RubyGems - metasm - Versions diffs - 1.0.0 → 1.0.5 - Mend

metasm 1.0.0 → 1.0.5

Files changed (276) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +3 -0
data/.gitignore +3 -0
data/.hgtags +3 -0
data/Gemfile +3 -0
data/INSTALL +61 -0
data/LICENCE +458 -0
data/README +29 -21
data/Rakefile +10 -0
data/TODO +10 -12
data/doc/code_organisation.txt +3 -1
data/doc/core/DynLdr.txt +247 -0
data/doc/core/ExeFormat.txt +43 -0
data/doc/core/Expression.txt +220 -0
data/doc/core/GNUExports.txt +27 -0
data/doc/core/Ia32.txt +236 -0
data/doc/core/SerialStruct.txt +108 -0
data/doc/core/VirtualString.txt +145 -0
data/doc/core/WindowsExports.txt +61 -0
data/doc/core/index.txt +1 -0
data/doc/style.css +6 -3
data/doc/usage/debugger.txt +327 -0
data/doc/usage/index.txt +1 -0
data/doc/use_cases.txt +2 -2
data/metasm.gemspec +23 -0
data/{lib/metasm.rb → metasm.rb} +15 -3
data/{lib/metasm → metasm}/compile_c.rb +15 -9
data/metasm/cpu/arc.rb +8 -0
data/metasm/cpu/arc/decode.rb +404 -0
data/metasm/cpu/arc/main.rb +191 -0
data/metasm/cpu/arc/opcodes.rb +588 -0
data/metasm/cpu/arm.rb +14 -0
data/{lib/metasm → metasm/cpu}/arm/debug.rb +2 -2
data/{lib/metasm → metasm/cpu}/arm/decode.rb +15 -18
data/{lib/metasm → metasm/cpu}/arm/encode.rb +23 -8
data/{lib/metasm → metasm/cpu}/arm/main.rb +3 -6
data/metasm/cpu/arm/opcodes.rb +324 -0
data/{lib/metasm → metasm/cpu}/arm/parse.rb +25 -13
data/{lib/metasm → metasm/cpu}/arm/render.rb +2 -2
data/metasm/cpu/arm64.rb +15 -0
data/metasm/cpu/arm64/debug.rb +38 -0
data/metasm/cpu/arm64/decode.rb +285 -0
data/metasm/cpu/arm64/encode.rb +41 -0
data/metasm/cpu/arm64/main.rb +105 -0
data/metasm/cpu/arm64/opcodes.rb +232 -0
data/metasm/cpu/arm64/parse.rb +20 -0
data/metasm/cpu/arm64/render.rb +95 -0
data/{lib/metasm/mips/compile_c.rb → metasm/cpu/bpf.rb} +4 -2
data/metasm/cpu/bpf/decode.rb +110 -0
data/metasm/cpu/bpf/main.rb +60 -0
data/metasm/cpu/bpf/opcodes.rb +81 -0
data/metasm/cpu/bpf/render.rb +30 -0
data/{lib/metasm/ppc.rb → metasm/cpu/cy16.rb} +2 -4
data/metasm/cpu/cy16/decode.rb +247 -0
data/metasm/cpu/cy16/main.rb +63 -0
data/metasm/cpu/cy16/opcodes.rb +78 -0
data/metasm/cpu/cy16/render.rb +30 -0
data/metasm/cpu/dalvik.rb +11 -0
data/{lib/metasm → metasm/cpu}/dalvik/decode.rb +34 -34
data/{lib/metasm → metasm/cpu}/dalvik/main.rb +71 -4
data/{lib/metasm → metasm/cpu}/dalvik/opcodes.rb +21 -12
data/{lib/metasm/mips.rb → metasm/cpu/ebpf.rb} +3 -4
data/metasm/cpu/ebpf/debug.rb +61 -0
data/metasm/cpu/ebpf/decode.rb +142 -0
data/metasm/cpu/ebpf/main.rb +58 -0
data/metasm/cpu/ebpf/opcodes.rb +97 -0
data/metasm/cpu/ebpf/render.rb +36 -0
data/metasm/cpu/ia32.rb +17 -0
data/{lib/metasm → metasm/cpu}/ia32/compile_c.rb +23 -9
data/{lib/metasm → metasm/cpu}/ia32/debug.rb +44 -6
data/{lib/metasm → metasm/cpu}/ia32/decode.rb +342 -128
data/{lib/metasm → metasm/cpu}/ia32/decompile.rb +75 -53
data/{lib/metasm → metasm/cpu}/ia32/encode.rb +19 -13
data/{lib/metasm → metasm/cpu}/ia32/main.rb +66 -8
data/metasm/cpu/ia32/opcodes.rb +1424 -0
data/{lib/metasm → metasm/cpu}/ia32/parse.rb +55 -17
data/{lib/metasm → metasm/cpu}/ia32/render.rb +32 -5
data/metasm/cpu/mcs51.rb +8 -0
data/metasm/cpu/mcs51/decode.rb +99 -0
data/metasm/cpu/mcs51/main.rb +87 -0
data/metasm/cpu/mcs51/opcodes.rb +120 -0
data/metasm/cpu/mips.rb +14 -0
data/metasm/cpu/mips/debug.rb +42 -0
data/{lib/metasm → metasm/cpu}/mips/decode.rb +59 -38
data/{lib/metasm → metasm/cpu}/mips/encode.rb +4 -3
data/{lib/metasm → metasm/cpu}/mips/main.rb +13 -6
data/{lib/metasm → metasm/cpu}/mips/opcodes.rb +87 -18
data/{lib/metasm → metasm/cpu}/mips/parse.rb +1 -1
data/{lib/metasm → metasm/cpu}/mips/render.rb +1 -1
data/{lib/metasm/dalvik.rb → metasm/cpu/msp430.rb} +1 -1
data/metasm/cpu/msp430/decode.rb +243 -0
data/metasm/cpu/msp430/main.rb +62 -0
data/metasm/cpu/msp430/opcodes.rb +101 -0
data/metasm/cpu/openrisc.rb +11 -0
data/metasm/cpu/openrisc/debug.rb +106 -0
data/metasm/cpu/openrisc/decode.rb +182 -0
data/metasm/cpu/openrisc/decompile.rb +350 -0
data/metasm/cpu/openrisc/main.rb +70 -0
data/metasm/cpu/openrisc/opcodes.rb +109 -0
data/metasm/cpu/openrisc/render.rb +37 -0
data/{lib/metasm → metasm/cpu}/pic16c/decode.rb +6 -7
data/{lib/metasm → metasm/cpu}/pic16c/main.rb +0 -0
data/{lib/metasm → metasm/cpu}/pic16c/opcodes.rb +1 -1
