metasm 1.0.1 → 1.0.2

data/{lib/metasm → metasm/cpu}/x86_64/main.rb

@@ -5,19 +5,27 @@
 
 
 require 'metasm/main'
-require 'metasm/ia32'
+require 'metasm/cpu/ia32'
 
 module Metasm
 
 # The x86_64, 64-bit extension of the x86 CPU (x64, em64t, amd64...)
 class X86_64 < Ia32
 	# FpReg, SegReg, Farptr unchanged
-	# XXX ST(15) ?
 
-	# Simd extended to 16 regs, xmm only (mmx gone with 80387)
+	# XMM extended to 16 regs, YMM
 	class SimdReg < Ia32::SimdReg
-		double_map  64 => (0..15).map { |n| "mm#{n}" },
-   			   128 => (0..15).map { |n| "xmm#{n}" }
+		double_map  64 => (0..7).map { |n| "mm#{n}" },
+			   128 => (0..15).map { |n| "xmm#{n}" },
+			   256 => (0..15).map { |n| "ymm#{n}" }
+
+		def val_enc
+			@val & 7
+		end
+
+		def val_rex
+			@val >> 3
+		end
 	end
 
 	# general purpose registers, all sizes
@@ -125,7 +133,7 @@ class X86_64 < Ia32
 
 	def str_to_reg(str)
 		# X86_64::Reg != Ia32::Reg
-		Reg.from_str(str) if Reg.s_to_i.has_key? str
+		Reg.s_to_i.has_key?(str) ? Reg.from_str(str) : SimdReg.s_to_i.has_key?(str) ? SimdReg.from_str(str) : nil
 	end
 
