one_gadget 1.5.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 143e72f7753ab6351d2d2ff06fe551302c9e1e46
-  data.tar.gz: 14892686d48601c9808f7819f1f4225b96cf4d52
+  metadata.gz: d381a734bccb70a6ffaac1b6e2ff82518adf2719
+  data.tar.gz: 406db08cea4fc116b4d81f61d585b7a25ec9ecd4
 SHA512:
-  metadata.gz: 183163649946a1a1e541c05748efc462cdeabd09d0eaf8e4dc68b6db80eb8d466c326009c760c7606f43e30d2f692011dbc8d8e26c90d36603eb6ca9f6ad1cd9
-  data.tar.gz: 4e8f94784b8eafcb83ad5c02e05d5be617c7baa5e84c57a24a1a19602b5d7e169ac3ecb8bf94c2ca48ed92d61d8661b449112837442c4826a3bb8efafc93d447
+  metadata.gz: 327cb7edce0f03ac5d43807d91c9850f63869e9041d59ed236b467fd6ca97aa4aaaa68361525daa1273259b7df96a00e69193ef1ddd3b4856126a61afb3148ad
+  data.tar.gz: 59b561675611597e011b5012574986138e041421eaecd8819ca40cdecc8f68056a2f42077eb7ad2f25f71ce2fd884b53aba9ea823791d250e18703d8e7228a3b

data/README.md

@@ -28,9 +28,9 @@ Note: require ruby version >= 2.1.0, you can use `ruby --version` to check.
 
 ## Implementation
 
-OneGadget uses simple self-implement symbolic execution to find the constraints of gadgets to success.
+OneGadget uses simple self-implement symbolic execution to find the constraints of gadgets to be successful.
 
-The article introducing how I develop this tool can be found [here](https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html).
+The article introducing how I develop this tool can be found [in my blog](https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html).
 
 ## Usage
 
@@ -39,7 +39,7 @@ much more one-gadgets have been found.
 And gadgets become too many to show them all,
 they would be selected automatically according to the difficulty of constraints.
 Therefore, gadgets shown will be less than previous versions (before v1.5.0).
-You can use option `--level 1` to show more gadgets found.
+But you can use option `--level 1` to show all gadgets found.
 
 ### Command Line Interface
 
@@ -55,6 +55,7 @@ $ one_gadget
 #     -r, --[no-]raw                   Output gadgets offset only, split with one space.
 #     -s, --script exploit-script      Run exploit script with all possible gadgets.
 #                                      The script will be run as 'exploit-script $offset'.
+#         --info BuildID               Show version information given BuildID.
 #         --version                    Current gem version.
 
 $ one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
@@ -210,4 +211,4 @@ one_gadget('60131540dadc6796cab33388349e6e4e68692053')
 Any suggestion or feature request is welcome! Feel free to send a pull request.
 
 Please let me know if you find any libc that make OneGadget fail to find gadgets.
-And, if you like this work, I'll be happy to be [stared](https://github.com/david942j/one_gadget/stargazers) :grimacing:
+And, if you like this work, I'll be happy to be [starred](https://github.com/david942j/one_gadget/stargazers) :grimacing:

data/bin/one_gadget

@@ -31,6 +31,10 @@ parser = OptionParser.new do |opts|
     options[:script] = script
   end
 
+  opts.on('--info BuildID', 'Show version information given BuildID.') do |b|
+    options[:info] = b
+  end
+
   opts.on('--version', 'Current gem version.') do |v|
     options[:version] = v
   end
@@ -49,6 +53,13 @@ def execute(script, offset)
   Process.wait pid
 end
 
