metasm 1.0.5 → 1.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e74fc20e6f9465f9bac4e96967e3537fd58304a4d962fbfa3d93b4516291ca99
-  data.tar.gz: a818712400dc1be554245295e3f33f1f926d3c95e03b7f730fb034b0d2e2b78c
+  metadata.gz: 220a98d0282862014276d9667dcd41aa444270ba4b4019a5add42e0d58a4e9b2
+  data.tar.gz: 674c9502bd4724a7cba78e57fd0ae42099ee226d039843cbed3d3f11c40c9e55
 SHA512:
-  metadata.gz: 4526e61a6ad9b55ce9376424018afd0979c688b281cae38de8050d18eff4475ca5d02c03a3e64db479a964542e347bbb10e36238a1c94ed9e7a9771519f04e11
-  data.tar.gz: 864c9fcf111d806fc311d65062743d449a9a355d6b7b2bd5b44f0625a4d1c7fb6c86af4c1147dafd8c706f1a5659970c26e0911e953d4c82710ad2db3e5b025e
+  metadata.gz: 2357bb7357af85c8ace72fde57f8af490f6a2a64d10c086ba1037e96d88143a8089d0ce7266080c173932ac9de15a19041d70579aa1a3b9a0aab8954ae5565bc
+  data.tar.gz: a84f3952ffa0e0dcd44602b0b6826f1211d1930b63c8190afaadbe038c9017917f48a2f72bd35da0a4195e2409c663c2b3504b8ac6e017f6b825ae7586d10727

data/.gitignore

@@ -1,3 +1,4 @@
 pkg/**
 doc/**/*.html
 metasm/dynldr-*.so
+Gemfile.lock

data/Gemfile

@@ -1,3 +1,3 @@
-source 'https://rubygems.org' do
-  gemspec
-end
+source 'https://rubygems.org'
+gemspec
+

data/Rakefile

@@ -7,4 +7,4 @@ Rake::TestTask.new do |t|
 end
 
 task default: :test
-
+task spec: :test

data/cortex.yaml

@@ -0,0 +1,17 @@
+---
+info:
+  title: Metasm
+  description: This is a mirror of the mercurial repository for metasm
+  x-cortex-git:
+    github:
+      alias: r7org
+      repository: rapid7/metasm
+  x-cortex-tag: metasm
+  x-cortex-type: service
+  x-cortex-domain-parents:
+  - tag: metasploit
+  x-cortex-groups:
+  - exposure:external-ship
+openapi: 3.0.1
+servers:
+- url: "/"

data/metasm/cpu/arm64/decode.rb

@@ -47,11 +47,6 @@ class ARM64
 		}
 	end
 
-	def disassembler_default_func
-		df = DecodedFunction.new
-		df
-	end
-
 	def decode_instr_op(edata, di)
 		op = di.opcode
 		di.instruction.opname = op.name
@@ -96,7 +91,6 @@ class ARM64
 					mode = [ :uxtb, :uxth, :uxtw, :uxtx, :sxtb, :sxth, :sxtw, :sxtx ][x]
 					RegShift.new r, mode, shift
 				end
-			when :i16_5; Expression[field_val[a]]
 			when :il18_5;
 				v = field_val[a]
 				s = (v >> 16) & 3
@@ -146,7 +140,12 @@ class ARM64
 				Memref.new(r, nil, nil, Expression[o*mem_sz], mem_sz, op.props[:mem_incr])
 			when :cond_12
 				RegCC.new OP_CC[field_val[a]]
-			else raise SyntaxError, "Internal error: invalid argument #{a.inspect} in #{op.name}"
+			else
+				if @fields_shift[a]
+					Expression[field_val[a]]
+				else
+					raise SyntaxError, "Internal error: invalid argument #{a.inspect} in #{op.name}"
+				end
 			end
 		}
 
