metasm 1.0.3 → 1.0.4

data/metasm/disassemble_api.rb

@@ -130,11 +130,6 @@ class DecodedInstruction
 	end
 end
 
-class CPU
-	# compat alias, for scripts using older version of metasm
-	def get_backtrace_binding(di) backtrace_binding(di) end
-end
-
 class Disassembler
 	# access the default value for @@backtrace_maxblocks for newly created Disassemblers
 	def self.backtrace_maxblocks ; @@backtrace_maxblocks ; end
@@ -210,8 +205,8 @@ class Disassembler
 	alias instructionblocks each_instructionblock
 
 	# return a backtrace_binding reversed (akin to code emulation) (but not really)
-	def get_fwdemu_binding(di, pc=nil)
-		@cpu.get_fwdemu_binding(di, pc)
+	def get_fwdemu_binding(di, pc=nil, dbg_ctx=nil)
+		@cpu.get_fwdemu_binding(di, pc, dbg_ctx)
 	end
 
 	# reads len raw bytes from the mmaped address space
@@ -276,7 +271,7 @@ class Disassembler
 		if b = block_at(from_addr)
 			b.add_to_normal(addr)
 		end
-		@addrs_todo << [addr, from_addr]
+		@addrs_todo << { :addr => addr, :from => from_addr }
 		disassemble
 	end
 
@@ -286,6 +281,12 @@ class Disassembler
 		e.inv_export[e.ptr] if e
 	end
 
+	# return the array of all labels associated to an addr
+	def get_all_labels_at(addr)
+		addr = normalize(addr)
+		label_alias[addr].to_a
+	end
+
 	# sets the label for the specified address
 	# returns nil if the address is not mapped
 	# memcheck is passed to get_section_at to validate that the address is mapped
@@ -295,6 +296,7 @@ class Disassembler
 		e, b = get_section_at(addr, memcheck)
 		if not e
 		elsif not l = e.inv_export[e.ptr] or (!overwrite and l != name)
+			split_block(addr)
 			l = @program.new_label(name)
 			e.add_export l, e.ptr
 			@label_alias_cache = nil
@@ -683,7 +685,7 @@ class Disassembler
 	# give something equivalent to the code accessible from the (list of) entrypoints given
 	# from the @decoded dasm graph
 	# assume all jump targets have a matching label in @prog_binding
-	# may add inconditionnal jumps in the listing to preserve the code flow
+	# may add inconditional jumps in the listing to preserve the code flow
 	def flatten_graph(entry, include_subfunc=true)
 		ret = []
 		entry = [entry] if not entry.kind_of? Array
@@ -691,11 +693,16 @@ class Disassembler
 		done = []
 		inv_binding = @prog_binding.invert
 		while addr = todo.pop
-			next if done.include? addr or not di_at(addr)
+			next if done.include?(addr)
 			done << addr
-			b = @decoded[addr].block
 
 			ret << Label.new(inv_binding[addr]) if inv_binding[addr]
+			if not di_at(addr)
+				ret << @cpu.instr_jump_stop
+				next
+			end
+
+			b = @decoded[addr].block
 			ret.concat b.list.map { |di| di.instruction }
 
 			b.each_to_otherfunc(self) { |to|
@@ -709,8 +716,8 @@ class Disassembler
 
 			if not di = b.list[-1-@cpu.delay_slot] or not di.opcode.props[:stopexec] or di.opcode.props[:saveip]
 				to = b.list.last.next_addr
-				if todo.include? to
-					if done.include? to or not di_at(to)
+				if todo.include?(to) and di_at(to)
+					if done.include?(to)
 						if not to_l = inv_binding[to]
 							to_l = auto_label_at(to, 'loc')
 							if done.include? to and idx = ret.index(@decoded[to].block.list.first.instruction)
@@ -721,6 +728,8 @@ class Disassembler
 					else
 						todo << to	# ensure it's next in the listing
 					end
+				else
+					ret << @cpu.instr_jump_stop
 				end
 			end
 		end
@@ -977,7 +986,7 @@ class Disassembler
 	end
 
