metasm 1.0.0 → 1.0.5

data/metasm/cpu/z80/render.rb

@@ -0,0 +1,48 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/z80/opcodes'
+require 'metasm/render'
+
+module Metasm
+class Z80
+	class Reg
+		include Renderable
+		def render ; [self.class.i_to_s[@sz][@i]] end
+	end
+	class Memref
+		include Renderable
+		def render
+			r = ['(']
+			r << @base if @base
+			r << '+' if @base and @offset
+			r << @offset if @offset
+			r << ')'
+		end
+	end
+
+	def gui_hilight_word_regexp_init
+		ret = {}
+
+		# { 'B' => 'B|BC', 'BC' => 'B|C|BC' }
+
+		%w[BC DE HL].each { |w|
+			l0, l1 = w.split(//)
+			ret[l0] = "#{l0}#{l1}?"
+			ret[l1] = "#{l0}?#{l1}"
+			ret[w] = "#{l0}|#{l0}?#{l1}"
+		}
+
+		ret
+	end
+
+	def gui_hilight_word_regexp(word)
+		@gui_hilight_word_hash ||= gui_hilight_word_regexp_init
+		@gui_hilight_word_hash[word] or super(word)
+	end
+
+end
+end

data/{lib/metasm/os/main.rb → metasm/debug.rb}

@@ -3,312 +3,7 @@
 #
 #    Licence is LGPL, see LICENCE in the top-level directory
 