@@ -173,7 +172,13 @@ class ARM64
 			when 'mov', 'adr', 'adrp'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
 			when 'movz'; lambda { |di, a0, a1| { a0 => Expression[a1] } }
 			when 'movn'; lambda { |di, a0, a1| { a0 => Expression[:~, a1] } }
-			#when 'movk'; lambda { |di, a0, a1| a1 + lsl replace target bits of a0, other unchanged
+			when 'movk'; lambda { |di, a0, a1|
+				# set a 16bit word of the target reg, dont touch the others
+				if a1.kind_of?(Expression) and a1.op == :<< and a1.rexpr.kind_of?(::Integer)
+					{ a0 => Expression[[a0, :&, (((1<<64)-1) - (0xffff << a1.rexpr))], :|, a1] }
+				else
+					{ a0 => Expression[a0, :|, a1] }	# shouldn't happen, but should be fine with standard code
+				end }
 			when 'and', 'ands', 'orr', 'or', 'eor', 'xor'
 				bin_op = { 'and' => :&, 'ands' => :&, 'orr' => :|,
 					'or' => :|, 'eor' => :^, 'xor' => :^ }[op]
@@ -257,12 +262,31 @@ class ARM64
 		end
 	end
 
+	def decode_cc_to_expr(cc)
+		case cc
+		when 'eq'; Expression[:eflag_z]
+		when 'ne'; Expression[:'!', :eflag_z]
+		when 'cs'; Expression[:eflag_c]		# carry set
+		when 'cc'; Expression[:'!', :eflag_c]	# carry clear
+		when 'mi'; Expression[:eflag_n]		# minus
+		when 'pl'; Expression[:'!', :eflag_n]	# plus
+		when 'vs'; Expression[:eflag_v]		# oVerflow set
+		when 'vc'; Expression[:'!', :eflag_v]	# overflow clear
+		when 'hi'; Expression[:eflag_c, :&, [:'!', :eflag_z]]	# unsigned higher
+		when 'ls'; Expression[:eflag_z, :|, [:'!', :eflag_c]]	# unsigned lower or same
+		when 'ge'; Expression[:eflag_n, :'==', :eflag_v]
+		when 'lt'; Expression[:eflag_n, :'!=', :eflag_v]
+		when 'gt'; Expression[[:eflag_n, :'==', :eflag_v], :&, [:'!', :eflag_z]]
+		when 'le'; Expression[[:eflag_n, :'!=', :eflag_v], :|, :eflag_z]
+		end
+	end
+
 	def get_xrefs_x(dasm, di)
 		if di.opcode.props[:setip]
 			tg = di.instruction.args.last
 			case tg
 			when nil
-				raise 'internal error: no jmp target' if di.opcode.name != 'ret'
+				raise "internal error: no jmp target for #{di}" if di.opcode.name != 'ret' and di.opcode.name != 'eret'
 				tg = :x30
 			when Expression
 			else tg = tg.symbolic(di)
@@ -274,12 +298,64 @@ class ARM64
 		end
 	end
 
+	# returns a DecodedFunction from a parsed C function prototype
+	def decode_c_function_prototype(cp, sym, orig=nil)
+		sym = cp.toplevel.symbol[sym] if sym.kind_of?(::String)
+		df = DecodedFunction.new
+		orig ||= Expression[sym.name]
+
+		new_bt = lambda { |expr, rlen|
+			df.backtracked_for << BacktraceTrace.new(expr, orig, expr, rlen ? :r : :x, rlen)
+		}
+
+		# return instr emulation
+		if sym.has_attribute 'noreturn' or sym.has_attribute '__noreturn__'
+			df.noreturn = true
+		else
+			new_bt[:x30, nil]
+		end
+
+		[*0..18].each { |r|
+			# dirty regs according to ABI
+			df.backtrace_binding.update "x#{r}".to_sym => Expression::Unknown
+		}
+
+		# scan args for function pointers
+		reg_args = [:x0, :x1, :x2, :x3, :x4, :x5, :x6, :x7]
+		sym.type.args.to_a.zip(reg_args).each { |a, ra|
+			break if not a or not ra
+			if a.type.untypedef.kind_of?(C::Pointer)
+				pt = a.type.untypedef.type.untypedef
+				if pt.kind_of?(C::Function)
+					new_bt[ra, nil]
+					df.backtracked_for.last.detached = true
+				elsif pt.kind_of?(C::Struct)
+					new_bt[ra, cp.typesize[:ptr]]
+				else
+					new_bt[ra, cp.sizeof(nil, pt)]
+				end
+			end
+		}
+
+		df
+	end
+
+	def disassembler_default_func
+		df = DecodedFunction.new
+		df.backtrace_binding = { :sp => Expression[:sp] }
+		(0..30).each { |r|
+			df.backtrace_binding["x#{r}".to_sym] = (r <= 18 ? Expression::Unknown : Expression["x#{r}".to_sym])
+		}
+		df.backtracked_for = [BacktraceTrace.new(Expression[:x30], :default, Expression[:x30], :x)]
+		df
+	end
+
 	def backtrace_is_function_return(expr, di=nil)
-		expr.reduce_rec == :x30
+		Expression[expr].reduce_rec == :x30
 	end
 
