RubyGems - metasm - Versions diffs - 1.0.0 - Mend

metasm 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

data/BUGS +11 -0
data/CREDITS +17 -0
data/README +270 -0
data/TODO +114 -0
data/doc/code_organisation.txt +146 -0
data/doc/const_missing.txt +16 -0
data/doc/core_classes.txt +75 -0
data/doc/feature_list.txt +53 -0
data/doc/index.txt +59 -0
data/doc/install_notes.txt +170 -0
data/doc/style.css +3 -0
data/doc/use_cases.txt +18 -0
data/lib/metasm.rb +80 -0
data/lib/metasm/arm.rb +12 -0
data/lib/metasm/arm/debug.rb +39 -0
data/lib/metasm/arm/decode.rb +167 -0
data/lib/metasm/arm/encode.rb +77 -0
data/lib/metasm/arm/main.rb +75 -0
data/lib/metasm/arm/opcodes.rb +177 -0
data/lib/metasm/arm/parse.rb +130 -0
data/lib/metasm/arm/render.rb +55 -0
data/lib/metasm/compile_c.rb +1457 -0
data/lib/metasm/dalvik.rb +8 -0
data/lib/metasm/dalvik/decode.rb +196 -0
data/lib/metasm/dalvik/main.rb +60 -0
data/lib/metasm/dalvik/opcodes.rb +366 -0
data/lib/metasm/decode.rb +213 -0
data/lib/metasm/decompile.rb +2659 -0
data/lib/metasm/disassemble.rb +2068 -0
data/lib/metasm/disassemble_api.rb +1280 -0
data/lib/metasm/dynldr.rb +1329 -0
data/lib/metasm/encode.rb +333 -0
data/lib/metasm/exe_format/a_out.rb +194 -0
data/lib/metasm/exe_format/autoexe.rb +82 -0
data/lib/metasm/exe_format/bflt.rb +189 -0
data/lib/metasm/exe_format/coff.rb +455 -0
data/lib/metasm/exe_format/coff_decode.rb +901 -0
data/lib/metasm/exe_format/coff_encode.rb +1078 -0
data/lib/metasm/exe_format/dex.rb +457 -0
data/lib/metasm/exe_format/dol.rb +145 -0
data/lib/metasm/exe_format/elf.rb +923 -0
data/lib/metasm/exe_format/elf_decode.rb +979 -0
data/lib/metasm/exe_format/elf_encode.rb +1375 -0
data/lib/metasm/exe_format/macho.rb +827 -0
data/lib/metasm/exe_format/main.rb +228 -0
data/lib/metasm/exe_format/mz.rb +164 -0
data/lib/metasm/exe_format/nds.rb +172 -0
data/lib/metasm/exe_format/pe.rb +437 -0
data/lib/metasm/exe_format/serialstruct.rb +246 -0
data/lib/metasm/exe_format/shellcode.rb +114 -0
data/lib/metasm/exe_format/xcoff.rb +167 -0
data/lib/metasm/gui.rb +23 -0
data/lib/metasm/gui/cstruct.rb +373 -0
data/lib/metasm/gui/dasm_coverage.rb +199 -0
data/lib/metasm/gui/dasm_decomp.rb +369 -0
data/lib/metasm/gui/dasm_funcgraph.rb +103 -0
data/lib/metasm/gui/dasm_graph.rb +1354 -0
data/lib/metasm/gui/dasm_hex.rb +543 -0
data/lib/metasm/gui/dasm_listing.rb +599 -0
data/lib/metasm/gui/dasm_main.rb +906 -0
data/lib/metasm/gui/dasm_opcodes.rb +291 -0
data/lib/metasm/gui/debug.rb +1228 -0
data/lib/metasm/gui/gtk.rb +884 -0
data/lib/metasm/gui/qt.rb +495 -0
data/lib/metasm/gui/win32.rb +3004 -0
data/lib/metasm/gui/x11.rb +621 -0
data/lib/metasm/ia32.rb +14 -0
data/lib/metasm/ia32/compile_c.rb +1523 -0
data/lib/metasm/ia32/debug.rb +193 -0
data/lib/metasm/ia32/decode.rb +1167 -0
data/lib/metasm/ia32/decompile.rb +564 -0
data/lib/metasm/ia32/encode.rb +314 -0
data/lib/metasm/ia32/main.rb +233 -0
data/lib/metasm/ia32/opcodes.rb +872 -0
data/lib/metasm/ia32/parse.rb +327 -0
data/lib/metasm/ia32/render.rb +91 -0
data/lib/metasm/main.rb +1193 -0
data/lib/metasm/mips.rb +11 -0
data/lib/metasm/mips/compile_c.rb +7 -0
data/lib/metasm/mips/decode.rb +253 -0
data/lib/metasm/mips/encode.rb +51 -0
data/lib/metasm/mips/main.rb +72 -0
data/lib/metasm/mips/opcodes.rb +443 -0
data/lib/metasm/mips/parse.rb +51 -0
data/lib/metasm/mips/render.rb +43 -0
data/lib/metasm/os/gnu_exports.rb +270 -0
data/lib/metasm/os/linux.rb +1112 -0
data/lib/metasm/os/main.rb +1686 -0
data/lib/metasm/os/remote.rb +527 -0
data/lib/metasm/os/windows.rb +2027 -0
data/lib/metasm/os/windows_exports.rb +745 -0
data/lib/metasm/parse.rb +876 -0
data/lib/metasm/parse_c.rb +3938 -0
data/lib/metasm/pic16c/decode.rb +42 -0