+if options[:info]
+  result = OneGadget::Gadget.builds_info(options[:info])
+  exit(1) if result.nil? # error happend
+  OneGadget::Logger.info("Information of #{options[:info]}:\n#{result.join("\n")}\n")
+  exit(0)
+end
+
 level = options[:level] || 0
 if options[:build_id]
   gadgets = OneGadget.gadgets(build_id: options[:build_id], details: true, level: level)

data/lib/one_gadget/abi.rb

@@ -4,9 +4,12 @@ module OneGadget
     # Define class methods here.
     module ClassMethods
       # Registers in i386.
-      LINUX_X86_32 = %w(eax ebx ecx edx edi esi ebp esp).freeze
+      LINUX_X86_32 = %w(eax ebx ecx edx edi esi ebp esp) + 0.upto(7).map { |i| "xmm#{i}" }
       # Registers in x86_64/
-      LINUX_X86_64 = LINUX_X86_32 + %w(rax rbx rcx rdx rdi rsi rbp rsp) + 8.upto(15).map { |i| "r#{i}" }
+      LINUX_X86_64 = LINUX_X86_32 +
+                     %w(rax rbx rcx rdx rdi rsi rbp rsp) +
+                     8.upto(15).map { |i| "r#{i}" } +
+                     8.upto(15).map { |i| "xmm#{i}" }
       # Registers' name in amd64.
       # @return [Array<String>] List of registers.
       def amd64

data/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb

@@ -0,0 +1,49 @@
+require 'one_gadget/gadget'
+# ubuntu17.10-libc-2.26.so
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2.1) stable release version 2.26, by Roland McGrath et al.
+# Copyright (C) 2017 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 6.4.0 20171010.
+# Available extensions:
+# 	crypt add-on version 2.1 by Michael Glad and others
+# 	GNU Libidn by Simon Josefsson
+# 	Native POSIX Threads Library by Ulrich Drepper et al
+# 	BIND-8.2.3-T5B
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 293958,
+                      constraints: ["rax == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 294042,
+                      constraints: ["[rsp+0x30] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 890723,
+                      constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"],
+                      effect: "execve(\"/bin/sh\", r13, rbx)")
+OneGadget::Gadget.add(build_id, 891441,
+                      constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", [rbp-0xa0], [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 891448,
+                      constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 891452,
+                      constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", rcx, rdx)")
+OneGadget::Gadget.add(build_id, 1035486,
+                      constraints: ["[rsp+0x40] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 1035498,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, [rax])")
+OneGadget::Gadget.add(build_id, 1039246,
+                      constraints: ["[rsp+0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
+

data/lib/one_gadget/builds/libc-2.26-f65648a832414f2144ce795d75b6045a1ec2e252.rb

@@ -0,0 +1,52 @@
+require 'one_gadget/gadget'
+# ubuntu17.10-libc-2.26.so
+# 
+# Intel 80386
+# 
+# GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2.1) stable release version 2.26, by Roland McGrath et al.
+# Copyright (C) 2017 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 6.4.0 20171010.
+# Available extensions:
+# 	crypt add-on version 2.1 by Michael Glad and others
+# 	GNU Libidn by Simon Josefsson
+# 	Native POSIX Threads Library by Ulrich Drepper et al
+# 	BIND-8.2.3-T5B
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248879,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 248881,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248885,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
+OneGadget::Gadget.add(build_id, 248892,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 248927,
+                      constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+                      effect: "execve(\"/bin/sh\", eax, [esp])")
+OneGadget::Gadget.add(build_id, 248928,
+                      constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+                      effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
+OneGadget::Gadget.add(build_id, 421503,
+                      constraints: ["edi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 421504,
+                      constraints: ["edi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+OneGadget::Gadget.add(build_id, 1257406,
+                      constraints: ["esi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 1257407,
+                      constraints: ["esi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+

data/lib/one_gadget/builds/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.rb

