metasm 1.0.4 → 1.0.6

data/metasm/cpu/dwarf/decompile.rb

@@ -0,0 +1,212 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/dwarf/main'
+
+module Metasm
+class Dwarf
+	def decompile_makestackvars(dasm, funcstart, blocks)
+		oldbd = {}
+		blocks.each { |block|
+			oldbd[block.address] = dasm.address_binding[block.address]
+			dasm.address_binding[block.address] = {}
+                }
+
+		dasm.address_binding[funcstart][:opstack] = Expression[:frameptr]
+		blocks.each { |block|
+			# cache the value of opstack wrt :frameptr at each block entry
+			if not stkoff = dasm.address_binding[block.address][:opstack]
+				stkoff = dasm.backtrace(:opstack, block.address, :snapshot_addr => funcstart)
+				# conserve the minimum offset in case of conflicts
+				stkoff = Expression[:frameptr] + stkoff.map { |so| so - :frameptr }.min
+			end
+			dasm.address_binding[block.address][:opstack] = stkoff
+			block.list.first.misc ||= {}
+			block.list.first.misc[:opstack_before] = stkoff
+
+			# compute the value at the end of the block and propagate as start value for next blocks
+			# allows coherent tracing along all paths if blocks are walked in code order, even with loops with stack leak/consume
+			last_di = block.list.last
+			stkoff = dasm.backtrace(:opstack, last_di.address, :snapshot_addr => funcstart, :include_start => true).first
+			last_di.misc ||= {}
+			last_di.misc[:opstack_after] = stkoff
+			block.each_to_normal { |at|
+				dasm.address_binding[at][:opstack] ||= stkoff if dasm.address_binding[at]
+			}
+
+			yield block
+		}
+		oldbd.each { |a, b| b ? dasm.address_binding[a] = b : dasm.address_binding.delete(a) }
+	end
+
+	def decompile_func_finddeps_di(dcmp, func, di, a, w)
+	end
+
+	def decompile_func_finddeps(dcmp, blocks, func)
+		{}
+	end
+
+	def decompile_blocks(dcmp, myblocks, deps, func, nextaddr = nil)
+		scope = func.initializer
+		stmts = scope.statements
+
+		# TODO handle loops pushing/poping the stack (:opstack_before loop.first != :opstack_after loop.last)
+
+		# opstack offset => current C variable
+		opstack = {}
+
+		# *(_int32*)(local_base+16) => 16
+		ce_ptr_offset = lambda { |ee, base|
+			if ee.kind_of?(C::CExpression) and ee.op == :* and not ee.lexpr and ee.rexpr.kind_of?(C::CExpression) and
+					not ee.rexpr.op and ee.rexpr.rexpr.kind_of?(C::CExpression)
+				if not ee.rexpr.rexpr.op and ee.rexpr.rexpr.rexpr.kind_of?(C::Variable) and ee.rexpr.rexpr.rexpr.name == base
+					0
+				elsif ee.rexpr.rexpr.lexpr.kind_of?(C::Variable) and ee.rexpr.rexpr.lexpr.name == base and
+						ee.rexpr.rexpr.rexpr.kind_of?(C::CExpression) and not ee.rexpr.rexpr.rexpr.op and ee.rexpr.rexpr.rexpr.rexpr.kind_of?(::Integer)
+					if ee.rexpr.rexpr.op == :+
+						ee.rexpr.rexpr.rexpr.rexpr
+					elsif ee.rexpr.rexpr.op == :-
+						-ee.rexpr.rexpr.rexpr.rexpr
+					end
+				end
+			end
+		}
+		ce_opstack_offset = lambda { |ee| ce_ptr_offset[ee, 'frameptr'] }
+
+		basetype = C::BaseType.new("__int#@size".to_sym)
+		new_opstack_var = lambda { |off|
+			varname = "loc_#{off}"
+			ne = C::Variable.new(varname, basetype)
+			scope.symbol[varname] = ne
+			stmts << C::Declaration.new(ne)
+			ne
+		}
+		get_opstack_var = lambda { |off|
+			opstack[off] ||= new_opstack_var[off]
+		}
+
+		di_addr = nil
+
+		# Expr => CExpr
+		ce = lambda { |*e|
+			c_expr = dcmp.decompile_cexpr(Expression[Expression[*e].reduce], scope)
+			dcmp.walk_ce(c_expr, true) { |ee|
+				if soff = ce_opstack_offset[ee.rexpr]
+					# must do soff.rexpr before lexpr in case of reaffectation !
+					ee.rexpr = get_opstack_var[soff/8]
+					ee.rexpr = C::CExpression[ee.rexpr] if not ee.op and ee.type.pointer?
+				end
+				if soff = ce_opstack_offset[ee.lexpr]
+					ee.lexpr = get_opstack_var[soff/8]
