metasm 1.0.4 → 1.0.6

data/metasm/cpu/mips/decode.rb

@@ -221,7 +221,7 @@ class MIPS
 	end
 
 	def backtrace_is_function_return(expr, di=nil)
-		expr.reduce_rec == :$ra
+		Expression[expr].reduce_rec == :$ra
 	end
 
 	def backtrace_is_stack_address(expr)

data/metasm/cpu/ppc/decode.rb

@@ -142,7 +142,7 @@ class PowerPC
 	end
 
 	def backtrace_is_function_return(expr, di=nil)
-		expr.reduce_rec == :lr
+		Expression[expr].reduce_rec == :lr
 	end
 
 	def backtrace_is_stack_address(expr)

data/metasm/cpu/sh4/decode.rb

@@ -341,7 +341,7 @@ class Sh4
 	end
 
 	def backtrace_is_function_return(expr, di=nil)
-		expr.reduce_rec == :pr
+		Expression[expr].reduce_rec == :pr
 	end
 
 	def delay_slot(di=nil)

data/metasm/cpu/x86_64/decompile.rb

@@ -0,0 +1,68 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/x86_64/main'
+
+module Metasm
+class X86_64
+	def func_abi(dcmp)
+		# TODO check cpu.abi_funcall
+		@func_abi ||= nil
+		return @func_abi if @func_abi
+
+		if dcmp.dasm.program.shortname == 'coff'
+			@func_abi = { :args => [:rcx, :rdx, :r10, :r11], :stackoff => 32 }	# TODO
+		else
+			@func_abi = { :args => [:rdi, :rsi, :rdx, :rcx], :stackoff => 0 }	# XXX saved rip offset ?
+		end
+	end
+
+	# return the array of arguments (symbols, indirections wrt frameptr) to be used as arguments for decompilation of the function call in di
+	def decompile_get_func_args(dcmp, func_entry, di, f)
+		abi_args = func_abi(dcmp)[:args].dup
+		stackoff = func_abi(dcmp)[:stackoff]
+
+		args = []
+		f.type.args.to_a.each { |a|
+			if r = a.has_attribute_var('register')
+				args << Expression[r.to_sym]
+				abi_args.delete r.to_sym
+			elsif o = a.has_attribute_var('stackoff')
+				args << Indirection[[:frameptr, :+, Integer(o)], 8]
+			elsif abi_args.empty?
+				args << Indirection[[:frameptr, :+, stackoff], 8]
+				stackoff += 8
+			else
+				args << Expression[abi_args.shift]
+			end
+		}
+
+		args
+	end
+
+	def decompile_check_abi(dcmp, entry, func)
+		abi_regargs = func_abi(dcmp)[:args].map { |ra| ra.to_s }
+		a = func.type.args || []
+
+		# delete unused regs not part of the ABI
+		a.delete_if { |arg| arg.has_attribute('unused') and ra = arg.has_attribute_var('register') and not abi_regargs.index(ra) }
+
+		# delete last regs of the ABI if unused
+		abi_regargs.reverse.each { |ra|
+			break if a.find { |arg| arg.has_attribute_var('register') == ra and not arg.has_attribute('unused') }
+			a.delete_if { |arg| arg.has_attribute('unused') and arg.has_attribute_var('register') == ra }
+		}
+
+		# reorder ABI regs according to ABI
+		a.sort_by! { |arg| ra = arg.has_attribute_var('register') ; abi_regargs.index(ra) || (1000 + a.index(arg)) }
+
+		# TODO
+		#if not f = dcmp.dasm.function[entry] or not f.return_address
+			#func.add_attribute 'noreturn'
+		#end
+	end
+end
+end

data/metasm/cpu/x86_64.rb

@@ -13,3 +13,4 @@ require 'metasm/cpu/x86_64/decode'
 require 'metasm/cpu/x86_64/render'
 require 'metasm/cpu/x86_64/debug'
 require 'metasm/cpu/x86_64/compile_c'
+require 'metasm/cpu/x86_64/decompile'

