rallhook 0.7.5 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/AUTHORS +2 -0
- data/CHANGELOG +2 -0
- data/README +0 -2
- data/Rakefile +1 -1
- data/TODO +0 -1
- data/ext/rallhook_base/deps/distorm/config.h +170 -0
- data/ext/rallhook_base/deps/distorm/distorm.h +401 -0
- data/ext/rallhook_base/deps/distorm/mnemonics.c +258 -0
- data/ext/rallhook_base/deps/distorm/mnemonics.h +200 -0
- data/ext/rallhook_base/deps/distorm/src/decoder.c +548 -0
- data/ext/rallhook_base/deps/distorm/src/decoder.h +18 -0
- data/ext/rallhook_base/deps/distorm/src/distorm.c +375 -0
- data/ext/rallhook_base/deps/distorm/src/instructions.c +490 -0
- data/ext/rallhook_base/deps/distorm/src/instructions.h +445 -0
- data/ext/rallhook_base/deps/distorm/src/insts.c +4851 -0
- data/ext/rallhook_base/deps/distorm/src/insts.h +36 -0
- data/ext/rallhook_base/deps/distorm/src/operands.c +1270 -0
- data/ext/rallhook_base/deps/distorm/src/operands.h +38 -0
- data/ext/rallhook_base/deps/distorm/src/prefix.c +380 -0
- data/ext/rallhook_base/deps/distorm/src/prefix.h +76 -0
- data/ext/rallhook_base/deps/distorm/src/pydistorm.h +62 -0
- data/ext/rallhook_base/deps/distorm/src/textdefs.c +180 -0
- data/ext/rallhook_base/deps/distorm/src/textdefs.h +68 -0
- data/ext/rallhook_base/deps/distorm/src/wstring.c +55 -0
- data/ext/rallhook_base/deps/distorm/src/wstring.h +43 -0
- data/ext/rallhook_base/deps/distorm/src/x86defs.c +41 -0
- data/ext/rallhook_base/deps/distorm/src/x86defs.h +105 -0
- data/ext/rallhook_base/extconf.rb +15 -20
- data/ext/rallhook_base/rallhook.c +20 -8
- metadata +27 -5
@@ -0,0 +1,548 @@
|
|
1
|
+
/*
|
2
|
+
decoder.c
|
3
|
+
|
4
|
+
diStorm3 - Powerful disassembler for X86/AMD64
|
5
|
+
http://ragestorm.net/distorm/
|
6
|
+
distorm at gmail dot com
|
7
|
+
Copyright (C) 2010 Gil Dabah
|
8
|
+
|
9
|
+
This program is free software: you can redistribute it and/or modify
|
10
|
+
it under the terms of the GNU General Public License as published by
|
11
|
+
the Free Software Foundation, either version 3 of the License, or
|
12
|
+
(at your option) any later version.
|
13
|
+
|
14
|
+
This program is distributed in the hope that it will be useful,
|
15
|
+
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
16
|
+
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
17
|
+
GNU General Public License for more details.
|
18
|
+
|
19
|
+
You should have received a copy of the GNU General Public License
|
20
|
+
along with this program. If not, see <http://www.gnu.org/licenses/>
|
21
|
+
*/
|
22
|
+
|
23
|
+
|
24
|
+
#include "decoder.h"
|
25
|
+
|
26
|
+
#include "prefix.h"
|
27
|
+
#include "x86defs.h"
|
28
|
+
#include "operands.h"
|
29
|
+
#include "../mnemonics.h"
|
30
|
+
|
31
|
+
|
32
|
+
/* Instruction Prefixes - Opcode - ModR/M - SIB - Displacement - Immediate */
|
33
|
+
|
34
|
+
static _DecodeType decode_get_effective_addr_size(_DecodeType dt, _iflags decodedPrefixes)
|
35
|
+
{
|
36
|
+
/*
|
37
|
+
* This table is to map from the current decoding mode to an effective address size:
|
38
|
+
* Decode16 -> Decode32
|
39
|
+
* Decode32 -> Decode16
|
40
|
+
* Decode64 -> Decode32
|
41
|
+
*/
|
42
|
+
static _DecodeType AddrSizeTable[] = {Decode32Bits, Decode16Bits, Decode32Bits};
|
43
|
+
|
44
|
+
/* Switch to non default mode if prefix exists, only for ADDRESS SIZE. */
|
45
|
+
if (decodedPrefixes & INST_PRE_ADDR_SIZE) dt = AddrSizeTable[dt];
|
46
|
+
return dt;
|
47
|
+
}
|
48
|
+
|
49
|
+
static _DecodeType decode_get_effective_op_size(_DecodeType dt, _iflags decodedPrefixes, unsigned int rex, _iflags instFlags)
|
50
|
+
{
|
51
|
+
/*
|
52
|
+
* This table is to map from the current decoding mode to an effective operand size:
|
53
|
+
* Decode16 -> Decode32
|
54
|
+
* Decode32 -> Decode16
|
55
|
+
* Decode64 -> Decode16
|
56
|
+
* Not that in 64bits it's a bit more complicated, because of REX and promoted instructions.
