static int analop(RAnal *a, RAnalOp *op, ut64 addr, const ut8 *buf, int len) { static int omode = 0; #if USE_ITER_API static #endif cs_insn *insn = NULL; int mode = (a->bits==64)? CS_MODE_64: (a->bits==32)? CS_MODE_32: (a->bits==16)? CS_MODE_16: 0; int n, ret; int regsz = 4; if (handle && mode != omode) { cs_close (&handle); handle = 0; } omode = mode; if (handle == 0) { ret = cs_open (CS_ARCH_X86, mode, &handle); if (ret != CS_ERR_OK) { handle = 0; return 0; } } switch (a->bits) { case 64: regsz = 8; break; case 16: regsz = 2; break; default: case 32: regsz = 4; break; } memset (op, '\0', sizeof (RAnalOp)); op->cycles = 1; // aprox op->type = R_ANAL_OP_TYPE_NULL; op->jump = UT64_MAX; op->fail = UT64_MAX; op->ptr = op->val = UT64_MAX; op->src[0] = NULL; op->src[1] = NULL; op->size = 0; op->delay = 0; r_strbuf_init (&op->esil); cs_option (handle, CS_OPT_DETAIL, CS_OPT_ON); // capstone-next #if USE_ITER_API { ut64 naddr = addr; size_t size = len; if (insn == NULL) insn = cs_malloc (handle); n = cs_disasm_iter (handle, (const uint8_t**)&buf, &size, (uint64_t*)&naddr, insn); } #else n = cs_disasm (handle, (const ut8*)buf, len, addr, 1, &insn); #endif struct Getarg gop = { .handle = handle, .insn = insn, .bits = a->bits }; if (n<1) { op->type = R_ANAL_OP_TYPE_ILL; } else { int rs = a->bits/8; const char *pc = (a->bits==16)?"ip": (a->bits==32)?"eip":"rip"; const char *sp = (a->bits==16)?"sp": (a->bits==32)?"esp":"rsp"; const char *bp = (a->bits==16)?"bp": (a->bits==32)?"ebp":"rbp"; op->size = insn->size; op->family = 0; op->prefix = 0; switch (insn->detail->x86.prefix[0]) { case X86_PREFIX_REPNE: op->prefix |= R_ANAL_OP_PREFIX_REPNE; break; case X86_PREFIX_REP: op->prefix |= R_ANAL_OP_PREFIX_REP; break; case X86_PREFIX_LOCK: op->prefix |= R_ANAL_OP_PREFIX_LOCK; break; } switch (insn->id) { case X86_INS_FNOP: case X86_INS_NOP: case X86_INS_PAUSE: op->type = R_ANAL_OP_TYPE_NOP; if (a->decode) esilprintf (op, ","); break; case X86_INS_HLT: op->type = R_ANAL_OP_TYPE_TRAP; break; case X86_INS_FBLD: case X86_INS_FBSTP: case X86_INS_FCOMPP: case X86_INS_FDECSTP: case X86_INS_FEMMS: case X86_INS_FFREE: case X86_INS_FICOM: case X86_INS_FICOMP: case X86_INS_FINCSTP: case X86_INS_FNCLEX: case X86_INS_FNINIT: case X86_INS_FNSTCW: case X86_INS_FNSTSW: case X86_INS_FPATAN: case X86_INS_FPREM: case X86_INS_FPREM1: case X86_INS_FPTAN: #if CS_API_MAJOR >=4 case X86_INS_FFREEP: #endif case X86_INS_FRNDINT: case X86_INS_FRSTOR: case X86_INS_FNSAVE: case X86_INS_FSCALE: case X86_INS_FSETPM: case X86_INS_FSINCOS: case X86_INS_FNSTENV: case X86_INS_FXAM: case X86_INS_FXSAVE: case X86_INS_FXSAVE64: case X86_INS_FXTRACT: case X86_INS_FYL2X: case X86_INS_FYL2XP1: case X86_INS_FISTTP: case X86_INS_FSQRT: case X86_INS_FXCH: case X86_INS_FTST: case X86_INS_FUCOMPI: case X86_INS_FUCOMI: case X86_INS_FUCOMPP: case X86_INS_FUCOMP: case X86_INS_FUCOM: op->type = R_ANAL_OP_TYPE_SUB; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_FLDCW: case X86_INS_FLDENV: case X86_INS_FLDL2E: case X86_INS_FLDL2T: case X86_INS_FLDLG2: case X86_INS_FLDLN2: case X86_INS_FLDPI: case X86_INS_FLDZ: case X86_INS_FLD1: case X86_INS_FLD: op->type = R_ANAL_OP_TYPE_LOAD; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_FIST: case X86_INS_FISTP: case X86_INS_FST: case X86_INS_FSTP: case X86_INS_FSTPNCE: case X86_INS_FXRSTOR: case X86_INS_FXRSTOR64: op->type = R_ANAL_OP_TYPE_STORE; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_FDIV: case X86_INS_FIDIV: case X86_INS_FDIVP: case X86_INS_FDIVR: case X86_INS_FIDIVR: case X86_INS_FDIVRP: case X86_INS_FSUBR: case X86_INS_FISUBR: case X86_INS_FSUBRP: case X86_INS_FSUB: case X86_INS_FISUB: case X86_INS_FSUBP: op->type = R_ANAL_OP_TYPE_SUB; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_FMUL: case X86_INS_FIMUL: case X86_INS_FMULP: op->type = R_ANAL_OP_TYPE_MUL; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_CLI: case X86_INS_STI: op->type = R_ANAL_OP_TYPE_SWI; op->family = R_ANAL_OP_FAMILY_PRIV; break; case X86_INS_CLC: case X86_INS_STC: case X86_INS_CLAC: case X86_INS_CLGI: case X86_INS_CLTS: case X86_INS_CLWB: case X86_INS_STAC: case X86_INS_STGI: op->type = R_ANAL_OP_TYPE_MOV; op->family = R_ANAL_OP_FAMILY_CPU; break; // cmov case X86_INS_SETNE: case X86_INS_SETNO: case X86_INS_SETNP: case X86_INS_SETNS: case X86_INS_SETO: case X86_INS_SETP: case X86_INS_SETS: case X86_INS_SETL: case X86_INS_SETLE: case X86_INS_SETB: case X86_INS_SETG: case X86_INS_SETAE: case X86_INS_SETA: case X86_INS_SETBE: case X86_INS_SETE: case X86_INS_SETGE: op->type = R_ANAL_OP_TYPE_CMOV; op->family = 0; if (a->decode) { char *dst = getarg (&gop, 0, 0, NULL); switch (insn->id) { case X86_INS_SETE: esilprintf (op, "zf,%s,=", dst); break; case X86_INS_SETNE: esilprintf (op, "zf,!,%s,=", dst); break; case X86_INS_SETO: esilprintf (op, "of,%s,=", dst); break; case X86_INS_SETNO: esilprintf (op, "of,!,%s,=", dst); break; case X86_INS_SETP: esilprintf (op, "pf,%s,=", dst); break; case X86_INS_SETNP: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETS: esilprintf (op, "sf,%s,=", dst); break; case X86_INS_SETNS: esilprintf (op, "sf,!,%s,=", dst); break; case X86_INS_SETB: esilprintf (op, "cf,%s,=", dst); break; case X86_INS_SETAE: esilprintf (op, "cf,!,%s,=", dst); break; /* TODO */ #if 0 SETLE/SETNG Sets the byte in the operand to 1 if the Zero Flag is set or the Sign Flag is not equal to the Overflow Flag, otherwise sets the operand to 0. SETBE/SETNA Sets the byte in the operand to 1 if the Carry Flag or the Zero Flag is set, otherwise sets the operand to 0. SETL/SETNGE Sets the byte in the operand to 1 if the Sign Flag is not equal to the Overflow Flag, otherwise sets the operand to 0. case X86_INS_SETL: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETLE: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETG: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETA: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETBE: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETGE: esilprintf (op, "pf,!,%s,=", dst); break; break; #endif } free (dst); } break; // cmov case X86_INS_MOVSS: case X86_INS_CMOVA: case X86_INS_CMOVAE: case X86_INS_CMOVB: case X86_INS_CMOVBE: case X86_INS_FCMOVBE: case X86_INS_FCMOVB: case X86_INS_CMOVE: case X86_INS_FCMOVE: case X86_INS_CMOVG: case X86_INS_CMOVGE: case X86_INS_CMOVL: case X86_INS_CMOVLE: case X86_INS_FCMOVNBE: case X86_INS_FCMOVNB: case X86_INS_CMOVNE: case X86_INS_FCMOVNE: case X86_INS_CMOVNO: case X86_INS_CMOVNP: case X86_INS_FCMOVNU: case X86_INS_CMOVNS: case X86_INS_CMOVO: case X86_INS_CMOVP: case X86_INS_FCMOVU: case X86_INS_CMOVS: // mov case X86_INS_MOV: case X86_INS_MOVAPS: case X86_INS_MOVAPD: case X86_INS_MOVZX: case X86_INS_MOVUPS: case X86_INS_MOVABS: case X86_INS_MOVHPD: case X86_INS_MOVHPS: case X86_INS_MOVLPD: case X86_INS_MOVLPS: case X86_INS_MOVBE: case X86_INS_MOVSB: case X86_INS_MOVSD: case X86_INS_MOVSQ: case X86_INS_MOVSX: case X86_INS_MOVSXD: case X86_INS_MOVSW: case X86_INS_MOVD: case X86_INS_MOVQ: case X86_INS_MOVDQ2Q: { op->type = R_ANAL_OP_TYPE_MOV; op->ptr = UT64_MAX; switch (INSOP(0).type) { case X86_OP_MEM: op->ptr = INSOP(0).mem.disp; op->refptr = INSOP(0).size; if (INSOP(0).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(0).mem.base == X86_REG_RBP || INSOP(0).mem.base == X86_REG_EBP) { op->ptr = UT64_MAX; op->stackop = R_ANAL_STACK_SET; op->stackptr = regsz; } else { op->ptr = UT64_MAX; } if (a->decode) { if (op->prefix & R_ANAL_OP_PREFIX_REP) { int width = INSOP(0).size; const char *src = cs_reg_name(handle, INSOP(1).mem.base); const char *dst = cs_reg_name(handle, INSOP(0).mem.base); const char *counter = (a->bits==16)?"cx": (a->bits==32)?"ecx":"rcx"; esilprintf (op, "%s,!,?{,BREAK,},%s,DUP,%s,DUP,"\ "%s,[%d],%s,=[%d],df,?{,%d,%s,-=,%d,%s,-=,},"\ "df,!,?{,%d,%s,+=,%d,%s,+=,},%s,--=,%s," \ "?{,8,GOTO,},%s,=,%s,=", counter, src, dst, src, width, dst, width, width, src, width, dst, width, src, width, dst, counter, counter, dst, src); } else { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, NULL); esilprintf (op, "%s,%s", src, dst); free (src); free (dst); } } break; default: if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,=", src, dst); free (src); free (dst); } break; } if (op->refptr<1 || op->ptr == UT64_MAX) { switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; op->refptr = INSOP(1).size; if (INSOP(1).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(1).mem.base == X86_REG_RBP || INSOP(1).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_GET; op->stackptr = regsz; } break; case X86_OP_IMM: if (INSOP(1).imm > 10) op->ptr = INSOP(1).imm; break; default: break; } } } break; case X86_INS_SHL: case X86_INS_SHLD: case X86_INS_SHLX: op->type = R_ANAL_OP_TYPE_SHL; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "<<"); esilprintf (op, "%s,%s,$z,zf,=", src, dst); free (src); free (dst); } break; case X86_INS_SAR: case X86_INS_SARX: op->type = R_ANAL_OP_TYPE_SAR; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, ">>"); esilprintf (op, "%s,%s,$z,zf,=", src, dst); free (src); free (dst); } break; case X86_INS_SAL: op->type = R_ANAL_OP_TYPE_SAL; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "<<"); esilprintf (op, "%s,%s,$z,zf,=", src, dst); free (src); free (dst); } break; case X86_INS_SALC: op->type = R_ANAL_OP_TYPE_SAL; if (a->decode) { esilprintf (op, "$z,DUP,zf,=,al,="); } break; case X86_INS_SHR: case X86_INS_SHRD: case X86_INS_SHRX: op->type = R_ANAL_OP_TYPE_SHR; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,>>=,$z,zf,=", src, dst); free (src); free (dst); } break; case X86_INS_CMP: case X86_INS_CMPPD: case X86_INS_CMPPS: case X86_INS_CMPSW: case X86_INS_CMPSD: case X86_INS_CMPSQ: case X86_INS_CMPSB: case X86_INS_CMPSS: case X86_INS_TEST: if (insn->id == X86_INS_TEST) { op->type = R_ANAL_OP_TYPE_ACMP; //compare via and if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "0,%s,%s,&,==,$z,zf,=,$p,pf,=,$s,sf,=,0,cf,=,0,of,=", src, dst); free (src); free (dst); } } else { op->type = R_ANAL_OP_TYPE_CMP; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,==,$z,zf,=,$b%d,cf,=,$p,pf,=,$s,sf,=", src, dst, (INSOP(0).size*8)); free (src); free (dst); } } switch (INSOP(0).type) { case X86_OP_MEM: op->ptr = INSOP(0).mem.disp; op->refptr = INSOP(0).size; if (INSOP(0).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(0).mem.base == X86_REG_RBP || INSOP(0).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_SET; op->stackptr = regsz; } op->ptr = INSOP(1).imm; break; default: switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; op->refptr = INSOP(1).size; if (INSOP(1).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(1).mem.base == X86_REG_RBP || INSOP(1).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_SET; op->stackptr = regsz; } break; case X86_OP_IMM: op->ptr = INSOP(1).imm; break; default: break; } break; } break; case X86_INS_LEA: op->type = R_ANAL_OP_TYPE_LEA; if (a->decode) { char *src = getarg (&gop, 0, 0, NULL); char *dst = getarg (&gop, 1, 2, NULL); esilprintf (op, "%s,%s,=", dst, src); free (src); free (dst); } switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; op->refptr = INSOP(1).size; switch (INSOP(1).mem.base) { case X86_REG_RIP: op->ptr += addr + op->size; break; case X86_REG_RBP: case X86_REG_EBP: op->stackop = R_ANAL_STACK_GET; op->stackptr = regsz; break; default: /* unhandled */ break; } break; case X86_OP_IMM: if (INSOP(1).imm > 10) op->ptr = INSOP(1).imm; break; default: break; } break; case X86_INS_ENTER: case X86_INS_PUSH: case X86_INS_PUSHAW: case X86_INS_PUSHAL: case X86_INS_PUSHF: { char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%d,%s,-=,%s,%s,=[%d]", rs, sp, dst, sp, rs); free (dst); } switch (INSOP(0).type) { case X86_OP_IMM: op->ptr = INSOP(0).imm; op->type = R_ANAL_OP_TYPE_PUSH; break; default: op->type = R_ANAL_OP_TYPE_UPUSH; break; } op->stackop = R_ANAL_STACK_INC; op->stackptr = regsz; break; case X86_INS_LEAVE: op->type = R_ANAL_OP_TYPE_POP; if (a->decode) { esilprintf (op, "%s,%s,=,%s,[%d],%s,=,%d,%s,+=", bp, sp, sp, rs, bp, rs, sp); } op->stackop = R_ANAL_STACK_INC; op->stackptr = -regsz; break; case X86_INS_POP: case X86_INS_POPF: case X86_INS_POPAW: case X86_INS_POPAL: case X86_INS_POPCNT: op->type = R_ANAL_OP_TYPE_POP; if (a->decode) { char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,[%d],%s,=,%d,%s,+=", sp, rs, dst, rs, sp); free (dst); } op->stackop = R_ANAL_STACK_INC; op->stackptr = -regsz; break; case X86_INS_RET: case X86_INS_RETF: case X86_INS_RETFQ: case X86_INS_IRET: case X86_INS_IRETD: case X86_INS_IRETQ: case X86_INS_SYSRET: op->type = R_ANAL_OP_TYPE_RET; if (a->decode) esilprintf (op, "%s,[%d],%s,=,%d,%s,+=", sp, rs, pc, rs, sp); op->stackop = R_ANAL_STACK_INC; op->stackptr = -regsz; break; case X86_INS_INT3: if (a->decode) esilprintf (op, "3,$"); op->type = R_ANAL_OP_TYPE_TRAP; // TRAP break; case X86_INS_INT1: if (a->decode) esilprintf (op, "1,$"); op->type = R_ANAL_OP_TYPE_SWI; // TRAP break; case X86_INS_INT: if (a->decode) esilprintf (op, "%d,$", R_ABS((int)INSOP(0).imm)); op->type = R_ANAL_OP_TYPE_SWI; break; case X86_INS_SYSCALL: op->type = R_ANAL_OP_TYPE_SWI; break; case X86_INS_INTO: case X86_INS_VMCALL: case X86_INS_VMMCALL: op->type = R_ANAL_OP_TYPE_TRAP; if (a->decode) esilprintf (op, "%d,$", (int)INSOP(0).imm); break; case X86_INS_JL: case X86_INS_JLE: case X86_INS_JA: case X86_INS_JAE: case X86_INS_JB: case X86_INS_JBE: case X86_INS_JCXZ: case X86_INS_JECXZ: case X86_INS_JRCXZ: case X86_INS_JO: case X86_INS_JNO: case X86_INS_JS: case X86_INS_JNS: case X86_INS_JP: case X86_INS_JNP: case X86_INS_JE: case X86_INS_JNE: case X86_INS_JG: case X86_INS_JGE: case X86_INS_LOOP: case X86_INS_LOOPE: case X86_INS_LOOPNE: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = INSOP(0).imm; op->fail = addr+op->size; const char *cnt = (a->bits==16)?"cx":(a->bits==32)?"ecx":"rcx"; if (a->decode) { char *dst = getarg (&gop, 0, 2, NULL); switch (insn->id) { case X86_INS_JL: esilprintf (op, "of,sf,^,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JLE: esilprintf (op, "of,sf,^,zf,|,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JA: esilprintf (op, "cf,zf,|,!,?