data/metasm/decode.rb

@@ -165,6 +165,20 @@ class EncodedData
 		Expression.decode_imm(read(isz/8), type, endianness)
 	end
 	alias decode_immediate decode_imm
+
+	LEB_MAX_BYTES=(128.0/7).ceil
+	# decode a length-encoded immediate
+	def decode_leb(signed=false, max_bytes=LEB_MAX_BYTES)
+		v = s = 0
+		while s < 7*max_bytes
+			b = get_byte
+			v |= (b & 0x7f) << s
+			s += 7
+			break if (b&0x80) == 0
+		end
+		v = Expression.make_signed(v, s) if signed
+		v
+	end
 end
 
 class Expression

data/metasm/decompile.rb

@@ -99,7 +99,7 @@ class Decompiler
 
 		# [esp+8] => [:frameptr-12]
 		# TODO slow
-		makestackvars entry, myblocks.map { |b, to| @dasm.decoded[b].block }
+		makestackvars(entry, myblocks.map { |b, to| @dasm.decoded[b].block })
 
 		# find registry dependencies between blocks
 		deps = @dasm.cpu.decompile_func_finddeps(self, myblocks, func)
@@ -107,6 +107,10 @@ class Decompiler
 		scope = func.initializer = C::Block.new(@c_parser.toplevel)
 		if df = @dasm.function[entry]
 			scope.decompdata = df.decompdata ||= {:unalias_type => {}, :unalias_name => {}}
+			if df.noreturn
+				func.add_attribute('noreturn')
+				func.type.type = C::BaseType.new(:void)
+			end
 		else
 			scope.decompdata ||= {:unalias_type => {}, :unalias_name => {}}
 		end
@@ -140,7 +144,11 @@ class Decompiler
 		@dasm.cpu.decompile_check_abi(self, entry, func)
 
 		case ret = scope.statements.last
-		when C::CExpression; puts "no return at end of func" if $VERBOSE
+		when C::CExpression
+			if ret.op == :funcall and ret.lexpr.has_attribute('noreturn')
+			else
+				puts "no return at end of func" if $VERBOSE
+			end
 		when C::Return
 			if not ret.value
 				scope.statements.pop
@@ -368,6 +376,7 @@ class Decompiler
 		repl_bind = {}	# di => bt_bd
 
 		@dasm.cpu.decompile_makestackvars(@dasm, funcstart, blocks) { |block|
+			blockstart = block.address
 			block.list.each { |di|
 				bd = di.backtrace_binding ||= @dasm.cpu.get_backtrace_binding(di)
 				newbd = repl_bind[di] = {}
@@ -423,18 +432,18 @@ class Decompiler
 			p = C::CExpression[[p], itype]
 			C::CExpression[:*, p]
 		when ::Integer
-			C::CExpression[e]
+			C::CExpression[e, C::BaseType.new("__int#{@dasm.cpu.size}".to_sym)]
 		when C::CExpression
 			e
 		else
 			name = e.to_s
 			if not s = scope.symbol_ancestors[name]
 				s = C::Variable.new
-				s.type = C::BaseType.new(:__int32)
+				s.type = C::BaseType.new("__int#{@dasm.cpu.size}".to_sym)
 				case e
 				when ::String	# edata relocation (rel.length = size of pointer)
-					return @c_parser.toplevel.symbol[e] || new_global_var(e, itype || C::BaseType.new(:int), scope)
-				when ::Symbol; s.storage = :register ; s.add_attribute("register(#{name})")
+					return @c_parser.toplevel.symbol[e] || new_global_var(e, itype || s.type, scope)
+				when ::Symbol; s.add_attribute("register(#{name})")
 				else s.type.qualifier = [:volatile]
 					puts "decompile_cexpr unhandled #{e.inspect}, using #{e.to_s.inspect}" if $VERBOSE
 				end
@@ -571,9 +580,9 @@ class Decompiler
 				e
 			when C::Goto
 				if e.target == brk
-					C::Break.new
+					C::Break.new.with_misc(e.misc)
 				elsif e.target == cnt
-					C::Continue.new
+					C::Continue.new.with_misc(e.misc)
 				else e
 				end
 			else e
@@ -591,7 +600,7 @@ class Decompiler
 			}
 			walk(i.bthen.statements) { |sst| sst.outer = i.bthen.outer if sst.kind_of?(C::Block) and sst.outer == i.bthen }
 			scope.statements.concat i.bthen.statements
-			i.bthen = C::Break.new
+			i.bthen = C::Break.new.with_misc(i.misc)
 		end
 