data/metasm/cpu/ppc.rb +11 -0
data/{lib/metasm → metasm/cpu}/ppc/decode.rb +18 -37
data/{lib/metasm → metasm/cpu}/ppc/decompile.rb +3 -3
data/{lib/metasm → metasm/cpu}/ppc/encode.rb +2 -2
data/{lib/metasm → metasm/cpu}/ppc/main.rb +23 -18
data/{lib/metasm → metasm/cpu}/ppc/opcodes.rb +11 -6
data/metasm/cpu/ppc/parse.rb +55 -0
data/metasm/cpu/python.rb +8 -0
data/metasm/cpu/python/decode.rb +116 -0
data/metasm/cpu/python/main.rb +36 -0
data/metasm/cpu/python/opcodes.rb +180 -0
data/{lib/metasm → metasm/cpu}/sh4.rb +1 -1
data/{lib/metasm → metasm/cpu}/sh4/decode.rb +50 -23
data/{lib/metasm → metasm/cpu}/sh4/main.rb +38 -27
data/{lib/metasm → metasm/cpu}/sh4/opcodes.rb +7 -8
data/metasm/cpu/st20.rb +9 -0
data/metasm/cpu/st20/decode.rb +173 -0
data/metasm/cpu/st20/decompile.rb +283 -0
data/metasm/cpu/st20/main.rb +37 -0
data/metasm/cpu/st20/opcodes.rb +140 -0
data/{lib/metasm/arm.rb → metasm/cpu/webasm.rb} +4 -5
data/metasm/cpu/webasm/debug.rb +31 -0
data/metasm/cpu/webasm/decode.rb +321 -0
data/metasm/cpu/webasm/decompile.rb +386 -0
data/metasm/cpu/webasm/encode.rb +104 -0
data/metasm/cpu/webasm/main.rb +81 -0
data/metasm/cpu/webasm/opcodes.rb +214 -0
data/metasm/cpu/x86_64.rb +15 -0
data/{lib/metasm → metasm/cpu}/x86_64/compile_c.rb +40 -25
data/{lib/metasm → metasm/cpu}/x86_64/debug.rb +4 -4
data/{lib/metasm → metasm/cpu}/x86_64/decode.rb +58 -15
data/{lib/metasm → metasm/cpu}/x86_64/encode.rb +59 -28
data/{lib/metasm → metasm/cpu}/x86_64/main.rb +18 -6
data/metasm/cpu/x86_64/opcodes.rb +138 -0
data/{lib/metasm → metasm/cpu}/x86_64/parse.rb +12 -4
data/metasm/cpu/x86_64/render.rb +35 -0
data/metasm/cpu/z80.rb +9 -0
data/metasm/cpu/z80/decode.rb +286 -0
data/metasm/cpu/z80/main.rb +67 -0
data/metasm/cpu/z80/opcodes.rb +224 -0
data/metasm/cpu/z80/render.rb +48 -0
data/{lib/metasm/os/main.rb → metasm/debug.rb} +201 -407
data/{lib/metasm → metasm}/decode.rb +104 -24
data/{lib/metasm → metasm}/decompile.rb +804 -478
data/{lib/metasm → metasm}/disassemble.rb +385 -170
data/{lib/metasm → metasm}/disassemble_api.rb +684 -105
data/{lib/metasm → metasm}/dynldr.rb +231 -138
data/{lib/metasm → metasm}/encode.rb +20 -5
data/{lib/metasm → metasm}/exe_format/a_out.rb +9 -6
data/{lib/metasm → metasm}/exe_format/autoexe.rb +3 -0
data/{lib/metasm → metasm}/exe_format/bflt.rb +57 -27
data/{lib/metasm → metasm}/exe_format/coff.rb +35 -7
data/{lib/metasm → metasm}/exe_format/coff_decode.rb +70 -23
data/{lib/metasm → metasm}/exe_format/coff_encode.rb +24 -22
data/{lib/metasm → metasm}/exe_format/dex.rb +26 -8
data/{lib/metasm → metasm}/exe_format/dol.rb +1 -0
data/{lib/metasm → metasm}/exe_format/elf.rb +108 -58
data/{lib/metasm → metasm}/exe_format/elf_decode.rb +202 -36
data/{lib/metasm → metasm}/exe_format/elf_encode.rb +126 -32
data/metasm/exe_format/gb.rb +65 -0
data/metasm/exe_format/javaclass.rb +424 -0
data/{lib/metasm → metasm}/exe_format/macho.rb +218 -16
data/{lib/metasm → metasm}/exe_format/main.rb +28 -3
data/{lib/metasm → metasm}/exe_format/mz.rb +2 -0
data/{lib/metasm → metasm}/exe_format/nds.rb +7 -4
data/{lib/metasm → metasm}/exe_format/pe.rb +96 -11
data/metasm/exe_format/pyc.rb +167 -0
data/{lib/metasm → metasm}/exe_format/serialstruct.rb +67 -14
data/{lib/metasm → metasm}/exe_format/shellcode.rb +7 -3
data/metasm/exe_format/shellcode_rwx.rb +114 -0
data/metasm/exe_format/swf.rb +205 -0
data/metasm/exe_format/wasm.rb +402 -0
data/{lib/metasm → metasm}/exe_format/xcoff.rb +7 -7
data/metasm/exe_format/zip.rb +335 -0
data/metasm/gui.rb +13 -0
data/{lib/metasm → metasm}/gui/cstruct.rb +35 -41
data/{lib/metasm → metasm}/gui/dasm_coverage.rb +11 -11
data/{lib/metasm → metasm}/gui/dasm_decomp.rb +177 -114
data/{lib/metasm → metasm}/gui/dasm_funcgraph.rb +0 -0
data/metasm/gui/dasm_graph.rb +1754 -0
data/{lib/metasm → metasm}/gui/dasm_hex.rb +16 -12
data/{lib/metasm → metasm}/gui/dasm_listing.rb +43 -28
data/{lib/metasm → metasm}/gui/dasm_main.rb +360 -77
data/{lib/metasm → metasm}/gui/dasm_opcodes.rb +5 -19
data/{lib/metasm → metasm}/gui/debug.rb +109 -34
data/{lib/metasm → metasm}/gui/gtk.rb +174 -44
data/{lib/metasm → metasm}/gui/qt.rb +14 -4
data/{lib/metasm → metasm}/gui/win32.rb +180 -43
data/{lib/metasm → metasm}/gui/x11.rb +59 -59
data/{lib/metasm → metasm}/main.rb +421 -286
