metasm 1.0.3 → 1.0.4

data/metasm/preprocessor.rb

@@ -1176,7 +1176,7 @@ class Preprocessor
 				op = op.dup
 				op.raw << ntok.raw
 			# ok
-			when '^', '+', '-', '*', '/', '%', '>>', '<<', '>=', '<=', '||', '&&', '!=', '=='
+			when '^', '+', '-', '*', '/', '%', '>>', '<<', '>=', '<=', '||', '&&', '!=', '==', '?'
 			# unknown
 			else
 				lexer.unreadtok tok
@@ -1273,6 +1273,21 @@ class Preprocessor
 					stack << Expression.new(opstack.pop, stack.pop, stack.pop)
 				end
 
+				if op.value == :'?'
+					a1 = parse(lexer)
+					if not tok = lexer.readtok or tok.type != :punct or tok.raw != ':'
+						raise op, 'expected ":" ternary operator'
+					end
+					a2 = parse(lexer)
+					case Expression[stack.pop].reduce
+					when 0;         stack << a2
+					when ::Integer; stack << a1
+					else;           stack << a2
+					end
+
+					next
+				end
+
 				opstack << op.value
 
 				raise op, 'need rhs' if not e = parse_value(lexer)

data/misc/openrisc-parser.rb

@@ -0,0 +1,79 @@
+#!/usr/bin/ruby
+
+require 'xml'
+
+xml = Xml.parse_file(ARGV.shift || 'openrisc-insn.html')
+
+# [name, bin, args]
+addop = []
+# arg => [flds]
+valid_args = {}
+# field => [bitoff, bitmask]
+fields = {}
+
+xml.each('ul') { |ul|
+	syntax = nil
+	bits = []
+	vals = []
+	trno = 0
+	ul.each('li') { |li|
+		if li.children[0] == 'syntax:'
+			# <li>syntax:<tt><font>l.add $rd, $ra, $rb</font></tt></li>
+			syntax = li.children[1].children[0].children[0]
+		end
+	}
+	next if not syntax
+	ul.each('tr') { |tr|
+		case trno
+		when 0; tr.each('td') { |td| bits << td.children[0].split.map { |b| b.to_i } }
+		when 2; tr.each('td') { |td| vals << td.children.map { |v| v =~ /^0x/ ? v.to_i(16) : v.gsub('-', '') }.first }
+		end
+		trno += 1
+	}
+
+	iname = syntax.split[0].sub(/^l\./, '')
+	iargs = syntax.split[1].to_s.split(',').map { |a| a.gsub(/[${}-]/, '').gsub(/(\w+)\((\w+)\)/, '\2_\1') }
+	bin = bits.zip(vals).inject(0) { |b, (bt, bv)| bv.kind_of?(Integer) ? b | (bv << bt.last) : b }
+	addop << [iname, bin]
+
+	flds = bits.zip(vals).inject({}) { |h, (bt, bv)|
+		next h if bv.kind_of?(Integer)
+		blen = bt.first + 1 - bt.last
+		h.update bv => [bt.last, (1 << blen) - 1]
+	}
+	flds.each { |n, (o, m)|
+		if not fields[n]
+			fields[n] = [o, m]
+		elsif fields[n] != [o, m]
+			puts "# fields mismatch in #{iname} #{n}"
+		end
+	}
+
+	addop.last << iargs
+
+	iargs.each { |a|
+		a.split('_').each { |f|
+			if not flds.delete(f)
+				puts "# no field #{f} for arg #{a} in #{iname}"
+			end
+		}
+		valid_args[a] ||= a.split('_')
+	}
+	flds.each_key { |f|
+		puts "# no arg using #{f} in #{iname}"
+		a_i = "#{f}_ign"
+		valid_args[a_i] ||= [f]
+		addop.last.last << a_i
+	}
+}
+
+puts "\tdef init_cpu"
+puts "\t\t@opcode_list = []"
+puts "\t\t@valid_args = { #{valid_args.map { |a, f| ":#{a} => [#{f.map { |ff| ':' + ff }.join(', ')}]" }.join(', ')} }"
+puts "\t\t@fields_off = { #{fields.map { |k, v| ":#{k} => #{v[0]}" }.join(', ')} }"
+puts "\t\t@fields_mask = { #{fields.map { |k, v| ":#{k} => #{'0x%02X' % v[1]}" }.join(', ')} }"
+puts
+addop.each { |op|
+	puts "\t\taddop '#{op[0]}', #{'0x%08X' % op[1]}#{op[2].map { |a| ", :#{a}" }.join('')}"
+}
+puts "\tend"

