R_API void r_anal_type_match(RCore *core, RAnalFunction *fcn) {
bool esil_var[STATES_SIZE] = {false};
if (!core ) {
return;
}
if (!r_anal_emul_init (core, esil_var) || !fcn ) {
r_anal_emul_restore (core, esil_var);
return;
}
const char *pc = r_reg_get_name (core->anal->reg, R_REG_NAME_PC);
ut64 addr = fcn->addr;
r_reg_setv (core->dbg->reg, pc, fcn->addr);
r_debug_reg_sync (core->dbg, -1, true);
r_cons_break (NULL, NULL);
while (!r_cons_is_breaked ()) {
RAnalOp *op = r_core_anal_op (core, addr);
int loop_count = sdb_num_get ( core->anal->esil->db_trace, sdb_fmt (-1, "0x%"PFMT64x".count", addr), 0);
if (loop_count > LOOP_MAX) {
eprintf ("Unfortunately your evilly engineered %s function trapped my most innocent `aftm` in an infinite loop.\n", fcn->name);
eprintf ("I kept trace log for you to review and find out how bad things were going to happen by yourself.\n");
eprintf ("You can view this log by `ate`. Meanwhile, I will train on how to behave with such behaviour without bothering you.\n");
return;
}
sdb_num_set (core->anal->esil->db_trace, sdb_fmt (-1, "0x%"PFMT64x".count", addr), loop_count + 1, 0);
if (!op || op->type == R_ANAL_OP_TYPE_RET) {
r_anal_emul_restore (core, esil_var);
return;
}
if (op->type == R_ANAL_OP_TYPE_CALL) {
RAnalFunction *fcn_call = r_anal_get_fcn_in (core->anal, op->jump, -1);
//eprintf ("in the middle of %s\n", fcn_call->name);
if (fcn_call) {
type_match (core, addr, fcn_call->name);
} else {
eprintf ("Cannot find function at 0x%08"PFMT64x"\n", op->jump);
}
addr += op->size;
r_anal_op_free (op);
r_reg_setv (core->dbg->reg, pc, addr);
r_debug_reg_sync (core->dbg, -1, true);
r_anal_esil_set_pc (core->anal->esil, addr);
addr += stack_clean (core, addr, fcn);
r_reg_setv (core->dbg->reg, pc, addr);
r_debug_reg_sync (core->dbg, -1, true);
r_anal_esil_set_pc (core->anal->esil, addr);
continue;
} else {
r_core_esil_step (core, UT64_MAX, NULL);
r_anal_op_free (op);
}
r_core_cmd0 (core, ".ar*");
addr = r_reg_getv (core->anal->reg, pc);
}
r_cons_break_end ();
r_anal_emul_restore (core, esil_var);
}
static int stack_clean (RCore *core, ut64 addr, RAnalFunction *fcn) {
int offset, ret;
char *tmp, *str, *sig;
RAnalOp *op = r_core_anal_op (core, addr);
if (!op) {
return 0;
}
str = strdup (r_strbuf_get (&op->esil));
if (!str) {
return 0;
}
tmp = strchr (str, ',');
if (!tmp) {
free (str);
return 0;
}
*tmp++ = 0;
offset = r_num_math (core->num, str);
const char *sp = r_reg_get_name (core->anal->reg, R_REG_NAME_SP);
sig = sdb_fmt (-1, "%s,+=", sp);
ret = 0;
if (!strncmp (tmp, sig, strlen (sig))) {
const char *esil = sdb_fmt (-1, "%d,%s,-=", offset, sp);
r_anal_esil_parse (core->anal->esil, esil);
r_anal_esil_dumpstack (core->anal->esil);
r_anal_esil_stack_free (core->anal->esil);
r_core_esil_step (core, UT64_MAX, NULL);
ret = op->size;
