one_gadget 1.6.2 → 1.7.0

data/lib/one_gadget/emulators/amd64.rb

@@ -1,5 +1,5 @@
-require 'one_gadget/emulators/x86'
 require 'one_gadget/abi'
+require 'one_gadget/emulators/x86'
 
 module OneGadget
   module Emulators

data/lib/one_gadget/emulators/i386.rb

@@ -1,5 +1,5 @@
-require 'one_gadget/emulators/x86'
 require 'one_gadget/abi'
+require 'one_gadget/emulators/x86'
 
 module OneGadget
   module Emulators

data/lib/one_gadget/emulators/instruction.rb

@@ -5,26 +5,32 @@ module OneGadget
     # Define instruction name and it's argument count.
     class Instruction
       attr_reader :inst # @return [String]  The instruction name.
-      attr_reader :argc # @return [Integer] Count of arguments.
+      attr_reader :argc # @return [Range] Count of arguments.
       # Instantiate a {Instruction} object.
       # @param [String] inst The instruction name.
-      # @param [Integer] argc
+      # @param [Range, Integer] argc
       #   Count of arguments.
       #   Negative integer for doesn't care the number of arguments.
       def initialize(inst, argc)
         @inst = inst
-        @argc = argc
+        @argc = case argc
+                when -1 then 0..Float::INFINITY
+                when Range then argc
+                when Integer then argc..argc
+                end
       end
 
       # Extract arguments from command.
       # @param [String] cmd
       # @return [Array<String>] Arguments.
+      # @raise [OneGadget::Error::InstructionArgumentError]
       def fetch_args(cmd)
         idx = cmd.index(inst)
+        cmd = cmd[0...cmd.rindex('//')] if cmd.rindex('//')
         cmd = cmd[0...cmd.rindex('#')] if cmd.rindex('#')
-        args = cmd[idx + inst.size..-1].split(',')
-        if argc >= 0 && args.size != argc
-          raise Error::ArgumentError, "Incorrect argument number in #{cmd}, expect: #{argc}"
+        args = parse_args(cmd[idx + inst.size..-1])
+        unless argc.include?(args.size)
+          raise OneGadget::Error::InstructionArgumentError, "Incorrect argument number in #{cmd}, expect: #{argc}"
         end
 
         args.map do |arg|
@@ -36,7 +42,30 @@ module OneGadget
       # @param [String] cmd
       # @return [Boolean]
       def match?(cmd)
-        cmd.include?(inst + ' ')
+        (cmd =~ /#{inst}\s/) != nil
+      end
+
+      private
+
+      def parse_args(str)
+        args = []
+        cur = +''
+        bkt_cnt = 0
+        str.each_char do |c|
+          if c == ',' && bkt_cnt.zero?
+            args << cur
+            cur = +''
+            next
+          end
+
+          cur << c
+          case c
+          when '[' then bkt_cnt += 1
+          when ']' then bkt_cnt -= 1
+          end
+        end
+        args << cur unless cur.empty?
+        args
       end
     end
   end

data/lib/one_gadget/emulators/lambda.rb

@@ -24,7 +24,7 @@ module OneGadget
       # @param [Numeric] other Value to add.
       # @return [Lambda] The result.
       def +(other)
-        raise Error::ArgumentError, 'Expect other to be Numeric.' unless other.is_a?(Numeric)
+        raise Error::InstructionArgumentError, "Expect other(#{other}) to be numeric." unless other.is_a?(Numeric)
 
         if deref_count > 0
           ret = Lambda.new(self)
@@ -50,12 +50,13 @@ module OneGadget
       end
 
       # Decrease dreference count with 1.
-      # @return [void]
-      # @raise [Error::ArgumentError] When this object cannot be referenced anymore.
+      # @return [self]
+      # @raise [Error::InstrutionArgumentError] When this object cannot be referenced anymore.
       def ref!
-        raise Error::ArgumentError, 'Cannot reference anymore!' if @deref_count <= 0
+        raise Error::InstructionArgumentError, 'Cannot reference anymore!' if @deref_count <= 0
 