data/samples/dasm-plugins/scanxrefs.rb

@@ -7,12 +7,14 @@
 # metasm dasm plugin: scan for xrefs to the target address, incl. relative offsets (eg near call/jmp)
 def scanxrefs(target)
 	ans = []
-	msk = (1 << cpu.size) - 1
+	csz = cpu.size
+	msk = (1 << csz) - 1
+	upq = (csz == 64 ? 'q' : 'V')
 	sections.sort.each { |s_addr, edata|
 		raw = edata.data.to_str
-		(0..raw.length-4).each { |off|
-			r = raw[off, 4].unpack('V').first
-			ans << (s_addr + off) if (r + off+4 + s_addr) & msk == target or r == target
+		(0..raw.length-csz/8).each { |off|
+			r = raw[off, csz/8].unpack(upq).first
+			ans << (s_addr + off) if (r + off+csz/8 + s_addr) & msk == target or r == target
 		}
 	}
 	ans

data/samples/dasm-plugins/selfmodify.rb

@@ -100,9 +100,9 @@ def self.emu(dasm, addr)
 	loop_again_cond = Expression[:'!', loop_again_cond] if dasm.decoded[a_cond].next_addr != a_out
 
 	init_bd = {}
-	loop_bd.keys.grep(Symbol).each { |reg|
-		bt = dasm.backtrace(reg, a_pre, :include_start => true)
-		init_bd[reg] = bt.first if bt.length == 1 and bt.first != Metasm::Expression::Unknown and bt.first != Metasm::Expression[reg]
+	loop_bd.values.map { |v| v.externals }.flatten.uniq.each { |ext|
+		bt = dasm.backtrace(ext, a_pre, :include_start => true)
+		init_bd[ext] = bt.first if bt.length == 1 and bt.first != Metasm::Expression::Unknown and bt.first != Metasm::Expression[ext]
 	}
 
 	# reject non-determinist memory write
@@ -115,11 +115,11 @@ def self.emu(dasm, addr)
 	loop do
 		# the effects of the loop
 		post_bd = loop_bd.inject({}) { |bd, (k, v)|
-	       		if k.kind_of? Metasm::Indirection
+			if k.kind_of? Metasm::Indirection
 				k = k.bind(pre_bd).reduce_rec
 				raise "bad ptr #{k}" if not dasm.get_section_at(k.pointer.reduce)
 			end
-		       	bd.update k => Metasm::Expression[v.bind(pre_bd).reduce]
+			bd.update k => Metasm::Expression[v.bind(pre_bd).reduce]
 		}
 
 		# the indirections used by the loop
@@ -139,7 +139,7 @@ def self.emu(dasm, addr)
 
 		break if loop_again_cond.bind(post_bd).reduce == 0
 
-		pre_bd = post_bd
+		pre_bd.update(post_bd)
 		pre_bd.delete_if { |k, v| not k.kind_of? Symbol }
 	end
 
@@ -166,7 +166,7 @@ def self.find_loop(dasm, addr)
 	first = b1.address
 	last = b2.list.last.address
 	post = (b2.to_normal - [b1.address]).first
-	loop_bd = dasm.code_binding(first, post)
+	loop_bd = dasm.code_binding(first, post, :include_flags => true)
 