|
57
|
+
*/
|
58
|
+
static _DecodeType OpSizeTable[] = {Decode32Bits, Decode16Bits, Decode16Bits};
|
59
|
+
|
60
|
+
if (decodedPrefixes & INST_PRE_OP_SIZE) return OpSizeTable[dt];
|
61
|
+
|
62
|
+
if (dt == Decode64Bits) {
|
63
|
+
/*
|
64
|
+
* REX Prefix toggles data size to 64 bits.
|
65
|
+
* Operand size prefix toggles data size to 16.
|
66
|
+
* Default data size is 32 bits.
|
67
|
+
* Promoted instructions are 64 bits if they don't require a REX perfix.
|
68
|
+
* Non promoted instructions are 64 bits if the REX prefix exists.
|
69
|
+
*/
|
70
|
+
/* Automatically promoted instructions have only INST_64BITS SET! */
|
71
|
+
if (((instFlags & (INST_64BITS | INST_PRE_REX)) == INST_64BITS) ||
|
72
|
+
/* Other instructions in 64 bits can be promoted only with a REX prefix. */
|
73
|
+
((decodedPrefixes & INST_PRE_REX) && (rex & PREFIX_EX_W))) dt = Decode64Bits;
|
74
|
+
else dt = Decode32Bits; /* Default. */
|
75
|
+
}
|
76
|
+
return dt;
|
77
|
+
}
|
78
|
+
|
79
|
+
static _DecodeResult decode_inst(_CodeInfo* ci, _PrefixState* ps, _DInst* di)
|
80
|
+
{
|
81
|
+
/* The ModR/M byte of the current instruction. */
|
82
|
+
unsigned int modrm = 0;
|
83
|
+
|
84
|
+
/* The REX/VEX prefix byte value. */
|
85
|
+
unsigned int vrex = ps->vrex;
|
86
|
+
|
87
|
+
/*
|
88
|
+
* Backup original input, so we can use it later if a problem occurs
|
89
|
+
* (like not enough data for decoding, invalid opcode, etc).
|
90
|
+
*/
|
91
|
+
const uint8_t* startCode = ci->code;
|
92
|
+
|
93
|
+
/* Holds the info about the current found instruction. */
|
94
|
+
_InstInfo* ii = NULL;
|
95
|
+
|
96
|
+
/* Used only for special CMP instructions which have pseudo opcodes suffix. */
|
97
|
+
unsigned char cmpType = 0;
|
98
|
+
|
99
|
+
/*
|
100
|
+
* Indicates whether it is right to LOCK the instruction by decoding its first operand.
|
101
|
+
* Only then you know if it's ok to output the LOCK prefix's text...
|
102
|
+
* Used for first operand only.
|
103
|
+
*/
|
104
|
+
int lockable = FALSE;
|
105
|
+
|
106
|
+
/* Calcualte (and cache) effective-operand-size and effective-address-size only once. */
|
107
|
+
_DecodeType effOpSz, effAdrSz;
|
108
|
+
|
109
|
+
ii = inst_lookup(ci, ps);
|
110
|
+
if (ii == NULL) goto _Undecodable;
|
111
|
+
|
112
|
+
/*
|
113
|
+
* If both REX and OpSize are available we will have to disable the OpSize, because REX has precedence.
|
114
|
+
* However, only if REX.W is set !
|
115
|
+
* We had to wait with this test, since the operand size may be a mandatory prefix,
|
116
|
+
* and we know it only after prefetching.
|
117
|
+
*/
|
118
|
+
if ((ps->prefixExtType == PET_REX) &&
|
119
|
+
(ps->decodedPrefixes & INST_PRE_OP_SIZE) &&
|
120
|
+
(!ps->isOpSizeMandatory) &&
|
121
|
+
(vrex & PREFIX_EX_W)) {
|
122
|
+
ps->decodedPrefixes &= ~INST_PRE_OP_SIZE;
|
123
|
+
prefixes_ignore(ps, PFXIDX_OP_SIZE);
|
124
|
+
}
|
125
|
+
|
126
|
+
/*
|
127
|
+
* In this point we know the instruction we are about to decode and its operands (unless, it's an invalid one!),
|
128
|
+
* so it makes it the right time for decoding-type suitability testing.
|
129
|
+
* Which practically means, don't allow 32 bits instructions in 16 bits decoding mode, but do allow
|
130
|
+
* 16 bits instructions in 32 bits decoding mode, of course...