 	# loads a map file (addr => symbol)
-	# off is an optionnal offset to add to every address found (for eg rebased binaries)
+	# off is an optional offset to add to every address found (for eg rebased binaries)
 	# understands:
 	#  standard map files (eg linux-kernel.map: <addr> <type> <name>, e.g. 'c01001ba t setup_idt')
 	#  ida map files (<sectionidx>:<sectionoffset> <name>)
@@ -996,7 +1005,7 @@ class Disassembler
 				# we do not have section load order, let's just hope that the addresses are sorted (and sortable..)
 				#  could check the 1st part of the file, with section sizes, but it is not very convenient
 				# the regexp is so that we skip the 1st part with section descriptions
-				# in the file, section 1 is the 1st section ; we have an additionnal section (exe header) which fixes the 0-index
+				# in the file, section 1 is the 1st section ; we have an additional section (exe header) which fixes the 0-index
 				# XXX this is PE-specific, TODO fix it for ELF (ida references sections, we reference segments...)
 				addr = sks[$1.to_i(16)] + $2.to_i(16) + off
 				set_label_at(addr, $3, false, !seen[addr])
@@ -1137,7 +1146,11 @@ class Disassembler
 				addr = Expression.parse(pp).reduce
 				len = Expression.parse(pp).reduce
 				edata = EncodedData.new(data.unpack('m*').first, :virtsize => len)
-				add_section(addr, edata)
+				# check for an existing section, eg from binarypath
+				existing_section = get_section_at(addr)
+				if not existing_section or existing_section[0].data.to_str != edata.data.to_str
+					add_section(addr, edata)
+				end
 			when 'map'
 				load_map data
 			when 'decoded'
@@ -1741,7 +1754,7 @@ class Disassembler
 	end
 
 	# same as load_plugin, but hides the @gui attribute while loading, preventing the plugin do popup stuff
-	# this is useful when you want to load a plugin from another plugin to enhance the plugin's functionnality
+	# this is useful when you want to load a plugin from another plugin to enhance the plugin's functionality
 	# XXX this also prevents setting up kbd_callbacks etc..
 	def load_plugin_nogui(plugin_filename)
 		oldgui = gui

data/metasm/dynldr.rb

@@ -5,7 +5,7 @@
 
 # This sample creates the dynldr.so ruby shared object that allows interaction with
 # native libraries
-# x86 only for now
+# x86/x64 only for now
 
 module Metasm
 class DynLdr
@@ -1229,7 +1229,7 @@ EOS
 		cp.alloc_c_struct(structname, values)
 	end
 
-	# return a C::AllocCStruct mapped over the string (with optionnal offset)
+	# return a C::AllocCStruct mapped over the string (with optional offset)
 	# str may be an EncodedData
 	def self.decode_c_struct(structname, str, off=0)
 		str = str.data if str.kind_of? EncodedData

data/metasm/encode.rb

@@ -214,8 +214,14 @@ class ExeFormat
 
 				raise EncodeError, "cannot find candidate in #{elem.inspect}, immediate too big #{wantsize.inspect} #{target_bounds.inspect}" if acceptable.empty?
 
-				# keep the shortest
-				acceptable.sort_by { |edata| edata.virtsize }.first
+				# keep the shortest, use a hack make sort consistent in all cases
+				# see https://8thlight.com/blog/will-warner/2013/03/26/stable-sorting-in-ruby.html
+				n = 0
+				mod_map = acceptable.map { |edata| n += 1 ; [[edata.virtsize, n], edata] }
+				interm_sort = mod_map.sort { |left, right| left[0] <=> right[0] }
+				mod_sort_result = interm_sort.collect { |edata| edata[1] }
+				result = mod_sort_result.first
+				result
 			else
 				elem
 			end

data/metasm/exe_format/autoexe.rb

@@ -37,6 +37,7 @@ end
 
 # register a new binary file signature
 def self.register_signature(sig, exe=nil, &b)
+	sig.force_encoding('binary') if sig.respond_to?(:force_encoding)
 	(@signatures ||= []) << [sig, exe || b]
 end
 
