RubyGems - metasm - Versions diffs - 1.0.1 → 1.0.2 - Mend

metasm 1.0.1 → 1.0.2

Files changed (235) hide show

checksums.yaml +7 -0
data/.gitignore +1 -0
data/.hgtags +3 -0
data/Gemfile +1 -0
data/INSTALL +61 -0
data/LICENCE +458 -0
data/README +29 -21
data/Rakefile +10 -0
data/TODO +10 -12
data/doc/code_organisation.txt +2 -0
data/doc/core/DynLdr.txt +247 -0
data/doc/core/ExeFormat.txt +43 -0
data/doc/core/Expression.txt +220 -0
data/doc/core/GNUExports.txt +27 -0
data/doc/core/Ia32.txt +236 -0
data/doc/core/SerialStruct.txt +108 -0
data/doc/core/VirtualString.txt +145 -0
data/doc/core/WindowsExports.txt +61 -0
data/doc/core/index.txt +1 -0
data/doc/style.css +6 -3
data/doc/usage/debugger.txt +327 -0
data/doc/usage/index.txt +1 -0
data/doc/use_cases.txt +2 -2
data/metasm.gemspec +22 -0
data/{lib/metasm.rb → metasm.rb} +11 -3
data/{lib/metasm → metasm}/compile_c.rb +13 -7
data/metasm/cpu/arc.rb +8 -0
data/metasm/cpu/arc/decode.rb +425 -0
data/metasm/cpu/arc/main.rb +191 -0
data/metasm/cpu/arc/opcodes.rb +588 -0
data/{lib/metasm → metasm/cpu}/arm.rb +7 -5
data/{lib/metasm → metasm/cpu}/arm/debug.rb +2 -2
data/{lib/metasm → metasm/cpu}/arm/decode.rb +13 -12
data/{lib/metasm → metasm/cpu}/arm/encode.rb +23 -8
data/{lib/metasm → metasm/cpu}/arm/main.rb +0 -3
data/metasm/cpu/arm/opcodes.rb +324 -0
data/{lib/metasm → metasm/cpu}/arm/parse.rb +25 -13
data/{lib/metasm → metasm/cpu}/arm/render.rb +2 -2
data/metasm/cpu/arm64.rb +15 -0
data/metasm/cpu/arm64/debug.rb +38 -0
data/metasm/cpu/arm64/decode.rb +289 -0
data/metasm/cpu/arm64/encode.rb +41 -0
data/metasm/cpu/arm64/main.rb +105 -0
data/metasm/cpu/arm64/opcodes.rb +232 -0
data/metasm/cpu/arm64/parse.rb +20 -0
data/metasm/cpu/arm64/render.rb +95 -0
data/{lib/metasm/ppc.rb → metasm/cpu/bpf.rb} +2 -4
data/metasm/cpu/bpf/decode.rb +142 -0
data/metasm/cpu/bpf/main.rb +60 -0
data/metasm/cpu/bpf/opcodes.rb +81 -0
data/metasm/cpu/bpf/render.rb +41 -0
data/metasm/cpu/cy16.rb +9 -0
data/metasm/cpu/cy16/decode.rb +253 -0
data/metasm/cpu/cy16/main.rb +63 -0
data/metasm/cpu/cy16/opcodes.rb +78 -0
data/metasm/cpu/cy16/render.rb +41 -0
data/metasm/cpu/dalvik.rb +11 -0
data/{lib/metasm → metasm/cpu}/dalvik/decode.rb +35 -13
data/{lib/metasm → metasm/cpu}/dalvik/main.rb +51 -2
data/{lib/metasm → metasm/cpu}/dalvik/opcodes.rb +19 -11
data/metasm/cpu/ia32.rb +17 -0
data/{lib/metasm → metasm/cpu}/ia32/compile_c.rb +5 -7
data/{lib/metasm → metasm/cpu}/ia32/debug.rb +5 -5
data/{lib/metasm → metasm/cpu}/ia32/decode.rb +246 -59
data/{lib/metasm → metasm/cpu}/ia32/decompile.rb +7 -7
data/{lib/metasm → metasm/cpu}/ia32/encode.rb +19 -13
data/{lib/metasm → metasm/cpu}/ia32/main.rb +51 -8
data/metasm/cpu/ia32/opcodes.rb +1424 -0
data/{lib/metasm → metasm/cpu}/ia32/parse.rb +47 -16
data/{lib/metasm → metasm/cpu}/ia32/render.rb +31 -4
data/metasm/cpu/mips.rb +14 -0
data/{lib/metasm → metasm/cpu}/mips/compile_c.rb +1 -1
data/metasm/cpu/mips/debug.rb +42 -0
data/{lib/metasm → metasm/cpu}/mips/decode.rb +46 -16
data/{lib/metasm → metasm/cpu}/mips/encode.rb +4 -3
data/{lib/metasm → metasm/cpu}/mips/main.rb +11 -4
data/{lib/metasm → metasm/cpu}/mips/opcodes.rb +86 -17
data/{lib/metasm → metasm/cpu}/mips/parse.rb +1 -1
data/{lib/metasm → metasm/cpu}/mips/render.rb +1 -1
data/{lib/metasm/dalvik.rb → metasm/cpu/msp430.rb} +1 -1
data/metasm/cpu/msp430/decode.rb +247 -0
data/metasm/cpu/msp430/main.rb +62 -0
data/metasm/cpu/msp430/opcodes.rb +101 -0
data/{lib/metasm → metasm/cpu}/pic16c/decode.rb +6 -7
data/{lib/metasm → metasm/cpu}/pic16c/main.rb +0 -0
data/{lib/metasm → metasm/cpu}/pic16c/opcodes.rb +1 -1
data/{lib/metasm/mips.rb → metasm/cpu/ppc.rb} +4 -4
data/{lib/metasm → metasm/cpu}/ppc/decode.rb +18 -12
data/{lib/metasm → metasm/cpu}/ppc/decompile.rb +3 -3
data/{lib/metasm → metasm/cpu}/ppc/encode.rb +2 -2
data/{lib/metasm → metasm/cpu}/ppc/main.rb +17 -12
data/{lib/metasm → metasm/cpu}/ppc/opcodes.rb +11 -5