-require 'metasm/main'
-
 module Metasm
-# this module regroups OS-related functions
-# (eg. find_process, inject_shellcode)
-# a 'class' just to be able to inherit from it...
-class OS
-	# represents a running process with a few information, and defines methods to get more interaction (#memory, #debugger)
-	class Process
-		attr_accessor :pid, :path, :modules
-		class Module
-			attr_accessor :path, :addr, :size
-		end
-
-		def initialize(pid=nil)
-			@pid = pid
-		end
-
-		def to_s
-			mod = File.basename(path) rescue nil
-			"#{pid}: ".ljust(6) << (mod || '<unknown>')
-		end
-		def inspect
-			'<Process:' + ["pid: #@pid", modules.to_a.map { |m| " #{'%X' % m.addr} #{m.path}" }].join("\n") + '>'
-		end
-	end
-
-	# returns the Process whose pid is name (if name is an Integer) or first module path includes name (string)
-	def self.find_process(name)
-		case name
-		when nil
-		when Integer
-			list_processes.find { |pr| pr.pid == name }
-		else
-			list_processes.find { |pr| pr.path.to_s.include? name.to_s } or
-				(find_process(Integer(name)) if name =~ /^(0x[0-9a-f]+|[0-9]+)$/i)
-		end
-	end
-
-	# create a new debuggee process stopped at start
-	def self.create_process(path)
-		dbg = create_debugger(path)
-		pr = open_process(dbg.pid)
-		pr.debugger = dbg
-		pr.memory = dbg.memory
-		pr
-	end
-
-	# return the platform-specific version
-	def self.current
-		case RUBY_PLATFORM
-		when /mswin|mingw|cygwin/i; WinOS
-		when /linux/i; LinOS
-		end
-	end
-end
-
-# This class implements an objects that behaves like a regular string, but
-# whose real data is dynamically fetched or generated on demand
-# its size is immutable
-# implements a page cache
-# substrings are Strings (small substring) or another VirtualString
-# (a kind of 'window' on the original VString, when the substring length is > 4096)
-class VirtualString
-	# formats parameters for reading
-	def [](from, len=nil)
-		if not len and from.kind_of? Range
-			b = from.begin
-			e = from.end
-			b = b + length if b < 0
-			e = e + length if e < 0
-			len = e - b
-			len += 1 if not from.exclude_end?
-			from = b
-		end
-		from = from + length if from < 0
-
-		return nil if from > length or (from == length and not len)
-		len = length - from if len and from + len > length
-		return '' if len == 0
-
-		read_range(from, len)
-	end
-
-	# formats parameters for overwriting portion of the string
-	def []=(from, len, val=nil)
-		raise TypeError, 'cannot modify frozen virtualstring' if frozen?
-
-		if not val
-			val = len
-			len = nil
-		end
-		if not len and from.kind_of? Range
-			b = from.begin
-			e = from.end
-			b = b + length if b < 0
-			e = e + length if e < 0
-			len = e - b
-			len += 1 if not from.exclude_end?
-			from = b
-		elsif not len
-			len = 1
-			val = val.chr
-		end
-		from = from + length if from < 0
-
-		raise IndexError, 'Index out of string' if from > length
-		raise IndexError, 'Cannot modify virtualstring length' if val.length != len or from + len > length
-
-		write_range(from, val)
-	end
-
-	# returns the full raw data
-	def realstring
-		ret = ''
-		addr = 0
-		len = length
-		while len > @pagelength
-			ret << self[addr, @pagelength]
-			addr += @pagelength
-			len -= @pagelength
-		end
-		ret << self[addr, len]
-	end
-
-	# alias to realstring
-	# for bad people checking respond_to? :to_str (like String#<<)
-	# XXX alias does not work (not virtual (a la C++))
-	def to_str
-		realstring
-	end
-
-	# forwards unhandled messages to a frozen realstring
-	def method_missing(m, *args, &b)
-		if ''.respond_to? m
-			puts "Using VirtualString.realstring for #{m} from:", caller if $DEBUG
-			realstring.freeze.send(m, *args, &b)
-		else
-			super(m, *args, &b)
-		end
-	end
-
-	# avoid triggering realstring from method_missing if possible
-	def empty?
-		length == 0
-	end
-
-	# avoid triggering realstring from method_missing if possible
-	# heavily used in to find 0-terminated strings in ExeFormats
-	def index(chr, base=0)
-		return if base >= length or base <= -length
-		if i = self[base, 64].index(chr) or i = self[base, @pagelength].index(chr)
-			base + i
-		else
-			realstring.index(chr, base)
-		end
-	end
-
-	# '=~' does not go through method_missing
-	def =~(o)
-		realstring =~ o
-	end
-
-	# implements a read page cache
-
-	# the real address of our first byte
-	attr_accessor :addr_start
-	# our length
-	attr_accessor :length
-	# array of [addr, raw data], sorted by first == last accessed
-	attr_accessor :pagecache
-	# maximum length of self.pagecache (number of cached pages)
-	attr_accessor :pagecache_len
-	def initialize(addr_start, length)
-		@addr_start = addr_start
-		@length = length
-		@pagecache = []
-		@pagecache_len = 4
-		@pagelength ||= 4096	# must be (1 << x)
-	end
-
-	# returns wether a page is valid or not
-	def page_invalid?(addr)
-		cache_get_page(@addr_start+addr)[2]
-	end
-
-	# invalidates the page cache
-	def invalidate
-		@pagecache.clear
-	end
-
-	# returns the @pagelength-bytes page starting at addr
-	# return nil if the page is invalid/inaccessible
-	# addr is page-aligned by the caller
-	# addr is absolute
-	#def get_page(addr, len=@pagelength)
-	#end
-
-	# searches the cache for a page containing addr, updates if not found
-	def cache_get_page(addr)
-		addr &= ~(@pagelength-1)
-		i = 0
-		@pagecache.each { |c|
-			if addr == c[0]
-				# most recently used first
-				@pagecache.unshift @pagecache.delete_at(i) if i != 0
-				return c
-			end
-			i += 1
-		}
-		@pagecache.pop if @pagecache.length >= @pagecache_len
-		c = [addr]
-		p = get_page(addr)
-		c << p.to_s.ljust(@pagelength, "\0")
-		c << true if not p
-		@pagecache.unshift c
-		c
-	end
-
-	# reads a range from the page cache
-	# returns a new VirtualString (using dup) if the request is bigger than @pagelength bytes
-	def read_range(from, len)
-		from += @addr_start
-		if not len
-			base, page = cache_get_page(from)
-			page[from - base]
-		elsif len <= @pagelength
-			base, page = cache_get_page(from)
-			s = page[from - base, len]
-			if from+len-base > @pagelength		# request crosses a page boundary
-				base, page = cache_get_page(from+len)
-				s << page[0, from+len-base]
-			end
-			s
-		else
-			# big request: return a new virtual page
-			dup(from, len)
-		end
-	end
-
-	# rewrites a segment of data
-	# the length written is the length of the content (a VirtualString cannot grow/shrink)
-	def write_range(from, content)
-		invalidate
-		rewrite_at(from + @addr_start, content)
-	end
-
-	# overwrites a section of the original data
-	#def rewrite_at(addr, content)
-	#end
-end
-
-# on-demand reading of a file
-class VirtualFile < VirtualString
-	# returns a new VirtualFile of the whole file content (defaults readonly)
-	# returns a String if the file is small (<4096o) and readonly access
-	def self.read(path, mode='rb')
-		raise 'no filename specified' if not path
-		if sz = File.size(path) <= 4096 and (mode == 'rb' or mode == 'r')
-			File.open(path, mode) { |fd| fd.read }
-		else
-			File.open(path, mode) { |fd| new fd, 0, sz }
-		end
-	end
-
-	# the underlying file descriptor
-	attr_accessor :fd
-
-	# creates a new virtual mapping of a section of the file
-	# the file descriptor must be seekable
-	def initialize(fd, addr_start = 0, length = nil)
-		@fd = fd.dup
-		if not length
-			@fd.seek(0, File::SEEK_END)
-			length = @fd.tell - addr_start
-		end
-		super(addr_start, length)
-	end
-
-	def dup(addr = @addr_start, len = @length)
-		self.class.new(@fd, addr, len)
-	end
-
-	# reads an aligned page from the file, at file offset addr
-	def get_page(addr, len=@pagelength)
-		@fd.pos = addr
-		@fd.read len
-	end
-
-	def page_invalid?(addr)
-		false
-	end
-
-	# overwrite a section of the file
-	def rewrite_at(addr, data)
-		@fd.pos = addr
-		@fd.write data
-	end
-
-	# returns the full content of the file
-	def realstring
-		@fd.pos = @addr_start
-		@fd.read(@length)
-	end
-end
-
 # this class implements a high-level debugging API (abstract superclass)
 class Debugger
 	class Breakpoint
@@ -319,9 +14,9 @@ class Debugger
 			:oneshot,
 			# current bp state: :active, :inactive (internal use), :disabled (user-specified)
 			:state,
-			# type: type of breakpoint (:bpx = soft, :hw = hard)
+			# type: type of breakpoint (:bpx = soft, :hwbp = hard, :bpm = memory)
 			:type,
-			# Expression if this is a conditionnal bp
+			# Expression if this is a conditional bp
 			# may be a Proc, String or Expression, evaluated every time the breakpoint hits
 			# if it returns 0 or false, the breakpoint is ignored
 			:condition,
@@ -329,6 +24,7 @@ class Debugger
 			:action,
 			# Proc to run to emulate the overwritten instr behavior
 			# used to avoid unset/singlestep/re-set, more multithread friendly
+			# may be a DecodedInstruction for lazy initialization, see Debugger#init_bpx/has_emul_instr(bpx)
 			:emul_instr,
 			# internal data, cpu-specific (overwritten byte for a softbp, memory type/size for hwbp..)
 			:internal,
@@ -383,7 +79,7 @@ class Debugger
 			return del_bpm if @type == :bpm
 			@hash_shared.delete self
 			if @hash_shared.empty?
-  				@hash_owner.delete @hash_key
+				@hash_owner.delete @hash_key
 			elsif @hash_owner[@hash_key] == self
 				@hash_owner[@hash_key] = @hash_shared.first
 			end
@@ -432,7 +128,7 @@ class Debugger
 