data/lib/metasm/pic16c/main.rb +17 -0
data/lib/metasm/pic16c/opcodes.rb +68 -0
data/lib/metasm/ppc.rb +11 -0
data/lib/metasm/ppc/decode.rb +264 -0
data/lib/metasm/ppc/decompile.rb +251 -0
data/lib/metasm/ppc/encode.rb +51 -0
data/lib/metasm/ppc/main.rb +129 -0
data/lib/metasm/ppc/opcodes.rb +410 -0
data/lib/metasm/ppc/parse.rb +52 -0
data/lib/metasm/preprocessor.rb +1277 -0
data/lib/metasm/render.rb +130 -0
data/lib/metasm/sh4.rb +8 -0
data/lib/metasm/sh4/decode.rb +336 -0
data/lib/metasm/sh4/main.rb +292 -0
data/lib/metasm/sh4/opcodes.rb +381 -0
data/lib/metasm/x86_64.rb +12 -0
data/lib/metasm/x86_64/compile_c.rb +1025 -0
data/lib/metasm/x86_64/debug.rb +59 -0
data/lib/metasm/x86_64/decode.rb +268 -0
data/lib/metasm/x86_64/encode.rb +264 -0
data/lib/metasm/x86_64/main.rb +135 -0
data/lib/metasm/x86_64/opcodes.rb +118 -0
data/lib/metasm/x86_64/parse.rb +68 -0
data/misc/bottleneck.rb +61 -0
data/misc/cheader-findpppath.rb +58 -0
data/misc/hexdiff.rb +74 -0
data/misc/hexdump.rb +55 -0
data/misc/metasm-all.rb +13 -0
data/misc/objdiff.rb +47 -0
data/misc/objscan.rb +40 -0
data/misc/pdfparse.rb +661 -0
data/misc/ppc_pdf2oplist.rb +192 -0
data/misc/tcp_proxy_hex.rb +84 -0
data/misc/txt2html.rb +440 -0
data/samples/a.out.rb +31 -0
data/samples/asmsyntax.rb +77 -0
data/samples/bindiff.rb +555 -0
data/samples/compilation-steps.rb +49 -0
data/samples/cparser_makestackoffset.rb +55 -0
data/samples/dasm-backtrack.rb +38 -0
data/samples/dasmnavig.rb +318 -0
data/samples/dbg-apihook.rb +228 -0
data/samples/dbghelp.rb +143 -0
data/samples/disassemble-gui.rb +102 -0
data/samples/disassemble.rb +133 -0
data/samples/dump_upx.rb +95 -0
data/samples/dynamic_ruby.rb +1929 -0
data/samples/elf_list_needed.rb +46 -0
data/samples/elf_listexports.rb +33 -0
data/samples/elfencode.rb +25 -0
data/samples/exeencode.rb +128 -0
data/samples/factorize-headers-elfimports.rb +77 -0
data/samples/factorize-headers-peimports.rb +109 -0
data/samples/factorize-headers.rb +43 -0
data/samples/gdbclient.rb +583 -0
data/samples/generate_libsigs.rb +102 -0
data/samples/hotfix_gtk_dbg.rb +59 -0
data/samples/install_win_env.rb +78 -0
data/samples/lindebug.rb +924 -0
data/samples/linux_injectsyscall.rb +95 -0
data/samples/machoencode.rb +31 -0
data/samples/metasm-shell.rb +91 -0
data/samples/pe-hook.rb +69 -0
data/samples/pe-ia32-cpuid.rb +203 -0
data/samples/pe-mips.rb +35 -0
data/samples/pe-shutdown.rb +78 -0
data/samples/pe-testrelocs.rb +51 -0
data/samples/pe-testrsrc.rb +24 -0
data/samples/pe_listexports.rb +31 -0
data/samples/peencode.rb +19 -0
data/samples/peldr.rb +494 -0
data/samples/preprocess-flatten.rb +19 -0
data/samples/r0trace.rb +308 -0
data/samples/rubstop.rb +399 -0
data/samples/scan_pt_gnu_stack.rb +54 -0
data/samples/scanpeexports.rb +62 -0
data/samples/shellcode-c.rb +40 -0
data/samples/shellcode-dynlink.rb +146 -0
data/samples/source.asm +34 -0
data/samples/struct_offset.rb +47 -0
data/samples/testpe.rb +32 -0
data/samples/testraw.rb +45 -0
data/samples/win32genloader.rb +132 -0
data/samples/win32hooker-advanced.rb +169 -0
data/samples/win32hooker.rb +96 -0
data/samples/win32livedasm.rb +33 -0
data/samples/win32remotescan.rb +133 -0
data/samples/wintrace.rb +92 -0
data/tests/all.rb +8 -0
data/tests/dasm.rb +39 -0
data/tests/dynldr.rb +35 -0
data/tests/encodeddata.rb +132 -0
data/tests/ia32.rb +82 -0
data/tests/mips.rb +116 -0
data/tests/parse_c.rb +239 -0
data/tests/preprocessor.rb +269 -0
data/tests/x86_64.rb +62 -0
metadata +255 -0

data/lib/metasm/exe_format/coff_decode.rb ADDED

@@ -0,0 +1,901 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+require 'metasm/decode'
+require 'metasm/exe_format/coff' unless defined? Metasm::COFF
+module Metasm
+class COFF