 	def shortname

data/metasm/cpu/x86_64/opcodes.rb

@@ -0,0 +1,136 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/x86_64/main'
+require 'metasm/cpu/ia32/opcodes'
+
+module Metasm
+class X86_64
+	def init_cpu_constants
+		super()
+		[:i32, :u32, :i64, :u64].each { |a| @valid_args[a] = true }
+	end
+
+	def init_386_common_only
+		super()
+		# :imm64 => accept a real int64 as :i argument
+		# :auto64 => ignore rex_w, always 64-bit op
+		# :op32no64 => if write to a 32-bit reg, dont zero the top 32-bits of dest
+		[:imm64, :auto64, :op32no64].each { |a| @valid_props[a] = true }
+		@opcode_list.delete_if { |o| o.bin[0].to_i & 0xf0 == 0x40 }	# now REX prefix
+		@opcode_list.each { |o|
+			o.props[:imm64] = true if o.bin == [0xB8]	# mov reg, <true imm64>
+			o.props[:auto64] = true if o.name =~ /^(j.*|loop.*|call|enter|leave|push|pop|ret)$/
+		}
+		addop 'movsxd', [0x63], :mrm
+		addop('cdqe', [0x98]) { |o| o.props[:opsz] = 64 }
+		addop('cqo',  [0x99]) { |o| o.props[:opsz] = 64 }
+	end
+
+	# all x86_64 cpu understand <= sse2 instrs
+	def init_x8664_only
+		init_386_common_only
+		init_386_only
+		init_387_only
+		init_486_only
+		init_pentium_only
+		init_p6_only
+		init_sse_only
+		init_sse2_only
+
+		@opcode_list.delete_if { |o|
+			o.args.include?(:seg2) or
+			o.args.include?(:seg2A) or
+			o.args.include?(:farptr) or
+			%w[aaa aad aam aas bound daa das into jcxz jecxz
+			 lds les loadall arpl pusha pushad popa
+			 popad].include?(o.name.split('.')[0])
+			 # split needed for lds.a32
+		}
+
+		@opcode_list.each { |o|
+			o.props[:auto64] = true if o.name =~ /^(enter|leave|[sl]gdt|[sl]idt|[sl]ldt|[sl]tr|push|pop|syscall)$/
+		}
+
+		addop('cmpxchg16b', [0x0F, 0xC7], 1) { |o| o.props[:opsz] = 64 ; o.props[:argsz] = 128 }
+		addop('iretq', [0xCF], nil, :stopexec, :setip) { |o| o.props[:opsz] = 64 } ; opcode_list.unshift opcode_list.pop
+		addop 'swapgs', [0x0F, 0x01, 0xF8]
+
+		addop('movq',  [0x0F, 0x6E], :mrmmmx, {:d => [1, 4]}) { |o| o.args = [:regmmx, :modrm] ; o.props[:opsz] = o.props[:argsz] = 64 }
+		addop('movq',  [0x0F, 0x6E], :mrmxmm, {:d => [1, 4]}) { |o| o.args = [:regxmm, :modrm] ; o.props[:opsz] = o.props[:argsz] = 64 ; o.props[:needpfx] = 0x66 }
+		addop('jecxz', [0xE3], nil, :setip, :i8) { |o| o.props[:adsz] = 32 }
+		addop('jrcxz', [0xE3], nil, :setip, :i8) { |o| o.props[:adsz] = 64 }
+	end
+
+	def init_sse3
+		init_x8664_only
+		init_sse3_only
+	end
+
+	def init_sse41_only
+		super()
+		addop('pextrq', [0x0F, 0x3A, 0x16], :mrmxmm, :u8) { |o| o.props[:needpfx] = 0x66; o.args[o.args.index(:modrmxmm)] = :modrm; o.props[:opsz] = o.props[:argsz] = 64 }
+		addop('pinsrq', [0x0F, 0x3A, 0x22], :mrmxmm, :u8) { |o| o.props[:needpfx] = 0x66; o.args[o.args.index(:modrmxmm)] = :modrm; o.props[:opsz] = o.props[:argsz] = 64 }
+	end
+
+	def init_avx_only
+		super()
+		addop('rdfsbase', [0x0F, 0xAE], 0, :modrmR) { |o| o.props[:needpfx] = 0xF3 }
+		addop('rdgsbase', [0x0F, 0xAE], 1, :modrmR) { |o| o.props[:needpfx] = 0xF3 }
+		addop('wrfsbase', [0x0F, 0xAE], 2, :modrmR) { |o| o.props[:needpfx] = 0xF3 }
+		addop('wrgsbase', [0x0F, 0xAE], 3, :modrmR) { |o| o.props[:needpfx] = 0xF3 }
+	end
+
+	def addop_macrostr(name, bin, type)
+		super(name, bin, type)
+		bin = bin.dup
+		bin[0] |= 1
+		addop(name+'q', bin) { |o| o.props[:opsz] = 64 ; o.props[type] = true }
+	end
+
+	def addop_macroret(name, bin, *args)
+		addop(name + '.i64', bin, nil, :stopexec, :setip, *args) { |o| o.props[:opsz] = 64 }
+		super(name, bin, *args)
+	end
+
+	def addop_post(op)
+		if op.fields[:d] or op.fields[:w] or op.fields[:s] or op.args.first == :regfp0
+			return super(op)
+		end
+
+		if op.props[:needpfx]
+			@opcode_list.unshift op
+		else
+			@opcode_list << op
+		end
+
+		if op.args == [:i] or op.name == 'ret'
+			# define opsz-override version for ambiguous opcodes
+			op16 = op.dup
+			op16.name << '.i16'
+			op16.props[:opsz] = 16
+			@opcode_list << op16
+			# push call ret jz  can't 32bit
+			op64 = op.dup
+			op64.name << '.i64'
+			op64.props[:opsz] = 64
+			@opcode_list << op64
+		elsif op.props[:strop] or op.props[:stropz] or op.args.include? :mrm_imm or
+				op.args.include? :modrm or op.name =~ /loop|xlat/
+			# define adsz-override version for ambiguous opcodes (movsq)
+			# XXX loop pfx 67 = rip+ecx, 66/rex ignored
+			op32 = op.dup
+			op32.name << '.a32'
+			op32.props[:adsz] = 32
+			@opcode_list << op32
+			op64 = op.dup
+			op64.name << '.a64'
+			op64.props[:adsz] = 64
+			@opcode_list << op64
+		end
+	end
+end
+end