}
r_anal_op_free (op);
free (str);
return ret;
}
void emu_free(emu *e)
{
if (e->reg == e->anal->reg)
e->reg = NULL;
else r_reg_free(e->reg);
r_io_free(e->io);
r_bin_free(e->bin);
r_lib_free(e->lib);
r_list_free(e->plugins);
r_asm_free(e->a);
r_asm_op_free(e->op);
r_anal_op_free(e->anop);
r_anal_free(e->anal);
if (e->vsections) {
RListIter *iter;
VSection *vs;
r_list_foreach(e->vsections, iter, vs)
virtual_section_rm_i(e, vs->id);
}
r_list_free(e->vsections);
if (e->screen) sdb_free (e->screen);
free(e);
}
ut64 analyzeStackBased(RCore *core, Sdb *db, ut64 addr, RList *delayed_commands) {
#define addCall(x) sdb_array_add_num (db, "calls", x, 0);
#define addUcall(x) sdb_array_add_num (db, "ucalls", x, 0);
#define addUjmp(x) sdb_array_add_num (db, "ujmps", x, 0);
#define addCjmp(x) sdb_array_add_num (db, "cjmps", x, 0);
#define addRet(x) sdb_array_add_num (db, "rets", x, 0);
#define bbAddOpcode(x) sdb_array_insert_num (db, sdb_fmt ("bb.%"PFMT64x, addr+cur), -1, x, 0);
ut64 oaddr = addr;
ut64 *value = NULL;
RAnalOp *op;
int cur = 0;
bool block_end = false;
RStack *stack = r_stack_newf (10, free);
addTarget (core, stack, db, addr);
while (!r_stack_is_empty (stack)) {
block_end = false;
value = (ut64*) r_stack_pop (stack);
if (!value) {
eprintf ("Failed to pop next address from stack\n");
break;
}
addr = *value;
free (value);
cur = 0;
while (!block_end) {
op = r_core_anal_op (core, addr + cur, R_ANAL_OP_MASK_BASIC);
if (!op || !op->mnemonic) {
eprintf ("Cannot analyze opcode at %"PFMT64d"\n", addr+cur);
oaddr = UT64_MAX;
break;
}
if (op->mnemonic[0] == '?') {
eprintf ("Cannot analyze opcode at %"PFMT64d"\n", addr+cur);
oaddr = UT64_MAX;
break;
}
bbAddOpcode (addr+cur);
switch (op->type) {
case R_ANAL_OP_TYPE_NOP:
// skip nops
if (cur == 0) {
cur -= op->size;
addr += op->size;
oaddr += op->size;
}
break;
case R_ANAL_OP_TYPE_CALL:
/* A call instruction implies that the destination
* is a new function unless the address is inside
* the same range than the current function */
addCall (op->jump);
r_list_append (delayed_commands, r_str_newf ("axC %"PFMT64d" %"PFMT64d, op->jump, addr + cur));
break;
case R_ANAL_OP_TYPE_UCALL:
case R_ANAL_OP_TYPE_ICALL:
case R_ANAL_OP_TYPE_RCALL:
case R_ANAL_OP_TYPE_IRCALL:
/* unknown calls depend on ESIL or DEBUG tracing
* information to know the destination, we can mark
* those 'calls' for later adding tracepoints in
* there to record all possible destinations */
addUcall (addr+cur);
if (op->ptr != UT64_MAX) {
r_list_append (delayed_commands, r_str_newf ("axC %"PFMT64d" %"PFMT64d, op->ptr, addr + cur));
}
break;
case R_ANAL_OP_TYPE_UJMP:
case R_ANAL_OP_TYPE_RJMP:
case R_ANAL_OP_TYPE_IJMP:
case R_ANAL_OP_TYPE_IRJMP:
/* an unknown jump use to go into computed destinations
* outside the current function, but it may result