 	def backtrace_is_stack_address(expr)
-		Expression[expr].expr_externals.include? :sp
+		Expression[expr].expr_externals.include?(:sp)
 	end
 end
 end

data/metasm/cpu/arm64/decompile.rb

@@ -0,0 +1,142 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/arm64/main'
+
+module Metasm
+class ARM64
+	def abi_funcall
+		@abi_funcall ||= { :changed => (0..18).map { |r| "x#{r}".to_sym } }
+	end
+
+	def decompile_makestackvars(dasm, funcstart, blocks)
+		oldbd = {}
+		oldbd[funcstart] = dasm.address_binding[funcstart]
+		dasm.address_binding[funcstart] = { :sp => Expression[:frameptr] }
+		blocks.each { |block|
+			oldbd[block.address] = dasm.address_binding[block.address]
+			stkoff = dasm.backtrace(:sp, block.address, :snapshot_addr => funcstart)
+			dasm.address_binding[block.address] = { :sp => Expression[:frameptr, :+, stkoff[0]-:frameptr] }
+			yield block
+		}
+		oldbd.each { |a, b| b ? dasm.address_binding[a] = b : dasm.address_binding.delete(a) }
+	end
+
+	def decompile_func_finddeps_di(dcmp, func, di, a, w)
+	end
+
+	def decompile_func_finddeps(dcmp, blocks, func)
+		{}
+	end
+
+	def decompile_blocks(dcmp, myblocks, deps, func, nextaddr = nil)
+		scope = func.initializer
+		func.type.args.each { |a| scope.symbol[a.name] = a }
+		stmts = scope.statements
+
+		di_addr = nil
+
+		# Expr => CExpr
+		ce = lambda { |*e|
+			c_expr = dcmp.decompile_cexpr(Expression[Expression[*e].reduce], scope)
+			dcmp.walk_ce(c_expr) { |ee| ee.with_misc :di_addr => di_addr } if di_addr
+			c_expr
+		}
+
+		blocks_toclean = myblocks.dup
+		until myblocks.empty?
+			b, to = myblocks.shift
+			if l = dcmp.dasm.get_label_at(b)
+				stmts << C::Label.new(l)
+			end
+
+			# go !
+			di_list = dcmp.dasm.decoded[b].block.list.dup
+			di_list.each { |di|
+				di_addr = di.address
+				# TODO jz/jnz
+				if di.opcode.props[:setip] and not di.opcode.props[:stopexec]
+					case di.opcode.name
+					when 'cbz'
+						cc = Expression[di.instruction.args.first.symbolic, :==, 0]
+					when 'cbnz'
+						cc = Expression[di.instruction.args.first.symbolic, :!=, 0]
+					when /^b(.*)/
+						cc = decode_cc_to_expr($1)
+					end
+					n = dcmp.backtrace_target(get_xrefs_x(dcmp.dasm, di).first, di.address)
+					bd = get_fwdemu_binding(di)
+					stmts << C::If.new(ce[cc], C::Goto.new(n).with_misc(:di_addr => di.address)).with_misc(:di_addr => di.address)
+					to.delete dcmp.dasm.normalize(n)
+				elsif di.opcode.name == 'ret'
+					ret = ce[:x0]
+					stmts << C::Return.new(ret).with_misc(:di_addr => di.address)
+				elsif di.opcode.name == 'bl'
+					n = dcmp.backtrace_target(get_xrefs_x(dcmp.dasm, di).first, di.address)
+					args = []
+					if f = dcmp.c_parser.toplevel.symbol[n] and f.type.kind_of?(C::Function) and f.type.args
+						f.type.args.each_with_index { |a, i| args << ce["x#{i}".to_sym] }
+					end
+
+					if not n.kind_of?(::String) or (f and not f.type.kind_of?(C::Function))
+						# indirect funcall
+						fptr = ce[n]
+						proto = C::Function.new(C::BaseType.new(:__int64))
+						proto = f.type if f and f.type.kind_of? C::Function
+						f = C::CExpression[[fptr], C::Pointer.new(proto)]
+					elsif not f
+						# internal functions are predeclared, so this one is extern
+						f = C::Variable.new
+						f.name = n
+						f.type = C::Function.new(C::BaseType.new(:__int64))
+						if dcmp.recurse > 0
+							dcmp.c_parser.toplevel.symbol[n] = f
+							dcmp.c_parser.toplevel.statements << C::Declaration.new(f)
+						end
+					end
+					e = C::CExpression[f, :funcall, args].with_misc(:di_addr => di_addr)
+					e = C::CExpression[ce[:x0], :'=', e, f.type.type].with_misc(:di_addr => di_addr) if f.type.type != C::BaseType.new(:void)
+					stmts << e
+				else
+					bd = get_fwdemu_binding(di)
+					if di.backtrace_binding[:incomplete_binding]
+						stmts << C::Asm.new(di.instruction.to_s, nil, nil, nil, nil, nil).with_misc(:di_addr => di.address)
+					else
+						bd.each { |k, v|
+							e = ce[k, :'=', v]
+							stmts << e #if not e.kind_of?(C::Variable)	# [:eflag_s, :=, :unknown].reduce
+						}
+					end
+				end
+				di_addr = nil
+			}
+
+			case to.length
+			when 0
+				if not myblocks.empty? and not stmts.last.kind_of?(C::Return)
+					puts "  block #{Expression[b]} has no to and don't end in ret"
+				end
+			when 1
+				if (myblocks.empty? ? nextaddr != to[0] : myblocks.first.first != to[0])
+					stmts << C::Goto.new(dcmp.dasm.auto_label_at(to[0], 'unknown_goto'))
+				end
+			else
+				puts "  block #{Expression[b]} with multiple to"
+			end
+		end
+
+		# cleanup di.bt_binding (we set :frameptr etc in those, this may confuse the dasm)
+		blocks_toclean.each { |b_, to_|
+			dcmp.dasm.decoded[b_].block.list.each { |di|
+				di.backtrace_binding = nil
+			}
+		}
+	end
+
+	def decompile_check_abi(dcmp, entry, func)
+	end
+end
+end