data/metasm/cpu/ppc/parse.rb +55 -0
data/metasm/cpu/python.rb +8 -0
data/metasm/cpu/python/decode.rb +136 -0
data/metasm/cpu/python/main.rb +36 -0
data/metasm/cpu/python/opcodes.rb +180 -0
data/{lib/metasm → metasm/cpu}/sh4.rb +1 -1
data/{lib/metasm → metasm/cpu}/sh4/decode.rb +48 -17
data/{lib/metasm → metasm/cpu}/sh4/main.rb +13 -4
data/{lib/metasm → metasm/cpu}/sh4/opcodes.rb +7 -8
data/metasm/cpu/x86_64.rb +15 -0
data/{lib/metasm → metasm/cpu}/x86_64/compile_c.rb +28 -17
data/{lib/metasm → metasm/cpu}/x86_64/debug.rb +4 -4
data/{lib/metasm → metasm/cpu}/x86_64/decode.rb +57 -15
data/{lib/metasm → metasm/cpu}/x86_64/encode.rb +55 -26
data/{lib/metasm → metasm/cpu}/x86_64/main.rb +14 -6
data/metasm/cpu/x86_64/opcodes.rb +136 -0
data/{lib/metasm → metasm/cpu}/x86_64/parse.rb +10 -2
data/metasm/cpu/x86_64/render.rb +35 -0
data/metasm/cpu/z80.rb +9 -0
data/metasm/cpu/z80/decode.rb +313 -0
data/metasm/cpu/z80/main.rb +67 -0
data/metasm/cpu/z80/opcodes.rb +224 -0
data/metasm/cpu/z80/render.rb +59 -0
data/{lib/metasm/os/main.rb → metasm/debug.rb} +160 -401
data/{lib/metasm → metasm}/decode.rb +35 -4
data/{lib/metasm → metasm}/decompile.rb +15 -16
data/{lib/metasm → metasm}/disassemble.rb +201 -45
data/{lib/metasm → metasm}/disassemble_api.rb +651 -87
data/{lib/metasm → metasm}/dynldr.rb +220 -133
data/{lib/metasm → metasm}/encode.rb +10 -1
data/{lib/metasm → metasm}/exe_format/a_out.rb +9 -6
data/{lib/metasm → metasm}/exe_format/autoexe.rb +1 -0
data/{lib/metasm → metasm}/exe_format/bflt.rb +57 -27
data/{lib/metasm → metasm}/exe_format/coff.rb +11 -3
data/{lib/metasm → metasm}/exe_format/coff_decode.rb +53 -20
data/{lib/metasm → metasm}/exe_format/coff_encode.rb +11 -13
data/{lib/metasm → metasm}/exe_format/dex.rb +13 -5
data/{lib/metasm → metasm}/exe_format/dol.rb +1 -0
data/{lib/metasm → metasm}/exe_format/elf.rb +93 -57
data/{lib/metasm → metasm}/exe_format/elf_decode.rb +143 -34
data/{lib/metasm → metasm}/exe_format/elf_encode.rb +122 -31
data/metasm/exe_format/gb.rb +65 -0
data/metasm/exe_format/javaclass.rb +424 -0
data/{lib/metasm → metasm}/exe_format/macho.rb +204 -16
data/{lib/metasm → metasm}/exe_format/main.rb +26 -3
data/{lib/metasm → metasm}/exe_format/mz.rb +1 -0
data/{lib/metasm → metasm}/exe_format/nds.rb +7 -4
data/{lib/metasm → metasm}/exe_format/pe.rb +71 -8
data/metasm/exe_format/pyc.rb +167 -0
data/{lib/metasm → metasm}/exe_format/serialstruct.rb +67 -14
data/{lib/metasm → metasm}/exe_format/shellcode.rb +7 -3
data/metasm/exe_format/shellcode_rwx.rb +114 -0
data/metasm/exe_format/swf.rb +205 -0
data/{lib/metasm → metasm}/exe_format/xcoff.rb +7 -7
data/metasm/exe_format/zip.rb +335 -0
data/metasm/gui.rb +13 -0
data/{lib/metasm → metasm}/gui/cstruct.rb +35 -41
data/{lib/metasm → metasm}/gui/dasm_coverage.rb +11 -11
data/{lib/metasm → metasm}/gui/dasm_decomp.rb +7 -20
data/{lib/metasm → metasm}/gui/dasm_funcgraph.rb +0 -0
data/metasm/gui/dasm_graph.rb +1695 -0
data/{lib/metasm → metasm}/gui/dasm_hex.rb +12 -8
data/{lib/metasm → metasm}/gui/dasm_listing.rb +43 -28
data/{lib/metasm → metasm}/gui/dasm_main.rb +310 -53
data/{lib/metasm → metasm}/gui/dasm_opcodes.rb +5 -19
data/{lib/metasm → metasm}/gui/debug.rb +93 -27
data/{lib/metasm → metasm}/gui/gtk.rb +162 -40
data/{lib/metasm → metasm}/gui/qt.rb +12 -2
data/{lib/metasm → metasm}/gui/win32.rb +179 -42
data/{lib/metasm → metasm}/gui/x11.rb +59 -59
data/{lib/metasm → metasm}/main.rb +389 -264
data/{lib/metasm/os/remote.rb → metasm/os/gdbremote.rb} +146 -54
data/{lib/metasm → metasm}/os/gnu_exports.rb +1 -1
data/{lib/metasm → metasm}/os/linux.rb +628 -151
data/metasm/os/main.rb +330 -0
data/{lib/metasm → metasm}/os/windows.rb +132 -42
data/{lib/metasm → metasm}/os/windows_exports.rb +141 -0
data/{lib/metasm → metasm}/parse.rb +26 -24
data/{lib/metasm → metasm}/parse_c.rb +221 -116
data/{lib/metasm → metasm}/preprocessor.rb +55 -40
data/{lib/metasm → metasm}/render.rb +14 -38