|
131
|
+
|
132
|
+
* NOTE: Make sure the instruction set for 32 bits has explicitly this specfic flag set.
|
133
|
+
* NOTE2: Make sure the instruction set for 64 bits has explicitly this specfic flag set.
|
134
|
+
|
135
|
+
* If this is the case, drop what we've got and restart all over after DB'ing that byte.
|
136
|
+
|
137
|
+
* Though, don't drop an instruction which is also supported in 16 and 32 bits.
|
138
|
+
*/
|
139
|
+
|
140
|
+
/* ! ! ! DISABLED UNTIL FURTHER NOTICE ! ! ! Decode16Bits CAN NOW DECODE 32 BITS INSTRUCTIONS ! ! !*/
|
141
|
+
/* if (ii && (dt == Decode16Bits) && (ii->flags & INST_32BITS) && (~ii->flags & INST_16BITS)) ii = NULL; */
|
142
|
+
|
143
|
+
/* Drop instructions which are invalid in 64 bits. */
|
144
|
+
if ((ci->dt == Decode64Bits) && (ii->flags & INST_INVALID_64BITS)) goto _Undecodable;
|
145
|
+
|
146
|
+
/* If it's only a 64 bits instruction drop it in other decoding modes. */
|
147
|
+
if ((ci->dt != Decode64Bits) && (ii->flags & INST_64BITS_FETCH)) goto _Undecodable;
|
148
|
+
|
149
|
+
if (ii->flags & INST_MODRM_REQUIRED) {
|
150
|
+
/* If the ModRM byte is not part of the opcode, skip the last byte code, so code points now to ModRM. */
|
151
|
+
if (~ii->flags & INST_MODRM_INCLUDED) {
|
152
|
+
ci->code++;
|
153
|
+
if (--ci->codeLen < 0) goto _Undecodable;
|
154
|
+
}
|
155
|
+
modrm = *ci->code;
|
156
|
+
|
157
|
+
/* Some instructions enforce that reg=000, so validate that. (Specifically EXTRQ). */
|
158
|
+
if ((ii->flags & INST_FORCE_REG0) && (((modrm >> 3) & 7) != 0)) goto _Undecodable;
|
159
|
+
/* Some instructions enforce that mod=11, so validate that. */
|
160
|
+
if ((ii->flags & INST_MODRR) && (modrm < INST_DIVIDED_MODRM)) goto _Undecodable;
|
161
|
+
}
|
162
|
+
|
163
|
+
ci->code++; /* Skip the last byte we just read (either last opcode's byte code or a ModRM). */
|
164
|
+
|
165
|
+
/* Cache the effective operand-size and address-size. */
|
166
|
+
effOpSz = decode_get_effective_op_size(ci->dt, ps->decodedPrefixes, vrex, ii->flags);
|
167
|
+
effAdrSz = decode_get_effective_addr_size(ci->dt, ps->decodedPrefixes);
|
168
|
+
|
169
|
+
memset(di, 0, sizeof(_DInst));
|
170
|
+
di->base = R_NONE;
|
171
|
+
|
172
|
+
/*
|
173
|
+
* Try to extract the next operand only if the latter exists.
|
174
|
+
* For example, if there is not first operand, no reason to try to extract second operand...
|
175
|
+
* I decided that a for-break is better for readability in this specific case than goto.
|
176
|
+
* Note: do-while with a constant 0 makes the compiler warning about it.