@@ -59,6 +60,7 @@ register_signature("dex\n") { DEX }
 register_signature("dey\n") { DEY }
 register_signature("\xfa\x70\x0e\x1f") { FatELF }
 register_signature("\x50\x4b\x03\x04") { ZIP }
+register_signature("\0asm") { WasmFile }
 register_signature('Metasm.dasm') { Disassembler }
 
 # replacement for AutoExe where #load defaults to a Shellcode of the specified CPU

data/metasm/exe_format/coff.rb

@@ -213,7 +213,7 @@ class COFF < ExeFormat
 	end
 
 	# tree-like structure, holds all misc data the program might need (icons, cursors, version information)
-	# conventionnally structured in a 3-level depth structure:
+	# conventionally structured in a 3-level depth structure:
 	#  I resource type (icon/cursor/etc, see +TYPES+)
 	#  II resource id (icon n1, icon 'toto', ...)
 	#  III language-specific version (icon n1 en, icon n1 en-dvorak...)
@@ -230,6 +230,12 @@ class COFF < ExeFormat
 		end
 	end
 
+	# unwind info
+	class ExceptionEntry < SerialStruct
+		# function start RVA, function end RVA, UNWIND_INFO RVA
+		words :func, :func_end, :unwind
+	end
+
 	# array of relocations to apply to an executable file
 	# when it is loaded at an address that is not its preferred_base_address
 	class RelocationTable < SerialStruct
@@ -258,9 +264,20 @@ class COFF < ExeFormat
 		end
 
 		class RSDS < SerialStruct
-			mem :guid, 16
+			word :guid_03
+			halfs :guid_45, :guid_67
+			bytes :guid_8, :guid_9, :guid_a, :guid_b, :guid_c, :guid_d, :guid_e, :guid_f
 			word :age
 			strz :pdbfilename
+
+			def guid
+				"%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X" % [guid_03, guid_45, guid_67, guid_8, guid_9, guid_a, guid_b, guid_c, guid_d, guid_e, guid_f]
+			end
+
+			# http path to pdb (compressed)
+			def msdl_url
+				"http://msdl.microsoft.com/download/symbols/#{pdbfilename}/#{guid.delete("-")}#{age}/#{pdbfilename.chop}_"
+			end
 		end
 	end
 
@@ -396,7 +413,8 @@ class COFF < ExeFormat
 	end
 
 	attr_accessor :header, :optheader, :directory, :sections, :endianness, :symbols, :bitsize,
-		:export, :imports, :resource, :certificates, :relocations, :debug, :tls, :loadconfig, :delayimports, :com_header
+		:export, :imports, :resource, :exception_table, :certificates,
+		:relocations, :debug, :tls, :loadconfig, :delayimports, :com_header
 
 	# boolean, set to true to have #decode() ignore the base_relocs directory
 	attr_accessor :nodecode_relocs

data/metasm/exe_format/coff_decode.rb

@@ -639,6 +639,17 @@ class COFF
 		resource.decode_version(self, lang)
 	end
 
+	# decode the exception table, holding the start and end of every function in the binary (x64)
+	# includes a pointer to the UNWIND_INFO structure for exception handling
+	def decode_exception_table
+		if et = @directory['exception_table'] and sect_at_rva(et[0])
+			@exception_table = []
+			(et[1]/12).times {
+				@exception_table << ExceptionEntry.decode(self)
+			}
+		end
+	end
+
 	# decodes certificate table
 	def decode_certificates
 		if ct = @directory['certificate_table']
@@ -782,6 +793,7 @@ class COFF
 		decode_exports
 		decode_imports
 		decode_resources
+		decode_exception_table
 		decode_certificates
 		decode_debug
 		decode_tls

data/metasm/exe_format/coff_encode.rb

@@ -172,6 +172,7 @@ class COFF
 			@iat_p ||= Expression[coff.label_at(edata['iat'].last, 0, 'iat'), :-, coff.label_at(coff.encoded, 0)]
 			edata['idata'] << super(coff)
 