+	class OptionalHeader
+		decode_hook(:entrypoint) { |coff, ohdr|
+			coff.bitsize = (ohdr.signature == 'PE+' ? 64 : 32)
+		}
+		# decodes a COFF optional header from coff.cursection
+		# also decodes directories in coff.directory
+		def decode(coff)
+			return set_default_values(coff) if coff.header.size_opthdr == 0
+			super(coff)
+			nrva = @numrva
+			if @numrva > DIRECTORIES.length
+				puts "W: COFF: Invalid directories count #{@numrva}" if $VERBOSE
+				nrva = DIRECTORIES.length
+			end
+			coff.directory = {}
+			DIRECTORIES[0, nrva].each { |dir|
+				rva = coff.decode_word
+				sz  = coff.decode_word
+				if rva != 0 or sz != 0
+					coff.directory[dir] = [rva, sz]
+				end
+			}
+		end
+	end
+	class Symbol
+		def decode(coff, strtab='')
+			n0, n1 = coff.decode_word, coff.decode_word
+			coff.encoded.ptr -= 8
+			super(coff)
+			if n0 == 0 and ne = strtab.index(?\0, n1)
+				@name = strtab[n1...ne]
+			end
+			return if @nr_aux == 0
+			@aux = []
+			@nr_aux.times { @aux << coff.encoded.read(18) }
+		end
+	end
+	class Section
+		def decode(coff)
+			super(coff)
+			coff.decode_section_body(self)
+		end
+	end
+	class RelocObj
+		def decode(coff)
+			super(coff)
+			@sym = coff.symbols[@symidx]
+		end
+	end
+	class ExportDirectory
+		# decodes a COFF export table from coff.cursection
+		def decode(coff)
+			super(coff)
+			if coff.sect_at_rva(@libname_p)
+				@libname = coff.decode_strz
+			end
+			if coff.sect_at_rva(@func_p)
+				@exports = []
+				addrs = []
+				@num_exports.times { addrs << coff.decode_word }
+				@num_exports.times { |i|
+					e = Export.new
+					e.ordinal = i + @ordinal_base
+					addr = addrs[i]
+					if addr >= coff.directory['export_table'][0] and addr < coff.directory['export_table'][0] + coff.directory['export_table'][1] and coff.sect_at_rva(addr)
+						name = coff.decode_strz
+						e.forwarder_lib, name = name.split('.', 2)
+						if name[0] == ?#
+							e.forwarder_ordinal = name[1..-1].to_i
+						else
+							e.forwarder_name = name
+						end
+					else
+						e.target = e.target_rva = addr
+					end
+					@exports << e
+				}
+			end
+			if coff.sect_at_rva(@names_p)
+				namep = []
+				num_names.times { namep << coff.decode_word }
+			end
+			if coff.sect_at_rva(@ord_p)
+				ords = []
+				num_names.times { ords << coff.decode_half }
+			end
+			if namep and ords
+				namep.zip(ords).each { |np, oi|
+					@exports[oi].name_p = np
+					if coff.sect_at_rva(np)
+						@exports[oi].name = coff.decode_strz
+					end
+				}
+			end
+		end
+	end
+	class ImportDirectory
+		# decodes all COFF import directories from coff.cursection
+		def self.decode_all(coff)
+			ret = []
+			loop do
+				idata = decode(coff)
+				break if [idata.ilt_p, idata.libname_p].uniq == [0]
+				ret << idata
+			end
+			ret.each { |idata| idata.decode_inner(coff) }
+			ret
+		end
+		# decode the tables referenced
+		def decode_inner(coff)
+			if coff.sect_at_rva(@libname_p)
+				@libname = coff.decode_strz
+			end
+			if coff.sect_at_rva(@ilt_p) || coff.sect_at_rva(@iat_p)
+				addrs = []
+				while (a_ = coff.decode_xword) != 0
+					addrs << a_
+				end
+				@imports = []
+				ord_mask = 1 << (coff.bitsize-1)
+				addrs.each { |a|
+					i = Import.new
+					if (a & ord_mask) != 0
+						i.ordinal = a & (~ord_mask)
+					else
+						i.hintname_p = a
+						if coff.sect_at_rva(a)
+							i.hint = coff.decode_half
+							i.name = coff.decode_strz
+						end
+					end
+					@imports << i
+				}
+			end
+			if coff.sect_at_rva(@iat_p)
+				@iat = []
+				while (a = coff.decode_xword) != 0
+					@iat << a
+				end
+			end
+		end
+	end
+	class ResourceDirectory
+		def decode(coff, edata = coff.curencoded, startptr = edata.ptr)
