metasm 1.0.3 → 1.0.4

data/metasm/cpu/ebpf/render.rb

@@ -0,0 +1,36 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/ebpf/opcodes'
+require 'metasm/render'
+
+module Metasm
+class EBPF
+	class Reg
+		include Renderable
+		def render ; ["r#@v"] end
+	end
+
+	class Memref
+		include Renderable
+		def render
+			r = []
+			r << { 1 => 'byte ', 2 => 'word ', 4 => 'dword ', 8 => 'qword ' }[@msz]
+			r << '['
+			r << @base if @base
+			r << '+' if @base and @offset
+			r << @offset if @offset
+			r << ']'
+		end
+	end
+
+	class Pktref
+		def render
+			['pkt '] + super
+		end
+	end
+end
+end

data/metasm/cpu/ia32/debug.rb

@@ -66,9 +66,11 @@ class Ia32
 		end
 	end
 
+	DBG_BPX = "\xcc"
+	DBG_BPX.force_encoding('BINARY') if DBG_BPX.respond_to?(:force_encoding)
 	def dbg_enable_bpx(dbg, bp)
 		bp.internal[:previous] ||= dbg.memory[bp.address, 1]
-		dbg.memory[bp.address, 1] = "\xcc"
+		dbg.memory[bp.address, 1] = DBG_BPX
 	end
 
 	def dbg_disable_bpx(dbg, bp)
@@ -189,5 +191,41 @@ class Ia32
 	def dbg_func_arg_set(dbg, argnr, arg)
 		dbg.memory_write_int(Expression[:esp, :+, 4*(argnr+1)], arg)
 	end
+
+	def dbg_resolve_pc(di, fbd, pc_reg, dbg_ctx)
+		a = di.instruction.args.map { |aa| symbolic(aa) }
+
+		cond = case di.opcode.name
+		when 'jz', 'je';    dbg_ctx.get_flag(:z)
+		when 'jnz', 'jne'; !dbg_ctx.get_flag(:z)
+		when 'jo';   dbg_ctx.get_flag(:o)
+		when 'jno'; !dbg_ctx.get_flag(:o)
+		when 'js';   dbg_ctx.get_flag(:s)
+		when 'jns'; !dbg_ctx.get_flag(:s)
+		when 'jc', 'jb', 'jnae';   dbg_ctx.get_flag(:c)
+		when 'jnc', 'jnb', 'jae'; !dbg_ctx.get_flag(:c)
+		when 'jbe', 'jna';  dbg_ctx.get_flag(:c) or   dbg_ctx.get_flag(:z)
+		when 'jnbe', 'ja'; !dbg_ctx.get_flag(:c) and !dbg_ctx.get_flag(:z)
+		when 'jl', 'jnge'; dbg_ctx.get_flag(:s) != dbg_ctx.get_flag(:o)
+		when 'jnl', 'jge'; dbg_ctx.get_flag(:s) == dbg_ctx.get_flag(:o)
+		when 'jle', 'jng';  dbg_ctx.get_flag(:z) or  dbg_ctx.get_flag(:s) != dbg_ctx.get_flag(:o)
+		when 'jnle', 'jg'; !dbg_ctx.get_flag(:z) and dbg_ctx.get_flag(:s) == dbg_ctx.get_flag(:o)
+		when 'jp', 'jpe';   dbg_ctx.get_flag(:p)
+		when 'jnp', 'jpo'; !dbg_ctx.get_flag(:p)
+		when 'loop';             dbg_ctx[dbg_register_list[2]] != 0
+		when 'loopz', 'loope';   dbg_ctx[dbg_register_list[2]] != 0 and  dbg_ctx.get_flag(:z)
+		when 'loopnz', 'loopne'; dbg_ctx[dbg_register_list[2]] != 0 and !dbg_ctx.get_flag(:z)
+		when 'jcxz', 'jecxz', 'jrcxz'
+			mask = {?c => 0xffff, ?e => 0xffff_ffff, ?r => -1}[di.opcode.name[1]]
+			dbg_ctx[dbg_register_list[2]] & mask == 0
+		else return super(di, fbd, pc_reg, dbg_ctx)
+		end
+
+		if cond
+			fbd[pc_reg] = a.last
+		else
+			fbd[pc_reg] = di.next_addr
+		end
+	end
 end
 end