{,%s,%s,=,}",dst, pc); break; case X86_INS_JAE: esilprintf (op, "cf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JB: esilprintf (op, "cf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JO: esilprintf (op, "of,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNO: esilprintf (op, "of,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JE: esilprintf (op, "zf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JGE: esilprintf (op, "of,!,sf,^,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNE: esilprintf (op, "zf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JG: esilprintf (op, "sf,of,!,^,zf,!,&,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JS: esilprintf (op, "sf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNS: esilprintf (op, "sf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JP: esilprintf (op, "pf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNP: esilprintf (op, "pf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JBE: esilprintf (op, "zf,cf,|,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JCXZ: esilprintf (op, "cx,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JECXZ: esilprintf (op, "ecx,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JRCXZ: esilprintf (op, "rcx,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_LOOP: esilprintf (op, "1,%s,-=,%s,?{,%s,%s,=,}", cnt, cnt, dst, pc); break; case X86_INS_LOOPE: esilprintf (op, "1,%s,-=,%s,?{,zf,?{,%s,%s,=,},}", cnt, cnt, dst, pc); break; case X86_INS_LOOPNE: esilprintf (op, "1,%s,-=,%s,?{,zf,!,?{,%s,%s,=,},}", cnt, cnt, dst, pc); break; } free (dst); } break; case X86_INS_CALL: case X86_INS_LCALL: switch (INSOP(0).type) { case X86_OP_IMM: op->type = R_ANAL_OP_TYPE_CALL; // TODO: what if UCALL? // TODO: use imm_size op->jump = INSOP(0).imm; op->fail = addr+op->size; break; case X86_OP_MEM: op->type = R_ANAL_OP_TYPE_UCALL; op->jump = UT64_MAX; if (INSOP(0).mem.base == 0) { op->ptr = INSOP(0).mem.disp; } break; default: op->type = R_ANAL_OP_TYPE_UCALL; op->jump = UT64_MAX; break; } if (a->decode) { char* arg = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s," "%d,%s,-=,%s," "=[]," "%s,%s,=", pc, rs, sp, sp, arg, pc); free (arg); } break; case X86_INS_JMP: case X86_INS_LJMP: if (a->decode) { char *src = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,=", src, pc); free (src); } // TODO: what if UJMP? switch (INSOP(0).type) { case X86_OP_IMM: op->jump = INSOP(0).imm; op->type = R_ANAL_OP_TYPE_JMP; if (a->decode) { ut64 dst = INSOP(0).imm; esilprintf (op, "0x%"PFMT64x",%s,=", dst, pc); } break; case X86_OP_MEM: op->type = R_ANAL_OP_TYPE_UJMP; if (INSOP(0).mem.base == X86_REG_RIP) { op->ptr = INSOP(0).mem.disp; op->ptr += addr + insn->size; op->refptr = 8; } else { cs_x86_op in = INSOP(0); if (in.mem.index == 0 && in.mem.base == 0 && in.mem.scale == 1) { op->type = R_ANAL_OP_TYPE_UJMP; op->ptr = in.mem.disp; if (a->decode) { esilprintf (op, "0x%"PFMT64x",[],%s,=", op->ptr, pc); } } } break; case X86_OP_REG: case X86_OP_FP: default: // other? op->type = R_ANAL_OP_TYPE_UJMP; break; } break; case X86_INS_IN: case X86_INS_INSW: case X86_INS_INSD: case X86_INS_INSB: case X86_INS_OUT: case X86_INS_OUTSB: case X86_INS_OUTSD: case X86_INS_OUTSW: op->type = R_ANAL_OP_TYPE_IO; break; case X86_INS_VXORPD: case X86_INS_VXORPS: case X86_INS_VPXORD: case X86_INS_VPXORQ: case X86_INS_VPXOR: case X86_INS_XORPS: case X86_INS_KXORW: case X86_INS_PXOR: case X86_INS_XOR: op->type = R_ANAL_OP_TYPE_XOR; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "^"); esilprintf (op, "%s,%s,$z,zf,=,$p,pf,=,0,cf,=,0,of,=,$s,sf,=", src, dst); free (src); free (dst); } break; case X86_INS_OR: op->type = R_ANAL_OP_TYPE_OR; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,|=", src, dst); free (src); free (dst); } break; case X86_INS_INC: op->type = R_ANAL_OP_TYPE_ADD; op->val = 1; if (a->decode) { char *src = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,++=", src); free (src); } break; case X86_INS_DEC: op->type = R_ANAL_OP_TYPE_SUB; op->val = 1; if (a->decode) { char *src = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,--=", src); free (src); } break; case X86_INS_SUB: case X86_INS_PSUBB: case X86_INS_PSUBW: case X86_INS_PSUBD: case X86_INS_PSUBQ: case X86_INS_PSUBSB: case X86_INS_PSUBSW: case X86_INS_PSUBUSB: case X86_INS_PSUBUSW: op->type = R_ANAL_OP_TYPE_SUB; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "-"); esilprintf (op, "%s,%s,$c,cf,=,$z,zf,=,$s,sf,=,$o,of,=", src, dst); // TODO: update flags free (src); free (dst); } if (INSOP(0).type == X86_OP_REG && INSOP(1).type == X86_OP_IMM) { if (INSOP(0).reg == X86_REG_RSP || INSOP(0).reg == X86_REG_ESP) { op->stackop = R_ANAL_STACK_INC; op->stackptr = INSOP(1).imm; } } break; case X86_INS_LIDT: op->type = R_ANAL_OP_TYPE_LOAD; op->family = R_ANAL_OP_FAMILY_PRIV; break; case X86_INS_SIDT: op->type = R_ANAL_OP_TYPE_STORE; op->family = R_ANAL_OP_FAMILY_PRIV; break; case X86_INS_RDRAND: case X86_INS_RDSEED: case X86_INS_RDMSR: case X86_INS_RDPMC: case X86_INS_RDTSC: case X86_INS_RDTSCP: case X86_INS_CRC32: case X86_INS_SHA1MSG1: case X86_INS_SHA1MSG2: case X86_INS_SHA1NEXTE: case X86_INS_SHA1RNDS4: case X86_INS_SHA256MSG1: case X86_INS_SHA256MSG2: case X86_INS_SHA256RNDS2: case X86_INS_AESDECLAST: case X86_INS_AESDEC: case X86_INS_AESENCLAST: case X86_INS_AESENC: case X86_INS_AESIMC: case X86_INS_AESKEYGENASSIST: // AES instructions op->family = R_ANAL_OP_FAMILY_CRYPTO; op->type = R_ANAL_OP_TYPE_MOV; // XXX break; case X86_INS_AND: case X86_INS_ANDN: case X86_INS_ANDPD: case X86_INS_ANDPS: case X86_INS_ANDNPD: case X86_INS_ANDNPS: op->type = R_ANAL_OP_TYPE_AND; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "&"); // TODO: update of = cf = 0 // TODO: update sf, zf and pf // TODO: af is undefined esilprintf (op, "0,of,=,0,cf,=," // set carry and overflow flags "%s,%s," // set reg value "$z,zf,=," // update zero flag "$s,sf,=," // update sign flag "$o,pf,=", // update parity flag // TODO: add sign and parity flags here src, dst); free (src); free (dst); } break; case X86_INS_DIV: case X86_INS_IDIV: op->type = R_ANAL_OP_TYPE_DIV; if (a->decode) { int width = INSOP(0).size; char *dst = getarg (&gop, 0, 0, NULL); const char *r_ax = (width==2)?"ax": (width==4)?"eax":"rax"; const char *r_dx = (width==2)?"dx": (width==4)?"edx":"rdx"; // TODO update flags & handle signedness esilprintf (op, "%s,%s,%%,%s,=,%s,%s,/,%s,=", dst, r_ax, r_dx, dst, r_ax, r_ax); free (dst); } break; case X86_INS_MUL: case X86_INS_MULX: case X86_INS_MULPD: case X86_INS_MULPS: case X86_INS_MULSD: case X86_INS_MULSS: op->type = R_ANAL_OP_TYPE_MUL; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "*"); if (!src && dst) { switch (dst[0]) { case 'r': src = strdup ("rax"); break; case 'e': src = strdup ("eax"); break; default: src = strdup ("al"); break; } } esilprintf (op, "%s,%s", src, dst); free (src); free (dst); } break; case X86_INS_PACKSSDW: case X86_INS_PACKSSWB: case X86_INS_PACKUSWB: op->type = R_ANAL_OP_TYPE_MOV; op->family = R_ANAL_OP_FAMILY_MMX; break; case X86_INS_PADDB: case X86_INS_PADDD: case X86_INS_PADDW: case X86_INS_PADDSB: case X86_INS_PADDSW: case X86_INS_PADDUSB: case X86_INS_PADDUSW: op->type = R_ANAL_OP_TYPE_ADD; op->family = R_ANAL_OP_FAMILY_MMX; break; case X86_INS_FADD: case X86_INS_FADDP: op->family = R_ANAL_OP_FAMILY_FPU; /* pass thru */ case X86_INS_ADD: case X86_INS_ADDPS: case X86_INS_ADDSD: case X86_INS_ADDSS: case X86_INS_ADDSUBPD: case X86_INS_ADDSUBPS: case X86_INS_ADDPD: case X86_INS_XADD: op->type = R_ANAL_OP_TYPE_ADD; if (a->decode) { if (INSOP(0).type == X86_OP_MEM) { char *src = getarg (&gop, 1, 0, NULL); char *src2 = getarg (&gop, 0, 0, NULL); char *dst = getarg (&gop, 0, 1, NULL); // TODO: update flags esilprintf (op, "%s,%s,+,%s", src, src2, dst); free (src); free (src2); free (dst); } else { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "+"); esilprintf (op, "%s,%s", src, dst); // TODO: update flags free (src); free (dst); } } if (INSOP(0).type == X86_OP_REG && INSOP(1).type == X86_OP_IMM) { if (INSOP(0).reg == X86_REG_RSP || INSOP(0).reg == X86_REG_ESP) { op->stackop = R_ANAL_STACK_INC; op->stackptr = -INSOP(1).imm; } } break; /* Direction flag */ case X86_INS_CLD: op->type = R_ANAL_OP_TYPE_MOV; op->family = R_ANAL_OP_FAMILY_CPU; if (a->decode) esilprintf (op, "0,df,="); break; case X86_INS_STD: op->type = R_ANAL_OP_TYPE_MOV; op->family = R_ANAL_OP_FAMILY_CPU; if (a->decode) esilprintf (op, "1,df,="); break; } switch (insn->id) { case X86_INS_MOVAPS: //cvtss2sd case X86_INS_ADDSD: //cvtss2sd case X86_INS_SUBSD: //cvtss2sd case X86_INS_MULSD: //cvtss2sd case X86_INS_CVTSS2SD: //cvtss2sd case X86_INS_MOVSS: case X86_INS_MOVSD: op->family = R_ANAL_OP_FAMILY_MMX; break; } } //#if X86_GRP_PRIVILEGE>0 if (insn) { #if HAVE_CSGRP_PRIVILEGE if (cs_insn_group (handle, insn, X86_GRP_PRIVILEGE)) op->family = R_ANAL_OP_FAMILY_PRIV; #endif #if !USE_ITER_API cs_free (insn, n); #endif } //cs_close (&handle); return op->size; }
static int analop(RAnal *a, RAnalOp *op, ut64 addr, const ut8 *buf, int len) { static csh handle = 0; static int omode = -1; int n, ret; cs_insn *insn; int mode = (a->bits==64)? CS_MODE_64: (a->bits==32)? CS_MODE_32: 0; mode |= CS_MODE_BIG_ENDIAN; if (mode != omode) { cs_close (&handle); handle = 0; omode = mode; } if (handle == 0) { ret = cs_open (CS_ARCH_PPC, mode, &handle); if (ret != CS_ERR_OK) { return -1; } cs_option (handle, CS_OPT_DETAIL, CS_OPT_ON); } op->delay = 0; op->type = R_ANAL_OP_TYPE_NULL; op->jump = UT64_MAX; op->fail = UT64_MAX; op->ptr = op->val = UT64_MAX; op->size = 4; // capstone-next n = cs_disasm (handle, (const ut8*)buf, len, addr, 1, &insn); if (n<1) { op->type = R_ANAL_OP_TYPE_ILL; } else { struct Getarg gop = { .handle = handle, .insn = insn, .bits = a->bits }; op->size = insn->size; switch (insn->id) { case PPC_INS_MFLR: op->type = R_ANAL_OP_TYPE_PUSH; break; case PPC_INS_MTLR: op->type = R_ANAL_OP_TYPE_POP; break; case PPC_INS_MR: case PPC_INS_LI: case PPC_INS_LIS: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,%s,=", ARG(1), ARG(0)); break; break; case PPC_INS_RLWINM: op->type = R_ANAL_OP_TYPE_ROL; break; case PPC_INS_SC: op->type = R_ANAL_OP_TYPE_SWI; esilprintf (op, "0,$"); break; case PPC_INS_NOP: op->type = R_ANAL_OP_TYPE_NOP; esilprintf (op, ","); break; case PPC_INS_STW: case PPC_INS_STWU: case PPC_INS_STWUX: case PPC_INS_STWX: op->type = R_ANAL_OP_TYPE_STORE; esilprintf (op, "%s,%s", ARG(0), ARG2(1, "=[4]")); break; case PPC_INS_STB: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,%s", ARG(0), ARG2(1, "=[1]")); break; case PPC_INS_STH: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,%s", ARG(0), ARG2(1, "=[2]")); break; case PPC_INS_STWBRX: case PPC_INS_STWCX: op->type = R_ANAL_OP_TYPE_STORE; break; case PPC_INS_LA: case PPC_INS_LBZ: case PPC_INS_LBZU: case PPC_INS_LBZUX: case PPC_INS_LBZX: case PPC_INS_LD: case PPC_INS_LDARX: case PPC_INS_LDBRX: case PPC_INS_LDU: case PPC_INS_LDUX: case PPC_INS_LDX: case PPC_INS_LFD: case PPC_INS_LFDU: case PPC_INS_LFDUX: case PPC_INS_LFDX: case PPC_INS_LFIWAX: case PPC_INS_LFIWZX: case PPC_INS_LFS: case PPC_INS_LFSU: case PPC_INS_LFSUX: case PPC_INS_LFSX: case PPC_INS_LHA: case PPC_INS_LHAU: case PPC_INS_LHAUX: case PPC_INS_LHAX: case PPC_INS_LHBRX: case PPC_INS_LHZ: case PPC_INS_LHZU: case PPC_INS_LWA: case PPC_INS_LWARX: case PPC_INS_LWAUX: case PPC_INS_LWAX: case PPC_INS_LWBRX: case PPC_INS_LWZ: case PPC_INS_LWZU: case PPC_INS_LWZUX: case PPC_INS_LWZX: op->type = R_ANAL_OP_TYPE_LOAD; esilprintf (op, "%s,[4],%s,=", ARG(1), ARG(0)); break; case PPC_INS_SLW: case PPC_INS_SLWI: op->type = R_ANAL_OP_TYPE_SHL; esilprintf (op, "%s,%s,<<,%s,=", ARG(2), ARG(1), ARG(0)); break; case PPC_INS_SRW: case PPC_INS_SRWI: op->type = R_ANAL_OP_TYPE_SHR; esilprintf (op, "%s,%s,>>,%s,=", ARG(2), ARG(1), ARG(0)); break; case PPC_INS_CMPW: case PPC_INS_CMPWI: case PPC_INS_CMPLWI: op->type = R_ANAL_OP_TYPE_CMP; esilprintf (op, "%s,%s,==", ARG(1), ARG(0)); break; case PPC_INS_MULLI: case PPC_INS_MULLW: op->type = R_ANAL_OP_TYPE_MUL; esilprintf (op, "%s,%s,*,%s,=", ARG(2), ARG(1), ARG(0)); break; case PPC_INS_SUB: case PPC_INS_SUBC: case PPC_INS_SUBFIC: case PPC_INS_SUBFZE: op->type = R_ANAL_OP_TYPE_SUB; esilprintf (op, "%s,%s,-,%s,=", ARG(2), ARG(1), ARG(0)); break; case PPC_INS_ADD: case PPC_INS_ADDI: case PPC_INS_ADDC: case PPC_INS_ADDE: case PPC_INS_ADDIC: case PPC_INS_ADDIS: case PPC_INS_ADDME: case PPC_INS_ADDZE: op->type = R_ANAL_OP_TYPE_ADD; esilprintf (op, "%s,%s,+,%s,=", ARG(2), ARG(1), ARG(0)); break; case PPC_INS_MTSPR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,%s,=", ARG(1), ARG(0)); break; case PPC_INS_BCTR: // switch table here op->type = R_ANAL_OP_TYPE_UJMP; esilprintf (op, "ctr,pc,="); break; case PPC_INS_BC: op->type = R_ANAL_OP_TYPE_UJMP; esilprintf (op, "%s,pc,=", ARG(0)); break; case PPC_INS_B: case PPC_INS_BA: op->type = R_ANAL_OP_TYPE_JMP; op->jump = (ut64)(ut32)insn->detail->ppc.operands[0].imm; switch (insn->detail->ppc.operands[0].type) { case PPC_OP_CRX: op->type = R_ANAL_OP_TYPE_CJMP; break; case PPC_OP_REG: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = (ut64)(ut32)insn->detail->ppc.operands[1].imm; op->fail = addr+4; //op->type = R_ANAL_OP_TYPE_UJMP; default: break; } break; case PPC_INS_NOR: op->type = R_ANAL_OP_TYPE_NOR; //esilprintf (op, "%s,%s,^,%s,=", ARG(1), ARG(2), ARG(0)); break; case PPC_INS_XOR: case PPC_INS_XORI: case PPC_INS_XORIS: op->type = R_ANAL_OP_TYPE_XOR; esilprintf (op, "%s,%s,^,%s,=", ARG(1), ARG(2), ARG(0)); break; case PPC_INS_DIVD: case PPC_INS_DIVDU: case PPC_INS_DIVW: case PPC_INS_DIVWU: op->type = R_ANAL_OP_TYPE_DIV; break; case PPC_INS_BL: case PPC_INS_BLA: op->type = R_ANAL_OP_TYPE_CALL; op->jump = (ut64)(ut32)insn->detail->ppc.operands[0].imm; op->fail = addr+4; esilprintf (op, "pc,lr,=,%s,pc,=", ARG(0)); break; case PPC_INS_BLR: case PPC_INS_BLRL: op->type = R_ANAL_OP_TYPE_RET; esilprintf (op, "lr,pc,="); break; case PPC_INS_AND: case PPC_INS_NAND: case PPC_INS_ANDI: case PPC_INS_ANDIS: op->type = R_ANAL_OP_TYPE_AND; break; case PPC_INS_OR: case PPC_INS_ORC: case PPC_INS_ORI: case PPC_INS_ORIS: op->type = R_ANAL_OP_TYPE_OR; esilprintf (op, "%s,%s,|,%s,=", ARG(2), ARG(1), ARG(0)); break; } cs_free (insn, n); //cs_close (&handle); } return op->size; } RAnalPlugin r_anal_plugin_ppc_cs = { .name = "ppc", .desc = "Capstone PowerPC analysis", .license = "BSD", .arch = R_SYS_ARCH_PPC, .bits = 32|64, .op = &analop, .set_reg_profile = &set_reg_profile, }; #ifndef CORELIB struct r_lib_struct_t radare_plugin = { .type = R_LIB_TYPE_ANAL, .data = &r_anal_plugin_ppc_cs, .version = R2_VERSION };
