin.length].unpack('C*')
-				di.opcode = op if op.props[:opsz]	# needed by opsz(di)
 				# check against full opcode mask
 				op.bin.zip(bseq, op.bin_mask).all? { |b1, b2, m| b2 and ((b1 & m) == (b2 & m)) } and
@@ -147,12 +152,17 @@ class Ia32
 				  (fld = op.fields[:seg2A]  and (bseq[fld[0]] >> fld[1]) & @fields_mask[:seg2A] == 1) or
 				  (fld = op.fields[:seg3A]  and (bseq[fld[0]] >> fld[1]) & @fields_mask[:seg3A] < 4) or
 				  (fld = op.fields[:seg3A] || op.fields[:seg3] and (bseq[fld[0]] >> fld[1]) & @fields_mask[:seg3] > 5) or
-				  (fld = op.fields[:modrmA] and (bseq[fld[0]] >> fld[1]) & 0xC0 == 0xC0) or
-				  (sz = op.props[:opsz] and opsz(di) != sz) or
+				  (op.props[:modrmA] and fld = op.fields[:modrm] and (bseq[fld[0]] >> fld[1]) & 0xC0 == 0xC0) or
+				  (op.props[:modrmR] and fld = op.fields[:modrm] and (bseq[fld[0]] >> fld[1]) & 0xC0 != 0xC0) or
+				  (fld = op.fields[:vex_vvvv] and @size != 64 and (bseq[fld[0]] >> fld[1]) & @fields_mask[:vex_vvvv] < 8) or
+				  (sz = op.props[:opsz] and opsz(di, op) != sz) or
+				  (sz = op.props[:adsz] and adsz(di, op) != sz) or
 				  (ndpfx = op.props[:needpfx] and not pfx[:list].to_a.include? ndpfx) or
+				  (pfx[:adsz] and op.props[:adsz] and op.props[:adsz] == @size) or
 				  # return non-ambiguous opcode (eg push.i16 in 32bit mode) / sync with addop_post in opcode.rb
-				  (pfx[:opsz] and (op.args == [:i] or op.args == [:farptr] or op.name[0, 3] == 'ret') and not op.props[:opsz]) or
-				  (pfx[:adsz] and op.props[:adsz] and op.props[:adsz] == @size)
+				  (pfx[:opsz] and not op.props[:opsz] and (op.args == [:i] or op.args == [:farptr] or op.name == 'ret')) or
+				  (pfx[:adsz] and not op.props[:adsz] and (op.props[:strop] or op.props[:stropz] or op.args.include?(:mrm_imm) or op.args.include?(:modrm) or op.name =~ /loop|xlat/)) or
+				  (op.name == 'nop' and op.bin[0] == 0x90 and di.instruction.prefix and di.instruction.prefix[:rex_b])
 				 )
 			}
@@ -174,19 +184,21 @@ class Ia32
 		when 0xF2, 0xF3; pfx.delete :rep
 		end
+		if op.props[:setip] and not op.props[:stopexec] and pfx[:seg]
+			case pfx.delete(:seg).val
+			when 1; pfx[:jmphint] = 'hintnojmp'
+			when 3; pfx[:jmphint] = 'hintjmp'
+			end
+		end
 		field_val = lambda { |f|
 			if fld = op.fields[f]
 				(bseq[fld[0]] >> fld[1]) & @fields_mask[f]
 			end
 		}
-		opsz = opsz(di)
-		if pfx[:adsz]
-			adsz = 48 - @size
-		else
-			adsz = @size
-		end
+		opsz = op.props[:argsz] || opsz(di)
+		adsz = (pfx[:adsz] ? 48 - @size : @size)
 		mmxsz = ((op.props[:xmmx] && pfx[:opsz]) ? 128 : 64)
 		op.args.each { |a|
@@ -194,19 +206,28 @@ class Ia32
 			when :reg;    Reg.new     field_val[a], opsz
 			when :eeec;   CtrlReg.new field_val[a]
 			when :eeed;   DbgReg.new  field_val[a]
+			when :eeet;   TstReg.new  field_val[a]
 			when :seg2, :seg2A, :seg3, :seg3A; SegReg.new field_val[a]
 			when :regfp;  FpReg.new   field_val[a]
 			when :regmmx; SimdReg.new field_val[a], mmxsz
 			when :regxmm; SimdReg.new field_val[a], 128
+			when :regymm; SimdReg.new field_val[a], 256
 			when :farptr; Farptr.decode edata, @endianness, opsz
 			when :i8, :u8, :u16; Expression[edata.decode_imm(a, @endianness)]
 			when :i; Expression[edata.decode_imm("#{op.props[:unsigned_imm] ? 'a' : 'i'}#{opsz}".to_sym, @endianness)]
-			when :mrm_imm;  ModRM.decode edata, (adsz == 16 ? 6 : 5), @endianness, adsz, opsz, pfx[:seg]
-			when :modrm, :modrmA; ModRM.decode edata, field_val[a], @endianness, adsz, opsz, pfx[:seg]
-			when :modrmmmx; ModRM.decode edata, field_val[:modrm], @endianness, adsz, mmxsz, pfx[:seg], SimdReg
-			when :modrmxmm; ModRM.decode edata, field_val[:modrm], @endianness, adsz, 128, pfx[:seg], SimdReg
+			when :mrm_imm;  ModRM.decode edata, (adsz == 16 ? 6 : 5), @endianness, adsz, opsz, pfx.delete(:seg)
+			when :modrm; ModRM.decode edata, field_val[:modrm], @endianness, adsz, opsz, pfx.delete(:seg)