data/metasm/os/emulator.rb +175 -0
data/{lib/metasm/os/remote.rb → metasm/os/gdbremote.rb} +146 -54
data/{lib/metasm → metasm}/os/gnu_exports.rb +1 -1
data/{lib/metasm → metasm}/os/linux.rb +628 -151
data/metasm/os/main.rb +335 -0
data/{lib/metasm → metasm}/os/windows.rb +151 -58
data/{lib/metasm → metasm}/os/windows_exports.rb +141 -0
data/{lib/metasm → metasm}/parse.rb +49 -36
data/{lib/metasm → metasm}/parse_c.rb +405 -246
data/{lib/metasm → metasm}/preprocessor.rb +71 -41
data/{lib/metasm → metasm}/render.rb +14 -38
data/misc/hexdump.rb +4 -3
data/misc/lint.rb +58 -0
data/misc/objdiff.rb +4 -1
data/misc/objscan.rb +1 -1
data/misc/openrisc-parser.rb +79 -0
data/misc/txt2html.rb +9 -7
data/samples/bindiff.rb +3 -4
data/samples/dasm-plugins/bindiff.rb +15 -0
data/samples/dasm-plugins/bookmark.rb +133 -0
data/samples/dasm-plugins/c_constants.rb +57 -0
data/samples/dasm-plugins/colortheme_solarized.rb +125 -0
data/samples/dasm-plugins/cppobj_funcall.rb +60 -0
data/samples/dasm-plugins/dasm_all.rb +70 -0
data/samples/dasm-plugins/demangle_cpp.rb +31 -0
data/samples/dasm-plugins/deobfuscate.rb +251 -0
data/samples/dasm-plugins/dump_text.rb +35 -0
data/samples/dasm-plugins/export_graph_svg.rb +86 -0
data/samples/dasm-plugins/findgadget.rb +75 -0
data/samples/dasm-plugins/hl_opcode.rb +32 -0
data/samples/dasm-plugins/hotfix_gtk_dbg.rb +19 -0
data/samples/dasm-plugins/imm2off.rb +34 -0
data/samples/dasm-plugins/match_libsigs.rb +93 -0
data/samples/dasm-plugins/patch_file.rb +95 -0
data/samples/dasm-plugins/scanfuncstart.rb +36 -0
data/samples/dasm-plugins/scanxrefs.rb +29 -0
data/samples/dasm-plugins/selfmodify.rb +197 -0
data/samples/dasm-plugins/stringsxrefs.rb +28 -0
data/samples/dasmnavig.rb +1 -1
data/samples/dbg-apihook.rb +24 -9
data/samples/dbg-plugins/heapscan.rb +283 -0
data/samples/dbg-plugins/heapscan/compiled_heapscan_lin.c +155 -0
data/samples/dbg-plugins/heapscan/compiled_heapscan_win.c +128 -0
data/samples/dbg-plugins/heapscan/graphheap.rb +616 -0
data/samples/dbg-plugins/heapscan/heapscan.rb +709 -0
data/samples/dbg-plugins/heapscan/winheap.h +174 -0
data/samples/dbg-plugins/heapscan/winheap7.h +307 -0
data/samples/dbg-plugins/trace_func.rb +214 -0
data/samples/disassemble-gui.rb +48 -7
data/samples/disassemble.rb +31 -6
data/samples/dump_upx.rb +24 -12
data/samples/dynamic_ruby.rb +35 -27
data/samples/elfencode.rb +15 -0
data/samples/emubios.rb +251 -0
data/samples/emudbg.rb +127 -0
data/samples/exeencode.rb +6 -5
data/samples/factorize-headers-peimports.rb +1 -1
data/samples/lindebug.rb +186 -391
data/samples/metasm-shell.rb +68 -57
data/samples/peldr.rb +2 -2
data/tests/all.rb +1 -1
data/tests/arc.rb +26 -0
data/tests/dynldr.rb +22 -4
data/tests/expression.rb +57 -0
data/tests/graph_layout.rb +285 -0
data/tests/ia32.rb +80 -26
data/tests/mcs51.rb +27 -0
data/tests/mips.rb +10 -3
data/tests/preprocessor.rb +18 -0
data/tests/x86_64.rb +66 -18
metadata +465 -219
metadata.gz.sig +2 -0
data/lib/metasm/arm/opcodes.rb +0 -177
data/lib/metasm/gui.rb +0 -23
data/lib/metasm/gui/dasm_graph.rb +0 -1354
data/lib/metasm/ia32.rb +0 -14
data/lib/metasm/ia32/opcodes.rb +0 -872
data/lib/metasm/ppc/parse.rb +0 -52
data/lib/metasm/x86_64.rb +0 -12
data/lib/metasm/x86_64/opcodes.rb +0 -118
data/samples/gdbclient.rb +0 -583
data/samples/rubstop.rb +0 -399

data/{lib/metasm → metasm}/encode.rb RENAMED Viewed

@@ -42,7 +42,7 @@ class ExeFormat
 		edata
 	end
-	# chose among multiple possible sub-EncodedData
+	# choose among multiple possible sub-EncodedData
 	# assumes all ambiguous edata have the equivallent relocations in the same order
 	def assemble_resolve(ary)
 		startlabel = new_label('section_start')
@@ -167,7 +167,7 @@ class ExeFormat
 		# for linear expressions of internal variables (ie differences of labels from the ary):
 		#  - calc target numeric bounds, and reject relocs not accepting worst case value
 		#  - else reject all but largest place available
-		# then chose the shortest overall EData left
+		# then choose the shortest overall EData left
 		ary.map! { |elem|
 			case elem
 			when Array
@@ -214,8 +214,14 @@ class ExeFormat
 				raise EncodeError, "cannot find candidate in #{elem.inspect}, immediate too big #{wantsize.inspect} #{target_bounds.inspect}" if acceptable.empty?