data/misc/hexdump.rb +2 -1
data/misc/lint.rb +58 -0
data/misc/txt2html.rb +9 -7
data/samples/bindiff.rb +3 -4
data/samples/dasm-plugins/bindiff.rb +15 -0
data/samples/dasm-plugins/bookmark.rb +133 -0
data/samples/dasm-plugins/c_constants.rb +57 -0
data/samples/dasm-plugins/colortheme_solarized.rb +125 -0
data/samples/dasm-plugins/cppobj_funcall.rb +60 -0
data/samples/dasm-plugins/dasm_all.rb +70 -0
data/samples/dasm-plugins/demangle_cpp.rb +31 -0
data/samples/dasm-plugins/deobfuscate.rb +251 -0
data/samples/dasm-plugins/dump_text.rb +35 -0
data/samples/dasm-plugins/export_graph_svg.rb +86 -0
data/samples/dasm-plugins/findgadget.rb +75 -0
data/samples/dasm-plugins/hl_opcode.rb +32 -0
data/samples/dasm-plugins/hotfix_gtk_dbg.rb +19 -0
data/samples/dasm-plugins/imm2off.rb +34 -0
data/samples/dasm-plugins/match_libsigs.rb +93 -0
data/samples/dasm-plugins/patch_file.rb +95 -0
data/samples/dasm-plugins/scanfuncstart.rb +36 -0
data/samples/dasm-plugins/scanxrefs.rb +26 -0
data/samples/dasm-plugins/selfmodify.rb +197 -0
data/samples/dasm-plugins/stringsxrefs.rb +28 -0
data/samples/dasmnavig.rb +1 -1
data/samples/dbg-apihook.rb +24 -9
data/samples/dbg-plugins/heapscan.rb +283 -0
data/samples/dbg-plugins/heapscan/compiled_heapscan_lin.c +155 -0
data/samples/dbg-plugins/heapscan/compiled_heapscan_win.c +128 -0
data/samples/dbg-plugins/heapscan/graphheap.rb +616 -0
data/samples/dbg-plugins/heapscan/heapscan.rb +709 -0
data/samples/dbg-plugins/heapscan/winheap.h +174 -0
data/samples/dbg-plugins/heapscan/winheap7.h +307 -0
data/samples/dbg-plugins/trace_func.rb +214 -0
data/samples/disassemble-gui.rb +35 -5
data/samples/disassemble.rb +31 -6
data/samples/dump_upx.rb +24 -12
data/samples/dynamic_ruby.rb +12 -3
data/samples/exeencode.rb +6 -5
data/samples/factorize-headers-peimports.rb +1 -1
data/samples/lindebug.rb +175 -381
data/samples/metasm-shell.rb +1 -2
data/samples/peldr.rb +2 -2
data/tests/all.rb +1 -1
data/tests/arc.rb +26 -0
data/tests/dynldr.rb +22 -4
data/tests/expression.rb +55 -0
data/tests/graph_layout.rb +285 -0
data/tests/ia32.rb +79 -26
data/tests/mips.rb +9 -2
data/tests/x86_64.rb +66 -18
metadata +330 -218
data/lib/metasm/arm/opcodes.rb +0 -177
data/lib/metasm/gui.rb +0 -23
data/lib/metasm/gui/dasm_graph.rb +0 -1354
data/lib/metasm/ia32.rb +0 -14
data/lib/metasm/ia32/opcodes.rb +0 -873
data/lib/metasm/ppc/parse.rb +0 -52
data/lib/metasm/x86_64.rb +0 -12
data/lib/metasm/x86_64/opcodes.rb +0 -118
data/samples/gdbclient.rb +0 -583
data/samples/rubstop.rb +0 -399

data/samples/dbg-plugins/heapscan/compiled_heapscan_win.c ADDED

@@ -0,0 +1,128 @@
+typedef uintptr_t VALUE;
+static VALUE const_WindowsHeap;
+VALUE rb_ary_new(void);
+VALUE rb_ary_push(VALUE, VALUE);
+extern VALUE *rb_cObject __attribute__((import));
+VALUE rb_const_get(VALUE, VALUE);
+void rb_define_method(VALUE, char*, VALUE(*)(), int);
+VALUE rb_funcall(VALUE recv, unsigned int id, int nargs, ...);
+VALUE rb_intern(char*);
+VALUE rb_iv_get(VALUE, char*);
+VALUE rb_hash_aset(VALUE, VALUE, VALUE);
+VALUE rb_hash_aref(VALUE, VALUE);
+VALUE rb_uint2inum(VALUE);
+VALUE rb_num2ulong(VALUE);
+char *rb_string_value_ptr(VALUE*);
+VALUE rb_gc_enable(void);
+VALUE rb_gc_disable(void);
+#include "winheap.h"
+#define INT2FIX(i) (((i) << 1) | 1)
+static VALUE m_WindowsHeap23scan_heap_segment(VALUE self, VALUE vfirst, VALUE vlen)
+{
+	char *heapcpy;
+	struct _HEAP_ENTRY *he;
+	VALUE chunks;
+	VALUE first = rb_num2ulong(vfirst);
+	VALUE len = vlen >> 1;
+	VALUE off;
+	VALUE page;
+	VALUE sz;
+	chunks = rb_iv_get(self, "@chunks");
+	page = rb_funcall(self, rb_intern("pagecache"), 2, vfirst, INT2FIX(len));
+	heapcpy = rb_string_value_ptr(&page);
+	rb_gc_disable();
+	off = 0;
+	while (off < len) {
+		he = heapcpy + off;
+		if (he->Flags & 1) {
+			sz = (VALUE)he->Size*8;
+			if (sz > he->UnusedBytes)
+				sz -= he->UnusedBytes;
+			else
+				sz = 0;
