metasm 1.0.3 → 1.0.4

data/metasm/cpu/ia32/main.rb

@@ -73,26 +73,31 @@ class Ia32 < CPU
 	# segment register: es, cs, ss, ds, fs, gs and the theoretical segr6/7
 	class SegReg < Argument
 		simple_map((0..7).zip(%w(es cs ss ds fs gs segr6 segr7)))
+		def symbolic(di=nil) ; to_s.to_sym end
 	end
 
 	# debug register (dr0..dr3, dr6, dr7), and theoretical dr4/5
 	class DbgReg < Argument
 		simple_map((0..7).map { |i| [i, "dr#{i}"] })
+		def symbolic(di=nil) ; to_s.to_sym end
 	end
 
 	# control register (cr0, cr2, cr3, cr4) and theoretical cr1/5/6/7
 	class CtrlReg < Argument
 		simple_map((0..7).map { |i| [i, "cr#{i}"] })
+		def symbolic(di=nil) ; to_s.to_sym end
 	end
 
 	# test registers (tr0..tr7) (undocumented)
 	class TstReg < Argument
 		simple_map((0..7).map { |i| [i, "tr#{i}"] })
+		def symbolic(di=nil) ; to_s.to_sym end
 	end
 
 	# floating point registers
 	class FpReg < Argument
 		simple_map((0..7).map { |i| [i, "ST(#{i})"] } << [nil, 'ST'])
+		def symbolic(di=nil) ; to_s.tr('()', '').to_sym end
 	end
 
 	# Single Instr Multiple Data register (mm0..mm7, xmm0..xmm7, ymm0..ymm7)
@@ -145,6 +150,11 @@ class Ia32 < CPU
 		def ==(o)
 			self.class == o.class and seg == o.seg and addr == o.addr
 		end
+
+		def symbolic(di=nil)
+			# XXX realmode only
+			Expression[[@seg, :<<, 4], :|, @addr]
+		end
 	end
 
 	# ModRM represents indirections in x86 (eg dword ptr [eax+4*ebx+12h])

data/metasm/cpu/ia32/parse.rb

@@ -133,6 +133,8 @@ class ModRM
 
 		raise otok, 'mrm: bad reg size' if b.kind_of?(Reg) and i.kind_of?(Reg) and b.sz != i.sz
 
+		raise otok, 'mrm: cannot encode [rip+reg], only [rip+imm]' if (b and b.val == 16 and i) or (i and i.val == 16 and (b or s != 1))
+
 		# find default address size
 		adsz = b ? b.sz : i ? i.sz : nil
 		# ptsz may be nil now, will be fixed up later (in parse_instr_fixup) to match another instruction argument's size
@@ -355,5 +357,9 @@ end
 	def instr_uncond_jump_to(target)
 		parse_instruction("jmp #{target}")
 	end
+
+	def instr_jump_stop
+		parse_instruction("hlt")
+	end
 end
 end

data/metasm/cpu/mcs51/decode.rb

@@ -87,7 +87,7 @@ class MCS51
 		di
 	end
 
-	def backtrace_binding(b)
+	def init_backtrace_binding
 		@backtrace_binding ||= {}
 	end
 

data/metasm/cpu/mcs51/main.rb

@@ -37,6 +37,9 @@ class MCS51 < CPU
 			new(S_TO_I[s])
 		end
 
+		def symbolic(di=nil)
+			to_s.to_sym
+		end
 	end
 
 	class Immediate
@@ -47,6 +50,10 @@ class MCS51 < CPU
 		def to_s
 			"#" + @value.to_s
 		end
+
+		def symbolic(di=nil)
+			Expression[@value]
+		end
 	end
 
 	class Memref
@@ -59,6 +66,10 @@ class MCS51 < CPU
 		def to_s
 			@base ? "@" + @base.to_s : @offset.to_s
 		end
+
+		def symbolic(di=nil)
+			Indirection[(@base || @offset), 1, (di.address if di)]
+		end
 	end
 
 	def initialize

data/metasm/cpu/mips/decode.rb

@@ -126,12 +126,6 @@ class MIPS
 		di
 	end
 
-	# hash opname => lambda { |di, *sym_args| binding }
-	def backtrace_binding
-		@backtrace_binding ||= init_backtrace_binding
-	end
-	def backtrace_binding=(b) @backtrace_binding = b end
-
 	def init_backtrace_binding
 		@backtrace_binding ||= {}
 		opcode_list.map { |ol| ol.name }.uniq.each { |op|
@@ -167,6 +161,7 @@ class MIPS
 			when 'jal', 'jalr'; lambda { |di, a0| { :$ra => Expression[Expression[di.address, :+, 2*di.bin_length].reduce] } }
 			when 'li', 'mov'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
 			when 'syscall'; lambda { |di, *a| { :$v0 => Expression::Unknown } }
+			when /^b/; lambda { |di, *a| {} }
 			end
 