@@ -0,0 +1,47 @@
+require 'one_gadget/gadget'
+# spec/data/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.so
+# 
+# Intel 80386
+# 
+# GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.
+# Copyright (C) 2018 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 7.3.0.
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248810,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 248812,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248816,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
+OneGadget::Gadget.add(build_id, 248823,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 248858,
+                      constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+                      effect: "execve(\"/bin/sh\", eax, [esp])")
+OneGadget::Gadget.add(build_id, 248859,
+                      constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+                      effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
+OneGadget::Gadget.add(build_id, 422559,
+                      constraints: ["esi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 422560,
+                      constraints: ["esi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+OneGadget::Gadget.add(build_id, 1267518,
+                      constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 1267519,
+                      constraints: ["ebx is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+

data/lib/one_gadget/builds/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb

@@ -0,0 +1,41 @@
+require 'one_gadget/gadget'
+# spec/data/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.so
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.
+# Copyright (C) 2018 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 7.3.0.
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 324293,
+                      constraints: ["rcx == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 324386,
+                      constraints: ["[rsp+0x40] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 939679,
+                      constraints: ["[r14] == NULL || r14 == NULL", "[r12] == NULL || r12 == NULL"],
+                      effect: "execve(\"/bin/sh\", r14, r12)")
+OneGadget::Gadget.add(build_id, 940120,
+                      constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", [rbp-0x88], [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 940127,
+                      constraints: ["[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 940131,
+                      constraints: ["[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 1090444,
+                      constraints: ["[rsp+0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 1090456,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, [rax])")
+

data/lib/one_gadget/emulators/instruction.rb

@@ -4,7 +4,7 @@ module OneGadget
     class Instruction
       attr_reader :inst # @return [String]  The instruction name.
       attr_reader :argc # @return [Integer] Count of arguments.
-      # Instantiate a n{Instruction} object.
+      # Instantiate a {Instruction} object.
       # @param [String] inst The instruction name.
       # @param [Integer] argc
       #   Count of arguments.
@@ -23,7 +23,7 @@ module OneGadget
         args = cmd[idx + inst.size..-1].split(',')
         raise ArgumentError, "Incorrect argument number in #{cmd}, expect: #{argc}" if argc >= 0 && args.size != argc
         args.map do |arg|
-          arg.gsub(/QWORD|DWORD|WORD|BYTE|PTR/, '').strip
+          arg.gsub(/XMMWORD|QWORD|DWORD|WORD|BYTE|PTR/, '').strip
         end
       end
 

data/lib/one_gadget/emulators/lambda.rb

@@ -95,9 +95,9 @@ module OneGadget
         #   If +arg+ contains number only, return it.
         #   Otherwise, return a {Lambda} object.
         # @example
-        #   obj = parse('[rsp+0x50]')
+        #   obj = Lambda.parse('[rsp+0x50]')
         #   #=> #<Lambda @obj='rsp', @immi=80, @deref_count=1>
-        #   parse('obj+0x30', predefined: { 'obj' => obj }).to_s
+        #   Lambda.parse('obj+0x30', predefined: { 'obj' => obj }).to_s
         #   #=> '[rsp+0x50]+0x30'
         def parse(arg, predefined: {})
           deref_count = 0
@@ -110,10 +110,10 @@ module OneGadget
           val = 0
           if sign
             raise ArgumentError, "Not support #{arg}" unless OneGadget::Helper.integer?(arg[sign..-1])
-            val = Integer(arg[sign..-1])
-            arg = arg[0, sign]
+            val = Integer(arg.slice!(sign..-1))
           end
-          obj = (predefined[arg] || Lambda.new(arg)) + val
+          obj = predefined[arg] || Lambda.new(arg)
+          obj += val unless val.zero?
           deref_count.zero? ? obj : obj.deref
         end
       end

data/lib/one_gadget/emulators/processor.rb

@@ -10,13 +10,13 @@ module OneGadget
       # Instantiate a {Processor} object.
       # @param [Array<String>] registers Registers that supported in the architecture.
       def initialize(registers)
-        @registers = registers.map { |reg| [reg, OneGadget::Emulators::Lambda.new(reg)] }.to_h
+        @registers = registers.map { |reg| [reg, to_lambda(reg)] }.to_h
         @stack = {}
       end
 