 	[pre, first, last, post, loop_bd]
 end
@@ -179,7 +179,7 @@ def self.redirect(dasm, addr)
 		b.to_normal.map! { |tn| dasm.normalize(tn) == addr ? newto : tn }
 		dasm.add_xref(newto, Metasm::Xref.new(:x, b.list.last.address))
 		b.list.last.add_comment "x:#{newto}"
-		dasm.addrs_todo << [newto, b.list.last.address]
+		dasm.addrs_todo << { :addr => newto, :from => b.list.last.address }
 	}
 end
 end

data/samples/dbg-plugins/trace_func.rb

@@ -92,7 +92,7 @@ end
 # retrieve an instructionblock, disassemble if needed
 def trace_get_block(addr)
 	# TODO trace all blocks from addr for which we know the target, stop on call / jmp [foo]
-	disassembler.disassemble_fast_block(addr)
+	disassembler.disassemble_fast(addr)
 	if di = disassembler.di_at(addr)
 		di.block
 	end

data/samples/disassemble-gui.rb

@@ -51,6 +51,7 @@ OptionParser.new { |opt|
 	opt.on('-d', '--debug') { $DEBUG = $VERBOSE = true }
 	opt.on('-S <file>', '--session <sessionfile>', 'save user actions in this session file') { |a|  opts[:session] = a }
 	opt.on('-N', '--new-session', 'start new session, discard old one') { opts[:newsession] = true }
+	opt.on('-A', '--disassemble-all-entrypoints') { opts[:dasm_all] = true }
 }.parse!(ARGV)
 
 case exename = ARGV.shift
@@ -83,6 +84,7 @@ else
 end
 
 ep = ARGV.map { |arg| (?0..?9).include?(arg[0]) ? Integer(arg) : arg }
+ep += exe.get_default_entrypoints if opts[:dasm_all]
 
 if exe
 	dasm = exe.disassembler
@@ -91,8 +93,7 @@ if exe
 	dasm.parse_c_file opts[:cheader] if opts[:cheader]
 	dasm.backtrace_maxblocks_data = -1 if opts[:nodatatrace]
 	dasm.debug_backtrace = true if opts[:debugbacktrace]
-	dasm.callback_finished = lambda { w.dasm_widget.focus_addr w.dasm_widget.curaddr, :decompile ; dasm.decompiler.finalize } if opts[:decompile]
-	dasm.disassemble_fast_deep(*ep) if opts[:fast]
+	dasm.callback_finished = lambda { dasm.callback_finished = nil ; w.dasm_widget.focus_addr w.dasm_widget.curaddr, :decompile ; dasm.decompiler.finalize } if opts[:decompile]
 elsif dbg
 	dbg.load_map opts[:map] if opts[:map]
 	dbg.disassembler.parse_c_file opts[:cheader] if opts[:cheader]
@@ -104,8 +105,10 @@ elsif dbg
 		end
 	}
 end
+
 if dasm
-	w.display(dasm, ep)
+	w.display(dasm)
+	w.dasm_widget.focus_addr(ep.first) if not ep.empty?
 	opts[:plugin].to_a.each { |p|
 		begin
 			dasm.load_plugin(p)
@@ -113,6 +116,13 @@ if dasm
 			puts "Error with plugin #{p}: #{$!.class} #{$!}"
 		end
 	}
+	ep.each { |eep|
+		if opts[:fast]
+			w.dasm_widget.disassemble_fast_deep(eep)
+		else
+			w.dasm_widget.disassemble(eep)
+		end
+	}
 
 	if opts[:session]
 		if File.exist?(opts[:session])
@@ -130,3 +140,4 @@ end
 opts[:hookstr].to_a.each { |f| eval f }
 