         @deref_count -= 1
+        self
       end
 
       # A new {Lambda} object with dereference count increase 1.
@@ -84,43 +85,53 @@ module OneGadget
       #   The context.
       # @return [Integer] Result of evaluation.
       def evaluate(context)
-        raise Error::ArgumentError, "Can't eval #{self}" if deref_count > 0
-        raise Error::ArgumentError, "Can't eval #{self}" if obj && !context.key?(obj)
+        raise Error::InstructionArgumentError, "Can't eval #{self}" if deref_count > 0 || (obj && !context.key?(obj))
 
         context[obj] + immi
       end
 
       class << self
-        # Target: parse things like <tt>[rsp+0x50]</tt> into a {Lambda} object.
-        # @param [String] arg
+        # Target: parse string like <tt>[rsp+0x50]</tt> into a {Lambda} object.
+        # @param [String] argument
         # @param [Hash{String => Lambda}] predefined
         #   Predfined values.
         # @return [OneGadget::Emulators::Lambda, Integer]
-        #   If +arg+ contains number only, return it.
-        #   Otherwise, return a {Lambda} object.
+        #   If +argument+ contains number only, returns the value.
+        #   Otherwise, returns a {Lambda} object.
         # @example
         #   obj = Lambda.parse('[rsp+0x50]')
         #   #=> #<Lambda @obj='rsp', @immi=80, @deref_count=1>
         #   Lambda.parse('obj+0x30', predefined: { 'obj' => obj }).to_s
         #   #=> '[rsp+0x50]+0x30'
-        def parse(arg, predefined: {})
-          deref_count = 0
-          if arg[0] == '[' # a little hack because there should nerver something like +[[rsp+1]+2]+ to parse.
-            arg = arg[1..-2]
-            deref_count = 1
-          end
+        # @example
+        #   Lambda.parse('[x0, -104]')
+        #   #=> #<Lambda @obj='x0', @immi=-104, @deref_count=1>
+        def parse(argument, predefined: {})
+          arg = argument.dup
           return Integer(arg) if OneGadget::Helper.integer?(arg)
+          # nested []
+          return parse(arg[1...arg.rindex(']')], predefined: predefined).deref if arg[0] == '['
+
+          base, disp = mem_obj(arg)
+          obj = predefined[base] || Lambda.new(base)
+          obj += disp unless disp.zero?
+          obj
+        end
+
+        private
 
-          sign = arg =~ /[+-]/
-          val = 0
-          if sign
-            raise Error::ArgumentError, "Not support #{arg}" unless OneGadget::Helper.integer?(arg[sign..-1])
+        # @return [(String, Integer)]
+        def mem_obj(arg)
+          # We have three forms:
+          # 0. reg
+          # 1. reg+imm / reg-imm
+          # 2. reg, imm / reg, -imm
+          tokens = arg.gsub(/[\+\-]/, ' \0').scan(/[\+\-\w]+/)
+          return [tokens.first, 0] if tokens.size == 1
+          raise Error::UnsupportedInstructionArgumentError, arg unless tokens.size == 2
+          raise Error::UnsupportedInstructionArgumentError, arg unless OneGadget::Helper.integer?(tokens.last)
 
-            val = Integer(arg.slice!(sign..-1))
-          end
-          obj = predefined[arg] || Lambda.new(arg)
-          obj += val unless val.zero?
-          deref_count.zero? ? obj : obj.deref
+          [tokens.first, Integer(tokens.last)]
         end
       end
     end

data/lib/one_gadget/emulators/processor.rb

@@ -8,11 +8,24 @@ module OneGadget
     class Processor
       attr_reader :registers # @return [Hash{String => OneGadget::Emulators::Lambda}] The current registers' state.
       attr_reader :stack # @return [Hash{Integer => OneGadget::Emulators::Lambda}] The content on stack.
+      attr_reader :sp # @return [String] Stack pointer.
+      attr_reader :pc # @return [String] Program counter.
+
       # Instantiate a {Processor} object.
-      # @param [Array<String>] registers Registers that supported in the architecture.
-      def initialize(registers)
+      # @param [Array<String>] registers
+      #   Registers that supported in the architecture.
+      # @param [String] sp
+      #   The stack register.
+      def initialize(registers, sp)
         @registers = registers.map { |reg| [reg, to_lambda(reg)] }.to_h
-        @stack = {}
+        @sp = sp
+        @constraints = []
+        @stack = Hash.new do |h, k|
+          h[k] = OneGadget::Emulators::Lambda.new(sp).tap do |lmda|
+            lmda.immi = k
+            lmda.deref!
+          end
+        end
       end
 