 			@backtrace_binding[op] ||= binding if binding
@@ -177,25 +172,20 @@ class MIPS
 	def get_backtrace_binding(di)
 		a = di.instruction.args.map { |arg|
 			case arg
-			when Memref; arg.symbolic(di.address)
+			when Memref; arg.symbolic(di)
 			when Reg; arg.symbolic
 			else arg
 			end
 		}
 
-		binding = if binding = backtrace_binding[di.instruction.opname]
-			binding[di, *a]
+		if binding = backtrace_binding[di.instruction.opname]
+			bd = binding[di, *a]
+			bd.delete 0	# allow add $zero, 42 => nop
+			bd
 		else
-			if di.instruction.opname[0] == ?b and di.opcode.props[:setip]
-			else
-				puts "unknown instruction to emu #{di}" if $VERBOSE
-			end
-			{}
+			puts "unhandled instruction to backtrace: #{di}" if $VERBOSE
+			{:incomplete_binding => Expression[1]}
 		end
-
-		binding.delete 0	# allow add $zero, 42 => nop
-
-		binding
 	end
 
 	def get_xrefs_x(dasm, di)

data/metasm/cpu/mips/main.rb

@@ -26,7 +26,7 @@ class MIPS < CPU
 		end
 
 		Sym = @i_to_s.sort.map { |k, v| v.to_sym }
-		def symbolic ; @i == 0 ? 0 : Sym[@i] end
+		def symbolic(di=nil) ; @i == 0 ? 0 : Sym[@i] end
 	end
 
 	class FpReg
@@ -48,11 +48,11 @@ class MIPS < CPU
 			@base, @offset, @sz = base, offset, sz
 		end
 
-		def symbolic(orig)
+		def symbolic(di=nil)
 			p = nil
 			p = Expression[p, :+, @base.symbolic] if base
 			p = Expression[p, :+, @offset] if offset
-			Indirection[p.reduce, @sz/8, orig]
+			Indirection[p.reduce, @sz/8, (di.address if di)]
 		end
 	end
 

data/metasm/cpu/mips/opcodes.rb

@@ -181,7 +181,7 @@ class MIPS
 		addop 'teqi', (1<<26) | (0b01100<<16), :rs, :i16, :setip
 		addop 'tnei', (1<<26) | (0b01110<<16), :rs, :i16, :setip
 		addop 'bltzal', (1<<26) | (0b10000<<16), :rs, :i16, :setip, :saveip
-		addop 'bgezal', (1<<26) | (0b10001<<16), :i16, :setip, :stopexec, :saveip	# bgezal $zero => unconditionnal
+		addop 'bgezal', (1<<26) | (0b10001<<16), :i16, :setip, :stopexec, :saveip	# bgezal $zero => unconditional
 		addop 'bgezal', (1<<26) | (0b10001<<16), :rs, :i16, :setip, :saveip
 
 

data/metasm/cpu/msp430/decode.rb

@@ -124,10 +124,6 @@ class MSP430
 		di
 	end
 
-	def backtrace_binding
-		@backtrace_binding ||= init_backtrace_binding
-	end
-
 	def init_backtrace_binding
 		@backtrace_binding ||= {}
 
@@ -159,7 +155,7 @@ class MSP430
 		a = di.instruction.args.map { |arg|
 			case arg
 			when Reg; arg.symbolic
-			when Memref; arg.symbolic(di.address)
+			when Memref; arg.symbolic(di)
 			else arg
 			end
 		}
@@ -192,7 +188,7 @@ class MSP430
 		val = di.instruction.args[0]
 		case val
 		when Reg; val = val.symbolic
-		when Memref; val = val.symbolic(di.address)
+		when Memref; val = val.symbolic(di)
 		end
 
 		[Expression[val]]

data/metasm/cpu/msp430/main.rb

@@ -20,7 +20,7 @@ class MSP430 < CPU
 
 		attr_accessor :i
 		def initialize(i) ; @i = i end
-		def symbolic ; Sym[@i] end
+		def symbolic(di=nil) ; Sym[@i] end
 		def render ; [Sym[@i].to_s] end
 		def ==(o) ; o.class == self.class and o.i == @i end
 	end
@@ -35,10 +35,10 @@ class MSP430 < CPU
 			@postincr = postincr
 		end
 