-				# keep the shortest
-				acceptable.sort_by { |edata| edata.virtsize }.first
+				# keep the shortest, use a hack make sort consistent in all cases
+				# see https://8thlight.com/blog/will-warner/2013/03/26/stable-sorting-in-ruby.html
+				n = 0
+				mod_map = acceptable.map { |edata| n += 1 ; [[edata.virtsize, n], edata] }
+				interm_sort = mod_map.sort { |left, right| left[0] <=> right[0] }
+				mod_sort_result = interm_sort.collect { |edata| edata[1] }
+				result = mod_sort_result.first
+				result
 			else
 				elem
 			end
@@ -271,7 +277,16 @@ class Expression
 	def encode(type, endianness, backtrace=nil)
 		case val = reduce
 		when Integer; EncodedData.new Expression.encode_imm(val, type, endianness, backtrace)
-		else          EncodedData.new([0].pack('C')*(INT_SIZE[type]/8), :reloc => {0 => Relocation.new(self, type, endianness, backtrace)})
+		else
+			str = case INT_SIZE[type]
+			      when  8; "\0"
+			      when 16; "\0\0"
+			      when 32; "\0\0\0\0"
+			      when 64; "\0\0\0\0\0\0\0\0"
+			      else [0].pack('C')*(INT_SIZE[type]/8)
+			      end
+			str = str.force_encoding('BINARY') if str.respond_to?(:force_encoding)
+			EncodedData.new(str, :reloc => {0 => Relocation.new(self, type, endianness, backtrace)})
 		end
 	end

data/{lib/metasm → metasm}/exe_format/a_out.rb RENAMED Viewed

@@ -58,7 +58,7 @@ class AOut < ExeFormat
 	class Relocation < SerialStruct
 		word :address
 		bitfield :word, 0 => :symbolnum, 24 => :pcrel, 25 => :length,
- 			27 => :extern, 28 => :baserel, 29 => :jmptable, 30 => :relative, 31 => :rtcopy
+			27 => :extern, 28 => :baserel, 29 => :jmptable, 30 => :relative, 31 => :rtcopy
 		fld_enum :length, 0 => 1, 1 => 2, 2 => 4, 3 => 8
 		fld_default :length, 4
 	end
@@ -68,7 +68,7 @@ class AOut < ExeFormat
 		bitfield :byte, 0 => :extern, 1 => :type, 5 => :stab
 		byte :other
 		half :desc
- 		word :value
+		word :value
 		attr_accessor :name
 		def decode(aout, strings=nil)
@@ -93,6 +93,9 @@ class AOut < ExeFormat
 	def encode_byte(w) Expression[w].encode(:u8 , @endianness) end
 	def encode_half(w) Expression[w].encode(:u16, @endianness) end
 	def encode_word(w) Expression[w].encode(:u32, @endianness) end
+	def sizeof_byte ; 1 ; end
+	def sizeof_half ; 2 ; end
+	def sizeof_word ; 4 ; end
 	def initialize(cpu = nil)
 		@endianness = cpu ? cpu.endianness : :little
@@ -119,11 +122,11 @@ class AOut < ExeFormat
 		@data = EncodedData.new << @encoded.read(@header.data)
-		textrel = @encoded.read @header.trsz
-		datarel = @encoded.read @header.drsz
-		syms    = @encoded.read @header.syms
-		strings = @encoded.read
 		# TODO
+		#textrel = @encoded.read @header.trsz
+		#datarel = @encoded.read @header.drsz
+		#syms    = @encoded.read @header.syms
+		#strings = @encoded.read
 	end
 	def encode

data/{lib/metasm → metasm}/exe_format/autoexe.rb RENAMED Viewed

@@ -37,6 +37,7 @@ end
 # register a new binary file signature
 def self.register_signature(sig, exe=nil, &b)
+	sig.force_encoding('binary') if sig.respond_to?(:force_encoding)
 	(@signatures ||= []) << [sig, exe || b]
 end
@@ -58,6 +59,8 @@ register_signature("\xca\xfe\xba\xbe") { UniversalBinary }
 register_signature("dex\n") { DEX }
 register_signature("dey\n") { DEY }
 register_signature("\xfa\x70\x0e\x1f") { FatELF }
+register_signature("\x50\x4b\x03\x04") { ZIP }
+register_signature("\0asm") { WasmFile }
 register_signature('Metasm.dasm') { Disassembler }
 # replacement for AutoExe where #load defaults to a Shellcode of the specified CPU

data/{lib/metasm → metasm}/exe_format/bflt.rb RENAMED Viewed

@@ -9,6 +9,7 @@ require 'metasm/decode'
 module Metasm
 # BFLT is the binary flat format used by the uClinux
+# from examining a v4 binary, it looks like the header is discarded and the file is mapped from 0x40 to memory address 0 (wrt relocations)
 class Bflt < ExeFormat
 	MAGIC = 'bFLT'
 	FLAGS = { 1 => 'RAM', 2 => 'GOTPIC', 4 => 'GZIP' }
@@ -29,13 +30,20 @@ class Bflt < ExeFormat
 			when MAGIC
 			else raise InvalidExeFormat, "Bad bFLT signature #@magic"
 			end