+			rb_hash_aset(chunks, rb_uint2inum(first+off+sizeof(*he)), INT2FIX(sz));
+		}
+		off += he->Size*8;
+	}
+	rb_gc_enable();
+	return 4;
+}
+static VALUE m_WindowsHeap23scan_heap_segment_xr(VALUE self, VALUE vfirst, VALUE vlen)
+{
+	char *heapcpy;
+	struct _HEAP_ENTRY *he;
+	VALUE chunks;
+	VALUE first = rb_num2ulong(vfirst);
+	VALUE len = vlen >> 1;
+	VALUE off;
+	VALUE page;
+	VALUE xrchunksto = rb_iv_get(self, "@xrchunksto");
+	VALUE xrchunksfrom = rb_iv_get(self, "@xrchunksfrom");
+	chunks = rb_iv_get(self, "@chunks");
+	page = rb_funcall(self, rb_intern("pagecache"), 2, vfirst, INT2FIX(len));
+	heapcpy = rb_string_value_ptr(&page);
+	rb_gc_disable();
+	off = 0;
+	VALUE *ptr0, base, cklen;
+	while (off < len) {
+		he = heapcpy + off;
+		// address of the chunk
+		base = first + off + sizeof(*he);
+		if ((he->Flags & 1) &&
+		    (((cklen = rb_hash_aref(chunks, rb_uint2inum(base)))|4) != 4)) {
+			cklen /= 2*sizeof(void*);	// /2 == FIX2INT
+			// pointer to the data for the chunk in our copy of the heap from pagecache
+			ptr0 = (VALUE*)(heapcpy + off + sizeof(*he));
+			VALUE tabto = 0;
+			VALUE tabfrom;
+			while (cklen--) {
+				VALUE p = *ptr0++;
+				//if (p == base)	// ignore self-references
+				//	continue;
+				if ((rb_hash_aref(chunks, rb_uint2inum(p))|4) != 4) {
+					if (!tabto) {
+						tabto = rb_ary_new();
+						rb_hash_aset(xrchunksto, rb_uint2inum(base), tabto);
+					}
+					rb_ary_push(tabto, rb_uint2inum(p));
+					tabfrom = rb_hash_aref(xrchunksfrom, rb_uint2inum(p));
+					if ((tabfrom|4) == 4) {
+						tabfrom = rb_ary_new();
+						rb_hash_aset(xrchunksfrom, rb_uint2inum(p), tabfrom);
+					}
+					rb_ary_push(tabfrom, rb_uint2inum(base));
+				}
+			}
+		}
+		if (!he->Size)
+			break;
+		off += he->Size*8;
+	}
+	rb_gc_enable();
+	return 4;
+}
+static void do_init_once(void)
+{
+	const_WindowsHeap = rb_const_get(*rb_cObject, rb_intern("Metasm"));
+	const_WindowsHeap = rb_const_get(const_WindowsHeap, rb_intern("WindowsHeap"));
+	rb_define_method(const_WindowsHeap, "scan_heap_segment", m_WindowsHeap23scan_heap_segment, 2);
+	rb_define_method(const_WindowsHeap, "scan_heap_segment_xr", m_WindowsHeap23scan_heap_segment_xr, 2);
+}
+int Init_compiled_heapscan_win __attribute__((export))(void)
+{
+	do_init_once();
+	return 0;
+}

data/samples/dbg-plugins/heapscan/graphheap.rb ADDED

@@ -0,0 +1,616 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+module ::Metasm
+module Gui
+class GraphHeapWidget < GraphViewWidget
+	attr_accessor :heap, :addr_struct, :snapped
+	# addr_struct = 0x234 => AllocCStruct
+	def set_color_arrow(b1, b2)
+		if b1 == @caret_box or b2 == @caret_box
+			draw_color :arrow_hl
+		else
+			draw_color :arrow_cond
+		end
+	end
+	def setup_contextmenu(b, m)
+		addsubmenu(m, '_follow pointer') {
+			next if not lm = b[:line_member][@caret_y]
+			addr = b[:line_struct][@caret_y][lm]
+			next if not @heap.chunks[addr]
+			if lm.kind_of?(::Integer)
+				t = b[:line_struct][@caret_y].struct.type
+			else
+				t = lm.type
+			end
+			if t.pointer? and t.pointed.untypedef.kind_of? C::Union
+				@heap.chunk_struct[addr] ||= t.pointed.untypedef
+			end
+			st = @heap.chunk_struct[addr] || create_struct(addr)
+			ed = @dasm.get_edata_at(addr)
+			@addr_struct[addr] = @heap.cp.decode_c_struct(st.name, ed.data, ed.ptr)
+			gui_update
+		}
+		addsubmenu(m, '_hide box') {
+			@selected_boxes.each { |sb|
+				@addr_struct.delete sb.id if @addr_struct.length > 1
+			}
+			@curcontext.root_addrs = struct_find_roots(@addr_struct.keys.first)
+			gui_update
+		}
+		super(b, m)
+	end
+	def keypress(k)
+		case k
+		when ?u
+			# update display (refresh struct member values)
+			@parent_widget.parent_widget.console.commands['refresh'][]
+			gui_update
+		when ?t
+			# change struct field type
+			if @selected_boxes.length > 1
+				# mass-retype chunks
+				st = @addr_struct[@selected_boxes[0].id].struct
