metasm 1.0.0

data/lib/metasm/x86_64/debug.rb

@@ -0,0 +1,59 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/x86_64/opcodes'
+
+module Metasm
+class X86_64
+	def dbg_register_pc
+		@dbg_register_pc ||= :rip
+	end
+	def dbg_register_flags
+		@dbg_register_flags ||= :rflags
+	end
+
+	def dbg_register_list 
+		@dbg_register_list ||= [:rax, :rbx, :rcx, :rdx, :rsi, :rdi, :rbp, :rsp, :r8, :r9, :r10, :r11, :r12, :r13, :r14, :r15, :rip]
+	end
+
+	def dbg_register_size
+		@dbg_register_size ||= Hash.new(64).update(:cs => 16, :ds => 16, :es => 16, :fs => 16, :gs => 16)
+	end
+
+	def dbg_func_arg(dbg, argnr)
+		if dbg.class.name =~ /win/i
+			list = [:rcx, :rdx, :r8, :r9]
+			off = 0x20
+		else
+			list = [:rdi, :rsi, :rdx, :rcx, :r8, :r9]
+			off = 0
+		end
+		if r = list[argnr]
+			dbg.get_reg_value(r)
+		else
+			argnr -= list.length
+			dbg.memory_read_int(Expression[:esp, :+, off + 8 + 8*argnr])
+		end
+	end
+	def dbg_func_arg_set(dbg, argnr, arg)
+		if dbg.class.name =~ /win/i
+			list = []
+			off = 0x20
+		else
+			list = []
+			off = 0
+		end
+		if r = list[argnr]
+			dbg.set_reg_value(r, arg)
+		else
+			argnr -= list.length
+			dbg.memory_write_int(Expression[:esp, :+, off + 8 + 8*argnr], arg)
+		end
+	end
+
+	# what's left is inherited from Ia32
+end
+end

data/lib/metasm/x86_64/decode.rb

@@ -0,0 +1,268 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/x86_64/opcodes'
+require 'metasm/decode'
+
+module Metasm
+class X86_64
+	class ModRM
+		def self.decode(edata, byte, endianness, adsz, opsz, seg=nil, regclass=Reg, pfx={})
+			m = (byte >> 6) & 3
+			rm = byte & 7
+
+			if m == 3
+				rm |= 8 if pfx[:rex_b]
+				return regclass.new(rm, opsz)
+			end
+
+			adsz ||= 64
+
+			# mod 0/1/2 m 4 => sib
+			# mod 0 m 5 => rip+imm
+			# sib: i 4 => no index, b 5 => no base
+
+			s = i = b = imm = nil
+			if rm == 4
+				sib = edata.get_byte.to_i
+
+				ii = (sib >> 3) & 7
+				ii |= 8 if pfx[:rex_x]
+				if ii != 4
+					s = 1 << ((sib >> 6) & 3)
+					i = Reg.new(ii, adsz)
+				end
+
+				bb = sib & 7
+				if bb == 5 and m == 0
+					m = 2	# :i32 follows
+				else
+					bb |= 8 if pfx[:rex_b]
+					b = Reg.new(bb, adsz)
+				end
+			elsif rm == 5 and m == 0
+				b = Reg.new(16, adsz)
+				m = 2	# :i32 follows
+			else
+				rm |= 8 if pfx[:rex_b]
+				b = Reg.new(rm, adsz)
+			end
+
+			case m
+			when 1; itype = :i8
+			when 2; itype = :i32
+			end
+			imm = Expression[edata.decode_imm(itype, endianness)] if itype
+
+			if imm and imm.reduce.kind_of? Integer and imm.reduce < -0x100_0000
+				# probably a base address -> unsigned
+				imm = Expression[imm.reduce & ((1 << adsz) - 1)]
+			end
+
+			new adsz, opsz, s, i, b, imm, seg
+		end
+	end
+
+	def decode_prefix(instr, byte)
+		x = super(instr, byte)
