RubyGems - metasm - Versions diffs - 1.0.1 → 1.0.2 - Mend

metasm 1.0.1 → 1.0.2

Files changed (235) hide show

checksums.yaml +7 -0
data/.gitignore +1 -0
data/.hgtags +3 -0
data/Gemfile +1 -0
data/INSTALL +61 -0
data/LICENCE +458 -0
data/README +29 -21
data/Rakefile +10 -0
data/TODO +10 -12
data/doc/code_organisation.txt +2 -0
data/doc/core/DynLdr.txt +247 -0
data/doc/core/ExeFormat.txt +43 -0
data/doc/core/Expression.txt +220 -0
data/doc/core/GNUExports.txt +27 -0
data/doc/core/Ia32.txt +236 -0
data/doc/core/SerialStruct.txt +108 -0
data/doc/core/VirtualString.txt +145 -0
data/doc/core/WindowsExports.txt +61 -0
data/doc/core/index.txt +1 -0
data/doc/style.css +6 -3
data/doc/usage/debugger.txt +327 -0
data/doc/usage/index.txt +1 -0
data/doc/use_cases.txt +2 -2
data/metasm.gemspec +22 -0
data/{lib/metasm.rb → metasm.rb} +11 -3
data/{lib/metasm → metasm}/compile_c.rb +13 -7
data/metasm/cpu/arc.rb +8 -0
data/metasm/cpu/arc/decode.rb +425 -0
data/metasm/cpu/arc/main.rb +191 -0
data/metasm/cpu/arc/opcodes.rb +588 -0
data/{lib/metasm → metasm/cpu}/arm.rb +7 -5
data/{lib/metasm → metasm/cpu}/arm/debug.rb +2 -2
data/{lib/metasm → metasm/cpu}/arm/decode.rb +13 -12
data/{lib/metasm → metasm/cpu}/arm/encode.rb +23 -8
data/{lib/metasm → metasm/cpu}/arm/main.rb +0 -3
data/metasm/cpu/arm/opcodes.rb +324 -0
data/{lib/metasm → metasm/cpu}/arm/parse.rb +25 -13
data/{lib/metasm → metasm/cpu}/arm/render.rb +2 -2
data/metasm/cpu/arm64.rb +15 -0
data/metasm/cpu/arm64/debug.rb +38 -0
data/metasm/cpu/arm64/decode.rb +289 -0
data/metasm/cpu/arm64/encode.rb +41 -0
data/metasm/cpu/arm64/main.rb +105 -0
data/metasm/cpu/arm64/opcodes.rb +232 -0
data/metasm/cpu/arm64/parse.rb +20 -0
data/metasm/cpu/arm64/render.rb +95 -0
data/{lib/metasm/ppc.rb → metasm/cpu/bpf.rb} +2 -4
data/metasm/cpu/bpf/decode.rb +142 -0
data/metasm/cpu/bpf/main.rb +60 -0
data/metasm/cpu/bpf/opcodes.rb +81 -0
data/metasm/cpu/bpf/render.rb +41 -0
data/metasm/cpu/cy16.rb +9 -0
data/metasm/cpu/cy16/decode.rb +253 -0
data/metasm/cpu/cy16/main.rb +63 -0
data/metasm/cpu/cy16/opcodes.rb +78 -0
data/metasm/cpu/cy16/render.rb +41 -0
data/metasm/cpu/dalvik.rb +11 -0
data/{lib/metasm → metasm/cpu}/dalvik/decode.rb +35 -13
data/{lib/metasm → metasm/cpu}/dalvik/main.rb +51 -2
data/{lib/metasm → metasm/cpu}/dalvik/opcodes.rb +19 -11
data/metasm/cpu/ia32.rb +17 -0
data/{lib/metasm → metasm/cpu}/ia32/compile_c.rb +5 -7
data/{lib/metasm → metasm/cpu}/ia32/debug.rb +5 -5
data/{lib/metasm → metasm/cpu}/ia32/decode.rb +246 -59
data/{lib/metasm → metasm/cpu}/ia32/decompile.rb +7 -7
data/{lib/metasm → metasm/cpu}/ia32/encode.rb +19 -13
data/{lib/metasm → metasm/cpu}/ia32/main.rb +51 -8
data/metasm/cpu/ia32/opcodes.rb +1424 -0
data/{lib/metasm → metasm/cpu}/ia32/parse.rb +47 -16
data/{lib/metasm → metasm/cpu}/ia32/render.rb +31 -4
data/metasm/cpu/mips.rb +14 -0
data/{lib/metasm → metasm/cpu}/mips/compile_c.rb +1 -1
data/metasm/cpu/mips/debug.rb +42 -0
data/{lib/metasm → metasm/cpu}/mips/decode.rb +46 -16
data/{lib/metasm → metasm/cpu}/mips/encode.rb +4 -3