+			when :modrmmmx; ModRM.decode edata, field_val[:modrm], @endianness, adsz, mmxsz, pfx.delete(:seg), SimdReg, :argsz => op.props[:argsz]
+			when :modrmxmm; ModRM.decode edata, field_val[:modrm], @endianness, adsz, 128, pfx.delete(:seg), SimdReg, :argsz => op.props[:argsz], :mrmvex => op.props[:mrmvex]
+			when :modrmymm; ModRM.decode edata, field_val[:modrm], @endianness, adsz, 256, pfx.delete(:seg), SimdReg, :argsz => op.props[:argsz], :mrmvex => op.props[:mrmvex]
+			when :vexvreg; Reg.new((field_val[:vex_vvvv] ^ 0xf), opsz)
+			when :vexvxmm; SimdReg.new((field_val[:vex_vvvv] ^ 0xf), 128)
+			when :vexvymm; SimdReg.new((field_val[:vex_vvvv] ^ 0xf), 256)
+			when :i4xmm; SimdReg.new((edata.decode_imm(:u8, @endianness) >> 4) & 7, 128)
+			when :i4ymm; SimdReg.new((edata.decode_imm(:u8, @endianness) >> 4) & 7, 256)
 			when :imm_val1; Expression[1]
 			when :imm_val3; Expression[3]
@@ -220,6 +241,8 @@ class Ia32
 		di.bin_length += edata.ptr - before_ptr
+		return false if edata.ptr > edata.length
 		if op.name == 'movsx' or op.name == 'movzx'
 			if di.opcode.props[:argsz] == 8
 				di.instruction.args[1].sz = 8
@@ -231,9 +254,10 @@ class Ia32
 			else
 				di.instruction.args[0].sz = @size
 			end
+		elsif op.name == 'crc32'
+			di.instruction.args[0].sz = 32
 		end
-		pfx.delete :seg
 		case pfx.delete(:rep)
 		when :nz
 			if di.opcode.props[:strop]
@@ -256,7 +280,7 @@ class Ia32
 	# adds the eip delta to the offset +off+ of the instruction (may be an Expression) + its bin_length
 	# do not call twice on the same di !
 	def decode_instr_interpret(di, addr)
-		if di.opcode.props[:setip] and di.instruction.args.last.kind_of? Expression and di.instruction.opname[0, 3] != 'ret'
+		if di.opcode.props[:setip] and di.instruction.args.last.kind_of? Expression and di.instruction.opname !~ /^i?ret/
 			delta = di.instruction.args.last.reduce
 			arg = Expression[[addr, :+, di.bin_length], :+, delta].reduce
 			di.instruction.args[-1] = Expression[arg]
@@ -299,17 +323,16 @@ class Ia32
 		end
 	end
-	# hash opcode_name => lambda { |dasm, di, *symbolic_args| instr_binding }
-	def backtrace_binding
-		@backtrace_binding ||= init_backtrace_binding
+	def opsz(di, op=nil)
+		if di and di.instruction.prefix and di.instruction.prefix[:opsz] and (op || di.opcode).props[:needpfx] != 0x66; 48-@size
+		else @size
+		end
 	end
-	def backtrace_binding=(b) @backtrace_binding = b end
-	def opsz(di)
-		ret = @size
-		ret = di.opcode.props[:argsz] if di and di.opcode.props[:argsz]
-		ret = 48 - ret if di and not di.opcode.props[:argsz] and di.instruction.prefix and di.instruction.prefix[:opsz]
-		ret
+	def adsz(di, op=nil)
+		if di and di.instruction.prefix and di.instruction.prefix[:adsz] and (op || di.opcode).props[:needpfx] != 0x67; 48-@size
+		else @size
+		end
 	end
 	# populate the @backtrace_binding hash with default values
@@ -317,15 +340,37 @@ class Ia32
 		@backtrace_binding ||= {}
 		eax, ecx, edx, ebx, esp, ebp, esi, edi = register_symbols
+		ebx = ebx
 		mask = lambda { |di| (1 << opsz(di))-1 }	# 32bits => 0xffff_ffff
 		sign = lambda { |v, di| Expression[[[v, :&, mask[di]], :>>, opsz(di)-1], :'!=', 0] }
 		opcode_list.map { |ol| ol.basename }.uniq.sort.each { |op|
 			binding = case op
-			when 'mov', 'movsx', 'movzx', 'movsxd', 'movd', 'movq'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
+			when 'mov', 'movzx', 'movd', 'movq'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
+			when 'movsx', 'movsxd'
+				lambda { |di, a0, a1|
+					sz1 = di.instruction.args[1].sz
+					sign1 = Expression[[a1, :>>, sz1-1], :&, 1]
+					{ a0 => Expression[[a1, :|, [sign1, :*, (-1 << sz1)]], :&, mask[di]] }
+				}
 			when 'lea'; lambda { |di, a0, a1| { a0 => a1.target } }
-			when 'xchg'; lambda { |di, a0, a1| { a0 => Expression[a1], a1 => Expression[a0] } }
+			when 'xchg'; lambda { |di, a0, a1|