 Metasm::Gui.main
+

data/samples/emubios.rb

@@ -0,0 +1,251 @@
+#!/usr/bin/ruby
+
+# Sample to show the EmuDebugger working on X86 16bit realmode code (eg hard disk MBR)
+
+require 'metasm'
+include Metasm
+
+# use global vars for read_sector()
+$dasm = $dbg = nil
+
+$rawname = ARGV.shift || 'mbr.bin'
+cpu = Ia32.new(16)
+# add register tracking for the segment registers
+cpu.dbg_register_list << :cs << :ds << :es << :fs << :gs << :ss
+$dasm = dasm = Shellcode.new(Ia32.new(16), 0).disassembler
+dasm.backtrace_maxblocks_data = -1
+
+# initial memory
+dasm.add_section(EncodedData.new("\x00"*0x40000), 0)
+
+# read one sector from the drive to memory, invalidate already disassembled instruction from the address range
+def read_sector(addr, fileoff, len)
+	e, o = $dasm.get_section_at(addr)
+	$dasm.decoded.keys.grep(addr..(addr+len)).each { |k| $dasm.decoded.delete k }
+	raw_chunk = File.open($rawname, 'rb') { |fd| fd.pos = fileoff ; fd.read len } || ''
+	raw_chunk << 0.chr until raw_chunk.length >= len
+	e[e.ptr, len] = raw_chunk
+	$dbg.invalidate if $dbg
+end
+
+# load as BIOS MBR code
+read_sector(0x7c00, 0, 0x200)
+
+# buffer used for int 16h read keyboard
+$stdin_buf = "moo\r\n"
+
+$dbg = dbg = Metasm::EmuDebugger.new(dasm)
+dbg.set_reg_value(:eip, 0x7c00)
+dbg.set_reg_value(:esp, 0x7c00)
+
+# reset trace file
+File.open('emudbg.trace', 'w') {}
+def trace(thing)
+	File.open('emudbg.trace', 'a') { |fd| fd.puts thing }
+end
+def puts_trace(str)
+	trace str
+	puts str
+end
+
+# custom emulation of various instrs for realmode-specific behavior
+# this is a very bad realmode emulator
+# eg segment selectors are mostly ignored except for a few specific cases described here
+# seems to work for the few crackme i worked on !
+dbg.callback_emulate_di = lambda { |di|
+	puts di if $VERBOSE
+	trace di
+	case di.opcode.name
+	when 'jmp'
+		tg = di.instruction.args.first
+		if di.address == dbg.resolve(tg)
+			# break from simulation on ebfe
+			puts "EB FE !"
+			dbg.bpx(di.address)
+			break true
+		elsif tg.kind_of?(Ia32::Farptr)
+			# handle far jumps
+			dbg.pc = dbg.resolve(Expression[[tg.seg, :<<, 4], :+, tg.addr])
+			break true
+		end
+	when 'retf.i16'
+		# XXX really ss:esp, but we'd need to fix push/pop etc too, so keep to 0:esp for now
+		w1 = dbg.memory_read_int(:esp, 2)
+		dbg.set_reg_value(:esp, dbg.resolve(Expression[:esp, :+, 2]))
+		w2 = dbg.memory_read_int(:esp, 2)
+		dbg.set_reg_value(:esp, dbg.resolve(Expression[:esp, :+, 2]))
+		dbg.set_reg_value(:cs, w2)
+		dbg.pc = dbg.resolve(Expression[[w2, :<<, 4], :+, w1])
+		break true
+	when 'ret'
+		w1 = dbg.memory_read_int(:esp, 2)
+		dbg.set_reg_value(:esp, dbg.resolve(Expression[:esp, :+, 2]))
+		dbg.pc = dbg.resolve(Expression[[:cs, :<<, 4], :+, w1])
+		break true
+	when 'lodsb'
+		# read from ds:si instead of 0:esi
+		# XXX rep