data/{lib/metasm → metasm/cpu}/mips/main.rb +11 -4
data/{lib/metasm → metasm/cpu}/mips/opcodes.rb +86 -17
data/{lib/metasm → metasm/cpu}/mips/parse.rb +1 -1
data/{lib/metasm → metasm/cpu}/mips/render.rb +1 -1
data/{lib/metasm/dalvik.rb → metasm/cpu/msp430.rb} +1 -1
data/metasm/cpu/msp430/decode.rb +247 -0
data/metasm/cpu/msp430/main.rb +62 -0
data/metasm/cpu/msp430/opcodes.rb +101 -0
data/{lib/metasm → metasm/cpu}/pic16c/decode.rb +6 -7
data/{lib/metasm → metasm/cpu}/pic16c/main.rb +0 -0
data/{lib/metasm → metasm/cpu}/pic16c/opcodes.rb +1 -1
data/{lib/metasm/mips.rb → metasm/cpu/ppc.rb} +4 -4
data/{lib/metasm → metasm/cpu}/ppc/decode.rb +18 -12
data/{lib/metasm → metasm/cpu}/ppc/decompile.rb +3 -3
data/{lib/metasm → metasm/cpu}/ppc/encode.rb +2 -2
data/{lib/metasm → metasm/cpu}/ppc/main.rb +17 -12
data/{lib/metasm → metasm/cpu}/ppc/opcodes.rb +11 -5
data/metasm/cpu/ppc/parse.rb +55 -0
data/metasm/cpu/python.rb +8 -0
data/metasm/cpu/python/decode.rb +136 -0
data/metasm/cpu/python/main.rb +36 -0
data/metasm/cpu/python/opcodes.rb +180 -0
data/{lib/metasm → metasm/cpu}/sh4.rb +1 -1
data/{lib/metasm → metasm/cpu}/sh4/decode.rb +48 -17
data/{lib/metasm → metasm/cpu}/sh4/main.rb +13 -4
data/{lib/metasm → metasm/cpu}/sh4/opcodes.rb +7 -8
data/metasm/cpu/x86_64.rb +15 -0
data/{lib/metasm → metasm/cpu}/x86_64/compile_c.rb +28 -17
data/{lib/metasm → metasm/cpu}/x86_64/debug.rb +4 -4
data/{lib/metasm → metasm/cpu}/x86_64/decode.rb +57 -15
data/{lib/metasm → metasm/cpu}/x86_64/encode.rb +55 -26
data/{lib/metasm → metasm/cpu}/x86_64/main.rb +14 -6
data/metasm/cpu/x86_64/opcodes.rb +136 -0
data/{lib/metasm → metasm/cpu}/x86_64/parse.rb +10 -2
data/metasm/cpu/x86_64/render.rb +35 -0
data/metasm/cpu/z80.rb +9 -0
data/metasm/cpu/z80/decode.rb +313 -0
data/metasm/cpu/z80/main.rb +67 -0
data/metasm/cpu/z80/opcodes.rb +224 -0
data/metasm/cpu/z80/render.rb +59 -0
data/{lib/metasm/os/main.rb → metasm/debug.rb} +160 -401
data/{lib/metasm → metasm}/decode.rb +35 -4
data/{lib/metasm → metasm}/decompile.rb +15 -16
data/{lib/metasm → metasm}/disassemble.rb +201 -45
data/{lib/metasm → metasm}/disassemble_api.rb +651 -87
data/{lib/metasm → metasm}/dynldr.rb +220 -133
data/{lib/metasm → metasm}/encode.rb +10 -1
data/{lib/metasm → metasm}/exe_format/a_out.rb +9 -6
data/{lib/metasm → metasm}/exe_format/autoexe.rb +1 -0
data/{lib/metasm → metasm}/exe_format/bflt.rb +57 -27
data/{lib/metasm → metasm}/exe_format/coff.rb +11 -3
data/{lib/metasm → metasm}/exe_format/coff_decode.rb +53 -20
data/{lib/metasm → metasm}/exe_format/coff_encode.rb +11 -13
data/{lib/metasm → metasm}/exe_format/dex.rb +13 -5
data/{lib/metasm → metasm}/exe_format/dol.rb +1 -0
data/{lib/metasm → metasm}/exe_format/elf.rb +93 -57
data/{lib/metasm → metasm}/exe_format/elf_decode.rb +143 -34
data/{lib/metasm → metasm}/exe_format/elf_encode.rb +122 -31
data/metasm/exe_format/gb.rb +65 -0
data/metasm/exe_format/javaclass.rb +424 -0
data/{lib/metasm → metasm}/exe_format/macho.rb +204 -16
