rex-arch 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1e73a03da5069cff65f1c9d22d50d1d6024eea48
+  data.tar.gz: 6f7f9129562968ef1d5d195730f05b2f1d6c5497
+SHA512:
+  metadata.gz: 2181d12182bbc956c39468c476b263ff4417dae9cb01a8b231c96c78ae1fc315330ef9d7039a871e317aeb587f64098a76801b3ccf1bbdb6d9568ccf70218a11
+  data.tar.gz: 040d3144e31a36a327cb9fc70803be8745b89bc148681d2c107adcb620254a9f4f11ea16c8765cce2e63224a8264242c6154d8982b437356951457f37be05b8b

data.tar.gz.sig

@@ -0,0 +1,3 @@
+f��/��S�M2��qY��Y:���^�v�_7!�˲a�+E����>�W���™�Q/���:hS,n��L���z�r
+�HM̳^���:�![S��8���b1�A]�5��5h��#R���qvӃ�l���U������}"�ϡջ����j�FG��h)"�w��	�d�"�y	��ݶ�G
+4��}5�*�mPw'+qH	4��

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.1.5
+before_install: gem install bundler -v 1.12.5

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,52 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project maintainers at msfdev@metasploit.com. If
+the incident involves a committer, you may report directly to
+egypt@metasploit.com or todb@metasploit.com.
+
+All complaints will be reviewed and investigated and will result in a
+response that is deemed necessary and appropriate to the circumstances.
+Maintainers are obligated to maintain confidentiality with regard to the
+reporter of an incident.
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in rex-arch.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,27 @@
+Copyright (C) 2012-2013, Rapid7, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+	  this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above copyright notice,
+	  this list of conditions and the following disclaimer in the documentation
+	  and/or other materials provided with the distribution.
+
+    * Neither the name of Rapid7 LLC nor the names of its contributors
+	  may be used to endorse or promote products derived from this software
+	  without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,30 @@
+# Rex::Arch
+
+Ruby Exploitation(Rex) Library which contains architecture specific information such as registers, opcodes, and stack manipulation routines.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rex-arch'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rex-arch
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/rapid7/rex-arch. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "rex/arch"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/rex/arch.rb