data/{lib/metasm → metasm/cpu}/x86_64/parse.rb

@@ -4,8 +4,8 @@
 #    Licence is LGPL, see LICENCE in the top-level directory
 
 
-require 'metasm/x86_64/opcodes'
-require 'metasm/x86_64/encode'
+require 'metasm/cpu/x86_64/opcodes'
+require 'metasm/cpu/x86_64/encode'
 require 'metasm/parse'
 
 module Metasm
@@ -52,6 +52,8 @@ class X86_64
 		return if arg.kind_of? ModRM and ((arg.b and arg.b.val == 16 and arg.i) or (arg.i and arg.i.val == 16 and (arg.b or arg.s != 1)))
 		return if arg.kind_of? Reg and arg.sz >= 32 and arg.val == 16	# eip/rip only in modrm
 		return if o.props[:auto64] and arg.respond_to? :sz and arg.sz == 32
+		# vex c4/c5
+		return if o.fields[:vex_r] and not o.fields[:vex_b] and (spec == :modrm or spec == :modrmxmm or spec == :modrmymm) and (((arg.kind_of?(SimdReg) or arg.kind_of?(Reg)) and arg.val >= 8) or (arg.kind_of?(ModRM) and ((arg.b and arg.b.val >= 8) or (arg.i and arg.i.val >= 8))))
 		if o.name == 'movsxd'
 			return if not arg.kind_of? Reg and not arg.kind_of? ModRM
 			arg.sz ||= 32
@@ -62,7 +64,13 @@ class X86_64
 				return arg.sz == 32
 			end
 		end
+		return if o.name == 'xchg' and spec == :reg and o.args.include?(:reg_eax) and arg.kind_of?(Reg) and arg.sz == 32 and arg.val == 0
+
 		super(o, spec, arg)
 	end
+
+	def check_reserved_name(name)
+		Reg.s_to_i[name]
+	end
 end
 end

data/metasm/cpu/x86_64/render.rb

@@ -0,0 +1,35 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/x86_64/opcodes'
+require 'metasm/render'
+
+module Metasm
+class X86_64
+	def gui_hilight_word_regexp_init
+		ret = {}
+
+		%w[a b c d].each { |r|
+			ret["#{r}l"] = "[re]?#{r}x|#{r}l"
+			ret["#{r}h"] = "[re]?#{r}x|#{r}h"
+			ret["#{r}x"] = ret["e#{r}x"] = ret["r#{r}x"] = "[re]?#{r}x|#{r}[hl]"
+		}
+
+		%w[sp bp si di].each { |r|
+			ret["#{r}l"] = ret[r] = ret["e#{r}"] = ret["r#{r}"] = "[re]?#{r}|#{r}l"
+		}
+
+		(8..15).each { |i|
+			r = "r#{i}"
+			ret[r+'b'] = ret[r+'w'] = ret[r+'d'] = ret[r] = "#{r}[bwd]?"
+		}
+
+		ret['eip'] = ret['rip'] = '[re]ip'
+
+		ret
+	end
+end
+end

data/metasm/cpu/z80.rb

@@ -0,0 +1,9 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/main'
+require 'metasm/cpu/z80/decode'
+require 'metasm/cpu/z80/render'