data/metasm/cpu/ia32/decode.rb

@@ -323,12 +323,6 @@ class Ia32
 		end
 	end
 
-	# hash opcode_name => lambda { |dasm, di, *symbolic_args| instr_binding }
-	def backtrace_binding
-		@backtrace_binding ||= init_backtrace_binding
-	end
-	def backtrace_binding=(b) @backtrace_binding = b end
-
 	def opsz(di, op=nil)
 		if di and di.instruction.prefix and di.instruction.prefix[:opsz] and (op || di.opcode).props[:needpfx] != 0x66; 48-@size
 		else @size
@@ -443,7 +437,7 @@ class Ia32
 				lambda { |di| bt = lambda { |pos| Expression[[Indirection[esp, opsz(di)/8, di.address], :>>, pos], :&, 1] }
 					{ esp => Expression[esp, :+, opsz(di)/8], :eflag_c => bt[0], :eflag_z => bt[6], :eflag_s => bt[7], :eflag_o => bt[11] } }
 			when 'sahf'
-				lambda { |di| bt = lambda { |pos| Expression[[eax, :>>, pos], :&, 1] }
+				lambda { |di| bt = lambda { |pos| Expression[[eax, :>>, 8+pos], :&, 1] }
 					{ :eflag_c => bt[0], :eflag_z => bt[6], :eflag_s => bt[7] } }
 			when 'lahf'
 				lambda { |di|
@@ -452,7 +446,7 @@ class Ia32
 					bts[0, :eflag_c] #bts[2, :eflag_p] #bts[4, :eflag_a]
 					bts[6, :eflag_z]
 					bts[7, :eflag_s]
-					{ eax => efl }
+					{ Expression[[eax, :>>, 8], :&, 0xff] => efl }
 				}
 			when 'pushad'
 				lambda { |di|
@@ -663,6 +657,24 @@ class Ia32
 						{ a0 => 0 }
 					end
 				}
+			when 'movdqa', 'movdqu', 'movaps', 'movups'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
+			when 'cmpxchg'; lambda { |di, a0, a1|	# eax == a0 ? a0 <= a1, zf <= 1 : eax <= a0, zf <= 0
+				eax_ = self.class::Reg.new(0, opsz(di)).symbolic
+				cmp = Expression[eax_, :==, a0]
+				{ :eflag_z => cmp,
+				  eax_ => Expression[[cmp, :*, eax_], :|, [[1, :-, cmp], :*, a0]],
+				  a0 => Expression[[cmp, :*, a1], :|, [[1, :-, cmp], :*, a0]] } }
+			when 'cmpxchg8b', 'cmpxchg16b'; lambda { |di, a0|	# edx:eax == mem ? mem <= ecx:ebx, zf <= 1 : edx:eax <= mem, zf <= 0
+				sz = (di.opcode.name =~ /8b/ ? 32 : 64)
+				eax_ = self.class::Reg.new(0, sz).symbolic
+				ecx_ = self.class::Reg.new(1, sz).symbolic
+				edx_ = self.class::Reg.new(2, sz).symbolic
+				ebx_ = self.class::Reg.new(3, sz).symbolic
+				cmp = Expression[[[edx_, :<<, sz], :|, eax_], :==, a0]
+				{ :eflag_z => cmp,
+				  eax_ => Expression[[cmp, :*, eax_], :|, [[1, :-, cmp], :*, [a0, :&, (1 << sz) - 1]]],
+				  edx_ => Expression[[cmp, :*, edx_], :|, [[1, :-, cmp], :*, [a0, :>>, sz]]],
+				  a0 => Expression[[cmp, :*, [[ecx_, :<<, sz], :|, ebx_]], :|, [[1, :-, cmp], :*, a0]] } }
 			when 'nop', 'pause', 'wait', 'cmp', 'test'; lambda { |di, *a| {} }
 			end
 
@@ -690,7 +702,7 @@ class Ia32
 						end
 					ret
 				}
-			when 'inc', 'dec', 'neg', 'shl', 'shr', 'sar', 'ror', 'rol', 'rcr', 'rcl', 'shld', 'shrd'
+			when 'inc', 'dec', 'neg', 'shl', 'shr', 'sal', 'sar', 'ror', 'rol', 'rcr', 'rcl', 'shld', 'shrd'
 				lambda { |di, a0, *a|
 					ret = (binding ? binding[di, a0, *a] : {})
 					res = ret[a0] || Expression::Unknown
@@ -699,6 +711,8 @@ class Ia32
 					case op
 					when 'neg'; ret[:eflag_c] = Expression[[res, :&, mask[di]], :'!=', 0]
 					when 'inc', 'dec'	# don't touch carry flag
+					when 'shr', 'sar', 'shrd'; ret[:eflag_c] = Expression[[a0, :>>, [a[0], :-, 1]], :&, 1]	# XXX shr 0 => no touch flag
+					when 'shl', 'sal', 'shld'; ret[:eflag_c] = Expression[[a0, :>>, [di.instruction.args[0].sz, :-, a[0]]], :&, 1]
 					else ret[:eflag_c] = Expression::Unknown	# :incomplete_binding ?
 					end
 					ret[:eflag_o] = case op
@@ -726,8 +740,8 @@ class Ia32
 		@backtrace_binding
 	end
 
