metasm 1.0.0 → 1.0.5

data/samples/dasm-plugins/dasm_all.rb

@@ -0,0 +1,70 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin: retrieve a section section, and disassemble everything it can, skipping existing code and nops
+# usage: load the plugin, then call (ruby snipped): dasm.dasm_all_section '.text'
+def dasm_all(addrstart, length, method=:disassemble_fast_deep)
+	s = get_section_at(addrstart)
+	return if not s
+	s = s[0]
+	boff = s.ptr
+	off = 0
+	while off < length
+		if di = di_at(addrstart + off)
+			off += di.bin_length
+		elsif @decoded[addrstart+off]
+			off += 1
+		else
+			s.ptr = boff+off
+			maydi = cpu.decode_instruction(s, 0)
+			if not maydi
+				off += 1
+			elsif maydi.instruction.to_s =~ /nop|lea (.*), \[\1(?:\+0)?\]|mov (.*), \2|int 3/
+				off += maydi.bin_length
+			else
+				puts "dasm_all: found #{Expression[addrstart+off]}" if $VERBOSE
+				send(method, addrstart+off)
+			end
+		end
+		Gui.main_iter if gui and off & 15 == 0
+	end
+
+	count = 0
+	off = 0
+	while off < length
+		addr = addrstart+off
+		if di = di_at(addr)
+			if di.block_head?
+				b = di.block
+				if not @function[addr] and b.from_subfuncret.to_a.empty? and b.from_normal.to_a.empty?
+					l = auto_label_at(addr, 'sub_orph')
+					puts "dasm_all: found orphan function #{l}"
+					@function[addrstart+off] = DecodedFunction.new
+					@function[addrstart+off].finalized = true
+					detect_function_thunk(addr)
+					count += 1
+				end
+			end
+			off += di.bin_length
+		else
+			off += 1
+		end
+		Gui.main_iter if gui and off & 15 == 0
+	end
+
+	puts "found #{count} orphan functions" if $VERBOSE
+
+	gui.gui_update if gui
+end
+
+def dasm_all_section(name, method=:disassemble_fast_deep)
+	section_info.each { |n, a, l, i|
+		if name == n
+			dasm_all(Expression[a].reduce, l, method)
+		end
+	}
+	true
+end

data/samples/dasm-plugins/demangle_cpp.rb

@@ -0,0 +1,31 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin: try to demangle all labels as c++ names, add them as
+# comment if successful
+
+def demangle_all_cppnames
+	cnt = 0
+	prog_binding.each { |name, addr|
+		cname = name.sub(/^thunk_/, '')
+		if dname = demangle_cppname(cname)
+			cnt += 1
+			add_comment(addr, dname)
+			each_xref(addr, :x) { |xr|
+				if di = di_at(xr.origin)
+					di.add_comment dname
+					di.comment.delete "x:#{name}"
+				end
+			}
+		end
+	}
+	cnt
+end
+
+if gui
+	demangle_all_cppnames
+	gui.gui_update
+end