data/metasm/cpu/z80/decode.rb

@@ -0,0 +1,313 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/z80/opcodes'
+require 'metasm/decode'
+
+module Metasm
+class Z80
+	def build_opcode_bin_mask(op)
+		# bit = 0 if can be mutated by an field value, 1 if fixed by opcode
+		op.bin_mask = Array.new(op.bin.length, 0)
+		op.fields.each { |f, (oct, off)|
+			op.bin_mask[oct] |= (@fields_mask[f] << off)
+		}
+		op.bin_mask.map! { |v| 255 ^ v }
+	end
+
+	def build_bin_lookaside
+		# sets up a hash byte value => list of opcodes that may match
+		# opcode.bin_mask is built here
+		lookaside = Array.new(256) { [] }
+		opcode_list.each { |op|
+			build_opcode_bin_mask op
+			b   = op.bin[0]
+			msk = op.bin_mask[0]
+			next @unknown_opcode = op if not b
+			for i in b..(b | (255^msk))
+				lookaside[i] << op if i & msk == b & msk
+			end
+		}
+		lookaside
+	end
+
+	def decode_prefix(instr, byte)
+		case byte
+		when 0xDD; instr.prefix = 0xDD
+		when 0xFD; instr.prefix = 0xFD
+		# implicit 'else return false'
+		end
+	end
+
+	# tries to find the opcode encoded at edata.ptr
+	# if no match, tries to match a prefix (update di.instruction.prefix)
+	# on match, edata.ptr points to the first byte of the opcode (after prefixes)
+	def decode_findopcode(edata)
+		di = DecodedInstruction.new self
+		while edata.ptr < edata.data.length
+			byte = edata.data[edata.ptr]
+			byte = byte.unpack('C').first if byte.kind_of?(::String)
+			return di if di.opcode = @bin_lookaside[byte].find { |op|
+				# fetch the relevant bytes from edata
+				bseq = edata.data[edata.ptr, op.bin.length].unpack('C*')
+				# check against full opcode mask
+				op.bin.zip(bseq, op.bin_mask).all? { |b1, b2, m| b2 and ((b1 & m) == (b2 & m)) }
+			}
+
+			if decode_prefix(di.instruction, edata.get_byte)
+				nb = edata.data[edata.ptr]
+				nb = nb.unpack('C').first if nb.kind_of?(::String)
+				case nb
+				when 0xCB
+					# DD CB <disp8> <opcode_pfxCB> [<args>]
+					di.instruction.prefix |= edata.get_byte	<< 8
+					di.bin_length += 2
+					opc = edata.data[edata.ptr+1]
+					opc = opc.unpack('C').first if opc.kind_of?(::String)
+					bseq = [0xCB, opc]
+					# XXX in decode_instr_op, byte[0] is the immediate displacement instead of cb
+					return di if di.opcode = @bin_lookaside[nb].find { |op|
+						op.bin.zip(bseq, op.bin_mask).all? { |b1, b2, m| b2 and ((b1 & m) == (b2 & m)) }
+					}
+				when 0xED
+					di.instruction.prefix = nil
+				end
+			else
+				di.opcode = @unknown_opcode
+				return di
+			end
+			di.bin_length += 1
+		end
+	end
+
+
+	def decode_instr_op(edata, di)
+		before_ptr = edata.ptr
+		op = di.opcode
+		di.instruction.opname = op.name
+		bseq = edata.read(op.bin.length).unpack('C*')		# decode_findopcode ensures that data >= op.length
+		pfx = di.instruction.prefix
+
+		field_val = lambda { |f|
+			if fld = op.fields[f]
+				(bseq[fld[0]] >> fld[1]) & @fields_mask[f]
+			end
+		}
+
+		op.args.each { |a|
+			di.instruction.args << case a
+			when :i8, :u8, :i16, :u16; Expression[edata.decode_imm(a, @endianness)]
+			when :iy; Expression[field_val[a]]
+			when :iy8; Expression[field_val[a]*8]
+
+			when :rp
+				v = field_val[a]
+				Reg.new(16, v)
+			when :rp2
+				v = field_val[a]