+				end
+			}
+			ret = if soff = ce_opstack_offset[c_expr]
+					 C::CExpression[get_opstack_var[soff/8]]
+				else
+					c_expr
+				end
+			dcmp.walk_ce(ret) { |ee| ee.with_misc :di_addr => di_addr } if di_addr
+			ret
+		}
+
+
+		blocks_toclean = myblocks.dup
+		until myblocks.empty?
+			b, to = myblocks.shift
+			if l = dcmp.dasm.get_label_at(b)
+				stmts << C::Label.new(l).with_misc(:di_addr => b)
+			end
+
+			# go !
+			di_list = dcmp.dasm.decoded[b].block.list.dup
+			di_list.each { |di|
+				di_addr = di.address
+				bd = get_fwdemu_binding(di)
+				case di.opcode.name
+				when 'bra'
+					n = dcmp.backtrace_target(get_xrefs_x(dcmp.dasm, di).first, di.address)
+					stacktop = ce[get_opstack_var[(bd[:opstack] - :frameptr + 8) / 8]]
+					stmts << C::If.new(C::CExpression[stacktop], C::Goto.new(n).with_misc(:di_addr => di.address)).with_misc(:di_addr => di.address)
+					stmts << ce[stacktop, :'=', 0]
+					# XXX does not assign cond = 0 in if as decompiler may expect only single goto in if body
+					to.delete dcmp.dasm.normalize(n)
+				when 'swap'
+					offs = []
+					bd.each { |k, v|
+						cvar = dcmp.decompile_cexpr(Expression[Expression[k].reduce], scope)
+						if soff = ce_opstack_offset[cvar]
+							offs << (soff/8)
+						end
+					}
+					off = offs.min
+					stmts << ce[get_opstack_var[:tmp], :'=', get_opstack_var[off]]
+					stmts << ce[get_opstack_var[off], :'=', get_opstack_var[off+1]]
+					stmts << ce[get_opstack_var[off+1], :'=', get_opstack_var[:tmp]]
+					stmts << ce[get_opstack_var[:tmp],  :'=', 0]
+				when 'rot'
+					offs = []
+					bd.each { |k, v|
+						cvar = dcmp.decompile_cexpr(Expression[Expression[k].reduce], scope)
+						if soff = ce_opstack_offset[cvar]
+							offs << (soff/8)
+						end
+					}
+
+					off = offs.min
+					stmts << ce[get_opstack_var[:tmp],  :'=', get_opstack_var[off]]
+					stmts << ce[get_opstack_var[off],   :'=', get_opstack_var[off+2]]
+					stmts << ce[get_opstack_var[off+2], :'=', get_opstack_var[off+1]]
+					stmts << ce[get_opstack_var[off+1], :'=', get_opstack_var[:tmp]]
+					stmts << ce[get_opstack_var[:tmp],  :'=', 0]
+				else
+					if di.backtrace_binding[:incomplete_binding]
+						stmts << C::Asm.new(di.instruction.to_s, nil, nil, nil, nil, nil).with_misc(:di_addr => di.address)
+					else
+						bd.each { |k, v|
+							next if k == :opstack
+							e = ce[k, :'=', v]
+							stmts << e if not e.kind_of?(C::Variable)	# [:eflag_s, :=, :unknown].reduce
+						}
+						rawbd = dcmp.disassembler.cpu.get_backtrace_binding(di)
+						if rawbd[:opstack] == Expression[:opstack, :-, 8] and (bd[:opstack] - :frameptr).kind_of?(::Integer)
+							stacktop = ce[get_opstack_var[(bd[:opstack] - :frameptr + 8) / 8]]
+							stmts << ce[stacktop, :'=', 0]
+						end
+					end
+				end
+				di_addr = nil
+			}
+
+			case to.length
+			when 0
+				if not myblocks.empty? and not stmts.last.kind_of?(C::Return)
+					puts "  block #{Expression[b]} has no to and don't end in ret"
+				end
+			when 1
+				if (myblocks.empty? ? nextaddr != to[0] : myblocks.first.first != to[0])
+					if dcmp.dasm.decoded[to[0]]
+						stmts << C::Goto.new(dcmp.dasm.auto_label_at(to[0], 'unknown_goto'))
+					else
+						stmts << C::Return.new(C::CExpression[ce[get_opstack_var[(di_list.last.misc[:opstack_after] - :frameptr)/8]]])
+					end
+				end
+			else
+				puts "  block #{Expression[b]} with multiple to"
+			end
+		end
+
+		# cleanup di.bt_binding (we set :frameptr etc in those, this may confuse the dasm)
+		blocks_toclean.each { |b_, to_|
+			dcmp.dasm.decoded[b_].block.list.each { |di|
+				di.backtrace_binding = nil
+			}
+		}
+	end
+
+	def decompile_check_abi(dcmp, entry, func)
+	end
+end
+end