static int analop(RAnal *a, RAnalOp *op, ut64 addr, const ut8 *buf, int len) { static int omode = 0; #if USE_ITER_API static #endif cs_insn *insn = NULL; int mode = (a->bits==64)? CS_MODE_64: (a->bits==32)? CS_MODE_32: (a->bits==16)? CS_MODE_16: 0; int n, ret; int regsz = 4; if (handle && mode != omode) { cs_close (&handle); handle = 0; } omode = mode; if (handle == 0) { ret = cs_open (CS_ARCH_X86, mode, &handle); if (ret != CS_ERR_OK) { handle = 0; return 0; } } #if 0 if (len>3 && !memcmp (buf, "\xff\xff\xff\xff", 4)) return 0; #endif switch (a->bits) { case 64: regsz = 8; break; case 16: regsz = 2; break; default: regsz = 4; break; // 32 } memset (op, '\0', sizeof (RAnalOp)); op->cycles = 1; // aprox op->type = R_ANAL_OP_TYPE_NULL; op->jump = UT64_MAX; op->fail = UT64_MAX; op->ptr = op->val = UT64_MAX; op->src[0] = NULL; op->src[1] = NULL; op->size = 0; op->delay = 0; r_strbuf_init (&op->esil); cs_option (handle, CS_OPT_DETAIL, CS_OPT_ON); // capstone-next #if USE_ITER_API { ut64 naddr = addr; size_t size = len; if (insn == NULL) insn = cs_malloc (handle); n = cs_disasm_iter (handle, (const uint8_t**)&buf, &size, (uint64_t*)&naddr, insn); } #else n = cs_disasm (handle, (const ut8*)buf, len, addr, 1, &insn); #endif struct Getarg gop = { .handle = handle, .insn = insn, .bits = a->bits }; if (n<1) { op->type = R_ANAL_OP_TYPE_ILL; } else { int rs = a->bits/8; const char *pc = (a->bits==16)?"ip": (a->bits==32)?"eip":"rip"; const char *sp = (a->bits==16)?"sp": (a->bits==32)?"esp":"rsp"; const char *bp = (a->bits==16)?"bp": (a->bits==32)?"ebp":"rbp"; op->size = insn->size; op->family = R_ANAL_OP_FAMILY_CPU; // almost everything is CPU op->prefix = 0; switch (insn->detail->x86.prefix[0]) { case X86_PREFIX_REPNE: op->prefix |= R_ANAL_OP_PREFIX_REPNE; break; case X86_PREFIX_REP: op->prefix |= R_ANAL_OP_PREFIX_REP; break; case X86_PREFIX_LOCK: op->prefix |= R_ANAL_OP_PREFIX_LOCK; break; } switch (insn->id) { case X86_INS_FNOP: op->family = R_ANAL_OP_FAMILY_FPU; /* fallthru */ case X86_INS_NOP: case X86_INS_PAUSE: op->type = R_ANAL_OP_TYPE_NOP; if (a->decode) esilprintf (op, ","); break; case X86_INS_HLT: op->type = R_ANAL_OP_TYPE_TRAP; break; case X86_INS_FBLD: case X86_INS_FBSTP: case X86_INS_FCOMPP: case X86_INS_FDECSTP: case X86_INS_FEMMS: case X86_INS_FFREE: case X86_INS_FICOM: case X86_INS_FICOMP: case X86_INS_FINCSTP: case X86_INS_FNCLEX: case X86_INS_FNINIT: case X86_INS_FNSTCW: case X86_INS_FNSTSW: case X86_INS_FPATAN: case X86_INS_FPREM: case X86_INS_FPREM1: case X86_INS_FPTAN: #if CS_API_MAJOR >=4 case X86_INS_FFREEP: #endif case X86_INS_FRNDINT: case X86_INS_FRSTOR: case X86_INS_FNSAVE: case X86_INS_FSCALE: case X86_INS_FSETPM: case X86_INS_FSINCOS: case X86_INS_FNSTENV: case X86_INS_FXAM: case X86_INS_FXSAVE: case X86_INS_FXSAVE64: case X86_INS_FXTRACT: case X86_INS_FYL2X: case X86_INS_FYL2XP1: case X86_INS_FISTTP: case X86_INS_FSQRT: case X86_INS_FXCH: op->family = R_ANAL_OP_FAMILY_FPU; op->type = R_ANAL_OP_TYPE_STORE; break; case X86_INS_FTST: case X86_INS_FUCOMPI: case X86_INS_FUCOMI: case X86_INS_FUCOMPP: case X86_INS_FUCOMP: case X86_INS_FUCOM: op->family = R_ANAL_OP_FAMILY_FPU; op->type = R_ANAL_OP_TYPE_CMP; break; case X86_INS_FABS: op->type = R_ANAL_OP_TYPE_ABS; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_FLDCW: case X86_INS_FLDENV: case X86_INS_FLDL2E: case X86_INS_FLDL2T: case X86_INS_FLDLG2: case X86_INS_FLDLN2: case X86_INS_FLDPI: case X86_INS_FLDZ: case X86_INS_FLD1: case X86_INS_FLD: op->type = R_ANAL_OP_TYPE_LOAD; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_FIST: case X86_INS_FISTP: case X86_INS_FST: case X86_INS_FSTP: case X86_INS_FSTPNCE: case X86_INS_FXRSTOR: case X86_INS_FXRSTOR64: op->type = R_ANAL_OP_TYPE_STORE; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_FDIV: case X86_INS_FIDIV: case X86_INS_FDIVP: case X86_INS_FDIVR: case X86_INS_FIDIVR: case X86_INS_FDIVRP: op->type = R_ANAL_OP_TYPE_DIV; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_FSUBR: case X86_INS_FISUBR: case X86_INS_FSUBRP: case X86_INS_FSUB: case X86_INS_FISUB: case X86_INS_FSUBP: op->type = R_ANAL_OP_TYPE_SUB; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_FMUL: case X86_INS_FIMUL: case X86_INS_FMULP: op->type = R_ANAL_OP_TYPE_MUL; op->family = R_ANAL_OP_FAMILY_FPU; break; case X86_INS_CLI: case X86_INS_STI: op->type = R_ANAL_OP_TYPE_SWI; op->family = R_ANAL_OP_FAMILY_PRIV; break; case X86_INS_CLC: case X86_INS_STC: case X86_INS_CLAC: case X86_INS_CLGI: case X86_INS_CLTS: #if CS_API_MAJOR >= 4 case X86_INS_CLWB: #endif case X86_INS_STAC: case X86_INS_STGI: op->type = R_ANAL_OP_TYPE_MOV; break; // cmov case X86_INS_SETNE: case X86_INS_SETNO: case X86_INS_SETNP: case X86_INS_SETNS: case X86_INS_SETO: case X86_INS_SETP: case X86_INS_SETS: case X86_INS_SETL: case X86_INS_SETLE: case X86_INS_SETB: case X86_INS_SETG: case X86_INS_SETAE: case X86_INS_SETA: case X86_INS_SETBE: case X86_INS_SETE: case X86_INS_SETGE: op->type = R_ANAL_OP_TYPE_CMOV; op->family = 0; if (a->decode) { char *dst = getarg (&gop, 0, 0, NULL); switch (insn->id) { case X86_INS_SETE: esilprintf (op, "zf,%s,=", dst); break; case X86_INS_SETNE: esilprintf (op, "zf,!,%s,=", dst); break; case X86_INS_SETO: esilprintf (op, "of,%s,=", dst); break; case X86_INS_SETNO: esilprintf (op, "of,!,%s,=", dst); break; case X86_INS_SETP: esilprintf (op, "pf,%s,=", dst); break; case X86_INS_SETNP: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETS: esilprintf (op, "sf,%s,=", dst); break; case X86_INS_SETNS: esilprintf (op, "sf,!,%s,=", dst); break; case X86_INS_SETB: esilprintf (op, "cf,%s,=", dst); break; case X86_INS_SETAE: esilprintf (op, "cf,!,%s,=", dst); break; /* TODO */ #if 0 SETLE/SETNG Sets the byte in the operand to 1 if the Zero Flag is set or the Sign Flag is not equal to the Overflow Flag, otherwise sets the operand to 0. SETBE/SETNA Sets the byte in the operand to 1 if the Carry Flag or the Zero Flag is set, otherwise sets the operand to 0. SETL/SETNGE Sets the byte in the operand to 1 if the Sign Flag is not equal to the Overflow Flag, otherwise sets the operand to 0. case X86_INS_SETL: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETLE: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETG: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETA: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETBE: esilprintf (op, "pf,!,%s,=", dst); break; case X86_INS_SETGE: esilprintf (op, "pf,!,%s,=", dst); break; break; #endif } free (dst); } break; // cmov case X86_INS_FCMOVBE: case X86_INS_FCMOVB: case X86_INS_FCMOVNBE: case X86_INS_FCMOVNB: case X86_INS_FCMOVE: case X86_INS_FCMOVNE: case X86_INS_FCMOVNU: case X86_INS_FCMOVU: op->family = R_ANAL_OP_FAMILY_FPU; op->type = R_ANAL_OP_TYPE_MOV; break; case X86_INS_CMOVA: case X86_INS_CMOVAE: case X86_INS_CMOVB: case X86_INS_CMOVBE: case X86_INS_CMOVE: case X86_INS_CMOVG: case X86_INS_CMOVGE: case X86_INS_CMOVL: case X86_INS_CMOVLE: case X86_INS_CMOVNE: case X86_INS_CMOVNO: case X86_INS_CMOVNP: case X86_INS_CMOVNS: case X86_INS_CMOVO: case X86_INS_CMOVP: case X86_INS_CMOVS: op->type = R_ANAL_OP_TYPE_CMOV; break; // mov case X86_INS_MOVSS: case X86_INS_MOV: case X86_INS_MOVAPS: case X86_INS_MOVAPD: case X86_INS_MOVZX: case X86_INS_MOVUPS: case X86_INS_MOVABS: case X86_INS_MOVHPD: case X86_INS_MOVHPS: case X86_INS_MOVLPD: case X86_INS_MOVLPS: case X86_INS_MOVBE: case X86_INS_MOVSB: case X86_INS_MOVSD: case X86_INS_MOVSQ: case X86_INS_MOVSX: case X86_INS_MOVSXD: case X86_INS_MOVSW: case X86_INS_MOVD: case X86_INS_MOVQ: case X86_INS_MOVDQ2Q: { op->type = R_ANAL_OP_TYPE_MOV; op->ptr = UT64_MAX; switch (INSOP(0).type) { case X86_OP_MEM: op->ptr = INSOP(0).mem.disp; op->refptr = INSOP(0).size; if (INSOP(0).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(0).mem.base == X86_REG_RBP || INSOP(0).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_SET; op->stackptr = regsz; } else { if (op->ptr < 0x1000) op->ptr = UT64_MAX; } if (a->decode) { if (op->prefix & R_ANAL_OP_PREFIX_REP) { int width = INSOP(0).size; const char *src = cs_reg_name(handle, INSOP(1).mem.base); const char *dst = cs_reg_name(handle, INSOP(0).mem.base); const char *counter = (a->bits==16)?"cx": (a->bits==32)?"ecx":"rcx"; esilprintf (op, "%s,!,?{,BREAK,},%s,NUM,%s,NUM,"\ "%s,[%d],%s,=[%d],df,?{,%d,%s,-=,%d,%s,-=,},"\ "df,!,?{,%d,%s,+=,%d,%s,+=,},%s,--=,%s," \ "?{,8,GOTO,},%s,=,%s,=", counter, src, dst, src, width, dst, width, width, src, width, dst, width, src, width, dst, counter, counter, dst, src); } else { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, NULL); esilprintf (op, "%s,%s", src, dst); free (src); free (dst); } } break; case X86_OP_REG: { char *dst = getarg (&gop, 0, 0, NULL); op->dst = r_anal_value_new (); op->dst->reg = r_reg_get (a->reg, dst, R_REG_TYPE_GPR); op->src[0] = r_anal_value_new (); if (INSOP(1).type == X86_OP_MEM) { op->src[0]->delta = INSOP(1).mem.disp; } free (dst); } default: if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,=", src, dst); free (src); free (dst); } break; } if (op->refptr<1 || op->ptr == UT64_MAX) { switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; op->refptr = INSOP(1).size; if (INSOP(1).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(1).mem.base == X86_REG_RBP || INSOP(1).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_GET; op->stackptr = regsz; } break; case X86_OP_IMM: if (INSOP(1).imm > 10) op->ptr = INSOP(1).imm; break; default: break; } } } break; case X86_INS_ROL: case X86_INS_RCL: // TODO: RCL Still does not work as intended // - Set flags op->type = R_ANAL_OP_TYPE_ROL; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,<<<,%s,=", src, dst, dst); free (src); free (dst); } break; case X86_INS_ROR: case X86_INS_RCR: // TODO: RCR Still does not work as intended // - Set flags op->type = R_ANAL_OP_TYPE_ROR; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,>>>,%s,=", src, dst, dst); free (src); free (dst); } break; case X86_INS_SHL: case X86_INS_SHLD: case X86_INS_SHLX: // TODO: Set CF: Carry flag is the last bit shifted out due to // this operation. It is undefined for SHL and SHR where the // number of bits shifted is greater than the size of the // destination. op->type = R_ANAL_OP_TYPE_SHL; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "<<"); esilprintf (op, "%s,%s,$z,zf,=,$p,pf,=,$s,sf,=", src, dst); free (src); free (dst); } break; case X86_INS_SAR: case X86_INS_SARX: // TODO: Set CF. See case X86_INS_SHL for more details. op->type = R_ANAL_OP_TYPE_SAR; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, ">>"); esilprintf (op, "%s,%s,$z,zf,=,$p,pf,=,$s,sf,=", src, dst); free (src); free (dst); } break; case X86_INS_SAL: // TODO: Set CF: See case X86_INS_SAL for more details. op->type = R_ANAL_OP_TYPE_SAL; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "<<"); esilprintf (op, "%s,%s,$z,zf,=,$p,pf,=,$s,sf,=", src, dst); free (src); free (dst); } break; case X86_INS_SALC: op->type = R_ANAL_OP_TYPE_SAL; if (a->decode) { esilprintf (op, "$z,DUP,zf,=,al,="); } break; case X86_INS_SHR: case X86_INS_SHRD: case X86_INS_SHRX: // TODO: Set CF: See case X86_INS_SAL for more details. op->type = R_ANAL_OP_TYPE_SHR; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,>>=,$z,zf,=,$p,pf,=,$s,sf,=", src, dst); free (src); free (dst); } break; case X86_INS_CMP: case X86_INS_CMPPD: case X86_INS_CMPPS: case X86_INS_CMPSW: case X86_INS_CMPSD: case X86_INS_CMPSQ: case X86_INS_CMPSB: case X86_INS_CMPSS: case X86_INS_TEST: if (insn->id == X86_INS_TEST) { op->type = R_ANAL_OP_TYPE_ACMP; //compare via and if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "0,%s,%s,&,==,$z,zf,=,$p,pf,=,$s,sf,=,0,cf,=,0,of,=", src, dst); free (src); free (dst); } } else { op->type = R_ANAL_OP_TYPE_CMP; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,==,$z,zf,=,$b%d,cf,=,$p,pf,=,$s,sf,=", src, dst, (INSOP(0).size*8)); free (src); free (dst); } } switch (INSOP(0).type) { case X86_OP_MEM: op->ptr = INSOP(0).mem.disp; op->refptr = INSOP(0).size; if (INSOP(0).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(0).mem.base == X86_REG_RBP || INSOP(0).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_SET; op->stackptr = regsz; } op->ptr = INSOP(1).imm; break; default: switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; op->refptr = INSOP(1).size; if (INSOP(1).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(1).mem.base == X86_REG_RBP || INSOP(1).