@@ -0,0 +1,173 @@
+# -*- coding: binary -*-
+require "rex/arch/version"
+
+module Rex
+
+
+###
+#
+# This module provides generalized methods for performing operations that are
+# architecture specific.  Furthermore, the modules contained within this
+# module provide features that are specific to a given architecture.
+#
+###
+module Arch
+
+  #
+  # Architecture classes
+  #
+  require 'rex/arch/x86'
+  require 'rex/arch/sparc'
+  require 'rex/arch/zarch'
+
+  #
+  # Architecture constants
+  #
+  ARCH_ANY     = '_any_'
+  ARCH_X86     = 'x86'
+  ARCH_X86_64  = 'x86_64'
+  ARCH_X64     = 'x64' # To be used for compatability with ARCH_X86_64
+  ARCH_MIPS    = 'mips'
+  ARCH_MIPSLE  = 'mipsle'
+  ARCH_MIPSBE  = 'mipsbe'
+  ARCH_PPC     = 'ppc'
+  ARCH_PPC64   = 'ppc64'
+  ARCH_CBEA    = 'cbea'
+  ARCH_CBEA64  = 'cbea64'
+  ARCH_SPARC   = 'sparc'
+  ARCH_CMD     = 'cmd'
+  ARCH_PHP     = 'php'
+  ARCH_TTY     = 'tty'
+  ARCH_ARMLE   = 'armle'
+  ARCH_ARMBE   = 'armbe'
+  ARCH_JAVA    = 'java'
+  ARCH_RUBY    = 'ruby'
+  ARCH_DALVIK  = 'dalvik'
+  ARCH_PYTHON  = 'python'
+  ARCH_NODEJS  = 'nodejs'
+  ARCH_FIREFOX = 'firefox'
+  ARCH_ZARCH   = 'zarch'
+  ARCH_TYPES   =
+    [
+      ARCH_X86,
+      ARCH_X86_64,
+      ARCH_MIPS,
+      ARCH_MIPSLE,
+      ARCH_MIPSBE,
+      ARCH_PPC,
+      ARCH_PPC64,
+      ARCH_CBEA,
+      ARCH_CBEA64,
+      ARCH_SPARC,
+      ARCH_ARMLE,
+      ARCH_ARMBE,
+      ARCH_CMD,
+      ARCH_PHP,
+      ARCH_TTY,
+      ARCH_JAVA,
+      ARCH_RUBY,
+      ARCH_DALVIK,
+      ARCH_PYTHON,
+      ARCH_NODEJS,
+      ARCH_FIREFOX,
+      ARCH_ZARCH,
+    ]
+
+  ARCH_ALL = ARCH_TYPES
+
+  #
+  # Endian constants
+  #
+  ENDIAN_LITTLE = 0
+  ENDIAN_BIG    = 1
+
+  IS_ENDIAN_LITTLE = ( [1].pack('s') == "\x01\x00" ) ? true : false
+  IS_ENDIAN_BIG    = ( not IS_ENDIAN_LITTLE )
+
+  #
+  # This routine adjusts the stack pointer for a given architecture.
+  #
+  def self.adjust_stack_pointer(arch, adjustment)
+
+    if ( arch.is_a?(::Array))
+      arch = arch[0]
+    end
+
+    case arch
+      when /x86/
+        Rex::Arch::X86.adjust_reg(Rex::Arch::X86::ESP, adjustment)
+      else
+        nil
+    end
+  end
+
+  #
+  # This route provides address packing for the specified arch
+  #
+  def self.pack_addr(arch, addr)
+
+    if ( arch.is_a?(::Array))
+      arch = arch[0]
+    end
+
+    case arch
+      when ARCH_X86
+        [addr].pack('V')
+      when ARCH_X86_64, ARCH_X64
+        [addr].pack('Q<')
+      when ARCH_MIPS # ambiguous
+        [addr].pack('N')
+      when ARCH_MIPSBE
+        [addr].pack('N')
+      when ARCH_MIPSLE
+        [addr].pack('V')
+      when ARCH_PPC  # ambiguous
+        [addr].pack('N')
+      when ARCH_SPARC
+        [addr].pack('N')
+      when ARCH_ARMLE
+        [addr].pack('V')
+      when ARCH_ARMBE
+        [addr].pack('N')
+      when ARCH_ZARCH
+        [addr].pack('Q>')
+    end
+  end
+
+  #
+  # This routine reports the endianess of a given architecture
+  #
+  def self.endian(arch)
+
+    if ( arch.is_a?(::Array))
+      arch = arch[0]
+    end
+
+    case arch
+      when ARCH_X86
+        return ENDIAN_LITTLE
+      when ARCH_X86_64
+        return ENDIAN_LITTLE
+      when ARCH_MIPS # ambiguous
+        return ENDIAN_BIG
+      when ARCH_MIPSLE
+        return ENDIAN_LITTLE
+      when ARCH_MIPSBE
+        return ENDIAN_BIG
+      when ARCH_PPC  # ambiguous
+        return ENDIAN_BIG
+      when ARCH_SPARC
+        return ENDIAN_BIG
+      when ARCH_ARMLE
+        return ENDIAN_LITTLE
+      when ARCH_ARMBE
+        return ENDIAN_BIG
+      when ARCH_ZARCH
+        return ENDIAN_BIG
+    end
+
+    return ENDIAN_LITTLE
+  end
+
+end
+end