data/{lib/metasm → metasm}/exe_format/main.rb +26 -3
data/{lib/metasm → metasm}/exe_format/mz.rb +1 -0
data/{lib/metasm → metasm}/exe_format/nds.rb +7 -4
data/{lib/metasm → metasm}/exe_format/pe.rb +71 -8
data/metasm/exe_format/pyc.rb +167 -0
data/{lib/metasm → metasm}/exe_format/serialstruct.rb +67 -14
data/{lib/metasm → metasm}/exe_format/shellcode.rb +7 -3
data/metasm/exe_format/shellcode_rwx.rb +114 -0
data/metasm/exe_format/swf.rb +205 -0
data/{lib/metasm → metasm}/exe_format/xcoff.rb +7 -7
data/metasm/exe_format/zip.rb +335 -0
data/metasm/gui.rb +13 -0
data/{lib/metasm → metasm}/gui/cstruct.rb +35 -41
data/{lib/metasm → metasm}/gui/dasm_coverage.rb +11 -11
data/{lib/metasm → metasm}/gui/dasm_decomp.rb +7 -20
data/{lib/metasm → metasm}/gui/dasm_funcgraph.rb +0 -0
data/metasm/gui/dasm_graph.rb +1695 -0
data/{lib/metasm → metasm}/gui/dasm_hex.rb +12 -8
data/{lib/metasm → metasm}/gui/dasm_listing.rb +43 -28
data/{lib/metasm → metasm}/gui/dasm_main.rb +310 -53
data/{lib/metasm → metasm}/gui/dasm_opcodes.rb +5 -19
data/{lib/metasm → metasm}/gui/debug.rb +93 -27
data/{lib/metasm → metasm}/gui/gtk.rb +162 -40
data/{lib/metasm → metasm}/gui/qt.rb +12 -2
data/{lib/metasm → metasm}/gui/win32.rb +179 -42
data/{lib/metasm → metasm}/gui/x11.rb +59 -59
data/{lib/metasm → metasm}/main.rb +389 -264
data/{lib/metasm/os/remote.rb → metasm/os/gdbremote.rb} +146 -54
data/{lib/metasm → metasm}/os/gnu_exports.rb +1 -1
data/{lib/metasm → metasm}/os/linux.rb +628 -151
data/metasm/os/main.rb +330 -0
data/{lib/metasm → metasm}/os/windows.rb +132 -42
data/{lib/metasm → metasm}/os/windows_exports.rb +141 -0
data/{lib/metasm → metasm}/parse.rb +26 -24
data/{lib/metasm → metasm}/parse_c.rb +221 -116
data/{lib/metasm → metasm}/preprocessor.rb +55 -40
data/{lib/metasm → metasm}/render.rb +14 -38
data/misc/hexdump.rb +2 -1
data/misc/lint.rb +58 -0
data/misc/txt2html.rb +9 -7
data/samples/bindiff.rb +3 -4
data/samples/dasm-plugins/bindiff.rb +15 -0
data/samples/dasm-plugins/bookmark.rb +133 -0
data/samples/dasm-plugins/c_constants.rb +57 -0
data/samples/dasm-plugins/colortheme_solarized.rb +125 -0
data/samples/dasm-plugins/cppobj_funcall.rb +60 -0
data/samples/dasm-plugins/dasm_all.rb +70 -0
data/samples/dasm-plugins/demangle_cpp.rb +31 -0
data/samples/dasm-plugins/deobfuscate.rb +251 -0
data/samples/dasm-plugins/dump_text.rb +35 -0
data/samples/dasm-plugins/export_graph_svg.rb +86 -0
data/samples/dasm-plugins/findgadget.rb +75 -0
data/samples/dasm-plugins/hl_opcode.rb +32 -0
data/samples/dasm-plugins/hotfix_gtk_dbg.rb +19 -0
data/samples/dasm-plugins/imm2off.rb +34 -0
data/samples/dasm-plugins/match_libsigs.rb +93 -0
data/samples/dasm-plugins/patch_file.rb +95 -0
data/samples/dasm-plugins/scanfuncstart.rb +36 -0
data/samples/dasm-plugins/scanxrefs.rb +26 -0
data/samples/dasm-plugins/selfmodify.rb +197 -0
data/samples/dasm-plugins/stringsxrefs.rb +28 -0
data/samples/dasmnavig.rb +1 -1
data/samples/dbg-apihook.rb +24 -9
data/samples/dbg-plugins/heapscan.rb +283 -0
data/samples/dbg-plugins/heapscan/compiled_heapscan_lin.c +155 -0