data/samples/dasm-plugins/deobfuscate.rb

@@ -0,0 +1,251 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# To use your own patterns, create a script that defines Deobfuscate::Patterns, then eval() this file.
+# Use your script as argument to --plugin
+#
+# This script is to be used with the --plugin option of samples/disassemble(-gtk).rb
+# It holds methods to ease the definition of instruction patterns that are to be replaced
+# by another arbitrary instruction sequence, using mostly a regexp syntax
+#
+# The pattern search&replace is done every time the disassembler
+# finds a new instruction, through the callback_newinstr callback.
+#
+# The patterns can use shortcuts for frequently-used regexps (like 'any machine registers'),
+# defined in the PatternMacros hash.
+#
+# The patterns are matched first against the sequence of instruction opcode names, then
+# each instruction is rendered as text (using Instruction#to_s), and the global regexp
+# is checked.
+# Backreferences can be used in the substitution instruction sequence, through the %1 ... %9
+# special values.
+#
+# A pattern consists of a sequence of regexp for instructions, separated by ' ; '
+# Each subregexps should not match multiple instructions (ie a patterns matches a fixed-length
+# instruction sequence, whose length equals the number of ' ; '-separated regexps)
+# The first word of each regexp should match only the instruction opcode name.
+#
+# The substitution may be a Proc, which will receive |dasm object, matched decodedinstr list| as
+# arguments, and should return:
+# a String, holding a sequence of instructions separated by ' ; ', which will be parsed by the CPU (no labels allowed)
+# nil if the pattern did not match, continue searching
+# an Array of Instruction/DecodedInstruction. If the array is the original di list, same as returning nil
+#
+# If the substitution array is different from the matched sequence, the new instructions are passed
+# to dasm.replace_instrs, which will patch the disassembler decoded instruction graph ; and each
+# new instruction is passed through the callback once more, allowing for recursive patterns.
+#
+
+module Deobfuscate
+
+
+# special constructs : %i => an integer (immediate/standard label)
+#                      %r => standard x86 register (except esp), all sizes
+#                      %m => modr/m 32 (memory indirection or reg)
+PatternMacros = {
+	'%i' => '(?:-|loc_|sub_|xref_)?[0-9][0-9a-fA-F]*h?',
+	'%r' => '(?:[re]?[abcd]x|[re]?[sd]i|[re]?bp|[abcd][lh])',
+	'%m' => '(?:(?:dword ptr )?\[.*?\]|eax|ebx|ecx|edx|edi|esi|ebp)',
+} if not defined? PatternMacros
+
+
+
+
+# instructions are separated by ' ; '
+# instruction must be '<simple regexp matching opcode> <arbitrary regexp>'
+# in the pattern target, %1-%9 are used for backreferences from the regexp match
+Patterns = {
+	'nop ; (.*)' => '%1',	# concat 'nop' into following instruction
+	'mov (%r|esp), \1' => 'nop',
+	'lea (%r|esp), (?:dword ptr )?\[\1(?:\+0)?\]' => 'nop',
+	'(.*)' => lambda { |dasm, list| # remove 'jmp imm' preceding us without interfering with running dasm
+		if pdi = prev_di(dasm, list.last) and pdi.opcode.name == 'jmp' and
+				pdi.instruction.args[0].kind_of? Metasm::Expression
+			dasm.replace_instrs(pdi.address, pdi.address, [])
+		end
+		nil
+	},
+	#'call %i ; pop (%r)' => lambda { |dasm, list| "mov %1, #{list.first.next_addr}" },
+} if not defined? Patterns
+
+
+
+
+# returns an array of strings matching the regexp (only |,?,[], non-nested allowed, no special chars)
+# expand_regexp['a[bcd]?(ef|gh)'] => [abef acef adef aef abgh acgh adgh agh]
+def self.expand_regexp(str)
+	case str
+	when nil, '', '.*'; return [str.to_s]
+	when /^\\\./
+		l1, p2 = ['.'], $'
+	when /^(\w+)(\?)?/
+ 		s1, q, p2 = $1, $2, $'
+		l1 = (q ? [s1, s1.chop] : [s1])
+	when /^\[(.*?)\](\?)?/
+		p1, q, p2 = $1, $2, $'
+		l1 = p1.split(//)
+		l1 << '' if q
+	when /^\((?:\?:)?(.*?)\)(\?)?/
+		p1, q, p2 = $1, $2, $'
+		l1 = p1.split('|').map { |p| expand_regexp(p) }.flatten
+		l1 << '' if q
+	else raise "bad pattern #{str.inspect}"
+	end
+ 	expand_regexp(p2).map { |s2| l1.map { |s1_| s1_ + s2 } }.flatten.uniq
+end
+
+# find the instr preceding adi ; follows from_normal if it is a single element array
+def self.prev_di(dasm, di)
+	if di.block.list.first != di
+		di.block.list[di.block.list.index(di)-1]
+	elsif di.block.from_normal.to_a.length == 1
+		dasm.decoded[di.block.from_normal.first]
+	end
+end
+
+# preprocess the pattern list to optimize matching on each new instruction
+# last pattern instr opname => prev instr opname => prev instr opname => :pattern => [patterns]
+def self.generate_precalc(next_hash, next_ops, pattern)
+	if next_ops.empty?
+		next_hash[:pattern] ||= []
+		next_hash[:pattern] << pattern
+	else
+		(expand_regexp(next_ops[-1]) rescue ['.*']).each { |op|
+			nh = next_hash[op] ||= {}