 	# global debugger callbacks, called whenever such event occurs
 	attr_accessor :callback_singlestep, :callback_bpx, :callback_hwbp, :callback_bpm,
-	       	:callback_exception, :callback_newthread, :callback_endthread,
+		:callback_exception, :callback_newthread, :callback_endthread,
 		:callback_newprocess, :callback_endprocess, :callback_loadlibrary
 
 	# global switches, specify wether to break on exception/thread event
@@ -456,15 +152,17 @@ class Debugger
 		@pid_stuff_list = [:memory, :cpu, :disassembler, :symbols, :symbols_len,
 			:modulemap, :breakpoint, :breakpoint_memory, :tid, :tid_stuff,
 			:dead_process]
-		@tid_stuff_list = [:state, :info, :breakpoint_thread, :singlestep_cb, 
+		@tid_stuff_list = [:state, :info, :breakpoint_thread, :singlestep_cb,
 			:run_method, :run_args, :breakpoint_cause, :dead_thread]
 		@callback_loadlibrary = lambda { |h| loadsyms(h[:address]) ; continue }
-		@callback_newprocess = lambda { |h| log "process #{@pid} created" }
+		@callback_newprocess = lambda { |h| log "process #{@pid} attached" }
 		@callback_endprocess = lambda { |h| log "process #{@pid} died" }
 		initialize_newpid
 		initialize_newtid
 	end
 
+	def dasm; disassembler; end
+
 	def shortname; self.class.name.split('::').last.downcase; end
 
 	attr_reader :pid
@@ -582,21 +280,27 @@ class Debugger
 	end
 
 	# delete references to the current thread
-	# calls del_pid if no tid left
 	def del_tid
 		@tid_stuff.delete @tid
 		if @tid = @tid_stuff.keys.first
 			swapin_tid
 		else
-			del_pid
+			del_tid_notid
 		end
 	end
 