data/samples/dbg-plugins/heapscan/compiled_heapscan_win.c +128 -0
data/samples/dbg-plugins/heapscan/graphheap.rb +616 -0
data/samples/dbg-plugins/heapscan/heapscan.rb +709 -0
data/samples/dbg-plugins/heapscan/winheap.h +174 -0
data/samples/dbg-plugins/heapscan/winheap7.h +307 -0
data/samples/dbg-plugins/trace_func.rb +214 -0
data/samples/disassemble-gui.rb +35 -5
data/samples/disassemble.rb +31 -6
data/samples/dump_upx.rb +24 -12
data/samples/dynamic_ruby.rb +12 -3
data/samples/exeencode.rb +6 -5
data/samples/factorize-headers-peimports.rb +1 -1
data/samples/lindebug.rb +175 -381
data/samples/metasm-shell.rb +1 -2
data/samples/peldr.rb +2 -2
data/tests/all.rb +1 -1
data/tests/arc.rb +26 -0
data/tests/dynldr.rb +22 -4
data/tests/expression.rb +55 -0
data/tests/graph_layout.rb +285 -0
data/tests/ia32.rb +79 -26
data/tests/mips.rb +9 -2
data/tests/x86_64.rb +66 -18
metadata +330 -218
data/lib/metasm/arm/opcodes.rb +0 -177
data/lib/metasm/gui.rb +0 -23
data/lib/metasm/gui/dasm_graph.rb +0 -1354
data/lib/metasm/ia32.rb +0 -14
data/lib/metasm/ia32/opcodes.rb +0 -873
data/lib/metasm/ppc/parse.rb +0 -52
data/lib/metasm/x86_64.rb +0 -12
data/lib/metasm/x86_64/opcodes.rb +0 -118
data/samples/gdbclient.rb +0 -583
data/samples/rubstop.rb +0 -399

data/{lib/metasm → metasm}/exe_format/pe.rb RENAMED

@@ -215,7 +215,7 @@ EOS
 	# TODO seh prototype (args => context)
 	# TODO hook on (non)resolution of :w xref
 	def get_xrefs_x(dasm, di)
-		if @cpu.shortname =~ /ia32|x64/ and a = di.instruction.args.first and a.kind_of? Ia32::ModRM and a.seg and a.seg.val == 4 and
+		if @cpu.shortname =~ /^ia32|^x64/ and a = di.instruction.args.first and a.kind_of?(Ia32::ModRM) and a.seg and a.seg.val == 4 and
 				w = get_xrefs_rw(dasm, di).find { |type, ptr, len| type == :w and ptr.externals.include? 'segment_base_fs' } and
 				dasm.backtrace(Expression[w[1], :-, 'segment_base_fs'], di.address).to_a.include?(Expression[0])
 			sehptr = w[1]
@@ -225,7 +225,7 @@ EOS
 			puts "backtrace seh from #{di} => #{a.map { |addr| Expression[addr] }.join(', ')}" if $VERBOSE
 			a.each { |aa|
 				next if aa == Expression::Unknown
-				l = dasm.auto_label_at(aa, 'seh', 'loc', 'sub')
+				dasm.auto_label_at(aa, 'seh', 'loc', 'sub')
 				dasm.addrs_todo << [aa]
 			}
 			super(dasm, di)
@@ -243,17 +243,19 @@ EOS
 			old_cp = d.c_parser
 			d.c_parser = nil
 			d.parse_c '__stdcall void *GetProcAddress(int, char *);'
-			d.c_parser.lexer.define_weak('__MS_X86_64_ABI__') if @cpu.kind_of? X86_64
+			d.parse_c '__stdcall void ExitProcess(int) __attribute__((noreturn));'
+			d.c_parser.lexer.define_weak('__MS_X86_64_ABI__') if @cpu.shortname == 'x64'
 			gpa = @cpu.decode_c_function_prototype(d.c_parser, 'GetProcAddress')
+			epr = @cpu.decode_c_function_prototype(d.c_parser, 'ExitProcess')
 			d.c_parser = old_cp
 			d.parse_c ''
-			d.c_parser.lexer.define_weak('__MS_X86_64_ABI__') if @cpu.kind_of? X86_64
+			d.c_parser.lexer.define_weak('__MS_X86_64_ABI__') if @cpu.shortname == 'x64'