data/lib/rex/arch/sparc.rb

@@ -0,0 +1,75 @@
+# -*- coding: binary -*-
+
+module Rex
+module Arch
+
+#
+# Everything here is mostly stolen from vlad's perl sparc stuff
+#
+module Sparc
+
+  #
+  # Register number constants
+  #
+  RegisterNumber =
+    {
+      'g0' =>  0, 'g1' =>  1, 'g2' =>  2, 'g3' =>  3,
+      'g4' =>  4, 'g5' =>  5, 'g6' =>  6, 'g7' =>  7,
+      'o0' =>  8, 'o1' =>  9, 'o2' => 10, 'o3' => 11,
+      'o4' => 12, 'o5' => 13, 'o6' => 14, 'o7' => 15,
+      'l0' => 16, 'l1' => 17, 'l2' => 18, 'l3' => 19,
+      'l4' => 20, 'l5' => 21, 'l6' => 22, 'l7' => 23,
+      'i0' => 24, 'i1' => 25, 'i2' => 26, 'i3' => 27,
+      'i4' => 28, 'i5' => 29, 'i6' => 30, 'i7' => 31,
+      'sp' => 14, 'fp' => 30,
+    } # :nodoc:
+
+  #
+  # Encodes a SETHI instruction with the value 'constant' being put into 'dst' register
+  #
+  def self.sethi(constant, dst)
+    [
+      (RegisterNumber[dst] << 25) |
+      (4 << 22) |
+      (constant >> 10)
+    ].pack('N')
+  end
+
+  #
+  # Encodes an OR instruction with the value 'constant' being OR'ed with the 'src' register into the 'dst' register
+  #
+  def self.ori(src, constant, dst)
+    [
+      (2 << 30) |
+      (RegisterNumber[dst] << 25) |
+      (2 << 19) |
+      (RegisterNumber[src] << 14) |
+      (1 << 13) |
+      (constant & 0x1fff)
+    ].pack('N')
+  end
+
+  #
+  # Puts 'constant' into the 'dst' register using as few instructions as possible by checking the size of the value.
+  # XXX: signedness support
+  #
+  def self.set(constant, dst)
+    if (constant <= 4095 and constant >= 0)
+      ori('g0', constant, dst)
+    elsif (constant & 0x3ff != 0)
+      set_dword(constant, dst)
+    else
+      sethi(constant, dst)
+    end
+  end
+
+  #
+  # Puts 'constant' into the 'dst' register using both sethi and ori (necessary to use both uncessarily in some cases with encoders)
+  #
+  def self.set_dword(constant, dst)
+    sethi(constant, dst) + ori(dst, constant & 0x3ff, dst)
+  end
+
+end
+
+end end

