metasm 1.0.0

data/lib/metasm/pic16c/decode.rb

@@ -0,0 +1,42 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/pic16c/opcodes'
+require 'metasm/decode'
+
+module Metasm
+class Pic16c
+	def build_opcode_bin_mask(op)
+		# bit = 0 if can be mutated by an field value, 1 if fixed by opcode
+		op.bin_mask = Array.new(op.bin.length, 0)
+		op.fields.each { |f, (oct, off)|
+			op.bin_mask[oct] |= (@fields_mask[f] << off)
+		}
+		op.bin_mask.map! { |v| 255 ^ v }
+	end
+	
+	def build_bin_lookaside
+		# sets up a hash byte value => list of opcodes that may match
+		# opcode.bin_mask is built here
+		lookaside = Array.new(256) { [] }
+		@opcode_list.each { |op|
+			
+			build_opcode_bin_mask op
+			
+			b   = op.bin[0]
+			msk = op.bin_mask[0]
+			
+			
+			for i in b..(b | (255^msk))
+				ext if i & msk != b & msk
+				
+				lookaside[i] << op
+			end
+		}
+		lookaside
+	end
+end
+end

data/lib/metasm/pic16c/main.rb

@@ -0,0 +1,17 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/main'
+
+module Metasm
+class Pic16c < CPU
+	def initialize(endianness = :big)
+		super()
+		@endianness = endianness
+		init
+	end
+end
+end

data/lib/metasm/pic16c/opcodes.rb

@@ -0,0 +1,68 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/pic16c/main'
+
+module Metasm
+class Pic16c
+	def addop(name, bin, *l)
+		o = Opcode.new name, bin
+		l.each { |ll|
+			if @props_allowed[ll]
+				o.props[ll] = true
+			else
+				o.args << ll
+				o.fields[ll] = @fields_off[ll]
+			end
+		}
+		@opcode_list << o
+	end
+
+	def init
+		@fields_mask = {:f => 0x7f, :b => 0x7, :k => 0xff, :klong => 0x3ff, :d => 1 }
+		@props_allowed = {:setip => true, :saveip => true, :stopexec => true }
+		@fields_off = { :f => 0, :b => 7, :k => 0, :klong => 0, :d => 7, :d => 7 }
+
+		addop 'addwf', 0b00_0111_0000_0000, :f, :d
+		addop 'andwf', 0b00_0101_0000_0000, :f, :d
+		addop 'clrf',  0b00_0001_1000_0000, :f
+		addop 'clrw',  0b00_0001_0000_0000		# 00_0001_0xxx_xxxx
+		addop 'comf',  0b00_1001_0000_0000, :f, :d
+		addop 'decf',  0b00_0011_0000_0000, :f, :d
+		addop 'decfsz',0b00_1011_0000_0000, :f, :d
+		addop 'incf',  0b00_1010_0000_0000, :f, :d
+		addop 'incfsz',0b00_1111_0000_0000, :f, :d
+		addop 'iorwf', 0b00_0100_0000_0000, :f, :d
+		addop 'movf',  0b00_1000_0000_0000, :f, :d
+		addop 'movwf', 0b00_0000_1000_0000, :f
+		addop 'nop',   0b00_0000_0000_0000		# 00_0000_0xx0_0000
+		addop 'rlf',   0b00_1101_0000_0000, :f, :d
+		addop 'rrf',   0b00_1100_0000_0000, :f, :d
+		addop 'subwf', 0b00_0010_0000_0000, :f, :d
+		addop 'swapf', 0b00_1110_0000_0000, :f, :d
+		addop 'xorwf', 0b00_0110_0000_0000, :f, :d
+
+		addop 'bcf',   0b01_0000_0000_0000, :f, :b
+		addop 'bsf',   0b01_0100_0000_0000, :f, :b
+		addop 'btfsc', 0b01_1000_0000_0000, :f, :b, :setip
+		addop 'btfss', 0b01_1100_0000_0000, :f, :b, :setip
+
+		addop 'addlw', 0b11_1110_0000_0000, :k		# 00_000x_0000_0000
+		addop 'andlw', 0b11_1001_0000_0000, :k
+		addop 'call',  0b10_0000_0000_0000, :klong, :setip, :stopexec, :saveip
+		addop 'clrwdt',0b00_0000_0110_0100
+		addop 'goto',  0b10_1000_0000_0000, :klong, :setip, :stopexec
+		addop 'iorlw', 0b11_1000_0000_0000, :k
+		addop 'movlw', 0b11_0000_0000_0000, :k		# 00_00xx_0000_0000
+		addop 'retfie',0b00_0000_0000_1001, :setip, :stopexec
+		addop 'retlw', 0b11_0100_0000_0000, :k, :setip, :stopexec	# 00_00xx_0000_0000
+		addop 'return',0b00_0000_0000_1000, :setip, :stopexec
+		addop 'sleep', 0b00_0000_0110_0011
+		addop 'sublw', 0b11_1100_0000_0000, :k		# 00_000x_0000_0000
+		addop 'xorlw', 0b11_1010_0000_0000, :k
+	end
+end
+end