+			if @rev >= 0x01000000 and (@rev & 0x00f0ffff) == 0
+				puts "Bflt: probable wrong endianness, retrying" if $VERBOSE
+				exe.endianness = { :big => :little, :little => :big }[exe.endianness]
+				exe.encoded.ptr -= 4*16
+				super(exe)
+			end
 		end
 		def set_default_values(exe)
 			@magic ||= MAGIC
 			@rev ||= 4
 			@entry ||= 0x40
-			@data_start ||= @entry + exe.text.length if exe.text
+			@data_start ||= 0x40 + exe.text.length if exe.text
 			@data_end ||= @data_start + exe.data.data.length if exe.data
 			@bss_end ||= @data_start + exe.data.length if exe.data
 			@stack_size ||= 0x1000
@@ -49,7 +57,9 @@ class Bflt < ExeFormat
 	def decode_word(edata = @encoded) edata.decode_imm(:u32, @endianness) end
 	def encode_word(w) Expression[w].encode(:u32, @endianness) end
+	def sizeof_word ; 4 ; end
+	attr_accessor :endianness
 	def initialize(cpu = nil)
 		@endianness = cpu ? cpu.endianness : :little
 		@header = Header.new
@@ -61,17 +71,17 @@ class Bflt < ExeFormat
 	def decode_header
 		@encoded.ptr = 0
 		@header.decode(self)
+		@encoded.add_export(new_label('entrypoint'), @header.entry)
 	end
 	def decode
 		decode_header
-		@encoded.ptr = @header.entry
-		@text = EncodedData.new << @encoded.read(@header.data_start - @header.entry)
-		@data = EncodedData.new << @encoded.read(@header.data_end - @header.data_start)
-		@data.virtsize += (@header.bss_end - @header.data_end)
+		@text = @encoded[0x40...@header.data_start]
+		@data = @encoded[@header.data_start...@header.data_end]
+		@data.virtsize += @header.bss_end - @header.data_end
-		if @header.flags.include? 'GZIP'
+		if @header.flags.include?('GZIP')
 			# TODO gzip
 			raise 'bFLT decoder: gzip format not supported'
 		end
@@ -79,7 +89,7 @@ class Bflt < ExeFormat
 		@reloc = []
 		@encoded.ptr = @header.reloc_start
 		@header.reloc_count.times { @reloc << decode_word }
-		if @header.version == 2
+		if @header.rev == 2
 			@reloc.map! { |r| r & 0x3fff_ffff }
 		end
@@ -87,32 +97,29 @@ class Bflt < ExeFormat
 	end
 	def decode_interpret_relocs
+		textsz = @header.data_start-0x40
 		@reloc.each { |r|
 			# where the reloc is
-			if r >= @header.entry and r < @header.data_start
+			if r < textsz
 				section = @text
-				base = @header.entry
-			elsif r >= @header.data_start and r < @header.data_end
-				section = @data
-				base = @header.data_start
+				off = section.ptr = r
 			else
-				puts "out of bounds reloc at #{Expression[r]}" if $VERBOSE
-				next
+				section = @data
+				off = section.ptr = r-textsz
 			end
 			# what it points to
-			section.ptr = r-base
 			target = decode_word(section)
-			if target >= @header.entry and target < @header.data_start
-				target = label_at(@text, target - @header.entry, "xref_#{Expression[target]}")
-			elsif target >= @header.data_start and target < @header.bss_end
-				target = label_at(@data, target - @header.data_start, "xref_#{Expression[target]}")
+			if target < textsz
+				target = label_at(@text, target, "xref_#{Expression[target]}")
+			elsif target < @header.bss_end-0x40
+				target = label_at(@data, target-textsz, "xref_#{Expression[target]}")
 			else
-				puts "out of bounds reloc target at #{Expression[r]}" if $VERBOSE
+				puts "out of bounds reloc target #{Expression[target]} at #{Expression[r]}" if $VERBOSE
 				next
 			end
-			@text.reloc[r-base] = Relocation.new(Expression[target], :u32, @endianness)
+			section.reloc[off] = Relocation.new(Expression[target], :u32, @endianness)
 		}
 	end
@@ -127,8 +134,8 @@ class Bflt < ExeFormat
 		@encoded = EncodedData.new
 		@encoded << @header.encode(self)
-		binding = @text.binding(@header.entry).merge(@data.binding(@header.data_start))
+		binding = @text.binding(0x40).merge(@data.binding(@header.data_start))
 		@encoded << @text << @data.data
 		@encoded.fixup! binding
 		@encoded.reloc.clear
@@ -143,7 +150,7 @@ class Bflt < ExeFormat
 		mapaddr = new_label('mapaddr')
 		binding = @text.binding(mapaddr).merge(@data.binding(mapaddr))
 		[@text, @data].each { |section|
-			base = @header.entry || 0x40
+			base = 0x40	# XXX maybe 0 ?