+			@libname.force_encoding('BINARY') if @libname.respond_to?(:force_encoding)
 			edata['nametable'] << @libname << 0
 
 			ord_mask = 1 << (coff.bitsize - 1)
@@ -182,6 +183,7 @@ class COFF
 				else
 					edata['nametable'].align 2
 					ptr = coff.encode_xword(rva_end['nametable'])
+					i.name.force_encoding('BINARY') if i.name.respond_to?(:force_encoding)
 					edata['nametable'] << coff.encode_half(i.hint || 0) << i.name << 0
 				end
 				edata['ilt'] << ptr
@@ -510,8 +512,8 @@ class COFF
 
 			s.encoded.reloc.each { |off, rel|
 				# check that the relocation looks like "program_start + integer" when bound using the fake binding
-				# XXX allow :i32 etc
-				if rel.endianness == @endianness and [:u32, :a32, :u64, :a64].include?(rel.type) and
+				# TODO relocate refs to IAT (eg plt)
+				if rel.endianness == @endianness and [:i32, :u32, :a32, :i64, :u64, :a64].include?(rel.type) and
 				rel.target.bind(binding).reduce.kind_of?(Expression) and
 				Expression[rel.target, :-, startaddr].bind(binding).reduce.kind_of?(::Integer)
 					# winner !
@@ -519,7 +521,7 @@ class COFF
 					# build relocation
 					r = RelocationTable::Relocation.new
 					r.offset = off & 0xfff
-					r.type = { :u32 => 'HIGHLOW', :u64 => 'DIR64', :a32 => 'HIGHLOW', :a64 => 'DIR64' }[rel.type]
+					r.type = { '32' => 'HIGHLOW', '64' => 'DIR64' }[rel.type.to_s[1, 2]]
 
 					# check if we need to start a new relocation table
 					if rt.base_addr and (rt.base_addr & ~0xfff) != (off & ~0xfff)
@@ -626,6 +628,7 @@ class COFF
 				end
 			end
 			s.rawaddr = nil if s.rawaddr.kind_of?(::Integer)	# XXX allow to force rawaddr ?
+			s.name.force_encoding('BINARY') if s.name.respond_to?(:force_encoding)
 			s_table << s.encode(self)
 		}
 

data/metasm/exe_format/dex.rb

@@ -331,17 +331,27 @@ class DEX < ExeFormat
 	def decode_u4(edata = @encoded) edata.decode_imm(:u32, @endianness) end
 	def sizeof_u2 ; 2 ; end
 	def sizeof_u4 ; 4 ; end
+	def encode_uleb(val, signed=false)
+		v = val
+		out = EncodedData.new
+		while v > 0x7f or v < -0x40 or (signed and v > 0x3f)
+			out << Expression[0x80 | (v&0x7f)].encode(:u8, @endianness)
+			v >>= 7
+		end
+		out << Expression[v & 0x7f].encode(:u8, @endianness)
+	end
 	def decode_uleb(ed = @encoded, signed=false)
 		v = s = 0
-		while s < 5*7
+		while s < 10*7
 			b = ed.read(1).unpack('C').first.to_i
 			v |= (b & 0x7f) << s
-			break if (b&0x80) == 0
 			s += 7
+			break if (b&0x80) == 0
 		end
 		v = Expression.make_signed(v, s) if signed
 		v
 	end
+	def encode_sleb(val) encode_uleb(val, true) end
 	def decode_sleb(ed = @encoded) decode_uleb(ed, true) end
 	attr_accessor :header, :strings, :types, :protos, :fields, :methods, :classes
 