 		patch_test = lambda { |ce|
@@ -631,7 +640,7 @@ class Decompiler
 					       ce.body = ce.body.statements.first
 				       when 0
 					       if ce.kind_of?(C::DoWhile) and i = ce.body.outer.statements.index(ce)
-						      ce = ce.body.outer.statements[i] = C::While.new(ce.test, ce.body)
+						      ce = ce.body.outer.statements[i] = C::While.new(ce.test, ce.body).with_misc(ce.misc)
 					       end
 					       ce.body = nil
 				       end
@@ -645,13 +654,13 @@ class Decompiler
 				i = ce.body.statements.last
 				if i.kind_of?(C::If) and not i.belse and i.bthen.kind_of?(C::Break)
 					ce.body.statements.pop
-					next C::DoWhile.new(i.test.negate, ce.body)
+					next C::DoWhile.new(i.test.negate, ce.body).with_misc(ce.misc)
 				end
 			end
 
 			# if (a) b = 1; else b = 2;  =>  b = a ? 1 : 2
 			if ce.kind_of?(C::If) and ce.belse.kind_of?(C::CExpression) and ce.belse.op == :'=' and ce.belse.lexpr.kind_of?(C::Variable) and ce.bthen.kind_of?(C::CExpression) and ce.bthen.op == :'=' and ce.bthen.lexpr == ce.belse.lexpr
-				next C::CExpression[ce.bthen.lexpr, :'=', [ce.test, :'?:', [ce.bthen.rexpr, ce.belse.rexpr]]]
+				next C::CExpression[ce.bthen.lexpr, :'=', [ce.test, :'?:', [ce.bthen.rexpr, ce.belse.rexpr]]].with_misc(ce.misc)
 			end
 		}
 
@@ -831,15 +840,15 @@ class Decompiler
 						ss.bthen.statements.pop
 						if l = ary[ssi+1] and l.kind_of?(C::Label)
 							ss.bthen.statements.grep(C::If).each { |it|
-								it.bthen = C::Break.new if it.bthen.kind_of?(C::Goto) and it.bthen.target == l.name
+								it.bthen = C::Break.new.with_misc(it.bthen.misc) if it.bthen.kind_of?(C::Goto) and it.bthen.target == l.name
 							}
 						end
-						ary[ssi] = C::While.new(ss.test, ss.bthen)
+						ary[ssi] = C::While.new(ss.test, ss.bthen).with_misc(ss.misc)
 					elsif ss.bthen.statements.last.kind_of?(C::Return) and gi = ((si+1)..ary.length).to_a.reverse.find { |_si| ary[_si].kind_of?(C::Goto) and ary[_si].target == s.name }
 						# l: if (a) { b; return; } c; goto l;  =>  while (!a) { c; } b; return;
 						wb = C::Block.new(scope)
 						wb.statements = decompile_cseq_while(ary[ssi+1...gi], wb)
-						w = C::While.new(C::CExpression.negate(ss.test), wb)
+						w = C::While.new(C::CExpression.negate(ss.test), wb).with_misc(ss)
 						ary[ssi..gi] = [w, *ss.bthen.statements]
 						finished = false ; break	#retry
 					end
@@ -848,7 +857,7 @@ class Decompiler
 					# l: a; goto l;  =>  while(1) { a; }
 					wb = C::Block.new(scope)
 					wb.statements = decompile_cseq_while(ary[si...gi], wb)
-					w = C::While.new(C::CExpression[1], wb)
+					w = C::While.new(C::CExpression[1], wb).with_misc(ary[gi].misc)
 					ary[si..gi] = [w]
 					finished = false ; break	#retry
 				end
@@ -861,10 +870,10 @@ class Decompiler
 					if g.bthen.kind_of?(C::Block) and g.bthen.statements.length > 1
 						nary = ary[si...gi] + [C::If.new(C::CExpression.negate(g.test), C::Break.new)] + g.bthen.statements[0...-1]
 						wb.statements = decompile_cseq_while(nary, wb)
-						w = C::DoWhile.new(C::CExpression[1], wb)
+						w = C::DoWhile.new(C::CExpression[1], wb).with_misc(g.misc)
 					else
 						wb.statements = decompile_cseq_while(ary[si...gi], wb)
-						w = C::DoWhile.new(g.test, wb)
+						w = C::DoWhile.new(g.test, wb).with_misc(g.misc)
 					end
 					ary[si..gi] = [w]
 					finished = false ; break	#retry
@@ -1001,10 +1010,18 @@ class Decompiler
 		vars = scope.symbol.values.sort_by { |v| walk_ce(funcalls) { |ce| break true if ce.rexpr == v } ? 0 : 1 }
 