 			@getprocaddr_unknown = []
 			gpa.btbind_callback = lambda { |dasm, bind, funcaddr, calladdr, expr, origin, maxdepth|
 				break bind if @getprocaddr_unknown.include? [dasm, calladdr] or not Expression[expr].externals.include? :eax
 				sz = @cpu.size/8
 				break bind if not dasm.decoded[calladdr]
-				if @cpu.kind_of? X86_64
+				if @cpu.shortname == 'x64'
 					arg2 = :rdx
 				else
 					arg2 = Indirection[[:esp, :+, 2*sz], sz, calladdr]
@@ -268,6 +270,7 @@ EOS
 				bind
 			}
 			d.function[Expression['GetProcAddress']] = gpa
+			d.function[Expression['ExitProcess']] = epr
 			d.function[:default] = @cpu.disassembler_default_func
 		end
 		d
@@ -294,6 +297,62 @@ EOS
 		} if export
 		syms
 	end
+	# compute the pe-sha1 or pe-sha256 of the binary
+	# argument should be a Digest::SHA1 (from digest/sha1) or a Digest::SHA256 (from digest/sha2)
+	# returns the hex checksum
+	def pehash(digest)
+		off0 = 0
+		off1 = @coff_offset + @header.sizeof(self) + @optheader.offsetof(self, :checksum)
+		dir_ct_idx = DIRECTORIES.index('certificate_table')
+		if @optheader.numrva > dir_ct_idx
+			off2 = @coff_offset + @header.sizeof(self) + @optheader.sizeof(self) + 8*dir_ct_idx
+			ct_size = @encoded.data[off2, 8].unpack('V*')[1]
+			off3 = @encoded.length - ct_size
+		else
+			off4 = @encoded.length
+		end
+		digest << @encoded.data[off0 ... off1].to_str
+		digest << @encoded.data[off1+4 ... off2].to_str if off2
+		digest << @encoded.data[off2+8 ... off3].to_str if off2 and off3 > off2+8
+		digest << @encoded.data[off1+4 ... off4].to_str if off4
+		digest << ("\0" * (8 - (@encoded.length & 7))) if @encoded.length & 7 != 0
+		digest.hexdigest
+	end
+	def self.pehash(path, digest)
+		decode_file_header(path).pehash(digest)
+	end
+	# compute Mandiant "importhash"
+	def imphash
+		lst = []
+		@imports.each { |id|
+			ln = id.libname.downcase.sub(/.(dll|sys|ocx)$/, '')
+			id.imports.each { |i|
+				if not i.name and ordtable = WindowsExports::IMPORT_HASH[ln]
+					iname = ordtable[i.ordinal]
+				else
+					iname = i.name
+				end
+				iname ||= "ord#{i.ordinal}"
+				lst << "#{ln}.#{iname}"
+			}
+		}
+		require 'digest/md5'
+		Digest::MD5.hexdigest(lst.join(',').downcase)
+	end
+	def self.imphash(path)
+		pe = decode_file_header(path)
+		pe.decode_imports
+		pe.imphash
+	end
 end
 # an instance of a PE file, loaded in memory
@@ -312,7 +371,7 @@ class LoadedPE < PE
 	# reads a loaded PE from memory, returns a PE object
 	# dumps the header, optheader and all sections ; try to rebuild IAT (#memdump_imports)
-	def self.memdump(memory, baseaddr, entrypoint = nil, iat_p=nil)
+	def self.memdump(memory, baseaddr, entrypoint=nil, iat_p=nil)
 		loaded = LoadedPE.load memory[baseaddr, 0x1000_0000]
 		loaded.load_address = baseaddr
 		loaded.decode
@@ -372,7 +431,6 @@ class LoadedPE < PE
 			else
 				# read imported pointer from the import structure
 				while not ptr = imports.first.iat.shift
-					load_dll = nil
 					imports.shift
 					break if imports.empty?