+				inputbox("replacement struct for selected chunks", :text => st.name) { |n|
+					next if not nst = @heap.cp.toplevel.struct[n]
+					@selected_boxes.each { |sb|
+						as = @addr_struct[sb.id]
+						@heap.chunk_struct[sb.id] = nst
+						@addr_struct[sb.id] = @heap.cp.decode_c_struct(n, as.str, as.stroff)
+					}
+					gui_update
+				}
+			elsif b = @caret_box
+				if @caret_y == 0
+					as = @addr_struct[b.id]
+					st = as.struct
+					inputbox("replacement struct for #{st.name}", :text => st.name) { |n|
+						next if not nst = @heap.cp.toplevel.struct[n]
+						@heap.chunk_struct[b.id] = nst
+						@addr_struct[b.id] = @heap.cp.decode_c_struct(n, as.str, as.stroff)
+						gui_update
+					}
+				elsif m = b[:line_member][@caret_y]
+					if m.kind_of?(Integer)
+						# XXX Array, need to find the outer struct
+						mn = b[:line_text_col][@caret_y].map { |l, c| l }.join[/(\S*)\[/, 1]
+						ar = b[:line_struct][@caret_y]
+						st = b[:line_struct][0...@caret_y].reverse.compact.find { |st_| st_.struct.kind_of?(C::Struct) and st_[mn].struct == ar.struct }
+						raise '?' if not st
+						st = st.struct
+						m = st.fldlist[mn]
+					else
+						st = b[:line_struct][@caret_y].struct
+					end
+					inputbox("new type for #{m.name}", :text => m.dump_def(@heap.cp.toplevel)[0].join(' ')) { |nn|
+						nil while @heap.cp.readtok
+						@heap.cp.lexer.feed nn
+						if not v = C::Variable.parse_type(@heap.cp, @heap.cp.toplevel, true)
+							nil while @heap.cp.readtok
+							raise 'bad type'
+						end
+						v.parse_declarator(@heap.cp, @heap.cp.toplevel)
+						nt = v.type
+						nsz = @heap.cp.sizeof(nt)
+						osz = @heap.cp.sizeof(m)
+						if nsz > osz and st.kind_of?(C::Struct)
+							idx = st.members.index(m)
+							# eat next members
+							while nsz > osz
+								break if idx+1 >= st.members.length
+								sz = @heap.cp.sizeof(st.members.delete_at(idx+1))
+								osz += sz
+							end
+						end
+						if nsz < osz and st.kind_of?(C::Struct)
+							idx = st.members.index(m)
+							pos = st.offsetof(@heap.cp, m)
+							# fill gap with bytes
+							idx += 1
+							while nsz < osz
+								st.members[idx, 0] = [C::Variable.new(('unk_%x' % (pos+nsz)), C::BaseType.new(:__int8, :unsigned))]
+								idx += 1
+								nsz += 1
+							end
+						end
+						m.type = nt
+						st.update_member_cache(@heap.cp)
+						gui_update
+					}
+				end
+			end
+		when ?n
+			# rename struct field
+			if b = @caret_box
+				if @caret_y == 0
+					st = @addr_struct[b.id].struct
+					inputbox("new name for #{st.name}", :text => st.name) { |nn|
+						raise "struct #{nn} already exists (try 't')" if @heap.cp.toplevel.struct[nn]
+						@heap.cp.toplevel.struct[nn] = @heap.cp.toplevel.struct.delete(st.name)
+						st.name = nn
+						gui_update
+					}
+				elsif m = b[:line_member][@caret_y]
+					if m.kind_of?(Integer)
+						mn = b[:line_text_col][@caret_y].map { |l, c| l }.join[/(\S*)\[/, 1]
+						ar = b[:line_struct][@caret_y]
+						st = b[:line_struct][0...@caret_y].reverse.compact.find { |st_| st_.struct.kind_of?(C::Struct) and st_[mn].struct == ar.struct }
+						raise '?' if not st
+						st = st.struct
+						m = st.fldlist[mn]
+					else
+						st = b[:line_struct][@caret_y].struct
+					end
+					inputbox("new name for #{m.name}", :text => m.name) { |nn|
+						m.name = nn
+						st.update_member_cache(@heap.cp)
+						gui_update
+					}
+				end
+			end
+		when ?e
+			# edit struct field value under the cursor
+			if b = @caret_box
+				# TODO b[:struct][line], b.[:member][line] (int for Arrays)
+				st = b[:line_struct][@caret_y]
+				mb = b[:line_member][@caret_y]
+				if st and mb
+					if mb.kind_of?(C::Variable) and mb.type.kind_of?(C::Array) and mb.type.type.kind_of?(C::BaseType) and mb.type.type.name == :char
+						defval = st[mb].to_array.pack('C*').gsub(/\0*$/, '').gsub(/[^\x20-\x7e]/, '.')