data/lib/metasm/ppc.rb

@@ -0,0 +1,11 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/main'
+require 'metasm/ppc/parse'
+require 'metasm/ppc/encode'
+require 'metasm/ppc/decode'
+require 'metasm/ppc/decompile'

data/lib/metasm/ppc/decode.rb

@@ -0,0 +1,264 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/ppc/opcodes'
+require 'metasm/decode'
+
+module Metasm
+class PowerPC
+	def build_opcode_bin_mask(op)
+		# bit = 0 if can be mutated by an field value, 1 if fixed by opcode
+		return if not op.bin.kind_of? Integer
+		op.bin_mask = 0
+		op.args.each { |f|
+			op.bin_mask |= @fields_mask[f] << @fields_shift[f]
+		}
+		op.bin_mask = 0xffff_ffff ^ op.bin_mask
+	end
+
+	def build_bin_lookaside
+		lookaside = Array.new(256) { [] }
+		opcode_list.each { |op|
+			next if not op.bin.kind_of? Integer
+			build_opcode_bin_mask op
+
+			b   = op.bin >> 24
+			msk = op.bin_mask >> 24
+
+			for i in b..(b | (255^msk))
+				next if i & msk != b & msk
+				lookaside[i] << op
+			end
+		}
+		lookaside
+	end
+
+	def decode_findopcode(edata)
+		return if edata.ptr >= edata.data.length
+		di = DecodedInstruction.new(self)
+		val = edata.decode_imm(:u32, @endianness)
+		edata.ptr -= 4
+		di if di.opcode = @bin_lookaside[val >> 24].find { |op|
+			(op.bin & op.bin_mask) == (val & op.bin_mask)
+		}
+	end
+
+	def decode_instr_op(edata, di)
+		before_ptr = edata.ptr
+		op = di.opcode
+		di.instruction.opname = op.name
+		val = edata.decode_imm(:u32, @endianness)
+
+		field_val = lambda { |f|
+			r = (val >> @fields_shift[f]) & @fields_mask[f]
+			case f
+			when :bd, :d, :ds, :dq, :si, :ui; r = Expression.make_signed(r<<@fields_shift[f], 16)
+			when :li; r = Expression.make_signed(r<<@fields_shift[f], 26)
+			else r
+			end
+		}
+
+		op.args.each { |a|
+			di.instruction.args << case a
+			when :ra, :rb, :rs, :rt; GPR.new field_val[a]
+			when :fra, :frb, :frc, :frs, :frt; FPR.new field_val[a]
+			when :ra_i16, :ra_i16s, :ra_i16q
+				i = field_val[{:ra_i16 => :d, :ra_i16s => :ds, :ra_i16q => :dq}[a]]
+			       	Memref.new GPR.new(field_val[:ra]), Expression[i]
+			when :bd, :d, :ds, :dq, :si, :ui, :li, :sh, :ma, :mb, :me, :ma_, :mb_, :me_; Expression[field_val[a]]
+			when :ign_bo_zzz, :ign_bo_z, :ign_bo_at, :ign_bo_at2, :ign_bi, :aa, :lk, :oe, :rc, :l; next
+			else raise SyntaxError, "Internal error: invalid argument #{a} in #{op.name}"
+			end
+		}
+		di.bin_length += edata.ptr - before_ptr
+
+		decode_aliases(di.instruction)
+
+		di
+	end
+
+	def decode_aliases(i)
+		case i.opname
+		when /^n?or\.?$/
+			if i.args[1] == i.args[2]
+	 			i.args.pop
+	 			i.opname = {'or' => 'mr', 'or.' => 'mr.', 'nor' => 'not', 'nor.' => 'not.'}[i.opname]
+			end
+		when /^addi/
+			if a = i.args[2].reduce and a.kind_of? Integer and a < 0
+				i.args[2] = Expression[-a]