+		if instr.prefix.delete :rex
+			# rex ignored if not last
+			instr.prefix.delete :rex_b
+			instr.prefix.delete :rex_x
+			instr.prefix.delete :rex_r
+			instr.prefix.delete :rex_w
+		end
+		if byte & 0xf0 == 0x40
+			x = instr.prefix[:rex] = byte
+			instr.prefix[:rex_b] = 1 if byte & 1 > 0
+			instr.prefix[:rex_x] = 1 if byte & 2 > 0
+			instr.prefix[:rex_r] = 1 if byte & 4 > 0
+			instr.prefix[:rex_w] = 1 if byte & 8 > 0
+		end
+		x
+	end
+
+	def decode_instr_op(edata, di)
+		before_ptr = edata.ptr
+		op = di.opcode
+		di.instruction.opname = op.name
+		bseq = edata.read(op.bin.length).unpack('C*')		# decode_findopcode ensures that data >= op.length
+		pfx = di.instruction.prefix || {}
+
+		field_val = lambda { |f|
+			if fld = op.fields[f]
+				(bseq[fld[0]] >> fld[1]) & @fields_mask[f]
+			end
+		}
+		field_val_r = lambda { |f|
+			v = field_val[f]
+			v |= 8 if v and (op.fields[f][1] == 3 ? pfx[:rex_r] : pfx[:rex_b])	# gruick ?
+			v
+		}
+
+		opsz = op.props[:argsz] || (pfx[:rex_w] ? 64 : (pfx[:opsz] ? 16 : (op.props[:auto64] ? 64 : 32)))
+		adsz = pfx[:adsz] ? 32 : 64
+		mmxsz = (op.props[:xmmx] && pfx[:opsz]) ? 128 : 64
+
+		op.args.each { |a|
+			di.instruction.args << case a
+			when :reg;    Reg.new     field_val_r[a], opsz
+			when :eeec;   CtrlReg.new field_val_r[a]
+			when :eeed;   DbgReg.new  field_val_r[a]
+			when :seg2, :seg2A, :seg3, :seg3A; SegReg.new field_val[a]
+			when :regmmx; SimdReg.new field_val_r[a], mmxsz
+			when :regxmm; SimdReg.new field_val_r[a], 128
+
+			when :farptr; Farptr.decode edata, @endianness, opsz
+			when :i8, :u8, :i16, :u16, :i32, :u32, :i64, :u64; Expression[edata.decode_imm(a, @endianness)]
+			when :i		# 64bit constants are sign-extended from :i32
+				type = (opsz == 64 ? op.props[:imm64] ? :a64 : :i32 : "#{op.props[:unsigned_imm] ? 'a' : 'i'}#{opsz}".to_sym )
+ 				v = edata.decode_imm(type, @endianness)
+				v &= 0xffff_ffff_ffff_ffff if opsz == 64 and op.props[:unsigned_imm] and v.kind_of? Integer
+				Expression[v]
+
+			when :mrm_imm;  ModRM.new(adsz, opsz, nil, nil, nil, Expression[edata.decode_imm("a#{adsz}".to_sym, @endianness)], pfx[:seg])
+			when :modrm, :modrmA; ModRM.decode edata, field_val[a], @endianness, adsz, opsz, pfx[:seg], Reg, pfx
+			when :modrmmmx; ModRM.decode edata, field_val[:modrm], @endianness, adsz, mmxsz, pfx[:seg], SimdReg, pfx
+			when :modrmxmm; ModRM.decode edata, field_val[:modrm], @endianness, adsz, 128, pfx[:seg], SimdReg, pfx
+
+			when :regfp;  FpReg.new   field_val[a]
+			when :imm_val1; Expression[1]
+			when :imm_val3; Expression[3]
+			when :reg_cl;   Reg.new 1, 8
+			when :reg_eax;  Reg.new 0, opsz
+			when :reg_dx;   Reg.new 2, 16
+			when :regfp0;   FpReg.new nil
+			else raise SyntaxError, "Internal error: invalid argument #{a} in #{op.name}"