* on an antidisasm trick */
addUjmp (addr + cur);
/* An unknown jump breaks the basic blocks */
block_end = true; // XXX more investigation here
break;
case R_ANAL_OP_TYPE_TRAP:
if (cur == 0) {
// skip leading int3
cur -= op->size;
addr += op->size;
oaddr += op->size;
} else {
block_end = true;
}
break;
case R_ANAL_OP_TYPE_RET:
addRet (addr + cur);
bbAdd (db, addr, addr + cur + op->size, UT64_MAX, UT64_MAX);
block_end = true;
break;
case R_ANAL_OP_TYPE_CJMP:
addCjmp (addr+cur);
bbAdd (db, addr, addr + cur + op->size, op->jump, addr + cur + op->size);
addTarget (core, stack, db, op->jump);
addTarget (core, stack, db, addr + cur + op->size);
block_end = true;
r_list_append (delayed_commands, r_str_newf ("axc %"PFMT64d" %"PFMT64d, op->jump, addr + cur));
break;
case R_ANAL_OP_TYPE_JMP:
addUjmp (addr+cur);
bbAdd (db, addr, addr + cur + op->size, op->jump, UT64_MAX);
addTarget (core, stack, db, op->jump);
block_end = true;
r_list_append (delayed_commands, r_str_newf ("axc %"PFMT64d" %"PFMT64d, op->jump, addr + cur));
break;
case R_ANAL_OP_TYPE_UNK:
case R_ANAL_OP_TYPE_ILL:
eprintf ("a2f: Invalid instruction\n");
block_end = true;
break;
default:
if (op->ptr != UT64_MAX) {
r_list_append (delayed_commands, r_str_newf ("axd %"PFMT64d" %"PFMT64d, op->ptr, addr + cur));
}
break;
}
cur += op->size;
r_anal_op_free (op);
op = NULL;
}
}
r_stack_free (stack);
return oaddr;
}
R_API int r_core_visual_cmd(RCore *core, int ch) {
RAsmOp op;
ut64 offset = core->offset;
char buf[4096];
int i, ret, offscreen, cols = core->print->cols, delta = 0;
ch = r_cons_arrow_to_hjkl (ch);
ch = visual_nkey (core, ch);
if (ch<2) return 1;
// do we need hotkeys for data references? not only calls?
if (ch>='0'&& ch<='9') {
ut64 off = core->asmqjmps[ch-'0'];
if (off != UT64_MAX) {
int delta = R_ABS ((st64)off-(st64)offset);
r_io_sundo_push (core->io, offset);
if (curset && delta<100) {
cursor = delta;
} else {
r_core_visual_seek_animation (core, off);
//r_core_seek (core, off, 1);
}
r_core_block_read (core, 1);
}
} else
switch (ch) {
case 0x0d:
{
r_cons_enable_mouse (R_TRUE);
RAnalOp *op = r_core_anal_op (core, core->offset+cursor);
if (op) {
if (op->type == R_ANAL_OP_TYPE_JMP ||
op->type == R_ANAL_OP_TYPE_CJMP ||
op->type == R_ANAL_OP_TYPE_CALL) {
r_io_sundo_push (core->io, offset);
r_core_visual_seek_animation(core, op->jump);
}
}
r_anal_op_free (op);
}
break;
case 90: // shift+tab
if (!strcmp (printfmt[0], "x"))
printfmt[0] = "pxa";
else printfmt[0] = "x";
break;
case 9: // tab
{ // XXX: unify diff mode detection
ut64 f = r_config_get_i (core->config, "diff.from");
ut64 t = r_config_get_i (core->config, "diff.to");
if (f == t && f == 0) {
core->print->col = core->print->col==1? 2: 1;
} else {
ut64 delta = offset - f;
r_core_seek (core, t+delta, 1);
r_config_set_i (core->config, "diff.from", t);