       # Parse one command into instruction and arguments.
@@ -21,14 +34,31 @@ module OneGadget
       #   The parsing result.
       def parse(cmd)
         inst = instructions.find { |i| i.match?(cmd) }
-        raise Error::ArgumentError, "Not implemented instruction in #{cmd}" if inst.nil?
+        raise Error::UnsupportedInstructionError, "Not implemented instruction in #{cmd}" if inst.nil?
 
         [inst, inst.fetch_args(cmd)]
       end
 
+      # Process one command, without raising any exceptions.
+      # @param [String] cmd
+      #   See {#process!} for more information.
+      # @return [Boolean]
+      def process(cmd)
+        process!(cmd)
+      # rescue OneGadget::Error::UnsupportedError # for debugging
+      rescue OneGadget::Error::Error
+        false
+      end
+
       # Method need to be implemented in inheritors.
-      # @return [void]
-      def process(_cmd); raise NotImplementedError
+      #
+      # Process one command.
+      # Will raise exceptions when encounter unhandled instruction.
+      # @param [String] _cmd
+      #   One line from result of objdump.
+      # @return [Boolean]
+      #   If successfully processed.
+      def process!(_cmd); raise NotImplementedError
       end
 
       # Method need to be implemented in inheritors.
@@ -36,11 +66,69 @@ module OneGadget
       def instructions; raise NotImplementedError
       end
 
+      # To be inherited.
+      #
+      # @param [Integer] _idx
+      #   The idx-th argument.
+      #
+      # @return [Lambda, Integer]
+      #   Return value can be a {Lambda} or an +Integer+.
+      def argument(_idx); raise NotImplementedError
+      end
+
+      # @return [Array<String>]
+      #   Extra constraints found during execution.
+      def constraints
+        return [] if @constraints.empty?
+
+        # currently only ':writable' type
+        cons = @constraints.uniq { |_type, obj| obj.deref_count.zero? ? obj.obj.to_s : obj.to_s }
+        cons.map { |_type, obj| "writable: #{obj}" }.sort
+      end
+
       private
 
+      def check_register!(reg)
+        raise Error::InstructionArgumentError, "#{reg.inspect} is not a valid register" unless register?(reg)
+      end
+
+      def check_argument(idx, expect)
+        case expect
+        when :global_var? then global_var?(argument(idx))
+        when :zero? then argument(idx).is_a?(Integer) && argument(idx).zero?
+        end
+      end
+
+      def register?(reg)
+        registers.include?(reg)
+      end
+
       def to_lambda(reg)
         OneGadget::Emulators::Lambda.new(reg)
       end
+
+      def raise_unsupported(inst, *args)
+        raise OneGadget::Error::UnsupportedInstructionArgumentError, "#{inst} #{args.join(', ')}"
+      end
+
+      def eval_dict
+        { sp => 0 }
+      end
+
+      def size_t
+        self.class.bits / 8
+      end
+
+      def global_var?(obj)
+        obj.to_s.include?(pc)
+      end
+
+      class << self
+        # 32 or 64.
+        # @return [Integer] 32 or 64.
+        def bits; raise NotImplementedError
+        end
+      end
     end
   end
 end

data/lib/one_gadget/emulators/x86.rb

@@ -7,19 +7,10 @@ module OneGadget
   module Emulators
     # Super class for amd64 and i386 processor.
     class X86 < Processor
-      attr_reader :sp # @return [String] Stack pointer.
-      attr_reader :pc # @return [String] Program counter.
       # Constructor for a x86 processor.
       def initialize(registers, sp, pc)
-        super(registers)
-        @sp = sp
+        super(registers, sp)
         @pc = pc
-        @stack = Hash.new do |h, k|
-          h[k] = OneGadget::Emulators::Lambda.new(sp).tap do |lmda|
-            lmda.immi = k
-            lmda.deref!
-          end
-        end
       end
 