+				i.opname = i.opname.sub('addi', 'subi')
+			end
+		end
+
+		case i.opname
+		when /^(add|sub|xor|and|or|div|mul|nand)/
+			if i.args.length == 3 and i.args[0] == i.args[1]
+				i.args.shift
+			end
+		end
+
+	end
+
+	# converts relative branch offsets to absolute addresses
+	# else just add the offset +off+ of the instruction + its length (off may be an Expression)
+	# assumes edata.ptr points just after the instruction (as decode_instr_op left it)
+	# do not call twice on the same di !
+ 	def decode_instr_interpret(di, addr)
+		if di.opcode.props[:setip] and di.instruction.args.last.kind_of? Expression and di.opcode.name[0] != ?t and di.opcode.name[-1] != ?a
+			arg = Expression[addr, :+, di.instruction.args.last].reduce
+			di.instruction.args[-1] = Expression[arg]
+		end
+
+		di
+	end
+
+	# TODO
+	def backtrace_update_function_binding(dasm, faddr, f, retaddrlist, *wantregs)
+		retaddrlist.to_a.map! { |retaddr| dasm.decoded[retaddr] ? dasm.decoded[retaddr].block.list.last.address : retaddr }
+		b = f.backtrace_binding
+
+		bt_val = lambda { |r|
+			bt = []
+			retaddrlist.to_a.each { |retaddr|
+				bt |= dasm.backtrace(Expression[r], retaddr,
+					:include_start => true, :snapshot_addr => faddr, :origin => retaddr)
+			}
+			b[r] = ((bt.length == 1) ? bt.first : Expression::Unknown)
+		}
+		wantregs = GPR::Sym if wantregs.empty?
+		wantregs.map { |r| r.to_sym }.each(&bt_val)
+
+		#puts "update_func_bind: #{Expression[faddr]} has sp -> #{b[:$sp]}" if not Expression[b[:$sp], :-, :$sp].reduce.kind_of?(::Integer) if $VERBOSE
+	end
+
+	def backtrace_is_function_return(expr, di=nil)
+		expr.reduce_rec == :lr
+	end
+
+	def backtrace_is_stack_address(expr)
+		Expression[expr].expr_externals.include? :sp
+	end
+
+	def replace_instr_arg_immediate(i, old, new)
+		i.args.map! { |a|
+			case a
+			when Expression; a == old ? new : Expression[a.bind(old => new).reduce]
+			when Memref
+				a.offset = (a.offset == old ? new : Expression[a.offset.bind(old => new).reduce]) if a.offset.kind_of? Expression
+				a
+			else a
+			end
+		}
+	end
+
+	def disassembler_default_func
+		df = DecodedFunction.new
+		df.backtrace_binding = (0..31).inject({}) { |h, r| r != 1 ? h.update("r#{r}".to_sym => Expression::Unknown) : h }
+		df.backtracked_for = [BacktraceTrace.new(Expression[:lr], :default, Expression[:lr], :x)]
+		df.btfor_callback = lambda { |dasm, btfor, funcaddr, calladdr|
+			if funcaddr != :default
+				btfor
+			elsif di = dasm.decoded[calladdr] and di.opcode.props[:saveip]
+				btfor
+			else []
+			end
+		}
+		df
+	end
+
+	# hash opname => lambda { |di, *sym_args| binding }
+	def backtrace_binding
+		@backtrace_binding ||= init_backtrace_binding
+	end
+	def backtrace_binding=(b) @backtrace_binding = b end
+
+	def init_backtrace_binding
+		@backtrace_binding ||= {}