data/metasm/cpu/arm64/opcodes.rb

@@ -34,12 +34,12 @@ class ARM64
 	end
 
 	def addop_data_shifted(n, bin, *args)
-		addop n, bin | (0b00 << 22), :rt, :rn, :rm_lsl_i6, :r_32, *args
-		addop n, bin | (0b01 << 22), :rt, :rn, :rm_lsr_i6, :r_32, *args
-		addop n, bin | (0b10 << 22), :rt, :rn, :rm_asr_i6, :r_32, *args
-		addop n, bin | (0b00 << 22) | (1 << 31), :rt, :rn, :rm_lsl_i5, *args
-		addop n, bin | (0b01 << 22) | (1 << 31), :rt, :rn, :rm_lsr_i5, *args
-		addop n, bin | (0b10 << 22) | (1 << 31), :rt, :rn, :rm_asr_i5, *args
+		addop n, bin | (0b00 << 22), :rt, :rn, :rm_lsl_i5, :r_32, *args
+		addop n, bin | (0b01 << 22), :rt, :rn, :rm_lsr_i5, :r_32, *args
+		addop n, bin | (0b10 << 22), :rt, :rn, :rm_asr_i5, :r_32, *args
+		addop n, bin | (0b00 << 22) | (1 << 31), :rt, :rn, :rm_lsl_i6, *args
+		addop n, bin | (0b01 << 22) | (1 << 31), :rt, :rn, :rm_lsr_i6, *args
+		addop n, bin | (0b10 << 22) | (1 << 31), :rt, :rn, :rm_asr_i6, *args
 	end
 
