/* restore program counter after breakpoint hit */
static int r_debug_recoil(RDebug *dbg) {
int recoil;
RRegItem *ri;
if (r_debug_is_dead (dbg))
return R_FALSE;
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE);
ri = r_reg_get (dbg->reg, dbg->reg->name[R_REG_NAME_PC], -1);
dbg->reason.bpi = NULL;
if (ri) {
ut64 addr = r_reg_get_value (dbg->reg, ri);
recoil = r_bp_recoil (dbg->bp, addr);
//eprintf ("[R2] Breakpoint recoil at 0x%"PFMT64x" = %d\n", addr, recoil);
#if __arm__
if (recoil<1) recoil = 0; // XXX Hack :D
#else
if (recoil<1) recoil = 0; //1; // XXX Hack :D (x86 only?)
#endif
if (recoil) {
dbg->reason.type = R_DEBUG_REASON_BREAKPOINT;
dbg->reason.bpi = r_bp_get_at (dbg->bp, addr-recoil);
dbg->reason.addr = addr - recoil;
r_reg_set_value (dbg->reg, ri, addr-recoil);
if (r_reg_get_value (dbg->reg, ri) != (addr-recoil)) {
eprintf ("r_debug_recoil: Cannot set program counter\n");
return R_FALSE;
}
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_TRUE);
//eprintf ("[BP Hit] Setting pc to 0x%"PFMT64x"\n", (addr-recoil));
return R_TRUE;
}
} else eprintf ("r_debug_recoil: Cannot get program counter\n");
return R_FALSE;
}
/* restore program counter after breakpoint hit */
static int r_debug_recoil(RDebug *dbg) {
int recoil;
RRegItem *ri;
if (r_debug_is_dead (dbg)) {
return false;
}
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, false);
ri = r_reg_get (dbg->reg, dbg->reg->name[R_REG_NAME_PC], -1);
dbg->reason.bpi = NULL;
if (ri) {
ut64 addr = r_reg_get_value (dbg->reg, ri);
recoil = r_bp_recoil (dbg->bp, addr - dbg->bpsize);
//eprintf ("[R2] Breakpoint recoil at 0x%"PFMT64x" = %d\n", addr, recoil);
if (recoil < 1)
recoil = 0; // XXX Hack :D
if (recoil) {
dbg->in_recoil = true;
dbg->reason.type = R_DEBUG_REASON_BREAKPOINT;
dbg->reason.bpi = r_bp_get_at (dbg->bp, addr-recoil);
dbg->reason.addr = addr - recoil;
r_reg_set_value (dbg->reg, ri, addr-recoil);
if (r_reg_get_value (dbg->reg, ri) != (addr-recoil)) {
eprintf ("r_debug_recoil: Cannot set program counter\n");
return false;
}
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, true);
//eprintf ("[BP Hit] Setting pc to 0x%"PFMT64x"\n", (addr-recoil));
return true;
}
} else {
eprintf ("r_debug_recoil: Cannot get program counter\n");
}
return false;
}
/*
* Save 4096 bytes from %esp
* TODO: Add support for reverse stack architectures
* Also known as r_debug_inject()
*/
R_API ut64 r_debug_execute(RDebug *dbg, const ut8 *buf, int len, int restore) {
int orig_sz;
ut8 stackbackup[4096];
ut8 *backup, *orig = NULL;
RRegItem *ri, *risp, *ripc;
ut64 rsp, rpc, ra0 = 0LL;
if (r_debug_is_dead (dbg))
return R_FALSE;
ripc = r_reg_get (dbg->reg, dbg->reg->name[R_REG_NAME_PC], R_REG_TYPE_GPR);
risp = r_reg_get (dbg->reg, dbg->reg->name[R_REG_NAME_SP], R_REG_TYPE_GPR);
if (ripc) {
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE);
orig = r_reg_get_bytes (dbg->reg, -1, &orig_sz);
if (orig == NULL) {
eprintf ("Cannot get register arena bytes\n");
return 0LL;
}
rpc = r_reg_get_value (dbg->reg, ripc);
rsp = r_reg_get_value (dbg->reg, risp);
backup = malloc (len);
if (backup == NULL) {
free (orig);
return 0LL;
}
dbg->iob.read_at (dbg->iob.io, rpc, backup, len);
dbg->iob.read_at (dbg->iob.io, rsp, stackbackup, len);
r_bp_add_sw (dbg->bp, rpc+len, dbg->bpsize, R_BP_PROT_EXEC);
/* execute code here */
dbg->iob.write_at (dbg->iob.io, rpc, buf, len);
//r_bp_add_sw (dbg->bp, rpc+len, 4, R_BP_PROT_EXEC);