+			super(coff, edata)
+			@entries = []
+			nrnames = @nr_names if $DEBUG
+			(@nr_names+@nr_id).times {
+ 				e = Entry.new
+ 				e_id = coff.decode_word(edata)
+ 				e_ptr = coff.decode_word(edata)
+				if not e_id.kind_of? Integer or not e_ptr.kind_of? Integer
+					puts 'W: COFF: relocs in the rsrc directory?' if $VERBOSE
+					next
+				end
+				tmp = edata.ptr
+				if (e_id >> 31) == 1
+					if $DEBUG
+						nrnames -= 1
+						puts "W: COFF: rsrc has invalid id #{e_id}" if nrnames < 0
+					end
+					e.name_p = e_id & 0x7fff_ffff
+					edata.ptr = startptr + e.name_p
+					namelen = coff.decode_half(edata)
+					e.name_w = edata.read(2*namelen)
+					if (chrs = e.name_w.unpack('v*')).all? { |c| c >= 0 and c <= 255 }
+						e.name = chrs.pack('C*')
+					end
+				else
+					if $DEBUG
+						puts "W: COFF: rsrc has invalid id #{e_id}" if nrnames > 0
+					end
+					e.id = e_id
+				end
+				if (e_ptr >> 31) == 1	# subdir
+					e.subdir_p = e_ptr & 0x7fff_ffff
+					if startptr + e.subdir_p >= edata.length
+						puts 'W: COFF: invalid resource structure: directory too far' if $VERBOSE
+					else
+						edata.ptr = startptr + e.subdir_p
+						e.subdir = ResourceDirectory.new
+						e.subdir.decode coff, edata, startptr
+					end
+				else
+					e.dataentry_p = e_ptr
+					edata.ptr = startptr + e.dataentry_p
+					e.data_p = coff.decode_word(edata)
+					sz = coff.decode_word(edata)
+					e.codepage = coff.decode_word(edata)
+					e.reserved = coff.decode_word(edata)
+					if coff.sect_at_rva(e.data_p)
+						e.data = coff.curencoded.read(sz)
+					else
+						puts 'W: COFF: invalid resource body offset' if $VERBOSE
+						break
+					end
+				end
+				edata.ptr = tmp
+				@entries << e
+			}
+		end
+		def decode_version(coff, lang=nil)
+			vers = {}
+			decode_tllv = lambda { |ed, state|
+				sptr = ed.ptr
+				len, vlen, type = coff.decode_half(ed), coff.decode_half(ed), coff.decode_half(ed)
+				tagname = ''
+				while c = coff.decode_half(ed) and c != 0
+					tagname << (c&255)
+				end
+				ed.ptr = (ed.ptr + 3) / 4 * 4
+				case state
+				when 0
+					raise if tagname != 'VS_VERSION_INFO'
+					dat = ed.read(vlen)
+					dat.unpack('V*').zip([:signature, :strucversion, :fileversionm, :fileversionl, :prodversionm, :prodversionl, :fileflagsmask, :fileflags, :fileos, :filetype, :filesubtype, :filedatem, :filedatel]) { |v, k| vers[k] = v }
+					raise if vers[:signature] != 0xfeef04bd
+					vers.delete :signature
+					vers[:fileversion] = (vers.delete(:fileversionm) << 32) | vers.delete(:fileversionl)
+					vers[:prodversion] = (vers.delete(:prodversionm) << 32) | vers.delete(:prodversionl)
+					vers[:filedate] = (vers.delete(:filedatem) << 32) | vers.delete(:filedatel)
+					nstate = 1
+				when 1
+					nstate = case tagname
+					when 'StringFileInfo'; :strtable
+					when 'VarFileInfo'; :var
+					else raise
+					end
+				when :strtable
+					nstate = :str
+				when :str
+					val = ed.read(vlen*2).unpack('v*')
+					val.pop if val[-1] == 0
+					val = val.pack('C*') if val.all? { |c_| c_ > 0 and  c_ < 256 }
+					vers[tagname] = val
+				when :var
+					val = ed.read(vlen).unpack('V*')
+					vers[tagname] = val
+				end
+				ed.ptr = (ed.ptr + 3) / 4 * 4
+				len = ed.length-sptr if len > ed.length-sptr
+				while ed.ptr < sptr+len
+					decode_tllv[ed, nstate]
+					ed.ptr = (ed.ptr + 3) / 4 * 4
+				end
+			}
+			return if not e = @entries.find { |e_| e_.id == TYPE.index('VERSION') }
+			e = e.subdir.entries.first.subdir
+			e = e.entries.find { |e_| e_.id == lang } || e.entries.first
+			ed = EncodedData.new(e.data)
+			decode_tllv[ed, 0]
+			vers
+		#rescue
+		end
+	end
+	class RelocationTable