data/metasm/cpu/dwarf/encode.rb

@@ -0,0 +1,49 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/dwarf/opcodes'
+require 'metasm/parse'
+
+module Metasm
+class Dwarf
+	def parse_argument(lexer)
+		lexer = AsmPreprocessor.new(lexer) if lexer.kind_of? String
+		lexer.skip_space
+		return if not tok = lexer.readtok
+
+		if tok.raw =~ /^r(\d+)/
+			Reg.new($1.to_i)
+		else
+			lexer.unreadtok tok
+			expr = Expression.parse(lexer)
+			lexer.skip_space
+			expr
+		end
+	end
+
+	def parse_arg_valid?(o, spec, arg)
+		# TODO check :reg and :imm spec, :uXX range
+		spec and arg
+	end
+
+
+	def encode_instr_op(program, i, op)
+		ed = EncodedData.new([op.bin].pack('C*'))
+		op.args.zip(i.args).each { |oa, ia|
+			case oa
+			when :reg
+			when :imm; raise "TODO encode imm"
+			when :i8, :u8, :i16, :u16, :i32, :u32, :i64, :u64; ed << ia.encode(oa, @endianness)
+			when :addr; ed << ia.encode("u#@size".to_sym, @endianness)
+			when :uleb; ed << ia.encode_leb(false)
+			when :sleb; ed << ia.encode_leb(true)
+			else raise "TODO encode op #{oa} #{ia}"
+			end
+		}
+		ed
+	end
+end
+end

data/metasm/cpu/dwarf/main.rb

@@ -0,0 +1,37 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2010 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+require 'metasm/main'
+
+module Metasm
+class Dwarf < CPU
+	def initialize(*args)
+		super()
+		@size = args.grep(Integer).first || 64
+		@endianness = args.delete(:little) || args.delete(:big) || :little
+	end
+
+	class Reg
+		attr_accessor :i
+
+		def initialize(i)
+			@i = i
+		end
+
+		def symbolic(di=nil)
+			"r#@i".to_sym
+		end
+
+		include Renderable
+		def render
+			["r#@i"]
+		end
+	end
+
+	def init_opcode_list
+		init
+	end
+end
+end

data/metasm/cpu/dwarf/opcodes.rb

@@ -0,0 +1,107 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2010 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+require 'metasm/cpu/dwarf/main'
+
+module Metasm
+class Dwarf
+	def addop(name, bin, *args)
+		o = Opcode.new name, bin
+
+		args.each { |a|
+			if @valid_props[a]
+				o.props[a] = true
+			elsif a.kind_of?(::Symbol)
+				o.args << a
+			elsif a.kind_of?(::Hash)
+				o.props.update a
+			else
+				raise "Internal error #{a.inspect}"
+			end
+		}
+
+		@opcode_list << o
+	end
+
+	def addop_20(name, bin, *args)
+		0x20.times { |i|
+			addop name, bin+i, :imm, *args, :imm => i
+		}
+	end
+
+	def init
+		@opcode_list = []
+		@valid_props = { :setip => true, :stopexec => true }
+
+		addop 'addr', 0x03, :addr
+
+		addop 'lit', 0x08, :u8
+		addop 'lit', 0x09, :i8
+		addop 'lit', 0x0A, :u16
+		addop 'lit', 0x0B, :i16
+		addop 'lit', 0x0C, :u32
+		addop 'lit', 0x0D, :i32
+		addop 'lit', 0x0E, :u64
+		addop 'lit', 0x0F, :i64
+		addop 'lit', 0x10, :uleb
+		addop 'lit', 0x11, :sleb
+		addop 'dup', 0x12
+		addop 'drop', 0x13
+		addop 'over', 0x14
+		addop 'pick', 0x15, :u8
+		addop 'swap', 0x16
+		addop 'rot', 0x17
+		addop 'xderef', 0x18
+
+		# push(op(pop()))
+		addop 'deref', 0x06
+		addop 'abs', 0x19
+		addop 'neg', 0x1F
+		addop 'not', 0x20
+		addop 'add_u', 0x23, :uleb	# real name plus_u
+		addop 'plus_u', 0x23, :uleb
+		addop 'deref_size', 0x94, :u8
+
+		# push(op(stk[-2], stk[-1])))	pop args
+		addop 'and', 0x1A
+		addop 'div', 0x1B
+		addop 'sub', 0x1C	# real name is 'minus'
+		addop 'minus', 0x1C
+		addop 'mod', 0x1D
+		addop 'mul', 0x1E
+		addop 'or', 0x21
+		addop 'add', 0x22
+		addop 'plus', 0x22
+		addop 'shl', 0x24
+		addop 'shr', 0x25
+		addop 'shra', 0x26
+		addop 'xor', 0x27
+
+		addop 'bra', 0x28, :i16, :setip	# branch if top of stack not null
+
+		# pop(op(stk[-1], stk[-2]))	pop args
+		addop 'eq', 0x29
+		addop 'ge', 0x2A
+		addop 'gt', 0x2B
+		addop 'le', 0x2C
+		addop 'lt', 0x2D
+		addop 'ne', 0x2E
+
+		addop 'skip', 0x2F, :i16, :setip, :stopexec
+		
+		addop_20 'lit', 0x30
+		addop_20 'reg', 0x50, :reg
+		addop_20 'breg', 0x70, :sleb, :reg
+
+		addop 'reg', 0x90, :uleb, :reg
+		addop 'fbreg', 0x91, :uleb
+		addop 'breg', 0x92, :uleb, :sleb, :reg
+		addop 'piece', 0x93
+		addop 'xderef_size', 0x95
+		addop 'nop', 0x96
+		addop 'addr', 0xF1, :gnu	# GNU_encoded_addr
+	end
+end
+end