+						string = true
+					else
+						defval = st[mb]
+						string = false
+					end
+					inputbox("new value for #{mb.respond_to?(:name) ? mb.name : mb}", :text => defval.to_s) { |nn|
+						if string
+							am = st[mb]
+							(nn.unpack('C*') + [0]).each_with_index { |b_, i| am[i] = b_ }
+						else
+							st[mb] = Expression.parse_string(nn).reduce
+						end
+						gui_update
+					}
+				end
+			end
+		when ?x
+			# show heap xrefs to the hilighted chunk
+			if b = @caret_box
+				list = [['address', 'size']]
+				@heap.xrchunksfrom[b.id].to_a.each { |a|
+					list << [Expression[a], Expression[@heap.chunks[a]]]
+				}
+				if list.length == 1
+					messagebox "no xref to #{Expression[b.id]}"
+				else
+					listwindow("heap xrefs to #{Expression[b.id]}", list) { |i| @parent_widget.focus_addr(i[0], nil, true) }
+				end
+			end
+		when ?I
+			# insert new field in struct
+			if b = @caret_box
+				if m = b[:line_member][@caret_y]
+					if m.kind_of?(Integer)
+						# XXX Array, need to find the outer struct
+						mn = b[:line_text_col][@caret_y].map { |l, c| l }.join[/(\S*)\[/, 1]
+						ar = b[:line_struct][@caret_y]
+						st = b[:line_struct][0...@caret_y].reverse.compact.find { |st_| st_.struct.kind_of?(C::Struct) and st_[mn].struct == ar.struct }
+						raise '?' if not st
+						st = st.struct
+						m = st.fldlist[mn]
+					else
+						st = b[:line_struct][@caret_y].struct
+					end
+					inputbox("new type to insert before #{m.name}", :text => m.dump_def(@heap.cp.toplevel)[0].join(' ')) { |nn|
+						nil while @heap.cp.readtok
+						@heap.cp.lexer.feed nn
+						if not v = C::Variable.parse_type(@heap.cp, @heap.cp.toplevel, true)
+							nil while @heap.cp.readtok
+							raise 'bad type'
+						end
+						v.parse_declarator(@heap.cp, @heap.cp.toplevel)
+						nt = v.type
+						idx = st.members.index(m)
+						pos = st.offsetof(@heap.cp, m)
+						name = oname = v.name || ('unk_%x_new' % pos)
+						cntr = 0
+						while st.members.find { |m_| m_.name == name }
+							name = oname + "_#{cntr+=1}"
+						end
+						st.members[idx, 0] = [C::Variable.new(name, nt)]
+						st.update_member_cache(@heap.cp)
+						gui_update
+					}
+				end
+			end
+		when ?S
+			# delete structure field
+			if b = @caret_box
+				if m = b[:line_member][@caret_y]
+					if m.kind_of?(Integer)
+						# XXX Array, need to find the outer struct
+						mn = b[:line_text_col][@caret_y].map { |l, c| l }.join[/(\S*)\[/, 1]
+						ar = b[:line_struct][@caret_y]
+						st = b[:line_struct][0...@caret_y].reverse.compact.find { |st_| st_.struct.kind_of?(C::Struct) and st_[mn].struct == ar.struct }
+						raise '?' if not st
+						st = st.struct
+						m = st.fldlist[mn]
+					else
+						st = b[:line_struct][@caret_y].struct
+					end
+					inputbox("delete #{m.name} ?") { |nn|
+						idx = st.members.index(m)
+						st.members.delete_at(idx)
+						st.update_member_cache(@heap.cp)
+						gui_update
+					}
+				end
+			end
+		when ?+
+			# append blocks linked from the currently shown blocks to the display
+			@addr_struct.keys.each { |ak|
+				@heap.xrchunksto[ak].to_a.each { |nt|
+					next if @addr_struct[nt]
+					# TODO check if the pointer is a some_struct*
+					st = @heap.chunk_struct[nt] || create_struct(nt)
+					ed = @dasm.get_edata_at(nt)
+					@addr_struct[nt] = @heap.cp.decode_c_struct(st.name, ed.data, ed.ptr)
+				}
+			}
+			gui_update
+		when ?-
+			# remove graph leaves in an attempt to undo ?+
+			unk = @addr_struct.keys.find_all { |ak|
+				(@heap.xrchunksto[ak].to_a & @addr_struct.keys).empty?
+			}
+			unk.each { |ak| @addr_struct.delete ak if @addr_struct.length > 1 }
+			gui_update
+		else return super(k)
+		end
+		true
+	end
+	# create the graph objects in ctx
+	def build_ctx(ctx)
+		# create boxes
+		todo = ctx.root_addrs.dup & @addr_struct.keys
+		todo << @addr_struct.keys.first if todo.empty?