data/lib/rex/arch/version.rb

@@ -0,0 +1,5 @@
+module Rex
+  module Arch
+    VERSION = "0.1.0"
+  end
+end

data/lib/rex/arch/x86.rb

@@ -0,0 +1,556 @@
+# -*- coding: binary -*-
+
+module Rex
+module Arch
+
+#
+# everything here is mostly stole from vlad's perl x86 stuff
+#
+
+module X86
+
+  #
+  # Register number constants
+  #
+  EAX = AL = AX = ES = 0
+  ECX = CL = CX = CS = 1
+  EDX = DL = DX = SS = 2
+  EBX = BL = BX = DS = 3
+  ESP = AH = SP = FS = 4
+  EBP = CH = BP = GS = 5
+  ESI = DH = SI =      6
+  EDI = BH = DI =      7
+
+  REG_NAMES32 = [ 'eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi' ]
+
+  REG_NAMES16 = [ 'ax', 'cx', 'dx', 'bx', 'sp', 'bp', 'si', 'di' ]
+
+  REG_NAMES8L = [ 'al', 'cl', 'dl', 'bl', nil, nil, nil, nil ]
+
+  # Jump tp a specific register
+  def self.jmp_reg(str)
+    reg = reg_number(str)
+    _check_reg(reg)
+    "\xFF" + [224 + reg].pack('C')
+  end
+
+  #
+  # Generate a LOOP instruction (Decrement ECX and jump short if ECX == 0)
+  #
+  def self.loop(offset)
+    "\xE2" + pack_lsb(rel_number(offset, -2))
+  end
+
+  #
+  # This method returns the opcodes that compose a jump instruction to the
+  # supplied relative offset.
+  def self.jmp(addr)
+    "\xe9" + pack_dword(rel_number(addr))
+  end
+
+  #
+  # This method adds/subs a packed long integer
+  #
+  def self.dword_adjust(dword, amount=0)
+    pack_dword(dword.unpack('V')[0] + amount)
+  end
+
+  #
+  # This method returns the opcodes that compose a tag-based search routine
+  #
+  def self.searcher(tag)
+    "\xbe" + dword_adjust(tag,-1)+  # mov esi, Tag - 1
+    "\x46" +                        # inc esi
+    "\x47" +                        # inc edi (end_search:)
+    "\x39\x37" +                    # cmp [edi],esi
+    "\x75\xfb" +                    # jnz 0xa (end_search)
+    "\x46" +                        # inc esi
+    "\x4f" +                        # dec edi (start_search:)
+    "\x39\x77\xfc" +                # cmp [edi-0x4],esi
+    "\x75\xfa" +                    # jnz 0x10 (start_search)
+    jmp_reg('edi')                  # jmp edi
+  end
+
+  #
+  # Generates a buffer that will copy memory immediately following the stub
+  # that is generated to be copied to the stack
+  #
+  def self.copy_to_stack(len)
+    # four byte align
+    len = (len + 3) & ~0x3
+
+    stub =
+      "\xeb\x0f"+                # jmp _end
+      push_dword(len)+           # push n
+      "\x59"+                    # pop ecx
+      "\x5e"+                    # pop esi
+      "\x29\xcc"+                # sub esp, ecx
+      "\x89\xe7"+                # mov edi, esp
+      "\xf3\xa4"+                # rep movsb
+      "\xff\xe4"+                # jmp esp
+      "\xe8\xec\xff\xff\xff"     # call _start
+
+    stub
+  end
+
+  #
+  # This method returns the opcodes that compose a short jump instruction to
+  # the supplied relative offset.
+  #
+  def self.jmp_short(addr)
+    "\xeb" + pack_lsb(rel_number(addr, -2))
+  end
+
+  #
+  # This method returns the opcodes that compose a relative call instruction
+  # to the address specified.
+  #
+  def self.call(addr)
+    "\xe8" + pack_dword(rel_number(addr, -5))
+  end
+
+  #
+  # This method returns a number offset to the supplied string.
+  #
+  def self.rel_number(num, delta = 0)
+    s = num.to_s
+
+    case s[0, 2]
+      when '$+'
+        num = s[2 .. -1].to_i
+      when '$-'
+        num = -1 * s[2 .. -1].to_i
+      when '0x'
+        num = s.hex
+      else
+        delta = 0
+    end
+
+    return num + delta
+  end
+
+  #
+  # This method returns the number associated with a named register.
+  #
+  def self.reg_number(str)
+    return self.const_get(str.upcase)
+  end
+
+  #
+  # This method returns the register named associated with a given register
+  # number.
+  #
+  def self.reg_name32(num)
+    _check_reg(num)
+    return REG_NAMES32[num].dup
+  end
+
+  #
+  # This method generates the encoded effective value for a register.
+  #
+  def self.encode_effective(shift, dst)
+    return (0xc0 | (shift << 3) | dst)
+  end
+
+  #
+  # This method generates the mod r/m character for a source and destination
+  # register.
+  #
+  def self.encode_modrm(dst, src)
+    _check_reg(dst, src)
+    return (0xc0 | src | dst << 3).chr
+  end
+
+  #
+  # This method generates a push byte instruction.
+  #
+  def self.push_byte(byte)
+    # push byte will sign extend...
+    if byte < 128 && byte >= -128
+      return "\x6a" + (byte & 0xff).chr
+    end
+    raise ::ArgumentError, "Can only take signed byte values!", caller()
+  end
+
+  #
+  # This method generates a push word instruction.
+  #
+  def self.push_word(val)
+    return "\x66\x68" + pack_word(val)
+  end
+
+  #
+  # This method generates a push dword instruction.
+  #
+  def self.push_dword(val)
+    return "\x68" + pack_dword(val)
+  end
+
+  #
+  # This method generates a pop dword instruction into a register.