 					iat_p = imports.first.iat_p
@@ -415,6 +473,7 @@ class LoadedPE < PE
 					puts 'unknown ptr %x' % ptr if $DEBUG
 					# allow holes in the unk_iat_p table
 					break if not unk_iat_p or failcnt > 4
+					loaded_dll = nil
 					failcnt += 1
 					next
 				end
@@ -422,7 +481,7 @@ class LoadedPE < PE
 			end
 			# dumped last importdirectory is correct, append the import field
- 			i = ImportDirectory::Import.new
+			i = ImportDirectory::Import.new
 			if e.name
 				puts e.name if $DEBUG
 				i.name = e.name
@@ -433,5 +492,9 @@ class LoadedPE < PE
 			dump.imports.last.imports << i
 		end
 	end
+	def pehash(digest)
+		raise "cannot compute a PEhash from memory image"
+	end
 end
 end

data/metasm/exe_format/pyc.rb ADDED

@@ -0,0 +1,167 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+require 'metasm/exe_format/main'
+require 'metasm/encode'
+require 'metasm/decode'
+module Metasm
+# Python preparsed module (.pyc)
+class PYC < ExeFormat
+	# 1 magic per python version...
+	# file = MAGIC(u16) \r \n timestamp(u32) data
+	MAGICS = [
+		62211 # 62211 = python2.7a0
+	]
+	class Header < SerialStruct
+		half :version
+		half :rn
+		word :timestamp
+	end
+	def decode_half(edata=@encoded) edata.decode_imm(:u16, @endianness) end
+	def decode_word(edata=@encoded) edata.decode_imm(:u32, @endianness) end
+	def decode_long(edata=@encoded) edata.decode_imm(:i32, @endianness) end
+	def sizeof_half ; 2 ; end
+	def sizeof_word ; 4 ; end
+	def sizeof_long ; 4 ; end
+	# file header
+	attr_accessor :header
+	# the marshalled object
+	attr_accessor :root
+	# list of all code objects
+	attr_accessor :all_code
+	def initialize()
+		@endianness = :little
+		@encoded = EncodedData.new
+		super()
+	end
+	def decode_header
+		@header = Header.decode(self)
+	end
+	def decode_pymarshal
+		case c = @encoded.read(1)
+		when '0' # NULL
+			:null
+		when 'N' # None
+			nil
+		when 'F' # False
+			false
+		when 'T' # True
+			true
+		#when 'S' # stopiter TODO
+		#when '.' # ellipsis TODO
+		when 'i' # long (i32)
+			decode_long
+		when 'I' # long (i64)
+			decode_word | (decode_long << 32)
+		when 'f' # float (ascii)
+			@encoded.read(@encoded.read(1).unpack('C').first).to_f
+		when 'g' # float (binary)
+			@encoded.read(8).unpack('d').first	# XXX check
+		when 'x' # complex (f f)
+			{ :type => :complex,
+			  :real => @encoded.read(@encoded.read(1).unpack('C').first).to_f,
+			  :imag => @encoded.read(@encoded.read(1).unpack('C').first).to_f }
+		when 'y' # complex (g g)
+			{ :type => :complex,
+			  :real => @encoded.read(8).unpack('d').first,
+			  :imag => @encoded.read(8).unpack('d').first }
+		when 'l' # long (i32?)