+			end
+		}
+
+		di.bin_length += edata.ptr - before_ptr
+
+		if op.name == 'movsx' or op.name == 'movzx' or op.name == 'movsxd'
+			if op.name == 'movsxd'
+				di.instruction.args[1].sz = 32
+			elsif opsz == 8
+				di.instruction.args[1].sz = 8
+			else
+				di.instruction.args[1].sz = 16
+			end
+			if pfx[:rex_w]
+				di.instruction.args[0].sz = 64
+			elsif pfx[:opsz]
+				di.instruction.args[0].sz = 16
+			else
+				di.instruction.args[0].sz = 32
+			end
+		end
+
+		# sil => bh
+		di.instruction.args.each { |a| a.val += 12 if a.kind_of? Reg and a.sz == 8 and not pfx[:rex] and a.val >= 4 and a.val <= 8 }
+
+		pfx.delete :seg
+		case pfx.delete(:rep)
+		when :nz
+			if di.opcode.props[:strop]
+				pfx[:rep] = 'rep'
+			elsif di.opcode.props[:stropz]
+				pfx[:rep] = 'repnz'
+			end
+		when :z
+			if di.opcode.props[:strop]
+				pfx[:rep] = 'rep'
+			elsif di.opcode.props[:stropz]
+				pfx[:rep] = 'repz'
+			end
+		end
+
+		di
+	end
+
+	def decode_instr_interpret(di, addr)
+		super(di, addr)
+
+		# [rip + 42] => [rip - addr + foo]
+		if m = di.instruction.args.grep(ModRM).first and
+				((m.b and m.b.val == 16) or (m.i and m.i.val == 16)) and
+				m.imm and m.imm.reduce.kind_of?(Integer)
+			m.imm = Expression[[:-, di.address + di.bin_length], :+, di.address+di.bin_length+m.imm.reduce]
+		end
+
+		di
+	end
+
+	def opsz(di)
+		if di and di.instruction.prefix and di.instruction.prefix[:rex_w]; 64
+		elsif di and di.instruction.prefix and di.instruction.prefix[:opsz]; 16
+		elsif di and di.opcode.props[:auto64]; 64
+		else 32
+		end
+	end
+
+	def register_symbols
+		[:rax, :rcx, :rdx, :rbx, :rsp, :rbp, :rsi, :rdi, :r8, :r9, :r10, :r11, :r12, :r13, :r14, :r15]
+	end
+	
+	# returns a DecodedFunction from a parsed C function prototype
+	def decode_c_function_prototype(cp, sym, orig=nil)
+		sym = cp.toplevel.symbol[sym] if sym.kind_of?(::String)
+		df = DecodedFunction.new
+		orig ||= Expression[sym.name]
+
+		new_bt = lambda { |expr, rlen|
+			df.backtracked_for << BacktraceTrace.new(expr, orig, expr, rlen ? :r : :x, rlen)
+		}
+
+		# return instr emulation
+		if sym.has_attribute 'noreturn' or sym.has_attribute '__noreturn__'
+			df.noreturn = true
+		else
+			new_bt[Indirection[:rsp, @size/8, orig], nil]
+		end
+
+		# register dirty (MS standard ABI)
+		[:rax, :rcx, :rdx, :r8, :r9, :r10, :r11].each { |r|
+			df.backtrace_binding.update r => Expression::Unknown
+		}
+
+		if cp.lexer.definition['__MS_X86_64_ABI__']
+			reg_args = [:rcx, :rdx, :r8, :r9]
+		else
+			reg_args = [:rdi, :rsi, :rdx, :rcx, :r8, :r9]
+		end
+
+		al = cp.typesize[:ptr]
+		df.backtrace_binding[:rsp] = Expression[:rsp, :+, al]
+
+		# scan args for function pointers
+		# TODO walk structs/unions..