 		# find the domains of var aliases
-		vars.each { |var| unalias_var(var, scope, g) }
+		vars.each { |var|
+			if unalias_var(var, scope, g)
+				if not var.stackoff or var.stackoff > 0	# dont allow local vars as args
+					func.type.args << var unless func.type.args.find { |aa| aa.name == var.name }
+					scope.statements.delete_if { |sm| sm.kind_of?(C::Declaration) and sm.var.name == var.name }
+				end
+			end
+		}
 	end
 
 	# duplicates a var per domain value
+	# return var if used before being set (eg func arg)
 	def unalias_var(var, scope, g = c_to_graph(scope))
 		# [label, index] of references to var (reading it, writing it, ro/wo it (eg eax = *eax => eax_0 = *eax_1))
 		read = {}
@@ -1023,8 +1040,8 @@ class Decompiler
 		g_exprs.each { |label, exprs|
 			exprs.each_with_index { |ce, i|
 				if ce_read(ce, var)
-					if (ce.op == :'=' and isvar(ce.lexpr, var) and not ce_write(ce.rexpr, var)) or
-					   (ce.op == :funcall and r and not ce_write(ce.lexpr, var) and not ce_write(ce.rexpr, var) and @dasm.cpu.abi_funcall[:changed].include?(r.to_sym))
+					if (ce.kind_of?(C::CExpression) and ce.op == :'=' and isvar(ce.lexpr, var) and not ce_write(ce.rexpr, var)) or
+					   (ce.kind_of?(C::CExpression) and ce.op == :funcall and r and not ce_write(ce.lexpr, var) and not ce_write(ce.rexpr, var) and @dasm.cpu.abi_funcall[:changed].include?(r.to_sym))
 						(ro[label] ||= []) << i
 						(wo[label] ||= []) << i
 						unchecked << [label, i, :up] << [label, i, :down]
@@ -1109,6 +1126,8 @@ class Decompiler
 			end
 		}
 
+		reach_func_top = false
+		n_i = 0
 		# check it out
 		while o = unchecked.shift
 			dom = []
@@ -1147,15 +1166,17 @@ class Decompiler
 
 			unchecked -= dom + dom_wo + dom_ro
 
-			next if func_top
+			if func_top
+				reach_func_top = true
+				next
+			end
 
 			# patch
-			n_i = 0
 			n_i += 1 while scope.symbol_ancestors[newvarname = "#{var.name}_a#{n_i}"]
 
 			nv = var.dup
 			nv.misc = var.misc ? var.misc.dup : {}
-			nv.storage = :register if nv.has_attribute_var('register')
+			#nv.storage = :register if nv.has_attribute_var('register')
 			nv.attributes = nv.attributes.dup if nv.attributes
 			nv.name = newvarname
 			nv.misc[:unalias_name] = newvarname
@@ -1191,6 +1212,8 @@ class Decompiler
 				nv.add_attribute('out')
 			end
 		end
+
+		reach_func_top
 	end
 