+		opcode_list.map { |ol| ol.name }.uniq.each { |op|
+			binding = case op
+			when 'mr', 'li', 'la'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
+			when 'lis'; lambda { |di, a0, a1| { a0 => Expression[a1, :<<, 16] } }
+			when 'mtctr'; lambda { |di, a0| { :ctr => Expression[a0] } }
+			when 'mfctr'; lambda { |di, a0| { a0 => Expression[:ctr] } }
+			when 'mtlr'; lambda { |di, a0| { :lr => Expression[a0] } }
+			when 'mflr'; lambda { |di, a0| { a0 => Expression[:lr] } }
+			when 'lwzu'; lambda { |di, a0, m|
+				ret = { a0 => Expression[m] }
+				ptr = m.pointer.externals.grep(Symbol).first
+				ret[ptr] = m.pointer if ptr != a0
+				ret
+		       	}
+			when 'lwz'; lambda { |di, a0, m| { a0 => Expression[m] } }
+			when 'stwu'; lambda { |di, a0, m|
+				{ m => Expression[a0], m.pointer.externals.grep(Symbol).first => m.pointer }
+		       	}
+			when 'stw'; lambda { |di, a0, m| { m => Expression[a0] } }
+			when 'rlwinm'; lambda { |di, a0, a1, sh, mb, me|
+				mb, me = mb.reduce, me.reduce
+				cpmsk = (1<<@size) - 1
+				a1 = Expression[a1, :&, cpmsk]
+				rol = Expression[[a1, :<<, sh], :|, [a1, :>>, [@size, :-, sh]]]
+				if mb == me+1
+					msk = cpmsk
+				elsif mb < me+1
+					msk = (((1 << ((me+1)-mb)) - 1) << (@size-(me+1)))
+				else
+					msk = (((1 << (mb-(me+1))) - 1) << (@size-mb)) ^ cpmsk
+				end
+				{ a0 => Expression[Expression[rol, :&, msk].reduce] }
+			}
+
+			when 'add', 'addi', 'add.', 'addi.'; lambda { |di, *a| { a[0] => Expression[a[-2], :+, a[-1]] } }
+			when 'addis', 'addis.'; lambda { |di, *a| { a[0] => Expression[a[-2], :+, [a[-1], :<<, 16]] } }
+			when 'sub', 'subi', 'sub.', 'subi.'; lambda { |di, *a| { a[0] => Expression[a[-2], :-, a[-1]] } }
+			when 'subis', 'subis.'; lambda { |di, *a| { a[0] => Expression[a[-2], :-, [a[-1], :<<, 16]] } }
+			when /^b.*la?$/; lambda { |di, *a| { :lr => Expression[di.next_addr] } }
+			when 'nop', /^cmp/, /^b/; lambda { |di, *a| {} }
+			end
+
+			@backtrace_binding[op] ||= binding if binding
+		}
+		@backtrace_binding
+	end
+
+	def get_backtrace_binding(di)
+		a = di.instruction.args.map { |arg|
+			case arg
+			when Memref; arg.symbolic(di.address)
+			when Reg; arg.symbolic
+			else arg
+			end
+		}
+
+		binding = if binding = backtrace_binding[di.instruction.opname]
+			binding[di, *a]
+		else
+			puts "unknown instruction to emu #{di}" if $VERBOSE
+			{}
+		end
+
+		binding
+	end
+
+	def get_xrefs_x(dasm, di)
+		return [] if not di.opcode.props[:setip]
+
+		arg = case di.instruction.opname
+		      when 'bctr', 'bctrl'; :ctr
+		      when 'blr', 'blrl'; :lr
+		      else di.instruction.args.last
+		      end
+
+		[Expression[
+		case arg
+		when Memref; Indirection[[arg.base.to_s.to_sym, :+, arg.offset], @size/8, di.address]
+		when Reg; arg.to_s.to_sym
+		else arg
+		end]]
+	end
+end
+end