+	# wipe the whole process when no TID is left
+	# XXX we may have a pending evt_newthread...
+	def del_tid_notid
+		del_pid
+	end
+
+
 	# change the debugger to a specific pid/tid
 	# if given a block, run the block and then restore the original pid/tid
 	# pid may be an object that respond to #pid/#tid
-	def switch_context(npid, ntid=nil)
-		if npid.respond_to? :pid
+	def switch_context(npid, ntid=nil, &b)
+		if npid.respond_to?(:pid)
 			ntid ||= npid.tid
 			npid = npid.pid
 		end
@@ -604,12 +308,12 @@ class Debugger
 		oldtid = tid
 		set_pid npid
 		set_tid ntid if ntid
-		if block_given?
+		if b
 			# shortcut begin..ensure overhead
-			return yield if oldpid == pid and oldtid == tid
+			return b.call if oldpid == pid and oldtid == tid
 
 			begin
-				yield
+				b.call
 			ensure
 				set_pid oldpid
 				set_tid oldtid
@@ -619,31 +323,31 @@ class Debugger
 	alias set_context switch_context
 
 	# iterate over all pids, yield in the context of this pid
-	def each_pid
+	def each_pid(&b)
 		# ensure @pid is last, so that we finish in the current context
 		lst = @pid_stuff.keys - [@pid]
 		lst << @pid
-		return lst if not block_given?
+		return lst if not b
 		lst.each { |p|
 			set_pid p
-			yield
+			b.call
 		}
 	end
 
 	# iterate over all tids of the current process, yield in its context
-	def each_tid
+	def each_tid(&b)
 		lst = @tid_stuff.keys - [@tid]
 		lst << @tid
-		return lst if not block_given?
+		return lst if not b
 		lst.each { |t|
-			set_tid t
-			yield
+			set_tid t rescue next
+			b.call
 		}
 	end
 
 	# iterate over all tids of all pids, yield in their context
-	def each_pid_tid
-		each_pid { each_tid { yield } }
+	def each_pid_tid(&b)
+		each_pid { each_tid { b.call } }
 	end
 
 
@@ -655,7 +359,8 @@ class Debugger
 	# returns the Breakpoint object
 	def add_bp(addr, info={})
 		info[:pid] ||= @pid
-		info[:tid] ||= @tid if info[:pid] == @pid
+		# dont define :tid for bpx, otherwise on del_bp we may switch_context to this thread that may not be stopped -> cant ptrace_write
+		info[:tid] ||= @tid if info[:pid] == @pid and info[:type] == :hwbp
 
 		b = Breakpoint.new
 		info.each { |k, v|
@@ -740,45 +445,69 @@ class Debugger
 	end
 
 	# called in the context of the target when a bpx is to be initialized
-	# will disassemble the code pointed, and try to initialize #emul_instr
+	# may (lazily) initialize b.emul_instr for virtual singlestep
 	def init_bpx(b)
-		@disassembler.disassemble_fast_block(b.address)		# XXX configurable dasm method
-		if di = @disassembler.di_at(b.address) and
-				fdbd = @disassembler.get_fwdemu_binding(di, register_pc) and
-				not fdbd[:incomplete_binding] and not fdbd.index(Expression::Unknown) and
-				fdbd.keys.all? { |k| k.kind_of?(Symbol) or k.kind_of?(Indirection) }
-
-puts di.instruction, fdbd.inspect
-			b.emul_instr = lambda { |dbg|
-				resv = lambda { |e|
-					r = e
-					flags = Expression[r].externals.uniq.find_all { |f| f.to_s =~ /flags?_(.+)/ }
-					if flags.first
-						bd = {}
-						flags.each { |f|
-							f.to_s =~ /flags?_(.+)/
-							bd[f] = dbg.get_flag_value($1.downcase.to_sym)
-						}
-						r = r.bind(bd)
-					end
-					dbg.resolve(r)
+		# dont bother setting stuff up if it is never to be used
+		return if b.oneshot and not b.condition
+
+		# lazy setup of b.emul_instr: delay building emulating lambda to if/when actually needed
+		# we still need to disassemble now and update @disassembler, before we patch the memory for the bpx
+		di = init_bpx_disassemble(b.address)
+		b.hash_shared.each { |bb| bb.emul_instr = di }
+	end
+
+	# retrieve the di at a given address, disassemble if needed
+	# TODO make it so this doesn't interfere with other 'real' disassembler later commands, eg disassemble() or disassemble_fast_deep()
+	# (right now, when they see the block already present they stop all processing)
+	def init_bpx_disassemble(addr)
+		@disassembler.disassemble_fast(addr)
+		@disassembler.di_at(addr)
+	end
+
+	# checks if bp has an emul_instr
+	# do the lazy initialization if needed
+	def has_emul_instr(bp)
+		if bp.emul_instr.kind_of?(DecodedInstruction)
+			if di = bp.emul_instr and fdbd = @disassembler.get_fwdemu_binding(di, register_pc) and
+					fdbd.all? { |k, v| (k.kind_of?(Symbol) or k.kind_of?(Indirection)) and
+						k != :incomplete_binding and v != Expression::Unknown }
+				# setup a lambda that will mimic, using the debugger primitives, the actual execution of the instruction
+				bp.emul_instr = lambda {
+					fdbd.map { |k, v|
+						k = Indirection[emulinstr_resv(k.pointer), k.len] if k.kind_of?(Indirection)
+						[k, emulinstr_resv(v)]
+					}.each { |k, v|
+						if k.to_s =~ /flags?_(.+)/i
+							f = $1.downcase.to_sym
+							set_flag_value(f, v)
+						elsif k.kind_of?(Symbol)
+							set_reg_value(k, v)
+						elsif k.kind_of?(Indirection)
+							memory_write_int(k.pointer, v, k.len)
+						end
+					}
 				}
+				bp.hash_shared.each { |bb| bb.emul_instr = bp.emul_instr }
+			else
+				bp.hash_shared.each { |bb| bb.emul_instr = nil }
+			end
+		end
 
