metasm 1.0.0 → 1.0.5

data/samples/dynamic_ruby.rb

@@ -289,12 +289,15 @@ EOS
 		m ? @cp.dump_definition(m) : @cp.to_s
 	end
 
+	@@optim_hint = {}
+	def self.optim_hint; @@optim_hint; end
+
 	attr_accessor :optim_hint
 	def initialize(cp=nil)
 		@cp = cp || DynLdr.host_cpu.new_cparser
 		@cp.parse RUBY_H
 		@iter_break = nil
-		@optim_hint = {}
+		@optim_hint = @@optim_hint.dup
 	end
 
 	# convert a ruby AST to a new C function
@@ -449,8 +452,8 @@ EOS
 	end
 
 	# compile a case/when
-	# create a real C switch() for Fixnums, and put the others === in the default case
-	# XXX will get the wrong order for "case x; when 1; when Fixnum; when 3;" ...
+	# create a real C switch() for Integers, and put the others === in the default case
+	# XXX will get the wrong order for "case x; when 1; when Integer; when 3;" ...
 	def compile_case(ast, scope, want_value)
 		# this generates
 		# var = stuff_to_test()
@@ -469,7 +472,7 @@ EOS
 		#   else {
 		#      default();
 		#   }
-		#      
+		#
 		if want_value == true
 			ret = get_new_tmp_var('case', want_value)
 			want_value = ret
@@ -495,7 +498,7 @@ EOS
 				raise Fail if cs[1][0] != :array
 
 				# numeric case, add a case to body_int
-				if cs[1][1..-1].all? { |cd| cd[0] == :lit and (cd[1].kind_of? Fixnum or cd[1].kind_of? Range) }
+				if cs[1][1..-1].all? { |cd| cd[0] == :lit and (cd[1].kind_of? Integer or cd[1].kind_of? Range) }
 					cs[1][1..-1].each { |cd|
 						if cd[1].kind_of? Range
 							b = cd[1].begin
@@ -517,7 +520,7 @@ EOS
 				else
 					cnd = nil
 					cs[1][1..-1].each { |cd|
-						if (cd[0] == :lit and (cd[1].kind_of?(Fixnum) or cd[1].kind_of?(Symbol))) or
+						if (cd[0] == :lit and (cd[1].kind_of?(Integer) or cd[1].kind_of?(Symbol))) or
 							[:nil, :true, :false].include?(cd[0])
 							# true C equality
 							cd = C::CExpression[var, :==, ast_to_c(cd, scope)]
@@ -538,7 +541,7 @@ EOS
 					cb = C::Block.new(scope)
 					v = ast_to_c(cs[2], cb, want_value)
 					cb.statements << C::CExpression[ret, :'=', v] if want_value and v != ret
-					
+
 					fu = C::If.new(cnd, cb, nil)
 
 					if body_other
@@ -656,7 +659,7 @@ EOS
 	end
 
 	# retrieve the current class, from self->klass
-	# XXX will segfault with self.kind_of? Fixnum/true/false/nil/sym
+	# XXX will segfault with self.kind_of? Integer/true/false/nil/sym
 	def rb_selfclass
 		rb_cast_pvalue(rb_self, 1)
 	end
@@ -807,7 +810,7 @@ EOS
 	# if want_value is a C::Variable, the statements should try to populate this var instead of some random tmp var
 	# eg to simplify :if encoding unless we have 'foo = if 42;..'
 	def ast_to_c(ast, scope, want_value = true)
-		ret = 
+		ret =
 		case ast.to_a[0]
 		when :block
 			if ast[1]
@@ -1082,13 +1085,13 @@ EOS
 			case ast[1][0]
 			when :ivar
 				fcall('rb_ivar_defined', rb_self, rb_intern(ast[1][1]))
-			else 
+			else
 				raise Fail, "unsupported #{ast.inspect}"
 			end
 		when :masgn
 			# parallel assignment: put everything in an Array, then pop everything back?
 			rb_masgn(ast, scope, want_value)
-			
+
 		when :evstr
 			fcall('rb_obj_as_string', ast_to_c(ast[1], scope))
 		when :dot2, :dot3
@@ -1135,15 +1138,15 @@ EOS
 		args = ast[3][1..-1] if ast[3] and ast[3][0] == :array
 		arg0 = args[0] if args and args[0]
 