-	# returns the condition (bool Expression) under which a conditionnal jump is taken
-	# returns nil if not a conditionnal jump
+	# returns the condition (bool Expression) under which a conditional jump is taken
+	# returns nil if not a conditional jump
 	# backtrace for the condition must include the jump itself (eg loop -> ecx--)
 	def get_jump_condition(di)
 		ecx = register_symbols[1]
@@ -742,12 +756,7 @@ class Ia32
 	end
 
 	def get_backtrace_binding(di)
-		a = di.instruction.args.map { |arg|
-			case arg
-			when ModRM, Reg, SimdReg; arg.symbolic(di)
-			else arg
-			end
-		}
+		a = di.instruction.args.map { |arg| symbolic(arg, di) }
 
 		if binding = backtrace_binding[di.opcode.basename]
 			bd = binding[di, *a]
@@ -798,14 +807,24 @@ class Ia32
 		end
 
 		case di.opcode.name
-		when 'push', 'call'
-			fbd = fbd.dup
+		when /^push/, 'call'
+			ori = fbd
+			fbd = {}
 			sz = opsz(di)/8
 			esp = register_symbols[4]
-			if i = fbd.delete(Indirection[esp, sz])
-				fbd[Indirection[[esp, :-, sz], sz]] = i
+			if ori[esp] and ori[Indirection[esp, sz]]
+				ori.each { |k, v|
+					if k.kind_of?(Indirection)
+						fbd[k.bind(esp => ori[esp]).reduce_rec] = v
+					else
+						fbd[k] = v
+					end
+				}
+			else
+				fbd = ori.dup
+				fbd[:incomplete_binding] = Expression[1]	# TODO
 			end
-		when 'pop', 'ret' # nothing to do
+		when /^pop/, 'ret' # nothing to do
 		when /^(push|pop|call|ret|enter|leave|stos|movs|lods|scas|cmps)/
 			fbd = fbd.dup
 			fbd[:incomplete_binding] = Expression[1]	# TODO
@@ -820,9 +839,8 @@ class Ia32
 		case di.opcode.basename
 		when 'ret'; return [Indirection[register_symbols[4], sz/8, di.address]]
 		when 'jmp', 'call'
-			a = di.instruction.args.first
-			if dasm and a.kind_of?(ModRM) and a.imm and (a.s == sz/8 or a.s == 4) and not a.b and dasm.get_section_at(a.imm)
-				return get_xrefs_x_jmptable(dasm, di, a, a.s*8)
+			if dasm and not di.instruction.args.first.kind_of?(Expression) and switch_table = get_xrefs_x_jmptable(dasm, di)
+				return switch_table
 			end
 		end
 
@@ -834,70 +852,57 @@ class Ia32
 		when Expression, ::Integer; [Expression[tg]]
 		when Farptr; tg.seg.reduce < 0x30 ? [tg.addr] : [Expression[[tg.seg, :*, 0x10], :+, tg.addr]]
 		else
-			puts "unhandled setip at #{di.address} #{di.instruction}" if $DEBUG
+			puts "unhandled setip at #{Expression[di.address]} #{di.instruction}" if $DEBUG
 			[]
 		end
 	end
 