r_debug_continue (dbg);
//r_bp_del (dbg->bp, rpc+len);
/* TODO: check if stopped in breakpoint or not */
r_bp_del (dbg->bp, rpc+len);
dbg->iob.write_at (dbg->iob.io, rpc, backup, len);
if (restore) {
dbg->iob.write_at (dbg->iob.io, rsp, stackbackup, len);
}
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE);
ri = r_reg_get (dbg->reg, dbg->reg->name[R_REG_NAME_A0], R_REG_TYPE_GPR);
ra0 = r_reg_get_value (dbg->reg, ri);
if (restore) {
r_reg_set_bytes (dbg->reg, -1, orig, orig_sz);
} else {
r_reg_set_value (dbg->reg, ripc, rpc);
}
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_TRUE);
free (backup);
free (orig);
eprintf ("ra0=0x%08"PFMT64x"\n", ra0);
} else eprintf ("r_debug_execute: Cannot get program counter\n");
return (ra0);
}
R_API int r_debug_esil_stepi (RDebug *d) {
RAnalOp op;
ut8 obuf[64];
int ret = 1;
dbg = d;
if (!ESIL) {
ESIL = r_anal_esil_new (R_TRUE);
// TODO setup something?
}
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE);
opc = r_debug_reg_get (dbg, dbg->reg->name[R_REG_NAME_PC]);
dbg->iob.read_at (dbg->iob.io, opc, obuf, sizeof (obuf));
//dbg->iob.read_at (dbg->iob.io, npc, buf, sizeof (buf));
//dbg->anal->reg = dbg->reg; // hack
ESIL->cb.hook_mem_read = &esilbreak_mem_read;
ESIL->cb.hook_mem_write = &esilbreak_mem_write;
ESIL->cb.hook_reg_read = &esilbreak_reg_read;
ESIL->cb.hook_reg_write = &esilbreak_reg_write;
if (prestep) {
// required when a exxpression is like <= == ..
// otherwise it will stop at the next instruction
if (r_debug_step (dbg, 1)<1) {
eprintf ("Step failed\n");
return 0;
}
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE);
// npc = r_debug_reg_get (dbg, dbg->reg->name[R_REG_NAME_PC]);
}
if (r_anal_op (dbg->anal, &op, opc, obuf, sizeof (obuf))) {
if (esilbreak_check_pc (dbg, opc)) {
eprintf ("STOP AT 0x%08"PFMT64x"\n", opc);
ret = 0;
} else {
r_anal_esil_set_pc (ESIL, opc);
eprintf ("0x%08"PFMT64x" %s\n", opc, R_STRBUF_SAFEGET (&op.esil));
(void)r_anal_esil_parse (ESIL, R_STRBUF_SAFEGET (&op.esil));
//r_anal_esil_dumpstack (ESIL);
r_anal_esil_stack_free (ESIL);
ret = 1;
}
}
if (!prestep) {
if (ret && !has_match) {
if (r_debug_step (dbg, 1)<1) {
eprintf ("Step failed\n");
return 0;
}
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE);
// npc = r_debug_reg_get (dbg, dbg->reg->name[R_REG_NAME_PC]);
}
}
return ret;
}
R_API void r_anal_type_match(RCore *core, RAnalFunction *fcn) {
bool esil_var[STATES_SIZE] = {false};
if (!core ) {
return;
}
if (!r_anal_emul_init (core, esil_var) || !fcn ) {
r_anal_emul_restore (core, esil_var);
return;
}
const char *pc = r_reg_get_name (core->anal->reg, R_REG_NAME_PC);
ut64 addr = fcn->addr;
r_reg_setv (core->dbg->reg, pc, fcn->addr);
r_debug_reg_sync (core->dbg, -1, true);
r_cons_break (NULL, NULL);
while (!r_cons_is_breaked ()) {
RAnalOp *op = r_core_anal_op (core, addr);
int loop_count = sdb_num_get ( core->anal->esil->db_trace, sdb_fmt (-1, "0x%"PFMT64x".count", addr), 0);
if (loop_count > LOOP_MAX) {
eprintf ("Unfortunately your evilly engineered %s function trapped my most innocent `aftm` in an infinite loop.\n", fcn->name);
eprintf ("I kept trace log for you to review and find out how bad things were going to happen by yourself.\n");
eprintf ("You can view this log by `ate`. Meanwhile, I will train on how to behave with such behaviour without bothering you.\n");
return;
}