+				# specialcase xchg al, ah (conflict on eax not handled in get_backtrace_binding)
+				if a0.kind_of?(Expression) and a1.kind_of?(Expression) and
+						a0.op == :& and a0.rexpr == 255 and
+						a1.op == :& and a1.rexpr == 255 and
+						((a0.lexpr.kind_of?(Expression) and a0.lexpr.lexpr == a1.lexpr and a0.lexpr.op == :>> and a0.lexpr.rexpr == 8) or
+						 (a1.lexpr.kind_of?(Expression) and a1.lexpr.lexpr == a0.lexpr and a1.lexpr.op == :>> and a1.lexpr.rexpr == 8))
+					tgreg = a0.lexpr.kind_of?(Expression) ? a1.lexpr : a0.lexpr
+					invmask = (@size == 64 ? 0xffff_ffff_ffff_0000 : 0xffff_0000)
+					{ tgreg => Expression[[tgreg, :&, invmask], :|,
+					   [[[tgreg, :>>, 8], :&, 0x00ff], :|,
+					    [[tgreg, :<<, 8], :&, 0xff00]]] }
+				else
+					{ a0 => Expression[a1], a1 => Expression[a0] }
+				end
+			}
 			when 'add', 'sub', 'or', 'xor', 'and', 'pxor', 'adc', 'sbb'
 				lambda { |di, a0, a1|
 					e_op = { 'add' => :+, 'sub' => :-, 'or' => :|, 'and' => :&, 'xor' => :^, 'pxor' => :^, 'adc' => :+, 'sbb' => :- }[op]
@@ -345,13 +390,28 @@ class Ia32
 				lambda { |di, a0, a1|
 					e_op = (op[2] == ?r ? :>> : :<<)
 					inv_op = {:<< => :>>, :>> => :<< }[e_op]
-					sz = [a1, :%, opsz(di)]
-					isz = [[opsz(di), :-, a1], :%, opsz(di)]
+					operandsize = di.instruction.args[0].sz
+					operandmask = (1 << operandsize) - 1
+					sz = [a1, :%, operandsize]
+					isz = [[operandsize, :-, a1], :%, operandsize]
 					# ror a, b  =>  (a >> b) | (a << (32-b))
-					{ a0 => Expression[[[a0, e_op, sz], :|, [a0, inv_op, isz]], :&, mask[di]] }
+					{ a0 => Expression[[[[a0, :&, operandmask], e_op, sz], :|, [[a0, :&, operandmask], inv_op, isz]], :&, operandmask] }
 				}
-			when 'sar', 'shl', 'sal'; lambda { |di, a0, a1| { a0 => Expression[a0, (op[-1] == ?r ? :>> : :<<), [a1, :%, [opsz(di), 32].max]] } }
+			when 'shl', 'sal'; lambda { |di, a0, a1| { a0 => Expression[a0, (op[-1] == ?r ? :>> : :<<), [a1, :%, [opsz(di), 32].max]] } }
+			when 'sar'; lambda { |di, a0, a1|
+				sz = [opsz(di), 32].max
+				a1 = [a1, :%, sz]
+				{ a0 => Expression[[a0, :>>, a1], :|,
+						   [[[mask[di], :*, sign[a0, di]], :<<, [sz, :-, a1]], :&, mask[di]]] } }
 			when 'shr'; lambda { |di, a0, a1| { a0 => Expression[[a0, :&, mask[di]], :>>, [a1, :%, opsz(di)]] } }
+			when 'shrd'
+				lambda { |di, a0, a1, a2|
+					{ a0 => Expression[[a0, :>>, [a2, :%, opsz(di)]], :|, [a1, :<<, [[opsz(di), :-, a2], :%, opsz(di)]]] }
+				}
+			when 'shld'
+				lambda { |di, a0, a1, a2|
+					{ a0 => Expression[[a0, :<<, [a2, :%, opsz(di)]], :|, [a1, :>>, [[opsz(di), :-, a2], :%, opsz(di)]]] }
+				}
 			when 'cwd', 'cdq', 'cqo'; lambda { |di| { Expression[edx, :&, mask[di]] => Expression[mask[di], :*, sign[eax, di]] } }
 			when 'cbw', 'cwde', 'cdqe'; lambda { |di|
 				o2 = opsz(di)/2 ; m2 = (1 << o2) - 1
@@ -362,7 +422,7 @@ class Ia32
 			when 'pop'
 				lambda { |di, a0| { esp => Expression[esp, :+, opsz(di)/8],
 					a0 => Indirection[esp, opsz(di)/8, di.address] } }
-			when 'pushfd'
+			when 'pushfd', 'pushf', 'pushfq'
 				# TODO Unknown per bit
 				lambda { |di|
 					efl = Expression[0x202]
@@ -372,12 +432,12 @@ class Ia32
 					bts[7, :eflag_s]
 					bts[11, :eflag_o]
 					{ esp => Expression[esp, :-, opsz(di)/8], Indirection[esp, opsz(di)/8, di.address] => efl }
-			       	}
-			when 'popfd'
+				}
+			when 'popfd', 'popf', 'popfq'
 				lambda { |di| bt = lambda { |pos| Expression[[Indirection[esp, opsz(di)/8, di.address], :>>, pos], :&, 1] }
 					{ esp => Expression[esp, :+, opsz(di)/8], :eflag_c => bt[0], :eflag_z => bt[6], :eflag_s => bt[7], :eflag_o => bt[11] } }
 			when 'sahf'
-				lambda { |di| bt = lambda { |pos| Expression[[eax, :>>, pos], :&, 1] }
+				lambda { |di| bt = lambda { |pos| Expression[[eax, :>>, 8+pos], :&, 1] }
 					{ :eflag_c => bt[0], :eflag_z => bt[6], :eflag_s => bt[7] } }
 			when 'lahf'
 				lambda { |di|