-	# we detected a jmp table (jmp [base+4*idx])
-	# try to return an accurate dest list
-	def get_xrefs_x_jmptable(dasm, di, mrm, sz)
-		# include the symbolic dest for backtrack stuff
-		ret = [Expression[mrm.symbolic(di)]]
-		i = mrm.i
-		if di.block.list.length == 2 and di.block.list[0].opcode.name =~ /^mov/ and a0 = di.block.list[0].instruction.args[0] and
-				a0.respond_to? :symbolic and a0.symbolic == i.symbolic
-			i = di.block.list[0].instruction.args[1]
-		end
-		pb = di.block.from_normal.to_a
-		if pb.length == 1 and pdi = dasm.decoded[pb[0]] and pdi.opcode.name =~ /^jn?be?/ and ppdi = pdi.block.list[-2] and ppdi.opcode.name == 'cmp' and
-				ppdi.instruction.args[0].symbolic == i.symbolic and lim = Expression[ppdi.instruction.args[1]].reduce and lim.kind_of? Integer
-			# cmp eax, 42 ; jbe switch ; switch: jmp [base+4*eax]
-			s = dasm.get_section_at(mrm.imm)
-			lim += 1 if pdi.opcode.name[-1] == ?e
-			lim.times { |v|
-				dasm.add_xref(s[1]+s[0].ptr, Xref.new(:r, di.address, sz/8))
-				ret << Indirection[[mrm.imm, :+, v*sz/8], sz/8, di.address]
-				s[0].read(sz/8)
-			}
-			l = dasm.auto_label_at(mrm.imm, 'jmp_table', 'xref')
-			replace_instr_arg_immediate(di.instruction, mrm.imm, Expression[l])
-			# add 'case 1' comments
-			cases = {}
-			ret.each_with_index { |ind, idx|
-				idx -= 1	# ret[0] = symbolic
-				next if idx < 0
-				a = dasm.backtrace(ind, di.address)
-				if a.length == 1 and a[0].kind_of?(Expression) and addr = a[0].reduce and addr.kind_of?(::Integer)
-					(cases[addr] ||= []) << idx
-				end
+	# indirect call, try to match a switch table pattern (eg jmp [base+4*idx])
+	# return a list of target addresses if found, nil otherwise
+	def get_xrefs_x_jmptable(dasm, di)
+		puts "search jmptable for #{Expression[di.address]} #{di.instruction}" if $DEBUG
+		arg0 = di.instruction.args.first.symbolic(di)
+
+		bt_log = []
+		dasm.backtrace(arg0, di.address, :maxdepth => 3, :log => bt_log)
+
+		expr = nil
+		index = nil
+		index_max = nil
+
+		bt_log.each { |btl|
+			next if btl[0] != :up
+			last = dasm.di_at(btl[4])
+			break if not last or last.block.to_normal.length > 2
+			next if last.block.to_normal.length != 2
+			# search cmp eax, 42 ; ja too_big ; jmp [base+4*eax]
+			# XXX 256 cases switch => no cmp...
+			prelast = last.block.list.reverse.find { |pl| pl.opcode.name == 'cmp' }
+			break unless prelast and cmp_value = prelast.instruction.args.last and cmp_value.kind_of?(Expression) and cmp_value.reduce.kind_of?(::Integer)
+			cmp_value = cmp_value.reduce % (1 << prelast.instruction.args.first.sz)	# cmp al, -12h ; jnbe => -12h is unsigned 0eeh
+			index = prelast.instruction.args.first.symbolic(prelast)
+			index = index.externals.first if index.kind_of?(Expression)	# cmp bl, 13 => ebx
+			expr = Expression[btl[1], :&, ((1 << @size) - 1)]		# XXX without the mask, additions may overflow (this breaks elsewhere too, need Expr32)
+			(expr.externals.grep(Symbol) - [index]).uniq.each { |r|
+				rv = dasm.backtrace(r, prelast.address, :maxdepth => 3)
+				expr = expr.bind(r => rv[0]) if rv.length == 1
 			}
-			cases.each { |addr, list|
-				dasm.add_comment(addr, "case #{list.join(', ')}:")
-			}
-			return ret
-		end
-
-		puts "unrecognized jmp table pattern, using wild guess for #{di}" if $VERBOSE
-		di.add_comment 'wildguess'
-		if s = dasm.get_section_at(mrm.imm - 3*sz/8)
-			v = -3
-		else
-			s = dasm.get_section_at(mrm.imm)
-			v = 0
-		end
-		while s[0].ptr < s[0].length
-			ptr = dasm.normalize s[0].decode_imm("u#{sz}".to_sym, @endianness)
-			diff = Expression[ptr, :-, di.address].reduce
-			if (diff.kind_of? ::Integer and diff.abs < 4096) or (di.opcode.basename == 'call' and ptr != 0 and dasm.get_section_at(ptr))
-				dasm.add_xref(s[1]+s[0].ptr-sz/8, Xref.new(:r, di.address, sz/8))
-				ret << Indirection[[mrm.imm, :+, v*sz/8], sz/8, di.address]
-			elsif v > 0
-				break
+			cmp_value = prelast.instruction.args.last.reduce % (1 << prelast.instruction.args.first.sz)
+			case last.opcode.name
+			when 'jae', 'jb', 'jnae', 'jnb'; index_max = cmp_value-1
+			when 'ja', 'jbe', 'jna', 'jnbe'; index_max = cmp_value
+			else; expr = nil
 			end
-			v += 1
+			break
+		}
+
+		if expr and expr.externals.grep(Symbol).uniq == [index]
+			# yay !
+			# include the symbolic dest for backtrace stuff
+			puts "found jmptable for #{Expression[di.address]} #{di.instruction} (#{index_max+1} entries)" if $VERBOSE
+			# TODO add labels / tables / xrefs etc
+			[Expression[arg0]] + (0..index_max).map { |i| expr.bind(index => i) }
 		end
-		ret
 	end
 