-		if arg0 and arg0[0] == :lit and arg0[1].kind_of? Fixnum
+		if arg0 and arg0[0] == :lit and arg0[1].kind_of?(Integer) and %w[== > < >= <= + -].include?(op)
+			# TODO or @optim_hint[ast[1]] == 'fixnum'
 			# optimize 'x==42', 'x+42', 'x-42'
 			o2 = arg0[1]
-			return if not %w[== > < >= <= + -].include? op
 			if o2 < 0 and ['+', '-'].include? op
 				# need o2 >= 0 for overflow detection
 				op = {'+' => '-', '-' => '+'}[op]
 				o2 = -o2
-				return if not o2.kind_of? Fixnum	# -0x40000000
+				return if not o2.kind_of? Integer	# -0x40000000
 			end
 
 			int_v = o2.object_id
@@ -1156,11 +1159,11 @@ EOS
 
 			case op
 			when '=='
-				# XXX assume == only return true for full equality: if not Fixnum, then always false
+				# XXX assume == only return true for full equality: if not Integer, then always false
 				# which breaks 1.0 == 1 and maybe others, but its ok
 				scope.statements << C::If.new(ce[recv, :'==', [int_v]], ce[tmp, :'=', rb_true], ce[tmp, :'=', rb_false])
 			when '>', '<', '>=', '<='
-				# do the actual comparison on signed >>1 if both Fixnum
+				# do the actual comparison on signed >>1 if both Integer
 				t = C::If.new(
 					ce[[[[recv], int], :>>, [1]], op.to_sym, [[[int_v], int], :>>, [1]]],
 					ce[tmp, :'=', rb_true],
@@ -1191,7 +1194,7 @@ EOS
 				end
 			end
 			tmp
-		
+
 		# Symbol#==
 		elsif arg0 and arg0[0] == :lit and arg0[1].kind_of? Symbol and op == '=='
 			s_v = ast_to_c(arg0, scope)
@@ -1241,13 +1244,13 @@ EOS
 
 			ar = C::Block.new(scope)
 			ar.statements << ce[idx, :'=', [[[arg], int], :>>, [1]]]
-			ar.statements << C::If.new(ce[idx, :<, [0]], ce[idx, :'=', [idx, :+, rb_ary_len(recv)]], nil) 
+			ar.statements << C::If.new(ce[idx, :<, [0]], ce[idx, :'=', [idx, :+, rb_ary_len(recv)]], nil)
 			ar.statements << C::If.new(ce[[idx, :<, [0]], :'||', [idx, :>=, [[rb_ary_len(recv)], int]]],
 					ce[tmp, :'=', rb_nil],
 					ce[tmp, :'=', rb_ary_ptr(recv, idx)])
 			st = C::Block.new(scope)
 			st.statements << ce[idx, :'=', [[[arg], int], :>>, [1]]]
-			st.statements << C::If.new(ce[idx, :<, [0]], ce[idx, :'=', [idx, :+, rb_str_len(recv)]], nil) 
+			st.statements << C::If.new(ce[idx, :<, [0]], ce[idx, :'=', [idx, :+, rb_str_len(recv)]], nil)
 			st.statements << C::If.new(ce[[idx, :<, [0]], :'||', [idx, :>=, [[rb_str_len(recv)], int]]],
 					ce[tmp, :'=', rb_nil],
 					ce[tmp, :'=', [[[[rb_str_ptr(recv, idx), :&, [0xff]], :<<, [1]], :|, [1]], value]])
@@ -1301,8 +1304,7 @@ EOS
 			when 'Symbol'
 				tmp = get_new_tmp_var('kindof', want_value)
 				ce[[ast_to_c(ast[1], scope, tmp), :'&', [0xf]], :'==', [0xe]]
-			#when 'Numeric', 'Integer'
-			when 'Fixnum'
+			when 'Integer'
 				tmp = get_new_tmp_var('kindof', want_value)
 				ce[ast_to_c(ast[1], scope, tmp), :'&', [0x1]]
 			when 'Array'
@@ -1500,7 +1502,7 @@ puts "shortcut may be incorrect for #{ast.inspect}" if arg0[0] == :const
 		elsif b_recv[0] == :call and not b_recv[3] and b_recv[2] == 'times'
 			limit = get_new_tmp_var('limit')
 			recv = ast_to_c(b_recv[1], scope, limit)
-			scope.statements << C::If.new(C::CExpression[:'!', [recv, :&, 1]], rb_raise('only Fixnum#times handled'), nil)
+			scope.statements << C::If.new(C::CExpression[:'!', [recv, :&, 1]], rb_raise('only Integer#times handled'), nil)
 			if want_value
 				scope.statements << C::CExpression[@iter_break, :'=', recv]
 			end
@@ -1550,7 +1552,7 @@ puts "shortcut may be incorrect for #{ast.inspect}" if arg0[0] == :const
 				body.statements << C::CExpression[dvar(b_args[1]), :'=', [rb_ary_ptr(ary), :'[]', [cntr]]]
 			end
 			# same as #each up to this point (except default retval), now add a 'if (body_value) break ary[cntr];'
-			# XXX 'find { next true }' 
+			# XXX 'find { next true }'
 