+		stackoff = al
+		sym.type.args.to_a.zip(reg_args).each { |a, r|
+			if not r
+				r = Indirection[[:rsp, :+, stackoff], al, orig]
+				stackoff += (cp.sizeof(a) + al - 1) / al * al
+			end
+			if a.type.untypedef.kind_of? C::Pointer
+				pt = a.type.untypedef.type.untypedef
+				if pt.kind_of? C::Function
+					new_bt[r, nil]
+					df.backtracked_for.last.detached = true
+				elsif pt.kind_of? C::Struct
+					new_bt[r, al]
+				else
+					new_bt[r, cp.sizeof(nil, pt)]
+				end
+			end
+		}
+
+		df
+	end
+
+	def backtrace_update_function_binding_check(dasm, faddr, f, b)
+		# TODO save regs according to ABI
+	end
+end
+end

data/lib/metasm/x86_64/encode.rb

@@ -0,0 +1,264 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/x86_64/opcodes'
+require 'metasm/encode'
+
+module Metasm
+class X86_64
+	class ModRM
+		def self.encode_reg(reg, mregval = 0)
+			v = reg.kind_of?(Reg) ? reg.val_enc : reg.val & 7
+			0xc0 | (mregval << 3) | v
+		end
+
+		def encode(reg = 0, endianness = :little)
+			reg = reg.val if reg.kind_of? Ia32::Argument
+
+			ret = EncodedData.new << (reg << 3)
+
+			# add bits in the first octet of ret.data (1.9 compatibility layer)
+			or_bits = lambda { |v|	# rape me
+				if ret.data[0].kind_of? Integer
+					ret.data[0] |= v
+				else
+					ret.data[0] = (ret.data[0].unpack('C').first | v).chr
+				end
+			}
+
+			if not self.b and not self.i
+				# imm only, use sib
+				or_bits[4]
+				imm = self.imm || Expression[0]
+				[ret << ((4 << 3) | 5) << imm.encode(:i32, endianness)]
+
+			elsif (self.b and self.b.val == 16) or (self.i and self.i.val == 16)	# rip+imm	(rip == addr of the octet after the current instr)
+				# should have been filtered by #parse, but just in case
+				raise "invalid rip addressing #{self}" if (self.i and self.b) or (self.s and self.s != 1)
+				or_bits[5]
+				imm = self.imm || Expression[0]
+				[ret << imm.encode(:i32, endianness)]
+
+			elsif not self.b and self.s != 1
+				# sib with no b
+				raise EncodeError, "Invalid ModRM #{self}" if @i.val == 4	# XXX 12 ?
+				or_bits[4]
+				s = {8=>3, 4=>2, 2=>1}[@s]
+				imm = self.imm || Expression[0]
+				fu = (s << 6) | (@i.val_enc << 3) | 5
+				fu = fu.chr if s >= 2	# rb1.9 encoding fix
+				[ret << fu << imm.encode(:i32, endianness)]
+			else
+				imm = @imm.reduce if self.imm
+				imm = nil if imm == 0
+
+				if not self.i or (not self.b and self.s == 1)
+					# no sib byte (except for [esp])
+					@s, @i, @b = nil, nil, @s if not self.b
+					or_bits[@b.val_enc]
+					ret << 0x24 if @b.val_enc == 4	# XXX val_enc ?