+		done = []
+		while a = todo.shift
+			next if done.include? a
+			done << a
+			ctx.new_box a, :line_text_col => [], :line_address => [], :line_struct => [], :line_member => []
+			todo.concat @heap.xrchunksto[a].to_a & @addr_struct.keys
+		end
+		# link boxes
+		if (@heap.xrchunksto[ctx.box.first.id].to_a & @addr_struct.keys).length == ctx.box.length - 1
+			ot = ctx.box[0].id
+			ctx.box[1..-1].each { |b_|
+				ctx.link_boxes(ot, b_.id)
+			}
+		else
+			ctx.box.each { |b|
+				@heap.xrchunksto[b.id].to_a.each { |t|
+					ctx.link_boxes(b.id, t) if @addr_struct[t]
+				}
+			}
+		end
+		if snapped
+			@datadiff = {}
+		end
+		# calc box dimensions/text
+		ctx.box.each { |b|
+			colstr = []
+			curaddr = b.id
+			curst = @addr_struct[b.id]
+			curmb = nil
+			margin = ''
+			start_addr = curaddr
+			if snapped
+				ghosts = snapped[curaddr]
+			end
+			line = 0
+			render = lambda { |str, col| colstr << [str, col] }
+			nl = lambda {
+				b[:line_address][line] = curaddr
+				b[:line_text_col][line] = colstr
+				b[:line_struct][line] = curst
+				b[:line_member][line] = curmb
+				colstr = []
+				line += 1
+			}
+			render_val = lambda { |v|
+				if v.kind_of?(::Integer)
+					if v > 0x100
+						render['0x%X' % v, :text]
+					elsif v < -0x100
+						render['-0x%X' % -v, :text]
+					else
+						render[v.to_s, :text]
+					end
+				elsif not v
+					render['NULL', :text]
+				else
+					render[v.to_s, :text]
+				end
+			}
+			render_st = nil
+			render_st_ar = lambda { |ast, m|
+				elemt = m.type.untypedef.type.untypedef
+				if elemt.kind_of?(C::BaseType) and elemt.name == :char
+					render[margin, :text]
+					render["#{m.type.type.to_s[1...-1]} #{m.name}[#{m.type.length}] = #{ast[m].to_array.pack('C*').sub(/\0.*$/m, '').inspect}", :text]
+					nl[]
+					curaddr += ast.cp.sizeof(m)
+				else
+					t = m.type.type.to_s[1...-1]
+					tsz = ast.cp.sizeof(m.type.type)
+					fust = curst
+					fumb = curmb
+					curst = ast[m]
+					ast[m].to_array.each_with_index { |v, i|
+						curmb = i
+						render[margin, :text]
+						if elemt.kind_of?(C::Union)
+							if m.type.untypedef.type.kind_of?(C::Union)
+								render[elemt.kind_of?(C::Struct) ? 'struct ' : 'union ', :text]
+								render["#{elemt.name} ", :text] if elemt.name
+							else # typedef
+								render["#{elemt.to_s[1...-1]} ", :text]
+							end
+							render_st[v]
+							render[" #{m.name}[#{i}]", :text]
+						else
+							render["#{t} #{m.name}[#{i}] = ", :text]
+							render_val[v]
+							@datadiff[curaddr] = true if ghosts and ghosts.all? { |g| g[curaddr-start_addr, tsz] == ghosts[0][curaddr-start_addr, tsz] } and ghosts[0][curaddr-start_addr, tsz] != ast.str[curaddr, tsz].to_str
+						end
+						render[';', :text]
+						nl[]
+						curaddr += tsz
+					}
+					curst = fust
+					curmb = fumb
+				end
+			}
+			render_st = lambda { |ast|
+				st_addr = curaddr
+				oldst = curst
+				oldmb = curmb
+				oldmargin = margin
+				render['{', :text]
+				nl[]
+				margin += '    '
+				curst = ast
+				ast.struct.members.each { |m|
+					curmb = m
+					curaddr = st_addr + ast.struct.offsetof(@heap.cp, m)
+					if bo = ast.struct.bitoffsetof(@heap.cp, m)
+						# float curaddr to make ghost hilight work on bitfields
+						curaddr += (1+bo[0])/1000.0
+					end
+					if m.type.untypedef.kind_of?(C::Array)
+						render_st_ar[ast, m]
+					elsif m.type.untypedef.kind_of?(C::Union)
+						render[margin, :text]
+						if m.type.kind_of?(C::Union)
+							render[m.type.kind_of?(C::Struct) ? 'struct ' : 'union ', :text]
+							render["#{m.type.name} ", :text] if m.type.name
+						else # typedef
+							render["#{m.type.to_s[1...-1]} ", :text]
+						end
+						oca = curaddr
+						render_st[ast[m]]
+						nca = curaddr
+						curaddr = oca
+						render[" #{m.name if m.name};", :text]
+						nl[]
+						curaddr = nca
+					else
+						render[margin, :text]
+						render["#{m.type.to_s[1...-1]} ", :text]
+						render["#{m.name} = ", :text]
+						render_val[ast[m]]
+						tsz = ast.cp.sizeof(m)
+						# TODO bit-level multighosting
+						if ghosts and ghosts.all? { |g| g[curaddr.to_i-start_addr, tsz] == ghosts[0][curaddr.to_i-start_addr, tsz] } and ghosts[0][curaddr.to_i-start_addr, tsz] != ast.str[curaddr.to_i, tsz].to_str
+							if bo
+								ft = C::BaseType.new((bo[0] + bo[1] > 32) ? :__int64 : :__int32)
+								v1 = @heap.cp.decode_c_value(ghosts[0][curaddr.to_i-start_addr, tsz], ft, 0)
+								v2 = @heap.cp.decode_c_value(ast.str[curaddr.to_i, tsz], ft, 0)
+								@datadiff[curaddr] = true if (v1 >> bo[0]) & ((1 << bo[1])-1) != (v2 >> bo[0]) & ((1 << bo[1])-1)
+							else
+								@datadiff[curaddr] = true
+							end
+						end
+						render[';', :text]
+						if m.type.kind_of?(C::Pointer) and m.type.type.kind_of?(C::BaseType) and m.type.type.name == :char
+							if s = @dasm.decode_strz(ast[m], 32)
+								render["    // #{s.inspect}", :comment]
+							end
+						end
+						nl[]
+						curaddr += tsz
+						curaddr = curaddr.to_i if bo
+					end
+				}
+				margin = oldmargin
+				curst = oldst
+				curmb = oldmb
+				render[margin, :text]
+				render['}', :text]
+			}
+			ast = @addr_struct[curaddr]
+			render["struct #{ast.struct.name} *#{'0x%X' % curaddr} = ", :text]
+			render_st[ast]
+			render[';', :text]
+			nl[]
+			b.w = b[:line_text_col].map { |strc| strc.map { |s, c| s }.join.length }.max.to_i * @font_width + 2
+			b.w += 1 if b.w % 2 == 0
+			b.h = line * @font_height
+		}
+	end
+	def struct_find_roots(addr)
+		addr = @addr_struct.keys.find { |a| addr >= a and addr < a+@addr_struct[a].sizeof } if not @addr_struct[addr]
+		todo = [addr]
+		done = []
+		roots = []
+		default_root = nil
+		while a = todo.shift
+			if done.include?(a) # cycle
+				default_root ||= a
+				next
+			end
+			done << a
+			newf = @heap.xrchunksfrom[a].to_a & @addr_struct.keys
+			if newf.empty?