data/metasm/cpu/dwarf.rb

@@ -0,0 +1,11 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/main'
+require 'metasm/cpu/dwarf/decode'
+require 'metasm/cpu/dwarf/encode'
+require 'metasm/cpu/dwarf/decompile'
+require 'metasm/cpu/dwarf/debug'

data/metasm/cpu/ia32/debug.rb

@@ -227,5 +227,13 @@ class Ia32
 			fbd[pc_reg] = di.next_addr
 		end
 	end
+
+	def initialize_emudbg(dbg)
+		stack = EncodedData.new("\x00" * 0x10000)
+		stack_addr = 0x10000
+		stack_addr += 0x10000 while dbg.disassembler.get_section_at(stack_addr)
+		dbg.disassembler.add_section(stack, stack_addr)
+		dbg.set_reg_value(dbg_register_list[7], stack_addr + 0xf000)
+	end
 end
 end

data/metasm/cpu/ia32/decode.rb

@@ -542,7 +542,31 @@ class Ia32
 						  Expression[edx, :&, m] => Expression[[e, :>>, opsz(di)], :&, m] }
 					end
 				}
-			when 'div', 'idiv'; lambda { |di, *a| { eax => Expression::Unknown, edx => Expression::Unknown, :incomplete_binding => Expression[1] } }
+			when 'div', 'idiv'; lambda { |di, a0|
+				# TODO idiv => signed
+				case opsz(di)
+				when 8
+					src = Expression[eax, :&, 0xffff]
+					quot = Expression[[src, :/, a0], :&, 0xff]
+					rem  = Expression[[src, :%, a0], :&, 0xff]
+					{ Expression[eax, :&, 0xffff] => Expression[quot, :|, [rem, :<<, 8]] }
+				when 16
+					src = Expression[[eax, :&, 0xffff], :|, [[edx, :&, 0xffff], :<<, 16]]
+					quot = Expression[[src, :/, a0], :&, 0xffff]
+					rem  = Expression[[src, :%, a0], :&, 0xffff]
+					{ Expression[eax, :&, 0xffff] => quot, Expression[edx, :&, 0xffff] => rem }
+				when 32
+					src = Expression[[eax, :&, 0xffffffff], :|, [[edx, :&, 0xffffffff], :<<, 32]]
+					quot = Expression[[src, :/, a0], :&, 0xffffffff]
+					rem  = Expression[[src, :%, a0], :&, 0xffffffff]
+					{ Expression[eax, :&, 0xffffffff] => quot, Expression[edx, :&, 0xffffffff] => rem }
+				when 64
+					src = Expression[eax, :|, [edx, :<<, 64]]
+					quot = Expression[src, :/, a0]
+					rem  = Expression[src, :%, a0]
+					{ eax => quot, edx => rem }
+				end
+			}
 			when 'rdtsc'; lambda { |di| { eax => Expression::Unknown, edx => Expression::Unknown, :incomplete_binding => Expression[1] } }
 			when /^(stos|movs|lods|scas|cmps)[bwdq]$/
 				lambda { |di, *a|