r_config_set_i (core->config, "diff.to", f);
}
}
break;
case 'a':
if (core->file && !(core->file->rwx & 2)) {
r_cons_printf ("\nFile has been opened in read-only mode. Use -w flag\n");
r_cons_any_key ();
return R_TRUE;
}
r_cons_printf ("Enter assembler opcodes separated with ';':\n");
showcursor (core, R_TRUE);
r_cons_flush ();
r_cons_set_raw (R_FALSE);
strcpy (buf, "wa ");
r_line_set_prompt (":> ");
if (r_cons_fgets (buf+3, 1000, 0, NULL) <0) buf[0]='\0';
if (*buf) {
if (curset) r_core_seek (core, core->offset + cursor, 0);
r_core_cmd (core, buf, R_TRUE);
if (curset) r_core_seek (core, core->offset - cursor, 1);
}
showcursor (core, R_FALSE);
r_cons_set_raw (R_TRUE);
break;
case '!':
r_cons_2048();
break;
case 'o':
visual_offset (core);
break;
case 'A':
{ int oc = curset;
ut64 off = curset? core->offset+cursor : core->offset;
curset = 0;
r_core_visual_asm (core, off);
curset = oc;
}
break;
case 'c':
setcursor (core, curset?0:1);
break;
case 'C':
color = color? 0: 1;
r_config_set_i (core->config, "scr.color", color);
break;
case 'd':
r_core_visual_define (core);
break;
case 'D':
setdiff (core);
break;
case 'f':
{
int range, min, max;
char name[256], *n;
r_line_set_prompt ("flag name: ");
showcursor (core, R_TRUE);
if (r_cons_fgets (name, sizeof (name), 0, NULL) >=0 && *name) {
n = r_str_chop (name);
if (*name=='-') {
if (*n) r_flag_unset (core->flags, n+1, NULL);
} else {
if (ocursor != -1) {
min = R_MIN (cursor, ocursor);
max = R_MAX (cursor, ocursor);
} else {
min = max = cursor;
}
range = max-min+1;
if (range<1) range = 1;
if (*n) r_flag_set (core->flags, n,
core->offset + min, range, 1);
}
}
}
showcursor (core, R_FALSE);
break;
case 'F':
r_flag_unset_i (core->flags, core->offset + cursor, NULL);
break;
case 'n':
r_core_seek_next (core, r_config_get (core->config, "scr.nkey"));
break;
case 'N':
r_core_seek_previous (core, r_config_get (core->config, "scr.nkey"));
break;
case 'i':
case 'I':
if (core->file && !(core->file->rwx & 2)) {
r_cons_printf ("\nFile has been opened in read-only mode. Use -w flag\n");
r_cons_any_key ();
return R_TRUE;
}
showcursor (core, R_TRUE);
r_cons_flush ();
r_cons_set_raw (0);
if (ch=='I') {
strcpy (buf, "wow ");
r_line_set_prompt ("insert hexpair block: ");
if (r_cons_fgets (buf+4, sizeof (buf)-5, 0, NULL) <0)
buf[0]='\0';
char *p = strdup (buf);
int cur = core->print->cur;
if (cur>=core->blocksize)
cur = core->print->cur-1;
snprintf (buf, sizeof (buf), "%s @ $$0!%i", p,
core->blocksize-cursor);
r_core_cmd (core, buf, 0);
free (p);
break;
}
delta = (ocursor!=-1)? R_MIN (cursor, ocursor): cursor;
if (core->print->col==2) {
strcpy (buf, "\"w ");
r_line_set_prompt ("insert string: ");
if (r_cons_fgets (buf+3, sizeof (buf)-4, 0, NULL) <0)
buf[0]='\0';
strcat (buf, "\"");
} else {
r_line_set_prompt ("insert hex: ");