       # Process one command.
@@ -27,6 +18,7 @@ module OneGadget
       # @param [String] cmd
       #   One line from result of objdump.
       # @return [Boolean]
+      #   If successfully processed.
       def process!(cmd)
         inst, args = parse(cmd)
         # return registers[pc] = args[0] if inst.inst == 'call'
@@ -36,16 +28,6 @@ module OneGadget
         __send__(sym, *args) != :fail
       end
 
-      # Process one command, without raising any exceptions.
-      # @param [String] cmd
-      #   See {#process!} for more information.
-      # @return [Boolean]
-      def process(cmd)
-        process!(cmd)
-      rescue OneGadget::Error::Error
-        false
-      end
-
       # Supported instruction set.
       # @return [Array<Instruction>] The supported instructions.
       def instructions
@@ -65,133 +47,111 @@ module OneGadget
         ]
       end
 
-      class << self
-        # 32 or 64.
-        # @return [Integer] 32 or 64.
-        def bits; raise NotImplementedError
-        end
-      end
-
-      # To be inherited.
-      #
-      # @param [Integer] _idx
-      #   The idx-th argument.
-      #
-      # @return [Lambda, Integer]
-      #   Return value can be a {Lambda} or an +Integer+.
-      def argument(_idx); raise NotImplementedError
-      end
-
       private
 
-      def register?(reg)
-        registers.include?(reg)
-      end
-
-      def inst_mov(tar, src)
+      def inst_mov(dst, src)
         src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
-        if register?(tar)
-          registers[tar] = src
+        if register?(dst)
+          registers[dst] = src
         else
           # Just ignore strange case...
-          return unless tar.include?(sp)
+          return unless dst.include?(sp)
 
-          tar = OneGadget::Emulators::Lambda.parse(tar, predefined: registers)
-          return if tar.deref_count != 1 # should not happen
+          dst = OneGadget::Emulators::Lambda.parse(dst, predefined: registers)
+          return if dst.deref_count != 1 # should not happen
 
-          tar.ref!
-          stack[tar.evaluate(eval_dict)] = src
+          dst.ref!
+          stack[dst.evaluate(eval_dict)] = src
         end
       end
 
       # This instruction moves 128bits.
-      def inst_movaps(tar, src)
+      def inst_movaps(dst, src)
         # XXX: here we only support `movaps [sp+*], xmm*`
         # TODO: This need an extra constraint: sp & 0xf == 0
-        src, tar = check_xmm_sp(src, tar) { raise_unsupported('movaps', tar, src) }
-        off = tar.evaluate(eval_dict)
+        src, dst = check_xmm_sp(src, dst) { raise_unsupported('movaps', dst, src) }
+        off = dst.evaluate(eval_dict)
         (128 / self.class.bits).times do |i|
           stack[off + i * size_t] = src[i]
         end
       end
 
-      # Mov *src to tar[:64]
-      def inst_movq(tar, src)
+      # Mov *src to dst[:64]
+      def inst_movq(dst, src)
         # XXX: here we only support `movq xmm*, [sp+*]`
-        tar, src = check_xmm_sp(tar, src) { raise_unsupported('movq', tar, src) }
+        dst, src = check_xmm_sp(dst, src) { raise_unsupported('movq', dst, src) }
         off = src.evaluate(eval_dict)
         (64 / self.class.bits).times do |i|
-          tar[i] = stack[off + i * size_t]
+          dst[i] = stack[off + i * size_t]
         end
       end
 
-      # Move *src to tar[64:128]
-      def inst_movhps(tar, src)
+      # Move *src to dst[64:128]
+      def inst_movhps(dst, src)
         # XXX: here we only support `movhps xmm*, [sp+*]`
-        tar, src = check_xmm_sp(tar, src) { raise_unsupported('movhps', tar, src) }
+        dst, src = check_xmm_sp(dst, src) { raise_unsupported('movhps', dst, src) }
         off = src.evaluate(eval_dict)
         (64 / self.class.bits).times do |i|
-          tar[i + 64 / self.class.bits] = stack[off + i * size_t]
+          dst[i + 64 / self.class.bits] = stack[off + i * size_t]
         end
       end
 