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_SET; op->stackptr = regsz; } break; case X86_OP_IMM: op->ptr = INSOP(1).imm; break; default: break; } break; } break; case X86_INS_LEA: op->type = R_ANAL_OP_TYPE_LEA; if (a->decode) { char *src = getarg (&gop, 0, 0, NULL); char *dst = getarg (&gop, 1, 2, NULL); esilprintf (op, "%s,%s,=", dst, src); free (src); free (dst); } switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; op->refptr = INSOP(1).size; switch (INSOP(1).mem.base) { case X86_REG_RIP: op->ptr += addr + op->size; break; case X86_REG_RBP: case X86_REG_EBP: op->stackop = R_ANAL_STACK_GET; op->stackptr = regsz; break; default: /* unhandled */ break; } break; case X86_OP_IMM: if (INSOP(1).imm > 10) op->ptr = INSOP(1).imm; break; default: break; } break; case X86_INS_ENTER: case X86_INS_PUSH: case X86_INS_PUSHAW: case X86_INS_PUSHAL: case X86_INS_PUSHF: { char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%d,%s,-=,%s,%s,=[%d]", rs, sp, dst, sp, rs); free (dst); } switch (INSOP(0).type) { case X86_OP_IMM: op->ptr = INSOP(0).imm; op->type = R_ANAL_OP_TYPE_PUSH; break; default: op->type = R_ANAL_OP_TYPE_UPUSH; break; } op->stackop = R_ANAL_STACK_INC; op->stackptr = regsz; break; case X86_INS_LEAVE: op->type = R_ANAL_OP_TYPE_POP; if (a->decode) { esilprintf (op, "%s,%s,=,%s,[%d],%s,=,%d,%s,+=", bp, sp, sp, rs, bp, rs, sp); } op->stackop = R_ANAL_STACK_INC; op->stackptr = -regsz; break; case X86_INS_POP: case X86_INS_POPF: case X86_INS_POPAW: case X86_INS_POPAL: case X86_INS_POPCNT: op->type = R_ANAL_OP_TYPE_POP; if (a->decode) { char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,[%d],%s,=,%d,%s,+=", sp, rs, dst, rs, sp); free (dst); } op->stackop = R_ANAL_STACK_INC; op->stackptr = -regsz; break; case X86_INS_RET: case X86_INS_RETF: case X86_INS_RETFQ: case X86_INS_IRET: case X86_INS_IRETD: case X86_INS_IRETQ: case X86_INS_SYSRET: op->type = R_ANAL_OP_TYPE_RET; if (a->decode) esilprintf (op, "%s,[%d],%s,=,%d,%s,+=", sp, rs, pc, rs, sp); op->stackop = R_ANAL_STACK_INC; op->stackptr = -regsz; break; case X86_INS_INT3: if (a->decode) esilprintf (op, "3,$"); op->type = R_ANAL_OP_TYPE_TRAP; // TRAP break; case X86_INS_INT1: if (a->decode) esilprintf (op, "1,$"); op->type = R_ANAL_OP_TYPE_SWI; // TRAP break; case X86_INS_INT: if (a->decode) esilprintf (op, "%d,$", R_ABS((int)INSOP(0).imm)); op->type = R_ANAL_OP_TYPE_SWI; break; case X86_INS_SYSCALL: op->type = R_ANAL_OP_TYPE_SWI; break; case X86_INS_INTO: case X86_INS_VMCALL: case X86_INS_VMMCALL: op->type = R_ANAL_OP_TYPE_TRAP; if (a->decode) esilprintf (op, "%d,$", (int)INSOP(0).imm); break; case X86_INS_JL: case X86_INS_JLE: case X86_INS_JA: case X86_INS_JAE: case X86_INS_JB: case X86_INS_JBE: case X86_INS_JCXZ: case X86_INS_JECXZ: case X86_INS_JRCXZ: case X86_INS_JO: case X86_INS_JNO: case X86_INS_JS: case X86_INS_JNS: case X86_INS_JP: case X86_INS_JNP: case X86_INS_JE: case X86_INS_JNE: case X86_INS_JG: case X86_INS_JGE: case X86_INS_LOOP: case X86_INS_LOOPE: case X86_INS_LOOPNE: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = INSOP(0).imm; op->fail = addr+op->size; const char *cnt = (a->bits==16)?"cx":(a->bits==32)?"ecx":"rcx"; if (a->decode) { char *dst = getarg (&gop, 0, 2, NULL); switch (insn->id) { case X86_INS_JL: esilprintf (op, "of,sf,^,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JLE: esilprintf (op, "of,sf,^,zf,|,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JA: esilprintf (op, "cf,zf,|,!,?{,%s,%s,=,}",dst, pc); break; case X86_INS_JAE: esilprintf (op, "cf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JB: esilprintf (op, "cf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JO: esilprintf (op, "of,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNO: esilprintf (op, "of,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JE: esilprintf (op, "zf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JGE: esilprintf (op, "of,!,sf,^,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNE: esilprintf (op, "zf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JG: esilprintf (op, "sf,of,!,^,zf,!,&,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JS: esilprintf (op, "sf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNS: esilprintf (op, "sf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JP: esilprintf (op, "pf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNP: esilprintf (op, "pf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JBE: esilprintf (op, "zf,cf,|,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JCXZ: esilprintf (op, "cx,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JECXZ: esilprintf (op, "ecx,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JRCXZ: esilprintf (op, "rcx,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_LOOP: esilprintf (op, "1,%s,-=,%s,?{,%s,%s,=,}", cnt, cnt, dst, pc); break; case X86_INS_LOOPE: esilprintf (op, "1,%s,-=,%s,?{,zf,?{,%s,%s,=,},}", cnt, cnt, dst, pc); break; case X86_INS_LOOPNE: esilprintf (op, "1,%s,-=,%s,?{,zf,!,?{,%s,%s,=,},}", cnt, cnt, dst, pc); break; } free (dst); } break; case X86_INS_CALL: case X86_INS_LCALL: switch (INSOP(0).type) { case X86_OP_IMM: op->type = R_ANAL_OP_TYPE_CALL; // TODO: what if UCALL? // TODO: use imm_size op->jump = INSOP(0).imm; op->fail = addr+op->size; break; case X86_OP_MEM: op->type = R_ANAL_OP_TYPE_UCALL; op->jump = UT64_MAX; if (INSOP(0).mem.base == 0) { op->ptr = INSOP(0).mem.disp; } break; default: op->type = R_ANAL_OP_TYPE_UCALL; op->jump = UT64_MAX; break; } if (a->decode) { char* arg = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s," "%d,%s,-=,%s," "=[]," "%s,%s,=", pc, rs, sp, sp, arg, pc); free (arg); } break; case X86_INS_JMP: case X86_INS_LJMP: if (a->decode) { char *src = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,=", src, pc); free (src); } // TODO: what if UJMP? switch (INSOP(0).type) { case X86_OP_IMM: op->jump = INSOP(0).imm; op->type = R_ANAL_OP_TYPE_JMP; if (a->decode) { ut64 dst = INSOP(0).imm; esilprintf (op, "0x%"PFMT64x",%s,=", dst, pc); } break; case X86_OP_MEM: op->type = R_ANAL_OP_TYPE_UJMP; op->ptr = INSOP(0).mem.disp; if (INSOP(0).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; op->refptr = 8; } else { cs_x86_op in = INSOP(0); if (in.mem.index == 0 && in.mem.base == 0 && in.mem.scale == 1) { if (a->decode) { esilprintf (op, "0x%"PFMT64x",[],%s,=", op->ptr, pc); } } } break; case X86_OP_REG: { char *src = getarg (&gop, 0, 0, NULL); op->src[0] = r_anal_value_new (); op->src[0]->reg = r_reg_get (a->reg, src, R_REG_TYPE_GPR); free (src); //XXX fallthrough } case X86_OP_FP: default: // other? op->type = R_ANAL_OP_TYPE_UJMP; op->ptr = UT64_MAX; break; } break; case X86_INS_IN: case X86_INS_INSW: case X86_INS_INSD: case X86_INS_INSB: op->type = R_ANAL_OP_TYPE_IO; op->type2 = 0; break; case X86_INS_OUT: case X86_INS_OUTSB: case X86_INS_OUTSD: case X86_INS_OUTSW: op->type = R_ANAL_OP_TYPE_IO; op->type2 = 1; break; case X86_INS_VXORPD: case X86_INS_VXORPS: case X86_INS_VPXORD: case X86_INS_VPXORQ: case X86_INS_VPXOR: case X86_INS_XORPS: case X86_INS_KXORW: case X86_INS_PXOR: case X86_INS_XOR: op->type = R_ANAL_OP_TYPE_XOR; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "^"); esilprintf (op, "%s,%s,$z,zf,=,$p,pf,=,$s,sf,=,0,cf,=,0,of,=", src, dst); free (src); free (dst); } break; case X86_INS_OR: // The OF and CF flags are cleared; the SF, ZF, and PF flags are // set according to the result. The state of the AF flag is // undefined. op->type = R_ANAL_OP_TYPE_OR; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "%s,%s,|=,0,of,=,0,cf,=,$s,sf,=,$z,zf,=,$p,pf,=", src, dst); free (src); free (dst); } break; case X86_INS_INC: // The CF flag is not affected. The OF, SF, ZF, AF, and PF flags // are set according to the result. op->type = R_ANAL_OP_TYPE_ADD; op->val = 1; if (a->decode) { char *src = getarg (&gop, 0, 0, NULL); if (strchr (src, '[')) { char *dst = r_str_replace (strdup (src), "[", "=[", 1); esilprintf (op, "1,%s,++,%s,$o,of,=,$s,sf,=,$z,zf,=,$p,pf,=", src, dst); free (dst); } else { esilprintf (op, "%s,++=,$o,of,=,$s,sf,=,$z,zf,=,$p,pf,=", src); } free (src); } break; case X86_INS_DEC: // The CF flag is not affected. The OF, SF, ZF, AF, and PF flags // are set according to the result. op->type = R_ANAL_OP_TYPE_SUB; op->val = 1; if (a->decode) { char *src = getarg (&gop, 0, 0, NULL); //esilprintf (op, "%s,--=,$o,of,=,$s,sf,=,$z,zf,=,$p,pf,=", src); esilprintf (op, "1,%s,[4],-,%s,=[4],$o,of,=,$s,sf,=,$z,zf,=,$p,pf,=", src, src); free (src); } break; case X86_INS_PSUBB: case X86_INS_PSUBW: case X86_INS_PSUBD: case X86_INS_PSUBQ: case X86_INS_PSUBSB: case X86_INS_PSUBSW: case X86_INS_PSUBUSB: case X86_INS_PSUBUSW: op->type = R_ANAL_OP_TYPE_SUB; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "-"); esilprintf (op, "%s,%s", src, dst); free(src); free(dst); } break; case X86_INS_SUB: op->type = R_ANAL_OP_TYPE_SUB; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "-"); // Set OF, SF, ZF, AF, PF, and CF flags. // We use $b rather than $c here as the carry flag really // represents a "borrow" esilprintf (op, "%s,%s,$o,of,=,$s,sf,=,$z,zf,=,$p,pf,=,$b,cf,=", src, dst); free (src); free (dst); } if (INSOP(0).type == X86_OP_REG && INSOP(1).type == X86_OP_IMM) { if (INSOP(0).reg == X86_REG_RSP || INSOP(0).reg == X86_REG_ESP) { op->stackop = R_ANAL_STACK_INC; op->stackptr = INSOP(1).imm; } } break; case X86_INS_SBB: // dst = dst - (src + cf) op->type = R_ANAL_OP_TYPE_SUB; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); esilprintf (op, "cf,%s,+,%s,-=,$o,of,=,$s,sf,=,$z,zf,=,$p,pf,=,$b,cf,=", src, dst); free (src); free (dst); } break; case X86_INS_LIDT: op->type = R_ANAL_OP_TYPE_LOAD; op->family = R_ANAL_OP_FAMILY_PRIV; break; case X86_INS_SIDT: op->type = R_ANAL_OP_TYPE_STORE; op->family = R_ANAL_OP_FAMILY_PRIV; break; case X86_INS_RDRAND: case X86_INS_RDSEED: case X86_INS_RDMSR: case X86_INS_RDPMC: case X86_INS_RDTSC: case X86_INS_RDTSCP: case X86_INS_CRC32: case X86_INS_SHA1MSG1: case X86_INS_SHA1MSG2: case X86_INS_SHA1NEXTE: case X86_INS_SHA1RNDS4: case X86_INS_SHA256MSG1: case X86_INS_SHA256MSG2: case X86_INS_SHA256RNDS2: case X86_INS_AESDECLAST: case X86_INS_AESDEC: case X86_INS_AESENCLAST: case X86_INS_AESENC: case X86_INS_AESIMC: case X86_INS_AESKEYGENASSIST: // AES instructions op->family = R_ANAL_OP_FAMILY_CRYPTO; op->type = R_ANAL_OP_TYPE_MOV; // XXX break; case X86_INS_AND: case X86_INS_ANDN: case X86_INS_ANDPD: case X86_INS_ANDPS: case X86_INS_ANDNPD: case X86_INS_ANDNPS: op->type = R_ANAL_OP_TYPE_AND; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "&"); esilprintf (op, "%s,%s,0,of,=,0,cf,=,$z,zf,=,$s,sf,=,$o,pf,=", src, dst); free (src); free (dst); } break; case X86_INS_IDIV: op->type = R_ANAL_OP_TYPE_DIV; if (a->decode) { char *a0 = getarg (&gop, 0, 0, NULL); char *a1 = getarg (&gop, 1, 0, NULL); char *a2 = getarg (&gop, 2, 0, NULL); // TODO update flags & handle signedness if (!a2 && !a1) { // TODO: IDIV rbx not implemented. this is just a workaround // http://www.tptp.cc/mirrors/siyobik.info/instruction/IDIV.html // Divides (signed) the value in the AX, DX:AX, or EDX:EAX registers (dividend) by the source operand (divisor) and stores the result in the AX (AH:AL), DX:AX, or EDX:EAX registers. The source operand can be a general-purpose register or a memory location. The action of this instruction depends on the operand size (dividend/divisor), as shown in the following table: // IDIV RBX == RDX:RAX /= RBX esilprintf (op, "%s,%s,/=", a0, "rax"); } else { esilprintf (op, "%s,%s,/,%s,=", a2, a1, a0); } free (a0); free (a1); free (a2); } break; case X86_INS_DIV: op->type = R_ANAL_OP_TYPE_DIV; if (a->decode) { int width = INSOP(0).size; char *dst = getarg (&gop, 0, 0, NULL); const char *r_ax = (width==2)?"ax": (width==4)?"eax":"rax"; const char *r_dx = (width==2)?"dx": (width==4)?"edx":"rdx"; // TODO update flags & handle signedness esilprintf (op, "%s,%s,%%,%s,=,%s,%s,/,%s,=", dst, r_ax, r_dx, dst, r_ax, r_ax); free (dst); } break; case X86_INS_IMUL: op->type = R_ANAL_OP_TYPE_MUL; if (a->decode) { char *a0 = getarg (&gop, 0, 0, NULL); char *a1 = getarg (&gop, 1, 0, NULL); char *a2 = getarg (&gop, 2, 0, NULL); if (a2) { // TODO update flags & handle signedness esilprintf (op, "%s,%s,*,%s,=", a2, a1, a0); free (a2); } else { if (a1) { esilprintf (op, "%s,%s,*=", a1, a0); } else { esilprintf (op, "%s,%s,*=", a0, "rax"); } } free (a0); free (a1); } break; case X86_INS_MUL: case X86_INS_MULX: case X86_INS_MULPD: case X86_INS_MULPS: case X86_INS_MULSD: case X86_INS_MULSS: op->type = R_ANAL_OP_TYPE_MUL; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "*"); if (!src && dst) { switch (dst[0]) { case 'r': src = strdup ("rax"); break; case 'e': src = strdup ("eax"); break; default: src = strdup ("al"); break; } } esilprintf (op, "%s,%s", src, dst); free (src); free (dst); } break; case X86_INS_PACKSSDW: case X86_INS_PACKSSWB: case X86_INS_PACKUSWB: op->type = R_ANAL_OP_TYPE_MOV; op->family = R_ANAL_OP_FAMILY_MMX; break; case X86_INS_PADDB: case X86_INS_PADDD: case X86_INS_PADDW: case X86_INS_PADDSB: case X86_INS_PADDSW: case X86_INS_PADDUSB: case X86_INS_PADDUSW: op->type = R_ANAL_OP_TYPE_ADD; op->family = R_ANAL_OP_FAMILY_MMX; break; case X86_INS_XCHG: op->type = R_ANAL_OP_TYPE_MOV; op->family = R_ANAL_OP_FAMILY_CPU; { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, NULL); esilprintf (op, "%s,%s,%s,=,%s,=", src, dst, src, dst); free (src); free (dst); } break; case X86_INS_XADD: /* xchg + add */ op->type = R_ANAL_OP_TYPE_ADD; op->family = R_ANAL_OP_FAMILY_CPU; { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, NULL); if (src == dst) { esilprintf (op, "%s,%s,+,%s", src, dst, dst); } else { esilprintf (op, "%s,%s,%s,=,%s,=," "%s,%s,+,%s", src, dst, src, dst, src, dst, dst); } free (src); free (dst); } break; case X86_INS_FADD: case X86_INS_FADDP: op->family = R_ANAL_OP_FAMILY_FPU; /* pass thru */ case X86_INS_ADDPS: case X86_INS_ADDSD: case X86_INS_ADDSS: case X86_INS_ADDSUBPD: case X86_INS_ADDSUBPS: case X86_INS_ADDPD: // The OF, SF, ZF, AF, CF, and PF flags are set according to the // result. op->type = R_ANAL_OP_TYPE_ADD; if (a->decode) { if (INSOP(0).type == X86_OP_MEM) { char *src = getarg (&gop, 1, 0, NULL); char *src2 = getarg (&gop, 0, 0, NULL); char *dst = getarg (&gop, 0, 1, NULL); esilprintf (op, "%s,%s,+,%s", src, src2, dst); free (src); free (src2); free (dst); } else { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "+"); esilprintf (op, "%s,%s", src, dst); free (src); free (dst); } } if (INSOP(0).type == X86_OP_REG && INSOP(1).type == X86_OP_IMM) { if (INSOP(0).reg == X86_REG_RSP || INSOP(0).reg == X86_REG_ESP) { op->stackop = R_ANAL_STACK_INC; op->stackptr = -INSOP(1).imm; } } break; case X86_INS_ADD: // The OF, SF, ZF, AF, CF, and PF flags are set according to the // result. op->type = R_ANAL_OP_TYPE_ADD; if (a->decode) { if (INSOP(0).type == X86_OP_MEM) { char *src = getarg (&gop, 1, 0, NULL); char *src2 = getarg (&gop, 0, 0, NULL); char *dst = getarg (&gop, 0, 1, NULL); esilprintf (op, "%s,%s,+,%s,$o,of,=,$s,sf,=,$z,zf,=,$p,pf,=,$c,cf,=", src, src2, dst); free (src); free (src2); free (dst); } else { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 1, "+"); esilprintf (op, "%s,%s,$o,of,=,$s,sf,=,$z,zf,=,$p,pf,=,$c,cf,=", src, dst); free (src); free (dst); } } if (INSOP(0).type == X86_OP_REG && INSOP(1).type == X86_OP_IMM) { if (INSOP(0).reg == X86_REG_RSP || INSOP(0).reg == X86_REG_ESP) { op->stackop = R_ANAL_STACK_INC; op->stackptr = -INSOP(1).imm; } } break; case X86_INS_ADC: op->type = R_ANAL_OP_TYPE_ADD; if (a->decode) { char *src = getarg (&gop, 1, 0, NULL); char *dst = getarg (&gop, 0, 0, NULL); // dst = dst + src + cf // NOTE: We would like to add the carry first before adding the // source to ensure that the flag computation from $c belongs // to the operation of adding dst += src rather than the one // that adds carry (as esil only keeps track of the last // addition to set the flags). esilprintf (op, "cf,%s,+,%s,+=,$o,of,=,$s,sf,=,$z,zf,=,$p,pf,=,$c,cf,=", src, dst); free (src); free (dst); } break; /* Direction flag */ case X86_INS_CLD: op->type = R_ANAL_OP_TYPE_MOV; if (a->decode) esilprintf (op, "0,df,="); break; case X86_INS_STD: op->type = R_ANAL_OP_TYPE_MOV; if (a->decode) esilprintf (op, "1,df,="); break; } switch (insn->id) { case X86_INS_MOVAPS: //cvtss2sd case X86_INS_ADDSD: //cvtss2sd case X86_INS_SUBSD: //cvtss2sd case X86_INS_MULSD: //cvtss2sd case X86_INS_CVTSS2SD: //cvtss2sd case X86_INS_MOVSS: case X86_INS_MOVSD: op->family = R_ANAL_OP_FAMILY_MMX; break; } } //#if X86_GRP_PRIVILEGE>0 if (insn) { #if HAVE_CSGRP_PRIVILEGE if (cs_insn_group (handle, insn, X86_GRP_PRIVILEGE)) op->family = R_ANAL_OP_FAMILY_PRIV; #endif #if !USE_ITER_API cs_free (insn, n); #endif } //cs_close (&handle); return op->size; }