 	# revert the unaliasing namechange of vars where no alias subsists
@@ -1433,7 +1456,7 @@ class Decompiler
 				f = f.pointed if f.pointer?
 				next if not f.kind_of?(C::Function)
 				# cast func args to arg prototypes
-				f.args.to_a.zip(ce.rexpr).each_with_index { |(proto, arg), i| ce.rexpr[i] = C::CExpression[arg, proto.type] ; known_type[arg, proto.type] }
+				f.args.to_a.zip(ce.rexpr).each_with_index { |(proto, arg), i| if arg ; ce.rexpr[i] = C::CExpression[arg, proto.type] ; known_type[arg, proto.type] ; end }
 			elsif ce.op == :* and not ce.lexpr
 				if e = ce.rexpr and e.kind_of?(C::CExpression) and not e.op and e = e.rexpr and e.kind_of?(C::CExpression) and
 						e.op == :& and not e.lexpr and e.rexpr.kind_of?(C::Variable) and e.rexpr.stackoff
@@ -1582,7 +1605,7 @@ class Decompiler
 		walk_ce(scope) { |ce|
 			count_refs[ce.lexpr.name] += 1 if ce.lexpr.kind_of?(C::Variable)
 			count_refs[ce.rexpr.name] += 1 if ce.rexpr.kind_of?(C::Variable)
-			if is_cast[ce] and ce.rexpr.rexpr.kind_of?(C::Variable)
+			if is_cast[ce] and ce.type.pointer? and ce.rexpr.rexpr.kind_of?(C::Variable)
 				(uses[ce.rexpr.rexpr.name] ||= []) << ce.type.pointed
 			end
 		}
@@ -2039,6 +2062,7 @@ class Decompiler
 			when C::CExpression
 				@exprs[l_cur] = [stmt]
 				@to[l_cur] = [l_after]
+				@to[l_cur] = [] if stmt.op == :funcall and stmt.lexpr.has_attribute('noreturn')
 			when C::Return
 				@exprs[l_cur] = [stmt.value] if stmt.value
 				@to[l_cur] = []
@@ -2884,7 +2908,7 @@ class Decompiler
 		rename = lambda { |var, name|
 			var = var.rexpr if var.kind_of?(C::CExpression) and not var.op
 			next if not var.kind_of?(C::Variable) or not scope.symbol[var.name] or not name
-			next if (var.name !~ /^(var|arg)_/ and not var.storage == :register) or not scope.symbol[var.name] or name =~ /^(var|arg)_/
+			next if (var.name !~ /^(var|arg)_/ and not var.has_attribute_var('register')) or not scope.symbol[var.name] or name =~ /^(var|arg)_/
 			s = scope.symbol_ancestors
 			n = name
 			i = 0

data/metasm/disassemble.rb

@@ -1220,6 +1220,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 	# it is if all its end blocks are calls to noreturn functions
 	# if it is, create a @function[fa] with noreturn = true
 	# should only be called with fa = target of a call
+	# populates function[fa].return_address
 	def check_noreturn_function(fa)
 		fb = function_blocks(fa, false, false)
 		return if fb.empty?
@@ -1234,6 +1235,14 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 			# yay
 			@function[fa] ||= DecodedFunction.new
 			@function[fa].noreturn = true
+		elsif @function[fa]
+			lasts.each { |la|
+				di = block_at(la).list.last
+				if di.opcode.props[:stopexec] and di.opcode.props[:setip]
+					(@function[fa].return_address ||= []) << di.address
+				end
+			}
+			false
 		end
 	end
 
@@ -1520,7 +1529,7 @@ puts "  finalize subfunc #{Expression[subfunc]}" if debug_backtrace
 	#  :log => Array, will be updated with the backtrace evolution
 	#  :only_upto => backtrace only to update bt_for for current block & previous ending at only_upto
 	#  :no_check => don't use backtrace_check_found (will not backtrace indirection static values)
-	#  :terminals => array of symbols with constant value (stop backtracking if all symbols in the expr are terminals) (only supported with no_check)
+	#  :terminals => array of symbols with constant value (stop backtracking if all symbols in the expr are terminals)
 	#  :cpu_context => disassembler cpu_context
 	def backtrace(expr, start_addr, nargs={})
 		include_start   = nargs.delete :include_start
@@ -1559,7 +1568,7 @@ puts "  not backtracking stack address #{expr}" if debug_backtrace
 		end
 