 			base = @header.data_start || base+@text.length if section == @data
 			section.reloc.each { |o, r|
 				if r.endianness == @endianness and [:u32, :a32, :i32].include? r.type and
@@ -167,7 +174,16 @@ class Bflt < ExeFormat
 		case instr.raw.downcase
 		when '.text'; @cursource = @textsrc
 		when '.data'; @cursource = @datasrc
-		# entrypoint is the 1st byte of .text
+		when '.entrypoint'
+			# ".entrypoint <somelabel/expression>" or ".entrypoint" (here)
+			@lexer.skip_space
+			if tok = @lexer.nexttok and tok.type == :string
+				raise instr if not entrypoint = Expression.parse(@lexer)
+			else
+				entrypoint = new_label('entrypoint')
+				@cursource << Label.new(entrypoint, instr.backtrace.dup)
+			end
+			@header.entry = entrypoint
 		else super(instr)
 		end
 	end
@@ -181,9 +197,23 @@ class Bflt < ExeFormat
 		self
 	end
+	def get_default_entrypoints
+		['entrypoint']
+	end
 	def each_section
-		yield @text, @header.entry
-		yield @data, @header.data_start
+		yield @text, 0
+		yield @data, @header.data_start - @header.entry
+	end
+	def section_info
+		[['.text', 0, @text.length, 'rx'],
+		 ['.data', @header.data_addr-0x40, @data.data.length, 'rw'],
+		 ['.bss',  @header.data_end-0x40,  @data.length-@data.data.length, 'rw']]
+	end
+	def module_symbols
+		['entrypoint', @header.entry-0x40]
 	end
 end
 end

data/{lib/metasm → metasm}/exe_format/coff.rb RENAMED Viewed

@@ -46,9 +46,11 @@ class COFF < ExeFormat
 	}
 	DLL_CHARACTERISTIC_BITS = {
+		0x20 => 'HIGH_ENTROPY_VA',
 		0x40 => 'DYNAMIC_BASE', 0x80 => 'FORCE_INTEGRITY', 0x100 => 'NX_COMPAT',
 		0x200 => 'NO_ISOLATION', 0x400 => 'NO_SEH', 0x800 => 'NO_BIND',
-		0x2000 => 'WDM_DRIVER', 0x8000 => 'TERMINAL_SERVER_AWARE'
+		0x1000 => 'APPCONTAINER', 0x2000 => 'WDM_DRIVER',
+		0x4000 => 'GUARD_CF', 0x8000 => 'TERMINAL_SERVER_AWARE'
 	}
 	BASE_RELOCATION_TYPE = { 0 => 'ABSOLUTE', 1 => 'HIGH', 2 => 'LOW', 3 => 'HIGHLOW',
@@ -81,7 +83,7 @@ class COFF < ExeFormat
 		11 => 'UNION_MEMBER', 12 => 'UNION_TAG', 13 => 'TYPEDEF', 14 => 'UNDEF_STATIC',
 		15 => 'ENUM_TAG', 16 => 'ENUM_MEMBER', 17 => 'REG_PARAM', 18 => 'BIT_FIELD',
 		100 => 'BLOCK', 101 => 'FUNCTION', 102 => 'END_STRUCT',
-	       	103 => 'FILE', 104 => 'SECTION', 105 => 'WEAK_EXT',
+		103 => 'FILE', 104 => 'SECTION', 105 => 'WEAK_EXT',
 	}
 	DEBUG_TYPE = { 0 => 'UNKNOWN', 1 => 'COFF', 2 => 'CODEVIEW', 3 => 'FPO', 4 => 'MISC',
@@ -140,7 +142,7 @@ class COFF < ExeFormat
 		bytes :link_ver_maj, :link_ver_min
 		words :code_size, :data_size, :udata_size, :entrypoint, :base_of_code
 		# base_of_data does not exist in 64-bit
-		new_field(:base_of_data, lambda { |exe, hdr| exe.decode_word if exe.bitsize != 64 }, lambda { |exe, hdr, val| exe.encode_word(val) if exe.bitsize != 64 }, 0)
+		new_field(:base_of_data, lambda { |exe, hdr| exe.decode_word if exe.bitsize != 64 }, lambda { |exe, hdr, val| exe.encode_word(val) if exe.bitsize != 64 }, lambda { |exe, hdr| exe.bitsize != 64 ? 4 : 0 }, 0)
 		# NT-specific fields
 		xword :image_base
 		words :sect_align, :file_align
@@ -211,7 +213,7 @@ class COFF < ExeFormat
 	end
 	# tree-like structure, holds all misc data the program might need (icons, cursors, version information)
-	# conventionnally structured in a 3-level depth structure:
+	# conventionally structured in a 3-level depth structure:
 	#  I resource type (icon/cursor/etc, see +TYPES+)
 	#  II resource id (icon n1, icon 'toto', ...)
 	#  III language-specific version (icon n1 en, icon n1 en-dvorak...)
@@ -228,6 +230,12 @@ class COFF < ExeFormat
 		end
 	end
+	# unwind info
+	class ExceptionEntry < SerialStruct
+		# function start RVA, function end RVA, UNWIND_INFO RVA
+		words :func, :func_end, :unwind
+	end
 	# array of relocations to apply to an executable file
 	# when it is loaded at an address that is not its preferred_base_address
 	class RelocationTable < SerialStruct
@@ -256,15 +264,26 @@ class COFF < ExeFormat
 		end
 		class RSDS < SerialStruct
-			mem :guid, 16
+			word :guid_03
+			halfs :guid_45, :guid_67
+			bytes :guid_8, :guid_9, :guid_a, :guid_b, :guid_c, :guid_d, :guid_e, :guid_f
 			word :age
 			strz :pdbfilename
+			def guid
+				"%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X" % [guid_03, guid_45, guid_67, guid_8, guid_9, guid_a, guid_b, guid_c, guid_d, guid_e, guid_f]
+			end
+			# http path to pdb (compressed)
+			def msdl_url
+				"http://msdl.microsoft.com/download/symbols/#{pdbfilename}/#{guid.delete("-")}#{age}/#{pdbfilename.chop}_"
+			end
 		end
 	end
 	class TLSDirectory < SerialStruct
 		xwords :start_va, :end_va, :index_addr, :callback_p
- 		words :zerofill_sz, :characteristics
+		words :zerofill_sz, :characteristics
 		attr_accessor :callbacks
 	end
@@ -394,7 +413,8 @@ class COFF < ExeFormat
 	end
 	attr_accessor :header, :optheader, :directory, :sections, :endianness, :symbols, :bitsize,
-		:export, :imports, :resource, :certificates, :relocations, :debug, :tls, :loadconfig, :delayimports, :com_header
+		:export, :imports, :resource, :exception_table, :certificates,
+		:relocations, :debug, :tls, :loadconfig, :delayimports, :com_header
 	# boolean, set to true to have #decode() ignore the base_relocs directory
 	attr_accessor :nodecode_relocs
@@ -413,6 +433,11 @@ class COFF < ExeFormat
 	end
 	def shortname; 'coff'; end
+	def sizeof_byte ; 1 ; end
+	def sizeof_half ; 2 ; end
+	def sizeof_word ; 4 ; end
+	def sizeof_xword ; @bitsize == 32 ? 4 : 8 ; end
 end
 # the COFF archive file format
@@ -448,6 +473,9 @@ class COFFArchive < ExeFormat
 	def member(name)
 		@members.find { |m| m.name == name }
 	end
+	def sizeof_half ; 2 ; end
+	def sizeof_word ; 4 ; end
 end
 end

data/{lib/metasm → metasm}/exe_format/coff_decode.rb RENAMED Viewed

@@ -17,13 +17,15 @@ class COFF
 		# decodes a COFF optional header from coff.cursection
 		# also decodes directories in coff.directory
 		def decode(coff)
-			return set_default_values(coff) if coff.header.size_opthdr == 0
+			return set_default_values(coff) if coff.header.size_opthdr == 0 and not coff.header.characteristics.include?('EXECUTABLE_IMAGE')
+			off = coff.curencoded.ptr
 			super(coff)
+			nrva = (coff.header.size_opthdr - (coff.curencoded.ptr - off)) / 8
+			nrva = @numrva if nrva < 0
-			nrva = @numrva
-			if @numrva > DIRECTORIES.length
-				puts "W: COFF: Invalid directories count #{@numrva}" if $VERBOSE
-				nrva = DIRECTORIES.length
+			if nrva > DIRECTORIES.length or nrva != @numrva
+				puts "W: COFF: Weird directories count #{@numrva}" if $VERBOSE
+				nrva = DIRECTORIES.length if nrva > DIRECTORIES.length
 			end
 			coff.directory = {}
@@ -64,7 +66,7 @@ class COFF
 	class RelocObj
 		def decode(coff)
 			super(coff)
-			@sym = coff.symbols[@symidx]
+			@sym = coff.symbols[@symidx] if coff.symbols
 		end
 	end
@@ -87,7 +89,7 @@ class COFF
 					addr = addrs[i]
 					if addr >= coff.directory['export_table'][0] and addr < coff.directory['export_table'][0] + coff.directory['export_table'][1] and coff.sect_at_rva(addr)
 						name = coff.decode_strz
-						e.forwarder_lib, name = name.split('.', 2)
+						e.forwarder_lib, name = name.split('.', 2) if name.index('.')
 						if name[0] == ?#
 							e.forwarder_ordinal = name[1..-1].to_i
 						else
@@ -109,6 +111,7 @@ class COFF
 			end
 			if namep and ords
 				namep.zip(ords).each { |np, oi|
+					next if not @exports[oi]
 					@exports[oi].name_p = np
 					if coff.sect_at_rva(np)
 						@exports[oi].name = coff.decode_strz
@@ -171,17 +174,17 @@ class COFF
 	end
 	class ResourceDirectory
-		def decode(coff, edata = coff.curencoded, startptr = edata.ptr)
+		def decode(coff, edata = coff.curencoded, startptr = edata.ptr, maxdepth=3)
 			super(coff, edata)
 			@entries = []
 			nrnames = @nr_names if $DEBUG
 			(@nr_names+@nr_id).times {
- 				e = Entry.new
+				e = Entry.new
- 				e_id = coff.decode_word(edata)
- 				e_ptr = coff.decode_word(edata)
+				e_id = coff.decode_word(edata)
+				e_ptr = coff.decode_word(edata)
 				if not e_id.kind_of? Integer or not e_ptr.kind_of? Integer
 					puts 'W: COFF: relocs in the rsrc directory?' if $VERBOSE
@@ -213,10 +216,12 @@ class COFF
 					e.subdir_p = e_ptr & 0x7fff_ffff
 					if startptr + e.subdir_p >= edata.length
 						puts 'W: COFF: invalid resource structure: directory too far' if $VERBOSE
-					else
+					elsif maxdepth > 0
 						edata.ptr = startptr + e.subdir_p
 						e.subdir = ResourceDirectory.new
-						e.subdir.decode coff, edata, startptr
+						e.subdir.decode coff, edata, startptr, maxdepth-1
+					else
+						puts 'W: COFF: recursive resource section' if $VERBOSE
 					end
 				else
 					e.dataentry_p = e_ptr
@@ -244,7 +249,8 @@ class COFF
 			decode_tllv = lambda { |ed, state|
 				sptr = ed.ptr
-				len, vlen, type = coff.decode_half(ed), coff.decode_half(ed), coff.decode_half(ed)
+				len, vlen = coff.decode_half(ed), coff.decode_half(ed)
+				coff.decode_half(ed)	# type
 				tagname = ''
 				while c = coff.decode_half(ed) and c != 0
 					tagname << (c&255)
@@ -273,7 +279,7 @@ class COFF
 				when :str
 					val = ed.read(vlen*2).unpack('v*')
 					val.pop if val[-1] == 0
-					val = val.pack('C*') if val.all? { |c_| c_ > 0 and  c_ < 256 }
+					val = val.pack('C*') if val.all? { |c_| c_ > 0 and  c_ < 256 }
 					vers[tagname] = val
 				when :var
 					val = ed.read(vlen).unpack('V*')
@@ -424,10 +430,9 @@ class COFF
 	# may return self when rva points to the coff header
 	# returns nil if none match, 0 never matches
 	def sect_at_rva(rva)
-		return if not rva or rva <= 0
+		return if not rva or not rva.kind_of?(::Integer) or rva <= 0
 		if sections and not @sections.empty?