+				v = 4 if v == 3
+				Reg.new(16, v)
+			when :ry, :rz
+				v = field_val[a]
+				if v == 6
+					Memref.new(Reg.from_str('HL'), nil, 1)
+				else
+					Reg.new(8, v)
+				end
+
+			when :r_a;   Reg.from_str('A')
+			when :r_af;  Reg.from_str('AF')
+			when :r_hl;  Reg.from_str('HL')
+			when :r_de;  Reg.from_str('DE')
+			when :r_sp;  Reg.from_str('SP')
+			when :r_i;   Reg.from_str('I')
+
+			when :m16;  Memref.new(nil, edata.decode_imm(:u16, @endianness), nil)
+			when :m_bc; Memref.new(Reg.from_str('BC'), nil, 1)
+			when :m_de; Memref.new(Reg.from_str('DE'), nil, 1)
+			when :m_sp; Memref.new(Reg.from_str('SP'), nil, 2)
+			when :m_hl; Memref.new(Reg.from_str('HL'), nil, 1)
+			when :mf8;  Memref.new(nil, 0xff00 + edata.decode_imm(:u8, @endianness), 1)
+			when :mfc;  Memref.new(Reg.from_str('C'), 0xff00, 1)
+
+			else raise SyntaxError, "Internal error: invalid argument #{a} in #{op.name}"
+			end
+		}
+
+		case pfx
+		when 0xDD
+		when 0xFD
+		when 0xCBDD
+		when 0xCBFD
+		end
+
+		di.bin_length += edata.ptr - before_ptr
+
+		return if edata.ptr > edata.length
+
+		di
+	end
+
+	# hash opcode_name => lambda { |dasm, di, *symbolic_args| instr_binding }
+	def backtrace_binding
+		@backtrace_binding ||= init_backtrace_binding
+	end
+	def backtrace_binding=(b) @backtrace_binding = b end
+
+	# populate the @backtrace_binding hash with default values
+	def init_backtrace_binding
+		@backtrace_binding ||= {}
+
+		mask = 0xffff
+
+		opcode_list.map { |ol| ol.basename }.uniq.sort.each { |op|
+			binding = case op
+			when 'ld'; lambda { |di, a0, a1, *aa| a2 = aa[0] ; a2 ? { a0 => Expression[a1, :+, a2] } : { a0 => Expression[a1] } }
+			when 'ldi'; lambda { |di, a0, a1| hl = (a0 == :a ? a1 : a0) ; { a0 => Expression[a1], hl => Expression[hl, :+, 1] } }
+			when 'ldd'; lambda { |di, a0, a1| hl = (a0 == :a ? a1 : a0) ; { a0 => Expression[a1], hl => Expression[hl, :-, 1] } }
+			when 'add', 'adc', 'sub', 'sbc', 'and', 'xor', 'or'
+				lambda { |di, a0, a1|
+					e_op = { 'add' => :+, 'adc' => :+, 'sub' => :-, 'sbc' => :-, 'and' => :&, 'xor' => :^, 'or' => :| }[op]
+					ret = Expression[a0, e_op, a1]
+					ret = Expression[ret, e_op, :flag_c] if op == 'adc' or op == 'sbc'
+					ret = Expression[ret.reduce] if not a0.kind_of? Indirection
+					{ a0 => ret }
+				}
+			when 'cp', 'cmp'; lambda { |di, *a| {} }
+			when 'inc'; lambda { |di, a0| { a0 => Expression[a0, :+, 1] } }
+			when 'dec'; lambda { |di, a0| { a0 => Expression[a0, :-, 1] } }
+			when 'not'; lambda { |di, a0| { a0 => Expression[a0, :^, mask] } }
+			when 'push'
+				lambda { |di, a0| { :sp => Expression[:sp, :-, 2],
+					Indirection[:sp, 2, di.address] => Expression[a0] } }
+			when 'pop'
+				lambda { |di, a0| { :sp => Expression[:sp, :+, 2],
+					a0 => Indirection[:sp, 2, di.address] } }
+			when 'call'
+				lambda { |di, a0| { :sp => Expression[:sp, :-, 2],
+					  Indirection[:sp, 2, di.address] => Expression[di.next_addr] }
+				}
+			when 'ret', 'reti'; lambda { |di, *a| { :sp => Expression[:sp, :+, 2] } }
+			# TODO callCC, retCC ...
+			when 'bswap'
+				lambda { |di, a0| { a0 => Expression[
+						[[a0, :&, 0xff00], :>>,  8], :|,
+						[[a0, :&, 0x00ff], :<<,  8]] } }