 			found = ast_to_c(b_body, body)
 			t = C::Block.new(body)
@@ -1577,7 +1579,7 @@ puts "shortcut may be incorrect for #{ast.inspect}" if arg0[0] == :const
 				body.statements << C::CExpression[dvar(b_args[1]), :'=', [rb_ary_ptr(ary), :'[]', [cntr]]]
 			end
 			# same as #each up to this point (except default retval), now add a '@iter_break << body_value'
-			# XXX 'next' unhandled 
+			# XXX 'next' unhandled
 
 			val = ast_to_c(b_body, body)
 			body.statements << fcall('rb_ary_push', @iter_break, val)
@@ -1639,7 +1641,7 @@ static void do_init_once(void) {
 	// rb_define_method(const_Lol, "method", method, 2);
 }
 
-int Init_compiledruby(void) __attribute__((export)) { 
+int Init_compiledruby(void) __attribute__((export)) {
 	// use a separate func to avoid having to append statements before the 'return'
 	do_init_once();
 	return 0;
@@ -1661,7 +1663,7 @@ EOS
 		@compiled_func_cache[[klass, method.to_s, singleton]] = @cur_cfunc
 
 		cls = rb_const(nil, klass)
-		
+
 		init.statements << fcall("rb_define#{'_singleton' if singleton}_method", cls, method.to_s, @cur_cfunc, method_arity)
 
 		mname
@@ -1696,7 +1698,7 @@ EOS
 		@cp.toplevel.symbol[n] || declare_newtopvar(n, fcall('rb_intern', sym.to_s), C::BaseType.new(:int, :unsigned))
 	end
 
-	# rb_const 'FOO', Bar::Baz  ==> 
+	# rb_const 'FOO', Bar::Baz  ==>
 	#  const_Bar = rb_const_get(rb_cObject, rb_intern("Bar"));
 	#  const_Bar_Baz = rb_const_get(const_Bar, rb_intern("Baz"));
 	#  const_Bar_Baz_FOO = rb_const_get(const_Bar_Baz, rb_intern("FOO"));
@@ -1819,6 +1821,12 @@ end
 
 if __FILE__ == $0 or ARGV.delete('ignore_argv0')
 
+while i = ARGV.index('-e')
+	# setup optim_hint etc
+	ARGV.delete_at(i)
+	eval ARGV.delete_at(i)
+end
+
 demo = case ARGV.first
        when nil;        :test_jit
        when 'asm';      :inlineasm

data/samples/elfencode.rb

@@ -14,12 +14,27 @@ __END__
 // .nointerp    // to disable the dynamic section, eg for stuff with int80 only
 .text
 .entrypoint
+#if defined __i386__
 push bla
 push fmt
 call printf
+
 push 0
 call exit
 