if (ocursor != -1) {
int bs = R_ABS (cursor-ocursor)+1;
core->blocksize = bs;
strcpy (buf, "wow ");
} else {
strcpy (buf, "wx ");
}
if (r_cons_fgets (buf+strlen (buf), sizeof (buf)-strlen (buf), 0, NULL) <0)
buf[0]='\0';
}
if (curset) r_core_seek (core, core->offset + delta, 0);
r_core_cmd (core, buf, 1);
if (curset) r_core_seek (core, offset, 1);
r_cons_set_raw (1);
showcursor (core, R_FALSE);
break;
case 'R':
r_core_cmd0 (core, "ecr");
break;
case 'e':
r_core_visual_config (core);
break;
case 'E':
r_core_visual_colors (core);
break;
case 'M':
r_core_visual_mounts (core);
break;
case 't':
r_core_visual_trackflags (core);
break;
case 'x':
{
int count = 0;
RList *xrefs = NULL;
RAnalRef *refi;
RListIter *iter;
RAnalFunction *fun;
if ((xrefs = r_anal_xref_get (core->anal, core->offset))) {
r_cons_gotoxy (1, 1);
r_cons_printf ("[GOTO XREF]> \n");
if (r_list_empty (xrefs)) {
r_cons_printf ("\tNo XREF found at 0x%"PFMT64x"\n", core->offset);
r_cons_any_key ();
r_cons_clear00 ();
} else {
r_list_foreach (xrefs, iter, refi) {
fun = r_anal_fcn_find (core->anal, refi->addr, R_ANAL_FCN_TYPE_NULL);
r_cons_printf (" [%i] 0x%08"PFMT64x" %s XREF 0x%08"PFMT64x" (%s) \n", count,
refi->at,
refi->type==R_ANAL_REF_TYPE_CODE?"CODE (JMP)":
refi->type==R_ANAL_REF_TYPE_CALL?"CODE (CALL)":"DATA", refi->addr,
fun?fun->name:"unk");
if (++count > 9) break;
}
}
} else xrefs = NULL;
// TODO: return RAnalException *
R_API int r_anal_op_execute (RAnal *anal, RAnalOp *op) {
while (op) {
if (op->delay>0) {
anal->queued = r_anal_op_copy (op);
return R_FALSE;
}
switch (op->type) {
case R_ANAL_OP_TYPE_JMP:
case R_ANAL_OP_TYPE_UJMP:
case R_ANAL_OP_TYPE_CALL:
break;
case R_ANAL_OP_TYPE_ADD:
// dst = src[0] + src[1] + src[2]
r_anal_value_set_ut64 (anal, op->dst,
r_anal_value_to_ut64 (anal, op->src[0])+
r_anal_value_to_ut64 (anal, op->src[1])+
r_anal_value_to_ut64 (anal, op->src[2]));
break;
case R_ANAL_OP_TYPE_SUB:
// dst = src[0] + src[1] + src[2]
r_anal_value_set_ut64 (anal, op->dst,
r_anal_value_to_ut64 (anal, op->src[0])-
r_anal_value_to_ut64 (anal, op->src[1])-
r_anal_value_to_ut64 (anal, op->src[2]));
break;
case R_ANAL_OP_TYPE_DIV:
{
ut64 div = r_anal_value_to_ut64 (anal, op->src[1]);
if (div == 0) {
eprintf ("r_anal_op_execute: division by zero\n");
eprintf ("TODO: throw RAnalException\n");
} else r_anal_value_set_ut64 (anal, op->dst,
r_anal_value_to_ut64 (anal, op->src[0])/div);
}
break;
case R_ANAL_OP_TYPE_MUL:
r_anal_value_set_ut64 (anal, op->dst,
r_anal_value_to_ut64 (anal, op->src[0])*
r_anal_value_to_ut64 (anal, op->src[1]));
break;
case R_ANAL_OP_TYPE_MOV:
// dst = src[0]
r_anal_value_set_ut64 (anal, op->dst,
r_anal_value_to_ut64 (anal, op->src[0]));
break;
case R_ANAL_OP_TYPE_NOP:
// do nothing
break;
}
op = op->next;
}
if (anal->queued) {