+				roots << a
+			else
+				todo.concat newf
+			end
+		end
+		roots << default_root if roots.empty? and default_root
+		roots
+	end
+	def focus_addr(addr, fu=nil)
+		return if @parent_widget and not addr = @parent_widget.normalize(addr)
+		# move window / change curcontext
+		if b = @curcontext.box.find { |b_| b_[:line_address].index(addr) }
+			@caret_box, @caret_x, @caret_y = b, 0, b[:line_address].rindex(addr)
+			@curcontext.view_x += (width/2 / @zoom - width/2)
+			@curcontext.view_y += (height/2 / @zoom - height/2)
+			@zoom = 1.0
+			focus_xy(b.x, b.y + @caret_y*@font_height)
+			update_caret
+		elsif addr_struct and (@addr_struct[addr] or @addr_struct.find { |a, s| addr >= a and addr < a+s.sizeof })
+			@curcontext = Graph.new 'testic'
+			@curcontext.root_addrs = struct_find_roots(addr)
+			@want_focus_addr = addr
+			gui_update
+		elsif @heap.chunks[addr]
+			@want_focus_addr = addr
+			do_focus_addr(addr)
+		else
+			return
+		end
+		true
+	end
+	def do_focus_addr(addr)
+		st = @heap.chunk_struct[addr] || create_struct(addr)
+		ed = @dasm.get_edata_at(addr)
+		@addr_struct = { addr => @heap.cp.decode_c_struct(st.name, ed.data, ed.ptr) }
+		gui_update
+	end
+	# create the struct chunk_<addr>, register it in @heap.chunk_struct
+	def create_struct(addr)
+		raise "no chunk here" if not @heap.chunks[addr]
+		ptsz = @dasm.cpu.size/8
+		# check if this is a c++ object with RTTI info
+		vptr = @dasm.decode_dword(addr)
+		rtti = @dasm.decode_dword(vptr-ptsz)
+		case OS.shortname
+		when 'winos'
+			typeinfo = @dasm.decode_dword(rtti+3*ptsz) if rtti
+			if typeinfo and s = @dasm.decode_strz(typeinfo+3*ptsz)
+				rtti_name = s[/^(.*)@@$/, 1]	# remove trailing @@
+			end
+		when 'linos'
+			typeinfo = @dasm.decode_dword(rtti+ptsz) if rtti
+			if typeinfo and s = @dasm.decode_strz(typeinfo)
+				rtti_name = s[/^[0-9]+(.*)$/, 1]	# remove leading number
+			end
+		end
+		if rtti_name and st = @heap.cp.toplevel.struct[rtti_name]
+			return @heap.chunk_struct[addr] = st
+		end
+		st = C::Struct.new
+		st.name = rtti_name || "chunk_#{'%x' % addr}"
+		st.members = []
+		li = 0
+		(@heap.chunks[addr] / ptsz).times { |i|
+			n = 'unk_%x' % (ptsz*i)
+			v = @dasm.decode_dword(addr+ptsz*i)
+			if i == 0 and rtti_name
+				t = C::Pointer.new(C::Pointer.new(C::BaseType.new(:void)))
+				n = 'vtable'
+			elsif @heap.chunks[v]
+				t = C::Pointer.new(C::BaseType.new(:void))
+			else
+				t = C::BaseType.new("__int#{ptsz*8}".to_sym, :unsigned)
+			end
+			st.members << C::Variable.new(n, t)
+			li = i+1
+		}
+		(@heap.chunks[addr] % ptsz).times { |i|
+			n = 'unk_%x' % (ptsz*li+i)
+			t = C::BaseType.new(:char, :unsigned)
+			st.members << C::Variable.new(n, t)
+		}
+		@heap.cp.toplevel.struct[st.name] = st
+		@heap.chunk_struct[addr] = st
+	end
+	def snap
+		if not snapped
+			@datadiff = {}
+			ocb = @parent_widget.bg_color_callback
+			@parent_widget.bg_color_callback = lambda { |a|
+				if @datadiff[a]
+					'f88'
+				elsif ocb
+					ocb[a]
+				end
+			}
+		end
+		@snapped = {}
+		@addr_struct.each { |a, ast|
+			@snapped[a] = [ast.str[ast.stroff, ast.sizeof].to_str]
+		}
+	end
+	def snap_add
+		return snap if not snapped
+		@addr_struct.each { |a, ast|
+			(@snapped[a] ||= []) << ast.str[ast.stroff, ast.sizeof].to_str
+		}
+	end
+	def get_cursor_pos
+		[super, addr_struct]
+	end
+	def set_cursor_pos(p)
+		s, @addr_struct = p
+		super(s)
+	end
+end
+end
+end