/// <summary>
/// Creates an operand rewriter bound to an Intel architecture.
/// </summary>
/// <param name="arch">Architecture whose operands will be rewritten.</param>
/// <param name="emitter">Expression emitter; retained in the <c>m</c> field.</param>
/// <param name="frame">Frame retained for later use by the rewriter.</param>
/// <param name="host">Rewriter host callbacks.</param>
public OperandRewriter(IntelArchitecture arch, ExpressionEmitter emitter, Frame frame, IRewriterHost host)
{
    this.host = host;
    this.frame = frame;
    this.arch = arch;
    this.m = emitter;
}
/// <summary>
/// Rewrites the first instruction at the reader's position and, if it is a goto
/// through an import slot or to a known procedure, returns the procedure it reaches.
/// </summary>
/// <param name="rdr">Reader positioned at the candidate trampoline.</param>
/// <param name="host">Host used to look up imported and intercepted procedures.</param>
/// <returns>The destination procedure, or null when no trampoline is recognized.</returns>
public override ProcedureBase GetTrampolineDestination(ImageReader rdr, IRewriterHost host)
{
    var rewriter = Architecture.CreateRewriter(
        rdr,
        Architecture.CreateProcessorState(),
        Architecture.CreateFrame(),
        host);
    var cluster = rewriter.FirstOrDefault();
    if (cluster == null || cluster.Instructions.Count == 0)
        return null;

    // Only an unconditional goto can be a trampoline.
    if (!(cluster.Instructions[0] is RtlGoto jump))
        return null;
    if (jump.Target is ProcedureConstant pc)
        return pc.Procedure;
    if (!(jump.Target is MemoryAccess access))
        return null;

    // The effective address is either already an Address or a raw Constant we can convert;
    // anything else cannot be resolved statically.
    Address addrTarget;
    switch (access.EffectiveAddress)
    {
    case Address a:
        addrTarget = a;
        break;
    case Constant c:
        addrTarget = MakeAddressFromConstant(c);
        break;
    default:
        return null;
    }
    return host.GetImportedProcedure(addrTarget, cluster.Address)
        ?? host.GetInterceptedCall(addrTarget);
}
/// <summary>
/// Creates a MIPS rewriter that disassembles from <paramref name="rdr"/>.
/// </summary>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state; not used by this implementation.</param>
/// <param name="frame">Frame handed to the rewriter.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>A lazily evaluated stream of RTL instruction clusters.</returns>
public override IEnumerable<RtlInstructionCluster> CreateRewriter(ImageReader rdr, ProcessorState state, Frame frame, IRewriterHost host)
{
    // IsVersion6OrLater selects the instruction encodings the disassembler accepts.
    var dasm = new MipsDisassembler(this, rdr, IsVersion6OrLater);
    return new MipsRewriter(this, dasm, frame, host);
}
/// <summary>
/// Builds an x86 rewriter over the first segment produced by the assembler.
/// </summary>
/// <param name="frame">Frame handed to the rewriter.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters starting at offset 0 of the first segment's memory area.</returns>
protected override IEnumerable<RtlInstructionCluster> GetInstructionStream(Frame frame, IRewriterHost host)
{
    var firstSegment = asmResult.SegmentMap.Segments.Values.First();
    var rdr = firstSegment.MemoryArea.CreateLeReader(0);
    return new X86Rewriter(arch, host, new X86State(arch), rdr, frame);
}
/// <summary>
/// Rewrites the fixture's image from offset 0 using the architecture's own rewriter.
/// </summary>
/// <param name="frame">Frame handed to the rewriter.</param>
/// <param name="host">Ignored; the fixture's <c>host</c> field is used instead.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetInstructionStream(Frame frame, IRewriterHost host)
{
    var rdr = new LeImageReader(image, 0);
    var state = arch.CreateProcessorState();
    return arch.CreateRewriter(rdr, state, frame, this.host);
}
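/// <summary>
/// Test double: returns the pre-recorded RTL trace for the address the reader is
/// positioned at, failing the test if no trace was recorded for that address.
/// </summary>
/// <param name="rdr">Reader whose address selects the trace.</param>
/// <param name="state">Unused.</param>
/// <param name="frame">Unused.</param>
/// <param name="host">Unused.</param>
/// <returns>The recorded trace for <c>rdr.Address</c>.</returns>
public IEnumerable<RtlInstructionCluster> CreateRewriter(ImageReader rdr, ProcessorState state, Frame frame, IRewriterHost host)
{
    // The previously computed linear address was never read; the lookup is keyed on the Address itself.
    if (!rewriters.Traces.TryGetValue(rdr.Address, out RtlTrace trace))
    {
        // A request for an unplanned address means the code under test went somewhere unexpected.
        NUnit.Framework.Assert.Fail(string.Format("Unexpected request for a rewriter at address {0}", rdr.Address));
    }
    return trace;
}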
/// <summary>
/// Creates a heuristic disassembler for one candidate procedure.
/// </summary>
/// <param name="program">Program being scanned.</param>
/// <param name="proc">Candidate procedure to disassemble.</param>
/// <param name="host">Rewriter host callbacks.</param>
public HeuristicDisassembler(Program program, HeuristicProcedure proc, IRewriterHost host)
{
    // Start with an empty block map; blocks are discovered during disassembly.
    this.blockMap = new Dictionary<Address, HeuristicBlock>();
    this.host = host;
    this.proc = proc;
    this.program = program;
}
/// <summary>
/// Creates a shingled scanner over a program.
/// </summary>
/// <param name="program">Program to scan.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <param name="eventListener">Listener notified of scan events.</param>
public ShingledScanner(Program program, IRewriterHost host, DecompilerEventListener eventListener)
{
    this.possibleCallDestinationTallies = new Dictionary<Address, int>();
    this.possiblePointerTargetTallies = new Dictionary<Address, int>();
    this.instructions = new SortedList<Address, MachineInstruction>();
    this.eventListener = eventListener;
    this.host = host;
    this.program = program;
    // Sentinel address built from an all-ones linear value.
    this.bad = program.Platform.MakeAddressFromLinear(~0ul);
}
/// <summary>
/// Installs a stub <see cref="IRewriterHost"/> whose <c>EnsurePseudoProcedure</c>
/// builds a fresh <see cref="PseudoProcedure"/> from whatever arguments it receives.
/// </summary>
protected void Given_RewriterHost()
{
    host = mr.Stub<IRewriterHost>();
    var factory = new Func<string, DataType, int, PseudoProcedure>(
        (name, dt, a) => new PseudoProcedure(name, dt, a));
    // IgnoreArguments makes the stub match every call, not just (null, null, 0).
    host.Stub(h => h.EnsurePseudoProcedure(null, null, 0))
        .IgnoreArguments()
        .Do(factory);
}
/// <summary>
/// Rewrites a one-byte image located at 16-bit address 10.
/// </summary>
/// <param name="frame">Frame handed to the rewriter.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetInstructionStream(Frame frame, IRewriterHost host)
{
    var addrBase = Address.Ptr16(10);
    var image = new LoadedImage(addrBase, new byte[1]);
    var rdr = arch.CreateImageReader(image, addrBase);
    var state = arch.CreateProcessorState();
    return arch.CreateRewriter(rdr, state, frame, host);
}
/// <summary>
/// Creates the 64-bit operand rewriter.
/// </summary>
/// <param name="arch">Intel architecture.</param>
/// <param name="frame">Frame for the rewriter.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>A new <see cref="OperandRewriter64"/>.</returns>
public override OperandRewriter CreateOperandRewriter(IntelArchitecture arch, Frame frame, IRewriterHost host)
    => new OperandRewriter64(arch, frame, host);
/// <summary>Identifier bound to the FSR2 register, resolved once in the constructor.</summary>
protected Identifier Fsr2;

/// <summary>
/// Initializes the common PIC18 rewriter state and binds the FSR2 register.
/// </summary>
/// <param name="arch">PIC architecture.</param>
/// <param name="disasm">Disassembler supplying instructions.</param>
/// <param name="state">Processor state.</param>
/// <param name="binder">Storage binder used to obtain register identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
protected PIC18RewriterBase(PICArchitecture arch, PICDisassemblerBase disasm, PICProcessorState state, IStorageBinder binder, IRewriterHost host)
    : base(arch, disasm, state, binder, host)
{
    this.Fsr2 = binder.EnsureRegister(PIC18Registers.FSR2);
}
/// <summary>
/// Disassembles at the reader's position and delegates trampoline detection to the
/// instruction-stream overload.
/// </summary>
/// <param name="rdr">Reader positioned at the candidate trampoline.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>The destination procedure, or null if none is recognized.</returns>
public ProcedureBase GetTrampolineDestination(ImageReader rdr, IRewriterHost host)
{
    var instrs = new PowerPcDisassembler(this, rdr, WordWidth);
    return GetTrampolineDestination(instrs, host);
}
/// <summary>
/// Creates a heuristic scanner for a program.
/// </summary>
/// <param name="prog">Program to scan.</param>
/// <param name="host">Rewriter host callbacks.</param>
public HeuristicScanner(Program prog, IRewriterHost host)
{
    this.host = host;
    this.program = prog;
}
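/// <summary>
/// Detects the presence of a PowerPC trampoline and returns the imported function
/// that is actually being requested.
/// </summary>
/// <remarks>
/// A PowerPC trampoline looks like this:
///     addis rX,r0,XXXX   (or oris rX,r0,XXXX)
///     lwz   rY,YYYY(rX)
///     mtctr rY
///     bctr
/// When loading the ELF binary, we discovered the memory locations
/// that will contain pointers to imported functions. If the address
/// XXXXYYYY matches one of those memory locations, we have found a
/// trampoline.
/// An instruction whose operands are not of the expected kind is treated as
/// "not a trampoline" rather than raising an <see cref="InvalidCastException"/>.
/// </remarks>
/// <param name="rdr">Instruction stream starting at the candidate trampoline.</param>
/// <param name="host">Host used to resolve the import slot to a procedure.</param>
/// <returns>The imported or intercepted procedure, or null if the stream is not a trampoline.</returns>
public ProcedureBase GetTrampolineDestination(IEnumerable<PowerPcInstruction> rdr, IRewriterHost host)
{
    using (var e = rdr.GetEnumerator())
    {
        // addis/oris rX,r0,XXXX : high half of the slot address.
        if (!e.MoveNext())
            return null;
        var first = e.Current;
        if (first.Opcode != Opcode.addis && first.Opcode != Opcode.oris)
            return null;
        if (!(first.op1 is RegisterOperand regHi) || !(first.op3 is ImmediateOperand immHi))
            return null;
        var addrInstr = first.Address;
        var reg = regHi.Register;
        var uAddr = immHi.Value.ToUInt32() << 16;

        // lwz rY,YYYY(rX) : low half, applied as a signed displacement from rX.
        if (!e.MoveNext() || e.Current.Opcode != Opcode.lwz)
            return null;
        if (!(e.Current.op2 is MemoryOperand mem) || mem.BaseRegister != reg)
            return null;
        if (!(e.Current.op1 is RegisterOperand regLoaded))
            return null;
        uAddr = (uint)((int)uAddr + mem.Offset.ToInt32());
        reg = regLoaded.Register;

        // mtctr rY : the loaded pointer must be the one moved into CTR.
        if (!e.MoveNext() || e.Current.Opcode != Opcode.mtctr)
            return null;
        if (!(e.Current.op1 is RegisterOperand regCtr) || regCtr.Register != reg)
            return null;

        // bcctr
        if (!e.MoveNext() || e.Current.Opcode != Opcode.bcctr)
            return null;

        // We saw a thunk! now try to resolve it.
        var addr = Address.Ptr32(uAddr);
        return host.GetImportedProcedure(addr, addrInstr)
            ?? host.GetInterceptedCall(addr);
    }
}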
/// <summary>
/// Trampoline detection is not implemented for this architecture.
/// </summary>
/// <param name="imageReader">Unused.</param>
/// <param name="host">Unused.</param>
/// <returns>Never returns.</returns>
/// <exception cref="NotImplementedException">Always thrown.</exception>
public override ProcedureBase GetTrampolineDestination(ImageReader imageReader, IRewriterHost host)
    => throw new NotImplementedException();
/// <summary>
/// Creates a PowerPC rewriter that consumes an existing instruction stream.
/// </summary>
/// <param name="arch">PowerPC architecture.</param>
/// <param name="instrs">Instructions to rewrite; enumerated lazily.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public PowerPcRewriter(PowerPcArchitecture arch, IEnumerable<PowerPcInstruction> instrs, IStorageBinder binder, IRewriterHost host)
{
    this.host = host;
    this.binder = binder;
    this.arch = arch;
    // Only the enumerator is kept; instructions are pulled on demand.
    this.dasm = instrs.GetEnumerator();
}
/// <summary>
/// Creates a Z80 rewriter that disassembles from <paramref name="rdr"/>.
/// </summary>
/// <param name="arch">Z80 architecture.</param>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state; not retained by this constructor.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public Z80Rewriter(Z80ProcessorArchitecture arch, EndianImageReader rdr, ProcessorState state, IStorageBinder binder, IRewriterHost host)
{
    this.host = host;
    this.binder = binder;
    this.arch = arch;
    var disassembler = new Z80Disassembler(rdr);
    this.dasm = disassembler.GetEnumerator();
}
/// <summary>
/// Creates a Thumb rewriter over the instruction stream read from <paramref name="rdr"/>.
/// </summary>
/// <param name="arch">Thumb architecture; not retained by this constructor.</param>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state; not retained by this constructor.</param>
/// <param name="frame">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public ThumbRewriter(ThumbProcessorArchitecture arch, EndianImageReader rdr, ArmProcessorState state, IStorageBinder frame, IRewriterHost host)
{
    this.host = host;
    this.frame = frame;
    this.instrs = CreateInstructionStream(rdr);
    // Start outside any IT block: no pending state, condition "always".
    this.itStateCondition = ArmCodeCondition.AL;
    this.itState = 0;
}
/// <summary>
/// Builds a PDP-11 rewriter over the fixture's image from offset 0.
/// </summary>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Ignored; the host from <c>base.CreateHost()</c> is used instead.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetInstructionStream(IStorageBinder binder, IRewriterHost host)
{
    var rdr = arch.CreateImageReader(image, 0);
    var disassembler = new Pdp11Disassembler(rdr, arch);
    return new Pdp11Rewriter(arch, disassembler, binder, base.CreateHost());
}
/// <summary>
/// Rewrites a memory area from its base address using a big-endian reader.
/// </summary>
/// <param name="mem">Memory area containing the code.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetRtlStream(MemoryArea mem, IStorageBinder binder, IRewriterHost host)
{
    var rdr = new BeImageReader(mem, mem.BaseAddress);
    var state = Architecture.CreateProcessorState();
    return Architecture.CreateRewriter(rdr, state, binder, host);
}
/// <summary>
/// Builds an Alpha rewriter over a memory area, reading little-endian from offset 0.
/// </summary>
/// <param name="mem">Memory area containing the code.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetRtlStream(MemoryArea mem, IStorageBinder binder, IRewriterHost host)
{
    var rdr = mem.CreateLeReader(0);
    return new AlphaRewriter(arch, rdr, binder, host);
}
/// <summary>
/// Rewriting is not implemented for this architecture.
/// </summary>
/// <param name="rdr">Unused.</param>
/// <param name="state">Unused.</param>
/// <param name="frame">Unused.</param>
/// <param name="host">Unused.</param>
/// <returns>Never returns.</returns>
/// <exception cref="NotImplementedException">Always thrown.</exception>
public override IEnumerable<RtlInstructionCluster> CreateRewriter(ImageReader rdr, ProcessorState state, Frame frame, IRewriterHost host)
    => throw new NotImplementedException();
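/// <summary>
/// Recognizes the PowerPC64 PLT stub sequence and, when present, reads the
/// function pointer out of the function descriptor it refers to.
/// </summary>
/// <remarks>
/// The expected sequence is:
///     addi  r12,r0,0000
///     oris  r12,r12,0006
///     lwz   r12,nnnn(r12)
///     std   r2,40(r1)
///     lwz   r0,0(r12)
///     lwz   r2,4(r12)
///     mtctr r0
///     bcctr 14,00
/// NOTE(review): the function pointer is read into <c>aFn</c> but never used, so
/// this method returns null even when the stub is recognized; resolving it is still TODO.
/// </remarks>
/// <param name="rdr">
/// Reader positioned at the candidate stub. When the stub matches, the reader's offset
/// is moved to the function descriptor as a side effect.
/// </param>
/// <param name="host">Rewriter host; currently unused.</param>
/// <returns>Always null for now; see remarks.</returns>
public override ProcedureBase GetTrampolineDestination(ImageReader rdr, IRewriterHost host)
{
    var dasm = new PowerPcDisassembler(
        (PowerPcArchitecture64) Architecture,
        rdr,
        PrimitiveType.Word64);

    // Reads the next instruction and reports whether it carries the expected opcode.
    // A null instruction (assumed to mean the reader ran off the image — confirm against
    // the disassembler) is a mismatch rather than a NullReferenceException.
    bool Next(Opcode expected, out PowerPcInstruction instr)
    {
        instr = dasm.DisassembleInstruction();
        return instr != null && instr.Opcode == expected;
    }

    //addi r12,r0,0000
    if (!Next(Opcode.addi, out var cur))
        return null;

    //oris r12,r12,0006
    if (!Next(Opcode.oris, out cur))
        return null;
    if (!(cur.op3 is ImmediateOperand immOp))
        return null;
    uint aFuncDesc = immOp.Value.ToUInt32() << 16;

    //lwz r12,nnnn(r12)
    if (!Next(Opcode.lwz, out cur))
        return null;
    if (!(cur.op2 is MemoryOperand memOp))
        return null;
    int offset = memOp.Offset.ToInt32();
    aFuncDesc = (uint)(aFuncDesc + offset);

    //std r2,40(r1)
    if (!Next(Opcode.std, out cur))
        return null;

    //lwz r0,0(r12) -- have a pointer to a trampoline
    if (!Next(Opcode.lwz, out cur))
        return null;

    //lwz r2,4(r12)
    if (!Next(Opcode.lwz, out cur))
        return null;

    // mtctr r0
    if (!Next(Opcode.mtctr, out cur))
        return null;

    // bcctr 14,00
    if (!Next(Opcode.bcctr, out cur))
        return null;

    // Read the function pointer from the function descriptor. The displacement is
    // computed from the reader's current address (past the stub), not its start.
    offset = (int)aFuncDesc - (int)rdr.Address.ToUInt32();
    rdr.Offset = rdr.Offset + offset;
    var aFn = rdr.ReadUInt32();
    // $TODO: resolve aFn to a procedure; until then callers see "no trampoline".
    return null;
}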
/// <summary>
/// Creates a Z80 rewriter reading from <paramref name="rdr"/>.
/// </summary>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state handed to the rewriter.</param>
/// <param name="frame">Frame handed to the rewriter.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
public IEnumerable<RtlInstructionCluster> CreateRewriter(ImageReader rdr, ProcessorState state, Frame frame, IRewriterHost host)
    => new Z80Rewriter(this, rdr, state, frame, host);
/// <summary>
/// Creates a PowerPC rewriter that disassembles from <paramref name="rdr"/>.
/// </summary>
/// <param name="arch">PowerPC architecture; also supplies the disassembler.</param>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public PowerPcRewriter(PowerPcArchitecture arch, EndianImageReader rdr, IStorageBinder binder, IRewriterHost host)
{
    this.rdr = rdr;
    this.host = host;
    this.binder = binder;
    this.arch = arch;
    var disassembler = arch.CreateDisassemblerImpl(rdr);
    this.dasm = disassembler.GetEnumerator();
}
/// <summary>
/// Creates the 64-bit operand rewriter; all state lives in the base class.
/// </summary>
/// <param name="arch">Intel architecture.</param>
/// <param name="m">Expression emitter.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public OperandRewriter64(IntelArchitecture arch, ExpressionEmitter m, IStorageBinder binder, IRewriterHost host)
    : base(arch, m, binder, host)
{
    // Nothing beyond the base initialization.
}
/// <summary>
/// This architecture recognizes no trampolines.
/// </summary>
/// <param name="addrInstr">Unused.</param>
/// <param name="rtls">Unused.</param>
/// <param name="host">Unused.</param>
/// <returns>Always null.</returns>
public override ProcedureBase? GetTrampolineDestination(Address addrInstr, IEnumerable<RtlInstruction> rtls, IRewriterHost host)
    => null;
/// <summary>
/// Builds a MIPS rewriter over a memory area using the fixture's disassembler factory.
/// </summary>
/// <param name="mem">Memory area containing the code.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetRtlStream(MemoryArea mem, IStorageBinder binder, IRewriterHost host)
{
    var rdr = arch.CreateImageReader(mem, 0);
    var instrs = mkDasm(rdr).Cast<MipsInstruction>();
    // No reader is passed to the rewriter here; it works from the instruction stream alone.
    return new MipsRewriter(arch, null, instrs, binder, host);
}
/// <summary>
/// Rewrites the fixture's image from offset 0 using the architecture's own rewriter.
/// </summary>
/// <param name="frame">Frame handed to the rewriter.</param>
/// <param name="host">Ignored; the fixture's <c>host</c> field is used instead.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetInstructionStream(Frame frame, IRewriterHost host)
{
    var rdr = new LeImageReader(image, 0);
    var state = arch.CreateProcessorState();
    return arch.CreateRewriter(rdr, state, frame, this.host);
}
/// <summary>
/// Creates an Xtensa rewriter that disassembles from <paramref name="rdr"/>.
/// </summary>
/// <param name="arch">Xtensa architecture.</param>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state.</param>
/// <param name="frame">Frame for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public XtensaRewriter(XtensaArchitecture arch, ImageReader rdr, ProcessorState state, Frame frame, IRewriterHost host)
{
    this.host = host;
    this.frame = frame;
    this.state = state;
    this.rdr = rdr;
    this.arch = arch;
    var disassembler = new XtensaDisassembler(this.arch, rdr);
    this.dasm = disassembler.GetEnumerator();
}
/// <summary>
/// This architecture recognizes no trampolines.
/// </summary>
/// <param name="imageReader">Unused.</param>
/// <param name="host">Unused.</param>
/// <returns>Always null.</returns>
public override ProcedureBase GetTrampolineDestination(ImageReader imageReader, IRewriterHost host)
    => null;
/// <summary>
/// Creates an operand rewriter bound to an Intel architecture.
/// </summary>
/// <param name="arch">Architecture whose operands will be rewritten.</param>
/// <param name="emitter">Expression emitter; retained in the <c>m</c> field.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public OperandRewriter(IntelArchitecture arch, ExpressionEmitter emitter, IStorageBinder binder, IRewriterHost host)
{
    this.host = host;
    this.binder = binder;
    this.m = emitter;
    this.arch = arch;
}
/// <summary>
/// Treats a leading goto to a registered dispatch address as a trampoline and
/// returns the dispatch procedure for it.
/// </summary>
/// <param name="addrInstr">Address of the first instruction; not used by the lookup.</param>
/// <param name="instrs">RTL instructions at that address; only the first is examined.</param>
/// <param name="host">Unused.</param>
/// <returns>The dispatch procedure, or null if the first instruction is not such a goto.</returns>
public override ProcedureBase? GetTrampolineDestination(Address addrInstr, IEnumerable<RtlInstruction> instrs, IRewriterHost host)
{
    var e = instrs.GetEnumerator();
    if (!e.MoveNext() || !(e.Current is RtlGoto g) || !(g.Target is Address addr))
        return null;
    return this.dispatchProcedures.TryGetValue(addr, out var disp)
        ? disp
        : null;
}
/// <summary>
/// Builds a MIPS rewriter over the fixture's disassembler.
/// </summary>
/// <param name="frame">Frame handed to the rewriter.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetInstructionStream(Frame frame, IRewriterHost host)
    => new MipsRewriter(arch, dasm, frame, host);
/// <summary>
/// Creates the 64-bit operand rewriter; all state lives in the base class.
/// </summary>
/// <param name="arch">Intel architecture.</param>
/// <param name="frame">Frame for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public OperandRewriter64(IntelArchitecture arch, Frame frame, IRewriterHost host)
    : base(arch, frame, host)
{
    // Nothing beyond the base initialization.
}
/// <summary>
/// Builds a 6502 rewriter over the fixture's image from offset 0.
/// </summary>
/// <param name="frame">Ignored; a fresh frame built from <c>arch.FramePointerType</c> is used.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetInstructionStream(Frame frame, IRewriterHost host)
{
    var rdr = image.CreateLeReader(0);
    var state = new Mos6502ProcessorState(arch);
    var freshFrame = new Frame(arch.FramePointerType);
    return new Rewriter(arch, rdr, state, freshFrame, host);
}
/// <summary>
/// No trampolines are supported on this architecture.
/// </summary>
/// <param name="imageReader">Unused.</param>
/// <param name="host">Unused.</param>
/// <returns>Always null.</returns>
public override ProcedureBase GetTrampolineDestination(ImageReader imageReader, IRewriterHost host)
    => null;
/// <summary>
/// Creates a MIPS rewriter that consumes an existing instruction stream.
/// </summary>
/// <param name="arch">MIPS architecture.</param>
/// <param name="rdr">Reader retained alongside the instruction stream.</param>
/// <param name="instrs">Instructions to rewrite; enumerated lazily.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public MipsRewriter(MipsProcessorArchitecture arch, EndianImageReader rdr, IEnumerable<MipsInstruction> instrs, IStorageBinder binder, IRewriterHost host)
{
    this.cmp = new ExpressionValueComparer();
    this.host = host;
    this.binder = binder;
    this.rdr = rdr;
    this.arch = arch;
    this.dasm = instrs.GetEnumerator();
}
/// <summary>
/// Rewrites a memory area from offset 0 using the architecture's own rewriter.
/// </summary>
/// <param name="mem">Memory area containing the code.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetRtlStream(MemoryArea mem, IStorageBinder binder, IRewriterHost host)
{
    var rdr = arch.CreateImageReader(mem, 0);
    var state = arch.CreateProcessorState();
    return arch.CreateRewriter(rdr, state, binder, host);
}
/// <summary>
/// Creates an operand rewriter bound to an Intel architecture.
/// </summary>
/// <param name="arch">Architecture whose operands will be rewritten.</param>
/// <param name="frame">Frame retained for later use by the rewriter.</param>
/// <param name="host">Rewriter host callbacks.</param>
public OperandRewriter(IntelArchitecture arch, Frame frame, IRewriterHost host)
{
    this.host = host;
    this.frame = frame;
    this.arch = arch;
}
/// <summary>
/// Creates a 6502 rewriter that disassembles little-endian from <paramref name="rdr"/>.
/// </summary>
/// <param name="arch">6502 architecture.</param>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public Rewriter(Mos6502ProcessorArchitecture arch, EndianImageReader rdr, ProcessorState state, IStorageBinder binder, IRewriterHost host)
{
    this.host = host;
    this.binder = binder;
    this.state = state;
    this.arch = arch;
    // The disassembler gets its own little-endian view of the reader.
    this.instrs = new Disassembler(rdr.CreateLeReader());
}
/// <summary>
/// If the instructions located at the address the image reader is reading are a
/// trampoline, returns the procedure where the destination is located, otherwise
/// returns null.
/// </summary>
/// <param name="imageReader">Reader positioned at the instructions to examine.</param>
/// <param name="host">Host an implementation may use to look up imported or intercepted procedures.</param>
/// <returns>The destination procedure, or null when no trampoline is recognized.</returns>
public abstract ProcedureBase GetTrampolineDestination(ImageReader imageReader, IRewriterHost host);
/// <summary>
/// Creates a C64 BASIC rewriter starting at the reader's current address.
/// </summary>
/// <param name="rdr">Reader whose address marks the start of the BASIC program.</param>
/// <param name="state">Processor state; not used by this implementation.</param>
/// <param name="frame">Frame; not used by this implementation.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
public override IEnumerable<RtlInstructionCluster> CreateRewriter(EndianImageReader rdr, ProcessorState state, Frame frame, IRewriterHost host)
{
    var addrStart = rdr.Address;
    return new C64BasicRewriter(this, addrStart, program, host);
}
/// <summary>
/// Builds a PDP-11 rewriter over the fixture's image from offset 0.
/// </summary>
/// <param name="frame">Frame handed to the rewriter.</param>
/// <param name="host">Not used; this rewriter overload takes no host.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetInstructionStream(Frame frame, IRewriterHost host)
{
    var rdr = arch.CreateImageReader(image, 0);
    var disassembler = new Pdp11Disassembler(rdr, arch);
    return new Pdp11Rewriter(arch, disassembler, frame);
}
/// <summary>
/// Placeholder for PowerPC64 PLT-stub detection over an RTL stream. The earlier
/// disassembler-based matcher is kept below as a comment until it is ported.
/// </summary>
/// <param name="addrInstr">Address of the first instruction.</param>
/// <param name="rdr">RTL instruction stream at that address.</param>
/// <param name="host">Rewriter host.</param>
/// <returns>Null when fewer than eight instructions are available.</returns>
/// <exception cref="NotImplementedException">Thrown once eight instructions are present.</exception>
public override ProcedureBase GetTrampolineDestination(Address addrInstr, IEnumerable<RtlInstruction> rdr, IRewriterHost host)
{
    // The stub is eight instructions long; a shorter stream cannot match.
    var dasm = rdr.Take(8).ToArray();
    if (dasm.Length < 8)
        return null;
    throw new NotImplementedException();
    /*
     * //addi r12,r0,0000
     * instr = dasm[0].Instructions[0];
     * if (instr.Mnemonic != Mnemonic.addi)
     *     return null;
     *
     * //oris r12,r12,0006
     * instr = dasm.DisassembleInstruction();
     * if (instr.Mnemonic != Mnemonic.oris)
     *     return null;
     * immOp = (ImmediateOperand) instr.op3;
     * uint aFuncDesc = immOp.Value.ToUInt32() << 16;
     *
     * //lwz r12,nnnn(r12)
     * instr = dasm.DisassembleInstruction();
     * if (instr.Mnemonic != Mnemonic.lwz)
     *     return null;
     * memOp = (MemoryOperand)instr.op2;
     * int offset = memOp.Offset.ToInt32();
     * aFuncDesc = (uint)(aFuncDesc + offset);
     *
     * //std r2,40(r1)
     * instr = dasm.DisassembleInstruction();
     * if (instr.Mnemonic != Mnemonic.std)
     *     return null;
     *
     * //lwz r0,0(r12)
     * // Have a pointer to a trampoline
     * instr = dasm.DisassembleInstruction();
     * if (instr.Mnemonic != Mnemonic.lwz)
     *     return null;
     *
     * //lwz r2,4(r12)
     * instr = dasm.DisassembleInstruction();
     * if (instr.Mnemonic != Mnemonic.lwz)
     *     return null;
     *
     * // mtctr r0
     * instr = dasm.DisassembleInstruction();
     * if (instr.Mnemonic != Mnemonic.mtctr)
     *     return null;
     *
     * // bcctr 14,00
     * instr = dasm.DisassembleInstruction();
     * if (instr.Mnemonic != Mnemonic.bcctr)
     *     return null;
     *
     * // Read the function pointer from the function descriptor.
     * offset = (int)aFuncDesc - (int)rdr.Address.ToUInt32();
     * rdr.Offset = rdr.Offset + offset;
     * var aFn = rdr.ReadUInt32();
     * return null;
     */
}
/// <summary>
/// Creates the operand rewriter appropriate for this processor mode.
/// </summary>
/// <param name="arch">Intel architecture whose operands are rewritten.</param>
/// <param name="frame">Frame for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>A new <see cref="OperandRewriter"/>.</returns>
public abstract OperandRewriter CreateOperandRewriter(IntelArchitecture arch, Frame frame, IRewriterHost host);
/// <summary>
/// Creates a Thumb rewriter reading from <paramref name="rdr"/>.
/// </summary>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state; not used by this implementation.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
public override IEnumerable<RtlInstructionCluster> CreateRewriter(EndianImageReader rdr, ProcessorState state, IStorageBinder binder, IRewriterHost host)
    => new ThumbRewriter(this, rdr, host, binder);
/// <summary>
/// Rewriting is not implemented for this architecture.
/// </summary>
/// <param name="rdr">Unused.</param>
/// <param name="state">Unused.</param>
/// <param name="frame">Unused.</param>
/// <param name="host">Unused.</param>
/// <returns>Never returns.</returns>
/// <exception cref="NotImplementedException">Always thrown.</exception>
public IEnumerable<RtlInstructionCluster> CreateRewriter(ImageReader rdr, ProcessorState state, Frame frame, IRewriterHost host)
    => throw new NotImplementedException();
/// <summary>
/// Creates a MIPS rewriter over the instructions disassembled from <paramref name="rdr"/>.
/// </summary>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state; not used by this implementation.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
public override IEnumerable<RtlInstructionCluster> CreateRewriter(EndianImageReader rdr, ProcessorState state, IStorageBinder binder, IRewriterHost host)
{
    var instrs = CreateDisassemblerInternal(rdr);
    return new MipsRewriter(this, rdr, instrs, binder, host);
}
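/// <summary>
/// Detects the presence of a PowerPC trampoline and returns the imported function
/// that is actually being requested.
/// </summary>
/// <remarks>
/// A PowerPC trampoline looks like this:
///     addis rX,r0,XXXX   (or oris rX,r0,XXXX)
///     lwz   rY,YYYY(rX)
///     mtctr rY
///     bctr
/// When loading the ELF binary, we discovered the memory locations
/// that will contain pointers to imported functions. If the address
/// XXXXYYYY matches one of those memory locations, we have found a
/// trampoline.
/// An instruction whose operands are not of the expected kind is treated as
/// "not a trampoline" rather than raising an <see cref="InvalidCastException"/>.
/// </remarks>
/// <param name="rdr">Instruction stream starting at the candidate trampoline.</param>
/// <param name="host">Host used to resolve the import slot to a procedure.</param>
/// <returns>The imported or intercepted procedure, or null if the stream is not a trampoline.</returns>
public ProcedureBase GetTrampolineDestination(IEnumerable<PowerPcInstruction> rdr, IRewriterHost host)
{
    using (var e = rdr.GetEnumerator())
    {
        // addis/oris rX,r0,XXXX : high half of the slot address.
        if (!e.MoveNext())
            return null;
        var first = e.Current;
        if (first.Opcode != Opcode.addis && first.Opcode != Opcode.oris)
            return null;
        if (!(first.op1 is RegisterOperand regHi) || !(first.op3 is ImmediateOperand immHi))
            return null;
        var addrInstr = first.Address;
        var reg = regHi.Register;
        var uAddr = immHi.Value.ToUInt32() << 16;

        // lwz rY,YYYY(rX) : low half, applied as a signed displacement from rX.
        if (!e.MoveNext() || e.Current.Opcode != Opcode.lwz)
            return null;
        if (!(e.Current.op2 is MemoryOperand mem) || mem.BaseRegister != reg)
            return null;
        if (!(e.Current.op1 is RegisterOperand regLoaded))
            return null;
        uAddr = (uint)((int)uAddr + mem.Offset.ToInt32());
        reg = regLoaded.Register;

        // mtctr rY : the loaded pointer must be the one moved into CTR.
        if (!e.MoveNext() || e.Current.Opcode != Opcode.mtctr)
            return null;
        if (!(e.Current.op1 is RegisterOperand regCtr) || regCtr.Register != reg)
            return null;

        // bcctr
        if (!e.MoveNext() || e.Current.Opcode != Opcode.bcctr)
            return null;

        // We saw a thunk! now try to resolve it.
        var addr = Address.Ptr32(uAddr);
        return host.GetImportedProcedure(addr, addrInstr)
            ?? host.GetInterceptedCall(addr);
    }
}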
/// <summary>
/// Trampoline detection is not attempted yet for this architecture.
/// </summary>
/// <param name="addrInstr">Unused.</param>
/// <param name="rdr">Unused.</param>
/// <param name="host">Unused.</param>
/// <returns>Always null.</returns>
public override ProcedureBase? GetTrampolineDestination(Address addrInstr, IEnumerable<RtlInstruction> rdr, IRewriterHost host)
{
    //$TODO: for now we don't attempt to locate trampolines.
    return null;
}
/// <summary>
/// Builds an Xtensa rewriter over the fixture's image from offset 0.
/// </summary>
/// <param name="frame">Ignored; a fresh frame built from <c>arch.WordWidth</c> is used.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetInstructionStream(Frame frame, IRewriterHost host)
{
    var rdr = new LeImageReader(image, 0);
    var freshFrame = new Frame(arch.WordWidth);
    return new XtensaRewriter(arch, rdr, state, freshFrame, host);
}
/// <summary>
/// Creates an AArch64 rewriter that disassembles from <paramref name="rdr"/>.
/// </summary>
/// <param name="arch">ARM64 architecture.</param>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
public A64Rewriter(Arm64Architecture arch, EndianImageReader rdr, ProcessorState state, IStorageBinder binder, IRewriterHost host)
{
    this.host = host;
    this.binder = binder;
    this.state = state;
    this.rdr = rdr;
    this.arch = arch;
    var disassembler = new AArch64Disassembler(arch, rdr);
    this.dasm = disassembler.GetEnumerator();
}
/// <summary>
/// Creates a PDP-11 rewriter reading from <paramref name="rdr"/>.
/// </summary>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state; not used by this implementation.</param>
/// <param name="frame">Frame handed to the rewriter.</param>
/// <param name="host">Not used; this rewriter overload takes no host.</param>
/// <returns>Stream of RTL clusters.</returns>
public IEnumerable<RtlInstructionCluster> CreateRewriter(ImageReader rdr, ProcessorState state, Frame frame, IRewriterHost host)
{
    var disassembler = new Pdp11Disassembler(rdr, this);
    return new Pdp11Rewriter(this, disassembler, frame);
}
/// <summary>
/// Creates an 8051 rewriter reading from <paramref name="rdr"/>.
/// </summary>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state handed to the rewriter.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
public override IEnumerable<RtlInstructionCluster> CreateRewriter(EndianImageReader rdr, ProcessorState state, IStorageBinder binder, IRewriterHost host)
    => new i8051Rewriter(this, rdr, state, binder, host);
/// <summary>
/// This architecture recognizes no trampolines.
/// </summary>
/// <param name="imageReader">Unused.</param>
/// <param name="host">Unused.</param>
/// <returns>Always null.</returns>
public override ProcedureBase GetTrampolineDestination(ImageReader imageReader, IRewriterHost host)
    => null;
/// <summary>
/// Builds an 8051 rewriter over a memory area, reading big-endian from offset 0.
/// </summary>
/// <param name="mem">Memory area containing the code.</param>
/// <param name="binder">Storage binder for identifiers.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetRtlStream(MemoryArea mem, IStorageBinder binder, IRewriterHost host)
{
    var rdr = new BeImageReader(mem, 0);
    var state = new i8051State(arch);
    return new i8051Rewriter(arch, rdr, state, binder, host);
}
/// <summary>
/// Creates a SPARC rewriter reading from <paramref name="rdr"/>.
/// </summary>
/// <param name="rdr">Reader positioned at the code to rewrite.</param>
/// <param name="state">Processor state; must be a <see cref="SparcProcessorState"/>.</param>
/// <param name="frame">Frame handed to the rewriter.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
/// <exception cref="InvalidCastException">If <paramref name="state"/> is not a <see cref="SparcProcessorState"/>.</exception>
public override IEnumerable<RtlInstructionCluster> CreateRewriter(ImageReader rdr, ProcessorState state, Frame frame, IRewriterHost host)
{
    var sparcState = (SparcProcessorState)state;
    return new SparcRewriter(this, rdr, sparcState, frame, host);
}
/// <summary>
/// Builds a Z80 rewriter over the fixture's image from offset 0.
/// </summary>
/// <param name="binder">Ignored; a fresh frame built from <c>arch.WordWidth</c> is used.</param>
/// <param name="host">Rewriter host callbacks.</param>
/// <returns>Stream of RTL clusters.</returns>
protected override IEnumerable<RtlInstructionCluster> GetInstructionStream(IStorageBinder binder, IRewriterHost host)
{
    var rdr = new LeImageReader(image, 0);
    var freshFrame = new Frame(arch.WordWidth);
    return new Z80Rewriter(arch, rdr, state, freshFrame, host);
}