 	def addop_data_imm(n, bin, *args)
@@ -78,7 +78,7 @@ class ARM64
 	OP_CC = %w[eq ne cs cc  mi pl vs vc  hi ls ge lt  gt le al al2]
 	def addop_cc(n, bin, *args)
 		OP_CC.each_with_index { |e, i|
-			args << :stopexec if e == 'al' and args.include?(:setip)
+			args << :stopexec if e[0, 2] == 'al' and args.include?(:setip)
 			addop n+e, bin | i, *args
 		}
 	end
@@ -103,6 +103,7 @@ class ARM64
 		 :m_rm_extend, :rm_extend_i3,
 		 :i14_5, :i16_5, :il18_5, :i19_5, :i26_0, :i12_10_s1,
 		 :i19_5_2_29,
+		 :crn, :crm, :i3_16, :i3_5, :i7_5, :i15_5,
 		 :m_rn_s7, :m_rn_s9, :m_rn_u12,
 		 :bitmask, :bitmask_imm, :cond_12,
 		].each { |p| @valid_args[p] = true }
@@ -118,6 +119,7 @@ class ARM64
 			:i19_5_2_29 => 0x60ffffe0, :cond_12 => 0xf,
 			:bitmask_n => 1, :bitmask_s => 0x3f, :bitmask_r => 0x3f,
 			:regextend_13 => 7, :i1_12 => 1, :i3_10 => 7,
+			:crn => 0xf, :crm => 0xf, :i3_16 => 7, :i3_5 => 7, :i7_5 => 0x7f, :i15_5 => 0x7fff,
 			:m_rn_s7  => ((0x7f << 10) | 0x1f),
 			:m_rn_s9  => ((0x1ff << 7) | 0x1f),
 			:m_rn_u12 => ((0xfff << 5) | 0x1f)
@@ -133,6 +135,7 @@ class ARM64
 			:i19_5_2_29 => 0, :cond_12 => 12,
 			:bitmask_n => 22, :bitmask_s => 10, :bitmask_r => 16,
 			:regextend_13 => 13, :i1_12 => 12, :i3_10 => 10,
+			:crn => 12, :crm => 8, :i3_16 => 16, :i3_5 => 5, :i7_5 => 5, :i15_5 => 5,
 			:m_rn_s7 => 5, :m_rn_s9 => 5, :m_rn_u12 => 5
 
 		addop 'adr',  1 << 28, :rt, :i19_5_2_29, :pcrel
@@ -183,6 +186,31 @@ class ARM64
 		addop 'dcps2', (0b11010100 << 24) | (0b101 << 21) | (0b00010), :i16_5, :stopexec
 		addop 'dcps3', (0b11010100 << 24) | (0b101 << 21) | (0b00011), :i16_5, :stopexec
 
+		# MSR (immediate)
+		addop 'msr_sp',       (0b1101010100 << 22) | (0b0000000100 << 12) | (0b10111111), :crm
+		addop 'msr_daif_set', (0b1101010100 << 22) | (0b0000110100 << 12) | (0b11011111), :crm
+		addop 'msr_daif_clr', (0b1101010100 << 22) | (0b0000110100 << 12) | (0b11111111), :crm
+
+		# HINT
+		addop 'nop',   (0b1101010100 << 22) | (0b0000110010 << 12) | (0b000000011111)
+		addop 'sevl',  (0b1101010100 << 22) | (0b0000110010 << 12) | (0b000000111111)
+		addop 'sev',   (0b1101010100 << 22) | (0b0000110010 << 12) | (0b000001011111)
+		addop 'wfe',   (0b1101010100 << 22) | (0b0000110010 << 12) | (0b000001111111)
+		addop 'wfi',   (0b1101010100 << 22) | (0b0000110010 << 12) | (0b000010011111)
+		addop 'yield', (0b1101010100 << 22) | (0b0000110010 << 12) | (0b000010111111)
+		addop 'nop',   (0b1101010100 << 22) | (0b0000110010 << 12) | (0b000000011111), :i7_5
+
+		addop 'clrex', (0b1101010100 << 22) | (0b0000110011 << 12) | (0b01011111), :crm	# arg ignored
+		addop 'dsb',   (0b1101010100 << 22) | (0b0000110011 << 12) | (0b10011111), :crm
+		addop 'dmb',   (0b1101010100 << 22) | (0b0000110011 << 12) | (0b10111111), :crm
+		addop 'isb',   (0b1101010100 << 22) | (0b0000110011 << 12) | (0b11011111), :crm
+
+		addop 'sys',   (0b1101010100 << 22) | (0b001 << 19), :i3_16, :crn, :crm, :i3_5, :rt
+		addop 'sysl',  (0b1101010100 << 22) | (0b101 << 19), :i3_16, :crn, :crm, :i3_5, :rt
+
+		addop 'msr',   (0b1101010100 << 22) | (0b01 << 20), :i15_5, :rt	# i15 = MSR number
+		addop 'mrs',   (0b1101010100 << 22) | (0b11 << 20), :i15_5, :rt
+
 		addop_s31 'tbz', (0b0110110 << 24), :rt, :i14_5
 