sdb_num_set (core->anal->esil->db_trace, sdb_fmt (-1, "0x%"PFMT64x".count", addr), loop_count + 1, 0);
if (!op || op->type == R_ANAL_OP_TYPE_RET) {
r_anal_emul_restore (core, esil_var);
return;
}
if (op->type == R_ANAL_OP_TYPE_CALL) {
RAnalFunction *fcn_call = r_anal_get_fcn_in (core->anal, op->jump, -1);
//eprintf ("in the middle of %s\n", fcn_call->name);
if (fcn_call) {
type_match (core, addr, fcn_call->name);
} else {
eprintf ("Cannot find function at 0x%08"PFMT64x"\n", op->jump);
}
addr += op->size;
r_anal_op_free (op);
r_reg_setv (core->dbg->reg, pc, addr);
r_debug_reg_sync (core->dbg, -1, true);
r_anal_esil_set_pc (core->anal->esil, addr);
addr += stack_clean (core, addr, fcn);
r_reg_setv (core->dbg->reg, pc, addr);
r_debug_reg_sync (core->dbg, -1, true);
r_anal_esil_set_pc (core->anal->esil, addr);
continue;
} else {
r_core_esil_step (core, UT64_MAX, NULL);
r_anal_op_free (op);
}
r_core_cmd0 (core, ".ar*");
addr = r_reg_getv (core->anal->reg, pc);
}
r_cons_break_end ();
r_anal_emul_restore (core, esil_var);
}
R_API int r_debug_continue_until_optype(RDebug *dbg, int type, int over) {
int ret, n = 0;
ut64 pc, buf_pc = 0;
RAnalOp op;
ut8 buf[DBG_BUF_SIZE];
if (r_debug_is_dead (dbg)) {
return R_FALSE;
}
if (!dbg->anal || !dbg->reg) {
eprintf ("Undefined pointer at dbg->anal\n");
return R_FALSE;
}
r_debug_step (dbg, 1);
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE);
// Initial refill
buf_pc = r_debug_reg_get (dbg, dbg->reg->name[R_REG_NAME_PC]);
dbg->iob.read_at (dbg->iob.io, buf_pc, buf, sizeof (buf));
// step first, we dont want to check current optype
for (;;) {
r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE);
pc = r_debug_reg_get (dbg, dbg->reg->name[R_REG_NAME_PC]);
// Try to keep the buffer full
if (pc - buf_pc > sizeof (buf)) {
buf_pc = pc;
dbg->iob.read_at (dbg->iob.io, buf_pc, buf, sizeof (buf));
}
// Analyze the opcode
if (!r_anal_op (dbg->anal, &op, pc, buf + (pc - buf_pc), sizeof (buf) - (pc - buf_pc))) {
eprintf ("Decode error at %"PFMT64x"\n", pc);
return R_FALSE;
}
if (op.type == type)
break;
// Step over and repeat
ret = over ?
r_debug_step_over (dbg, 1) :
r_debug_step (dbg, 1);
if (!ret) {
eprintf ("r_debug_step: failed\n");
break;
}
n++;
}
return n;
}
R_API int r_debug_continue_syscalls(RDebug *dbg, int *sc, int n_sc) {
int i, reg, ret = R_FALSE;
if (!dbg || !dbg->h || r_debug_is_dead (dbg))
return R_FALSE;
if (!dbg->h->contsc) {
/* user-level syscall tracing */
r_debug_continue_until_optype (dbg, R_ANAL_OP_TYPE_SWI, 0);
return show_syscall (dbg, "a0");
}
if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE)) {
eprintf ("--> cannot read registers\n");
return -1;
}
{
int err;
reg = (int)r_debug_reg_get_err (dbg, "sn", &err);
if (err) {
eprintf ("Cannot find 'sn' register for current arch-os.\n");
return -1;
}
}
for (;;) {
if (r_cons_singleton()->breaked)
break;
#if __linux__
// step is needed to avoid dupped contsc results
r_debug_step (dbg, 1);
#endif
dbg->h->contsc (dbg, dbg->pid, 0); // TODO handle return value
// wait until continuation
r_debug_wait (dbg);
if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE)) {
eprintf ("--> cannot sync regs, process is probably dead\n");
return -1;
}
reg = show_syscall (dbg, "sn");
if (n_sc == -1)
continue;
if (n_sc == 0) {
break;
}
for (i=0; i<n_sc; i++) {
if (sc[i] == reg)
return reg;
}
// TODO: must use r_core_cmd(as)..import code from rcore
}
return ret;
}