       # Parse one command into instruction and arguments.
       # @param [String] cmd One line of result of objdump.
-      # @return [Array(Instruction, Array<String>)]
+      # @return [(Instruction, Array<String>)]
       #   The parsing result.
       def parse(cmd)
         inst = instructions.find { |i| i.match?(cmd) }
@@ -33,6 +33,12 @@ module OneGadget
       # @return [Array<Instruction>] The support instructions.
       def instructions; raise NotImplementedError
       end
+
+      private
+
+      def to_lambda(reg)
+        OneGadget::Emulators::Lambda.new(reg)
+      end
     end
   end
 end

data/lib/one_gadget/emulators/x86.rb

@@ -1,5 +1,7 @@
-require 'one_gadget/emulators/processor'
 require 'one_gadget/emulators/instruction'
+require 'one_gadget/emulators/lambda'
+require 'one_gadget/emulators/processor'
+require 'one_gadget/error'
 
 module OneGadget
   module Emulators
@@ -13,10 +15,10 @@ module OneGadget
         @sp = sp
         @pc = pc
         @stack = Hash.new do |h, k|
-          lmda = OneGadget::Emulators::Lambda.new(sp)
-          lmda.immi = k
-          lmda.deref!
-          h[k] = lmda
+          h[k] = OneGadget::Emulators::Lambda.new(sp).tap do |lmda|
+            lmda.immi = k
+            lmda.deref!
+          end
         end
       end
 
@@ -24,22 +26,22 @@ module OneGadget
       # Will raise exceptions when encounter unhandled instruction.
       # @param [String] cmd
       #   One line from result of objdump.
-      # @return [void]
+      # @return [Boolean]
       def process!(cmd)
         inst, args = parse(cmd)
         # return registers[pc] = args[0] if inst.inst == 'call'
         return true if inst.inst == 'jmp' # believe the fetcher has handled jmp.
         sym = "inst_#{inst.inst}".to_sym
-        send(sym, *args) != :fail
+        __send__(sym, *args) != :fail
       end
 
       # Process one command, without raising any exceptions.
       # @param [String] cmd
       #   See {#process!} for more information.
-      # @return [void]
+      # @return [Boolean]
       def process(cmd)
         process!(cmd)
-      rescue ArgumentError
+      rescue ArgumentError, OneGadget::Error::Error
         false
       end
 
@@ -55,7 +57,10 @@ module OneGadget
           Instruction.new('nop', -1),
           Instruction.new('push', 1),
           Instruction.new('sub', 2),
-          Instruction.new('xor', 2)
+          Instruction.new('xor', 2),
+          Instruction.new('movq', 2),
+          Instruction.new('movaps', 2),
+          Instruction.new('movhps', 2)
         ]
       end
 
@@ -83,12 +88,53 @@ module OneGadget
           # Just ignore strange case...
           return unless tar.include?(sp)
           tar = OneGadget::Emulators::Lambda.parse(tar, predefined: registers)
-          return if tar.deref_count != 1 # should not happened
+          return if tar.deref_count != 1 # should not happen
           tar.ref!
           stack[tar.evaluate(eval_dict)] = src
         end
       end
 