+#elif defined __amd64__
+lea rsi, [rip+bla-$_]
+lea rdi, [rip+fmt-$_]
+xor rax, rax
+call printf
+
+mov rdi, 0
+call exit
+
+#else
+unsupported architecture!
+#endif
+
 .data
 bla db "world", 0
 fmt db "Hello, %s !\n", 0

data/samples/emubios.rb

@@ -0,0 +1,251 @@
+#!/usr/bin/ruby
+
+# Sample to show the EmuDebugger working on X86 16bit realmode code (eg hard disk MBR)
+
+require 'metasm'
+include Metasm
+
+# use global vars for read_sector()
+$dasm = $dbg = nil
+
+$rawname = ARGV.shift || 'mbr.bin'
+cpu = Ia32.new(16)
+# add register tracking for the segment registers
+cpu.dbg_register_list << :cs << :ds << :es << :fs << :gs << :ss
+$dasm = dasm = Shellcode.new(Ia32.new(16), 0).disassembler
+dasm.backtrace_maxblocks_data = -1
+
+# initial memory
+dasm.add_section(EncodedData.new("\x00"*0x40000), 0)
+
+# read one sector from the drive to memory, invalidate already disassembled instruction from the address range
+def read_sector(addr, fileoff, len)
+	e, o = $dasm.get_section_at(addr)
+	$dasm.decoded.keys.grep(addr..(addr+len)).each { |k| $dasm.decoded.delete k }
+	raw_chunk = File.open($rawname, 'rb') { |fd| fd.pos = fileoff ; fd.read len } || ''
+	raw_chunk << 0.chr until raw_chunk.length >= len
+	e[e.ptr, len] = raw_chunk
+	$dbg.invalidate if $dbg
+end
+
+# load as BIOS MBR code
+read_sector(0x7c00, 0, 0x200)
+
+# buffer used for int 16h read keyboard
+$stdin_buf = "moo\r\n"
+
+$dbg = dbg = Metasm::EmuDebugger.new(dasm)
+dbg.set_reg_value(:eip, 0x7c00)
+dbg.set_reg_value(:esp, 0x7c00)
+
+# reset trace file
+File.open('emudbg.trace', 'w') {}
+def trace(thing)
+	File.open('emudbg.trace', 'a') { |fd| fd.puts thing }
+end
+def puts_trace(str)
+	trace str
+	puts str
+end
+
+# custom emulation of various instrs for realmode-specific behavior
+# this is a very bad realmode emulator
+# eg segment selectors are mostly ignored except for a few specific cases described here
+# seems to work for the few crackme i worked on !
+dbg.callback_emulate_di = lambda { |di|
+	puts di if $VERBOSE
+	trace di
+	case di.opcode.name
+	when 'jmp'
+		tg = di.instruction.args.first
+		if di.address == dbg.resolve(tg)
+			# break from simulation on ebfe
+			puts "EB FE !"
+			dbg.bpx(di.address)
+			break true
+		elsif tg.kind_of?(Ia32::Farptr)
+			# handle far jumps
+			dbg.pc = dbg.resolve(Expression[[tg.seg, :<<, 4], :+, tg.addr])
+			break true
+		end
+	when 'retf.i16'
+		# XXX really ss:esp, but we'd need to fix push/pop etc too, so keep to 0:esp for now
+		w1 = dbg.memory_read_int(:esp, 2)
+		dbg.set_reg_value(:esp, dbg.resolve(Expression[:esp, :+, 2]))
+		w2 = dbg.memory_read_int(:esp, 2)
+		dbg.set_reg_value(:esp, dbg.resolve(Expression[:esp, :+, 2]))
+		dbg.set_reg_value(:cs, w2)
+		dbg.pc = dbg.resolve(Expression[[w2, :<<, 4], :+, w1])
+		break true
+	when 'ret'
+		w1 = dbg.memory_read_int(:esp, 2)
+		dbg.set_reg_value(:esp, dbg.resolve(Expression[:esp, :+, 2]))
+		dbg.pc = dbg.resolve(Expression[[:cs, :<<, 4], :+, w1])