+			when 'nop', /^j/; lambda { |di, *a| {} }
+			end
+
+			# TODO flags ?
+
+			@backtrace_binding[op] ||= binding if binding
+		}
+		@backtrace_binding
+	end
+
+	def get_backtrace_binding(di)
+		a = di.instruction.args.map { |arg|
+			case arg
+			when Memref, Reg; arg.symbolic(di)
+			else arg
+			end
+		}
+
+		if binding = backtrace_binding[di.opcode.basename]
+			binding[di, *a]
+		else
+			puts "unhandled instruction to backtrace: #{di}" if $VERBOSE
+			# assume nothing except the 1st arg is modified
+			case a[0]
+			when Indirection, Symbol; { a[0] => Expression::Unknown }
+			when Expression; (x = a[0].externals.first) ? { x => Expression::Unknown } : {}
+			else {}
+			end.update(:incomplete_binding => Expression[1])
+		end
+	end
+
+	# patch a forward binding from the backtrace binding
+	def fix_fwdemu_binding(di, fbd)
+		case di.opcode.name
+		when 'push', 'call'; fbd[Indirection[[:sp, :-, 2], 2]] = fbd.delete(Indirection[:sp, 2])
+		end
+		fbd
+	end
+
+	def get_xrefs_x(dasm, di)
+		return [] if not di.opcode.props[:setip]
+
+		case di.opcode.basename
+		when 'ret', 'reti'
+			return [Indirection[:sp, 2, di.address]]
+		when /^jr|^djnz/
+			# jmp/call are absolute addrs, only jr/djnz are relative
+			# also, the asm source should display the relative offset
+			return [Expression[[di.address, :+, di.bin_length], :+, di.instruction.args.first]]
+		end
+
+		case tg = di.instruction.args.first
+		when Memref; [Expression[tg.symbolic(di)]]
+		when Reg; [Expression[tg.symbolic(di)]]
+		when Expression, ::Integer; [Expression[tg]]
+		else
+			puts "unhandled setip at #{di.address} #{di.instruction}" if $DEBUG
+			[]
+		end
+	end
+
+	# checks if expr is a valid return expression matching the :saveip instruction
+	def backtrace_is_function_return(expr, di=nil)
+		expr = Expression[expr].reduce_rec
+		expr.kind_of?(Indirection) and expr.len == 2 and expr.target == Expression[:sp]
+	end
+
+	# updates the function backtrace_binding
+	# if the function is big and no specific register is given, do nothing (the binding will be lazily updated later, on demand)
+	def backtrace_update_function_binding(dasm, faddr, f, retaddrlist, *wantregs)
+		b = f.backtrace_binding
+
+		bt_val = lambda { |r|
+			next if not retaddrlist
+			b[r] = Expression::Unknown
+			bt = []
+			retaddrlist.each { |retaddr|
+				bt |= dasm.backtrace(Expression[r], retaddr, :include_start => true,
+					     :snapshot_addr => faddr, :origin => retaddr)
+			}
+			if bt.length != 1
+				b[r] = Expression::Unknown
+			else
+				b[r] = bt.first
+			end
+		}
+
+		if not wantregs.empty?
+			wantregs.each(&bt_val)
+		else
+			bt_val[:sp]
+		end
+
+		b
+	end
+
+	# returns true if the expression is an address on the stack
+	def backtrace_is_stack_address(expr)
+		Expression[expr].expr_externals.include?(:sp)
+	end
+
+	# updates an instruction's argument replacing an expression with another (eg label renamed)
+	def replace_instr_arg_immediate(i, old, new)
+		i.args.map! { |a|
+			case a
+			when Expression; a == old ? new : Expression[a.bind(old => new).reduce]
+			when Memref
+				a.offset = (a.offset == old ? new : Expression[a.offset.bind(old => new).reduce]) if a.offset
+				a
+			else a
+			end
+		}
+	end
+end
+end