-				fdbd.map { |k, v|
-					k = Indirection[resv[k.pointer], k.len] if k.kind_of?(Indirection)
-					[k, resv[v]]
-				}.each { |k, v|
-					if k.to_s =~ /flags?_(.+)/
-						dbg.set_flag_value($1.downcase.to_sym, v)
-					elsif k.kind_of?(Symbol)
-						dbg.set_reg_value(k, v)
-					elsif k.kind_of?(Indirection)
-						dbg.memory_write_int(k.pointer, v, k.len)
-					end
-				}
+		bp.emul_instr
+	end
+
+	def emulinstr_resv(e)
+		r = e
+		flags = Expression[r].externals.uniq.find_all { |f| f.to_s =~ /flags?_(.+)/i }
+		if flags.first
+			bd = {}
+			flags.each { |f|
+				f.to_s =~ /flags?_(.+)/i
+				bd[f] = get_flag_value($1.downcase.to_sym)
 			}
-			b.hash_shared.each { |bb| bb.emul_instr = b.emul_instr }
+			r = r.bind(bd)
 		end
+		resolve(r)
 	end
 
 	# sets a breakpoint on execution
@@ -798,6 +527,7 @@ puts di.instruction, fdbd.inspect
 		h = { :type => :hwbp }
 		h[:hash_owner] = @breakpoint_thread
 		addr = resolve_expr(addr) if not addr.kind_of? ::Integer
+		mtype = mtype.to_sym
 		h[:hash_key] = [addr, mtype, mlen]
 		h[:internal] = { :type => mtype, :len => mlen }
 		h[:oneshot] = true if oneshot
@@ -813,7 +543,7 @@ puts di.instruction, fdbd.inspect
 		h = { :type => :bpm }
 		addr = resolve_expr(addr) if not addr.kind_of? ::Integer
 		h[:hash_key] = addr & -4096	# XXX actually referenced at addr, addr+4096, ... addr+len
-		h[:internal] = { :type => type, :len => mlen }
+		h[:internal] = { :type => mtype, :len => mlen }
 		h[:oneshot] = true if oneshot
 		h[:condition] = cond if cond
 		h[:action] = action if action
@@ -821,7 +551,7 @@ puts di.instruction, fdbd.inspect
 	end
 
 
-	# define the lambda to use to log stuff (used by #puts)
+	# define the lambda to use to log stuff
 	def set_log_proc(l=nil, &b)
 		@log_proc = l || b
 	end
@@ -831,7 +561,7 @@ puts di.instruction, fdbd.inspect
 		if @log_proc
 			a.each { |aa| @log_proc[aa] }
 		else
-			puts(*a)
+			puts(*a) if $VERBOSE
 		end
 	end
 
@@ -843,7 +573,7 @@ puts di.instruction, fdbd.inspect
 
 	# invalidates the EncodedData backend for the dasm sections
 	def dasm_invalidate
-		disassembler.sections.each_value { |s| s.data.invalidate if s.data.respond_to? :invalidate }
+		disassembler.sections.each_value { |s| s.data.invalidate if s.data.respond_to?(:invalidate) } if disassembler
 	end
 