+				else
+					# sib
+					or_bits[4]
+
+					@b, @i = @i, @b if @s == 1 and (@i.val_enc == 4 or @b.val_enc == 5)
+
+					raise EncodeError, "Invalid ModRM #{self}" if @i.val == 4
+
+					s = {8=>3, 4=>2, 2=>1, 1=>0}[@s]
+					fu = (s << 6) | (@i.val_enc << 3) | @b.val_enc
+					fu = fu.chr if s >= 2	# rb1.9 encoding fix
+					ret << fu
+				end
+
+				imm ||= 0 if @b.val_enc == 5
+				if imm
+					case Expression.in_range?(imm, :i8)
+					when true
+						or_bits[1<<6]
+						[ret << Expression.encode_imm(imm, :i8, endianness)]
+					when false
+						or_bits[2<<6]
+						[ret << Expression.encode_imm(imm, :a32, endianness)]
+					when nil
+						rets = ret.dup
+						or_bits[1<<6]
+						ret << @imm.encode(:i8, endianness)
+						rets, ret = ret, rets	# or_bits[] modifies ret directly
+						or_bits[2<<6]
+						ret << @imm.encode(:a32, endianness)
+						[ret, rets]
+					end
+				else
+					[ret]
+				end
+			end
+		end
+	end
+
+	# returns all forms of the encoding of instruction i using opcode op
+	# program may be used to create a new label for relative jump/call
+	def encode_instr_op(program, i, op)
+		base      = op.bin.dup
+		oi        = op.args.zip(i.args)
+		set_field = lambda { |f, v|
+			fld = op.fields[f]
+			base[fld[0]] |= v << fld[1]
+		}
+
+		#
+		# handle prefixes and bit fields
+		#
+		pfx = i.prefix.map { |k, v|
+			case k
+			when :jmp;  {:jmp => 0x3e, :nojmp => 0x2e}[v]
+			when :lock; 0xf0
+			when :rep;  {'repnz' => 0xf2, 'repz' => 0xf3, 'rep' => 0xf2}[v] # TODO
+			end
+		}.compact.pack 'C*'
+		pfx << op.props[:needpfx] if op.props[:needpfx]
+
+		rex_w = rex_r = rex_x = rex_b = nil
+		if op.name == 'movsx' or op.name == 'movzx' or op.name == 'movsxd'
+			case i.args[0].sz
+			when 64; rex_w = 1
+			when 32
+			when 16; pfx << 0x66
+			end
+		else
+			opsz = op.props[:argsz] || i.prefix[:sz]
+			oi.each { |oa, ia|
+				case oa
+				when :reg, :reg_eax, :modrm, :modrmA, :mrm_imm
+					raise EncodeError, "Incompatible arg size in #{i}" if ia.sz and opsz and opsz != ia.sz
+					opsz = ia.sz
+				end
+			}
+			opsz ||= 64 if op.props[:auto64]
+			opsz = op.props[:opsz] if op.props[:opsz]	# XXX ?
+			case opsz
+			when 64; rex_w = 1 if not op.props[:auto64]
+			when 32; raise EncodeError, "Incompatible arg size in #{i}" if op.props[:auto64]
+			when 16; pfx << 0x66
+			end
+		end
+		opsz ||= @size
+
+		# addrsize override / segment override / rex_bx
+		if mrm = i.args.grep(ModRM).first
+			mrm.encode(0, @endianness) if mrm.b or mrm.i	# may reorder b/i, which must be correct for rex
+			rex_b = 1 if mrm.b and mrm.b.val_rex.to_i > 0
+			rex_x = 1 if mrm.i and mrm.i.val_rex.to_i > 0
+			pfx << 0x67 if (mrm.b and mrm.b.sz == 32) or (mrm.i and mrm.i.sz == 32) or op.props[:adsz] == 32
+			pfx << [0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65][mrm.seg.val] if mrm.seg
+		elsif op.props[:adsz] == 32
+			pfx << 0x67
+		end
+
+
+		#
+		# encode embedded arguments
+		#
+		postponed = []
+		oi.each { |oa, ia|
+			case oa
+			when :reg
+				set_field[oa, ia.val_enc]
+				if op.fields[:reg][1] == 3
+					rex_r = ia.val_rex
+				else
+					rex_b = ia.val_rex
+				end
+			when :seg3, :seg3A, :seg2, :seg2A, :eeec, :eeed, :regfp, :regxmm, :regmmx
+				set_field[oa, ia.val & 7]
+				rex_r = 1 if ia.val > 7
+				pfx << 0x66 if oa == :regmmx and op.props[:xmmx] and ia.sz == 128
+			when :imm_val1, :imm_val3, :reg_cl, :reg_eax, :reg_dx, :regfp0
+				# implicit
+			when :modrm, :modrmA, :modrmmmx, :modrmxmm
+				# postpone, but we must set rex now
+				case ia
+				when ModRM
+					ia.encode(0, @endianness)	# could swap b/i
+					rex_x = ia.i.val_rex if ia.i
+					rex_b = ia.b.val_rex if ia.b
+				when Reg
+					rex_b = ia.val_rex
+				else
+					rex_b = ia.val >> 3
+				end
+				postponed << [oa, ia]
+			else
+				postponed << [oa, ia]
+			end
+		}
+
+		if !(op.args & [:modrm, :modrmA, :modrmxmm, :modrmmmx]).empty?