+		dbg.set_reg_value(:eax, dbg.resolve(Expression[[:eax, :&, 0xffffff00], :|, Indirection[[[:ds, :<<, 4], :+, [:esi, :&, 0xffff]], 1]]))
+		dbg.set_reg_value(:esi, dbg.resolve(Expression[[:esi, :&, 0xffff0000], :|, [[:esi, :&, 0xffff], :+, 1]]))
+		dbg.pc += di.bin_length
+		true
+	when 'lodsd'
+		# read from ds:si instead of 0:esi
+		# XXX rep
+		dbg.set_reg_value(:eax, dbg.resolve(Expression[Indirection[[[:ds, :<<, 4], :+, [:esi, :&, 0xffff]], 4]]))
+		dbg.set_reg_value(:esi, dbg.resolve(Expression[[:esi, :&, 0xffff0000], :|, [[:esi, :&, 0xffff], :+, 4]]))
+		dbg.pc += di.bin_length
+		true
+	when 'stosd'
+		# write to es:di instead of 0:edi
+		# XXX rep
+		dbg.memory_write_int(Expression[[:es, :<<, 4], :+, [:edi, :&, 0xffff]], :eax, 4)
+		dbg.set_reg_value(:edi, dbg.resolve(Expression[[:edi, :&, 0xffff0000], :|, [[:edi, :&, 0xffff], :+, 4]]))
+		dbg.pc += di.bin_length
+		true
+	when /movs([bwdq])/
+		sz = { 'b' => 1, 'w' => 2, 'd' => 4, 'q' => 8 }[$1]
+		# XXX repz
+		if di.instruction.prefix[:rep]
+			count = dbg[:ecx] & 0xffff
+		else
+			count = 1
+		end
+		count.times {
+			val = dbg.resolve(Expression[Indirection[[[:ds, :<<, 4], :+, [:esi, :&, 0xffff]], sz]])
+			dbg.memory_write_int(Expression[[:es, :<<, 4], :+, [:edi, :&, 0xffff]], val, sz)
+			dbg[:esi] = (dbg[:esi] + sz) & 0xffff
+			dbg[:edi] = (dbg[:edi] + sz) & 0xffff
+			dbg[:ecx] -= 1 if di.instruction.prefix[:rep]
+		}
+		dbg.pc += di.bin_length
+		true
+	when 'les'
+		dst = di.instruction.args[0].symbolic(di)
+		dst = dst.externals.first if dst.kind_of?(Expression)
+		src = di.instruction.args[1].symbolic(di)
+		dbg.set_reg_value(dst, dbg.resolve(Indirection[[[:es, :<<, 4], :+, src.pointer], 2]))
+		dbg.pc += di.bin_length
+		true
+	when 'div'
+		op = di.instruction.args[0].symbolic(di)
+		sz = op.kind_of?(Expression) ? { 0xff => 1, 0xffff => 2 }[op.rexpr] : 4
+		dv = dbg.resolve(op)
+		case sz
+		when 1
+			dv2 = dbg[:eax] & 0xffff
+			dbg[:eax] = ((dv2 / dv) & 0xff) | (((dv2 % dv) & 0xff) << 8)
+		when 2
+			dv2 = ((dbg[:edx] & 0xffff) << 16) | (dbg[:eax] & 0xffff)
+			dbg[:eax] = (dv2 / dv) & 0xffff
+			dbg[:edx] = (dv2 % dv) & 0xffff
+		when 4
+			dv2 = (dbg[:edx] << 32) | dbg[:eax]
+			dbg[:eax] = (dv2 / dv)
+			dbg[:edx] = (dv2 % dv)
+		end
+		dbg.pc += di.bin_length
+		true
+	when 'loop'
+		# movzx ecx, cx
+		dbg.set_reg_value(:ecx, dbg.resolve(Expression[:ecx, :&, 0xffff]))
+		false
+	when 'int'
+		intnr = di.instruction.args.first.reduce
+		eax = dbg[:eax]
+		ah = (eax >> 8) & 0xff
+		al = eax & 0xff
+		case intnr
+		when 0x10
+			# print screen interrupt
+			$screenbuf ||= []
+			$screenx ||= 0
+			$screeny ||= 0
+			case ah
+			when 0x00
+				$screenbuf = []
+				$screenx = 0
+				$screeny = 0
+			when 0x02
+				dh = (dbg[:edx] >> 8) & 0xff
+				dl = dbg[:edx] & 0xff
+				puts_trace "movc(#{dh}, #{dl})"
+				puts $screenbuf
+				$screenx = dl
+				$screeny = dh
+			when 0x0e
+				puts_trace "putc(#{[al].pack('C*').inspect})"