+			decode_long
+		when 's' # string: len (long), data
+			@encoded.read(decode_long)
+		when 't' # 'interned': string with possible backreference later
+			s = @encoded.read(decode_long)
+			@references << s
+			s
+		when 'R' # stringref (see 't')
+			@references[decode_long]
+		when '(' # tuple (frozen Array): length l*objs
+			obj = []
+			decode_long.times { obj << decode_pymarshal }
+			obj
+		when '[' # list (Array)
+			obj = []
+			decode_long.times { obj << decode_pymarshal }
+			obj
+		when '{' # dict (Hash)
+			obj = {}
+			loop do
+				k = decode_pymarshal
+				break if k == :null
+				obj[k] = decode_pymarshal
+			end
+			{ :type => hash, :hash => obj }	# XXX to avoid confusion with code, etc
+		when 'c' # code
+			# XXX format varies with version (header.signature)
+			obj = {}
+			obj[:type] = :code
+			obj[:argcount] = decode_long
+			#obj[:kwonly_argcount] = decode_long	# not in py2.7
+			obj[:nlocals] = decode_long
+			obj[:stacksize] = decode_long
+			obj[:flags] = decode_long	# TODO bit-decode this one
+			obj[:fileoff] = @encoded.ptr + 5	# XXX assume :code is a 's'
+			obj[:code] = decode_pymarshal
+			obj[:consts] = decode_pymarshal
+			obj[:names] = decode_pymarshal
+			obj[:varnames] = decode_pymarshal
+			obj[:freevars] = decode_pymarshal
+			obj[:cellvars] = decode_pymarshal
+			obj[:filename] = decode_pymarshal
+			obj[:name] = decode_pymarshal
+			obj[:firstlineno] = decode_long
+			obj[:lnotab] = decode_pymarshal
+			@all_code << obj
+			obj
+		when 'u' # unicode
+			@encoded.read(decode_long)
+		#when '?' # unknown TODO
+		#when '<' # set TODO
+		#when '>' # set (frozen) TODO
+		else
+			raise "unsupported python marshal #{c.inspect}"
+		end
+	end
+	def decode
+		decode_header
+		@all_code = []
+		@references = []
+		@root = decode_pymarshal
+		@references = nil
+	end
+	def cpu_from_headers
+		Python.new(self)
+	end
+	def each_section
+		yield @encoded, 0
+	end
+	def get_default_entrypoints
+		if @root.kind_of? Hash and @root[:type] == :code
+			[@root[:fileoff]]
+		else
+			[]
+		end
+	end
+	# return the :code part which contains off
+	def code_at_off(off)
+		@all_code.find { |c| c[:fileoff] <= off and c[:fileoff] + c[:code].length > off }
+	end
+end
+end

data/{lib/metasm → metasm}/exe_format/serialstruct.rb RENAMED

@@ -13,19 +13,20 @@ class SerialStruct
 	NAME=0
 	DECODE=1
 	ENCODE=2
-	DEFVAL=3
-	ENUM=4
-	BITS=5
+	SIZEOF=3
+	DEFVAL=4
+	ENUM=5
+	BITS=6
 class << self
 	# defines a new field
 	# adds an accessor
-	def new_field(name, decode, encode, defval, enum=nil, bits=nil)
+	def new_field(name, decode, encode, sizeof, defval, enum=nil, bits=nil)
 		if name
 			attr_accessor name
 			name = "@#{name}".to_sym
 		end
-		(@@fields[self] ||= []) << [name, decode, encode, defval, enum, bits]
+		(@@fields[self] ||= []) << [name, decode, encode, sizeof, defval, enum, bits]
 	end
 	# creates a field constructor for a simple integer
@@ -34,7 +35,7 @@ class << self
 		recv = class << self ; self ; end
 		types.each { |type|
 			recv.send(:define_method, type) { |name, *args|
-				new_field(name, "decode_#{type}".to_sym, "encode_#{type}".to_sym, args[0] || 0, args[1])
+				new_field(name, "decode_#{type}".to_sym, "encode_#{type}".to_sym, "sizeof_#{type}".to_sym, args[0] || 0, args[1])
 			}
 			# shortcut to define multiple fields of this type with default values
@@ -46,24 +47,33 @@ class << self
 	# standard fields:
+	# virtual field, handled explicitly in a custom encode/decode