+  #
+  def self.pop_dword(dst)
+    _check_reg(dst)
+    return (0x58 | dst).chr
+  end
+
+  #
+  # This method generates an instruction that clears the supplied register in
+  # a manner that attempts to avoid bad characters, if supplied.
+  #
+  def self.clear(reg, badchars = '')
+    _check_reg(reg)
+    return set(reg, 0, badchars)
+  end
+
+  #
+  # This method generates the opcodes that set the low byte of a given
+  # register to the supplied value.
+  #
+  def self.mov_byte(reg, val)
+    _check_reg(reg)
+    # chr will raise RangeError if val not between 0 .. 255
+    return (0xb0 | reg).chr + val.chr
+  end
+
+  #
+  # This method generates the opcodes that set the low word of a given
+  # register to the supplied value.
+  #
+  def self.mov_word(reg, val)
+    _check_reg(reg)
+    if val < 0 || val > 0xffff
+      raise RangeError, "Can only take unsigned word values!", caller()
+    end
+    return "\x66" + (0xb8 | reg).chr + pack_word(val)
+  end
+
+  #
+  # This method generates the opcodes that set the a register to the
+  # supplied value.
+  #
+  def self.mov_dword(reg, val)
+    _check_reg(reg)
+    return (0xb8 | reg).chr + pack_dword(val)
+  end
+
+  #
+  # This method is a general way of setting a register to a value.  Depending
+  # on the value supplied, different sets of instructions may be used.
+  #
+  # TODO: Make this moderatly intelligent so it chain instructions by itself
+    #   (ie. xor eax, eax + mov al, 4 + xchg ah, al)
+  def self.set(dst, val, badchars = '')
+    _check_reg(dst)
+
+    # If the value is 0 try xor/sub dst, dst (2 bytes)
+    if val == 0
+      opcodes = Rex::Text.remove_badchars("\x29\x2b\x31\x33", badchars)
+      if !opcodes.empty?
+        return opcodes[rand(opcodes.length)].chr + encode_modrm(dst, dst)
+      end
+# TODO: SHL/SHR
+# TODO: AND
+    end
+
+    # try push BYTE val; pop dst (3 bytes)
+    begin
+      return _check_badchars(push_byte(val) + pop_dword(dst), badchars)
+    rescue ::ArgumentError, ::RuntimeError, ::RangeError
+    end
+
+    # try clear dst, mov BYTE dst (4 bytes)
+    begin
+      unless val == 0 # clear tries to set(dst, 0, badchars), entering an infinite recursion
+        return _check_badchars(clear(dst, badchars) + mov_byte(dst, val), badchars)
+      end
+    rescue ::ArgumentError, ::RuntimeError, ::RangeError
+    end
+
+    # try mov DWORD dst (5 bytes)
+    begin
+      return _check_badchars(mov_dword(dst, val), badchars)
+    rescue ::ArgumentError, ::RuntimeError, ::RangeError
+    end
+
+    # try push DWORD, pop dst (6 bytes)
+    begin
+      return _check_badchars(push_dword(val) + pop_dword(dst), badchars)
+    rescue ::ArgumentError, ::RuntimeError, ::RangeError
+    end
+
+    # try clear dst, mov WORD dst (6 bytes)
+    begin
+      unless val == 0 # clear tries to set(dst, 0, badchars), entering an infinite recursion
+        return _check_badchars(clear(dst, badchars) + mov_word(dst, val), badchars)
+      end
+    rescue ::ArgumentError, ::RuntimeError, ::RangeError
+    end
+
+    raise RuntimeError, "No valid set instruction could be created!", caller()
+  end
+
+  #
+  # Builds a subtraction instruction using the supplied operand
+  # and register.
+  #
+  def self.sub(val, reg, badchars = '', add = false, adjust = false, bits = 0)
+    opcodes = []
+    shift   = (add == true) ? 0 : 5
+
+    if (bits <= 8 and val >= -0x7f and val <= 0x7f)
+      opcodes <<
+        ((adjust) ? '' : clear(reg, badchars)) +
+        "\x83" +
+        [ encode_effective(shift, reg) ].pack('C') +
+        [ val.to_i ].pack('C')
+    end
+
+    if (bits <= 16 and val >= -0xffff and val <= 0)
+      opcodes <<
+        ((adjust) ? '' : clear(reg, badchars)) +
+        "\x66\x81" +
+        [ encode_effective(shift, reg) ].pack('C') +
+        [ val.to_i ].pack('v')
+    end
+
+    opcodes <<
+      ((adjust) ? '' : clear(reg, badchars)) +
+      "\x81" +
+      [ encode_effective(shift, reg) ].pack('C') +
+      [ val.to_i ].pack('V')
+
+    # Search for a compatible opcode
+    opcodes.each { |op|
+      begin
+        _check_badchars(op, badchars)
+      rescue
+        next
+      end
+
+      return op
+    }
+
+    if opcodes.empty?
+      raise RuntimeError, "Could not find a usable opcode", caller()
+    end
+  end
+
+  #
+  # This method generates the opcodes equivalent to subtracting with a
+  # negative value from a given register.
+  #
+  def self.add(val, reg, badchars = '', adjust = false, bits = 0)
+    sub(val, reg, badchars, true, adjust, bits)
+  end
+
+  #
+  # This method wrappers packing a short integer as a little-endian buffer.
+  #
+  def self.pack_word(num)
+    [num].pack('v')
+  end
+
+  #
+  # This method wrappers packing an integer as a little-endian buffer.
+  #
+  def self.pack_dword(num)
+    [num].pack('V')
+  end
+
+  #