 	# checks if expr is a valid return expression matching the :saveip instruction
@@ -1239,11 +1244,15 @@ class Ia32
 	# the binding will not include memory access from subfunctions
 	# entry should be an entrypoint of the disassembler if finish is nil
 	# the code sequence must have only one end, with no to_normal
-	def code_binding(dasm, entry, finish=nil)
+	# options:
+	#  :include_flags => include EFLAGS in the returned binding
+	def code_binding(dasm, entry, finish=nil, nargs={})
+		include_flags = nargs.delete :include_flags
+
 		entry = dasm.normalize(entry)
 		finish = dasm.normalize(finish) if finish
 		lastdi = nil
-		binding = {}
+		bd = {}
 		bt = lambda { |from, expr, inc_start|
 			ret = dasm.backtrace(Expression[expr], from, :snapshot_addr => entry, :include_start => inc_start)
 			ret.length == 1 ? ret.first : Expression::Unknown
@@ -1268,7 +1277,7 @@ class Ia32
 					get_xrefs_w(dasm, di).each { |waddr, len|
 						# we want the ptr expressed with reg values at entry
 						ptr = bt[a, waddr, false]
-						binding[Indirection[ptr, len, a]] = bt[a, Indirection[waddr, len, a], true]
+						bd[Indirection[ptr, len, a]] = bt[a, Indirection[waddr, len, a], true]
 					}
 					false
 				end
@@ -1291,13 +1300,13 @@ class Ia32
 				if lastdi.opcode.props[:setip]
 					e = get_xrefs_x(dasm, lastdi)
 					raise 'bad code_binding ending' if e.to_a.length != 1 or not lastdi.opcode.props[:stopexec]
-					binding[:ip] = bt[lastdi.address, e.first, false]
+					bd[:ip] = bt[lastdi.address, e.first, false]
 				elsif not lastdi.opcode.props[:stopexec]
-					binding[:ip] = lastdi.next_addr
+					bd[:ip] = lastdi.next_addr
 				end
 			end
 		end
-		binding.delete_if { |k, v| Expression[k] == Expression[v] }
+		bd.delete_if { |k, v| Expression[k] == Expression[v] }
 
 		# add register binding
 		raise "no code_binding end" if not lastdi and not finish
@@ -1310,10 +1319,22 @@ class Ia32
 			mask = 0xffff_ffff	# dont use 1<<@size, because 16bit code may use e.g. edi (through opszoverride)
 			mask = 0xffff_ffff_ffff_ffff if @size == 64
 			val = Expression[val, :&, mask].reduce
-			binding[reg] = Expression[val]
+			bd[reg] = Expression[val]
 		}
 
-		binding
+		# add EFLAGS binding
+		if include_flags
+			[:eflag_z, :eflag_s, :eflag_c, :eflag_o].each { |eflag|
+				val =
+					if lastdi; bt[lastdi.address, eflag, true]
+					else bt[finish, eflag, false]
+					end
+				next if val == Expression[eflag]
+				bd[eflag] = Expression[val.reduce]
+			}
+		end
+
+		bd
 	end
 
 	# trace the stack pointer register across a function, rename occurences of esp+XX to esp+var_XX

data/metasm/cpu/ia32/decompile.rb

@@ -59,7 +59,7 @@ class Ia32
 
 	# add di-specific registry written/accessed
 	def decompile_func_finddeps_di(dcmp, func, di, a, w)
-		a << :eax if di.opcode.name == 'ret' and (not func.type.kind_of? C::BaseType or func.type.type.name != :void)	# standard ABI
+		a << register_symbols[0] if di.opcode.name == 'ret' and (not func.type.kind_of? C::BaseType or func.type.type.name != :void)	# standard ABI
 	end
 
 	# list variable dependency for each block, remove useless writes
@@ -111,7 +111,7 @@ class Ia32
 			}
 			if stackoff	# last block instr == subfunction call
 				deps_r[b] |= deps_subfunc[b] - deps_w[b]
-				deps_w[b] |= [:eax, :ecx, :edx]			# standard ABI
+				deps_w[b] |= register_symbols[0, 3]			# standard ABI
 			end
 		}
 
@@ -140,7 +140,7 @@ class Ia32
 					bw |= w.map { |ee| Expression[ee].externals.grep(::Symbol) }.flatten - [:unknown]
 					false
 				}
-				if r == :eax and (rdi || blk.list.last).opcode.name == 'ret'
+				if r == register_symbols[0] and (rdi || blk.list.last).opcode.name == 'ret'
 					func.type.type = C::BaseType.new(:void)
 					false
 				elsif rdi and rdi.backtrace_binding[r]
@@ -194,15 +194,18 @@ class Ia32
 	end
 
 	def decompile_blocks(dcmp, myblocks, deps, func, nextaddr = nil)
+		eax, ecx, edx, ebx, esp, ebp, esi, edi = register_symbols
+		ebx, esp, ebp = ebx, esp, ebp	# fix ruby unused var warning
 		scope = func.initializer
 		func.type.args.each { |a| scope.symbol[a.name] = a }
 		stmts = scope.statements
 		blocks_toclean = myblocks.dup
 		func_entry = myblocks.first[0]
+		di_addr = nil
 		until myblocks.empty?
 			b, to = myblocks.shift
 			if l = dcmp.dasm.get_label_at(b)
-				stmts << C::Label.new(l)
+				stmts << C::Label.new(l).with_misc(:di_addr => b)
 			end
 