+	def virtual(*a)
+		a.each { |f|
+			new_field(f, nil, nil, nil, nil)
+		}
+	end
 	# a fixed-size memory chunk
 	def mem(name, len, defval='')
-		new_field(name, lambda { |exe, me| exe.curencoded.read(len) }, lambda { |exe, me, val| val[0, len].ljust(len, 0.chr) }, defval)
+		new_field(name, lambda { |exe, me| exe.curencoded.read(len) }, lambda { |exe, me, val| val[0, len].ljust(len, 0.chr) }, lambda { |exe, me| len }, defval)
 	end
 	# a fixed-size string, 0-padded
 	def str(name, len, defval='')
-		e = lambda { |exe, me, val| val[0, len].ljust(len, 0.chr) }
 		d = lambda { |exe, me| v = exe.curencoded.read(len) ; v = v[0, v.index(?\0)] if v.index(?\0) ; v }
-		new_field(name, d, e, defval)
+		e = lambda { |exe, me, val| val[0, len].ljust(len, 0.chr) }
+		s = lambda { |exe, me| len }
+		new_field(name, d, e, s, defval)
 	end
 	# 0-terminated string
 	def strz(name, defval='')
 		d = lambda { |exe, me|
-		       	ed = exe.curencoded
+			ed = exe.curencoded
 			ed.read(ed.data.index(?\0, ed.ptr)-ed.ptr+1).chop
 		}
 		e = lambda { |exe, me, val| val + 0.chr }
-		new_field(name, d, e, defval)
+		s = lambda { |exe, val| val.length + 1 }
+		new_field(name, d, e, s, defval)
 	end
 	# field access
@@ -93,7 +103,7 @@ class << self
 		d = lambda { |exe, me| @bitfield_val = exe.send("decode_#{inttype}") }
 		# reset a temp var
 		e = lambda { |exe, me, val| @bitfield_val = 0 ; nil }
-		new_field(nil, d, e, nil)
+		new_field(nil, d, e, 0, nil)
 		h = h.sort
 		h.length.times { |i|
@@ -107,7 +117,7 @@ class << self
 			d = lambda { |exe, me| (@bitfield_val >> off) & mask }
 			# update the temp var with the field value, return nil
 			e = lambda { |exe, me, val| @bitfield_val |= (val & mask) << off ; nil }
-		       	new_field(name, d, e, 0)
+			new_field(name, d, e, 0, 0)
 		}
 		# free the temp var
@@ -118,11 +128,13 @@ class << self
 			@bitfield_val = nil
 			exe.send("encode_#{inttype}", val)
 		}
-		new_field(nil, d, e, nil)
+		s = lambda { |exe, me| exe.send("sizeof_#{inttype}") }
+		new_field(nil, d, e, s, nil)
 	end
 	# inject a hook to be run during the decoding process
 	def decode_hook(before=nil, &b)
+		@@fields[self] ||= []
 		idx = (before ? @@fields[self].index(fld_get(before)) : -1)
 		@@fields[self].insert(idx, [nil, b])
 	end
@@ -209,6 +221,39 @@ end	# class methods
 		ed
 	end
+	# size of the structure = fields.sum { size of field }
+	def sizeof(exe)
+		struct_fields(exe).inject(0) { |off, f|
+			case sz = f[SIZEOF]
+			when Proc; sz = sz[exe, self]
+			when Symbol; sz = exe.send(sz)
+			when Array; sz = exe.send(*sz)
+			when nil; sz = 0
+			end
+			off + sz
+		}
+	end
+	# offset (in bytes) of the structure member
+	# for bitfields, return the byte offset of the whole bitfield
+	def offsetof(exe, fld)
+		fld2 = fld
+		fld2 = "@#{fld}".to_sym if fld.to_s[0] != ?@
+		off = 0
+		struct_fields(exe).each { |f|
+			return off if f[NAME] == fld or f[NAME] == fld2
+			case sz = f[SIZEOF]
+			when Proc; sz = sz[exe, self]
+			when Symbol; sz = exe.send(sz)
+			when Array; sz = exe.send(*sz)
+			when nil; sz = 0
+			end
+			off += sz
+		}
+		raise 'unknown field'
+	end
 	# shortcut to create a new instance and decode it
 	def self.decode(*a)
 		s = new
@@ -216,6 +261,14 @@ end	# class methods
 		s
 	end
+	def self.sizeof(exe)
+		new.sizeof(exe)
+	end
+	def self.offsetof(exe, fld)
+		new.offsetof(exe, fld)
+	end
 	def dump(e, a)
 		case e
 		when Integer; e >= 0x100 ? '0x%X'%e : e