 		addop 'b',   (0b000101 << 26), :i26_0, :setip, :stopexec
@@ -194,22 +222,23 @@ class ARM64
 		addop 'eret',(0b1101011 << 25) | (0b0100 << 21) | (0b11111 << 16) | (0b11111 << 5), :setip, :stopexec
 		addop 'drps',(0b1101011 << 25) | (0b0101 << 21) | (0b11111 << 16) | (0b11111 << 5), :setip, :stopexec
 
-		addop_s31 'mov',  (0b0010001 << 24), :rt, :rn			# alias for add rt, rn, 0
-		addop_s31 'add',  (0b0010001 << 24), :rt, :rn, :i12_10_s1
-		addop_s31 'adds', (0b0110001 << 24), :rt, :rn, :i12_10_s1
-		addop_s31 'sub',  (0b1010001 << 24), :rt, :rn, :i12_10_s1
-		addop_s31 'subs', (0b1110001 << 24), :rt, :rn, :i12_10_s1
-
-		addop_s31 'movn', (0b00100101 << 23), :rt, :il18_5
-		addop_s31 'mov',  (0b10100101 << 23), :rt, :i16_5	# alias movz rt, i16 LSL 0
-		addop_s31 'movz', (0b10100101 << 23), :rt, :il18_5
-		addop_s31 'movk', (0b11100101 << 23), :rt, :il18_5
-
-		addop_store 'str',   (0b10_111_0_00_00 << 22)
-		addop_store 'ldr',   (0b10_111_0_00_01 << 22)
-		addop_store 'ldrsw', (0b10_111_0_00_10 << 22)
-		addop_store 'strb',  (0b00_111_0_00_00 << 22)
-		addop_store 'ldrb',  (0b00_111_0_00_01 << 22)
+		addop_s31 'mov',  0b0010001 << 24, :rt, :rn			# alias for add rt, rn, 0
+		addop_s31 'add',  0b0010001 << 24, :rt, :rn, :i12_10_s1
+		addop_s31 'adds', 0b0110001 << 24, :rt, :rn, :i12_10_s1
+		addop_s31 'sub',  0b1010001 << 24, :rt, :rn, :i12_10_s1
+		addop_s31 'subs', 0b1110001 << 24, :rt, :rn, :i12_10_s1
+
+		addop_s31 'movn', 0b00100101 << 23, :rt, :il18_5
+		addop_s31 'mov',  0b10100101 << 23, :rt, :i16_5	# alias movz rt, i16 LSL 0
+		addop_s31 'movz', 0b10100101 << 23, :rt, :il18_5
+		addop_s31 'movk', 0b11100101 << 23, :rt, :il18_5
+
+		addop_s30 'ldr',  0b00011000 << 24 , :rt, :i19_5
+		addop_store 'str',   0b10_111_0_00_00 << 22
+		addop_store 'ldr',   0b10_111_0_00_01 << 22
+		addop_store 'ldrsw', 0b10_111_0_00_10 << 22
+		addop_store 'strb',  0b00_111_0_00_00 << 22
+		addop_store 'ldrb',  0b00_111_0_00_01 << 22
 		addop_s31 'stp',  0b00_101_0_001_0 << 22, :rt, :rt2, :m_rn_s7, :mem_incr => :post
 		addop_s31 'stp',  0b00_101_0_011_0 << 22, :rt, :rt2, :m_rn_s7, :mem_incr => :pre
 		addop_s31 'stp',  0b00_101_0_010_0 << 22, :rt, :rt2, :m_rn_s7
@@ -222,6 +251,7 @@ class ARM64
 		addop_s31 'csinv', (0b1011010100 << 21) | (0b00 << 10), :rt, :rn, :rm, :cond_12, :r_z
 		addop_s31 'csneg', (0b1011010100 << 21) | (0b01 << 10), :rt, :rn, :rm, :cond_12, :r_z
 