 	# return all breakpoints set on a specific address (or all bp)
@@ -862,7 +592,7 @@ puts di.instruction, fdbd.inspect
 			ret |= bb.hash_shared
 		}
 
-		@breakpoint_memory.each_value { |m|
+		@breakpoint_memory.each_value { |bb|
 			next if addr and (bb.address+bb.internal[:len] <= addr or bb.address > addr)
 			ret |= bb.hash_shared
 		}
@@ -870,9 +600,10 @@ puts di.instruction, fdbd.inspect
 		ret
 	end
 
-	def find_breakpoint(addr=nil)
-		return @breakpoint[addr] if @breakpoint[addr] and (not block_given? or yield(@breakpoint[addr]))
-		all_breakpoints(addr).find { |b| yield b }
+	# return on of the breakpoints at address addr
+	def find_breakpoint(addr=nil, &b)
+		return @breakpoint[addr] if @breakpoint[addr] and (not b or b.call(@breakpoint[addr]))
+		all_breakpoints(addr).find { |bp| b.call bp }
 	end
 
 
@@ -881,10 +612,10 @@ puts di.instruction, fdbd.inspect
 	# due to a side-effect of the debugger (bpx with wrong condition etc)
 	# returns nil if the execution should be avoided (just deleted the dead thread/process)
 	def check_pre_run(run_m, *run_a)
-		if @dead_process
+		if @dead_process ||= nil
 			del_pid
 			return
-		elsif @dead_thread
+		elsif @dead_thread ||= nil
 			del_tid
 			return
 		elsif @state == :running
@@ -894,7 +625,6 @@ puts di.instruction, fdbd.inspect
 		@breakpoint_cause = nil
 		@run_method = run_m
 		@run_args = run_a
-		@state = :running
 		@info = nil
 		true
 	end
@@ -922,10 +652,12 @@ puts di.instruction, fdbd.inspect
 		return @cpu.dbg_find_singlestep(self) if @cpu.respond_to?(:dbg_find_singlestep)
 		@run_method == :singlestep
 	end
-	
+
 	# called when the target stops due to a soft breakpoint exception
 	def evt_bpx(b=nil)
 		b ||= find_bp_bpx
+		# TODO handle race:
+		# bpx foo ; thread hits foo ; we bc foo ; os notify us of bp hit but we already cleared everything related to 'bpx foo' -> unhandled bp exception
 		return evt_exception(:type => 'breakpoint') if not b
 
 		@state = :stopped
@@ -959,7 +691,7 @@ puts di.instruction, fdbd.inspect
 
 	# return the breakpoint that is responsible for the evt_hwbp
 	def find_bp_hwbp
-		return @cpu.dbg_find_hwbp(self) if @cpu.respond_to?(:dbg_find_bpx)
+		return @cpu.dbg_find_hwbp(self) if @cpu.respond_to?(:dbg_find_hwbp)
 		@breakpoint_thread.find { |b| b.address == pc }
 	end
 
@@ -995,9 +727,9 @@ puts di.instruction, fdbd.inspect
 		return if b.address+b.internal[:len] <= info[:fault_addr]
 		return if b.address >= info[:fault_addr] + info[:fault_len]
 		case b.internal[:type]
-		when :x; info[:fault_addr] == pc	# XXX
-		when :r; info[:fault_access] == :r 
+		when :r; info[:fault_access] == :r	# or info[:fault_access] == :x
 		when :w; info[:fault_access] == :w
+		when :x; info[:fault_access] == :x	# XXX non-NX cpu => check pc is in bpm range ?
 		when :rw; true
 		end
 	end
@@ -1008,8 +740,10 @@ puts di.instruction, fdbd.inspect
 
 		found_valid_active = false
 
+		pre_callback_pc = pc
+
 		# XXX may have many active bps with callback that continue/singlestep/singlestep{}...
-		b.hash_shared.dup.map { |bb|
+		b.hash_shared.dup.find_all { |bb|
 			# ignore inactive bps
 			next if bb.state != :active
 
@@ -1030,9 +764,11 @@ puts di.instruction, fdbd.inspect
 			# oneshot
 			del_bp(bb) if bb.oneshot
 
-			# callback
 			bb.action
-		}.compact.each { |cb| cb.call }
+		}.each { |bb| bb.action.call }
+
+		# discard @breakpoint_cause if a bp callback did modify register_pc
+		@breakpoint_cause = nil if pc != pre_callback_pc
 