if (op && op->delay>0) {
eprintf ("Exception! two consecutive delayed instructions\n");
return R_FALSE;
}
anal->queued->delay--;
if (anal->queued->delay == 0) {
r_anal_op_execute (anal, anal->queued);
r_anal_op_free (anal->queued);
anal->queued = NULL;
}
}
return R_TRUE;
}
R_API int r_anal_bb(RAnal *anal, RAnalBlock *bb, ut64 addr, ut8 *buf, ut64 len, int head) {
RAnalOp *op = NULL;
int oplen, idx = 0;
if (bb->addr == -1) {
bb->addr = addr;
}
len -= 16; // XXX: hack to avoid segfault by x86im
while (idx < len) {
// TODO: too slow object construction
if (!(op = r_anal_op_new ())) {
eprintf ("Error: new (op)\n");
return R_ANAL_RET_ERROR;
}
if ((oplen = r_anal_op (anal, op, addr + idx, buf + idx, len - idx)) == 0) {
r_anal_op_free (op);
op = NULL;
if (idx == 0) {
VERBOSE_ANAL eprintf ("Unknown opcode at 0x%08"PFMT64x"\n", addr+idx);
return R_ANAL_RET_END;
}
break;
}
if (oplen < 1) {
return R_ANAL_RET_END;
}
r_anal_bb_set_offset (bb, bb->ninstr, addr + idx - bb->addr);
idx += oplen;
bb->size += oplen;
bb->ninstr++;
#if R_ANAL_BB_HAS_OPS
r_list_append (bb->ops, op);
#endif
if (head) {
bb->type = R_ANAL_BB_TYPE_HEAD;
}
switch (op->type) {
case R_ANAL_OP_TYPE_CMP:
r_anal_cond_free (bb->cond);
bb->cond = r_anal_cond_new_from_op (op);
break;
case R_ANAL_OP_TYPE_CJMP:
if (bb->cond) {
// TODO: get values from anal backend
bb->cond->type = R_ANAL_COND_EQ;
} else VERBOSE_ANAL eprintf ("Unknown conditional for block 0x%"PFMT64x"\n", bb->addr);
bb->conditional = 1;
bb->fail = op->fail;
bb->jump = op->jump;
bb->type |= R_ANAL_BB_TYPE_BODY;
goto beach;
case R_ANAL_OP_TYPE_JMP:
bb->jump = op->jump;
bb->type |= R_ANAL_BB_TYPE_BODY;
goto beach;
case R_ANAL_OP_TYPE_UJMP:
bb->type |= R_ANAL_BB_TYPE_FOOT;
goto beach;
case R_ANAL_OP_TYPE_RET:
bb->type |= R_ANAL_BB_TYPE_LAST;
goto beach;
case R_ANAL_OP_TYPE_LEA:
{
RAnalValue *src = op->src[0];
if (src && src->reg && anal->reg) {
const char *pc = anal->reg->name[R_REG_NAME_PC];
RAnalValue *dst = op->dst;
if (dst && dst->reg && !strcmp (src->reg->name, pc)) {
int memref = anal->bits/8;
ut8 b[8];
ut64 ptr = idx+addr+src->delta;
anal->iob.read_at (anal->iob.io, ptr, b, memref);
r_anal_ref_add (anal, ptr, addr+idx-op->size, 'd');
}
}
}
}
r_anal_op_free (op);
}
return bb->size;
beach:
r_anal_op_free (op);
return R_ANAL_RET_END;
}
int main(int argc, char **argv) {
RLib *lib;
RAnal *anal = r_anal_new ();
RAnalOp *op = r_anal_op_new ();
ut8 *ptr, *buf = NULL, *data = NULL;
ut64 offset = 0x8048000LL;
char *arch = NULL;
int bin = false, len = 0, bits = 32;
int c, idx, ret, tlen, word;
lib = r_lib_new ("radare_plugin");
r_lib_add_handler (lib, R_LIB_TYPE_ANAL, "analysis plugins",
&__lib_anal_cb, &__lib_anal_dt, anal);
r_lib_opendir (lib, r_sys_getenv ("LIBR_PLUGINS"));
while ((c = getopt (argc, argv, "a:b:Bhl:Lo:")) != -1) {
switch (c) {