static int bpf_anal(RAnal *anal, RAnalOp *op, ut64 addr, const ut8 *data, int len) { RBpfSockFilter *f = (RBpfSockFilter *)data; memset (op, '\0', sizeof (RAnalOp)); op->jump = UT64_MAX; op->fail = UT64_MAX; op->ptr = op->val = UT64_MAX; op->type = R_ANAL_OP_TYPE_UNK; op->size = 8; op->addr = addr; r_strbuf_init (&op->esil); switch (f->code) { case BPF_RET | BPF_A: op->type = R_ANAL_OP_TYPE_RET; esilprintf (op, "A,R0,=,0,$"); break; case BPF_RET | BPF_K: case BPF_RET | BPF_X: op->type = R_ANAL_OP_TYPE_RET; if (BPF_SRC (f->code) == BPF_K) { esilprintf (op, "%" PFMT64d ",R0,=,0,$", f->k); } else if (BPF_SRC (f->code) == BPF_X) { esilprintf (op, "X,R0,=,0,$"); } break; case BPF_MISC_TAX: op->type = R_ANAL_OP_TYPE_MOV; SET_REG_SRC_DST (op, "A", "X"); esilprintf (op, "A,X,="); break; case BPF_MISC_TXA: op->type = R_ANAL_OP_TYPE_MOV; SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "X,A,="); break; case BPF_ST: if (INSIDE_M (f->k)) { op->type = R_ANAL_OP_TYPE_MOV; SET_REG_SRC_DST (op, "A", M[f->k]); esilprintf (op, "A,M[%" PFMT64d "],=", f->k); } else { op->type = R_ANAL_OP_TYPE_ILL; } break; case BPF_STX: if (INSIDE_M (f->k)) { op->type = R_ANAL_OP_TYPE_MOV; SET_REG_SRC_DST (op, "X", M[f->k]); esilprintf (op, "X,M[%" PFMT64d "],=", f->k); } else { op->type = R_ANAL_OP_TYPE_ILL; } break; case BPF_LD_W | BPF_LEN: op->type = R_ANAL_OP_TYPE_MOV; SET_REG_SRC_DST (op, "len", "A"); esilprintf (op, "len,A,=", f->k); break; case BPF_LDX | BPF_LEN: op->type = R_ANAL_OP_TYPE_MOV; SET_REG_SRC_DST (op, "len", "X"); esilprintf (op, "len,X,=", f->k); break; case BPF_LD_W | BPF_ABS: EMIT_LOAD (op, anal->gp + f->k, 4); SET_A_DST (op); esilprintf (op, "len,%" PFMT64d ",>,?{,0,R0,=,0,$,BREAK,},%" PFMT64d ",[4],A,=", f->k + 4, op->ptr); break; case BPF_LD_H | BPF_ABS: EMIT_LOAD (op, anal->gp + f->k, 2); SET_A_DST (op); esilprintf (op, "len,%" PFMT64d ",>,?{,0,R0,=,0,$,BREAK,}," "%" PFMT64d ",[2],A,=", f->k + 2, op->ptr); break; case BPF_LD_B | BPF_ABS: EMIT_LOAD (op, anal->gp + f->k, 1); SET_A_DST (op); esilprintf (op, "len,%" PFMT64d ",>,?{,0,R0,=,0,$,BREAK,}," "%" PFMT64d ",[1],A,=", f->k + 1, op->ptr); break; case BPF_LD_W | BPF_IND: op->type = R_ANAL_OP_TYPE_LOAD; op->ptrsize = 4; SET_A_DST (op); esilprintf (op, "len,%" PFMT64d ",X,+,0xffffffff,&,>,?{,0,R0,=,0,$,BREAK,}," "%" PFMT64d ",X,+,0xffffffff,&,[4],A,=", (st32)f->k + 4, anal->gp + (st32)f->k); break; case BPF_LD_H | BPF_IND: op->type = R_ANAL_OP_TYPE_LOAD; op->ptrsize = 2; SET_A_DST (op); esilprintf (op, "len,%" PFMT64d ",X,+,0xffffffff,&,>,?{,0,R0,=,0,$,BREAK,}," "%" PFMT64d ",X,+,0xffffffff,&,[2],A,=", (st32)f->k + 2, anal->gp + (st32)f->k); break; case BPF_LD_B | BPF_IND: op->type = R_ANAL_OP_TYPE_LOAD; op->ptrsize = 1; SET_A_DST (op); esilprintf (op, "len,%" PFMT64d ",X,+,0xffffffff,&,>,?{,0,R0,=,0,$,BREAK,}," "%" PFMT64d ",X,+,0xffffffff,&,[1],A,=", (st32)f->k + 1, anal->gp + (st32)f->k); break; case BPF_LD | BPF_IMM: op->type = R_ANAL_OP_TYPE_MOV; op->val = f->k; SET_REG_DST_IMM (op, "A", f->k); esilprintf (op, "0x%08" PFMT64x ",A,=", f->k); break; case BPF_LDX | BPF_IMM: op->type = R_ANAL_OP_TYPE_MOV; op->val = f->k; SET_REG_DST_IMM (op, "X", f->k); esilprintf (op, "0x%08" PFMT64x ",X,=", f->k); break; case BPF_LDX_B | BPF_MSH: op->type = R_ANAL_OP_TYPE_LOAD; op->ptrsize = 1; op->ptr = anal->gp + f->k; SET_A_DST (op); esilprintf (op, "%" PFMT64d ",[1],0xf,&,4,*,X,=", op->ptr); break; case BPF_LD | BPF_MEM: op->type = R_ANAL_OP_TYPE_MOV; if (INSIDE_M (f->k)) { SET_REG_SRC_DST (op, M[f->k], "A"); esilprintf (op, "M[%" PFMT64d "],A,=", f->k); } else { op->type = R_ANAL_OP_TYPE_ILL; } break; case BPF_LDX | BPF_MEM: op->type = R_ANAL_OP_TYPE_MOV; if (INSIDE_M (f->k)) { SET_REG_SRC_DST (op, M[f->k], "X"); esilprintf (op, "M[%" PFMT64d "],X,=", f->k); } else { op->type = R_ANAL_OP_TYPE_ILL; } break; case BPF_JMP_JA: op->type = R_ANAL_OP_TYPE_JMP; op->jump = addr + 8 + f->k * 8; esilprintf (op, "%" PFMT64d ",pc,=", op->jump); break; case BPF_JMP_JGT | BPF_X: case BPF_JMP_JGT | BPF_K: EMIT_CJMP (op, addr, f); op->cond = R_ANAL_COND_GT; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; esilprintf (op, "%" PFMT64d ",A,>,?{,%" PFMT64d ",pc,=,BREAK,},%" PFMT64d ",pc,=", op->val, op->jump, op->fail); } else if (BPF_SRC (f->code) == BPF_X) { esilprintf (op, "X,A,>,?{,%" PFMT64d ",pc,=,BREAK,},%" PFMT64d ",pc,=", op->jump, op->fail); } else { op->type = R_ANAL_OP_TYPE_ILL; } break; case BPF_JMP_JGE | BPF_X: case BPF_JMP_JGE | BPF_K: EMIT_CJMP (op, addr, f); op->cond = R_ANAL_COND_GE; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; esilprintf (op, "%" PFMT64d ",A,>=,?{,%" PFMT64d ",pc,=,BREAK,},%" PFMT64d ",pc,=", op->val, op->jump, op->fail); } else { esilprintf (op, "X,A,>=,?{,%" PFMT64d ",pc,=,BREAK,},%" PFMT64d ",pc,=", op->jump, op->fail); } break; case BPF_JMP_JEQ | BPF_X: case BPF_JMP_JEQ | BPF_K: EMIT_CJMP (op, addr, f); op->cond = R_ANAL_COND_EQ; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; esilprintf (op, "%" PFMT64d ",A,==,$z,?{,%" PFMT64d ",pc,=,BREAK,},%" PFMT64d ",pc,=", op->val, op->jump, op->fail); } else { esilprintf (op, "X,A,==,$z,?{,%" PFMT64d ",pc,=,BREAK,},%" PFMT64d ",pc,=", op->jump, op->fail); } break; case BPF_JMP_JSET | BPF_X: case BPF_JMP_JSET | BPF_K: EMIT_CJMP (op, addr, f); if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; esilprintf (op, "%" PFMT64d ",A,&,?{,%" PFMT64d ",pc,=,BREAK,},%" PFMT64d ",pc,=", op->val, op->jump, op->fail); } else { esilprintf (op, "X,A,&,!,?{,%" PFMT64d ",pc,=,BREAK,},%" PFMT64d ",pc,=", op->val, op->jump, op->fail); } break; case BPF_ALU_NEG: op->type = R_ANAL_OP_TYPE_NOT; esilprintf (op, "A,0,-,A,="); SET_REG_SRC_DST (op, "A", "A"); break; case BPF_ALU_LSH | BPF_X: case BPF_ALU_LSH | BPF_K: op->type = R_ANAL_OP_TYPE_SHL; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; SET_REG_DST_IMM (op, "A", f->k); esilprintf (op, "%" PFMT64d ",A,<<=", f->k); } else { SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "X,A,<<="); } break; case BPF_ALU_RSH | BPF_X: case BPF_ALU_RSH | BPF_K: op->type = R_ANAL_OP_TYPE_SHR; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; SET_REG_DST_IMM (op, "A", f->k); esilprintf (op, "%" PFMT64d ",A,>>=", f->k); } else { SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "X,A,>>="); } break; case BPF_ALU_ADD | BPF_X: case BPF_ALU_ADD | BPF_K: op->type = R_ANAL_OP_TYPE_ADD; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; SET_REG_DST_IMM (op, "A", op->val); esilprintf (op, "%" PFMT64d ",A,+=", op->val); } else { SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "X,A,+="); } break; case BPF_ALU_SUB | BPF_X: case BPF_ALU_SUB | BPF_K: op->type = R_ANAL_OP_TYPE_SUB; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; SET_REG_DST_IMM (op, "A", op->val); esilprintf (op, "%" PFMT64d ",A,-=", op->val); } else { SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "X,A,-="); } break; case BPF_ALU_MUL | BPF_X: case BPF_ALU_MUL | BPF_K: op->type = R_ANAL_OP_TYPE_MUL; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; SET_REG_DST_IMM (op, "A", f->k); esilprintf (op, "%" PFMT64d ",A,*=", f->k); } else { SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "X,A,*="); } break; case BPF_ALU_DIV | BPF_X: case BPF_ALU_DIV | BPF_K: op->type = R_ANAL_OP_TYPE_DIV; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; SET_REG_DST_IMM (op, "A", f->k); if (f->k == 0) { esilprintf (op, "0,R0,=,0,$"); } else { esilprintf (op, "%" PFMT64d ",A,/=", f->k); } } else { SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "0,X,==,$z,?{,0,R0,=,0,$,BREAK,},X,A,/="); } break; case BPF_ALU_MOD | BPF_X: case BPF_ALU_MOD | BPF_K: op->type = R_ANAL_OP_TYPE_MOD; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; SET_REG_DST_IMM (op, "A", f->k); if (f->k == 0) { esilprintf (op, "0,R0,=,0,$"); } else { esilprintf (op, "%" PFMT64d ",A,%%=", f->k); } } else { SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "0,X,==,$z,?{,0,R0,=,0,$,BREAK,},X,A,%%="); } break; case BPF_ALU_AND | BPF_X: case BPF_ALU_AND | BPF_K: op->type = R_ANAL_OP_TYPE_AND; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; SET_REG_DST_IMM (op, "A", f->k); esilprintf (op, "%" PFMT64d ",A,&=", f->k); } else { SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "X,A,&="); } break; case BPF_ALU_OR | BPF_X: case BPF_ALU_OR | BPF_K: op->type = R_ANAL_OP_TYPE_OR; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; SET_REG_DST_IMM (op, "A", f->k); esilprintf (op, "%" PFMT64d ",A,|=", f->k); } else { SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "X,A,|,A,="); } break; case BPF_ALU_XOR | BPF_X: case BPF_ALU_XOR | BPF_K: op->type = R_ANAL_OP_TYPE_XOR; if (BPF_SRC (f->code) == BPF_K) { op->val = f->k; SET_REG_DST_IMM (op, "A", f->k); esilprintf (op, "%" PFMT64d ",A,^=", f->k); } else { SET_REG_SRC_DST (op, "X", "A"); esilprintf (op, "X,A,^="); } break; default: op->type = R_ANAL_OP_TYPE_ILL; break; } return op->size; }
static int dalvik_op(RAnal *anal, RAnalOp *op, ut64 addr, const ut8 *data, int len) { int sz = dalvik_opcodes[data[0]].len; if (!op || sz >= len) { return sz; } memset (op, '\0', sizeof (RAnalOp)); op->type = R_ANAL_OP_TYPE_UNK; op->ptr = UT64_MAX; op->val = UT64_MAX; op->jump = UT64_MAX; op->fail = UT64_MAX; op->refptr = 0; op->size = sz; op->nopcode = 1; // Necessary?? op->id = data[0]; ut32 vA = 0; ut32 vB = 0; ut32 vC = 0; if (len > 3) { vA = data[1]; vB = data[2]; vC = data[3]; } switch (data[0]) { case 0xca: // rem-float: op->family = R_ANAL_OP_FAMILY_FPU; /* pass thru */ case 0x1b: // const-string/jumbo case 0x14: // const case 0x15: // const case 0x16: // const case 0x17: // const case 0x42: // const case 0x12: // const/4 op->type = R_ANAL_OP_TYPE_MOV; { ut32 vB = (data[1] & 0x0f); ut32 vA = (data[1] & 0xf0) >> 4; // op->stackop = R_ANAL_STACK_SET; op->ptr = -vA; // why op->val = vA; esilprintf (op, "0x%"PFMT64x",v%d,=", vA, vB); } break; case 0x01: // move case 0x07: // move-object case 0x04: // mov-wide { ut32 vB = (data[1] & 0x0f); ut32 vA = (data[1] & 0xf0) >> 4; if (vA == vB) { op->type = R_ANAL_OP_TYPE_NOP; esilprintf (op, ","); } else { op->type = R_ANAL_OP_TYPE_MOV; op->stackop = R_ANAL_STACK_SET; op->ptr = -vA; esilprintf (op, "v%d,v%d,=", vA, vB); } } break; case 0x02: // move/from16 case 0x03: // move/16 case 0x05: // move-wide/from16 case 0x06: // mov-wide&17 case 0x08: // move-object/from16 case 0x09: // move-object/16 case 0x13: // const/16 op->type = R_ANAL_OP_TYPE_MOV; if (len > 2) { int vA = (int) data[1]; ut32 vB = (data[3] << 8) | data[2]; esilprintf (op, "v%d,v%d,=", vA, vB); op->val = vB; } break; case 0x18: // const-wide case 0x19: // const-wide // 180001000101. const-wide v0:v1, 0x18201cd01010001 op->type = R_ANAL_OP_TYPE_MOV; break; case 0x0a: // move-result case 0x0d: // move-exception case 0x0c: // move-result-object case 0x0b: // move-result-wide // TODO: add MOVRET OP TYPE ?? op->type = R_ANAL_OP_TYPE_MOV; { ut32 vA = data[1]; esilprintf (op, "sp,v%d,=[8],8,sp,+=,8", vA); } break; case 0x1a: // const-string op->type = R_ANAL_OP_TYPE_MOV; op->datatype = R_ANAL_DATATYPE_STRING; if (len > 2) { ut32 vA = data[1]; ut32 vB = (data[3]<<8) | data[2]; ut64 offset = R_ANAL_GET_OFFSET (anal, 's', vB); op->ptr = offset; op->refptr = 0; esilprintf (op, "0x%"PFMT64x",v%d,=", offset, vA); } break; case 0x1c: // const-class op->type = R_ANAL_OP_TYPE_MOV; op->datatype = R_ANAL_DATATYPE_CLASS; break; case 0x89: // float-to-double case 0x8a: // double-to-int case 0x87: // double-to-int case 0x8c: // double-to-float case 0x8b: // double-to-long case 0x88: // float-to-long case 0x86: // long-to-double op->family = R_ANAL_OP_FAMILY_FPU; /* pass thru */ case 0x81: // int-to-long case 0x82: // int-to-float case 0x85: // long-to-float case 0x83: // int-to-double case 0x8d: // int-to-byte case 0x8e: // int-to-char op->type = R_ANAL_OP_TYPE_CAST; { ut32 vA = (data[1] & 0x0f); ut32 vB = (data[1] & 0xf0) >> 4; esilprintf (op, "v%d,0xff,&,v%d,=", vB, vA); } break; case 0x8f: // int-to-short op->type = R_ANAL_OP_TYPE_CAST; // op->datatype = R_ANAL_DATATYPE_INT32 | R_ANAL_DATATYPE_INT16; { ut32 vA = (data[1] & 0x0f); ut32 vB = (data[1] & 0xf0) >> 4; esilprintf (op, "v%d,0xffff,&,v%d,=", vB, vA); } break; case 0x84: // long-to-int op->type = R_ANAL_OP_TYPE_CAST; { ut32 vA = (data[1] & 0x0f); ut32 vB = (data[1] & 0xf0) >> 4; esilprintf (op, "v%d,0xffffffff,&,v%d,=", vB, vA); } break; case 0x20: // instance-of { op->type = R_ANAL_OP_TYPE_CMP; esilprintf (op, "%d,instanceof,%d,-,!,v%d,=", vC, vB, vA); } break; case 0x21: // array-length op->type = R_ANAL_OP_TYPE_LENGTH; op->datatype = R_ANAL_DATATYPE_ARRAY; break; case 0x44: // aget case 0x45: //aget-bool case 0x46: case 0x47: //aget-bool case 0x48: //aget-byte case 0x49: //aget-char case 0x4a: //aget-short case 0x52: //iget case 0x58: //iget-short case 0x53: //iget-wide case 0x56: //iget-byte case 0x57: //iget-char case 0xea: //sget-wide-volatile case 0xf4: //iget-byte case 0x66: //sget-short case 0xfd: //sget-object case 0x55: //iget-bool case 0x60: // sget case 0x61: // case 0x64: // sget-byte case 0x65: // sget-char case 0xe3: //iget-volatile case 0xe4: // case 0xe5: // sget case 0xe6: // sget case 0xe7: // iget-object-volatile case 0xe8: //iget-bool case 0xf3: //iget-bool case 0xf8: //iget-bool case 0xf2: //iget-quick op->type = R_ANAL_OP_TYPE_LOAD; break; case 0x54: // iget-object { op->type = R_ANAL_OP_TYPE_LOAD; ut32 vA = (data[1] & 0x0f); ut32 vB = (data[1] & 0xf0) >> 4; ut32 vC = (data[2] & 0x0f); esilprintf (op, "%d,v%d,iget,v%d,=", vC, vB, vA); } break; case 0x63: // sget-boolean { const char *vT = "-boolean"; op->datatype = R_ANAL_DATATYPE_BOOLEAN; op->type = R_ANAL_OP_TYPE_LOAD; ut32 vA = (data[1] & 0x0f); ut32 vB = (data[1] & 0xf0) >> 4; ut32 vC = (data[2] & 0x0f); esilprintf (op, "%d,%d,sget%s,v%d,=", vC, vB, vT, vA); } break; case 0x62: // sget-object { const char *vT = "-object"; op->datatype = R_ANAL_DATATYPE_OBJECT; op->type = R_ANAL_OP_TYPE_LOAD; ut32 vA = (data[1] & 0x0f); ut32 vB = (data[1] & 0xf0) >> 4; ut32 vC = (data[2] & 0x0f); esilprintf (op, "%d,%d,sget%s,v%d,=", vC, vB, vT, vA); } break; case 0x6b: //sput-byte case 0x6d: //sput-short case 0xeb: //sput-wide-volatile case 0x4b: //aput case 0x4c: //aput-wide case 0x4d: // aput-object case 0x4e: // aput-bool case 0x4f: // case 0x5e: //iput-char case 0xfc: //iput-object-volatile case 0xf5: //iput-quick case 0x5c: //iput-bool case 0x69: //sput-object case 0x5f: //iput-wide case 0xe9: //iput-wide-volatile case 0xf6: //iput-wide case 0xf7: //iput-wide case 0x67: //iput-wide case 0x59: //iput-wide case 0x5a: //iput-wide case 0x5b: //iput-wide case 0x5d: //iput-wide case 0x50: // case 0x51: // aput-short case 0x68: // sput-wide case 0x6a: // sput-boolean case 0x6c: // sput-wide case 0xfe: // sput op->type = R_ANAL_OP_TYPE_STORE; { ut32 vA = (data[1] & 0x0f); ut32 vB = (data[1] & 0xf0) >> 4; esilprintf (op, "TODO,v%d,v%d,=", vA, vB); } break; case 0xad: // mul-double op->family = R_ANAL_OP_FAMILY_FPU; op->type = R_ANAL_OP_TYPE_MUL; esilprintf (op, "v%d,v%d,*,v%d,=", vC, vB, vA); break; case 0x9d: case 0xc8: // mul-float op->family = R_ANAL_OP_FAMILY_FPU; /* fall through */ case 0xcd: case 0xd2: case 0x92: case 0xb2: op->type = R_ANAL_OP_TYPE_MUL; break; case 0x7c: // not-int case 0x7e: // not-long op->type = R_ANAL_OP_TYPE_NOT; break; case 0xa4: // shr-long case 0xba: // ushr-int/2addr case 0xe2: // ushr-int case 0xa5: // ushr-long case 0x9a: // ushr-long case 0xc5: // ushr-long/2addr case 0xc4: // shr-long/2addr case 0xe1: // shr-int/lit8 case 0x99: // shr-int op->type = R_ANAL_OP_TYPE_SHR; break; case 0xaa: // rem-float case 0xcf: // rem-double case 0xaf: // rem-double op->family = R_ANAL_OP_FAMILY_FPU; /* pass thru */ case 0xb4: // rem-int/2addr case 0xdc: // rem-int/lit8 case 0xd4: // rem-int case 0xbf: // rem-long/2addr case 0x9f: // rem-long case 0x94: // rem-int op->type = R_ANAL_OP_TYPE_MOD; // mod = rem break; case 0xd7: case 0xd9: case 0xda: case 0xde: case 0x95: // and-int case 0x96: // or-int op->type = R_ANAL_OP_TYPE_OR; break; case 0xc2: // xor-long case 0x97: // xor-int case 0xdf: // xor-int/lit16 case 0xa2: // xor-long op->type = R_ANAL_OP_TYPE_XOR; break; case 0xc9: // div-float op->family = R_ANAL_OP_FAMILY_FPU; /* pass thru */ case 0x93: // div-int case 0xd3: // div-int/lit16 case 0xdb: // div-int/lit8 case 0xce: // div-double case 0x9e: // div-double case 0xbe: // div-double case 0xae: // div-double case 0xa9: // div-float case 0xb3: // div-int/2addr op->type = R_ANAL_OP_TYPE_DIV; break; case 0x0e: // return-void case 0x0f: // return case 0x10: // return-wide case 0x11: // return-object case 0xf1: // return-void-barrier op->type = R_ANAL_OP_TYPE_RET; op->eob = true; //TODO: handle return if(0x0e) {} else {} if (data[0] == 0x0e) {// return-void esilprintf (op, "sp,[8],ip,=,8,sp,+="); } else { ut32 vA = data[1]; esilprintf (op, "sp,[8],ip,=,8,sp,+=,8,sp,-=,v%d,sp,=[8]", vA); } break; case 0x28: // goto op->jump = addr + ((char)data[1])*2; op->type = R_ANAL_OP_TYPE_JMP; op->eob = true; esilprintf (op, "0x%"PFMT64x",ip,=", op->jump); break; case 0x29: // goto/16 if (len > 3) { op->jump = addr + (short)(data[2]|data[3]<<8)*2; op->type = R_ANAL_OP_TYPE_JMP; op->eob = true; esilprintf (op, "0x%"PFMT64x",ip,=", op->jump); } break; case 0x2a: // goto/32 if (len > 5) { op->jump = addr + (int)(data[2]|(data[3]<<8)|(data[4]<<16)|(data[5]<<24))*2; op->type = R_ANAL_OP_TYPE_JMP; op->eob = true; esilprintf (op, "0x%"PFMT64x",ip,=", op->jump); } break; case 0x2c: case 0x2b: op->type = R_ANAL_OP_TYPE_SWITCH; break; case 0x3e: // glitch 0 width instruction .. invalid instruction case 0x43: op->type = R_ANAL_OP_TYPE_ILL; esilprintf (op, ","); op->size = 1; op->eob = true; break; case 0x2d: // cmpl-float case 0x2e: // cmpg-float case 0x3f: // cmpg-float // ???? wrong disasm imho 2e0f12003f0f case 0x2f: // cmpl-double case 0x30: // cmlg-double case 0x31: // cmp-long case 0x1f: // check-cast op->type = R_ANAL_OP_TYPE_CMP; break; case 0x32: // if-eq case 0x33: // if-ne case 0x34: // if-lt case 0x35: // if-ge case 0x36: // if-gt case 0x37: // if-le op->type = R_ANAL_OP_TYPE_CJMP; //XXX fix this better the check is to avoid an oob if (len > 2) { op->jump = addr + (len>3?(short)(data[2]|data[3]<<8)*2 : 0); op->fail = addr + sz; op->eob = true; ut32 vA = data[1]; ut32 vB = data[2]; const char *cond = getCond (data[0]); esilprintf (op, "v%d,v%d,==,%s,?{,%"PFMT64d",ip,=}", vB, vA, cond, op->jump); } break; case 0x38: // if-eqz case 0x39: // if-nez case 0x3a: // if-ltz case 0x3b: // if-gez case 0x3c: // if-gtz case 0x3d: // if-lez op->type = R_ANAL_OP_TYPE_CJMP; //XXX fix this better the check is to avoid an oob if (len > 2) { op->jump = addr + (len>3?(short)(data[2]|data[3]<<8)*2 : 0); op->fail = addr + sz; op->eob = true; ut32 vA = data[1]; const char *cond = getCondz (data[0]); esilprintf (op, "v%d,%s,?{,%"PFMT64d",ip,=}", vA, cond, op->jump); } break; case 0xec: // breakpoint op->type = R_ANAL_OP_TYPE_TRAP; esilprintf (op, "TRAP"); break; case 0x1d: // monitor-enter op->type = R_ANAL_OP_TYPE_PUSH; op->stackop = R_ANAL_STACK_INC; op->stackptr = 1; esilprintf (op, ","); break; case 0x1e: // monitor-exit /// wrong type? op->type = R_ANAL_OP_TYPE_POP; op->stackop = R_ANAL_STACK_INC; op->stackptr = -1; esilprintf (op, ","); break; case 0x6f: // invoke-super case 0xfa: // invoke-super-quick case 0x70: // invoke-direct case 0x71: // invoke-static case 0x72: // invoke-interface case 0x73: // case 0x74: // case 0x75: // case 0x76: // invoke-direct case 0x77: // case 0x78: // invokeinterface/range case 0xb9: // invokeinterface case 0xb7: // invokespecial case 0xb8: // invokestatic case 0xb6: // invokevirtual case 0x6e: // invoke-virtual case 0xf0: // invoke-object-init-range case 0xf9: // invoke-virtual-quick/range case 0xfb: // invoke-super-quick/range if (len > 2) { //XXX fix this better since the check avoid an oob //but the jump will be incorrect ut32 vB = len > 3?(data[3] << 8) | data[2] : 0; op->jump = anal->binb.get_offset (anal->binb.bin, 'm', vB); op->fail = addr + sz; op->type = R_ANAL_OP_TYPE_CALL; // TODO: handle /range instructions esilprintf (op, "8,sp,-=,0x%"PFMT64x",sp,=[8],0x%"PFMT64x",ip,=", addr); } break; case 0x27: // throw { ut32 vA = data[1]; op->type = R_ANAL_OP_TYPE_TRAP; esilprintf (op, "v%d,TRAP", vA); } break; case 0xee: // execute-inline case 0xef: // execute-inline/range op->type = R_ANAL_OP_TYPE_SWI; break; case 0xed: // throw-verification-error op->type = R_ANAL_OP_TYPE_TRAP; break; case 0x22: // new-instance op->type = R_ANAL_OP_TYPE_NEW; if (len > 2) { int vA = (int) data[1]; int vB = (data[3] << 8) | data[2]; // resolve class name for vB ut64 off = R_ANAL_GET_OFFSET (anal, 't', vB); op->ptr = off; esilprintf (op, "%d,new,v%d,=", off, vA); } break; case 0x23: // new-array op->type = R_ANAL_OP_TYPE_NEW; // 0x1c, 0x1f, 0x22 if (len > 2) { ut32 vA = (data[1] & 0x0f); ut32 vB = (data[1] & 0xf0) >> 4; ut32 vC = (int) data[2] | (data[3]<<8); esilprintf (op, "%d,%d,new-array,v%d,=",vC, vB, vA); } break; case 0x24: // filled-new-array case 0x25: // filled-new-array-range case 0x26: // filled-new-array-data op->type = R_ANAL_OP_TYPE_NEW; // 0x1c, 0x1f, 0x22 if (len > 2) { //int vA = (int) data[1]; int vB = (data[3] << 8) | data[2]; // resolve class name for vB ut64 off = R_ANAL_GET_OFFSET (anal, 't', vB); op->ptr = off; } break; case 0x00: // nop op->type = R_ANAL_OP_TYPE_NOP; esilprintf (op, ","); break; case 0x90: // add-int case 0x9b: // add-long case 0xa6: // add-float case 0xac: // add-double case 0xb0: // add-int/2addr case 0xbb: // add-long/2addr case 0xc6: // add-float/2addr case 0xcb: // add-double/2addr case 0xd0: // add-int/lit16 case 0xd8: // add-int/lit8 { op->type = R_ANAL_OP_TYPE_ADD; ut32 vB = (data[1] & 0x0f); ut32 vA = (data[1] & 0xf0) >> 4; esilprintf (op, "v%d,v%d,+=", vB, vA); } break; case 0xa7: // sub-float case 0xcc: // sub-double op->family = R_ANAL_OP_FAMILY_FPU; /* fall thru */ case 0xc7: case 0xbc: case 0x91: case 0xb1: //sub-int/2addr case 0xd1: //sub-int/2addr case 0x9c: //sub-long op->type = R_ANAL_OP_TYPE_SUB; esilprintf (op, "v%d,v%d,-,v%d,=", vC, vB, vA); break; case 0x7b: // neg-int case 0x7d: // neg-long case 0x7f: // neg-float case 0x80: // neg-double op->type = R_ANAL_OP_TYPE_NOT; break; case 0xa0: // and-long case 0xc0: // and-long case 0xdd: // and-long case 0xd5: // and-long case 0xb5: // and-int op->type = R_ANAL_OP_TYPE_AND; break; case 0xd6: // orint/lit16 case 0xc1: // or-long/2addr case 0xa1: // or-long op->type = R_ANAL_OP_TYPE_OR; break; case 0xe0: //lshl case 0xc3: //lshl case 0xa3: // shl-long case 0x98: // shl-long op->type = R_ANAL_OP_TYPE_SHL; break; }
static int analop(RAnal *a, RAnalOp *op, ut64 addr, const ut8 *buf, int len) { csh handle; cs_insn *insn; int mode = (a->bits==64)? CS_MODE_64: (a->bits==32)? CS_MODE_32: (a->bits==16)? CS_MODE_16: 0; int n, ret = cs_open (CS_ARCH_X86, mode, &handle); op->type = R_ANAL_OP_TYPE_NULL; op->jump = UT64_MAX; op->fail = UT64_MAX; op->ptr = op->val = UT64_MAX; op->size = 0; op->delay = 0; r_strbuf_init (&op->esil); if (ret == CS_ERR_OK) { cs_option (handle, CS_OPT_DETAIL, CS_OPT_ON); // capstone-next n = cs_disasm (handle, (const ut8*)buf, len, addr, 1, &insn); if (n<1) { op->type = R_ANAL_OP_TYPE_ILL; } else { int rs = a->bits/8; const char *pc = (a->bits==16)?"ip": (a->bits==32)?"eip":"rip"; const char *sp = (a->bits==16)?"sp": (a->bits==32)?"esp":"rsp"; op->size = insn->size; op->prefix = 0; switch (insn->detail->x86.prefix[0]) { case X86_PREFIX_REPNE: op->prefix |= R_ANAL_OP_PREFIX_REPNE; case X86_PREFIX_REP: op->prefix |= R_ANAL_OP_PREFIX_REP; case X86_PREFIX_LOCK: op->prefix |= R_ANAL_OP_PREFIX_LOCK; } switch (insn->id) { case X86_INS_FNOP: case X86_INS_NOP: op->type = R_ANAL_OP_TYPE_NOP; if (a->decode) esilprintf (op, ""); break; case X86_INS_HLT: op->type = R_ANAL_OP_TYPE_TRAP; break; case X86_INS_CLI: case X86_INS_STI: case X86_INS_CLC: case X86_INS_STC: break; case X86_INS_MOV: case X86_INS_MOVZX: case X86_INS_MOVABS: case X86_INS_MOVHPD: case X86_INS_MOVHPS: case X86_INS_MOVLPD: case X86_INS_MOVLPS: case X86_INS_MOVBE: case X86_INS_MOVSB: case X86_INS_MOVSD: case X86_INS_MOVSQ: case X86_INS_MOVSS: case X86_INS_MOVSW: case X86_INS_MOVD: case X86_INS_MOVQ: case X86_INS_MOVDQ2Q: op->type = R_ANAL_OP_TYPE_MOV; switch (INSOP(0).type) { case X86_OP_MEM: op->ptr = INSOP(0).mem.disp; break; } switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; break; } break; case X86_INS_CMP: case X86_INS_VCMP: case X86_INS_CMPPD: case X86_INS_CMPPS: case X86_INS_CMPSW: case X86_INS_CMPSD: case X86_INS_CMPSQ: case X86_INS_CMPSB: case X86_INS_CMPSS: case X86_INS_TEST: op->type = R_ANAL_OP_TYPE_CMP; break; case X86_INS_LEA: op->type = R_ANAL_OP_TYPE_LEA; switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; break; } break; case X86_INS_ENTER: case X86_INS_PUSH: case X86_INS_PUSHAW: case X86_INS_PUSHAL: case X86_INS_PUSHF: op->type = R_ANAL_OP_TYPE_PUSH; break; case X86_INS_LEAVE: case X86_INS_POP: case X86_INS_POPAW: case X86_INS_POPAL: case X86_INS_POPF: case X86_INS_POPCNT: op->type = R_ANAL_OP_TYPE_POP; break; case X86_INS_RET: case X86_INS_RETF: case X86_INS_IRET: case X86_INS_IRETD: case X86_INS_IRETQ: case X86_INS_SYSRET: op->type = R_ANAL_OP_TYPE_RET; if (a->decode) esilprintf (op, "%s,[%d],%s,=,%d,%s,+=", sp, rs, pc, rs, sp); break; case X86_INS_INT1: case X86_INS_INT3: case X86_INS_INTO: case X86_INS_INT: case X86_INS_VMCALL: case X86_INS_VMMCALL: case X86_INS_SYSCALL: op->type = R_ANAL_OP_TYPE_TRAP; if (a->decode) esilprintf (op, "%d,$", (int)INSOP(0).imm); break; case X86_INS_JL: case X86_INS_JLE: case X86_INS_JA: case X86_INS_JAE: case X86_INS_JB: case X86_INS_JBE: case X86_INS_JCXZ: case X86_INS_JECXZ: case X86_INS_JO: case X86_INS_JNO: case X86_INS_JS: case X86_INS_JNS: case X86_INS_JP: case X86_INS_JNP: case X86_INS_JE: case X86_INS_JNE: case X86_INS_JG: case X86_INS_JGE: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = INSOP(0).imm; op->fail = addr+op->size; if (a->decode) { if (INSOP(0).type==X86_OP_IMM) { // TODO } } break; case X86_INS_CALL: case X86_INS_LCALL: if (INSOP(0).type==X86_OP_IMM) { op->type = R_ANAL_OP_TYPE_CALL; // TODO: what if UCALL? // TODO: use imm_size op->jump = INSOP(0).imm; op->fail = addr+op->size; } else { op->type = R_ANAL_OP_TYPE_UCALL; } break; case X86_INS_JMP: case X86_INS_LJMP: // TODO: what if UJMP? op->jump = INSOP(0).imm; op->type = R_ANAL_OP_TYPE_JMP; if (a->decode) { ut64 dst = INSOP(0).imm; esilprintf (op, "0x%"PFMT64x",%s,=", dst, pc); } break; case X86_INS_IN: case X86_INS_INSW: case X86_INS_INSD: case X86_INS_INSB: case X86_INS_OUT: case X86_INS_OUTSB: case X86_INS_OUTSD: case X86_INS_OUTSW: op->type = R_ANAL_OP_TYPE_IO; break; case X86_INS_VXORPD: case X86_INS_VXORPS: case X86_INS_VPXORD: case X86_INS_VPXORQ: case X86_INS_VPXOR: case X86_INS_KXORW: case X86_INS_PXOR: case X86_INS_XOR: op->type = R_ANAL_OP_TYPE_XOR; break; case X86_INS_OR: op->type = R_ANAL_OP_TYPE_OR; break; case X86_INS_SUB: case X86_INS_DEC: case X86_INS_PSUBB: case X86_INS_PSUBW: case X86_INS_PSUBD: case X86_INS_PSUBQ: case X86_INS_PSUBSB: case X86_INS_PSUBSW: case X86_INS_PSUBUSB: case X86_INS_PSUBUSW: op->type = R_ANAL_OP_TYPE_SUB; break; case X86_INS_AND: case X86_INS_ANDN: case X86_INS_ANDPD: case X86_INS_ANDPS: case X86_INS_ANDNPD: case X86_INS_ANDNPS: op->type = R_ANAL_OP_TYPE_AND; break; case X86_INS_DIV: op->type = R_ANAL_OP_TYPE_DIV; break; case X86_INS_MUL: op->type = R_ANAL_OP_TYPE_MUL; break; case X86_INS_INC: case X86_INS_ADD: case X86_INS_FADD: case X86_INS_ADDPD: op->type = R_ANAL_OP_TYPE_ADD; break; } } cs_free (insn, n); cs_close (&handle); } return op->size; }