+		break true
+	when 'lodsb'
+		# read from ds:si instead of 0:esi
+		# XXX rep
+		dbg.set_reg_value(:eax, dbg.resolve(Expression[[:eax, :&, 0xffffff00], :|, Indirection[[[:ds, :<<, 4], :+, [:esi, :&, 0xffff]], 1]]))
+		dbg.set_reg_value(:esi, dbg.resolve(Expression[[:esi, :&, 0xffff0000], :|, [[:esi, :&, 0xffff], :+, 1]]))
+		dbg.pc += di.bin_length
+		true
+	when 'lodsd'
+		# read from ds:si instead of 0:esi
+		# XXX rep
+		dbg.set_reg_value(:eax, dbg.resolve(Expression[Indirection[[[:ds, :<<, 4], :+, [:esi, :&, 0xffff]], 4]]))
+		dbg.set_reg_value(:esi, dbg.resolve(Expression[[:esi, :&, 0xffff0000], :|, [[:esi, :&, 0xffff], :+, 4]]))
+		dbg.pc += di.bin_length
+		true
+	when 'stosd'
+		# write to es:di instead of 0:edi
+		# XXX rep
+		dbg.memory_write_int(Expression[[:es, :<<, 4], :+, [:edi, :&, 0xffff]], :eax, 4)
+		dbg.set_reg_value(:edi, dbg.resolve(Expression[[:edi, :&, 0xffff0000], :|, [[:edi, :&, 0xffff], :+, 4]]))
+		dbg.pc += di.bin_length
+		true
+	when /movs([bwdq])/
+		sz = { 'b' => 1, 'w' => 2, 'd' => 4, 'q' => 8 }[$1]
+		# XXX repz
+		if di.instruction.prefix[:rep]
+			count = dbg[:ecx] & 0xffff
+		else
+			count = 1
+		end
+		count.times {
+			val = dbg.resolve(Expression[Indirection[[[:ds, :<<, 4], :+, [:esi, :&, 0xffff]], sz]])
+			dbg.memory_write_int(Expression[[:es, :<<, 4], :+, [:edi, :&, 0xffff]], val, sz)
+			dbg[:esi] = (dbg[:esi] + sz) & 0xffff
+			dbg[:edi] = (dbg[:edi] + sz) & 0xffff
+			dbg[:ecx] -= 1 if di.instruction.prefix[:rep]
+		}
+		dbg.pc += di.bin_length
+		true
+	when 'les'
+		dst = di.instruction.args[0].symbolic(di)
+		dst = dst.externals.first if dst.kind_of?(Expression)
+		src = di.instruction.args[1].symbolic(di)
+		dbg.set_reg_value(dst, dbg.resolve(Indirection[[[:es, :<<, 4], :+, src.pointer], 2]))
+		dbg.pc += di.bin_length
+		true
+	when 'div'
+		op = di.instruction.args[0].symbolic(di)
+		sz = op.kind_of?(Expression) ? { 0xff => 1, 0xffff => 2 }[op.rexpr] : 4
+		dv = dbg.resolve(op)
+		case sz
+		when 1
+			dv2 = dbg[:eax] & 0xffff
+			dbg[:eax] = ((dv2 / dv) & 0xff) | (((dv2 % dv) & 0xff) << 8)
+		when 2
+			dv2 = ((dbg[:edx] & 0xffff) << 16) | (dbg[:eax] & 0xffff)
+			dbg[:eax] = (dv2 / dv) & 0xffff
+			dbg[:edx] = (dv2 % dv) & 0xffff
+		when 4
+			dv2 = (dbg[:edx] << 32) | dbg[:eax]
+			dbg[:eax] = (dv2 / dv)
+			dbg[:edx] = (dv2 % dv)
+		end
+		dbg.pc += di.bin_length
+		true
+	when 'loop'
+		# movzx ecx, cx
+		dbg.set_reg_value(:ecx, dbg.resolve(Expression[:ecx, :&, 0xffff]))
+		false
+	when 'int'
+		intnr = di.instruction.args.first.reduce
+		eax = dbg[:eax]
+		ah = (eax >> 8) & 0xff
+		al = eax & 0xff
+		case intnr
+		when 0x10
+			# print screen interrupt
+			$screenbuf ||= []
+			$screenx ||= 0
+			$screeny ||= 0
+			case ah
+			when 0x00
+				$screenbuf = []
+				$screenx = 0
+				$screeny = 0
+			when 0x02
+				dh = (dbg[:edx] >> 8) & 0xff
+				dl = dbg[:edx] & 0xff
+				puts_trace "movc(#{dh}, #{dl})"
+				puts $screenbuf
+				$screenx = dl