data/lib/metasm/ppc/decompile.rb

@@ -0,0 +1,251 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/ppc/main'
+
+module Metasm
+class PowerPC
+	# temporarily setup dasm.address_binding so that backtracking
+	# stack-related offsets resolve in :frameptr (relative to func start)
+	def decompile_makestackvars(dasm, funcstart, blocks)
+		oldfuncbd = dasm.address_binding[funcstart]
+		dasm.address_binding[funcstart] = { :sp => :frameptr }	# this would suffice, the rest here is just optimisation
+
+		blocks.each { |block|
+			yield block
+		}
+
+		dasm.address_binding[funcstart] = oldfuncbd if oldfuncbd
+	end
+
+	# list variable dependency for each block, remove useless writes
+	# returns { blockaddr => [list of vars that are needed by a following block] }
+	def decompile_func_finddeps(dcmp, blocks, func)
+		deps_r = {} ; deps_w = {} ; deps_to = {}
+		deps_subfunc = {} 	# things read/written by subfuncs
+
+		# find read/writes by each block
+		blocks.each { |b, to|
+			deps_r[b] = [] ; deps_w[b] = [] ; deps_to[b] = to
+			deps_subfunc[b] = []
+
+			blk = dcmp.dasm.decoded[b].block
+			blk.list.each { |di|
+				a = di.backtrace_binding.values
+				w = []
+				di.backtrace_binding.keys.each { |k|
+					case k
+					when ::Symbol; w |= [k]
+					else a |= Expression[k].externals	# if dword [eax] <- 42, eax is read
+					end
+				}
+				#a << :eax if di.opcode.name == 'ret'		# standard ABI
+				
+				deps_r[b] |= a.map { |ee| Expression[ee].externals.grep(::Symbol) }.flatten - [:unknown] - deps_w[b]
+				deps_w[b] |= w.map { |ee| Expression[ee].externals.grep(::Symbol) }.flatten - [:unknown]
+			}
+			stackoff = nil
+			blk.each_to_normal { |t|
+				t = dcmp.backtrace_target(t, blk.list.last.address)
+				next if not t = dcmp.c_parser.toplevel.symbol[t]
+				t.type = C::Function.new(C::BaseType.new(:int)) if not t.type.kind_of? C::Function	# XXX this may seem a bit extreme, and yes, it is.
+				stackoff ||= Expression[dcmp.dasm.backtrace(:sp, blk.list.last.address, :snapshot_addr => blocks.first[0]).first, :-, :sp].reduce
+			}
+			if stackoff	# last block instr == subfunction call
+				deps_r[b] |= deps_subfunc[b] - deps_w[b]
+				#deps_w[b] |= [:eax, :ecx, :edx]			# standard ABI
+			end
+		}
+
+
+
+		# find regs read and never written (must have been set by caller and are part of the func ABI)
+		uninitialized = lambda { |b, r, done|
+			from = deps_to.keys.find_all { |f| deps_to[f].include? b } - done
+			from.empty? or from.find { |f|
+				!deps_w[f].include?(r) and uninitialized[f, r, done + [b]]
+			}
+		}
+
+		# remove writes from a block if no following block read the value
+		dw = {}
+		deps_w.each { |b, deps|
+			dw[b] = deps.reject { |dep|
+				ret = true
+				done = []
+				todo = deps_to[b].dup
+				while a = todo.pop
+					next if done.include? a
+					done << a
+					if not deps_r[a] or deps_r[a].include? dep
+						ret = false
+						break
+					elsif not deps_w[a].include? dep
+						todo.concat deps_to[a]
+					end
+				end
+				ret
+			}
+		}
+
+		dw
+	end
+
+	def decompile_blocks(dcmp, myblocks, deps, func, nextaddr = nil)
+		scope = func.initializer
+		func.type.args.each { |a| scope.symbol[a.name] = a }
+		stmts = scope.statements
+		func_entry = myblocks.first[0]
+		until myblocks.empty?
+			b, to = myblocks.shift
+			if l = dcmp.dasm.get_label_at(b)
+				stmts << C::Label.new(l)
+			end
+
+			# list of assignments [[dest reg, expr assigned]]
+			ops = []
+			# reg binding (reg => value, values.externals = regs at block start)
+			binding = {}
+			# Expr => CExpr
+			ce  = lambda { |*e| dcmp.decompile_cexpr(Expression[Expression[*e].reduce], scope) }
+			# Expr => Expr.bind(binding) => CExpr
+			ceb = lambda { |*e| ce[Expression[*e].bind(binding)] }
+
+			# dumps a CExprs that implements an assignment to a reg (uses ops[], patches op => [reg, nil])
+			commit = lambda {
+				deps[b].map { |k|
+					[k, ops.rindex(ops.reverse.find { |r, v| r == k })]
+				}.sort_by { |k, i| i.to_i }.each { |k, i|