@@ -386,7 +446,7 @@ class Ia32
 					bts[0, :eflag_c] #bts[2, :eflag_p] #bts[4, :eflag_a]
 					bts[6, :eflag_z]
 					bts[7, :eflag_s]
-					{ eax => efl }
+					{ Expression[[eax, :>>, 8], :&, 0xff] => efl }
 				}
 			when 'pushad'
 				lambda { |di|
@@ -411,9 +471,25 @@ class Ia32
 					ret
 				}
 			when 'call'
-				lambda { |di, a0| { esp => Expression[esp, :-, opsz(di)/8],
-					Indirection[esp, opsz(di)/8, di.address] => Expression[di.next_addr] } }
+				lambda { |di, a0|
+					sz = opsz(di)/8
+					if a0.kind_of? Farptr
+						{ esp => Expression[esp, :-, 2*sz],
+						  Indirection[esp, sz, di.address] => Expression[di.next_addr],
+						  Indirection[[esp, :+, sz], sz, di.address] => Expression::Unknown }
+					else
+						{ esp => Expression[esp, :-, sz],
+						  Indirection[esp, sz, di.address] => Expression[di.next_addr] }
+					end
+				}
+			when 'callf'
+				lambda { |di, a0|
+					sz = opsz(di)/8
+					{ esp => Expression[esp, :-, 2*sz],
+					  Indirection[esp, sz, di.address] => Expression[di.next_addr],
+					  Indirection[[esp, :+, sz], sz, di.address] => Expression::Unknown } }
 			when 'ret'; lambda { |di, *a| { esp => Expression[esp, :+, [opsz(di)/8, :+, a[0] || 0]] } }
+			when 'retf';lambda { |di, *a| { esp => Expression[esp, :+, [opsz(di)/4, :+, a[0] || 0]] } }
 			when 'loop', 'loopz', 'loopnz'; lambda { |di, a0| { ecx => Expression[ecx, :-, 1] } }
 			when 'enter'
 				lambda { |di, a0, a1|
@@ -426,7 +502,7 @@ class Ia32
 					(1..depth).each { |i|
 						b[Indirection[[esp, :+, a0.reduce+i*sz], sz, di.address]] =
 						b[Indirection[[ebp, :-, i*sz], sz, di.address]] =
-						       	Expression::Unknown # TODO Indirection[[ebp, :-, i*sz], sz, di.address]
+							Expression::Unknown # TODO Indirection[[ebp, :-, i*sz], sz, di.address]
 					}
 					b
 				}
@@ -434,22 +510,47 @@ class Ia32
 			when 'aaa'; lambda { |di| { eax => Expression::Unknown, :incomplete_binding => Expression[1] } }
 			when 'imul'
 				lambda { |di, *a|
-					# 1 operand form == same as 'mul' (ax:dx stuff)
-					next { eax => Expression::Unknown, edx => Expression::Unknown, :incomplete_binding => Expression[1] } if not a[1]
+					if not a[1]
+						# 1 operand from: store result in edx:eax
+						bd = {}
+						m = mask[di]
+						s = opsz(di)
+						e = Expression[Expression.make_signed(Expression[a[0], :&, m], s), :*, Expression.make_signed(Expression[eax, :&, m], s)]
+						if s == 8
+							bd[Expression[eax, :&, 0xffff]] = e
+						else
+							bd[Expression[eax, :&, m]] = Expression[e, :&, m]
+							bd[Expression[edx, :&, m]] = Expression[[e, :>>, opsz(di)], :&, m]
+						end
+						# XXX eflags?
+						next bd
+					end
 					if a[2]; e = Expression[a[1], :*, a[2]]
 					else e = Expression[[a[0], :*, a[1]], :&, (1 << (di.instruction.args.first.sz || opsz(di))) - 1]
 					end
 					{ a[0] => e }
 				}
-			when 'mul', 'div', 'idiv'; lambda { |di, *a| { eax => Expression::Unknown, edx => Expression::Unknown, :incomplete_binding => Expression[1] } }
+			when 'mul'
+				lambda { |di, *a|
+					m = mask[di]
+					e = Expression[a, :*, [eax, :&, m]]
+					if opsz(di) == 8
+						{ Expression[eax, :&, 0xffff] => e }
+					else
+						{ Expression[eax, :&, m] => Expression[e, :&, m],
+						  Expression[edx, :&, m] => Expression[[e, :>>, opsz(di)], :&, m] }
+					end
+				}
+			when 'div', 'idiv'; lambda { |di, *a| { eax => Expression::Unknown, edx => Expression::Unknown, :incomplete_binding => Expression[1] } }
 			when 'rdtsc'; lambda { |di| { eax => Expression::Unknown, edx => Expression::Unknown, :incomplete_binding => Expression[1] } }
-			when /^(stos|movs|lods|scas|cmps)[bwd]$/
-				lambda { |di|
-					op =~ /^(stos|movs|lods|scas|cmps)([bwd])$/
+			when /^(stos|movs|lods|scas|cmps)[bwdq]$/
+				lambda { |di, *a|
+					next {:incomplete_binding => 1} if di.opcode.args.include?(:regxmm)	# XXX movsd xmm0, xmm1...