-			valign = lambda { |l| EncodedData.align_size(l, @optheader.sect_align) }
-			if s = @sections.find { |s_| s_.virtaddr <= rva and s_.virtaddr + valign[s_.virtsize] > rva }
+			if s = @sections.find { |s_| s_.virtaddr <= rva and s_.virtaddr + EncodedData.align_size((s_.virtsize == 0 ? s_.rawsize : s_.virtsize), @optheader.sect_align) > rva }
 				s.encoded.ptr = rva - s.virtaddr
 				@cursection = s
 			elsif rva < @sections.map { |s_| s_.virtaddr }.min
@@ -479,7 +484,7 @@ class COFF
 	end
 	def each_section
-		if @header.size_opthdr == 0
+		if @header.size_opthdr == 0 and not @header.characteristics.include?('EXECUTABLE_IMAGE')
 			@sections.each { |s|
 				next if not s.encoded
 				l = new_label(s.name)
@@ -490,7 +495,9 @@ class COFF
 		end
 		base = @optheader.image_base
 		base = 0 if not base.kind_of? Integer
-		yield @encoded[0, @optheader.headers_size], base
+		sz = @optheader.headers_size
+		sz = EncodedData.align_size(@optheader.image_size, 4096) if @sections.empty?
+		yield @encoded[0, sz], base
 		@sections.each { |s| yield s.encoded, base + s.virtaddr }
 	end
@@ -545,6 +552,7 @@ class COFF
 			s.relocnr.times { s.relocs << RelocObj.decode(self) }
 			new_label 'pcrel'
 			s.relocs.each { |r|
+				next if not r.sym
 				case r.type
 				when 'DIR32'
 					s.encoded.reloc[r.va] = Metasm::Relocation.new(Expression[r.sym.name], :u32, @endianness)
@@ -566,8 +574,10 @@ class COFF
 	# decodes a section content (allows simpler LoadedPE override)
 	def decode_section_body(s)
 		raw = EncodedData.align_size(s.rawsize, @optheader.file_align)
-		virt = EncodedData.align_size(s.virtsize, @optheader.sect_align)
+		virt = s.virtsize
 		virt = raw = s.rawsize if @header.size_opthdr == 0
+		virt = raw if virt == 0
+		virt = EncodedData.align_size(virt, @optheader.sect_align)
 		s.encoded = @encoded[s.rawaddr, [raw, virt].min] || EncodedData.new
 		s.encoded.virtsize = virt
 	end
@@ -629,13 +639,29 @@ class COFF
 		resource.decode_version(self, lang)
 	end
+	# decode the exception table, holding the start and end of every function in the binary (x64)
+	# includes a pointer to the UNWIND_INFO structure for exception handling
+	def decode_exception_table
+		if et = @directory['exception_table'] and sect_at_rva(et[0])
+			@exception_table = []
+			(et[1]/12).times {
+				@exception_table << ExceptionEntry.decode(self)
+			}
+		end
+	end
 	# decodes certificate table
 	def decode_certificates
 		if ct = @directory['certificate_table']
 			@certificates = []
 			@cursection = self
+			if ct[0] > @encoded.length or ct[1] > @encoded.length - ct[0]
+				puts "W: COFF: invalid certificate_table #{'0x%X+0x%0X' % ct}" if $VERBOSE
+				ct = [ct[0], 1]
+			end
 			@encoded.ptr = ct[0]
 			off_end = ct[0]+ct[1]
+			off_end = @encoded.length if off_end > @encoded.length
 			while @encoded.ptr < off_end
 				certlen = decode_word
 				certrev = decode_half
@@ -704,6 +730,25 @@ class COFF
 		end
 	end
+	def decode_reloc_amd64(r)
+		case r.type
+		when 'ABSOLUTE'
+		when 'HIGHLOW'
+			addr = decode_word
+			if s = sect_at_va(addr)
+				label = label_at(s.encoded, s.encoded.ptr, "xref_#{Expression[addr]}")
+				Metasm::Relocation.new(Expression[label], :u32, @endianness)
+			end
+		when 'DIR64'
+			addr = decode_xword
+			if s = sect_at_va(addr)
+				label = label_at(s.encoded, s.encoded.ptr, "xref_#{Expression[addr]}")
+				Metasm::Relocation.new(Expression[label], :u64, @endianness)
+			end
+		else puts "W: COFF: Unsupported amd64 relocation #{r.inspect}" if $VERBOSE
+		end
+	end
 	def decode_debug
 		if dd = @directory['debug'] and sect_at_rva(dd[0])
 			@debug = []
@@ -719,11 +764,11 @@ class COFF
 	def decode_tls
 		if @directory['tls_table'] and sect_at_rva(@directory['tls_table'][0])
 			@tls = TLSDirectory.decode(self)
-		       	if s = sect_at_va(@tls.callback_p)
+			if s = sect_at_va(@tls.callback_p)
 				s.encoded.add_export 'tls_callback_table'
 				@tls.callbacks.each_with_index { |cb, i|
 					@tls.callbacks[i] = curencoded.add_export "tls_callback_#{i}" if sect_at_rva(cb)
-			       	}
+				}
 			end
 		end
 	end
@@ -748,6 +793,7 @@ class COFF
 		decode_exports
 		decode_imports
 		decode_resources
+		decode_exception_table
 		decode_certificates
 		decode_debug
 		decode_tls
@@ -815,6 +861,7 @@ class COFFArchive
 			ar.encoded.ptr += 1 if @size & 1 == 1
 		end
+		# TODO XXX are those actually used ?
 		def decode_half ; @encoded.decode_imm(:u16, :big) end
 		def decode_word ; @encoded.decode_imm(:u32, :big) end