metasm 1.0.1 → 1.0.2

data/samples/dasm-plugins/bindiff.rb

@@ -0,0 +1,15 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+# metasm dasm plugin: asks to load a second program, and unleash the samples/bindiff fury
+# usage: load the plugin, and a 2nd binary, disassemble functions in both, diff'em
+
+require File.join(Metasm::Metasmdir, 'samples', 'bindiff.rb')
+
+Gui::DasmWindow.new("bindiff target").promptopen("chose bindiff target") { |w|
+	w.title = "#{w.widget.dasm.program.filename} - metasm bindiff"
+	@bindiff_win = BinDiffWindow.new(self, w.widget.dasm)
+}
+

data/samples/dasm-plugins/bookmark.rb

@@ -0,0 +1,133 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm GUI plugin: 
+# pops a list of bookmarked functions
+# also allows the custom coloration of blocks/functions
+
+if gui
+	class ColorWindow < Metasm::Gui::ToolWindow
+		def initialize_window(&b)
+			self.title = 'pick a color'
+			self.widget = ColorWidget.new(&b)
+		end
+	end
+
+	class ColorWidget < Metasm::Gui::DrawableWidget
+		attr_accessor :ph, :pw
+		def initialize_widget(&b)
+			super()
+			@action = b
+			@pw = 3
+			@ph = 8
+		end
+
+		def initial_size
+			[@pw*256, @ph*16]
+		end
+
+		def paint
+			0x100.times { |x|
+				cx = x
+				if x & 0x10 > 0
+					cx = (x&0xf0) + (15-(x&0xf))
+				end
+				0x10.times { |y|
+					col = '%02x%x' % [cx, y]
+					draw_rectangle_color(col, x*@pw, y*@ph, @pw, @ph)
+				}
+			}
+		end
+
+		def xy_to_col(x, y)
+			x = x.to_i / @pw
+			y = y.to_i / @ph
+			if x >=0 and y >= 0 and x <= 0xff and y <= 0xf
+				if x & 0x10 > 0
+					x = (x&0xf0) + (15-(x&0xf))
+				end
+				col = '%02x%x' % [x, y]
+				toplevel.title = "color #{col}"
+				col
+			end
+		end
+
+		def mousemove(x, y)
+			xy_to_col(x, y)
+		end
+
+		def mouserelease(x, y)
+			if c = xy_to_col(x, y)
+				toplevel.destroy
+				@action.call(c)
+			end
+		end
+	end
+
+	# list of user-specified addrs
+	@bookmarklist = []
+	# every single addr => color
+	@bookmarkcolor = {}
+
+	obg = gui.bg_color_callback	# chain old callback
+	gui.bg_color_callback = lambda { |a|
+		if obg and col = obg[a]
+			col
+		else
+			# least priority
+			@bookmarkcolor[a]
+		end
+	}
+
+	popbookmarks = lambda { |*a|
+		list = [['address', 'color']] + @bookmarklist.map { |bm| [Expression[bm].to_s, @bookmarkcolor[bm].to_s] }
+		listcolcb = lambda { |e| [nil, @bookmarkcolor[Expression.parse_string(e[0]).reduce]] }
+		gui.listwindow('bookmarks', list, :color_callback => listcolcb) { |e| gui.focus_addr(e[0]) }
+	}
+
+	# an api to bookmark a function
+	def bookmark_function(addr, color)
+		return if not fa = find_function_start(addr)
+		list = function_blocks(fa).map { |k, v| block_at(k).list.map { |di| di.address } }.flatten
+		bookmark_addrs list, color
+	end
+	def bookmark_addrs(list, color)
+		al = [list].flatten.uniq
+		gui.session_append("dasm.bookmark_addrs(#{list.inspect}, #{color.inspect})")
+		@bookmarklist |= [al.min]
+		al.each { |a| @bookmarkcolor[a] = color }
+		gui.gui_update
+	end
+	def bookmark_delete_function(addr)
+		return if not fa = find_function_start(addr)
+		list = function_blocks(fa).map { |k, v| block_at(k).list.map { |di| di.address } }.flatten
+		bookmark_delete list
+	end
+	def bookmark_delete(list)
+		@bookmarklist -= list
+		list.each { |a| @bookmarkcolor.delete a }
+	end
+	def bookmark_delete_color(col)
+		@bookmarkcolor.delete_if { |k, v| if v == col ; @bookmarklist.delete k ; true end }
+	end
+
+
+	w = gui.toplevel
+	w.addsubmenu(w.find_menu('Views'), '_Bookmarks', popbookmarks)
+	w.update_menu
+	gui.keyboard_callback[?B] = popbookmarks
+	gui.keyboard_callback[?C] = lambda { |a|
+		if s = gui.curview.instance_variable_get('@selected_boxes') and not s.empty?
+			al = s.map { |b| b[:line_address] }
+		elsif fa = find_function_start(gui.curaddr)
+			al = function_blocks(fa).map { |k, v| block_at(k).list.map { |di| di.address } }
+		else
+			next
+		end
+		# XXX also prompt for comment/bookmark name ?
+		ColorWindow.new(gui.toplevel) { |col| bookmark_addrs(al, col) }
+	}
+end