|
177
|
+
*/
|
178
|
+
for (;;) {
|
179
|
+
if (ii->d != OT_NONE) {
|
180
|
+
if (!operands_extract(ci, di, ii, (_OpType)ii->d, ONT_1, modrm, ps, effOpSz, effAdrSz, &lockable)) goto _Undecodable;
|
181
|
+
} else break;
|
182
|
+
|
183
|
+
if (ii->s != OT_NONE) {
|
184
|
+
if (!operands_extract(ci, di, ii, (_OpType)ii->s, ONT_2, modrm, ps, effOpSz, effAdrSz, NULL)) goto _Undecodable;
|
185
|
+
} else break;
|
186
|
+
|
187
|
+
/* Use third operand, only if the flags says this InstInfo requires it. */
|
188
|
+
if (ii->flags & INST_USE_OP3) {
|
189
|
+
if (!operands_extract(ci, di, ii, (_OpType)((_InstInfoEx*)ii)->op3, ONT_3, modrm, ps, effOpSz, effAdrSz, NULL)) goto _Undecodable;
|
190
|
+
} else break;
|
191
|
+
|
192
|
+
/* Support for a fourth operand is added for (i.e:) INSERTQ instruction. */
|
193
|
+
if (ii->flags & INST_USE_OP4) {
|
194
|
+
if (!operands_extract(ci, di, ii, (_OpType)((_InstInfoEx*)ii)->op4, ONT_4, modrm, ps, effOpSz, effAdrSz, NULL)) goto _Undecodable;
|
195
|
+
}
|
196
|
+
break;
|
197
|
+
} /* Continue here after all operands were extracted. */
|
198
|
+
|
199
|
+
/* If it were a 3DNow! instruction, we will have to find the instruction itself now that we got its operands extracted. */
|
200
|
+
if (ii->flags & INST_3DNOW_FETCH) {
|
201
|
+
ii = inst_lookup_3dnow(ci);
|
202
|
+
if (ii == NULL) goto _Undecodable;
|
203
|
+
}
|
204
|
+
|
205
|
+
/* Check whether pseudo opcode is needed, only for CMP instructions: */
|
206
|
+
if (ii->flags & INST_PSEUDO_OPCODE) {
|
207
|
+
if (--ci->codeLen < 0) goto _Undecodable;
|
208
|
+
cmpType = *ci->code;
|
209
|
+
ci->code++;
|
210
|
+
/* Comparison type must be between 0 to 8, otherwise Reserved. */
|
211
|
+
if (cmpType >= INST_CMP_MAX_RANGE) goto _Undecodable;
|
212
|
+
}
|
213
|
+
|
214
|
+
/*
|
215
|
+
* There's a limit of 15 bytes on instruction length. The only way to violate
|
216
|
+
* this limit is by putting redundant prefixes before an instruction.
|
217
|
+
* start points to first prefix if any, otherwise it points to instruction first byte.
|
218
|
+
*/
|
219
|
+
if ((ci->code - ps->start) > INST_MAXIMUM_SIZE) goto _Undecodable; /* Drop instruction. */
|
220
|
+
|
221
|
+
/*
|
222
|
+
* If we reached here the instruction was fully decoded, we located the instruction in the DB and extracted operands.
|
223
|
+
* Use the correct mnemonic according to the DT.
|
224
|
+
* If we are in 32 bits decoding mode it doesn't necessarily mean we will choose mnemonic2, alas,
|
225
|
+
* it means that if there is a mnemonic2, it will be used.
|
226
|
+
*/
|
227
|
+
|
228
|
+
/* Start with prefix LOCK. */
|
229
|
+
if ((lockable == TRUE) && (ii->flags & INST_PRE_LOCK)) {
|
230
|
+
ps->usedPrefixes |= INST_PRE_LOCK;
|
231
|
+
di->flags |= FLAG_LOCK;
|
232
|
+
} else if ((ii->flags & INST_PRE_REPNZ) && (ps->decodedPrefixes & INST_PRE_REPNZ)) {
|
233
|
+
ps->usedPrefixes |= INST_PRE_REPNZ;
|
234
|
+
di->flags |= FLAG_REPNZ;
|
235
|
+
} else if ((ii->flags & INST_PRE_REP) && (ps->decodedPrefixes & INST_PRE_REP)) {
|
236
|
+
ps->usedPrefixes |= INST_PRE_REP;
|
237
|
+
di->flags |= FLAG_REP;
|
238
|
+
}
|
239
|
+
|
240
|
+
/* If it's JeCXZ the ADDR_SIZE prefix affects them. */
|
241
|
+
if ((ii->flags & (INST_PRE_ADDR_SIZE | INST_USE_EXMNEMONIC)) == (INST_PRE_ADDR_SIZE | INST_USE_EXMNEMONIC)) {
|
242
|
+
ps->usedPrefixes |= INST_PRE_ADDR_SIZE;
|
243
|
+
if (effAdrSz == Decode16Bits) di->opcode = ii->opcodeId;
|
244
|
+
else if (effAdrSz == Decode32Bits) di->opcode = ((_InstInfoEx*)ii)->opcodeId2;
|
245
|
+
/* Ignore REX.W in 64bits, JECXZ is promoted. */
|
246
|
+
else /* Decode64Bits */ di->opcode = ((_InstInfoEx*)ii)->opcodeId3;
|
247
|
+
}
|
248
|
+
|
249
|
+
/* LOOPxx instructions are also native instruction, but they are special case ones, ADDR_SIZE prefix affects them. */
|
250
|
+
else if ((ii->flags & (INST_PRE_ADDR_SIZE | INST_NATIVE)) == (INST_PRE_ADDR_SIZE | INST_NATIVE)) {
|
251
|
+
di->opcode = ii->opcodeId;
|
252
|
+
|
253
|
+
/* If LOOPxx gets here from 64bits, it must be Decode32Bits because Address Size perfix is set. */
|
254
|
+
ps->usedPrefixes |= INST_PRE_ADDR_SIZE;
|
255
|
+
}
|
256
|
+
/*
|
257
|
+
* Note:
|
258
|
+
* If the instruction is prefixed by operand size we will format it in the non-default decoding mode!