static int analop(RAnal *a, RAnalOp *op, ut64 addr, const ut8 *buf, int len) { csh handle; #if USE_ITER_API static #endif cs_insn *insn = NULL; int mode = (a->bits==64)? CS_MODE_64: (a->bits==32)? CS_MODE_32: (a->bits==16)? CS_MODE_16: 0; int n, ret = cs_open (CS_ARCH_X86, mode, &handle); int regsz = 4; if (ret != CS_ERR_OK) { return 0; } switch (a->bits) { case 64: regsz = 8; break; case 16: regsz = 2; break; default: case 32: regsz = 4; break; } memset (op, '\0', sizeof (RAnalOp)); op->type = R_ANAL_OP_TYPE_NULL; op->jump = UT64_MAX; op->fail = UT64_MAX; op->ptr = op->val = UT64_MAX; op->src[0] = NULL; op->src[1] = NULL; op->size = 0; op->delay = 0; r_strbuf_init (&op->esil); cs_option (handle, CS_OPT_DETAIL, CS_OPT_ON); // capstone-next #if USE_ITER_API { ut64 naddr = addr; size_t size = len; if (insn == NULL) insn = cs_malloc (handle); n = cs_disasm_iter (handle, (const uint8_t**)&buf, &size, (uint64_t*)&naddr, insn); } #else n = cs_disasm (handle, (const ut8*)buf, len, addr, 1, &insn); #endif if (n<1) { op->type = R_ANAL_OP_TYPE_ILL; } else { int rs = a->bits/8; const char *pc = (a->bits==16)?"ip": (a->bits==32)?"eip":"rip"; const char *sp = (a->bits==16)?"sp": (a->bits==32)?"esp":"rsp"; const char *bp = (a->bits==16)?"bp": (a->bits==32)?"ebp":"rbp"; op->size = insn->size; op->prefix = 0; switch (insn->detail->x86.prefix[0]) { case X86_PREFIX_REPNE: op->prefix |= R_ANAL_OP_PREFIX_REPNE; case X86_PREFIX_REP: op->prefix |= R_ANAL_OP_PREFIX_REP; case X86_PREFIX_LOCK: op->prefix |= R_ANAL_OP_PREFIX_LOCK; } switch (insn->id) { case X86_INS_FNOP: case X86_INS_NOP: op->type = R_ANAL_OP_TYPE_NOP; if (a->decode) esilprintf (op, ","); break; case X86_INS_HLT: op->type = R_ANAL_OP_TYPE_TRAP; break; case X86_INS_CLI: case X86_INS_STI: case X86_INS_CLC: case X86_INS_STC: break; // cmov case X86_INS_CMOVA: case X86_INS_CMOVAE: case X86_INS_CMOVB: case X86_INS_CMOVBE: case X86_INS_FCMOVBE: case X86_INS_FCMOVB: case X86_INS_CMOVE: case X86_INS_FCMOVE: case X86_INS_CMOVG: case X86_INS_CMOVGE: case X86_INS_CMOVL: case X86_INS_CMOVLE: case X86_INS_FCMOVNBE: case X86_INS_FCMOVNB: case X86_INS_CMOVNE: case X86_INS_FCMOVNE: case X86_INS_CMOVNO: case X86_INS_CMOVNP: case X86_INS_FCMOVNU: case X86_INS_CMOVNS: case X86_INS_CMOVO: case X86_INS_CMOVP: case X86_INS_FCMOVU: case X86_INS_CMOVS: // mov case X86_INS_MOV: case X86_INS_MOVZX: case X86_INS_MOVABS: case X86_INS_MOVHPD: case X86_INS_MOVHPS: case X86_INS_MOVLPD: case X86_INS_MOVLPS: case X86_INS_MOVBE: case X86_INS_MOVSB: case X86_INS_MOVSD: case X86_INS_MOVSQ: case X86_INS_MOVSS: case X86_INS_MOVSW: case X86_INS_MOVD: case X86_INS_MOVQ: case X86_INS_MOVDQ2Q: { op->type = R_ANAL_OP_TYPE_MOV; switch (INSOP(0).type) { case X86_OP_MEM: op->ptr = INSOP(0).mem.disp; op->refptr = INSOP(0).size; if (INSOP(0).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(0).mem.base == X86_REG_RBP || INSOP(0).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_SET; op->stackptr = regsz; } if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 1); esilprintf (op, "%s,%s", src, dst); free (src); free (dst); } break; default: if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,=", src, dst); free (src); free (dst); } break; } switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; op->refptr = INSOP(1).size; if (INSOP(1).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(1).mem.base == X86_REG_RBP || INSOP(1).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_GET; op->stackptr = regsz; } break; case X86_OP_IMM: if (INSOP(1).imm > 10) op->ptr = INSOP(1).imm; break; default: break; } } break; case X86_INS_SHL: case X86_INS_SHLD: case X86_INS_SHLX: op->type = R_ANAL_OP_TYPE_SHL; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,<<=,cz,%%z,zf,=", src, dst); free (src); free (dst); } break; case X86_INS_SAR: case X86_INS_SARX: op->type = R_ANAL_OP_TYPE_SAR; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,>>=,%%z,zf,=", src, dst); free (src); free (dst); } break; case X86_INS_SAL: case X86_INS_SALC: op->type = R_ANAL_OP_TYPE_SAL; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,<<=,%%z,zf,=", src, dst); free (src); free (dst); } break; case X86_INS_SHR: case X86_INS_SHRD: case X86_INS_SHRX: op->type = R_ANAL_OP_TYPE_SHR; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,>>=,cz,%%z,zf,=", src, dst); free (src); free (dst); } break; case X86_INS_CMP: case X86_INS_VCMP: case X86_INS_CMPPD: case X86_INS_CMPPS: case X86_INS_CMPSW: case X86_INS_CMPSD: case X86_INS_CMPSQ: case X86_INS_CMPSB: case X86_INS_CMPSS: case X86_INS_TEST: op->type = R_ANAL_OP_TYPE_CMP; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,==,%%z,zf,=", src, dst); free (src); free (dst); } switch (INSOP(0).type) { case X86_OP_MEM: op->ptr = INSOP(0).mem.disp; op->refptr = INSOP(0).size; if (INSOP(0).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(0).mem.base == X86_REG_RBP || INSOP(0).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_SET; op->stackptr = regsz; } break; default: switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; op->refptr = INSOP(1).size; if (INSOP(1).mem.base == X86_REG_RIP) { op->ptr += addr + insn->size; } else if (INSOP(1).mem.base == X86_REG_RBP || INSOP(1).mem.base == X86_REG_EBP) { op->stackop = R_ANAL_STACK_SET; op->stackptr = regsz; } break; case X86_OP_IMM: op->ptr = INSOP(1).imm; break; default: break; } break; } break; case X86_INS_LEA: op->type = R_ANAL_OP_TYPE_LEA; if (a->decode) { char *src = getarg (handle, insn, 0, 0); char *dst = getarg (handle, insn, 1, 2); esilprintf (op, "%s,%s,=", dst, src); free (src); free (dst); } switch (INSOP(1).type) { case X86_OP_MEM: op->ptr = INSOP(1).mem.disp; op->refptr = INSOP(1).size; switch (INSOP(1).mem.base) { case X86_REG_RIP: op->ptr += addr + op->size; break; case X86_REG_RBP: case X86_REG_EBP: op->stackop = R_ANAL_STACK_GET; op->stackptr = regsz; break; } break; case X86_OP_IMM: if (INSOP(1).imm > 10) op->ptr = INSOP(1).imm; break; default: break; } break; case X86_INS_ENTER: case X86_INS_PUSH: case X86_INS_PUSHAW: case X86_INS_PUSHAL: case X86_INS_PUSHF: { char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%d,%s,-=,%s,%s,=[%d]", rs, sp, dst, sp, rs); free (dst); } switch (INSOP(0).type) { case X86_OP_IMM: op->ptr = INSOP(0).imm; op->type = R_ANAL_OP_TYPE_PUSH; break; default: op->type = R_ANAL_OP_TYPE_UPUSH; break; } op->stackop = R_ANAL_STACK_INC; op->stackptr = regsz; break; case X86_INS_LEAVE: op->type = R_ANAL_OP_TYPE_POP; if (a->decode) { esilprintf (op, "%s,%s,=,%s,[%d],%s,%d,%s,-=", bp, sp, sp, rs, bp, rs, sp); } op->stackop = R_ANAL_STACK_INC; op->stackptr = -regsz; break; case X86_INS_POP: case X86_INS_POPAW: case X86_INS_POPAL: case X86_INS_POPF: case X86_INS_POPCNT: op->type = R_ANAL_OP_TYPE_POP; if (a->decode) { char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,[%d],%s,=,%d,%s,+=", sp, rs, dst, rs, sp); free (dst); } op->stackop = R_ANAL_STACK_INC; op->stackptr = -regsz; break; case X86_INS_RET: case X86_INS_RETF: case X86_INS_IRET: case X86_INS_IRETD: case X86_INS_IRETQ: case X86_INS_SYSRET: op->type = R_ANAL_OP_TYPE_RET; if (a->decode) esilprintf (op, "%s,[%d],%s,=,%d,%s,+=", sp, rs, pc, rs, sp); op->stackop = R_ANAL_STACK_INC; op->stackptr = -regsz; break; case X86_INS_INT: if (a->decode) esilprintf (op, "%d,$", (int)INSOP(0).imm); op->type = R_ANAL_OP_TYPE_SWI; break; case X86_INS_INT1: case X86_INS_INT3: case X86_INS_INTO: case X86_INS_VMCALL: case X86_INS_VMMCALL: case X86_INS_SYSCALL: op->type = R_ANAL_OP_TYPE_TRAP; if (a->decode) esilprintf (op, "%d,$", (int)INSOP(0).imm); break; case X86_INS_JL: case X86_INS_JLE: case X86_INS_JA: case X86_INS_JAE: case X86_INS_JB: case X86_INS_JBE: case X86_INS_JCXZ: case X86_INS_JECXZ: case X86_INS_JRCXZ: case X86_INS_JO: case X86_INS_JNO: case X86_INS_JS: case X86_INS_JNS: case X86_INS_JP: case X86_INS_JNP: case X86_INS_JE: case X86_INS_JNE: case X86_INS_JG: case X86_INS_JGE: case X86_INS_LOOP: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = INSOP(0).imm; op->fail = addr+op->size; if (a->decode) { char *dst = getarg (handle, insn, 0, 2); switch (insn->id) { case X86_INS_JL: esilprintf (op, "of,sf,^,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JLE: esilprintf (op, "of,sf,^,zf,|,%s,%s,=", dst, pc); break; case X86_INS_JA: esilprintf (op, "cf,!,zf,!,&,?{,%s,%s,=,}",dst, pc); break; case X86_INS_JAE: esilprintf (op, "cf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JB: esilprintf (op, "cf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JO: esilprintf (op, "of,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNO: esilprintf (op, "of,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JE: esilprintf (op, "zf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JGE: esilprintf (op, "of,!,sf,^,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNE: esilprintf (op, "zf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JG: esilprintf (op, "sf,of,!,^,zf,!,&,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JS: esilprintf (op, "sf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNS: esilprintf (op, "sf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JP: esilprintf (op, "pf,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JNP: esilprintf (op, "pf,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JBE: esilprintf (op, "zf,cf,&,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JCXZ: esilprintf (op, "cx,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JECXZ: esilprintf (op, "ecx,!,?{,%s,%s,=,}", dst, pc); break; case X86_INS_JRCXZ: esilprintf (op, "rcx,!,?{,%s,%s,=,}", dst, pc); break; } free (dst); } break; case X86_INS_CALL: case X86_INS_LCALL: switch (INSOP(0).type) { case X86_OP_IMM: op->type = R_ANAL_OP_TYPE_CALL; // TODO: what if UCALL? // TODO: use imm_size op->jump = INSOP(0).imm; op->fail = addr+op->size; break; case X86_OP_MEM: op->type = R_ANAL_OP_TYPE_UCALL; op->jump = UT64_MAX; if (INSOP(0).mem.base == 0) { op->ptr = INSOP(0).mem.disp; } break; default: op->type = R_ANAL_OP_TYPE_UCALL; op->jump = UT64_MAX; break; } if (a->decode) { char* arg = getarg (handle, insn, 0, 1); esilprintf (op, "%d,%s,+," "%d,%s,-=,%s," "=[]," "%s,%s,=", op->size, pc, rs, sp, sp, arg, pc); free (arg); } break; case X86_INS_JMP: case X86_INS_LJMP: if (a->decode) { char *src = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,=", src, pc); free (src); } // TODO: what if UJMP? if (INSOP(0).type == X86_OP_IMM) { op->jump = INSOP(0).imm; op->type = R_ANAL_OP_TYPE_JMP; if (a->decode) { ut64 dst = INSOP(0).imm; esilprintf (op, "0x%"PFMT64x",%s,=", dst, pc); } } else { op->type = R_ANAL_OP_TYPE_UJMP; } break; case X86_INS_IN: case X86_INS_INSW: case X86_INS_INSD: case X86_INS_INSB: case X86_INS_OUT: case X86_INS_OUTSB: case X86_INS_OUTSD: case X86_INS_OUTSW: op->type = R_ANAL_OP_TYPE_IO; break; case X86_INS_VXORPD: case X86_INS_VXORPS: case X86_INS_VPXORD: case X86_INS_VPXORQ: case X86_INS_VPXOR: case X86_INS_KXORW: case X86_INS_PXOR: case X86_INS_XOR: op->type = R_ANAL_OP_TYPE_XOR; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,^=", src, dst); free (src); free (dst); } break; case X86_INS_OR: op->type = R_ANAL_OP_TYPE_OR; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,|=", src, dst); free (src); free (dst); } break; case X86_INS_SUB: case X86_INS_DEC: case X86_INS_PSUBB: case X86_INS_PSUBW: case X86_INS_PSUBD: case X86_INS_PSUBQ: case X86_INS_PSUBSB: case X86_INS_PSUBSW: case X86_INS_PSUBUSB: case X86_INS_PSUBUSW: op->type = R_ANAL_OP_TYPE_SUB; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,-=,%%c,cf,=,%%z,zf,=,%%s,sf,=,%%o,of,=", src, dst); // TODO: update flags free (src); free (dst); } if (INSOP(0).type == X86_OP_REG && INSOP(1).type == X86_OP_IMM) { if (INSOP(0).reg == X86_REG_RSP || INSOP(0).reg == X86_REG_ESP) { op->stackop = R_ANAL_STACK_INC; op->stackptr = INSOP(1).imm; } } break; case X86_INS_AND: case X86_INS_ANDN: case X86_INS_ANDPD: case X86_INS_ANDPS: case X86_INS_ANDNPD: case X86_INS_ANDNPS: op->type = R_ANAL_OP_TYPE_AND; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,&=", src, dst); free (src); free (dst); } break; case X86_INS_DIV: op->type = R_ANAL_OP_TYPE_DIV; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,/=", src, dst); free (src); free (dst); } break; case X86_INS_MUL: op->type = R_ANAL_OP_TYPE_MUL; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,*=", src, dst); free (src); free (dst); } break; case X86_INS_INC: op->type = R_ANAL_OP_TYPE_ADD; if (a->decode) { char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "1,%s,+=", dst); free (dst); } break; case X86_INS_ADD: case X86_INS_FADD: case X86_INS_ADDPD: op->type = R_ANAL_OP_TYPE_ADD; if (a->decode) { char *src = getarg (handle, insn, 1, 0); char *dst = getarg (handle, insn, 0, 0); esilprintf (op, "%s,%s,+=", src, dst); free (src); free (dst); } if (INSOP(0).type == X86_OP_REG && INSOP(1).type == X86_OP_IMM) { if (INSOP(0).reg == X86_REG_RSP || INSOP(0).reg == X86_REG_ESP) { op->stackop = R_ANAL_STACK_INC; op->stackptr = -INSOP(1).imm; } } break; } } #if !USE_ITER_API cs_free (insn, n); #endif cs_close (&handle); return op->size; }