+		# decodes a relocation table from coff.encoded.ptr
+		def decode(coff)
+			super(coff)
+			len = coff.decode_word
+			len -= 8
+			if len < 0 or len % 2 != 0
+				puts "W: COFF: Invalid relocation table length #{len+8}" if $VERBOSE
+				coff.curencoded.read(len) if len > 0
+				@relocs = []
+				return
+			end
+			@relocs = coff.curencoded.read(len).unpack(coff.endianness == :big ? 'n*' : 'v*').map { |r| Relocation.new(r&0xfff, r>>12) }
+			#(len/2).times { @relocs << Relocation.decode(coff) }	# tables may be big, this is too slow
+		end
+	end
+	class TLSDirectory
+		def decode(coff)
+			super(coff)
+			if coff.sect_at_va(@callback_p)
+				@callbacks = []
+				while (ptr = coff.decode_xword) != 0
+					# __stdcall void (*ptr)(void* dllhandle, dword reason, void* reserved)
+					# (same as dll entrypoint)
+					@callbacks << (ptr - coff.optheader.image_base)
+				end
+			end
+		end
+	end
+	class LoadConfig
+		def decode(coff)
+			super(coff)
+			if @sehcount >= 0 and @sehcount < 100 and (@signature == 0x40 or @signature == 0x48) and coff.sect_at_va(@sehtable_p)
+				@safeseh = []
+				@sehcount.times { @safeseh << coff.decode_xword }
+			end
+		end
+	end
+	class DelayImportDirectory
+		def self.decode_all(coff)
+			ret = []
+			loop do
+				didata = decode(coff)
+				break if [didata.libname_p, didata.handle_p, didata.iat_p].uniq == [0]
+				ret << didata
+			end
+			ret.each { |didata| didata.decode_inner(coff) }
+			ret
+		end
+		def decode_inner(coff)
+			if coff.sect_at_rva(@libname_p)
+				@libname = coff.decode_strz
+			end
+			# TODO
+		end
+	end
+	class Cor20Header
+		def decode_all(coff)
+			if coff.sect_at_rva(@metadata_rva)
+				@metadata = coff.curencoded.read(@metadata_sz)
+			end
+			if coff.sect_at_rva(@resources_rva)
+				@resources = coff.curencoded.read(@resources_sz)
+			end
+			if coff.sect_at_rva(@strongnamesig_rva)
+				@strongnamesig = coff.curencoded.read(@strongnamesig_sz)
+			end
+			if coff.sect_at_rva(@codemgr_rva)
+				@codemgr = coff.curencoded.read(@codemgr_sz)
+			end
+			if coff.sect_at_rva(@vtfixup_rva)
+				@vtfixup = coff.curencoded.read(@vtfixup_sz)
+			end
+			if coff.sect_at_rva(@eatjumps_rva)
+				@eatjumps = coff.curencoded.read(@eatjumps_sz)
+			end
+			if coff.sect_at_rva(@managednativehdr_rva)
+				@managednativehdr = coff.curencoded.read(@managednativehdr_sz)
+			end
+		end
+	end
+	class DebugDirectory
+		def decode_inner(coff)
+			case @type
+			when 'CODEVIEW'
+				# XXX what is @pointer?
+				return if not coff.sect_at_rva(@addr)
+				sig = coff.curencoded.read(4)
+				case sig
+				when 'NB09'	# CodeView 4.10
+				when 'NB10'	# external pdb2.0
+					@data = NB10.decode(coff)
+				when 'NB11'	# CodeView 5.0
+				when 'RSDS'	# external pdb7.0
+					@data = RSDS.decode(coff)
+				end
+			end
+		end
+	end
+	attr_accessor :cursection
+	def curencoded
+		@cursection.encoded
+	end
+	def decode_byte( edata = curencoded) ; edata.decode_imm(:u8,  @endianness) end
+	def decode_half( edata = curencoded) ; edata.decode_imm(:u16, @endianness) end
+	def decode_word( edata = curencoded) ; edata.decode_imm(:u32, @endianness) end
+	def decode_xword(edata = curencoded) ; edata.decode_imm((@bitsize == 32 ? :u32 : :u64), @endianness) end
+	def decode_strz( edata = curencoded) ; super(edata) ; end
+	# converts an RVA (offset from base address of file when loaded in memory) to the section containing it using the section table
+	# updates @cursection and @cursection.encoded.ptr to point to the specified address
+	# may return self when rva points to the coff header
+	# returns nil if none match, 0 never matches
+	def sect_at_rva(rva)
+		return if not rva or rva <= 0
+		if sections and not @sections.empty?