+			generate_precalc(nh, next_ops[0...-1], pattern)
+		}
+	end
+end
+
+PrecalcPatterns = {} if not defined? PrecalcPatterns
+
+# replace Macros in patterns, do some precalc to speedup pattern matching
+def self.init
+	PrecalcPatterns.clear
+	Patterns.keys.each { |pat|
+		# replace PatternMacros in patterns
+		newp = pat.dup
+		PatternMacros.each { |mk, mv| newp.gsub!(mk, mv) }
+		Patterns[newp] = Patterns.delete(pat) if pat != newp
+		pat = newp
+
+		# TODO handle instructions with prefix (lock/rep), conditional regexp over multiple instructions..
+		ops = pat.split(' ; ').map { |instr| instr[/^\S+/] }
+
+		generate_precalc(PrecalcPatterns, ops, pat)
+	}
+end
+
+# the actual disassembler callback
+# checks the current instruction opname against the end of patterns using precomputed tree, then check  previous instr etc
+# once full pattern may match, convert each instr to string, and run the regexp match
+# on match, reuse the captures in the pattern target, parse the target, generate decoded instrs, and replace in the dasm graph.
+# on match, rerun the callback on each replaced instruction (for recursive patterns)
+def self.newinstr_callback(dasm, di)
+	# compute the merged subtree of t1 and t2
+	# merges patterns if found
+	mergetree = lambda { |t1, t2|
+		if t1 and t2
+			case t1
+			when Array; t1 + t2
+			when Hash; (t1.keys | t2.keys).inject({}) { |t, k| t.update k => mergetree[t1[k], t2[k]] }
+			end
+		else t1 || t2
+		end
+	}
+
+	di_seq = [di]
+	lastdi = di
+	tree = PrecalcPatterns
+	tree = mergetree[tree['.*'], tree[lastdi.instruction.opname]]
+	newinstrs = match = nil
+	# walk the Precalc tree
+	while tree
+		if tree[:pattern]
+			strs = di_seq.map { |pdi| pdi.instruction.to_s }
+			break if tree[:pattern].find { |pat|
+				if match = /^#{pat}$/.match(strs.join(' ; '))
+					newinstrs = Patterns[pat]
+					newinstrs = newinstrs[dasm, di_seq] if newinstrs.kind_of? Proc
+					newinstrs = nil if newinstrs == di_seq
+				else newinstrs = nil
+				end
+				newinstrs
+			} or tree.length == 1
+		end
+
+		if lastdi = prev_di(dasm, lastdi)
+			di_seq.unshift lastdi
+			tree = mergetree[tree['.*'], tree[lastdi.instruction.opname]]
+		else break
+		end
+	end
+
+	# match found : create instruction stream, replace in dasm, recurse
+	if newinstrs
+		# replace %1-%9 by the matched substrings
+		newinstrs = newinstrs.gsub(/%(\d)/) { match.captures[$1.to_i-1] }.split(' ; ').map { |str| dasm.cpu.parse_instruction(str) } if newinstrs.kind_of? String
+		if newinstrs.last.kind_of? Metasm::Instruction and newinstrs.last.opname != 'jmp' and
+				lastdi.address + di_seq.inject(-di.bin_length) { |len, i| len + i.bin_length } != di.address
+			# ensure that the last instr ends the same place as the original last instr (to allow disassemble_block to continue)
+			newinstrs << dasm.cpu.parse_instruction("jmp #{Metasm::Expression[di.next_addr]}")
+			# nop ; jmp => jmp
+			newinstrs.shift if newinstrs.length >= 2 and newinstrs.first.kind_of? Metasm::Instruction and newinstrs.first.opname == 'nop'
+		end
+
+		# remove instructions from the match to have only 2 linked blocks passed to replace_instrs
+		unused = di_seq[1..-2] || []
+		unused.delete_if { |udi| udi.block.address == di_seq[0].block.address or udi.block.address == di_seq[-1].block.address }
+		dasm.replace_instrs(unused.shift.address, unused.shift.address, []) while unused.length > 1
+		dasm.replace_instrs(unused.first.address, unused.first.address, []) if not unused.empty?
+
+		# patch the dasm graph
+		if dasm.replace_instrs(lastdi.address, di.address, newinstrs, true)
+			puts ' deobfuscate', di_seq, ' into', newinstrs, ' ---' if $DEBUG
+			# recurse, keep the last generated di to return to caller as replacement
+			newinstrs.each { |bdi| di = newinstr_callback(dasm, bdi) || di }
+		else
+			di = nil
+		end
+	end
+
+	di
+end
+
+# call newinstr_callback on all existing instructions of dasm
+def self.deobfuscate_existing(dasm)
+	dasm.each_instructionblock { |b|
+		b.list.dup.each { |di| newinstr_callback(dasm, di) }
+	}
+end
+
+# calls dasm.merge_blocks(true) on all instruction blocks to merge sequences of blocks
+def self.merge_blocks(dasm)
+	dasm.each_instructionblock { |b|
+		if pv = dasm.di_at(b.from_normal.to_a.first) and not pv.block.list.last.opcode.props[:setip] and
+				b.from_normal.length == 1 and pv.block.to_normal.to_a.length == 1
+			dasm.merge_blocks(pv.block, b, true)
+		end
+	}
+end
+end
+
+if $DEBUG
+# update DecodedInstr.to_s to include instr length
+class Metasm::DecodedInstruction
+	def to_s ; "#{Metasm::Expression[address] if address} +#{bin_length} #{instruction}" end
+end
+end
+
+# do the pattern precalc
+Deobfuscate.init
+
+if self.kind_of? Metasm::Disassembler
+dasm = self
+# setup the newinstr callback
+dasm.callback_newinstr = lambda { |di| Deobfuscate.newinstr_callback(dasm, di) }
+end