|
259
|
+
* So there might be a situation that an instruction of 32 bit gets formatted in 16 bits decoding mode.
|
260
|
+
* Both ways should end up with a correct and expected formatting of the text.
|
261
|
+
*/
|
262
|
+
else if (effOpSz == Decode16Bits) { /* Decode16Bits */
|
263
|
+
|
264
|
+
/* Set operand size. */
|
265
|
+
FLAG_SET_OPSIZE(di, Decode16Bits);
|
266
|
+
|
267
|
+
/*
|
268
|
+
* If it's a special instruction which has two mnemonics, then use the 16 bits one + update usedPrefixes.
|
269
|
+
* Note: use 16 bits mnemonic if that instruction supports 32 bit or 64 bit explicitly.
|
270
|
+
*/
|
271
|
+
if ((ii->flags & INST_USE_EXMNEMONIC) && ((ii->flags & (INST_32BITS | INST_64BITS)) == 0)) ps->usedPrefixes |= INST_PRE_OP_SIZE;
|
272
|
+
di->opcode = ii->opcodeId;
|
273
|
+
} else if (effOpSz == Decode32Bits) { /* Decode32Bits */
|
274
|
+
|
275
|
+
/* Set operand size. */
|
276
|
+
FLAG_SET_OPSIZE(di, Decode32Bits);
|
277
|
+
|
278
|
+
/* Give a chance for special mnemonic instruction in 32 bits decoding. */
|
279
|
+
if (ii->flags & INST_USE_EXMNEMONIC) {
|
280
|
+
ps->usedPrefixes |= INST_PRE_OP_SIZE;
|
281
|
+
/* Is it a special instruction which has another mnemonic for mod=11 ? */
|
282
|
+
if (ii->flags & INST_MNEMONIC_MODRM_BASED) {
|
283
|
+
if (modrm >= INST_DIVIDED_MODRM) di->opcode = ii->opcodeId;
|
284
|
+
else di->opcode = ((_InstInfoEx*)ii)->opcodeId2;
|
285
|
+
}
|
286
|
+
/* Or is it a special CMP instruction which needs a pseudo opcode suffix ? */
|
287
|
+
else if (ii->flags & INST_PSEUDO_OPCODE) {
|
288
|
+
/*
|
289
|
+
* The opcodeId is the base id of the pseudo compare mnemonics,
|
290
|
+
* thus we can access the next ones from 0 to 7 safely, because they are already allocated.
|
291
|
+
*/
|
292
|
+
di->opcode = ii->opcodeId + cmpType;
|
293
|
+
} else di->opcode = ((_InstInfoEx*)ii)->opcodeId2;
|
294
|
+
} else di->opcode = ii->opcodeId;
|
295
|
+
} else { /* Decode64Bits, note that some instructions might be decoded in Decode32Bits above. */
|
296
|
+
|
297
|
+
/* Set operand size. */
|
298
|
+
FLAG_SET_OPSIZE(di, Decode64Bits);
|
299
|
+
|
300
|
+
if (ii->flags & (INST_USE_EXMNEMONIC | INST_USE_EXMNEMONIC2)) {
|
301
|
+
/* Use third mnemonic, for 64 bits. */
|
302
|
+
if ((ii->flags & INST_USE_EXMNEMONIC2) && (vrex & PREFIX_EX_W)) {
|
303
|
+
ps->usedPrefixes |= INST_PRE_REX;
|
304
|
+
di->opcode = ((_InstInfoEx*)ii)->opcodeId3;
|
305
|
+
} else di->opcode = ((_InstInfoEx*)ii)->opcodeId2; /* Use second mnemonic. */
|
306
|
+
} else di->opcode = ii->opcodeId;
|
307
|
+
}
|
308
|
+
|
309
|
+
/* If it's a native instruction use OpSize Prefix. */
|
310
|
+
if ((ii->flags & INST_NATIVE) && (ps->decodedPrefixes & INST_PRE_OP_SIZE)) ps->usedPrefixes |= INST_PRE_OP_SIZE;
|
311
|
+
|
312
|
+
/* Check VEX mnemonics: */
|
313
|
+
if ((ii->flags & INST_PRE_VEX) &&
|
314
|
+
(((((_InstInfoEx*)ii)->flagsEx & INST_MNEMONIC_VEXW_BASED) && (vrex & PREFIX_EX_W)) ||
|
315
|
+
((((_InstInfoEx*)ii)->flagsEx & INST_MNEMONIC_VEXL_BASED) && (vrex & PREFIX_EX_L)))) {
|
316
|
+
di->opcode = ((_InstInfoEx*)ii)->opcodeId2;
|
317
|
+
}
|
318
|
+
|
319
|
+
/*
|
320
|
+
* Store the address size inside the flags.