@@ -425,7 +435,7 @@ class DEX < ExeFormat
 			next if not c.data
 			(c.data.direct_methods + c.data.virtual_methods).each { |m|
 				n = @types[c.classidx] + '->' + m.name
-				dasm.comment[m.codeoff+m.code.insns_off] = [n]
+				dasm.add_comment m.codeoff+m.code.insns_off, n
 			}
 		}
 		dasm.function[:default] = @cpu.disassembler_default_func

data/metasm/exe_format/elf.rb

@@ -78,7 +78,8 @@ class ELF < ExeFormat
 		'MIPS' => {1 => 'NOREORDER', 2 => 'PIC', 4 => 'CPIC',
 			8 => 'XGOT', 0x10 => '64BIT_WHIRL', 0x20 => 'ABI2',
 			0x40 => 'ABI_ON32', 0x80 => 'OPTIONSFIRST',
-			0x100 => '32BITMODE'}
+			0x100 => '32BITMODE'},
+		'OPENRISC' => { 1 => 'NODELAY' },
 	}
 
 	DYNAMIC_TAG = { 0 => 'NULL', 1 => 'NEEDED', 2 => 'PLTRELSZ', 3 =>
@@ -391,7 +392,16 @@ class ELF < ExeFormat
 			11 => '32S', 12 => '16', 13 => 'PC16', 14 => '8',
 			15 => 'PC8', 16 => 'DTPMOD64', 17 => 'DTPOFF64',
 			18 => 'TPOFF64', 19 => 'TLSGD', 20 => 'TLSLD',
-			21 => 'DTPOFF32', 22 => 'GOTTPOFF', 23 => 'TPOFF32' }
+			21 => 'DTPOFF32', 22 => 'GOTTPOFF', 23 => 'TPOFF32' },
+		'OPENRISC' => { 0 => 'NONE', 1 => '32', 2 => '16', 3 => '8',
+			4 => 'LO_16_IN_INSN', 5 => 'HI_16_IN_INSN', 6 => 'INSN_REL_26', 7 => 'GNU_VTENTRY',
+			8 => 'GNU_VTINHERIT', 9 => '32_PCREL', 10 => '16_PCREL', 11 => '8_PCREL',
+			12 => 'GOTPC_HI16', 13 => 'GOTPC_LO16', 14 => 'GOT15', 15 => 'PLT26',
+			16 => 'GOTOFF_HI16', 17 => 'GOTOFF_LO16', 18 => 'COPY', 19 => 'GLOB_DAT',
+			20 => 'JMP_SLOT', 21 => 'RELATIVE', 22 => 'TLS_GD_HI16', 23 => 'TLS_GD_LO16',
+			24 => 'TLS_LDM_HI16', 25 => 'TLS_LDM_LO16', 26 => 'TLS_LDO_HI16', 27 => 'TLS_LDO_LO16',
+			28 => 'TLS_IE_HI16', 29 => 'TLS_IE_LO16', 30 => 'TLS_LE_HI16', 31 => 'TLS_LE_LO16',
+			32 => 'TLS_TPOFF', 33 => 'TLS_DTPOFF', 34 => 'TLS_DTPMOD' },
 	}
 
 	DEFAULT_INTERP = '/lib/ld-linux.so.2'

data/metasm/exe_format/elf_decode.rb

@@ -742,6 +742,52 @@ class ELF
 		Metasm::Relocation.new(Expression[target], :u32, @endianness) if target
 	end
 