+      # This instruction moves 128bits.
+      def inst_movaps(tar, src)
+        # XXX: here we only support `movaps [sp+*], xmm*`
+        # TODO: This need an extra constraint: sp & 0xf == 0
+        src, tar = check_xmm_sp(src, tar) { raise_unsupported('movaps', tar, src) }
+        off = tar.evaluate(eval_dict)
+        (128 / self.class.bits).times do |i|
+          stack[off + i * size_t] = src[i]
+        end
+      end
+
+      # Mov *src to tar[:64]
+      def inst_movq(tar, src)
+        # XXX: here we only support `movq xmm*, [sp+*]`
+        tar, src = check_xmm_sp(tar, src) { raise_unsupported('movq', tar, src) }
+        off = src.evaluate(eval_dict)
+        (64 / self.class.bits).times do |i|
+          tar[i] = stack[off + i * size_t]
+        end
+      end
+
+      # Move *src to tar[64:128]
+      def inst_movhps(tar, src)
+        # XXX: here we only support `movhps xmm*, [sp+*]`
+        tar, src = check_xmm_sp(tar, src) { raise_unsupported('movhps', tar, src) }
+        off = src.evaluate(eval_dict)
+        (64 / self.class.bits).times do |i|
+          tar[i + 64 / self.class.bits] = stack[off + i * size_t]
+        end
+      end
+
+      # check if (tar, src) in form (xmm*, [sp+*])
+      def check_xmm_sp(tar, src)
+        return yield unless tar.start_with?('xmm') && register?(tar) && src.include?(sp)
+        tar_lm = OneGadget::Emulators::Lambda.parse(tar, predefined: registers)
+        src_lm = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        return yield if src_lm.deref_count != 1
+        src_lm.ref!
+        [tar_lm, src_lm]
+      end
+
       def inst_lea(tar, src)
         src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
         src.ref!
@@ -97,7 +143,7 @@ module OneGadget
 
       def inst_push(val)
         val = OneGadget::Emulators::Lambda.parse(val, predefined: registers)
-        registers[sp] -= bytes
+        registers[sp] -= size_t
         cur_top = registers[sp].evaluate(eval_dict)
         raise ArgumentError, "Corrupted stack pointer: #{cur_top}" unless cur_top.is_a?(Integer)
         stack[cur_top] = val
@@ -150,14 +196,23 @@ module OneGadget
         :fail
       end
 
-      def bytes
+      def size_t
         self.class.bits / 8
       end
 
       def eval_dict
-        dict = {}
-        dict[sp] = 0
-        dict
+        { sp => 0 }
+      end
+
+      def raise_unsupported(inst, *args)
+        raise OneGadget::Error::UnsupportedInstructionArguments, "#{inst} #{args.join(', ')}"
+      end
+
+      def to_lambda(reg)
+        return super unless reg =~ /^xmm\d+$/
+        Array.new(128 / self.class.bits) do |i|
+          OneGadget::Emulators::Lambda.new("#{reg}__#{i}")
+        end
       end
     end
   end

data/lib/one_gadget/error.rb

@@ -0,0 +1,9 @@
+module OneGadget
+  module Error
+    class Error < StandardError
+    end
+
+    class UnsupportedInstructionArguments < Error
+    end
+  end
+end

data/lib/one_gadget/fetcher.rb

@@ -15,9 +15,7 @@ module OneGadget
       # @return [Array<OneGadget::Gadget::Gadget>?]
       #   +nil+ is returned if cannot find target id in database.
       def from_build_id(build_id, remote: true)
-        if (build_id =~ /\A#{OneGadget::Helper::BUILD_ID_FORMAT}\Z/).nil?
-          raise ArgumentError, format('invalid BuildID format: %p', build_id)
-        end
+        OneGadget::Helper.verify_build_id!(build_id)
         OneGadget::Gadget.builds(build_id, remote: remote)
       end
 