+				$screenbuf << '' until $screenbuf.length > $screeny
+				$screenbuf[$screeny] << '.' until $screenbuf[$screeny].length > $screenx
+				$screenbuf[$screeny][$screenx, 1] = [al].pack('C*')
+				$screenx += 1
+			else
+				puts_trace "unk int #{'%02xh' % intnr} #{'%02x' % ah}"
+			end
+		when 0x13
+			# read disk interrupt
+			drive_nr = dbg[:edx] & 0xff
+			case ah
+			when 0x00
+				dbg.unset_flag(:c)
+				puts_trace "reset_disk_drive #{'%x' % drive_nr}"
+			when 0x02
+				sect_cnt = al
+				sect_c = ((dbg[:ecx] >> 8) & 0xff) | ((dbg[:ecx] << 2) & 0x300)
+				sect_h = (dbg[:edx] >> 8) & 0xff
+				sect_s = (dbg[:ecx] & 0x3f)
+				sect_lba = (sect_c * 16 + sect_h) * 63 + sect_s - 1
+				sect_drv = dbg[:edx] & 0xff
+				dst_addr = dbg[:es] * 16 + dbg[:ebx]
+				puts_trace "read #{sect_cnt} sect at #{'%03X:%02X:%02X' % [sect_c, sect_h, sect_s]} (#{'0x%X' % sect_lba}) to #{'0x%X' % dst_addr} drv #{'%x' % drive_nr}"
+				read_sector(dst_addr, sect_lba * 512, sect_cnt * 512)
+			when 0x08
+				dbg.unset_flag(:c)
+				dbg[:eax] = 0		# ah = return code
+				dbg[:ebx] = 0		# bl = drive type
+				dbg[:ecx] = 0x1010	# ch = cyl_max, cl >> 6 = cyl_max_hi, cl & 3f = sector_per_track
+				dbg[:edx] = 0x1001	# dh = head_max, dl = nr_of_drives
+				puts_trace "read_drive_parameters #{'%x' % drive_nr}"
+			when 0x41
+				dbg.unset_flag(:c)
+				dbg[:ebx] = 0xaa55
+				dbg[:ecx] = 1		# 1: device access through packet structure (cf 42), 2: lock & eject, 4: enhanced drive support
+				puts_trace "drive_check_extension_present #{'%x' % drive_nr}"
+			when 0x42
+				sect_cnt = dbg.memory_read_int(Expression[[:ds, :<<, 4], :+, [[:esi, :+, 2], :&, 0xffff]], 2)
+				dst_addr = dbg.memory_read_int(Expression[[:ds, :<<, 4], :+, [[:esi, :+, 4], :&, 0xffff]], 2)
+				dst_seg  = dbg.memory_read_int(Expression[[:ds, :<<, 4], :+, [[:esi, :+, 6], :&, 0xffff]], 2)
+				sect_lba = dbg.memory_read_int(Expression[[:ds, :<<, 4], :+, [[:esi, :+, 8], :&, 0xffff]], 8)
+				dst_addr += dst_seg << 4
+				puts_trace "read extended #{sect_cnt} sect at #{'0x%X' % sect_lba} to #{'0x%X' % dst_addr} drv #{'%x' % drive_nr}"
+				read_sector(dst_addr, sect_lba * 512, sect_cnt * 512)
+			else
+				puts_trace "unk int #{'%02xh' % intnr} #{'%02x' % ah}"
+			end
+		when 0x16
+			# read keyboard interrupt
+			case ah
+			when 0x00
+				al = $stdin_buf.unpack('C').first || 0
+				$stdin_buf[0, 1] = ''
+				dbg[:eax] = al
+				puts_trace "getc => #{[al].pack('C*').inspect}"
+			else
+				puts_trace "unk int #{'%02xh' % intnr} #{'%02x' % ah}"
+			end
+		else
+			puts_trace "unk int #{'%02xh' % intnr} #{'%02x' % ah}"
+		end
+		dbg.pc += di.bin_length
+		true
+	end
+}
+
+# Start the GUI
+Gui::DbgWindow.new.display(dbg)
+# some pretty settings for the initial view
+dbg.gui.run_command('wd 16')
+dbg.gui.run_command('wp 6')
+dbg.gui.parent.code.toggle_view(:graph)
+
+Gui.main