+			valign = lambda { |l| EncodedData.align_size(l, @optheader.sect_align) }
+			if s = @sections.find { |s_| s_.virtaddr <= rva and s_.virtaddr + valign[s_.virtsize] > rva }
+				s.encoded.ptr = rva - s.virtaddr
+				@cursection = s
+			elsif rva < @sections.map { |s_| s_.virtaddr }.min
+				@encoded.ptr = rva
+				@cursection = self
+			end
+		elsif rva <= @encoded.length
+			@encoded.ptr = rva
+			@cursection = self
+		end
+	end
+	def sect_at_va(va)
+		sect_at_rva(va - @optheader.image_base)
+	end
+	def label_rva(name)
+		if name.kind_of? Integer
+			name
+		elsif s = @sections.find { |s_| s_.encoded.export[name] }
+			s.virtaddr + s.encoded.export[name]
+		else
+		       @encoded.export[name]
+		end
+	end
+	# address -> file offset
+	# handles LoadedPE
+	def addr_to_fileoff(addr)
+		addr -= @load_address ||= @optheader.image_base
+		return 0 if addr == 0	# sect_at_rva specialcases 0
+		if s = sect_at_rva(addr)
+			if s.respond_to? :virtaddr
+				addr - s.virtaddr + s.rawaddr
+			else	# header
+				addr
+			end
+		end
+	end
+	# file offset -> memory address
+	# handles LoadedPE
+	def fileoff_to_addr(foff)
+		if s = @sections.find { |s_| s_.rawaddr <= foff and s_.rawaddr + s_.rawsize > foff }
+			s.virtaddr + foff - s.rawaddr + (@load_address ||= @optheader.image_base)
+		elsif foff >= 0 and foff < @optheader.headers_size
+			foff + (@load_address ||= @optheader.image_base)
+		end
+	end
+	def each_section
+		if @header.size_opthdr == 0
+			@sections.each { |s|
+				next if not s.encoded
+				l = new_label(s.name)
+				s.encoded.add_export(l, 0)
+				yield s.encoded, l
+			}
+			return
+		end
+		base = @optheader.image_base
+		base = 0 if not base.kind_of? Integer
+		yield @encoded[0, @optheader.headers_size], base
+		@sections.each { |s| yield s.encoded, base + s.virtaddr }
+	end
+	# decodes the COFF header, optional header, section headers
+	# marks entrypoint and directories as edata.expord
+	def decode_header
+		@cursection ||= self
+		@encoded.ptr ||= 0
+		@sections = []
+		@header.decode(self)
+		optoff = @encoded.ptr
+		@optheader.decode(self)
+		decode_symbols if @header.num_sym != 0 and not @header.characteristics.include? 'DEBUG_STRIPPED'
+		curencoded.ptr = optoff + @header.size_opthdr
+		decode_sections
+		if sect_at_rva(@optheader.entrypoint)
+			curencoded.add_export new_label('entrypoint')
+		end
+		(DIRECTORIES - ['certificate_table']).each { |d|
+			if @directory[d] and sect_at_rva(@directory[d][0])
+				curencoded.add_export new_label(d)
+			end
+		}
+	end
+	# decode the COFF symbol table (obj only)
+	def decode_symbols
+		endptr = @encoded.ptr = @header.ptr_sym + 18*@header.num_sym
+		strlen = decode_word
+		@encoded.ptr = endptr
+		strtab = @encoded.read(strlen)
+		@encoded.ptr = @header.ptr_sym
+		@symbols = []
+		@header.num_sym.times {
+			break if @encoded.ptr >= endptr or @encoded.ptr >= @encoded.length
+			@symbols << Symbol.decode(self, strtab)
+			# keep the reloc.sym_idx accurate
+			@symbols.last.nr_aux.times { @symbols << nil }
+		}
+	end
+	# decode the COFF sections
+	def decode_sections
+		@header.num_sect.times {
+			@sections << Section.decode(self)
+		}
+		# now decode COFF object relocations
+		@sections.each { |s|
+			next if s.relocnr == 0
+			curencoded.ptr = s.relocaddr
+			s.relocs = []
+			s.relocnr.times { s.relocs << RelocObj.decode(self) }
+			new_label 'pcrel'
+			s.relocs.each { |r|
+				case r.type
+				when 'DIR32'
+					s.encoded.reloc[r.va] = Metasm::Relocation.new(Expression[r.sym.name], :u32, @endianness)
+				when 'REL32'
+					l = new_label('pcrel')
+					s.encoded.add_export(l, r.va+4)
+					s.encoded.reloc[r.va] = Metasm::Relocation.new(Expression[r.sym.name, :-, l], :u32, @endianness)
+				end
+			}
+		} if not @header.characteristics.include?('RELOCS_STRIPPED')
+		symbols.to_a.compact.each { |sym|
+			next if not sym.sec_nr.kind_of? Integer
+			next if sym.storage != 'EXTERNAL' and (sym.storage != 'STATIC' or sym.value == 0)
+			next if not s = @sections[sym.sec_nr-1]
+			s.encoded.add_export new_label(sym.name), sym.value
+		}
+	end
+	# decodes a section content (allows simpler LoadedPE override)
+	def decode_section_body(s)
+		raw = EncodedData.align_size(s.rawsize, @optheader.file_align)
+		virt = EncodedData.align_size(s.virtsize, @optheader.sect_align)
+		virt = raw = s.rawsize if @header.size_opthdr == 0
+		s.encoded = @encoded[s.rawaddr, [raw, virt].min] || EncodedData.new
+		s.encoded.virtsize = virt
+	end
+	# decodes COFF export table from directory
+	# mark exported names as encoded.export
+	def decode_exports
+		if @directory['export_table'] and sect_at_rva(@directory['export_table'][0])
+			@export = ExportDirectory.decode(self)
+			@export.exports.to_a.each { |e|
+				if e.name and sect_at_rva(e.target)
+					name = e.name
+				elsif e.ordinal and sect_at_rva(e.target)
+					name = "ord_#{@export.libname}_#{e.ordinal}"
+				end
+				e.target = curencoded.add_export new_label(name) if name
+			}
+		end
+	end
+	# decodes COFF import tables from directory
+	# mark iat entries as encoded.export
+	def decode_imports