data/lib/one_gadget/gadget.rb

@@ -64,6 +64,33 @@ module OneGadget
         BUILDS[build_id]
       end
 
+      # Returns the comments in builds/libc-*-<build_id>*.rb
+      # @param [String] build_id
+      #   Supports give only few starting bytes, but a warning will be shown
+      #   if multiple BulidIDs are matched.
+      # @return [String?]
+      #   Lines of comments.
+      # @example
+      #   puts OneGadget::Gadget.builds_info('3bbdc')
+      #   # https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6-amd64-2.19-18+deb8u4/lib64/libc-2.19.so
+      #   #
+      #   # Advanced Micro Devices X86-64
+      #   # ...
+      def builds_info(build_id)
+        raise ArgumentError, "Invalid BuildID #{build_id.inspect}" if build_id =~ /[^0-9a-f]/
+        files = Dir.glob(File.join(BUILDS_PATH, "*-#{build_id}*.rb")).sort
+        return OneGadget::Logger.not_found(build_id) && nil if files.empty?
+        if files.size > 1
+          OneGadget::Logger.warn("Multiple BuildIDs match /^#{build_id}/\n")
+          show = files.map do |f|
+            File.basename(f, '.rb').reverse.split('-', 2).join(' ').reverse
+          end
+          OneGadget::Logger.warn("Candidates are:\n#{show * "\n"}\n")
+          return nil
+        end
+        OneGadget::Helper.comments_of_file(files.first)
+      end
+
       # Add a gadget, for scripts in builds/ to use.
       # @param [String] build_id The target's build id.
       # @param [Integer] offset The relative address offset of this gadget.

data/lib/one_gadget/helper.rb

@@ -1,9 +1,10 @@
-require 'elftools'
 require 'net/http'
 require 'openssl'
 require 'pathname'
 require 'tempfile'
 
+require 'elftools'
+
 require 'one_gadget/logger'
 
 module OneGadget
@@ -13,6 +14,26 @@ module OneGadget
     BUILD_ID_FORMAT = /[0-9a-f]{40}/
     # Define class methods here.
     module ClassMethods
+      # Verify if `build_id` is a valid SHA1 hex format.
+      # @param [String] build_id
+      #   BuildID.
+      # @raise [ArgumentError]
+      #   Raises error if invalid.
+      # @return [void]
+      def verify_build_id!(build_id)
+        return if build_id =~ /\A#{OneGadget::Helper::BUILD_ID_FORMAT}\Z/
+        raise ArgumentError, format('invalid BuildID format: %p', build_id)
+      end
+
+      # Fetch lines start with '#'.
+      # @param [String] file
+      #   Filename.
+      # @return [Array<String>]
+      #   Lines of comments.
+      def comments_of_file(file)
+        File.readlines(file).map { |s| s[2..-1].rstrip if s.start_with?('# ') }.compact
+      end
+
       # Get absolute path from relative path. Support symlink.
       # @param [String] path Relative path.
       # @return [String] Absolute path, with symlink resolved.
@@ -30,7 +51,7 @@ module OneGadget
       #   build_id_of('/lib/x86_64-linux-gnu/libc-2.23.so')
       #   #=> '60131540dadc6796cab33388349e6e4e68692053'
       def build_id_of(path)
-        ELFTools::ELFFile.new(File.open(path)).build_id
+        File.open(path) { |f| ELFTools::ELFFile.new(f).build_id }
       end
 
       # Disable colorize.
@@ -48,7 +69,7 @@ module OneGadget
       # Is colorify output enabled?
       # @return [Boolean]
       #   True or false.
-      def enable_color
+      def color_enabled?
         # if not set, use tty to check
         return $stdout.tty? if @disable_color.nil?
         !@disable_color
@@ -68,7 +89,7 @@ module OneGadget
       # @param [Symbol] sev Specific which kind of color want to use, valid symbols are defined in +COLOR_CODE+.
       # @return [String] Wrapper with color codes.
       def colorize(str, sev: :normal_s)
-        return str unless enable_color
+        return str unless color_enabled?
         cc = COLOR_CODE
         color = cc.key?(sev) ? cc[sev] : ''
         "#{color}#{str.sub(cc[:esc_m], color)}#{cc[:esc_m]}"
@@ -96,9 +117,8 @@ module OneGadget
       def download_build(file)
         temp = Tempfile.new(['gadgets', file + '.rb'])
         url_request(url_of_file(File.join('lib', 'one_gadget', 'builds', file + '.rb')))
-        temp.write url_request(url_of_file(File.join('lib', 'one_gadget', 'builds', file + '.rb')))
-        temp.close
-        temp
+        temp.write(url_request(url_of_file(File.join('lib', 'one_gadget', 'builds', file + '.rb'))))
+        temp.tap(&:close)
       end
 