// XXX: this function uses 'oeax' which is linux-i386-specific
R_API int r_debug_continue_syscall(struct r_debug_t *dbg, int sc) {
int reg, ret = R_FALSE;
if (r_debug_is_dead (dbg))
return R_FALSE;
if (dbg && dbg->h) {
if (dbg->h->contsc) {
do {
ret = dbg->h->contsc (dbg, dbg->pid, sc);
if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE)) {
eprintf ("--> eol\n");
sc = 0;
break;
}
reg = (int)r_debug_reg_get (dbg, "oeax"); // XXX
eprintf ("--> syscall %d\n", reg);
if (reg == 0LL)
break;
// TODO: must use r_core_cmd(as)..import code from rcore
} while (sc != 0 && sc != reg);
} else {
r_debug_continue_until_optype (dbg, R_ANAL_OP_TYPE_SWI, 0);
reg = (int)r_debug_reg_get (dbg, "oeax"); // XXX
eprintf ("--> syscall %d\n", reg);
}
}
return ret;
}
R_API int r_debug_continue_syscalls(RDebug *dbg, int *sc, int n_sc) {
const char *sysname;
int i, reg, ret = R_FALSE;
if (!dbg || !dbg->h || r_debug_is_dead (dbg))
return R_FALSE;
if (!dbg->h->contsc) {
/* user-level syscall tracing */
r_debug_continue_until_optype (dbg, R_ANAL_OP_TYPE_SWI, 0);
reg = (int)r_debug_reg_get (dbg, "a0"); // XXX
sysname = r_syscall_get_i (dbg->anal->syscall, reg, -1);
if (!sysname) sysname = "unknown";
eprintf ("--> syscall %d %s\n", reg, sysname);
return reg;
}
if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE)) {
eprintf ("--> cannot read registers\n");
return -1;
}
reg = (int)r_debug_reg_get (dbg, "sn");
if (reg == (int)UT64_MAX) {
eprintf ("Cannot find 'sn' register for current arch-os.\n");
return -1;
}
for (;;) {
dbg->h->contsc (dbg, dbg->pid, 0); // TODO handle return value
if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE)) {
eprintf ("--> eol\n");
return -1;
}
reg = (int)r_debug_reg_get (dbg, "sn");
if (reg == (int)UT64_MAX)
return -1;
sysname = r_syscall_get_i (dbg->anal->syscall, reg, -1);
if (!sysname) sysname = "unknown";
eprintf ("--> syscall %d %s\n", reg, sysname);
for (i=0; i<n_sc; i++) {
if (sc[i] == reg)
return reg;
}
// TODO: must use r_core_cmd(as)..import code from rcore
}
return ret;
}
static int __esil_step(RDebug *dbg) {
int oplen;
ut8 buf[64];
ut64 pc = 0LL; // getreg("pc")
RAnalOp op;
pc = r_debug_reg_sync(dbg, R_REG_TYPE_GPR, false);
pc = r_debug_reg_get (dbg, "PC");
eprintf ("PC = 0x%" PFMT64x "\n", pc);
/// XXX. hack to trick vaddr issue
//pc = 0x100001478;
//memset (buf, 0, sizeof (buf));
dbg->iob.read_at (dbg->iob.io, pc, buf, 64);
eprintf ("READ 0x%08"PFMT64x" %02x %02x %02x\n", pc, buf[0], buf[1], buf[2]);
oplen = r_anal_op (dbg->anal, &op, pc, buf, sizeof (buf));
if (oplen > 0) {
if (*R_STRBUF_SAFEGET (&op.esil)) {
eprintf ("ESIL: %s\n", R_STRBUF_SAFEGET (&op.esil));
r_anal_esil_parse (dbg->anal->esil, R_STRBUF_SAFEGET (&op.esil));
}
}
eprintf ("TODO: ESIL STEP\n");
return true;
}
/*
* Recoiling after a breakpoint has two stages:
* 1. remove the breakpoint and fix the program counter.
* 2. on resume, single step once and then replace the breakpoint.
*
* Thus, we have two functions to handle these situations.
* r_debug_bp_hit handles stage 1.
* r_debug_recoil handles stage 2.
*/
static int r_debug_bp_hit(RDebug *dbg, RRegItem *pc_ri, ut64 pc) {
RBreakpointItem *b;
/* if we are tracing, update the tracing data */
if (dbg->trace->enabled) {
r_debug_trace_pc (dbg, pc);
}
/* remove all sw breakpoints for now. we'll set them back in stage 2
*
* this is necessary because while stopped we don't want any breakpoints in
* the code messing up our analysis.