 			# list of assignments [[dest reg, expr assigned]]
@@ -210,7 +213,11 @@ class Ia32
 			# reg binding (reg => value, values.externals = regs at block start)
 			binding = {}
 			# Expr => CExpr
-			ce  = lambda { |*e| dcmp.decompile_cexpr(Expression[Expression[*e].reduce], scope) }
+			ce  = lambda { |*e|
+				ret = dcmp.decompile_cexpr(Expression[Expression[*e].reduce], scope)
+				dcmp.walk_ce(ret) { |ee| ee.with_misc(:di_addr => di_addr) } if di_addr
+				ret
+			}
 			# Expr => Expr.bind(binding) => CExpr
 			ceb = lambda { |*e| ce[Expression[*e].bind(binding)] }
 
@@ -235,6 +242,7 @@ class Ia32
 			# returns an array to use as funcall arguments
 			get_func_args = lambda { |di, f|
 				# XXX see remarks in #finddeps
+				# TODO x64
 				bt = dcmp.dasm.backtrace(:esp, di.address, :snapshot_addr => func_entry, :include_start => true)
 				stackoff = Expression[[bt, :+, @size/8], :-, :esp].bind(:esp => :frameptr).reduce rescue nil
 				args_todo = f.type.args.to_a.dup
@@ -283,19 +291,20 @@ class Ia32
 