+  # This method returns the least significant byte of a packed dword.
+  #
+  def self.pack_lsb(num)
+    pack_dword(num)[0,1]
+  end
+
+  #
+  # This method adjusts the value of the ESP register by a given amount.
+  #
+  def self.adjust_reg(reg, adjustment)
+    if (adjustment > 0)
+      sub(adjustment, reg, '', false, false, 32)
+    else
+      add(adjustment, reg, '', true, 32)
+    end
+  end
+
+  def self._check_reg(*regs) # :nodoc:
+    regs.each { |reg|
+      if reg > 7 || reg < 0
+        raise ArgumentError, "Invalid register #{reg}", caller()
+      end
+    }
+    return nil
+  end
+
+  def self._check_badchars(data, badchars) # :nodoc:
+    idx = Rex::Text.badchar_index(data, badchars)
+    if idx
+      raise RuntimeError, "Bad character at #{idx}", caller()
+    end
+    return data
+  end
+
+  #
+  # This method returns an array of 'safe' FPU instructions
+  #
+  def self.fpu_instructions
+    fpus = []
+
+    0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr }
+    0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr }
+    0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr }
+    0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr }
+    0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr }
+
+    fpus << "\xd9\xd0"
+    fpus << "\xd9\xe1"
+    fpus << "\xd9\xf6"
+    fpus << "\xd9\xf7"
+    fpus << "\xd9\xe5"
+
+    # This FPU instruction seems to fail consistently on Linux
+    #fpus << "\xdb\xe1"
+
+    fpus
+  end
+
+  #
+  # This method returns an array containing a geteip stub, a register, and an offset
+  # This method will return nil if the getip generation fails
+  #
+  def self.geteip_fpu(badchars, modified_registers = [])
+    #
+    # Default badchars to an empty string
+    #
+    badchars ||= ''
+
+    #
+    # Bail out early if D9 is restricted
+    #
+    return nil if badchars.index("\xd9")
+
+    #
+    # Create a list of FPU instructions
+    #
+    fpus = *self.fpu_instructions
+    bads = []
+    badchars.each_byte  do |c|
+      fpus.each do |str|
+        bads << str if (str.index(c.chr))
+      end
+    end
+    bads.each { |str| fpus.delete(str) }
+    return nil if fpus.length == 0
+
+    #
+    # Create a list of registers to use for fnstenv
+    #
+    dsts = []
+    0.upto(7) do |c|
+      dsts << c if (not badchars.index( (0x70+c).chr ))
+    end
+
+    if (dsts.include?(ESP) and badchars.index("\x24"))
+      dsts.delete(ESP)
+    end
+
+    return nil if dsts.length == 0
+
+    #
+    # Grab a random FPU instruction
+    #
+    fpu = fpus[ rand(fpus.length) ]
+
+    #
+    # Grab a random register from dst
+    #
+    while(dsts.length > 0)
+      buf = ''
+      mod_registers = [ESP]
+      dst = dsts[ rand(dsts.length) ]
+      dsts.delete(dst)
+
+      # If the register is not ESP, copy ESP
+      if (dst != ESP)
+        mod_registers.push(dst)
+        if badchars.index( (0x70 + dst).chr )
+          mod_registers.pop(dst)
+          next
+        end
+
+        if !(badchars.index("\x89") or badchars.index( (0xE0+dst).chr ))
+          buf << "\x89" + (0xE0 + dst).chr
+        else
+          if badchars.index("\x54")
+            mod_registers.pop(dst)
+            next
+          end
+          if badchars.index( (0x58+dst).chr )
+            mod_registers.pop(dst)
+            next
+          end
+          buf << "\x54" + (0x58 + dst).chr
+        end
+      end
+
+      pad = 0
+      while (pad < (128-12) and badchars.index( (256-12-pad).chr))
+        pad += 4
+      end
+
+      # Give up on finding a value to use here
+      if (pad == (128-12))
+        return nil
+      end
+
+      out = buf + fpu + "\xd9" + (0x70 + dst).chr
+      out << "\x24" if dst == ESP
+      out << (256-12-pad).chr
+
+      regs = [*(0..7)]
+      while (regs.length > 0)
+        reg = regs[ rand(regs.length) ]
+        regs.delete(reg)
+        next if reg == ESP
+        next if badchars.index( (0x58 + reg).chr )
+        mod_registers.push(reg)
+
+        # Pop the value back out
+        0.upto(pad / 4) { |c| out << (0x58 + reg).chr }
+
+        # Fix the value to point to self
+        gap = out.length - buf.length
+
+        mod_registers.uniq!
+        modified_registers.concat(mod_registers)
+        return [out, REG_NAMES32[reg].upcase, gap]
+      end
+      mod_registers.pop(dst)
+    end
+
+    return nil
+  end
+
+  #
+  # Parse a list of registers as a space or command delimited
+  # string and return the internal register IDs as an array
+  #
+  def self.register_names_to_ids(str)
+    register_ids = []
+    str.to_s.strip.split(/[,\s]/).
+      map    {|reg| reg.to_s.strip.upcase }.
+      select {|reg| reg.length > 0        }.
+      uniq.each do |reg|
+        next unless self.const_defined?(reg.intern)
+        register_ids << self.const_get(reg.intern)
+      end
+    register_ids
+  end
+
+end
+
+end end
+