data/samples/dasm-plugins/c_constants.rb

@@ -0,0 +1,57 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin
+# decompose immediate values from C constants, adds a comment with the decomposition
+
+# find immediate exprs in the instruction at addr, yield them
+def imm_to_const(addr)
+	return if not di = di_at(addr)
+	# TODO enter into memrefs ?
+	di.instruction.args.grep(Expression).each { |a|
+		i = a.reduce
+		next if not i.kind_of? Integer
+		next if not cstbase = yield(i)
+		if c = imm_to_const_decompose(i, cstbase)
+			di.add_comment c
+		end
+	}
+end
+
+# find the bitwise decomposition of imm into constants whose name include cstbase
+def imm_to_const_decompose(imm, cstbase)
+	cstbase = /#{cstbase}/i if not cstbase.kind_of? Regexp
+	dict = {}
+	c_parser.lexer.definition.keys.grep(cstbase).each { |cst|
+		if i = c_parser.macro_numeric(cst)
+			dict[cst] = i
+		end
+	}
+	c_parser.toplevel.symbol.each { |k, v|
+		dict[k] = v if v.kind_of? Integer and k =~ cstbase
+	}
+	dict.delete_if { |k, v| imm & v != v }
+	if cst = dict.index(imm)
+		cst
+	else
+		# a => 1, b => 2, c => 4, all => 7: discard abc, keep 'all'
+		dict.delete_if { |k, v| dict.find { |kk, vv| vv > v and vv & v == v } }
+		dict.keys.join(' | ') if not dict.empty?
+	end
+end
+
+if gui
+	gui.keyboard_callback[?K] = lambda { |*a|
+		addr = gui.curaddr
+		imm_to_const(addr) { |i|
+			gui.inputbox("const name for #{Expression[i]}") { |name|
+				imm_to_const(addr) { |ii| name if ii == i }
+				gui.gui_update
+			}
+			nil
+		}
+	}
+end

data/samples/dasm-plugins/colortheme_solarized.rb

@@ -0,0 +1,125 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm gui plugin: change the colortheme used in the GUI
+# based on solarized: http://ethanschoonover.com/solarized/
+
+if gui
+	solarized = {
+		# name => hex RRGGBB
+		:base03  => '002b36',
+		:base02  => '073642',
+		:base01  => '586e75',
+		:base00  => '657b83',
+		:base0   => '839496',
+		:base1   => '93a1a1',
+		:base2   => 'eee8d5',
+		:base3   => 'fdf6e3',
+		:yellow  => 'b58900',
+		:orange  => 'cb4b16',
+		:red     => 'dc322f',
+		:magenta => 'd33682',
+		:violet  => '6c71c4',
+		:blue    => '268bd2',
+		:cyan    => '2aa198',
+		:green   => '859900',
+
+		# personnal additions for more contrast
+		:base0C  => '094048',
+		:base0D  => '00151b',
+
+		:black   => '002b36',	# base03
+		:white   => '93a1a1',	# base1
+
+		:yellow_bg  => '5a591b',# approx mean with black + manual tweak
+		:orange_bg  => '553a16',
+		:red_bg     => '461b1d',
+		:magenta_bg => '69305c',
+		:violet_bg  => '364d7d',
+		:blue_bg    => '135a84',
+		:cyan_bg    => '156567',
+		:green_bg   => '16510b',
+	}
+
+	# all widget's colorscheme inherits from this one
+	# this is the dark background theme. For light background, change
+	#  all 'baseX' into 'base0X' and 'base0X' into 'baseX'.
+	default = {
+		:background    => :black,
+		:text          => :white,
+		:instruction   => :white,
+		:cursorline_bg => :base02,
+		:comment       => :base01,
+		:caret         => :base0,
+		:label         => :violet,
+		:address       => :blue,
+		:hl_word_bg    => :white,
+		:hl_word       => :black,
+	}
+
+	specific = {
+		# widget name => colortheme
+		# unspecified colors are taken from 'default'
+		# still unspecified colors are left unchanged
+		:listing => {
+			:raw_data  => :white,
+			:arrows_bg => :base02,
+			:arrow_up  => :cyan,
+			:arrow_dn  => :blue,
+			:arrow_hl  => :orange,
+		},
+
+		:opcodes => {
+			:raw_data  => :white,
+		},
+
+		:decompile => {
+			:keyword   => :blue,
+			:localvar  => :red,
+			:globalvar => :green,
+			:intrinsic => :yellow,
+		},
+
+		:coverage => {
+			:code      => :red,
+			:data      => :blue,
+			:caret     => :yellow,
+			:caret_col => :green,
+		},
+
+		:graph => {
+			:background    => :base0D,
+			:hlbox_bg      => :base02,
+			:box_bg        => :base03,
+			:cursorline_bg => :base03,
+			:arrow_cond    => :green,
+			:arrow_uncond  => :cyan,
+			:arrow_direct  => :blue,
+			:arrow_hl      => :orange,
+			:box_bg_shadow => '000000',
+		},
+
+		:hex => {
+			:ascii         => :white,
+			:data          => :base1,
+			:write_pending => :red,
+			:caret_mirror  => :base0C,
+		},
+	}
+
+	gui.view_indexes.each { |v|
+		cs = specific[v] || {}
+		view = gui.view(v)
+		# keep original view ':foo => :text' colors
+		legacy = view.default_color_association.dup
+		# but discard actual color defs (still present as fallback anyway)
+		legacy.delete_if { |k, c| c.kind_of?(::String) }
+		nca = solarized.merge(legacy).merge(default).merge(cs)
+		view.set_color_association(nca)
+	}
+
+	true
+end