|
321
|
+
* This is necessary for the caller to know the size of rSP when using PUSHA for example.
|
322
|
+
*/
|
323
|
+
FLAG_SET_ADDRSIZE(di, effAdrSz);
|
324
|
+
|
325
|
+
/* Set the unused prefixes mask. */
|
326
|
+
di->unusedPrefixesMask = prefixes_set_unused_mask(ps);
|
327
|
+
|
328
|
+
/* Copy instruction meta. */
|
329
|
+
di->meta = ii->meta;
|
330
|
+
if (di->segment == 0) di->segment = R_NONE;
|
331
|
+
|
332
|
+
/* Calculate the size of the instruction we've just decoded. */
|
333
|
+
di->size = (uint8_t)((ci->code - startCode) & 0xff);
|
334
|
+
return DECRES_SUCCESS;
|
335
|
+
|
336
|
+
_Undecodable: /* If the instruction couldn't be decoded for some reason, drop the first byte. */
|
337
|
+
memset(di, 0, sizeof(_DInst));
|
338
|
+
|
339
|
+
di->size = 1;
|
340
|
+
/* Clean operands just in case... */
|
341
|
+
ps->usedPrefixes = 0;
|
342
|
+
|
343
|
+
/* Special case for WAIT instruction: If it's dropped, you have to return a valid instruction! */
|
344
|
+
if (*startCode == INST_WAIT_INDEX) {
|
345
|
+
di->flags = 0;
|
346
|
+
di->opcode = I_WAIT;
|
347
|
+
return DECRES_SUCCESS;
|
348
|
+
}
|
349
|
+
|
350
|
+
/*
|
351
|
+
* Exclude the first byte, couldn't decode that instruction.
|
352
|
+
* So just DB(define byte) it and skip it.
|
353
|
+
* Render instruction as undefined.
|
354
|
+
*/
|
355
|
+
di->flags = FLAG_NOT_DECODABLE;
|
356
|
+
di->opcode = I_UNDEFINED;
|
357
|
+
/* Set its byte. */
|
358
|
+
di->imm.byte = *startCode;
|
359
|
+
|
360
|
+
/* Mark that we didn't manage to decode the instruction well. */
|
361
|
+
return DECRES_INPUTERR;
|
362
|
+
}
|
363
|
+
|
364
|
+
/*
|
365
|
+
* decode_internal
|
366
|
+
*
|
367
|
+
* supportOldIntr - Since now we work with new structure instead of the old _DecodedInst, we are still interested in backward compatibility.
|
368
|
+
* So although, the array is now of type _DInst, we want to read it in jumps of the old array element's size.
|
369
|
+
* This is in order to save memory allocation for conversion between the new and the old structures.
|
370
|
+
* It really means we can do the conversion in-place now.
|
371
|
+
*/
|
372
|
+
_DecodeResult decode_internal(const _CodeInfo* _ci, int supportOldIntr, _DInst result[], unsigned int maxResultCount, unsigned int* usedInstructionsCount)
|
373
|
+
{
|
374
|
+
_PrefixState ps;
|
375
|
+
unsigned int prefixSize;
|
376
|
+
_CodeInfo ci;
|
377
|
+
|
378
|
+
_OffsetType codeOffset = _ci->codeOffset;
|
379
|
+
const uint8_t* code = _ci->code;
|
380
|
+
int codeLen = _ci->codeLen;
|
381
|
+
|
382
|
+
/*
|
383
|
+
* This is used for printing only, it is the real offset of where the whole instruction begins.
|
384
|
+
* We need this variable in addition to codeOffset, because prefixes might change the real offset an instruction begins at.
|
385
|
+
* So we keep track of both.
|
386
|
+
*/
|
387
|
+
_OffsetType startInstOffset = 0;
|
388
|
+
|
389
|
+
const uint8_t* p;
|
390
|
+
|
391
|
+
/* Current working decoded instruction in results. */
|
392
|
+
unsigned int nextPos = 0;
|
393
|
+
_DInst *pdi = NULL;
|
394
|
+
|
395
|
+
_DecodeResult decodeResult;
|
396
|
+
|
397
|
+
/* No entries are used yet. */
|
398
|
+
*usedInstructionsCount = 0;
|
399
|
+
ci.dt = _ci->dt;
|
400
|
+
|
401
|
+
/* Decode instructions as long as we have what to decode/enough room in entries. */
|
402
|
+
while (codeLen > 0) {
|
403
|
+
|
404
|
+
/* startInstOffset holds the displayed offset of current instruction. */
|
405
|
+
startInstOffset = codeOffset;
|
406
|
+
|
407
|
+
memset(&ps, 0, (size_t)((char*)&ps.pfxIndexer[0] - (char*)&ps));
|
408
|
+
memset(ps.pfxIndexer, PFXIDX_NONE, sizeof(int) * PFXIDX_MAX);
|
409
|
+
ps.start = code;
|
410
|
+
ps.last = code;
|
411
|
+
prefixSize = 0;
|
412
|
+
|
413
|
+
if (prefixes_is_valid(*code, ci.dt)) {
|
414
|
+
prefixes_decode(code, codeLen, &ps, ci.dt);
|
415
|
+
/* Count prefixes, start points to first prefix. */
|
416
|
+
prefixSize = (unsigned int)(ps.last - ps.start);
|
417
|
+
/*
|
418
|
+
* It might be that we will just notice that we ran out of bytes, or only prefixes
|
419
|
+
* so we will have to drop everything and halt.