+					op =~ /^(stos|movs|lods|scas|cmps)([bwdq])$/
 					e_op = $1
-					sz = { 'b' => 1, 'w' => 2, 'd' => 4 }[$2]
-					eax_ = Reg.new(0, 8*sz).symbolic
+					sz = { 'b' => 1, 'w' => 2, 'd' => 4, 'q' => 8 }[$2]
+					eax_ = self.class::Reg.new(0, 8*sz).symbolic
 					dir = :+
 					if di.block and (di.block.list.find { |ddi| ddi.opcode.name == 'std' } rescue nil)
 						dir = :-
@@ -476,7 +577,7 @@ class Ia32
 						end
 					when 'scas'
 						case pfx[:rep]
-						when nil; { edi => Expression[edi, dir, sz] }
+						when nil; { edi => Expression[edi, dir, sz], :eflag_z => Expression[pedi, :==, Expression[eax, :&, (1 << (sz*8))-1]] }
 						else { edi => Expression::Unknown, ecx => Expression::Unknown }
 						end
 					when 'cmps'
@@ -505,7 +606,7 @@ class Ia32
 					ret
 				}
 			when 'fstenv', 'fnstenv'
-			       	lambda { |di, a0|
+				lambda { |di, a0|
 					# stores the address of the last non-control fpu instr run
 					lastfpuinstr = di.block.list[0...di.block.list.index(di)].reverse.find { |pdi|
 						case pdi.opcode.name
@@ -534,7 +635,8 @@ class Ia32
 				a0 => Expression[a0, :^, [1, :<<, [a1, :%, opsz(di)]]] } }
 			when 'bswap'
 				lambda { |di, a0|
-					if opsz(di) == 64
+					case opsz(di)
+					when 64
 						{ a0 => Expression[
 							[[[[a0, :&, 0xff000000_00000000], :>>, 56],   :|,
 							  [[a0, :&, 0x00ff0000_00000000], :>>, 40]],  :|,
@@ -544,14 +646,35 @@ class Ia32
 							  [[a0, :&, 0x00000000_00ff0000], :<<, 24]],  :|,
 							 [[[a0, :&, 0x00000000_0000ff00], :<<, 40],   :|,
 							  [[a0, :&, 0x00000000_000000ff], :<<, 56]]]] }
-					else	# XXX opsz != 32 => undef
+					when 32
 						{ a0 => Expression[
 							[[[a0, :&, 0xff000000], :>>, 24],  :|,
 							 [[a0, :&, 0x00ff0000], :>>,  8]], :|,
 							[[[a0, :&, 0x0000ff00], :<<,  8],  :|,
 							 [[a0, :&, 0x000000ff], :<<, 24]]] }
+					when 16
+						# bswap ax => mov ax, 0
+						{ a0 => 0 }
 					end
 				}
+			when 'movdqa', 'movdqu', 'movaps', 'movups'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
+			when 'cmpxchg'; lambda { |di, a0, a1|	# eax == a0 ? a0 <= a1, zf <= 1 : eax <= a0, zf <= 0
+				eax_ = self.class::Reg.new(0, opsz(di)).symbolic
+				cmp = Expression[eax_, :==, a0]
+				{ :eflag_z => cmp,
+				  eax_ => Expression[[cmp, :*, eax_], :|, [[1, :-, cmp], :*, a0]],
+				  a0 => Expression[[cmp, :*, a1], :|, [[1, :-, cmp], :*, a0]] } }
+			when 'cmpxchg8b', 'cmpxchg16b'; lambda { |di, a0|	# edx:eax == mem ? mem <= ecx:ebx, zf <= 1 : edx:eax <= mem, zf <= 0
+				sz = (di.opcode.name =~ /8b/ ? 32 : 64)
+				eax_ = self.class::Reg.new(0, sz).symbolic
+				ecx_ = self.class::Reg.new(1, sz).symbolic
+				edx_ = self.class::Reg.new(2, sz).symbolic
+				ebx_ = self.class::Reg.new(3, sz).symbolic
+				cmp = Expression[[[edx_, :<<, sz], :|, eax_], :==, a0]
+				{ :eflag_z => cmp,
+				  eax_ => Expression[[cmp, :*, eax_], :|, [[1, :-, cmp], :*, [a0, :&, (1 << sz) - 1]]],
+				  edx_ => Expression[[cmp, :*, edx_], :|, [[1, :-, cmp], :*, [a0, :>>, sz]]],
+				  a0 => Expression[[cmp, :*, [[ecx_, :<<, sz], :|, ebx_]], :|, [[1, :-, cmp], :*, a0]] } }
 			when 'nop', 'pause', 'wait', 'cmp', 'test'; lambda { |di, *a| {} }
 			end
@@ -579,7 +702,7 @@ class Ia32
 						end
 					ret
 				}
-			when 'inc', 'dec', 'neg', 'shl', 'shr', 'sar', 'ror', 'rol', 'rcr', 'rcl', 'shld', 'shrd'
+			when 'inc', 'dec', 'neg', 'shl', 'shr', 'sal', 'sar', 'ror', 'rol', 'rcr', 'rcl', 'shld', 'shrd'
 				lambda { |di, a0, *a|
 					ret = (binding ? binding[di, a0, *a] : {})
 					res = ret[a0] || Expression::Unknown
@@ -588,6 +711,8 @@ class Ia32
 					case op
 					when 'neg'; ret[:eflag_c] = Expression[[res, :&, mask[di]], :'!=', 0]
 					when 'inc', 'dec'	# don't touch carry flag
+					when 'shr', 'sar', 'shrd'; ret[:eflag_c] = Expression[[a0, :>>, [a[0], :-, 1]], :&, 1]	# XXX shr 0 => no touch flag
+					when 'shl', 'sal', 'shld'; ret[:eflag_c] = Expression[[a0, :>>, [di.instruction.args[0].sz, :-, a[0]]], :&, 1]
 					else ret[:eflag_c] = Expression::Unknown	# :incomplete_binding ?