+					next if not i or not binding[k]
+					e = k
+					final = []
+					ops[0..i].reverse_each { |r, v|
+						final << r if not v
+						e = Expression[e].bind(r => v).reduce if not final.include? r
+					}
+					ops[i][1] = nil
+					binding.delete k
+					stmts << ce[k, :'=', e] if k != e
+				}
+			}
+
+			# go !
+			dcmp.dasm.decoded[b].block.list.each_with_index { |di, didx|
+				a = di.instruction.args
+				if di.opcode.props[:setip] and not di.opcode.props[:stopexec]
+					# conditional jump
+					commit[]
+					n = dcmp.backtrace_target(get_xrefs_x(dcmp.dasm, di).first, di.address)
+					#cc = ceb[decode_cc_to_expr(di.opcode.name[1..-1])]
+					cc = ceb[:condjmp]
+					stmts << C::If.new(C::CExpression[cc], C::Goto.new(n))
+					to.delete dcmp.dasm.normalize(n)
+					next
+				end
+
+				case di.opcode.name
+				when 'blr'
+					commit[]
+					stmts << C::Return.new(nil)
+				when 'bl'	# :saveip
+					n = dcmp.backtrace_target(get_xrefs_x(dcmp.dasm, di).first, di.address)
+					args = []
+					if t = dcmp.c_parser.toplevel.symbol[n] and t.type.args
+						stackoff = Expression[dcmp.dasm.backtrace(:sp, di.address, :snapshot_addr => func_entry), :-, :sp].bind(:sp => :frameptr).reduce rescue nil
+						args_todo = t.type.args.dup
+						args = []
+						args_todo.each {
+							if stackoff.kind_of? Integer
+								var = Indirection[[:frameptr, :+, stackoff], @size/8]
+								stackoff += @size/8
+							else
+								var = 0
+							end
+							args << ceb[var]
+							binding.delete var
+						}
+					end
+					commit[]
+					#next if not di.block.to_subfuncret
+
+					if n.kind_of? ::String
+						if not f = dcmp.c_parser.toplevel.symbol[n]
+							# internal functions are predeclared, so this one is extern
+							f = dcmp.c_parser.toplevel.symbol[n] = C::Variable.new
+							f.name = n
+							f.type = C::Function.new(C::BaseType.new(:int))
+							dcmp.c_parser.toplevel.statements << C::Declaration.new(f)
+						end
+						commit[]
+					else
+						# indirect funcall
+						fptr = ceb[n]
+						binding.delete n
+						commit[]
+						proto = C::Function.new(C::BaseType.new(:int))
+						f = C::CExpression[[fptr], proto]
+					end
+					binding.delete :eax
+					e = C::CExpression[f, :funcall, args]
+					e = C::CExpression[ce[:eax], :'=', e, f.type.type] if deps[b].include? :eax and f.type.type != C::BaseType.new(:void)
+					stmts << e
+				when 'b'
+					a = di.instruction.args.first
+					if a.kind_of? Expression
+					else
+						# indirect jmp, convert to return (*fptr)();
+						n = di.instruction.args.first.symbolic
+						fptr = ceb[n]
+						binding.delete n
+						commit[]
+						proto = C::Function.new(C::BaseType.new(:void))
+						ret = C::Return.new(C::CExpression[[[fptr], C::Pointer.new(proto)], :funcall, []])
+						class << ret ; attr_accessor :from_instr end
+						ret.from_instr = di
+						stmts << ret
+						to = []
+					end
+				else
+					bd = get_fwdemu_binding(di)
+					if di.backtrace_binding[:incomplete_binding]
+						commit[]
+						stmts << C::Asm.new(di.instruction.to_s, nil, nil, nil, nil, nil)
+					else
+						bd.each { |k, v|
+							if k.kind_of? ::Symbol
+								ops << [k, v]
+							else	# memory
+								stmts << ceb[k, :'=', v]
+								binding.delete k
+							end
+						}
+						update = {}
+						bd.each { |k, v|
+							next if not k.kind_of? ::Symbol
+							update[k] = Expression[Expression[v].bind(binding).reduce]
+						}
+						binding.update update
+					end
+				end
+			}
+			commit[]
+
+			case to.length
+			when 0
+				if not myblocks.empty? and not %w[ret jmp].include? dcmp.dasm.decoded[b].block.list.last.instruction.opname
+					puts "  block #{Expression[b]} has no to and don't end in ret"
+				end
+			when 1
+				if (myblocks.empty? ? nextaddr != to[0] : myblocks.first.first != to[0])
+					stmts << C::Goto.new(dcmp.dasm.auto_label_at(to[0], 'unknown_goto'))
+				end
+			else
+				puts "  block #{Expression[b]} with multiple to"
+			end
+		end
+	end
+end
+end