data/lib/rex/arch/zarch.rb

@@ -0,0 +1,17 @@
+# -*- coding: binary -*-
+
+module Rex
+module Arch
+
+#
+# base module for ZARCH creation    8/13/15
+# Author:   BeS Bigendian Smalls
+#
+
+module ZARCH
+
+
+end
+
+end end
+

data/rex-arch.gemspec

@@ -0,0 +1,26 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rex/arch/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "rex-arch"
+  spec.version       = Rex::Arch::VERSION
+  spec.authors       = ["dmohanty-r7"]
+  spec.email         = ["Dev_Mohanty@rapid7.com"]
+
+  spec.summary       = %q{This library contains architecture specific information such as registers, opcodes, and stack manipulation routines.}
+  spec.description   = %q{This library contains architecture specific information such as registers, opcodes, and stack manipulation routines.}
+  spec.homepage      = "https://github.com/rapid7/rex-arch"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+
+  spec.add_runtime_dependency "rex-text"
+end

metadata

@@ -0,0 +1,194 @@
+--- !ruby/object:Gem::Specification
+name: rex-arch
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- dmohanty-r7
+autorequire: 
+bindir: exe
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+  A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+  b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+  MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+  YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+  aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+  jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+  xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+  1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+  snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+  U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+  9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+  BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+  AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+  yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+  38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+  AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+  DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+  HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+  -----END CERTIFICATE-----
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIEKDCCAxCgAwIBAgILBAAAAAABL07hNVwwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+  A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+  b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw
+  MDBaFw0xOTA0MTMxMDAwMDBaMFExCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+  YWxTaWduIG52LXNhMScwJQYDVQQDEx5HbG9iYWxTaWduIENvZGVTaWduaW5nIENB
+  IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyTxTnEL7XJnKr
+  NpfvU79ChF5Y0Yoo/ENGb34oRFALdV0A1zwKRJ4gaqT3RUo3YKNuPxL6bfq2RsNq
+  o7gMJygCVyjRUPdhOVW4w+ElhlI8vwUd17Oa+JokMUnVoqni05GrPjxz7/Yp8cg1
+  0DB7f06SpQaPh+LO9cFjZqwYaSrBXrta6G6V/zuAYp2Zx8cvZtX9YhqCVVrG+kB3
+  jskwPBvw8jW4bFmc/enWyrRAHvcEytFnqXTjpQhU2YM1O46MIwx1tt6GSp4aPgpQ
+  STic0qiQv5j6yIwrJxF+KvvO3qmuOJMi+qbs+1xhdsNE1swMfi9tBoCidEC7tx/0
+  O9dzVB/zAgMBAAGjgfowgfcwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+  Af8CAQAwHQYDVR0OBBYEFAhu2Lacir/tPtfDdF3MgB+oL1B6MEcGA1UdIARAMD4w
+  PAYEVR0gADA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNv
+  bS9yZXBvc2l0b3J5LzAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdsb2Jh