 					end
 					ret[:eflag_o] = case op
@@ -601,7 +726,11 @@ class Ia32
 			when 'imul', 'mul', 'idiv', 'div', /^(scas|cmps)[bwdq]$/
 				lambda { |di, *a|
 					ret = (binding ? binding[di, *a] : {})
-					ret[:eflag_z] = ret[:eflag_s] = ret[:eflag_c] = ret[:eflag_o] = Expression::Unknown	# :incomplete_binding ?
+					ret[:eflag_z] ||= Expression::Unknown
+					ret[:eflag_s] ||= Expression::Unknown
+					ret[:eflag_c] ||= Expression::Unknown
+					ret[:eflag_o] ||= Expression::Unknown
+					# :incomplete_binding ?
 					ret
 				}
 			end
@@ -611,8 +740,8 @@ class Ia32
 		@backtrace_binding
 	end
-	# returns the condition (bool Expression) under which a conditionnal jump is taken
-	# returns nil if not a conditionnal jump
+	# returns the condition (bool Expression) under which a conditional jump is taken
+	# returns nil if not a conditional jump
 	# backtrace for the condition must include the jump itself (eg loop -> ecx--)
 	def get_jump_condition(di)
 		ecx = register_symbols[1]
@@ -627,12 +756,7 @@ class Ia32
 	end
 	def get_backtrace_binding(di)
-		a = di.instruction.args.map { |arg|
-			case arg
-			when ModRM, Reg, SimdReg; arg.symbolic(di)
-			else arg
-			end
-		}
+		a = di.instruction.args.map { |arg| symbolic(arg, di) }
 		if binding = backtrace_binding[di.opcode.basename]
 			bd = binding[di, *a]
@@ -674,6 +798,40 @@ class Ia32
 		end
 	end
+	# patch a forward binding from the backtrace binding
+	# fixes fwdemu for push/pop/call/ret
+	def fix_fwdemu_binding(di, fbd)
+		if di.instruction.args.grep(ModRM).find { |m| m.seg and m.symbolic(di).target.lexpr =~ /^segment_base_/ }
+			fbd = fbd.dup
+			fbd[:incomplete_binding] = Expression[1]
+		end
+		case di.opcode.name
+		when /^push/, 'call'
+			ori = fbd
+			fbd = {}
+			sz = opsz(di)/8
+			esp = register_symbols[4]
+			if ori[esp] and ori[Indirection[esp, sz]]
+				ori.each { |k, v|
+					if k.kind_of?(Indirection)
+						fbd[k.bind(esp => ori[esp]).reduce_rec] = v
+					else
+						fbd[k] = v
+					end
+				}
+			else
+				fbd = ori.dup
+				fbd[:incomplete_binding] = Expression[1]	# TODO
+			end
+		when /^pop/, 'ret' # nothing to do
+		when /^(push|pop|call|ret|enter|leave|stos|movs|lods|scas|cmps)/
+			fbd = fbd.dup
+			fbd[:incomplete_binding] = Expression[1]	# TODO
+		end
+		fbd
+	end
 	def get_xrefs_x(dasm, di)
 		return [] if not di.opcode.props[:setip]
@@ -681,9 +839,8 @@ class Ia32
 		case di.opcode.basename
 		when 'ret'; return [Indirection[register_symbols[4], sz/8, di.address]]
 		when 'jmp', 'call'
-			a = di.instruction.args.first
-			if dasm and a.kind_of?(ModRM) and a.imm and a.s == sz/8 and not a.b and dasm.get_section_at(a.imm)
-				return get_xrefs_x_jmptable(dasm, di, a, sz)
+			if dasm and not di.instruction.args.first.kind_of?(Expression) and switch_table = get_xrefs_x_jmptable(dasm, di)
+				return switch_table
 			end
 		end
@@ -695,57 +852,57 @@ class Ia32
 		when Expression, ::Integer; [Expression[tg]]
 		when Farptr; tg.seg.reduce < 0x30 ? [tg.addr] : [Expression[[tg.seg, :*, 0x10], :+, tg.addr]]
 		else
-			puts "unhandled setip at #{di.address} #{di.instruction}" if $DEBUG
+			puts "unhandled setip at #{Expression[di.address]} #{di.instruction}" if $DEBUG
 			[]
 		end
 	end
-	# we detected a jmp table (jmp [base+4*idx])
-	# try to return an accurate dest list
-	def get_xrefs_x_jmptable(dasm, di, mrm, sz)
-		# include the symbolic dest for backtrack stuff
-		ret = [Expression[mrm.symbolic(di)]]
-		i = mrm.i