 		if vals = (no_check ? (!need_backtrace(expr, terminals) and [expr]) : backtrace_check_found(expr,
-				di, origin, type, len, maxdepth, detached, cpu_context, snapshot_addr))
+				di, origin, type, len, maxdepth, detached, cpu_context, snapshot_addr, terminals))
 			# no need to update backtracked_for
 			return vals
 		elsif maxdepth <= 0
@@ -1599,7 +1608,7 @@ puts "  backtrace up #{Expression[h[:addr]]}  #{oldexpr}#{" => #{expr}" if expr
 					if expr != oldexpr and not snapshot_addr and vals = (no_check ?
 							(!need_backtrace(expr, terminals) and [expr]) :
 							backtrace_check_found(expr, nil, origin, type, len,
-								maxdepth-h[:loopdetect].length, detached, cpu_context, snapshot_addr))
+								maxdepth-h[:loopdetect].length, detached, cpu_context, snapshot_addr, terminals))
 						result |= vals
 						next
 					end
@@ -1641,7 +1650,7 @@ puts "  backtrace up #{Expression[h[:from]]}->#{Expression[h[:to]]}  #{oldexpr}#
 
 				if expr != oldexpr and vals = (no_check ? (!need_backtrace(expr, terminals) and [expr]) :
 						backtrace_check_found(expr, @decoded[h[:from]], origin, type, len,
-							maxdepth-h[:loopdetect].length, detached, cpu_context, snapshot_addr))
+							maxdepth-h[:loopdetect].length, detached, cpu_context, snapshot_addr, terminals))
 					if snapshot_addr
 						expr = StoppedExpr.new vals
 						next expr
@@ -1710,7 +1719,7 @@ puts "  backtrace: recursive function #{Expression[h[:funcaddr]]}" if debug_back
 				end
 puts "  backtrace #{h[:di] || Expression[h[:funcaddr]]}  #{oldexpr} => #{expr}" if debug_backtrace and expr != oldexpr
 				if vals = (no_check ? (!need_backtrace(expr, terminals) and [expr]) : backtrace_check_found(expr,
-						h[:di], origin, type, len, maxdepth-h[:loopdetect].length, detached, cpu_context, snapshot_addr))
+						h[:di], origin, type, len, maxdepth-h[:loopdetect].length, detached, cpu_context, snapshot_addr, terminals))
 					if snapshot_addr
 						expr = StoppedExpr.new vals
 					else
@@ -1827,7 +1836,7 @@ puts "  backtrace addrs_todo << #{Expression[retaddr]} from #{di} (funcret)" if
 	# TODO trace expr evolution through backtrace, to modify immediates to an expr involving label names
 	# TODO mov [ptr], imm ; <...> ; jmp [ptr] => rename imm as loc_XX
 	#  eg. mov eax, 42 ; add eax, 4 ; jmp eax  =>  mov eax, some_label-4
-	def backtrace_check_found(expr, di, origin, type, len, maxdepth, detached, cpu_context, snapshot_addr=nil)
+	def backtrace_check_found(expr, di, origin, type, len, maxdepth, detached, cpu_context, snapshot_addr=nil, terminals=[])
 		# only entrypoints or block starts called by a :saveip are checked for being a function
 		# want to execute [esp] from a block start
 		if type == :x and di and di == di.block.list.first and @cpu.backtrace_is_function_return(expr, @decoded[origin]) and (
@@ -1856,13 +1865,13 @@ puts "  backtrace addrs_todo << #{Expression[retaddr]} from #{di} (funcret)" if
 			f.backtracked_for |= @decoded[addr].block.backtracked_for.find_all { |btt| not btt.address }
 		end
 