-      # check if (tar, src) in form (xmm*, [sp+*])
-      def check_xmm_sp(tar, src)
-        return yield unless tar.start_with?('xmm') && register?(tar) && src.include?(sp)
+      # check if (dst, src) in form (xmm*, [sp+*])
+      def check_xmm_sp(dst, src)
+        return yield unless dst.start_with?('xmm') && register?(dst) && src.include?(sp)
 
-        tar_lm = OneGadget::Emulators::Lambda.parse(tar, predefined: registers)
+        dst_lm = OneGadget::Emulators::Lambda.parse(dst, predefined: registers)
         src_lm = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
         return yield if src_lm.deref_count != 1
 
         src_lm.ref!
-        [tar_lm, src_lm]
+        [dst_lm, src_lm]
       end
 
-      def inst_lea(tar, src)
+      def inst_lea(dst, src)
+        check_register!(dst)
+
         src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
         src.ref!
-        registers[tar] = src
+        registers[dst] = src
       end
 
       def inst_push(val)
         val = OneGadget::Emulators::Lambda.parse(val, predefined: registers)
         registers[sp] -= size_t
         cur_top = registers[sp].evaluate(eval_dict)
-        raise Error::ArgumentError, "Corrupted stack pointer: #{cur_top}" unless cur_top.is_a?(Integer)
+        raise Error::InstructionArgumentError, "Corrupted stack pointer: #{cur_top}" unless cur_top.is_a?(Integer)
 
         stack[cur_top] = val
       end
 
       def inst_xor(dst, src)
+        check_register!(dst)
+
         # only supports dst == src
-        raise Error::ArgumentError, 'xor operator only supports dst = src' unless dst == src
+        raise Error::UnsupportedInstructionArgumentError, 'xor operator only supports dst = src' unless dst == src
 
         dst[0] = 'r' if self.class.bits == 64 && dst.start_with?('e')
         registers[dst] = 0
       end
 
-      def inst_add(tar, src)
+      def inst_add(dst, src)
+        check_register!(dst)
+
         src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
-        registers[tar] += src
+        registers[dst] += src
       end
 
-      def inst_sub(tar, src)
+      def inst_sub(dst, src)
         src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
-        raise Error::ArgumentError, "Can't handle -= of type #{src.class}" unless src.is_a?(Integer)
+        raise Error::UnsupportedInstructionArgumentError, "Unhandled -= of type #{src.class}" unless src.is_a?(Integer)
 
-        registers[tar] -= src
+        registers[dst] -= src
       end
 
       # yap, nop
       def inst_nop(*); end
 
-      def check_argument(idx, expect)
-        case expect
-        when :global then argument(idx).to_s.include?(pc) # easy check
-        when :zero? then argument(idx).is_a?(Integer) && argument(idx).zero?
-        end
-      end
-
       # Handle some valid calls.
       # For example, +sigprocmask+ will always be a valid call
       # because it just invokes syscall.
@@ -203,8 +163,8 @@ module OneGadget
         checker = {
           'sigprocmask' => {},
           '__close' => {},
-          'unsetenv' => { 0 => :global },
-          '__sigaction' => { 1 => :global, 2 => :zero? }
+          'unsetenv' => { 0 => :global_var? },
+          '__sigaction' => { 1 => :global_var?, 2 => :zero? }
         }
         func = checker.keys.find { |n| addr.include?(n) }
         return if func && checker[func].all? { |idx, sym| check_argument(idx, sym) }
@@ -213,18 +173,6 @@ module OneGadget
         :fail
       end
 
-      def size_t
-        self.class.bits / 8
-      end
-
-      def eval_dict
-        { sp => 0 }
-      end
-
-      def raise_unsupported(inst, *args)
-        raise OneGadget::Error::UnsupportedInstructionArgumentsError, "#{inst} #{args.join(', ')}"
-      end
-
       def to_lambda(reg)
         return super unless reg =~ /^xmm\d+$/