 			# go !
 			dcmp.dasm.decoded[b].block.list.each_with_index { |di, didx|
+				di_addr = di.address
 				a = di.instruction.args
 				if di.opcode.props[:setip] and not di.opcode.props[:stopexec]
 					# conditional jump
 					commit[]
 					n = dcmp.backtrace_target(get_xrefs_x(dcmp.dasm, di).first, di.address)
 					if di.opcode.name =~ /^loop(.+)?/
-						cx = C::CExpression[:'--', ceb[:ecx]]
+						cx = C::CExpression[:'--', ceb[ecx]]
 						cc = $1 ? C::CExpression[cx, :'&&', ceb[decode_cc_to_expr($1)]] : cx
 					else
 						cc = ceb[decode_cc_to_expr(di.opcode.name[1..-1])]
 					end
 					# XXX switch/indirect/multiple jmp
-					stmts << C::If.new(C::CExpression[cc], C::Goto.new(n))
+					stmts << C::If.new(C::CExpression[cc], C::Goto.new(n).with_misc(:di_addr => di_addr)).with_misc(:di_addr => di_addr)
 					to.delete dcmp.dasm.normalize(n)
 					next
 				end
@@ -312,7 +321,7 @@ class Ia32
 						f = dcmp.c_parser.toplevel.symbol["intrinsic_set_#{a1}"]
 						a2 = a2.symbolic(di)
 						a2 = [a2, :&, 0xffff] if sz == 16
-						stmts << C::CExpression.new(f, :funcall, [ceb[a2]], f.type.type)
+						stmts << C::CExpression.new(f, :funcall, [ceb[a2]], f.type.type).with_misc(:di_addr => di_addr)
 						next
 					end
 					case a2
@@ -324,7 +333,7 @@ class Ia32
 						f = dcmp.c_parser.toplevel.symbol["intrinsic_get_#{a2}"]
 						t = f.type.type
 						binding.delete a1.symbolic(di)
-						stmts << C::CExpression.new(ce[a1.symbolic(di)], :'=', C::CExpression.new(f, :funcall, [], t), t)
+						stmts << C::CExpression.new(ce[a1.symbolic(di)], :'=', C::CExpression.new(f, :funcall, [], t).with_misc(:di_addr => di_addr), t).with_misc(:di_addr => di_addr)
 						next
 					end
 				end
@@ -333,8 +342,8 @@ class Ia32
 				when 'ret'
 					commit[]
 					ret = nil
-					ret = C::CExpression[ceb[:eax]] unless func.type.type.kind_of? C::BaseType and func.type.type.name == :void
-					stmts << C::Return.new(ret)
+					ret = C::CExpression[ceb[eax]] unless func.type.type.kind_of? C::BaseType and func.type.type.name == :void
+					stmts << C::Return.new(ret).with_misc(:di_addr => di_addr)
 				when 'call'	# :saveip
 					n = dcmp.backtrace_target(get_xrefs_x(dcmp.dasm, di).first, di.address)
 					args = []
@@ -367,9 +376,9 @@ class Ia32
 						end
 					end
 					commit[]
-					binding.delete :eax
-					e = C::CExpression[f, :funcall, args]
-					e = C::CExpression[ce[:eax], :'=', e, f.type.type] if deps[b].include? :eax and f.type.type != C::BaseType.new(:void)
+					binding.delete eax
+					e = C::CExpression[f, :funcall, args].with_misc(:di_addr => di_addr)
+					e = C::CExpression[ce[eax], :'=', e, f.type.type].with_misc(:di_addr => di_addr) if deps[b].include? eax and f.type.type != C::BaseType.new(:void)
 					stmts << e
 				when 'jmp'
 					#if di.comment.to_a.include? 'switch'
@@ -388,7 +397,7 @@ class Ia32
 					a = di.instruction.args.first
 					if a.kind_of? Expression
 					elsif not a.respond_to? :symbolic
-						stmts << C::Asm.new(di.instruction.to_s, nil, [], [], nil, nil)
+						stmts << C::Asm.new(di.instruction.to_s, nil, [], [], nil, nil).with_misc(:di_addr => di_addr)
 					else
 						n = di.instruction.args.first.symbolic(di)
 						fptr = ceb[n]
@@ -399,12 +408,10 @@ class Ia32
 							args = get_func_args[di, fptr.type]
 						else
 							proto = C::Function.new(C::BaseType.new(:void))
-							fptr = C::CExpression[[fptr], C::Pointer.new(proto)]
+							fptr = C::CExpression[[fptr], C::Pointer.new(proto)].with_misc(:di_addr => di_addr)
 							args = []
 						end
-						ret = C::Return.new(C::CExpression[fptr, :funcall, args])
-						class << ret ; attr_accessor :from_instr end
-						ret.from_instr = di
+						ret = C::Return.new(C::CExpression[fptr, :funcall, args].with_misc(:di_addr => di_addr)).with_misc(:di_addr => di_addr)
 						stmts << ret
 						to = []
 					end
@@ -418,7 +425,7 @@ class Ia32
 					end
 					# need a way to transform arg => :frameptr+12
 					arg = di.backtrace_binding.keys.grep(Indirection).first.pointer
-					stmts << C::CExpression.new(dcmp.c_parser.toplevel.symbol['intrinsic_lgdt'], :funcall, [ceb[arg]], C::BaseType.new(:void))
+					stmts << C::CExpression.new(dcmp.c_parser.toplevel.symbol['intrinsic_lgdt'], :funcall, [ceb[arg]], C::BaseType.new(:void)).with_misc(:di_addr => di_addr)
 				when 'lidt'
 					if not dcmp.c_parser.toplevel.struct['interrupt_descriptor']
 						dcmp.c_parser.parse('struct interrupt_descriptor { __int16 offset0_16; __int16 segment; __int16 flags; __int16 offset16_32; };')
@@ -428,29 +435,29 @@ class Ia32
 						dcmp.c_parser.parse('void intrinsic_lidt(struct interrupt_table *);')
 					end
 					arg = di.backtrace_binding.keys.grep(Indirection).first.pointer
-					stmts << C::CExpression.new(dcmp.c_parser.toplevel.symbol['intrinsic_lidt'], :funcall, [ceb[arg]], C::BaseType.new(:void))