-		return if need_backtrace(expr)
+		return if need_backtrace(expr, terminals)
 		if snapshot_addr
 			return if expr.expr_externals(true).find { |ee| ee.kind_of?(Indirection) }
 		end
 
 puts "backtrace #{type} found #{expr} from #{di} orig #{@decoded[origin] || Expression[origin] if origin}" if debug_backtrace
-		result = backtrace_value(expr, maxdepth)
+		result = backtrace_value(expr, maxdepth, terminals)
 		# keep the ori pointer in the results to emulate volatile memory (eg decompiler prefers this)
 		#result << expr if not type	# XXX returning multiple values for nothing is too confusing, TODO fix decompiler
 		result.uniq!
@@ -1876,14 +1885,14 @@ puts "backtrace #{type} found #{expr} from #{di} orig #{@decoded[origin] || Expr
 	end
 
 	# returns an array of expressions with Indirections resolved (recursive with backtrace_indirection)
-	def backtrace_value(expr, maxdepth)
+	def backtrace_value(expr, maxdepth, terminals=[])
 		# array of expression with all indirections resolved
 		result = [Expression[expr.reduce]]
 
 		# solve each indirection sequentially, clone expr for each value (aka cross-product)
 		result.first.expr_indirections.uniq.each { |i|
 			next_result = []
-			backtrace_indirection(i, maxdepth).each { |rr|
+			backtrace_indirection(i, maxdepth, terminals).each { |rr|
 				next_result |= result.map { |e| Expression[e.bind(i => rr).reduce] }
 			}
 			result = next_result
@@ -1897,7 +1906,7 @@ puts "backtrace #{type} found #{expr} from #{di} orig #{@decoded[origin] || Expr
 	# then backtraces from ind.origin until it finds an :w xref origin
 	# if no :w access is found, returns the value encoded in the raw section data
 	# TODO handle unaligned (partial?) writes
-	def backtrace_indirection(ind, maxdepth)
+	def backtrace_indirection(ind, maxdepth, terminals=[])
 		if not ind.origin
 			puts "backtrace_ind: no origin for #{ind}" if $VERBOSE
 			return [ind]
@@ -1915,7 +1924,7 @@ puts "backtrace #{type} found #{expr} from #{di} orig #{@decoded[origin] || Expr
 		}
 
 		# resolve pointers (they may include Indirections)
-		backtrace_value(ind.target, maxdepth).each { |ptr|
+		backtrace_value(ind.target, maxdepth, terminals).each { |ptr|
 			# find write xrefs to the ptr
 			refs = []
 			each_xref(ptr, :w) { |x|
@@ -1945,7 +1954,7 @@ puts "backtrace #{type} found #{expr} from #{di} orig #{@decoded[origin] || Expr
 puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtrace
 					ret |= [Expression::Unknown]
 				when :end
-					if not refs.empty? and (expr == true or not need_backtrace(expr))
+					if not refs.empty? and (expr == true or not need_backtrace(expr, terminals))
 						if expr == true
 							# found a path avoiding the :w xrefs, read the encoded initial value
 							ret |= [decode_imm[ptr, ind.len]]
@@ -1975,7 +1984,7 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 					# may have new indirections... recall bt_value ?
 					#if not need_backtrace(expr)
 					if expr.expr_externals.all? { |e| @prog_binding[e] or @function[normalize(e)] } and expr.expr_indirections.empty?
-						ret |= backtrace_value(expr, maxdepth-1-h[:loopdetect].length)
+						ret |= backtrace_value(expr, maxdepth-1-h[:loopdetect].length, terminals)
 						false
 					else
 						expr
@@ -1985,7 +1994,7 @@ puts "   backtrace_indirection for #{ind.target} failed: #{ev}" if debug_backtra
 					expr = backtrace_emu_subfunc(h[:func], h[:funcaddr], h[:addr], expr, ind.origin, maxdepth-h[:loopdetect].length)
 					#if not need_backtrace(expr)
 					if expr.expr_externals.all? { |e| @prog_binding[e] or @function[normalize(e)] } and expr.expr_indirections.empty?
-						ret |= backtrace_value(expr, maxdepth-1-h[:loopdetect].length)
+						ret |= backtrace_value(expr, maxdepth-1-h[:loopdetect].length, terminals)
 						false
 					else
 						expr

data/metasm/dynldr.rb

@@ -57,6 +57,12 @@ extern VALUE *rb_eArgError __attribute__((import));
 #define DYNLDR_RUBY_19 #{RUBY_VERSION >= '1.9' ? 1 : 0}
 #endif
 