+		if @directory['import_table'] and sect_at_rva(@directory['import_table'][0])
+			@imports = ImportDirectory.decode_all(self)
+			iatlen = @bitsize/8
+			@imports.each { |id|
+				if sect_at_rva(id.iat_p)
+					ptr = curencoded.ptr
+					id.imports.each { |i|
+						if i.name
+							name = new_label i.name
+						elsif i.ordinal
+							name = new_label "ord_#{id.libname}_#{i.ordinal}"
+						end
+						if name
+							i.target ||= name
+							r = Metasm::Relocation.new(Expression[name], "u#@bitsize".to_sym, @endianness)
+							curencoded.reloc[ptr] = r
+							curencoded.add_export new_label('iat_'+name), ptr, true
+						end
+						ptr += iatlen
+					}
+				end
+			}
+		end
+	end
+	# decodes resources from directory
+	def decode_resources
+		if @directory['resource_table'] and sect_at_rva(@directory['resource_table'][0])
+			@resource = ResourceDirectory.decode(self)
+		end
+	end
+	# decode the VERSION information from the resources (file version, os, copyright etc)
+	def decode_version(lang=0x409)
+		decode_resources if not resource
+		resource.decode_version(self, lang)
+	end
+	# decodes certificate table
+	def decode_certificates
+		if ct = @directory['certificate_table']
+			@certificates = []
+			@cursection = self
+			@encoded.ptr = ct[0]
+			off_end = ct[0]+ct[1]
+			while @encoded.ptr < off_end
+				certlen = decode_word
+				certrev = decode_half
+				certtype = decode_half
+				certdat = @encoded.read(certlen)
+				@certificates << [certrev, certtype, certdat]
+			end
+		end
+	end
+	# decode the COM Cor20 header
+	def decode_com
+		if @directory['com_runtime'] and sect_at_rva(@directory['com_runtime'][0])
+			@com_header = Cor20Header.decode(self)
+			if sect_at_rva(@com_header.entrypoint)
+				curencoded.add_export new_label('com_entrypoint')
+			end
+			@com_header.decode_all(self)
+		end
+	end
+	# decode COFF relocation tables from directory
+	def decode_relocs
+		if @directory['base_relocation_table'] and sect_at_rva(@directory['base_relocation_table'][0])
+			end_ptr = curencoded.ptr + @directory['base_relocation_table'][1]
+			@relocations = []
+			while curencoded.ptr < end_ptr
+				@relocations << RelocationTable.decode(self)
+			end
+			# interpret as EncodedData relocations
+			relocfunc = ('decode_reloc_' << @header.machine.downcase).to_sym
+			if not respond_to? relocfunc
+				puts "W: COFF: unsupported relocs for architecture #{@header.machine}" if $VERBOSE
+				return
+			end
+			@relocations.each { |rt|
+				rt.relocs.each { |r|
+					if s = sect_at_rva(rt.base_addr + r.offset)
+						e, p = s.encoded, s.encoded.ptr
+						rel = send(relocfunc, r)
+						e.reloc[p] = rel if rel
+					end
+				}
+			}
+		end
+	end
+	# decodes an I386 COFF relocation pointing to encoded.ptr
+	def decode_reloc_i386(r)
+		case r.type
+		when 'ABSOLUTE'
+		when 'HIGHLOW'
+			addr = decode_word
+			if s = sect_at_va(addr)
+				label = label_at(s.encoded, s.encoded.ptr, "xref_#{Expression[addr]}")
+				Metasm::Relocation.new(Expression[label], :u32, @endianness)
+			end
+		when 'DIR64'
+			addr = decode_xword
+			if s = sect_at_va(addr)
+				label = label_at(s.encoded, s.encoded.ptr, "xref_#{Expression[addr]}")
+				Metasm::Relocation.new(Expression[label], :u64, @endianness)
+			end
+		else puts "W: COFF: Unsupported i386 relocation #{r.inspect}" if $VERBOSE
+		end
+	end
+	def decode_debug
+		if dd = @directory['debug'] and sect_at_rva(dd[0])
+			@debug = []
+			p0 = curencoded.ptr
+			while curencoded.ptr < p0 + dd[1]
+				@debug << DebugDirectory.decode(self)
+			end
+			@debug.each { |dbg| dbg.decode_inner(self) }
+		end
+	end
+	# decode TLS directory, including tls callback table
+	def decode_tls
+		if @directory['tls_table'] and sect_at_rva(@directory['tls_table'][0])
+			@tls = TLSDirectory.decode(self)
+		       	if s = sect_at_va(@tls.callback_p)
+				s.encoded.add_export 'tls_callback_table'
+				@tls.callbacks.each_with_index { |cb, i|
+					@tls.callbacks[i] = curencoded.add_export "tls_callback_#{i}" if sect_at_rva(cb)
+			       	}
+			end
+		end
+	end
+	def decode_loadconfig
+		if lc = @directory['load_config'] and sect_at_rva(lc[0])
+			@loadconfig = LoadConfig.decode(self)
+		end
+	end
+	def decode_delayimports
+		if di = @directory['delay_import_table'] and sect_at_rva(di[0])
+			@delayimports = DelayImportDirectory.decode_all(self)
+		end
+	end
+	# decodes a COFF file (headers/exports/imports/relocs/sections)
+	# starts at encoded.ptr
+	def decode
+		decode_header
+		decode_exports
+		decode_imports
+		decode_resources
+		decode_certificates
+		decode_debug
+		decode_tls
+		decode_loadconfig
+		decode_delayimports
+		decode_com
+		decode_relocs unless nodecode_relocs or ENV['METASM_NODECODE_RELOCS']	# decode relocs last
+	end
+	# returns a metasm CPU object corresponding to +header.machine+
+	def cpu_from_headers
+		case @header.machine
+		when 'I386'; Ia32.new
+		when 'AMD64'; X86_64.new
+		when 'R4000'; MIPS.new(:little)
+		else raise "unknown cpu #{@header.machine}"
+		end
+	end
+	# returns an array including the PE entrypoint and the exported functions entrypoints
+	# TODO filter out exported data, include safeseh ?