+				$screeny = dh
+			when 0x0e
+				puts_trace "putc(#{[al].pack('C*').inspect})"
+				$screenbuf << '' until $screenbuf.length > $screeny
+				$screenbuf[$screeny] << '.' until $screenbuf[$screeny].length > $screenx
+				$screenbuf[$screeny][$screenx, 1] = [al].pack('C*')
+				$screenx += 1
+			else
+				puts_trace "unk int #{'%02xh' % intnr} #{'%02x' % ah}"
+			end
+		when 0x13
+			# read disk interrupt
+			drive_nr = dbg[:edx] & 0xff
+			case ah
+			when 0x00
+				dbg.unset_flag(:c)
+				puts_trace "reset_disk_drive #{'%x' % drive_nr}"
+			when 0x02
+				sect_cnt = al
+				sect_c = ((dbg[:ecx] >> 8) & 0xff) | ((dbg[:ecx] << 2) & 0x300)
+				sect_h = (dbg[:edx] >> 8) & 0xff
+				sect_s = (dbg[:ecx] & 0x3f)
+				sect_lba = (sect_c * 16 + sect_h) * 63 + sect_s - 1
+				sect_drv = dbg[:edx] & 0xff
+				dst_addr = dbg[:es] * 16 + dbg[:ebx]
+				puts_trace "read #{sect_cnt} sect at #{'%03X:%02X:%02X' % [sect_c, sect_h, sect_s]} (#{'0x%X' % sect_lba}) to #{'0x%X' % dst_addr} drv #{'%x' % drive_nr}"
+				read_sector(dst_addr, sect_lba * 512, sect_cnt * 512)
+			when 0x08
+				dbg.unset_flag(:c)
+				dbg[:eax] = 0		# ah = return code
+				dbg[:ebx] = 0		# bl = drive type
+				dbg[:ecx] = 0x1010	# ch = cyl_max, cl >> 6 = cyl_max_hi, cl & 3f = sector_per_track
+				dbg[:edx] = 0x1001	# dh = head_max, dl = nr_of_drives
+				puts_trace "read_drive_parameters #{'%x' % drive_nr}"
+			when 0x41
+				dbg.unset_flag(:c)
+				dbg[:ebx] = 0xaa55
+				dbg[:ecx] = 1		# 1: device access through packet structure (cf 42), 2: lock & eject, 4: enhanced drive support
+				puts_trace "drive_check_extension_present #{'%x' % drive_nr}"
+			when 0x42
+				sect_cnt = dbg.memory_read_int(Expression[[:ds, :<<, 4], :+, [[:esi, :+, 2], :&, 0xffff]], 2)
+				dst_addr = dbg.memory_read_int(Expression[[:ds, :<<, 4], :+, [[:esi, :+, 4], :&, 0xffff]], 2)
+				dst_seg  = dbg.memory_read_int(Expression[[:ds, :<<, 4], :+, [[:esi, :+, 6], :&, 0xffff]], 2)
+				sect_lba = dbg.memory_read_int(Expression[[:ds, :<<, 4], :+, [[:esi, :+, 8], :&, 0xffff]], 8)
+				dst_addr += dst_seg << 4
+				puts_trace "read extended #{sect_cnt} sect at #{'0x%X' % sect_lba} to #{'0x%X' % dst_addr} drv #{'%x' % drive_nr}"
+				read_sector(dst_addr, sect_lba * 512, sect_cnt * 512)
+			else
+				puts_trace "unk int #{'%02xh' % intnr} #{'%02x' % ah}"
+			end
+		when 0x16
+			# read keyboard interrupt
+			case ah
+			when 0x00
+				al = $stdin_buf.unpack('C').first || 0
+				$stdin_buf[0, 1] = ''
+				dbg[:eax] = al
+				puts_trace "getc => #{[al].pack('C*').inspect}"
+			else
+				puts_trace "unk int #{'%02xh' % intnr} #{'%02x' % ah}"
+			end
+		else
+			puts_trace "unk int #{'%02xh' % intnr} #{'%02x' % ah}"
+		end
+		dbg.pc += di.bin_length
+		true
+	end
+}
+
+# Start the GUI
+Gui::DbgWindow.new.display(dbg)
+# some pretty settings for the initial view
+dbg.gui.run_command('wd 16')
+dbg.gui.run_command('wp 6')
+dbg.gui.parent.code.toggle_view(:graph)
+
+Gui.main