|
420
|
+
* Also take into consideration of flow control instruction filter.
|
421
|
+
*/
|
422
|
+
codeLen -= prefixSize;
|
423
|
+
if (((codeLen == 0) || (prefixSize == INST_MAXIMUM_SIZE)) && (~_ci->features & DF_RETURN_FC_ONLY)) {
|
424
|
+
/* Make sure there is enough room. */
|
425
|
+
if (nextPos + (ps.last - code) > maxResultCount) return DECRES_MEMORYERR;
|
426
|
+
|
427
|
+
for (p = code; p < ps.last; p++, startInstOffset++) {
|
428
|
+
/* Use next entry. */
|
429
|
+
if (supportOldIntr) pdi = (_DInst*)((char*)result + nextPos * sizeof(_DecodedInst));
|
430
|
+
else pdi = &result[nextPos];
|
431
|
+
nextPos++;
|
432
|
+
memset(pdi, 0, sizeof(_DInst));
|
433
|
+
|
434
|
+
pdi->flags = FLAG_NOT_DECODABLE;
|
435
|
+
pdi->imm.byte = *p;
|
436
|
+
pdi->size = 1;
|
437
|
+
pdi->addr = startInstOffset;
|
438
|
+
}
|
439
|
+
*usedInstructionsCount = nextPos; /* Include them all. */
|
440
|
+
if (codeLen == 0) break; /* Bye bye, out of bytes. */
|
441
|
+
}
|
442
|
+
code += prefixSize;
|
443
|
+
codeOffset += prefixSize;
|
444
|
+
|
445
|
+
/* If we got only prefixes or we want only flow control instructions, continue to next instruction. */
|
446
|
+
if ((prefixSize == INST_MAXIMUM_SIZE) || (_ci->features & DF_RETURN_FC_ONLY)) continue;
|
447
|
+
}
|
448
|
+
|
449
|
+
/*
|
450
|
+
* Now we decode the instruction and only then we do further prefixes handling.
|
451
|
+
* This is because the instruction could not be decoded at all, or an instruction requires
|
452
|
+
* a mandatory prefix, or some of the prefixes were useless, etc...
|
453
|
+
|
454
|
+
* Even if there were a mandatory prefix, we already took into account its size as a normal prefix.
|
455
|
+
* so prefixSize includes that, and the returned size in pdi is simply the size of the real(=without prefixes) instruction.
|
456
|
+
*/
|
457
|
+
if (ci.dt == Decode64Bits) {
|
458
|
+
if (ps.decodedPrefixes & INST_PRE_REX) {
|
459
|
+
/* REX prefix must precede first byte of instruction. */
|
460
|
+
if (ps.rexPos != (code - 1)) {
|
461
|
+
ps.decodedPrefixes &= ~INST_PRE_REX;
|
462
|
+
ps.prefixExtType = PET_NONE;
|
463
|
+
prefixes_ignore(&ps, PFXIDX_REX);
|
464
|
+
}
|
465
|
+
/*
|
466
|
+
* We will disable operand size prefix,
|
467
|
+
* if it exists only after decoding the instruction, since it might be a mandatory prefix.
|
468
|
+
* This will be done after calling inst_lookup in decode_inst.
|
469
|
+
*/
|
470
|
+
}
|
471
|
+
/* In 64 bits, segment overrides of CS, DS, ES and SS are ignored. So don't take'em into account. */
|
472
|
+
if (ps.decodedPrefixes & INST_PRE_SEGOVRD_MASK32) {
|
473
|
+
ps.decodedPrefixes &= ~INST_PRE_SEGOVRD_MASK32;
|
474
|
+
prefixes_ignore(&ps, PFXIDX_SEG);
|
475
|
+
}
|
476
|
+
}
|
477
|
+
|
478
|
+
/* Make sure there is at least one more entry to use, for the upcoming instruction. */
|
479
|
+
if (nextPos + 1 > maxResultCount) return DECRES_MEMORYERR;
|
480
|
+
if (supportOldIntr) pdi = (_DInst*)((char*)result + nextPos * sizeof(_DecodedInst));
|
481
|
+
else pdi = &result[nextPos];
|
482
|
+
nextPos++;
|
483
|
+
|
484
|
+
/*
|
485
|
+
* The reason we copy these two again is because we have to keep track on the input ourselves.