+// Ruby 3.2+ changed the RString/RArray struct layout (Variable Width Allocation).
+// len is now a direct field, and embedded string data starts after len (at the ptr offset).
+#ifndef DYNLDR_RUBY_32
+#define DYNLDR_RUBY_32 #{RUBY_VERSION >= '3.2' ? 1 : 0}
+#endif
+
 #if #{RUBY_VERSION >= '2.0' ? 1 : 0}
 // flonums. WHY?
 // also breaks Qtrue/Qnil
@@ -69,11 +75,24 @@ extern VALUE *rb_eArgError __attribute__((import));
  #define T_FIXNUM 0x15
  #define T_MASK   0x1f
  #define RSTRING_NOEMBED (1<<13)
- #define STR_PTR(o) ((RString(o)->flags & RSTRING_NOEMBED) ? RString(o)->ptr : (char*)&RString(o)->len)
- #define STR_LEN(o) ((RString(o)->flags & RSTRING_NOEMBED) ? RString(o)->len : (RString(o)->flags >> 14) & 0x1f)
+ #if DYNLDR_RUBY_32
+  // Ruby 3.2+: len is always a direct field; embedded string data starts at the ptr field offset
+  #define STR_PTR(o) ((RString(o)->flags & RSTRING_NOEMBED) ? RString(o)->ptr : (char*)&RString(o)->ptr)
+  #define STR_LEN(o) (RString(o)->len)
+ #else
+  // Ruby 1.9 - 3.1: embedded string data starts at the len field offset, length encoded in flags
+  #define STR_PTR(o) ((RString(o)->flags & RSTRING_NOEMBED) ? RString(o)->ptr : (char*)&RString(o)->len)
+  #define STR_LEN(o) ((RString(o)->flags & RSTRING_NOEMBED) ? RString(o)->len : (RString(o)->flags >> 14) & 0x1f)
+ #endif
  #define RARRAY_EMBED (1<<13)
- #define ARY_PTR(o) ((RArray(o)->flags & RARRAY_EMBED) ? (VALUE*)&RArray(o)->len : RArray(o)->ptr)
- #define ARY_LEN(o) ((RArray(o)->flags & RARRAY_EMBED) ? ((RArray(o)->flags >> 15) & 3) : RArray(o)->len)
+ #if DYNLDR_RUBY_32
+  // Ruby 3.2+: embedded array data starts at the len field offset (unchanged), but length uses more bits
+  #define ARY_PTR(o) ((RArray(o)->flags & RARRAY_EMBED) ? (VALUE*)&RArray(o)->len : RArray(o)->ptr)
+  #define ARY_LEN(o) ((RArray(o)->flags & RARRAY_EMBED) ? ((RArray(o)->flags >> 15) & 0x1f) : RArray(o)->len)
+ #else
+  #define ARY_PTR(o) ((RArray(o)->flags & RARRAY_EMBED) ? (VALUE*)&RArray(o)->len : RArray(o)->ptr)
+  #define ARY_LEN(o) ((RArray(o)->flags & RARRAY_EMBED) ? ((RArray(o)->flags >> 15) & 3) : RArray(o)->len)
+ #endif
 #else
  #define T_STRING 0x07
  #define T_ARRAY  0x09

data/metasm/encode.rb

@@ -290,6 +290,17 @@ class Expression
 		end
 	end
 
+	def encode_leb(signed=false)
+		v = reduce
+		raise "need numeric value for #{self}" if not v.kind_of?(::Integer)
+		out = EncodedData.new
+		while v > 0x7f or v < -0x40 or (signed and v > 0x3f)
+			out << [0x80 | (v&0x7f)].pack('C*')
+			v >>= 7
+		end
+		out << [v & 0x7f].pack('C*')
+	end
+
 	class << self
 	def encode_imm(val, type, endianness, backtrace=nil)
 		type = INT_SIZE.keys.find { |k| k.to_s[0] == ?a and INT_SIZE[k] == 8*type } if type.kind_of? ::Integer