+		# TODO fix :bitmask decoding
 		addop_bitfield 'sbfm', 0b00_100110 << 23
 		addop_bitfield 'bfm',  0b01_100110 << 23
 		addop_bitfield 'ubfm', 0b10_100110 << 23

data/metasm/cpu/arm64.rb

@@ -13,3 +13,4 @@ require 'metasm/cpu/arm64/encode'
 require 'metasm/cpu/arm64/decode'
 require 'metasm/cpu/arm64/render'
 require 'metasm/cpu/arm64/debug'
+require 'metasm/cpu/arm64/decompile'

data/metasm/cpu/dwarf/debug.rb

@@ -0,0 +1,39 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm/cpu/dwarf/opcodes'
+
+module Metasm
+class Dwarf
+	def dbg_register_list
+		@dbg_register_list ||= [:r0, :r1, :r2, :r3, :opstack, :pc]
+	end
+
+	def dbg_resolve_pc(di, fbd, pc_reg, dbg_ctx)
+		case di.opcode.name
+		when 'bra'
+			if dbg_ctx.resolve(Indirection[:opstack, @size/8]) != 0
+				fbd[pc_reg] = di.instruction.args[0]
+			else
+				fbd[pc_reg] = di.next_addr
+			end
+		else return super(di, fbd, pc_reg, dbg_ctx)
+		end
+	end
+
+	def dbg_end_stepout(dbg, addr, di)
+		true
+	end
+
+	def initialize_emudbg(dbg)
+		stack = EncodedData.new("\x00" * 0x1000)
+		stack_addr = 0x10000
+		stack_addr += 0x10000 while dbg.disassembler.get_section_at(stack_addr)
+		dbg.disassembler.add_section(stack, stack_addr)
+		dbg.set_reg_value(:opstack, stack_addr)
+	end
+end
+end