-		def symbolic(orig=nil)
+		def symbolic(di=nil)
 			r = @base.symbolic if @base
 			e = Expression[r, :+, @offset].reduce
-			Indirection[e, (@size || 1), orig]
+			Indirection[e, (@size || 1), (di.address if di)]
 		end
 
 		include Renderable

data/metasm/cpu/openrisc.rb

@@ -0,0 +1,11 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/main'
+require 'metasm/cpu/openrisc/decode'
+require 'metasm/cpu/openrisc/render'
+require 'metasm/cpu/openrisc/debug'
+require 'metasm/cpu/openrisc/decompile'

data/metasm/cpu/openrisc/debug.rb

@@ -0,0 +1,106 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/openrisc/opcodes'
+
+module Metasm
+class OpenRisc
+	def dbg_register_pc
+		@dbg_register_pc ||= :pc
+	end
+	def dbg_register_sp
+		@dbg_register_sp ||= :r1
+	end
+
+	def dbg_register_list
+		@dbg_register_list ||= (1..31).to_a.map { |i| "r#{i}".to_sym } + [:pc, :nextpc, :flag]
+	end
+
+	def dbg_flag_list
+		@dbg_flag_list ||= []
+	end
+
+	def dbg_register_size
+		@dbg_register_size ||= Hash.new(32)
+	end
+
+	def get_fwdemu_binding(di, pc_reg=nil, dbg_ctx=nil)
+		fbd = di.backtrace_binding ||= get_backtrace_binding(di)
+		fbd = fix_fwdemu_binding(di, fbd)
+		if pc_reg
+			if @delay_slot == 0
+				n_a = Expression[pc_reg, :+, 4]
+			else
+				n_a = Expression[:nextpc, :+, 4]
+			end
+			if di.opcode.props[:setip]
+				xr = get_xrefs_x(nil, di).to_a
+				xr |= [n_a] if not di.opcode.props[:stopexec]
+				if xr.length == 1
+					if @delay_slot == 0
+						fbd[pc_reg] = xr[0]
+					else
+						fbd[pc_reg] = Expression[:nextpc]
+						fbd[:nextpc] = xr[0]
+					end
+				else
+					dbg_resolve_pc(di, fbd, pc_reg, dbg_ctx)
+				end
+			else
+				if @delay_slot == 0
+					fbd[pc_reg] = n_a
+				else
+					fbd[pc_reg] = Expression[:nextpc]
+					fbd[:nextpc] = n_a
+				end
+			end
+		end
+		fbd
+	end
+
+	def dbg_resolve_pc(di, fbd, pc_reg, dbg_ctx)
+		a = di.instruction.args.map { |aa| symbolic(aa) }
+
+		cond = case di.opcode.name
+		when 'bf'; dbg_ctx.get_reg_value(:flag) != 0
+		when 'bnf'; dbg_ctx.get_reg_value(:flag) == 0
+		else return super(di, fbd, pc_reg, dbg_ctx)
+		end
+
+		if cond
+			n_a = a.last
+		else
+			if @delay_slot == 0
+				n_a = di.next_addr + 4
+			else
+				n_a = Expression[:nextpc, :+, 4]
+			end
+		end
+
+		if @delay_slot == 0
+			fbd[pc_reg] = n_a
+		else
+			fbd[pc_reg] = Expression[:nextpc]
+			fbd[:nextpc] = n_a
+		end
+	end
+
+	def dbg_enable_bp(dbg, bp)
+	end
+
+	def dbg_disable_bp(dbg, bp)
+	end
+
+	def dbg_need_stepover(dbg, addr, di)
+		if @delay_slot == 0
+			di.opcode.props[:saveip]
+		else
+			ddi = dbg.disassembler.di_at(addr-4)
+			ddi and ddi.opcode.props[:saveip]
+		end
+	end
+end
+end