 		# we did break due to a bp whose condition is not true: resume
 		# (unless a callback already resumed)
@@ -1118,13 +854,13 @@ puts di.instruction, fdbd.inspect
 	# resume execution as if we never stopped
 	# disable offending bp + singlestep if needed
 	def resume_badbreak(b=nil)
-		# ensure we didn't delete b 
+		# ensure we didn't delete b
 		if b and b.hash_shared.find { |bb| bb.state == :active }
 			rm = @run_method
 			if rm == :singlestep
 				singlestep_bp(b)
 			else
-				@run_args = ra
+				ra = @run_args
 				singlestep_bp(b) { send rm, *ra }
 			end
 		else
@@ -1136,10 +872,10 @@ puts di.instruction, fdbd.inspect
 	# if the breakpoint provides an emulation stub, run that, otherwise
 	# disable the breakpoint, singlestep, and re-enable
 	def singlestep_bp(bp, &b)
-		if be = bp.hash_shared.find { |bb| bb.emul_instr }
+		if has_emul_instr(bp)
 			@state = :stopped
-			be.emul_instr[self]
-			yield if block_given?
+			bp.emul_instr.call
+			b.call if b
 		else
 			bp.hash_shared.each { |bb|
 				disable_bp(bb, :temp_inactive) if bb.state == :active
@@ -1151,13 +887,23 @@ puts di.instruction, fdbd.inspect
 					enable_bp(bb) if bb.state == :temp_inactive
 				}
 				prev_sscb[] if prev_sscb
-				yield if block_given?
+				b.call if b
 			}
 		end
 	end
 
+	# checks if @breakpoint_cause is valid, or was obsoleted by the user changing pc
+	def check_breakpoint_cause
+		if bp = breakpoint_cause and
+				(bp.type == :bpx or (bp.type == :hwbp and bp.internal[:type] == :x)) and
+				pc != bp.address
+			bp = @breakpoint_cause = nil
+		end
+		bp
+	end
 
 	# checks if the running target has stopped (nonblocking)
+	# returns false if no debug event happened
 	def check_target
 		do_check_target
 	end
@@ -1171,7 +917,7 @@ puts di.instruction, fdbd.inspect
 	# bypasses a software breakpoint on pc if needed
 	# thread breakpoints must be manually disabled before calling continue
 	def continue
-		if b = @breakpoint_cause and b.hash_shared.find { |bb| bb.state == :active }
+		if b = check_breakpoint_cause and b.hash_shared.find { |bb| bb.state == :active }
 			singlestep_bp(b) {
 				next if not check_pre_run(:continue)
 				do_continue
@@ -1192,11 +938,11 @@ puts di.instruction, fdbd.inspect
 	# resume execution of the target one instruction at a time
 	def singlestep(&b)
 		@singlestep_cb = b
-		bp = @breakpoint_cause
+		bp = check_breakpoint_cause
 		return if not check_pre_run(:singlestep)
-		if bp and bp.hash_shared.find { |bb| bb.state == :active } and be = bp.hash_shared.find { |bb| bb.emul_instr }
+		if bp and bp.hash_shared.find { |bb| bb.state == :active } and has_emul_instr(bp)
 			@state = :stopped
-			be.emul_instr[self]
+			bp.emul_instr.call
 			invalidate
 			evt_singlestep(true)
 		else
@@ -1248,6 +994,11 @@ puts di.instruction, fdbd.inspect
 		do_singlestep
 	end
 
+	def stepout_wait
+		stepout
+		wait_target
+	end
+
 	# set a singleshot breakpoint, run the process, and wait
 	def go(target, cond=nil)
 		bpx(target, true, cond)
@@ -1432,9 +1183,9 @@ puts di.instruction, fdbd.inspect
 	end
 
 	# load symbols from all libraries found by the OS module
-	def loadallsyms
+	def loadallsyms(&b)
 		modules.each { |m|
-			yield m.addr if block_given?
+			b.call(m.addr) if b
 			loadsyms(m.addr, m.path)
 		}
 	end
@@ -1466,7 +1217,7 @@ puts di.instruction, fdbd.inspect
 	end
 