*/
if (!r_bp_restore (dbg->bp, false)) { // unset sw breakpoints
return false;
}
/* if we are recoiling, tell r_debug_step that we ignored a breakpoint
* event */
if (!dbg->swstep && dbg->recoil_mode != R_DBG_RECOIL_NONE) {
dbg->reason.bp_addr = 0;
return true;
}
/* see if we really have a breakpoint here... */
b = r_bp_get_at (dbg->bp, pc - dbg->bpsize);
if (!b) { /* we don't. nothing left to do */
return true;
}
/* set the pc value back */
pc -= b->size;
if (!r_reg_set_value (dbg->reg, pc_ri, pc)) {
eprintf ("failed to set PC!\n");
return false;
}
if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, true)) {
eprintf ("cannot set registers!\n");
return false;
}
/* if we are on a software stepping breakpoint, we hide what is going on... */
if (b->swstep) {
dbg->reason.bp_addr = 0;
return true;
}
/* setup our stage 2 */
dbg->reason.bp_addr = b->addr;
/* inform the user of what happened */
eprintf ("hit %spoint at: %"PFMT64x "\n",
b->trace ? "trace" : "break", pc);
/* now that we've cleaned up after the breakpoint, call the other
* potential breakpoint handlers
*/
if (dbg->corebind.core && dbg->corebind.bphit) {
dbg->corebind.bphit (dbg->corebind.core, b);
}
/* XXX(jjd): i don't think this goes here...
if (b->trace) {
r_debug_step (dbg, 1);
goto repeat;
}
*/
return true;
}
/*
* Recoiling after a breakpoint has two stages:
* 1. remove the breakpoint and fix the program counter.
* 2. on resume, single step once and then replace the breakpoint.
*
* Thus, we have two functions to handle these situations.
* r_debug_bp_hit handles stage 1.
* r_debug_recoil handles stage 2.
*/
static int r_debug_bp_hit(RDebug *dbg, RRegItem *pc_ri, ut64 pc, RBreakpointItem **pb) {
RBreakpointItem *b;
if (!pb) {
eprintf ("BreakpointItem is NULL!\n");
return false;
}
/* initialize the output parameter */
*pb = NULL;
/* if we are tracing, update the tracing data */
if (dbg->trace->enabled) {
r_debug_trace_pc (dbg, pc);
}
/* remove all sw breakpoints for now. we'll set them back in stage 2
*
* this is necessary because while stopped we don't want any breakpoints in
* the code messing up our analysis.
*/
if (!r_bp_restore (dbg->bp, false)) { // unset sw breakpoints
return false;
}
/* if we are recoiling, tell r_debug_step that we ignored a breakpoint
* event */
if (!dbg->swstep && dbg->recoil_mode != R_DBG_RECOIL_NONE) {
dbg->reason.bp_addr = 0;
return true;
}
/* The MIPS ptrace has a different behaviour */
# if __mips__
/* see if we really have a breakpoint here... */
b = r_bp_get_at (dbg->bp, pc);
if (!b) { /* we don't. nothing left to do */
return true;
}
# else
int pc_off = dbg->bpsize;
/* see if we really have a breakpoint here... */
b = r_bp_get_at (dbg->bp, pc - dbg->bpsize);
if (!b) { /* we don't. nothing left to do */
/* Some targets set pc to breakpoint */
b = r_bp_get_at (dbg->bp, pc);
if (!b) {
return true;
}
pc_off = 0;
}
/* set the pc value back */
if (pc_off) {
pc -= pc_off;
if (!r_reg_set_value (dbg->reg, pc_ri, pc)) {
eprintf ("failed to set PC!\n");
return false;
}
if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, true)) {
eprintf ("cannot set registers!\n");
return false;
}
}
# endif
*pb = b;
/* if we are on a software stepping breakpoint, we hide what is going on... */
if (b->swstep) {
dbg->reason.bp_addr = 0;
return true;
}
/* setup our stage 2 */
dbg->reason.bp_addr = b->addr;
/* inform the user of what happened */
if (dbg->hitinfo) {
eprintf ("hit %spoint at: %"PFMT64x "\n",
b->trace ? "trace" : "break", pc);
}
/* now that we've cleaned up after the breakpoint, call the other
* potential breakpoint handlers
*/
if (dbg->corebind.core && dbg->corebind.bphit) {
dbg->corebind.bphit (dbg->corebind.core, b);
}
return true;
}