+	def arch_decode_segments_reloc_openrisc(reloc)
+		if reloc.symbol.kind_of?(Symbol) and n = reloc.symbol.name and reloc.symbol.shndx == 'UNDEF' and @sections and
+			s = @sections.find { |s_| s_.name and s_.offset <= @encoded.ptr and s_.offset + s_.size > @encoded.ptr }
+			@encoded.add_export(new_label("#{s.name}_#{n}"), @encoded.ptr, true)
+		end
+
+		original_word = decode_word
+
+		# decode addend if needed
+		case reloc.type
+		when 'NONE' # no addend
+		else addend = reloc.addend || Expression.make_signed(original_word, 32)
+		end
+
+		case reloc.type
+		when 'NONE'
+		when '32', '32_PCREL'
+			target = reloc_target(reloc)
+			target = Expression[target, :-, reloc.offset] if reloc.type == '32_PCREL'
+			target = Expression[target, :+, addend] if addend and addend != 0
+		when 'INSN_REL_26'
+			target = reloc_target(reloc)
+			addend &= 0x3ff_ffff
+			target = Expression[target, :+, [addend, :<<, 2]] if addend and addend != 0
+			target = Expression[[original_word, :&, 0xfc0_0000], :|, [[target, :&, 0x3ff_ffff], :>>, 2]]
+		when 'HI_16_IN_INSN'
+			target = reloc_target(reloc)
+			addend &= 0xffff
+			target = Expression[target, :+, [addend, :<<, 16]] if addend and addend != 0
+			target = Expression[[original_word, :&, 0xffff_0000], :|, [[target, :>>, 16], :&, 0xffff]]
+		when 'LO_16_IN_INSN'
+			target = reloc_target(reloc)
+			addend &= 0xffff
+			target = Expression[target, :+, addend] if addend and addend != 0
+			target = Expression[[original_word, :&, 0xffff_0000], :|, [target, :&, 0xffff]]
+		when 'JMP_SLOT'
+			target = reloc_target(reloc)
+			target = Expression[target, :+, addend] if addend and addend != 0
+		else
+			puts "W: Elf: unhandled MIPS reloc #{reloc.inspect}" if $VERBOSE
+			target = nil
+		end
+
+		Metasm::Relocation.new(Expression[target], :u32, @endianness) if target
+	end
+
 	class DwarfDebug
 		# decode a DWARF2 'compilation unit'
 		def decode(elf, info, abbrev, str)
@@ -930,13 +976,14 @@ class ELF
 		case @header.machine
 		when 'X86_64'; X86_64.new
 		when '386'; Ia32.new
-		when 'MIPS'; (@header.flags.include?('32BITMODE') ? MIPS64 : MIPS).new @endianness
+		when 'MIPS'; (@header.flags.include?('32BITMODE') ? MIPS64 : MIPS).new(@endianness)
 		when 'PPC'; PPC.new
 		when 'ARM'; ARM.new
 		when 'AARCH64'; AArch64.new
 		when 'SH'; Sh4.new
 		when 'ARC_COMPACT'; ARC.new
 		when 'MSP430'; MSP430.new
+		when 'OPENRISC'; OpenRisc.new(:latest, @endianness, (@header.flags.include?('NODELAY') ? 0 : 1))
 		else raise "unsupported cpu #{@header.machine}"
 		end
 	end
@@ -1020,6 +1067,17 @@ EOC
 				d.function[Expression[fn]] = noret
 			}
 			d.function[:default] = @cpu.disassembler_default_func
+		when 'openrisc'
+			old_cp = d.c_parser
+			d.c_parser = nil
+			d.parse_c <<EOC
+void __libc_start_main(void(*)(), int, char**, void(*)(), void(*)()) __attribute__((noreturn));
+void __attribute__((noreturn)) exit(int);
+EOC
+			d.function[Expression['__libc_start_main']] = @cpu.decode_c_function_prototype(d.c_parser, '__libc_start_main')
+			d.function[Expression['exit']] = @cpu.decode_c_function_prototype(d.c_parser, 'exit')
+			d.c_parser = old_cp
+			d.function[:default] = @cpu.disassembler_default_func
 		end
 		d
 	end