|
486
|
+
* There might be a case when an instruction is invalid, and then it will be counted as one byte only.
|
487
|
+
* But that instruction already read a byte or two from the stream and only then returned the error.
|
488
|
+
* Thus, we end up unsynchronized on the stream.
|
489
|
+
* This way, we are totally safe, because we keep track after the call to decode_inst, using the returned size.
|
490
|
+
*/
|
491
|
+
ci.code = code;
|
492
|
+
ci.codeLen = codeLen;
|
493
|
+
/* Nobody uses codeOffset in the decoder itself, so spare it. */
|
494
|
+
|
495
|
+
decodeResult = decode_inst(&ci, &ps, pdi);
|
496
|
+
|
497
|
+
/* See if we need to filter this instruction. */
|
498
|
+
if ((_ci->features & DF_RETURN_FC_ONLY) && (META_GET_FC(pdi->meta) == FC_NONE)) decodeResult = DECRES_FILTERED;
|
499
|
+
|
500
|
+
/* Set address to the beginning of the instruction. */
|
501
|
+
pdi->addr = startInstOffset;
|
502
|
+
|
503
|
+
/* Advance to next instruction. */
|
504
|
+
codeLen -= pdi->size;
|
505
|
+
codeOffset += pdi->size;
|
506
|
+
code += pdi->size;
|
507
|
+
|
508
|
+
/* Instruction's size should include prefixes. */
|
509
|
+
pdi->size += (uint8_t)prefixSize;
|
510
|
+
|
511
|
+
/* Drop all prefixes and the instruction itself, because the instruction wasn't successfully decoded. */
|
512
|
+
if ((decodeResult == DECRES_INPUTERR) && (~_ci->features & DF_RETURN_FC_ONLY)) {
|
513
|
+
nextPos--; /* Undo last result. */
|
514
|
+
if ((prefixSize + 1) > 0) { /* 1 for the first instruction's byte. */
|
515
|
+
if ((nextPos + prefixSize + 1) > maxResultCount) return DECRES_MEMORYERR;
|
516
|
+
|
517
|
+
for (p = ps.start; p < ps.last + 1; p++, startInstOffset++) {
|
518
|
+
/* Use next entry. */
|
519
|
+
if (supportOldIntr) pdi = (_DInst*)((char*)result + nextPos * sizeof(_DecodedInst));
|
520
|
+
else pdi = &result[nextPos];
|
521
|
+
nextPos++;
|
522
|
+
|
523
|
+
memset(pdi, 0, sizeof(_DInst));
|
524
|
+
pdi->flags = FLAG_NOT_DECODABLE;
|
525
|
+
pdi->imm.byte = *p;
|
526
|
+
pdi->size = 1;
|
527
|
+
pdi->addr = startInstOffset;
|
528
|
+
}
|
529
|
+
}
|
530
|
+
} else if (decodeResult == DECRES_FILTERED) nextPos--; /* Return it to pool, since it was filtered. */
|
531
|
+
|
532
|
+
/* Alright, the caller can read, at least, up to this one. */
|
533
|
+
*usedInstructionsCount = nextPos;
|
534
|
+
|
535
|
+
/* Check whether we need to stop on any flow control instruction. */
|
536
|
+
if ((decodeResult == DECRES_SUCCESS) && (_ci->features & DF_STOP_ON_FLOW_CONTROL)) {
|
537
|
+
if (((_ci->features & DF_STOP_ON_CALL) && (META_GET_FC(pdi->meta) == FC_CALL)) ||
|
538
|
+
((_ci->features & DF_STOP_ON_RET) && (META_GET_FC(pdi->meta) == FC_RET)) ||
|
539
|
+
((_ci->features & DF_STOP_ON_SYS) && (META_GET_FC(pdi->meta) == FC_SYS)) ||
|
540
|
+
((_ci->features & DF_STOP_ON_BRANCH) && (META_GET_FC(pdi->meta) == FC_BRANCH)) ||
|
541
|
+
((_ci->features & DF_STOP_ON_COND_BRANCH) && (META_GET_FC(pdi->meta) == FC_COND_BRANCH)) ||
|
542
|
+
((_ci->features & DF_STOP_ON_INT) && (META_GET_FC(pdi->meta) == FC_INT)))
|
543
|
+
return DECRES_SUCCESS;
|
544
|
+
}
|
545
|
+
}
|
546
|
+
|
547
|
+
return DECRES_SUCCESS;
|
548
|
+
}
|