data/metasm/cpu/dwarf/decode.rb

@@ -0,0 +1,124 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2010 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+require 'metasm/cpu/dwarf/opcodes'
+require 'metasm/decode'
+
+module Metasm
+class Dwarf
+	def build_bin_lookaside
+		lookaside = (0..0xff).inject({}) { |h, i| h.update i => [] }
+		opcode_list.each { |op|
+			lookaside[op.bin] << op
+		}
+		lookaside
+	end
+
+	def decode_findopcode(edata)
+		di = DecodedInstruction.new(self)
+		val = edata.get_byte
+		di if di.opcode = bin_lookaside[val].first
+	end
+
+	def decode_instr_op(edata, di)
+		before_ptr = edata.ptr
+		op = di.opcode
+		di.instruction.opname = op.name
+
+		op.args.each { |a|
+			di.instruction.args << case a
+			when :i8, :u8, :i16, :u16, :i32, :u32, :i64, :u64; Expression[edata.decode_imm(a, @endianness)]
+			when :addr; Expression[edata.decode_imm("u#@size".to_sym, @endianness)]
+			when :uleb; Expression[edata.decode_leb(false)]
+			when :sleb; Expression[edata.decode_leb(true)]
+			when :imm; Expression[op.props[:imm]]
+			when :reg; di.instruction.args[0] = Reg.new(di.instruction.args[0].reduce) ; next
+			when :gnu; len = edata.get_byte; len = @size/8 if len == 0 ; Expression[edata.decode_imm("u#{len*8}", @endianness)]
+			else raise SyntaxError, "Internal error: invalid argument #{a} in #{op.name}"
+			end
+		}
+
+		di.bin_length = 1 + edata.ptr - before_ptr
+		di
+	end
+
+	def decode_instr_interpret(di, addr)
+		if di.opcode.props[:setip]
+			delta = di.instruction.args.first.reduce
+			di.instruction.args[0] = Expression[addr + delta + di.bin_length]
+		end
+		di
+	end
+
+	def init_backtrace_binding
+		@backtrace_binding ||= {}
+
+		sz = @size/8
+		opstack = lambda { |off| Indirection[Expression[:opstack, :-, off*sz].reduce, sz] }
+		push_opstack = lambda { |val| { :opstack => Expression[:opstack, :+, sz], opstack[0] => Expression[val] } }
+		push_op2 = lambda { |op| { :opstack => Expression[:opstack, :-, sz],
+			opstack[0] => Expression[[opstack[1], op, opstack[0]], :&, (1<<@size)-1] } }
+
+		opcode_list.map { |ol| ol.name }.uniq.each { |opname|
+			@backtrace_binding[opname] ||= case opname
+			when 'addr', 'lit'; lambda { |di, a1| push_opstack[a1] }
+			when 'dup';  lambda { |di| push_opstack[opstack[0]] }
+			when 'drop'; lambda { |di| { :opstack => Expression[:opstack, :-, sz] } }
+			when 'over'; lambda { |di| push_opstack[opstack[1]] }
+			when 'pick'; lambda { |di, a1| push_opstack[opstack[a1.reduce]] }	# 0 => dup
+			when 'swap'; lambda { |di| { opstack[0] => Expression[opstack[1]], opstack[1] => Expression[opstack[0]] } }
+			# backtrace order
+			when 'rot'; lambda { |di| { opstack[0] => Expression[opstack[2]], opstack[1] => Expression[opstack[0]], opstack[2] => Expression[opstack[1]] } }
+			#when 'xderef';
+			when 'deref'; lambda { |di| { opstack[0] => Expression[Indirection[opstack[0], sz]] } }
+			when 'abs'; lambda { |di| { opstack[0] => Expression[opstack[0], :-, [[[opstack[0], :>>, sz-1], :&, 1], :*, [2, :*, opstack[0]]]] } }
+			when 'neg'; lambda { |di| { opstack[0] => Expression[:-, opstack[0]] } }
+			when 'not'; lambda { |di| { opstack[0] => Expression[:~, opstack[0]] } }
+			when 'add_u'; lambda { |di, a1| { opstack[0] => Expression[opstack[0], :+, a1] } }
+			when 'deref_size'; lambda { |di, a1| { opstack[0] => Expression[Indirection[opstack[0], a1.reduce]] } }
+			when 'and', 'div', 'sub', 'mod', 'mul', 'or', 'add', 'shl', 'shr', 'shra', 'xor', 'eq', 'ge', 'gt', 'le', 'lt', 'ne'
+				o = { 'and' => :&, 'div' => :/, 'sub' => :-, 'mod' => :%, 'mul' => :*, 'or' => :|,
+					'add' => :+, 'shl' => :<<, 'shr' => :>>, 'shra' => :>>, 'xor' => :^,
+					'eq' => :'==', 'ne' => :'!=', 'le' => :'<=', 'lt' => :<, 'ge' => :'>=', 'gt' => :> }[opname]
+				lambda { |di| push_op2[o] }
+			when 'reg'; lambda { |di, a1| push_opstack[a1] }
+			when 'breg'; lambda { |di, a1, a2| push_opstack[Expression[a1, :+, a2]] }
+			when 'bra'; lambda { |di, a| { :opstack => Expression[:opstack, :-, sz] } }
+			when 'skip'; lambda { |di, a| {} }
+			when 'nop'; lambda { |di| {} }
+			end
+		}
+
+		@backtrace_binding
+	end
+
+	def get_backtrace_binding(di)
+		if binding = backtrace_binding[di.opcode.name]
+			a = di.instruction.args.map { |arg| symbolic(arg, di) }
+			binding[di, *a] || {}
+		else
+			puts "unhandled instruction to backtrace: #{di}" if $VERBOSE
+			{:incomplete_binding => Expression[1]}
+		end
+	end
+
+	# TODO real forwardbind/backwardbind
+	#def fix_fwdemu_binding(di, fbd)
+	#end
+
+	def get_xrefs_x(dasm, di)
+		return [] if not di.opcode.props[:setip]
+		[di.instruction.args.first]
+	end
+
+	def backtrace_is_function_return(expr, di=nil)
+		false
+	end
+
+	def backtrace_is_stack_address(expr)
+		Expression[expr].expr_externals.include?(:opstack)
+	end
+end
+end