static int analop(RAnal *a, RAnalOp *op, ut64 addr, const ut8 *buf, int len) { static csh handle = 0; static int omode = -1, obits = -1; int n, ret; cs_insn *insn; int mode = (a->bits == 64) ? CS_MODE_64 : (a->bits == 32) ? CS_MODE_32 : 0; mode |= a->big_endian ? CS_MODE_BIG_ENDIAN : CS_MODE_LITTLE_ENDIAN; op->delay = 0; op->type = R_ANAL_OP_TYPE_NULL; op->jump = UT64_MAX; op->fail = UT64_MAX; op->ptr = op->val = UT64_MAX; if (a->cpu && strncmp (a->cpu, "vle", 3) == 0) { // vle is big-endian only if (!a->big_endian) { return -1; } ret = analop_vle (a, op, addr, buf, len); if (ret >= 0) { return op->size; } } if (mode != omode || a->bits != obits) { cs_close (&handle); handle = 0; omode = mode; obits = a->bits; } if (handle == 0) { ret = cs_open (CS_ARCH_PPC, mode, &handle); if (ret != CS_ERR_OK) { return -1; } cs_option (handle, CS_OPT_DETAIL, CS_OPT_ON); } op->size = 4; r_strbuf_init (&op->esil); r_strbuf_set (&op->esil, ""); // capstone-next n = cs_disasm (handle, (const ut8*)buf, len, addr, 1, &insn); if (n < 1) { op->type = R_ANAL_OP_TYPE_ILL; } else { opex (&op->opex, handle, insn); struct Getarg gop = { .handle = handle, .insn = insn, .bits = a->bits }; op->size = insn->size; op->id = insn->id; switch (insn->id) { #if CS_API_MAJOR >= 4 case PPC_INS_CMPB: #endif case PPC_INS_CMPD: case PPC_INS_CMPDI: case PPC_INS_CMPLD: case PPC_INS_CMPLDI: case PPC_INS_CMPLW: case PPC_INS_CMPLWI: case PPC_INS_CMPW: case PPC_INS_CMPWI: op->type = R_ANAL_OP_TYPE_CMP; op->sign = true; if (ARG (2)[0] == '\0') esilprintf (op, "%s,%s,-,0xff,&,cr0,=", ARG (1), ARG (0)); else esilprintf (op, "%s,%s,-,0xff,&,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_MFLR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "lr,%s,=", ARG (0)); break; case PPC_INS_MTLR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,lr,=", ARG (0)); break; case PPC_INS_MR: case PPC_INS_LI: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,%s,=", ARG (1), ARG (0)); break; case PPC_INS_LIS: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s0000,%s,=", ARG (1), ARG (0)); break; case PPC_INS_CLRLWI: op->type = R_ANAL_OP_TYPE_AND; esilprintf (op, "%s,%s,&,%s,=", ARG (1), cmask32 (ARG (2), "0x1F"), ARG (0)); break; case PPC_INS_RLWINM: op->type = R_ANAL_OP_TYPE_ROL; esilprintf (op, "%s,%s,<<<,%s,&,%s,=", ARG (2), ARG (1), cmask32 (ARG (3), ARG (4)), ARG (0)); break; case PPC_INS_SC: op->type = R_ANAL_OP_TYPE_SWI; esilprintf (op, "0,$"); break; case PPC_INS_EXTSB: op->sign = true; op->type = R_ANAL_OP_TYPE_MOV; if (a->bits == 64) esilprintf (op, "%s,0x80,&,?{,0xFFFFFFFFFFFFFF00,%s,|,%s,=,}", ARG (1), ARG (1), ARG (0)); else esilprintf (op, "%s,0x80,&,?{,0xFFFFFF00,%s,|,%s,=,}", ARG (1), ARG (1), ARG (0)); break; case PPC_INS_EXTSH: op->sign = true; if (a->bits == 64) esilprintf (op, "%s,0x8000,&,?{,0xFFFFFFFFFFFF0000,%s,|,%s,=,}", ARG (1), ARG (1), ARG (0)); else esilprintf (op, "%s,0x8000,&,?{,0xFFFF0000,%s,|,%s,=,}", ARG (1), ARG (1), ARG (0)); break; case PPC_INS_EXTSW: op->sign = true; esilprintf (op, "%s,0x80000000,&,?{,0xFFFFFFFF00000000,%s,|,%s,=,}", ARG (1), ARG (1), ARG (0)); break; case PPC_INS_SYNC: case PPC_INS_ISYNC: case PPC_INS_LWSYNC: case PPC_INS_MSYNC: case PPC_INS_PTESYNC: case PPC_INS_TLBSYNC: case PPC_INS_SLBIA: case PPC_INS_SLBIE: case PPC_INS_SLBMFEE: case PPC_INS_SLBMTE: case PPC_INS_EIEIO: case PPC_INS_NOP: op->type = R_ANAL_OP_TYPE_NOP; esilprintf (op, ","); break; case PPC_INS_STW: case PPC_INS_STWU: case PPC_INS_STWUX: case PPC_INS_STWX: case PPC_INS_STWCX: op->type = R_ANAL_OP_TYPE_STORE; esilprintf (op, "%s,%s", ARG (0), ARG2 (1, "=[4]")); break; case PPC_INS_STWBRX: op->type = R_ANAL_OP_TYPE_STORE; break; case PPC_INS_STB: case PPC_INS_STBU: op->type = R_ANAL_OP_TYPE_STORE; esilprintf (op, "%s,%s", ARG (0), ARG2 (1, "=[1]")); break; case PPC_INS_STH: case PPC_INS_STHU: op->type = R_ANAL_OP_TYPE_STORE; esilprintf (op, "%s,%s", ARG (0), ARG2 (1, "=[2]")); break; case PPC_INS_STD: case PPC_INS_STDU: op->type = R_ANAL_OP_TYPE_STORE; esilprintf (op, "%s,%s", ARG (0), ARG2 (1, "=[8]")); break; case PPC_INS_LBZ: #if CS_API_MAJOR >= 4 case PPC_INS_LBZCIX: #endif case PPC_INS_LBZU: case PPC_INS_LBZUX: case PPC_INS_LBZX: op->type = R_ANAL_OP_TYPE_LOAD; esilprintf (op, "%s,%s,=", ARG2 (1, "[1]"), ARG (0)); break; case PPC_INS_LD: case PPC_INS_LDARX: #if CS_API_MAJOR >= 4 case PPC_INS_LDCIX: #endif case PPC_INS_LDU: case PPC_INS_LDUX: case PPC_INS_LDX: op->type = R_ANAL_OP_TYPE_LOAD; esilprintf (op, "%s,%s,=", ARG2 (1, "[8]"), ARG (0)); break; case PPC_INS_LDBRX: op->type = R_ANAL_OP_TYPE_LOAD; break; case PPC_INS_LFD: case PPC_INS_LFDU: case PPC_INS_LFDUX: case PPC_INS_LFDX: case PPC_INS_LFIWAX: case PPC_INS_LFIWZX: case PPC_INS_LFS: case PPC_INS_LFSU: case PPC_INS_LFSUX: case PPC_INS_LFSX: op->type = R_ANAL_OP_TYPE_LOAD; esilprintf (op, "%s,%s,=", ARG2 (1, "[4]"), ARG (0)); break; case PPC_INS_LHA: case PPC_INS_LHAU: case PPC_INS_LHAUX: case PPC_INS_LHAX: case PPC_INS_LHZ: case PPC_INS_LHZU: op->type = R_ANAL_OP_TYPE_LOAD; esilprintf (op, "%s,%s,=", ARG2 (1, "[2]"), ARG (0)); break; case PPC_INS_LHBRX: op->type = R_ANAL_OP_TYPE_LOAD; break; case PPC_INS_LWA: case PPC_INS_LWARX: case PPC_INS_LWAUX: case PPC_INS_LWAX: case PPC_INS_LWZ: #if CS_API_MAJOR >= 4 case PPC_INS_LWZCIX: #endif case PPC_INS_LWZU: case PPC_INS_LWZUX: case PPC_INS_LWZX: op->type = R_ANAL_OP_TYPE_LOAD; esilprintf (op, "%s,%s,=", ARG2 (1, "[4]"), ARG (0)); break; case PPC_INS_LWBRX: op->type = R_ANAL_OP_TYPE_LOAD; break; case PPC_INS_SLW: case PPC_INS_SLWI: op->type = R_ANAL_OP_TYPE_SHL; esilprintf (op, "%s,%s,<<,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_SRW: case PPC_INS_SRWI: op->type = R_ANAL_OP_TYPE_SHR; esilprintf (op, "%s,%s,>>,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_MULLI: op->sign = true; case PPC_INS_MULLW: case PPC_INS_MULLD: op->type = R_ANAL_OP_TYPE_MUL; esilprintf (op, "%s,%s,*,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_SUB: case PPC_INS_SUBC: case PPC_INS_SUBF: case PPC_INS_SUBFIC: case PPC_INS_SUBFZE: op->type = R_ANAL_OP_TYPE_SUB; esilprintf (op, "%s,%s,-,%s,=", ARG (1), ARG (2), ARG (0)); break; case PPC_INS_ADD: case PPC_INS_ADDI: op->sign = true; op->type = R_ANAL_OP_TYPE_ADD; esilprintf (op, "%s,%s,+,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_ADDC: case PPC_INS_ADDIC: op->type = R_ANAL_OP_TYPE_ADD; esilprintf (op, "%s,%s,+,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_ADDE: case PPC_INS_ADDIS: case PPC_INS_ADDME: case PPC_INS_ADDZE: op->type = R_ANAL_OP_TYPE_ADD; esilprintf (op, "%s,%s,+,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_MTSPR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,%s,=", ARG (1), PPCSPR (0)); break; case PPC_INS_BCTR: // switch table here op->type = R_ANAL_OP_TYPE_UJMP; esilprintf (op, "ctr,pc,="); break; case PPC_INS_BCTRL: // switch table here op->type = R_ANAL_OP_TYPE_CALL; esilprintf (op, "pc,lr,=,ctr,pc,="); break; case PPC_INS_B: case PPC_INS_BC: op->jump = ARG (1)[0] == '\0' ? IMM (0) : IMM (1); op->type = R_ANAL_OP_TYPE_CJMP; op->fail = addr + op->size; switch (insn->detail->ppc.bc) { case PPC_BC_LT: if (ARG (1)[0] == '\0') { esilprintf (op, "0,cr0,<,?{,%s,pc,=,},", ARG (0)); } else { esilprintf (op, "0,%s,<,?{,%s,pc,=,},", ARG (0), ARG (1)); } break; case PPC_BC_LE: if (ARG (1)[0] == '\0') { esilprintf (op, "0,cr0,<=,?{,%s,pc,=,},", ARG (0)); } else { esilprintf (op, "0,%s,<=,?{,%s,pc,=,},", ARG (0), ARG (1)); } break; case PPC_BC_EQ: if (ARG (1)[0] == '\0') { esilprintf (op, "0,cr0,==,?{,%s,pc,=,},", ARG (0)); } else { esilprintf (op, "0,%s,==,?{,%s,pc,=,},", ARG (0), ARG (1)); } break; case PPC_BC_GE: if (ARG (1)[0] == '\0') { esilprintf (op, "0,cr0,>=,?{,%s,pc,=,},", ARG (0)); } else { esilprintf (op, "0,%s,>=,?{,%s,pc,=,},", ARG (0), ARG (1)); } break; case PPC_BC_GT: if (ARG (1)[0] == '\0') { esilprintf (op, "0,cr0,>,?{,%s,pc,=,},", ARG (0)); } else { esilprintf (op, "0,%s,>,?{,%s,pc,=,},", ARG (0), ARG (1)); } break; case PPC_BC_NE: if (ARG (1)[0] == '\0') { esilprintf (op, "cr0,?{,%s,pc,=,},", ARG (0)); } else { esilprintf (op, "%s,?{,%s,pc,=,},", ARG (0), ARG (1)); } break; case PPC_BC_INVALID: op->type = R_ANAL_OP_TYPE_JMP; esilprintf (op, "%s,pc,=", ARG (0)); case PPC_BC_UN: // unordered case PPC_BC_NU: // not unordered case PPC_BC_SO: // summary overflow case PPC_BC_NS: // not summary overflow default: break; } break; case PPC_INS_BA: switch (insn->detail->ppc.operands[0].type) { case PPC_OP_CRX: op->type = R_ANAL_OP_TYPE_CJMP; op->fail = addr + op->size; break; case PPC_OP_REG: if (op->type == R_ANAL_OP_TYPE_CJMP) { op->type = R_ANAL_OP_TYPE_UCJMP; } else { op->type = R_ANAL_OP_TYPE_CJMP; } op->jump = IMM (1); op->fail = addr + op->size; //op->type = R_ANAL_OP_TYPE_UJMP; default: break; } break; case PPC_INS_BDNZ: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = IMM (0); op->fail = addr + op->size; esilprintf (op, "1,ctr,-=,ctr,?{,%s,pc,=,}", ARG (0)); break; case PPC_INS_BDNZA: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = IMM (0); op->fail = addr + op->size; break; case PPC_INS_BDNZL: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = IMM (0); op->fail = addr + op->size; break; case PPC_INS_BDNZLA: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = IMM (0); op->fail = addr + op->size; break; case PPC_INS_BDNZLR: op->type = R_ANAL_OP_TYPE_CJMP; op->fail = addr + op->size; esilprintf (op, "1,ctr,-=,ctr,?{,lr,pc,=,},"); break; case PPC_INS_BDNZLRL: op->fail = addr + op->size; op->type = R_ANAL_OP_TYPE_CJMP; break; case PPC_INS_BDZ: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = IMM (0); op->fail = addr + op->size; esilprintf (op, "1,ctr,-=,ctr,0,==,?{,%s,pc,=,}", ARG (0)); break; case PPC_INS_BDZA: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = IMM (0); op->fail = addr + op->size; break; case PPC_INS_BDZL: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = IMM (0); op->fail = addr + op->size; break; case PPC_INS_BDZLA: op->type = R_ANAL_OP_TYPE_CJMP; op->jump = IMM (0); op->fail = addr + op->size; break; case PPC_INS_BDZLR: op->type = R_ANAL_OP_TYPE_CJMP; op->fail = addr + op->size; esilprintf (op, "1,ctr,-=,ctr,0,==,?{,lr,pc,=,}"); break; case PPC_INS_BDZLRL: op->type = R_ANAL_OP_TYPE_CJMP; op->fail = addr + op->size; break; case PPC_INS_BLR: case PPC_INS_BLRL: case PPC_INS_BCLR: case PPC_INS_BCLRL: op->type = R_ANAL_OP_TYPE_CRET; op->fail = addr + op->size; switch (insn->detail->ppc.bc) { case PPC_BC_INVALID: op->type = R_ANAL_OP_TYPE_RET; esilprintf (op, "lr,pc,="); break; case PPC_BC_LT: if (ARG (0)[0] == '\0') { esilprintf (op, "0,cr0,<,?{,lr,pc,=,},"); } else { esilprintf (op, "0,%s,<,?{,lr,pc,=,},", ARG (0)); } break; case PPC_BC_LE: if (ARG (0)[0] == '\0') { esilprintf (op, "0,cr0,<=,?{,lr,pc,=,},"); } else { esilprintf (op, "0,%s,<=,?{,lr,pc,=,},", ARG (0)); } break; case PPC_BC_EQ: if (ARG (0)[0] == '\0') { esilprintf (op, "0,cr0,==,?{,lr,pc,=,},"); } else { esilprintf (op, "0,%s,==,?{,lr,pc,=,},", ARG (0)); } break; case PPC_BC_GE: if (ARG (0)[0] == '\0') { esilprintf (op, "0,cr0,>=,?{,lr,pc,=,},"); } else { esilprintf (op, "0,%s,>=,?{,lr,pc,=,},", ARG (0)); } break; case PPC_BC_GT: if (ARG (0)[0] == '\0') { esilprintf (op, "0,cr0,>,?{,lr,pc,=,},"); } else { esilprintf (op, "0,%s,>,?{,lr,pc,=,},", ARG (0)); } break; case PPC_BC_NE: if (ARG (0)[0] == '\0') { esilprintf (op, "cr0,?{,lr,pc,=,},"); } else { esilprintf (op, "%s,?{,lr,pc,=,},", ARG (0)); } break; case PPC_BC_UN: // unordered case PPC_BC_NU: // not unordered case PPC_BC_SO: // summary overflow case PPC_BC_NS: // not summary overflow default: break; } break; case PPC_INS_NOR: op->type = R_ANAL_OP_TYPE_NOR; esilprintf (op, "%s,%s,|,!,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_XOR: case PPC_INS_XORI: op->type = R_ANAL_OP_TYPE_XOR; esilprintf (op, "%s,%s,^,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_XORIS: op->type = R_ANAL_OP_TYPE_XOR; esilprintf (op, "16,%s,<<,%s,^,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_DIVD: case PPC_INS_DIVW: op->sign = true; op->type = R_ANAL_OP_TYPE_DIV; esilprintf (op, "%s,%s,/,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_DIVDU: case PPC_INS_DIVWU: op->type = R_ANAL_OP_TYPE_DIV; esilprintf (op, "%s,%s,/,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_BL: case PPC_INS_BLA: op->type = R_ANAL_OP_TYPE_CALL; op->jump = IMM (0); op->fail = addr + op->size; esilprintf (op, "pc,lr,=,%s,pc,=", ARG (0)); break; case PPC_INS_TRAP: op->sign = true; op->type = R_ANAL_OP_TYPE_TRAP; break; case PPC_INS_AND: case PPC_INS_NAND: case PPC_INS_ANDI: op->type = R_ANAL_OP_TYPE_AND; esilprintf (op, "%s,%s,&,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_ANDIS: op->type = R_ANAL_OP_TYPE_AND; esilprintf (op, "16,%s,<<,%s,&,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_OR: case PPC_INS_ORI: op->type = R_ANAL_OP_TYPE_OR; esilprintf (op, "%s,%s,|,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_ORIS: op->type = R_ANAL_OP_TYPE_OR; esilprintf (op, "16,%s,<<,%s,|,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_MFPVR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "pvr,%s,=", ARG (0)); break; case PPC_INS_MFSPR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,%s,=", PPCSPR (1), ARG (0)); break; case PPC_INS_MFCTR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "ctr,%s,=", ARG (0)); break; case PPC_INS_MFDCCR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "dccr,%s,=", ARG (0)); break; case PPC_INS_MFICCR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "iccr,%s,=", ARG (0)); break; case PPC_INS_MFDEAR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "dear,%s,=", ARG (0)); break; case PPC_INS_MFMSR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "msr,%s,=", ARG (0)); break; case PPC_INS_MTCTR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,ctr,=", ARG (0)); break; case PPC_INS_MTDCCR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,dccr,=", ARG (0)); break; case PPC_INS_MTICCR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,iccr,=", ARG (0)); break; case PPC_INS_MTDEAR: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,dear,=", ARG (0)); break; case PPC_INS_MTMSR: case PPC_INS_MTMSRD: op->type = R_ANAL_OP_TYPE_MOV; esilprintf (op, "%s,msr,=", ARG (0)); break; // Data Cache Block Zero case PPC_INS_DCBZ: op->type = R_ANAL_OP_TYPE_STORE; esilprintf (op, "%s,%s", ARG (0), ARG2 (1, ",=[128]")); break; case PPC_INS_CLRLDI: op->type = R_ANAL_OP_TYPE_AND; esilprintf (op, "%s,%s,&,%s,=", ARG (1), cmask64 (ARG (2), "0x3F"), ARG (0)); break; case PPC_INS_ROTLDI: op->type = R_ANAL_OP_TYPE_ROL; esilprintf (op, "%s,%s,<<<,%s,=", ARG (2), ARG (1), ARG (0)); break; case PPC_INS_RLDCL: case PPC_INS_RLDICL: op->type = R_ANAL_OP_TYPE_ROL; esilprintf (op, "%s,%s,<<<,%s,&,%s,=", ARG (2), ARG (1), cmask64 (ARG (3), "0x3F"), ARG (0)); break; case PPC_INS_RLDCR: case PPC_INS_RLDICR: op->type = R_ANAL_OP_TYPE_ROL; esilprintf (op, "%s,%s,<<<,%s,&,%s,=", ARG (2), ARG (1), cmask64 (0, ARG (3)), ARG (0)); break; } if (a->fillval) { op_fillval (op, handle, insn); } r_strbuf_fini (&op->esil); cs_free (insn, n); //cs_close (&handle); } return op->size; } static int archinfo(RAnal *a, int q) { if (a->cpu && !strncmp (a->cpu, "vle", 3)) { return 2; } return 4; } RAnalPlugin r_anal_plugin_ppc_cs = { .name = "ppc", .desc = "Capstone PowerPC analysis", .license = "BSD", .esil = true, .arch = "ppc", .bits = 32 | 64, .archinfo = archinfo, .op = &analop, .set_reg_profile = &set_reg_profile, }; #ifndef CORELIB RLibStruct radare_plugin = { .type = R_LIB_TYPE_ANAL, .data = &r_anal_plugin_ppc_cs, .version = R2_VERSION };