-		if di.block.list.length == 2 and di.block.list[0].opcode.name =~ /^mov/ and a0 = di.block.list[0].instruction.args[0] and
-				a0.respond_to? :symbolic and a0.symbolic == i.symbolic
-			i = di.block.list[0].instruction.args[1]
-		end
-		pb = di.block.from_normal.to_a
-		if pb.length == 1 and pdi = dasm.decoded[pb[0]] and pdi.opcode.name =~ /^jn?be?/ and ppdi = pdi.block.list[-2] and ppdi.opcode.name == 'cmp' and
-				ppdi.instruction.args[0].symbolic == i.symbolic and lim = Expression[ppdi.instruction.args[1]].reduce and lim.kind_of? Integer
-			# cmp eax, 42 ; jbe switch ; switch: jmp [base+4*eax]
-			s = dasm.get_section_at(mrm.imm)
-			lim += 1 if pdi.opcode.name[-1] == ?e
-			lim.times { |v|
-				dasm.add_xref(s[1]+s[0].ptr, Xref.new(:r, di.address, sz/8))
-				ret << Indirection[[mrm.imm, :+, v*sz/8], sz/8, di.address]
-				s[0].read(sz/8)
+	# indirect call, try to match a switch table pattern (eg jmp [base+4*idx])
+	# return a list of target addresses if found, nil otherwise
+	def get_xrefs_x_jmptable(dasm, di)
+		puts "search jmptable for #{Expression[di.address]} #{di.instruction}" if $DEBUG
+		arg0 = di.instruction.args.first.symbolic(di)
+		bt_log = []
+		dasm.backtrace(arg0, di.address, :maxdepth => 3, :log => bt_log)
+		expr = nil
+		index = nil
+		index_max = nil
+		bt_log.each { |btl|
+			next if btl[0] != :up
+			last = dasm.di_at(btl[4])
+			break if not last or last.block.to_normal.length > 2
+			next if last.block.to_normal.length != 2
+			# search cmp eax, 42 ; ja too_big ; jmp [base+4*eax]
+			# XXX 256 cases switch => no cmp...
+			prelast = last.block.list.reverse.find { |pl| pl.opcode.name == 'cmp' }
+			break unless prelast and cmp_value = prelast.instruction.args.last and cmp_value.kind_of?(Expression) and cmp_value.reduce.kind_of?(::Integer)
+			cmp_value = cmp_value.reduce % (1 << prelast.instruction.args.first.sz)	# cmp al, -12h ; jnbe => -12h is unsigned 0eeh
+			index = prelast.instruction.args.first.symbolic(prelast)
+			index = index.externals.first if index.kind_of?(Expression)	# cmp bl, 13 => ebx
+			expr = Expression[btl[1], :&, ((1 << @size) - 1)]		# XXX without the mask, additions may overflow (this breaks elsewhere too, need Expr32)
+			(expr.externals.grep(Symbol) - [index]).uniq.each { |r|
+				rv = dasm.backtrace(r, prelast.address, :maxdepth => 3)
+				expr = expr.bind(r => rv[0]) if rv.length == 1
 			}
-			l = dasm.auto_label_at(mrm.imm, 'jmp_table', 'xref')
-			replace_instr_arg_immediate(di.instruction, mrm.imm, Expression[l])
-			return ret
-		end
-		puts "unrecognized jmp table pattern, using wild guess for #{di}" if $VERBOSE
-		di.add_comment 'wildguess'
-		if s = dasm.get_section_at(mrm.imm - 3*sz/8)
-			v = -3
-		else
-			s = dasm.get_section_at(mrm.imm)
-			v = 0
-		end
-		loop do
-			ptr = dasm.normalize s[0].decode_imm("u#{sz}".to_sym, @endianness)
-			diff = Expression[ptr, :-, di.address].reduce
-			if (diff.kind_of? ::Integer and diff.abs < 4096) or (di.opcode.basename == 'call' and ptr != 0 and dasm.get_section_at(ptr))
-				dasm.add_xref(s[1]+s[0].ptr-sz/8, Xref.new(:r, di.address, sz/8))
-				ret << Indirection[[mrm.imm, :+, v*sz/8], sz/8, di.address]
-			elsif v > 0
-				break
+			cmp_value = prelast.instruction.args.last.reduce % (1 << prelast.instruction.args.first.sz)
+			case last.opcode.name
+			when 'jae', 'jb', 'jnae', 'jnb'; index_max = cmp_value-1
+			when 'ja', 'jbe', 'jna', 'jnbe'; index_max = cmp_value
+			else; expr = nil
 			end
-			v += 1
+			break
+		}
+		if expr and expr.externals.grep(Symbol).uniq == [index]
+			# yay !