data/metasm/cpu/openrisc/decode.rb

@@ -0,0 +1,182 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/openrisc/opcodes'
+require 'metasm/decode'
+
+module Metasm
+class OpenRisc
+	def build_bin_lookaside
+		bl = Array.new(255) { [] }
+		opcode_list.each { |op|
+			((op.bin >> 24) .. ((op.bin | op.bin_mask) >> 24)).each { |b|
+				if (b | (op.bin_mask >> 24)) == ((op.bin | op.bin_mask) >> 24)
+					bl[b] << op
+				end
+			}
+		}
+		bl
+	end
+
+	# tries to find the opcode encoded at edata.ptr
+	def decode_findopcode(edata)
+		return if edata.ptr > edata.data.length-4
+		di = DecodedInstruction.new self
+		val = edata.decode_imm(:u32, @endianness)
+		di.misc = val
+		return di if di.opcode = @bin_lookaside[val >> 24].find { |op|
+			(op.bin | op.bin_mask) == (val | op.bin_mask)
+		}
+	end
+
+	def decode_instr_op(edata, di)
+		op = di.opcode
+		di.instruction.opname = op.name
+		di.bin_length = 4
+		val = di.misc
+		fld = lambda { |f|
+			(val >> @fields_off[f]) & @fields_mask[f]
+		}
+		sign_fld = lambda { |f, sz|
+			Expression.make_signed(Expression[fld[f]], sz).reduce
+		}
+		fld_smoo = lambda {
+			Expression[Expression.make_signed((val & 0x7ff) | ((val >> 10) & 0xF800), 16)]
+		}
+
+		op.args.each { |a|
+			di.instruction.args << case a
+			when :rA, :rB, :rD; Reg.new(fld[a])
+			when :fA; FpReg.new(fld[:rA])
+			when :fB; FpReg.new(fld[:rB])
+			when :fD; FpReg.new(fld[:rD])
+			when :disp26; Expression[sign_fld[a, 26]]
+			when :uimm5, :uimm16; Expression[fld[a]]
+			when :simm16; Expression[sign_fld[a, 16]]
+			when :rA_simm16; Memref.new(Reg.new(fld[:rA]), Expression[sign_fld[:simm16, 16]], di.opcode.props[:memsz])
+			when :rA_smoo; Memref.new(Reg.new(fld[:rA]), fld_smoo[], di.opcode.props[:memsz])
+			else raise "unhandled arg #{a}"
+			end
+		}
+
+		di
+	end
+
+	def decode_instr_interpret(di, addr)
+		if di.opcode.props[:setip]
+			case di.opcode.name
+			when 'j', 'jal', 'bf', 'bnf'
+				# abs26 is not absolute, duh
+				arg = Expression[addr, :+, [di.instruction.args[-1], :<<, 2]].reduce
+				di.instruction.args[-1] = Expression[arg]
+			end
+		end
+
+		di
+	end
+
+	# populate the @backtrace_binding hash with default values
+	def init_backtrace_binding
+		@backtrace_binding ||= {}
+
+		opcode_list.map { |ol| ol.basename }.uniq.sort.each { |op|
+			binding = case op
+			when 'movhi'; lambda { |di, a0, a1| { a0 => Expression[a1, :<<, 16] } }
+			when 'add'; lambda { |di, a0, a1, a2| { a0 => Expression[a1, :+, a2] } }
+			when 'sub'; lambda { |di, a0, a1, a2| { a0 => Expression[a1, :-, a2] } }
+			when 'mul'; lambda { |di, a0, a1, a2| { a0 => Expression[a1, :*, a2] } }
+			when 'div'; lambda { |di, a0, a1, a2| { a0 => Expression[a1, :/, a2] } }
+			when 'and'; lambda { |di, a0, a1, a2| { a0 => Expression[a1, :&, a2] } }
+			when 'or';  lambda { |di, a0, a1, a2| { a0 => Expression[a1, :|, a2] } }
+			when 'xor'; lambda { |di, a0, a1, a2| { a0 => Expression[a1, :^, a2] } }
+			when 'shl'; lambda { |di, a0, a1, a2| { a0 => Expression[[a1, :<<, a2], :&, 0xffff_ffff] } }
+			when 'shr'; lambda { |di, a0, a1, a2| { a0 => Expression[[a1, :>>, a2], :&, 0xffff_ffff] } }
+			when 'sar'; lambda { |di, a0, a1, a2| { a0 => Expression[[[a1, :>>, a2], :|, [[0xffff_ffff, :<<, a2], :*, [a1, :>>, 31]]], :&, 0xffff_ffff] } }
+			when 'ror'; lambda { |di, a0, a1, a2| { a0 => Expression[[[a1, :>>, a2], :|, [a1, :<<, [32, :-, a2]]], :&, 0xffff_ffff] } }
+			when 'lwz', 'lbz', 'lhz'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