+  bHNpZ24ubmV0L3Jvb3QuY3JsMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB8GA1UdIwQY
+  MBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3DQEBBQUAA4IBAQAiXMXd
+  PfQLcNjj9efFjgkBu7GWNlxaB63HqERJUSV6rg2kGTuSnM+5Qia7O2yX58fOEW1o
+  kdqNbfFTTVQ4jGHzyIJ2ab6BMgsxw2zJniAKWC/wSP5+SAeq10NYlHNUBDGpeA07
+  jLBwwT1+170vKsPi9Y8MkNxrpci+aF5dbfh40r5JlR4VeAiR+zTIvoStvODG3Rjb
+  88rwe8IUPBi4A7qVPiEeP2Bpen9qA56NSvnwKCwwhF7sJnJCsW3LZMMSjNaES2dB
+  fLEDF3gJ462otpYtpH6AA0+I98FrWkYVzSwZi9hwnOUtSYhgcqikGVJwQ17a1kYD
+  sGgOJO9K9gslJO8k
+  -----END CERTIFICATE-----
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIEyjCCA7KgAwIBAgISESEyE8rNriS4+1dc8jOHEUL8MA0GCSqGSIb3DQEBBQUA
+  MFExCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMScwJQYD
+  VQQDEx5HbG9iYWxTaWduIENvZGVTaWduaW5nIENBIC0gRzIwHhcNMTMxMDExMTUx
+  NTM4WhcNMTYxMDExMTUxNTM4WjBgMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz
+  c2FjaHVzZXR0czEPMA0GA1UEBxMGQm9zdG9uMRMwEQYDVQQKEwpSYXBpZDcgTExD
+  MRMwEQYDVQQDEwpSYXBpZDcgTExDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+  CgKCAQEAhD//7+739c69hssg0mD6CXgf2JkuWTcU81dgD7aKcoEPqU8e1FseBvDW
+  /Q5fNK2H2NgHV/Msn18zXuK0PkaJXqj/vDsuKB3Hq0BiR2AwyDdEw8K5MK5bgQc2
+  tmcVtEAejRoy1Uv5UyfaAYAxG6zsma3buV1fjnEAC3VouRg4+EX/f65H/a6srntK
+  5Etp3D71k2f0oUl8dOqOmSsRJQQ5zSs4ktDvpjAmsvzoA+1svceLYU95mvQsIw2T
+  edpmibGMwGw/HmgV+YWBgF5UGvax6zbC2i6DF2YHnDfkNb8/1MEIaxOTAbJTazTK
+  8laCQOyay6L1BNPQKjZBgOge8LZq1wIDAQABo4IBizCCAYcwDgYDVR0PAQH/BAQD
+  AgeAMEwGA1UdIARFMEMwQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBz
+  Oi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAkGA1UdEwQCMAAwEwYD
+  VR0lBAwwCgYIKwYBBQUHAwMwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDovL2NybC5n
+  bG9iYWxzaWduLmNvbS9ncy9nc2NvZGVzaWduZzIuY3JsMIGGBggrBgEFBQcBAQR6
+  MHgwQAYIKwYBBQUHMAKGNGh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2Fj
+  ZXJ0L2dzY29kZXNpZ25nMi5jcnQwNAYIKwYBBQUHMAGGKGh0dHA6Ly9vY3NwMi5n
+  bG9iYWxzaWduLmNvbS9nc2NvZGVzaWduZzIwHQYDVR0OBBYEFE536JwFx9SpaEi3
+  w8pcq2GRFA5BMB8GA1UdIwQYMBaAFAhu2Lacir/tPtfDdF3MgB+oL1B6MA0GCSqG
+  SIb3DQEBBQUAA4IBAQAGpGXHtFLjTTivV+xQPwtZhfPuJ7f+VGTMSAAYWmfzyHXM
+  YMFYUWJzSFcuVR2YfxtbS45P7U5Qopd7jBQ0Ygk5h2a+B5nE4+UlhHj665d0zpYM
+  1eWndMaO6WBOYnqtNyi8Dqqc1foKZDNHEDggYhGso7OIBunup+N4sPL9PwQ3eYe6
+  mUu8z0E4GXYViaMPOFkqaYnoYgf2L+7L5zKYT4h/NE/P7kj7EbduHgy/v/aAIrNl
+  2SpuQH+SWteq3NXkAmFEEqvLJQ4sbptZt8OP8ghL3pVAvZNFmww/YVszSkShSzcg
+  QdihYCSEL2drS2cFd50jBeq71sxUtxbv82DUa2b+
+  -----END CERTIFICATE-----
+date: 2016-07-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rex-text
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This library contains architecture specific information such as registers,
+  opcodes, and stack manipulation routines.
+email:
+- Dev_Mohanty@rapid7.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/rex/arch.rb
+- lib/rex/arch/sparc.rb
+- lib/rex/arch/version.rb
+- lib/rex/arch/x86.rb
+- lib/rex/arch/zarch.rb
+- rex-arch.gemspec
+homepage: https://github.com/rapid7/rex-arch
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: This library contains architecture specific information such as registers,
+  opcodes, and stack manipulation routines.
+test_files: []

metadata.gz.sig

@@ -0,0 +1 @@
+:��2�<���5Q0�J�놤c��l�GJ� h������)��L��\'1���]vS,��ٹ?�;��'�y��`i祈% ��%���)�]Kt�,;w�d1�C���SwH��M��\���P@�l�$�s�-z<C!���>��1�.0���#A�eǂ]���E�d��