+			# include the symbolic dest for backtrace stuff
+			puts "found jmptable for #{Expression[di.address]} #{di.instruction} (#{index_max+1} entries)" if $VERBOSE
+			# TODO add labels / tables / xrefs etc
+			[Expression[arg0]] + (0..index_max).map { |i| expr.bind(index => i) }
 		end
-		ret
 	end
 	# checks if expr is a valid return expression matching the :saveip instruction
@@ -1087,11 +1244,15 @@ class Ia32
 	# the binding will not include memory access from subfunctions
 	# entry should be an entrypoint of the disassembler if finish is nil
 	# the code sequence must have only one end, with no to_normal
-	def code_binding(dasm, entry, finish=nil)
+	# options:
+	#  :include_flags => include EFLAGS in the returned binding
+	def code_binding(dasm, entry, finish=nil, nargs={})
+		include_flags = nargs.delete :include_flags
 		entry = dasm.normalize(entry)
 		finish = dasm.normalize(finish) if finish
 		lastdi = nil
-		binding = {}
+		bd = {}
 		bt = lambda { |from, expr, inc_start|
 			ret = dasm.backtrace(Expression[expr], from, :snapshot_addr => entry, :include_start => inc_start)
 			ret.length == 1 ? ret.first : Expression::Unknown
@@ -1116,7 +1277,7 @@ class Ia32
 					get_xrefs_w(dasm, di).each { |waddr, len|
 						# we want the ptr expressed with reg values at entry
 						ptr = bt[a, waddr, false]
-						binding[Indirection[ptr, len, a]] = bt[a, Indirection[waddr, len, a], true]
+						bd[Indirection[ptr, len, a]] = bt[a, Indirection[waddr, len, a], true]
 					}
 					false
 				end
@@ -1139,13 +1300,13 @@ class Ia32
 				if lastdi.opcode.props[:setip]
 					e = get_xrefs_x(dasm, lastdi)
 					raise 'bad code_binding ending' if e.to_a.length != 1 or not lastdi.opcode.props[:stopexec]
-					binding[:ip] = bt[lastdi.address, e.first, false]
+					bd[:ip] = bt[lastdi.address, e.first, false]
 				elsif not lastdi.opcode.props[:stopexec]
-					binding[:ip] = lastdi.next_addr
+					bd[:ip] = lastdi.next_addr
 				end
 			end
 		end
-		binding.delete_if { |k, v| Expression[k] == Expression[v] }
+		bd.delete_if { |k, v| Expression[k] == Expression[v] }
 		# add register binding
 		raise "no code_binding end" if not lastdi and not finish
@@ -1158,10 +1319,63 @@ class Ia32
 			mask = 0xffff_ffff	# dont use 1<<@size, because 16bit code may use e.g. edi (through opszoverride)
 			mask = 0xffff_ffff_ffff_ffff if @size == 64
 			val = Expression[val, :&, mask].reduce
-			binding[reg] = Expression[val]
+			bd[reg] = Expression[val]
 		}
-		binding
+		# add EFLAGS binding
+		if include_flags
+			[:eflag_z, :eflag_s, :eflag_c, :eflag_o].each { |eflag|
+				val =
+					if lastdi; bt[lastdi.address, eflag, true]
+					else bt[finish, eflag, false]
+					end
+				next if val == Expression[eflag]
+				bd[eflag] = Expression[val.reduce]
+			}
+		end
+		bd
+	end
+	# trace the stack pointer register across a function, rename occurences of esp+XX to esp+var_XX
+	def name_local_vars(dasm, funcaddr)
+		esp = register_symbols[4]
+		func = dasm.function[funcaddr]
+		subs = []
+		dasm.trace_function_register(funcaddr, esp => 0) { |di, r, off, trace|
+			next if r.to_s =~ /flag/
+			if di.opcode.name == 'call' and tf = di.block.to_normal.find { |t| dasm.function[t] and dasm.function[t].localvars }
+				subs << [trace[esp], dasm.function[tf].localvars]
+			end
+			di.instruction.args.grep(ModRM).each { |mrm|
+				b = mrm.b || (mrm.i if mrm.s == 1)
+				# its a modrm => b is read, so ignore r/off (not yet applied), use trace only
+				stackoff = trace[b.symbolic] if b
+				next if not stackoff
+				imm = mrm.imm || Expression[0]
+				frameoff = imm + stackoff
+				if frameoff.kind_of?(::Integer)
+					# XXX register args ? non-ABI standard register args ? (eg optimized x64)
+					str = 'var_%X' % (-frameoff)
+					str = 'arg_%X' % (frameoff-@size/8) if frameoff > 0
+					str = func.get_localvar_stackoff(frameoff, di, str) if func
+					imm = imm.expr if imm.kind_of?(ExpressionString)
+					mrm.imm = ExpressionString.new(imm, str, :stackvar)
+				end
+			}
+			off = off.reduce if off.kind_of?(Expression)
+			next unless off.kind_of?(Integer)
+			off
+		}
+		# if subfunctions are called at a fixed stack offset, rename var_3c -> subarg_0
+		if func and func.localvars and not subs.empty? and subs.all? { |sb| sb[0] == subs.first[0] }
+			func.localvars.each { |varoff, varname|
+				subargnames = subs.map { |o, sb| sb[varoff-o+@size/8] }.compact
+				if subargnames.uniq.length == 1
+					varname.replace 'sub'+subargnames[0]
+				end
+			}
+		end
 	end
 end
 end