data/samples/dasm-plugins/dump_text.rb

@@ -0,0 +1,35 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm GUI plugin: dumps the text of the current widget to a text file on 'D' keypress
+# the dump is appended to the file if it exists
+# works on the listing view (current screen),
+# on the decompiled view (current function),
+# on the graph view (selected blocks, in selection order)
+
+if gui
+	gui.keyboard_callback[?D] = lambda { |a|
+		cv = gui.curview
+		if t = cv.instance_variable_get('@line_text')
+			gui.savefile('dump file') { |f|
+				File.open(f, 'a') { |fd| fd.puts t }
+			}
+		elsif s = cv.instance_variable_get('@selected_boxes')
+			if s.empty?
+				gui.messagebox('select boxes (ctrl+click)')
+				next
+			end
+			gui.savefile('dump file') { |f|
+				File.open(f, 'a') { |fd|
+					s.each { |box|
+						fd.puts box[:line_text_col].map { |strc| strc.transpose[0].join }
+					}
+					fd.puts
+				}
+			}
+		end
+	}
+end

data/samples/dasm-plugins/export_graph_svg.rb

@@ -0,0 +1,86 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin: create a function to export the currently displayed
+# dasm graph to a .svg file
+# in the gui, type E to export. Tested only for graph-style view, *may* work in other cases
+
+raise 'gui only' if not gui
+
+def graph_to_svg
+	gw = gui.curview.dup
+	class << gw
+		attr_accessor :svgbuf, :svgcol
+		def draw_color(col)
+			col = @default_color_association.fetch(col, col)
+			col = BasicColor.fetch(col, col)
+			@svgcol = "##{col}"
+		end
+
+		def draw_line(x1, y1, x2, y2)
+			bb(x1, y1, x2, y2)
+			svgbuf << %Q{<line x1="#{x1}" y1="#{y1}" x2="#{x2}" y2="#{y2}" stroke="#{@svgcol}" />\n}
+		end
+		def draw_rectangle(x, y, w, h)
+			bb(x, y, x+w, y+h)
+			svgbuf << %Q{<rect x="#{x}" y="#{y}" width="#{w}" height="#{h}" fill="#{@svgcol}" />\n}
+		end
+		def draw_string(x, y, str)
+			bb(x, y, x+str.length*@font_width, y+@font_height)
+			stre = str.gsub('<', '&lt;').gsub('>', '&gt;')
+			svgbuf << %Q{<text x="#{(0...str.length).map { |i| x+i*@font_width }.join(',')}" y="#{y+@font_height*0.7}" stroke="#{@svgcol}">#{stre}</text>\n}
+		end
+
+		def draw_rectangle_color(c, *a)
+			draw_color(c)
+			draw_rectangle(*a)
+		end
+		def draw_line_color(c, *a)
+			draw_color(c)
+			draw_line(*a)
+		end
+		def draw_string_color(c, *a)
+			draw_color(c)
+			draw_string(*a)
+		end
+
+		def focus?; false; end
+		def view_x; @svgvx ||= @curcontext.boundingbox[0]-20; end
+		def view_y; @svgvy ||= @curcontext.boundingbox[1]-20; end
+		def width;  @svgvw ||= (@curcontext ? (@curcontext.boundingbox[2]-@curcontext.boundingbox[0])*@zoom+20 : 800); end
+		def height; @svgvh ||= (@curcontext ? (@curcontext.boundingbox[3]-@curcontext.boundingbox[1])*@zoom+20 : 600); end
+		def svgcuraddr; @curcontext ? @curcontext.root_addrs.first : current_address; end
+
+		# drawing bounding box (for the background rectangle)
+		attr_accessor :bbx, :bby, :bbxm, :bbym
+		def bb(x1, y1, x2, y2)
+			@bbx  = [x1, x2, @bbx].compact.min
+			@bbxm = [x1, x2, @bbxm].compact.max
+			@bby  = [y1, y2, @bby].compact.min
+			@bbym = [y1, y2, @bbym].compact.max
+		end
+	end
+	ret = gw.svgbuf = ''
+	gw.paint
+
+	ret[0, 0] = <<EOS
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20010904//EN" 
+  "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" font-family="courier, monospace">
+<desc>Graph of #{get_label_at(gw.svgcuraddr) || Expression[gw.svgcuraddr]}</desc>
+<rect x="#{gw.bbx-10}" y="#{gw.bby-10}" width="#{gw.bbxm-gw.bbx+20}" height="#{gw.bbym-gw.bby+20}" fill="#{gw.draw_color(:background)}" />"
+EOS
+	ret << %Q{</svg>}
+end
+
+gui.keyboard_callback[?E] = lambda { |*a|
+	gui.savefile('svg target') { |f|
+		svg = graph_to_svg
+		File.open(f, 'w') { |fd| fd.write svg }
+	}
+	true
+}