data/samples/dasm-plugins/cppobj_funcall.rb

@@ -0,0 +1,60 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin
+# finds instances of indirect calls a la call [ecx+40h], backtraces ecx, comments with the C++ object function pointer name
+# if the backtracked object has no type, prompt for a C structure name.
+
+# TODO simpler gui interface to set [base+off] =>  ; struct->member
+
+@indirect_call_struct = {}
+def solve_indirect_call_set_struct(ptr, struct)
+	struct = @c_parser.toplevel.struct[struct] if struct.kind_of? String
+	raise 'no such struct' if not struct
+	@indirect_call_struct[ptr] = struct
+end
+
+def solve_indirect_calls
+	@decoded.values.grep(DecodedInstruction).each { |di|
+		next if not di.opcode.props[:saveip]	# only calls
+		fptr = get_xrefs_x(di)
+		next if fptr.to_a.length != 1
+		fptr = Expression[fptr.first].reduce_rec
+		next if not fptr.kind_of? Indirection
+		next if not fptr.pointer.lexpr.kind_of? Symbol
+		next if not fptr.pointer.rexpr.kind_of? Integer
+		obj = backtrace(fptr.pointer.lexpr, di.address)
+		obj.delete Expression::Unknown
+		next if obj.length != 1
+		obj = obj.first
+		obj = Expression[obj].reduce_rec
+		next if not obj.kind_of? Indirection
+		obj = obj.pointer	# vtable ptr -> object ptr
+
+		if not struct = @indirect_call_struct[obj]
+			struct = yield obj if block_given?
+			solve_indirect_call_set_struct(obj, struct || :none)
+		end
+
+		if struct.kind_of? C::Struct and fld = struct.members.find { |m| struct.offsetof(c_parser, m) == fptr.pointer.rexpr } and fld.name
+			di.add_comment "#{struct.name || obj}->#{fld.name}"
+			di.comment.delete 'x:unknown'
+		end
+	}
+end
+
+if gui
+	solve_indirect_calls { |ptr|
+		gui.inputbox("struct name for object at #{ptr}") { |name|
+			solve_indirect_call_set_struct(ptr, name)
+			# re-solve everything, cause we're called only once but many indirect calls may use ptr
+			solve_indirect_calls
+			gui.gui_update
+		}
+	}
+	gui.gui_update
+	nil
+end

data/samples/dasm-plugins/dasm_all.rb

@@ -0,0 +1,70 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin: retrieve a section section, and disassemble everything it can, skipping existing code and nops
+# usage: load the plugin, then call (ruby snipped): dasm.dasm_all_section '.text'
+def dasm_all(addrstart, length, method=:disassemble_fast_deep)
+	s = get_section_at(addrstart)
+	return if not s
+	s = s[0]
+	boff = s.ptr
+	off = 0
+	while off < length
+		if di = di_at(addrstart + off)
+			off += di.bin_length
+		elsif @decoded[addrstart+off]
+			off += 1
+		else
+			s.ptr = boff+off
+			maydi = cpu.decode_instruction(s, 0)
+			if not maydi
+				off += 1
+			elsif maydi.instruction.to_s =~ /nop|lea (.*), \[\1(?:\+0)?\]|mov (.*), \2|int 3/
+				off += maydi.bin_length
+			else
+				puts "dasm_all: found #{Expression[addrstart+off]}" if $VERBOSE
+				send(method, addrstart+off)
+			end
+		end
+		Gui.main_iter if gui and off & 15 == 0
+	end
+
+	count = 0
+	off = 0
+	while off < length
+		addr = addrstart+off
+		if di = di_at(addr)
+			if di.block_head?
+				b = di.block
+				if not @function[addr] and b.from_subfuncret.to_a.empty? and b.from_normal.to_a.empty?
+					l = auto_label_at(addr, 'sub_orph')
+					puts "dasm_all: found orphan function #{l}"
+					@function[addrstart+off] = DecodedFunction.new
+					@function[addrstart+off].finalized = true
+					detect_function_thunk(addr)
+					count += 1
+				end
+			end
+			off += di.bin_length
+		else
+			off += 1
+		end
+		Gui.main_iter if gui and off & 15 == 0
+	end
+
+	puts "found #{count} orphan functions" if $VERBOSE
+
+	gui.gui_update if gui
+end
+
+def dasm_all_section(name, method=:disassemble_fast_deep)
+	section_info.each { |n, a, l, i|
+		if name == n
+			dasm_all(Expression[a].reduce, l, method)
+		end
+	}
+	true
+end