 	# parses the expression contained in arg, updates arg to point after the expr
-	def parse_expr!(arg)
+	def parse_expr!(arg, &b)
 		return if not e = IndExpression.parse_string!(arg) { |s|
 			# handle 400000 -> 0x400000
 			# XXX no way to override and force decimal interpretation..
@@ -1481,7 +1232,7 @@ puts di.instruction, fdbd.inspect
 		bd = {}
 		e.externals.grep(::String).each { |ex|
 			if not v = register_list.find { |r| ex.downcase == r.to_s.downcase } ||
-						(block_given? && yield(ex)) || symbols.index(ex)
+						(b && b.call(ex)) || symbols.index(ex)
 				lst = symbols.values.find_all { |s| s.downcase.include? ex.downcase }
 				case lst.length
 				when 0
@@ -1516,14 +1267,14 @@ puts di.instruction, fdbd.inspect
 			next if bd[ex]
 			case ex
 			when ::Symbol; bd[ex] = get_reg_value(ex)
-			when ::String; bd[ex] = @symbols.index(ex) || 0
+			when ::String; bd[ex] = @symbols.index(ex) || @disassembler.prog_binding[ex] || 0
 			end
 		}
 		Expression[e].bind(bd).reduce { |i|
 			if i.kind_of? Indirection and p = i.pointer.reduce and p.kind_of? ::Integer
 				i.len ||= @cpu.size/8
 				p &= (1 << @cpu.size) - 1 if p < 0
-				Expression.decode_imm(@memory, i.len, @cpu, p)
+				@memory.decode_imm(p, i.len, @cpu)
 			end
 		}
 	end
@@ -1539,11 +1290,11 @@ puts di.instruction, fdbd.inspect
 		if arg1
 			arg0 = resolve_expr(arg0) if not arg0.kind_of? ::Integer
 			arg1 = resolve_expr(arg1) if not arg1.kind_of? ::Integer
-			@memory[arg0, arg1].to_str
+			(@memory[arg0, arg1] || '').to_str
 		elsif arg0.kind_of? ::Range
 			arg0.begin = resolve_expr(arg0.begin) if not arg0.begin.kind_of? ::Integer	# cannot happen, invalid ruby Range
 			arg0.end = resolve_expr(arg0.end) if not arg0.end.kind_of? ::Integer
-			@memory[arg0].to_str
+			(@memory[arg0] || '').to_str
 		else
 			get_reg_value(arg0)
 		end
@@ -1619,7 +1370,7 @@ puts di.instruction, fdbd.inspect
 				plugin_filename = pf + '.rb'
 			end
 		end
-		if not File.exist?(plugin_filename) and File.exist?(plugin_filename + '.rb')
+		if (not File.exist?(plugin_filename) or File.directory?(plugin_filename)) and File.exist?(plugin_filename + '.rb')
 			plugin_filename += '.rb'
 		end
 
@@ -1669,18 +1420,61 @@ puts di.instruction, fdbd.inspect
 
 	# see EData#pattern_scan
 	# scans only mapped areas of @memory, using os_process.mappings
-	def pattern_scan(pat, start=0, len=@memory.length-start)
+	def pattern_scan(pat, start=0, len=@memory.length-start, &b)
 		ret = []
-		mappings.each { |a, l, *o_|
-			a = start if a < start
-			l = start+len-a if a+l > start+len
-			next if l <= 0
-			EncodedData.new(@memory[a, l]).pattern_scan(pat) { |o|
-				o += a
-				ret << o if not block_given? or yield(o)
+		mappings.each { |maddr, mlen, perm, *o_|
+			next if perm !~ /r/i
+			mlen -= start-maddr if maddr < start
+			maddr = start if maddr < start
+			mlen = start+len-maddr if maddr+mlen > start+len
+			next if mlen <= 0
+			EncodedData.new(read_mapped_range(maddr, mlen)).pattern_scan(pat) { |off|
+				off += maddr
+				ret << off if not b or b.call(off)
 			}
 		}
 		ret
 	end
+
+	def read_mapped_range(addr, len)
+		# try to use a single get_page call
+		s = @memory.get_page(addr, len) || ''
+		s.length == len ? s : (s = @memory[addr, len] ? s.to_str : nil)
+	end
+end
+
+class CPU
+	# return the CPU register used to store the current instruction pointer
+	def dbg_register_pc
+		@dbg_register_pc ||= :pc
+	end
+
+	# return the list of CPU registers
+	def dbg_register_list
+		@dbg_register_list ||= [dbg_register_pc]
+	end
+
+	# return the list of flags for the CPU
+	def dbg_flag_list
+		@dbg_flag_list ||= []
+	end
+
+	# return a hash with register name => register size in bits
+	def dbg_register_size
+		@dbg_register_size ||= Hash.new(@size)
+	end
+
+	# returns true if stepover is different from stepinto for this instruction
+	def dbg_need_stepover(dbg, addr, di)
+		di and di.opcode.props[:saveip]
+	end
+
+	# activate a software breakpoint
+	def dbg_enable_bp(dbg, bp)
+	end
+
+	# deactivate a software breakpoint
+	def dbg_disable_bp(dbg, bp)
+	end
 end
 end