+	def get_default_entrypoints
+		ep = []
+		ep.concat @tls.callbacks.to_a if tls
+		ep << (@optheader.image_base + label_rva(@optheader.entrypoint))
+		@export.exports.to_a.each { |e|
+			next if e.forwarder_lib or not e.target
+			ep << (@optheader.image_base + label_rva(e.target))
+		} if export
+		ep
+	end
+	def dump_section_header(addr, edata)
+		s = @sections.find { |s_| s_.virtaddr == addr-@optheader.image_base }
+		s ? "\n.section #{s.name.inspect} base=#{Expression[addr]}" :
+		addr == @optheader.image_base ? "// exe header at #{Expression[addr]}" : super(addr, edata)
+	end
+	# returns an array of [name, addr, length, info]
+	def section_info
+		[['header', @optheader.image_base, @optheader.headers_size, nil]] +
+		@sections.map { |s|
+			[s.name, @optheader.image_base + s.virtaddr, s.virtsize, s.characteristics.join(',')]
+		}
+	end
+end
+class COFFArchive
+	class Member
+		def decode(ar)
+			@offset = ar.encoded.ptr
+			super(ar)
+			raise 'bad member header' + self.inspect if @eoh != "`\n"
+			@name.strip!
+			@date = @date.to_i
+			@uid = @uid.to_i
+			@gid = @gid.to_i
+			@mode = @mode.to_i(8)
+			@size = @size.to_i
+			@encoded = ar.encoded[ar.encoded.ptr, @size]
+			ar.encoded.ptr += @size
+			ar.encoded.ptr += 1 if @size & 1 == 1
+		end
+		def decode_half ; @encoded.decode_imm(:u16, :big) end
+		def decode_word ; @encoded.decode_imm(:u32, :big) end
+		def exe; AutoExe.decode(@encoded) ; end
+	end
+	def decode_half(edata = @encoded) ; edata.decode_imm(:u16, :little) end
+	def decode_word(edata = @encoded) ; edata.decode_imm(:u32, :little) end
+	def decode_strz(edata = @encoded)
+		i = edata.data.index(?\0, edata.ptr) || edata.data.index(?\n, edata.ptr) || (edata.length+1)
+		edata.read(i+1-edata.ptr).chop
+	end
+	def decode_first_linker(m)
+		offsets = []
+		names = []
+		m.encoded.ptr = 0
+		numsym = m.decode_word
+		numsym.times { offsets << m.decode_word }
+		numsym.times { names << decode_strz(m.encoded) }
+		# names[42] is found in object at file offset offsets[42]
+		# offsets are sorted by object index (all syms from 1st object, then 2nd etc)
+		@first_linker = names.zip(offsets) #.inject({}) { |h, (n, o)| h.update n => o }
+	end
+	def decode_second_linker(m)
+		names = []
+		mboffsets = []
+		indices = []
+		m = @members[1]
+		m.encoded.ptr = 0
+		nummb = decode_word(m.encoded)
+		nummb.times { mboffsets << decode_word(m.encoded) }
+		numsym = decode_word(m.encoded)
+		numsym.times { indices << decode_half(m.encoded) }
+		numsym.times { names << decode_strz(m.encoded) }
+		# names[42] is found in object at file offset mboffsets[indices[42]]
+		# symbols sorted by symbol name (supposed to be more efficient, but no index into string table...)
+		#names.zip(indices).inject({}) { |h, (n, i)| h.update n => mboffsets[i] }
+		@second_linker = [names, mboffsets, indices]
+	end
+	def decode_longnames(m)
+		@longnames = m.encoded
+	end
+	# set real name to archive members
+	# look it up in the name table member if needed, or just remove the trailing /
+	def fixup_names
+		@members.each { |m|
+			case m.name
+			when '/'
+			when '//'
+			when /^\/(\d+)/
+				@longnames.ptr = $1.to_i
+				m.name = decode_strz(@longnames).chomp("/")
+			else m.name.chomp! "/"
+			end
+		}
+	end
+	def decode
+		@encoded.ptr = 0
+		@signature = @encoded.read(8)
+		raise InvalidExeFormat, "Invalid COFF Archive signature #{@signature.inspect}" if @signature != "!<arch>\n"
+		@members = []
+		while @encoded.ptr < @encoded.virtsize
+			@members << Member.decode(self)
+		end
+		@members.each { |m|
+			case m.name
+			when '/'; @first_linker ? decode_second_linker(m) : decode_first_linker(m)
+			when '//'; decode_longnames(m)
+			else break
+			end
+		}
+		fixup_names
+	end
+end
+end