+			# reg field of modrm
+			regval = (base[-1] >> 3) & 7
+			base.pop
+		end
+
+		# convert label name for jmp/call/loop to relative offset
+		if op.props[:setip] and op.name[0, 3] != 'ret' and i.args.first.kind_of? Expression
+			postlabel = program.new_label('post'+op.name)
+			target = postponed.first[1]
+			target = target.rexpr if target.kind_of? Expression and target.op == :+ and not target.lexpr
+			postponed.first[1] = Expression[target, :-, postlabel]
+		end
+
+		if rex_w == 1 or rex_r == 1 or rex_b == 1 or rex_x == 1 or i.args.grep(Reg).find { |r| r.sz == 8 and r.val >= 4 and r.val < 8 }
+			rex ||= 0x40
+			rex |= 1 if rex_b.to_i > 0
+			rex |= 2 if rex_x.to_i > 0
+			rex |= 4 if rex_r.to_i > 0
+			rex |= 8 if rex_w.to_i > 0
+		end
+		pfx << rex if rex
+		ret = EncodedData.new(pfx + base.pack('C*'))
+
+		postponed.each { |oa, ia|
+			case oa
+			when :farptr; ed = ia.encode(@endianness, "a#{opsz}".to_sym)
+			when :modrm, :modrmA, :modrmmmx, :modrmxmm
+				if ia.kind_of? ModRM
+					ed = ia.encode(regval, @endianness)
+					if ed.kind_of?(::Array)
+						if ed.length > 1
+							# we know that no opcode can have more than 1 modrm
+							ary = []
+							ed.each { |m| ary << (ret.dup << m) }
+							ret = ary
+							next
+						else
+							ed = ed.first
+						end
+					end
+				else
+					ed = ModRM.encode_reg(ia, regval)
+				end
+			when :mrm_imm; ed = ia.imm.encode("a#{op.props[:adsz] || 64}".to_sym, @endianness)
+			when :i8, :u8, :i16, :u16, :i32, :u32, :i64, :u64; ed = ia.encode(oa, @endianness)
+			when :i
+				type = (opsz == 64 ? op.props[:imm64] ? :a64 : :i32 : "#{op.props[:unsigned_imm] ? 'a' : 'i'}#{opsz}".to_sym)
+			       	ed = ia.encode(type, @endianness)
+			else raise SyntaxError, "Internal error: want to encode field #{oa.inspect} as arg in #{i}"
+			end
+
+			if ret.kind_of?(::Array)
+				ret.each { |e| e << ed }
+			else
+				ret << ed
+			end
+		}
+
+		# we know that no opcode with setip accept both modrm and immediate arg, so ret is not an ::Array
+		ret.add_export(postlabel, ret.virtsize) if postlabel
+
+		ret
+	end
+end
+end