+			when 'lbs'; lambda { |di, a0, a1| { a0 => Expression[Expression.make_signed(a1, 8)] } }
+			when 'lhs'; lambda { |di, a0, a1| { a0 => Expression[Expression.make_signed(a1, 16)] } }
+			when 'sw', 'sh', 'sb';  lambda { |di, a0, a1| { a0 => Expression[a1] } }
+			when 'jal', 'jalr'; lambda { |di, a0| { :r9 => Expression[di.next_addr + delay_slot(di)*4] } }
+			when 'jr', 'j', 'bf', 'bnf', 'nop'; lambda { |di, *a| {} }
+			when 'sfeq'; lambda { |di, a0, a1| { :flag => Expression[a0, :==, a1] } }
+			when 'sfne'; lambda { |di, a0, a1| { :flag => Expression[a0, :!=, a1] } }
+			when 'sfgtu'; lambda { |di, a0, a1| { :flag => Expression[[a0, :&, 0xffff_ffff], :>, [a1, :&, 0xffff_ffff]] } }
+			when 'sfgeu'; lambda { |di, a0, a1| { :flag => Expression[[a0, :&, 0xffff_ffff], :>=, [a1, :&, 0xffff_ffff]] } }
+			when 'sfltu'; lambda { |di, a0, a1| { :flag => Expression[[a0, :&, 0xffff_ffff], :<, [a1, :&, 0xffff_ffff]] } }
+			when 'sfleu'; lambda { |di, a0, a1| { :flag => Expression[[a0, :&, 0xffff_ffff], :<=, [a1, :&, 0xffff_ffff]] } }
+			when 'sfgts'; lambda { |di, a0, a1| { :flag => Expression[Expression.make_signed(a0, 32), :>, Expression.make_signed(a1, 32)] } }
+			when 'sfges'; lambda { |di, a0, a1| { :flag => Expression[Expression.make_signed(a0, 32), :>=, Expression.make_signed(a1, 32)] } }
+			when 'sflts'; lambda { |di, a0, a1| { :flag => Expression[Expression.make_signed(a0, 32), :<, Expression.make_signed(a1, 32)] } }
+			when 'sfles'; lambda { |di, a0, a1| { :flag => Expression[Expression.make_signed(a0, 32), :<=, Expression.make_signed(a1, 32)] } }
+			end
+			@backtrace_binding[op] ||= binding if binding
+		}
+
+		@backtrace_binding
+	end
+
+	# returns a DecodedFunction from a parsed C function prototype
+	def decode_c_function_prototype(cp, sym, orig=nil)
+		sym = cp.toplevel.symbol[sym] if sym.kind_of?(::String)
+		df = DecodedFunction.new
+		orig ||= Expression[sym.name]
+
+		new_bt = lambda { |expr, rlen|
+			df.backtracked_for << BacktraceTrace.new(expr, orig, expr, rlen ? :r : :x, rlen)
+		}
+
+		# return instr emulation
+		if sym.has_attribute 'noreturn' or sym.has_attribute '__noreturn__'
+			df.noreturn = true
+		else
+			new_bt[:r9, nil]
+		end
+
+		[3, 4, 5, 6, 7, 8, 11, 12, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31].each { |r|
+			# dirty regs according to ABI
+			df.backtrace_binding.update "r#{r}".to_sym => Expression::Unknown
+		}
+
+		# scan args for function pointers
+		reg_args = [:r3, :r4, :r5, :r6, :r7, :r8]
+		sym.type.args.to_a.zip(reg_args).each { |a, ra|
+			break if not a or not ra
+			if a.type.untypedef.kind_of?(C::Pointer)
+				pt = a.type.untypedef.type.untypedef
+				if pt.kind_of?(C::Function)
+					new_bt[ra, nil]
+					df.backtracked_for.last.detached = true
+				elsif pt.kind_of?(C::Struct)
+					new_bt[ra, cp.typesize[:ptr]]
+				else
+					new_bt[ra, cp.sizeof(nil, pt)]
+				end
+			end
+		}
+
+		df
+	end
+
+	def disassembler_default_func
+		df = DecodedFunction.new
+		df.backtrace_binding = (1..32).inject({}) { |h, r| h.update "r#{r}".to_sym => Expression["r#{r}".to_sym] }
+		[3, 4, 5, 6, 7, 8, 11, 12, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31].each { |r|
+			df.backtrace_binding["r#{r}".to_sym] = Expression::Unknown
+		}
+		df.backtracked_for = [BacktraceTrace.new(Expression[:r9], :default, Expression[:r9], :x)]
+		df
+	end
+
+	def backtrace_is_function_return(expr, di=nil)
+		Expression[expr].reduce_rec == :r9
+	end
+
+	def backtrace_is_stack_address(expr)
+		Expression[expr].expr_externals.include? :r1
+	end
+end
+end