+					stmts << C::CExpression.new(dcmp.c_parser.toplevel.symbol['intrinsic_lidt'], :funcall, [ceb[arg]], C::BaseType.new(:void)).with_misc(:di_addr => di_addr)
 				when 'ltr', 'lldt'
 					if not dcmp.c_parser.toplevel.symbol["intrinsic_#{di.opcode.name}"]
 						dcmp.c_parser.parse("void intrinsic_#{di.opcode.name}(int);")
 					end
 					arg = di.backtrace_binding.keys.first
-					stmts << C::CExpression.new(dcmp.c_parser.toplevel.symbol["intrinsic_#{di.opcode.name}"], :funcall, [ceb[arg]], C::BaseType.new(:void))
+					stmts << C::CExpression.new(dcmp.c_parser.toplevel.symbol["intrinsic_#{di.opcode.name}"], :funcall, [ceb[arg]], C::BaseType.new(:void)).with_misc(:di_addr => di_addr)
 				when 'out'
 					sz = di.instruction.args.find { |a_| a_.kind_of? Ia32::Reg and a_.val == 0 }.sz
 					if not dcmp.c_parser.toplevel.symbol["intrinsic_out#{sz}"]
 						dcmp.c_parser.parse("void intrinsic_out#{sz}(unsigned short port, __int#{sz} value);")
 					end
-					port = di.instruction.args.grep(Expression).first || :edx
-					stmts << C::CExpression.new(dcmp.c_parser.toplevel.symbol["intrinsic_out#{sz}"], :funcall, [ceb[port], ceb[:eax]], C::BaseType.new(:void))
+					port = di.instruction.args.grep(Expression).first || edx
+					stmts << C::CExpression.new(dcmp.c_parser.toplevel.symbol["intrinsic_out#{sz}"], :funcall, [ceb[port], ceb[eax]], C::BaseType.new(:void)).with_misc(:di_addr => di_addr)
 				when 'in'
 					sz = di.instruction.args.find { |a_| a_.kind_of? Ia32::Reg and a_.val == 0 }.sz
 					if not dcmp.c_parser.toplevel.symbol["intrinsic_in#{sz}"]
 						dcmp.c_parser.parse("__int#{sz} intrinsic_in#{sz}(unsigned short port);")
 					end
-					port = di.instruction.args.grep(Expression).first || :edx
+					port = di.instruction.args.grep(Expression).first || edx
 					f = dcmp.c_parser.toplevel.symbol["intrinsic_in#{sz}"]
-					binding.delete :eax
-					stmts << C::CExpression.new(ce[:eax], :'=', C::CExpression.new(f, :funcall, [ceb[port]], f.type.type), f.type.type)
+					binding.delete eax
+					stmts << C::CExpression.new(ce[eax], :'=', C::CExpression.new(f, :funcall, [ceb[port]], f.type.type), f.type.type).with_misc(:di_addr => di_addr)
 				when 'sti', 'cli'
 					stmts << C::Asm.new(di.instruction.to_s, nil, [], [], nil, nil)
 				when /^(mov|sto|lod)s([bwdq])/
@@ -462,15 +469,15 @@ class Ia32
 					blk = C::Block.new(scope)
 					case op
 					when 'mov'
-						blk.statements << C::CExpression[[:*, [[ceb[:edi]], pt]], :'=', [:*, [[ceb[:esi]], pt]]]
-						blk.statements << C::CExpression[ceb[:edi], :'=', [ceb[:edi], :+, [sz]]]
-						blk.statements << C::CExpression[ceb[:esi], :'=', [ceb[:esi], :+, [sz]]]
+						blk.statements << C::CExpression[[:*, [[ceb[edi]], pt]], :'=', [:*, [[ceb[esi]], pt]]].with_misc(:di_addr => di_addr)
+						blk.statements << C::CExpression[ceb[edi], :'=', [ceb[edi], :+, [sz]]].with_misc(:di_addr => di_addr)
+						blk.statements << C::CExpression[ceb[esi], :'=', [ceb[esi], :+, [sz]]].with_misc(:di_addr => di_addr)
 					when 'sto'
-						blk.statements << C::CExpression[[:*, [[ceb[:edi]], pt]], :'=', ceb[:eax]]
-						blk.statements << C::CExpression[ceb[:edi], :'=', [ceb[:edi], :+, [sz]]]
+						blk.statements << C::CExpression[[:*, [[ceb[edi]], pt]], :'=', ceb[eax]].with_misc(:di_addr => di_addr)
+						blk.statements << C::CExpression[ceb[edi], :'=', [ceb[edi], :+, [sz]]].with_misc(:di_addr => di_addr)
 					when 'lod'
-						blk.statements << C::CExpression[ceb[:eax], :'=', [:*, [[ceb[:esi]], pt]]]
-						blk.statements << C::CExpression[ceb[:esi], :'=', [ceb[:esi], :+, [sz]]]
+						blk.statements << C::CExpression[ceb[eax], :'=', [:*, [[ceb[esi]], pt]]].with_misc(:di_addr => di_addr)
+						blk.statements << C::CExpression[ceb[esi], :'=', [ceb[esi], :+, [sz]]].with_misc(:di_addr => di_addr)
 					#when 'sca'
 					#when 'cmp'
 					end
@@ -479,8 +486,8 @@ class Ia32
 					when nil
 						stmts.concat blk.statements
 					when 'rep'
-						blk.statements << C::CExpression[ceb[:ecx], :'=', [ceb[:ecx], :-, [1]]]
-						stmts << C::While.new(C::CExpression[ceb[:ecx]], blk)
+						blk.statements << C::CExpression[ceb[ecx], :'=', [ceb[ecx], :-, [1]]].with_misc(:di_addr => di_addr)
+						stmts << C::While.new(C::CExpression[ceb[ecx]], blk).with_misc(:di_addr => di_addr)
 					#when 'repz'	# sca/cmp only
 					#when 'repnz'
 					end
@@ -489,7 +496,7 @@ class Ia32
 					bd = get_fwdemu_binding(di)
 					if di.backtrace_binding[:incomplete_binding]
 						commit[]
-						stmts << C::Asm.new(di.instruction.to_s, nil, nil, nil, nil, nil)
+						stmts << C::Asm.new(di.instruction.to_s, nil, nil, nil, nil, nil).with_misc(:di_addr => di_addr)
 					else
 						update = {}
 						bd.each { |k, v|
@@ -504,6 +511,7 @@ class Ia32
 						binding.update update
 					end
 				end
+				di_addr = nil
 			}
 			commit[]