       # Get the latest builds list from repo.
@@ -132,14 +152,14 @@ module OneGadget
       # @return [void]
       def ask_update(msg: '')
         name = 'one_gadget'
-        cmd = colorize("gem update #{name}")
+        cmd = colorize("gem update #{name} && gem cleanup #{name}")
         OneGadget::Logger.info(msg + "\n" + "Update with: $ #{cmd}" + "\n")
       end
 
       # Fetch the file archiecture of +file+.
       # @param [String] file The target ELF filename.
-      # @return [String]
-      #   Only supports :amd64, :i386 now.
+      # @return [Symbol]
+      #   Only supports architecture amd64 and i386 now.
       def architecture(file)
         f = File.open(file)
         str = ELFTools::ELFFile.new(f).machine

data/lib/one_gadget/logger.rb

@@ -25,13 +25,13 @@ module OneGadget
     # @param [String] build_id
     #   Build ID.
     def not_found(build_id)
-      warn("Cannot find BuildID [#{build_id}]")
+      warn("Cannot find BuildID [#{build_id}]\n")
       []
     end
 
     %i[info warn].each do |sym|
       define_method(sym) do |msg|
-        @logger.send(sym, msg)
+        @logger.__send__(sym, msg)
       end
     end
   end

data/lib/one_gadget/update.rb

@@ -53,8 +53,8 @@ module OneGadget
         FileUtils.mkdir_p(dir) unless File.directory?(dir)
         IO.binwrite(CACHE_FILE, '') unless File.exist?(CACHE_FILE)
         CACHE_FILE
-      rescue # prevent dir is not writable
-        return nil
+      rescue Errno::EACCES # prevent dir is not writable
+        nil
       end
     end
   end

data/lib/one_gadget/version.rb

@@ -1,4 +1,4 @@
 module OneGadget
   # Current gem version.
-  VERSION = '1.5.0'.freeze
+  VERSION = '1.6.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: one_gadget
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.6.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-06 00:00:00.000000000 Z
+date: 2018-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: elftools
@@ -24,76 +24,62 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: codeclimate-test-reporter
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.6'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.6'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '3.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '3.7'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.49'
+        version: '0.55'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.49'
+        version: '0.55'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.13.0
+        version: 0.16.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.13.0
+        version: 0.16.1
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -792,12 +778,17 @@ files:
 - lib/one_gadget/builds/libc-2.25-912fc00c0da67045111928bd5c8a350e5be18c41.rb
 - lib/one_gadget/builds/libc-2.25-eae5038c2b9ae67d9eda345aa9fbe0a7185ab436.rb
 - lib/one_gadget/builds/libc-2.26-2104f3d4ad5cf68603afbe7ba1a17f5ac99c5988.rb
+- lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb
+- lib/one_gadget/builds/libc-2.26-f65648a832414f2144ce795d75b6045a1ec2e252.rb
+- lib/one_gadget/builds/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.rb
+- lib/one_gadget/builds/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb
 - lib/one_gadget/emulators/amd64.rb
 - lib/one_gadget/emulators/i386.rb
 - lib/one_gadget/emulators/instruction.rb
 - lib/one_gadget/emulators/lambda.rb
 - lib/one_gadget/emulators/processor.rb
 - lib/one_gadget/emulators/x86.rb
+- lib/one_gadget/error.rb
 - lib/one_gadget/fetcher.rb
 - lib/one_gadget/fetchers/amd64.rb
 - lib/one_gadget/fetchers/base.rb
@@ -827,7 +818,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.14
 signing_key: 
 specification_version: 4
 summary: one_gadget