case 'a':
arch = optarg;
break;
case 'b':
bits = r_num_math (NULL, optarg);
break;
case 'B':
bin = true;
break;
case 'h':
return usage ();
case 'l':
len = r_num_math (NULL, optarg);
break;
case 'L':
return r_anal_list (anal);
case 'o':
offset = r_num_math (NULL, optarg);
break;
}
}
if (!argv[optind] || (bin && !len))
return usage ();
/* Set default options */
if (arch) {
if (!r_anal_use (anal, arch)) {
eprintf ("Invalid plugin\n");
return 1;
}
} else r_anal_use (anal, "x86");
if (!r_anal_set_bits (anal, bits))
r_anal_set_bits (anal, 32);
/* Get input & convert to bin if necessary */
if (argv[optind][0] == '-') {
idx = 0;
while (true) {
if (!(buf = realloc (buf, idx+1024)))
return 1;
fgets ((char*)buf+idx, 1024, stdin);
if ((!bin && feof (stdin)) ||(len && idx >= len))
break;
idx += 1023;
}
} else {
if (!(buf = (ut8 *)strdup (argv[optind])))
return 1;
}
if (bin) {
data = (ut8*)buf;
} else {
ptr = buf, word = tlen = 0;
while (ptr[0]) {
int p = *ptr;
if (p!= ' ' && p!= '\n' && p!= '\r')
if (0==(++word%2)) tlen++;
ptr += 1;
}
data = malloc (tlen+1);
if (!data) {
r_anal_free (anal);
r_anal_op_free (op);
return 1;
}
r_hex_str2bin ((char *)buf, data);
if (!len || len > tlen) len = tlen;
free (buf);
}
/* Analyze */
for (idx=ret=0; idx<len; idx+=ret) {
if (!(ret = analyze (anal, op, offset+idx, data+idx, len-idx))) {
eprintf ("Ooops\n");
free (data);
r_anal_free (anal);
r_anal_op_free (op);
return 1;
}
}
free (data);
r_anal_free (anal);
r_anal_op_free (op);
return 0;
}
ut64 analyzeIterative (RCore *core, Sdb *db, ut64 addr) {
#define addCall(x) sdb_array_add_num (db, "calls", x, 0);
#define addUcall(x) sdb_array_add_num (db, "ucalls", x, 0);
#define addUjmp(x) sdb_array_add_num (db, "ujmps", x, 0);
#define addCjmp(x) sdb_array_add_num (db, "cjmps", x, 0);
#define addRet(x) sdb_array_add_num (db, "rets", x, 0);
#define bbAddOpcode(x) sdb_array_insert_num (db, sdb_fmt (0, "bb.%"PFMT64x, bb_begin), -1, x, 0);
/* this loop creates basic blocks */
ut64 oaddr = addr;
RAnalOp *op;
int cur = 0;
int fcn_size = 0;
ut64 bb_end = addr;
ut64 bb_begin = addr;
eprintf ("-> 0x%08"PFMT64x"\n", addr);
for (;;) {
op = r_core_anal_op (core, addr + cur);
if (!op || !op->mnemonic) {
eprintf ("Cannot analyze opcode at %"PFMT64d"\n", addr+cur);
break;
}
eprintf ("0x%08"PFMT64x" %s\n", addr + cur, op->mnemonic);
if (op->mnemonic[0] == '?') {
eprintf ("Cannot analyze opcode at %"PFMT64d"\n", addr+cur);
break;
}
bb_end += op->size;
fcn_size += op->size;
bbAddOpcode (addr+cur);
switch (op->type) {
case R_ANAL_OP_TYPE_NOP:
/* If placed at the beginning..just skip them */
if (cur == 0) {
eprintf ("NOPSKIP %d\n", op->size);
oaddr += op->size;
bb_begin = addr = oaddr;
fcn_size -= op->size;
cur -= op->size;
}
break;
case R_ANAL_OP_TYPE_CALL:
/* A call instruction implies that the destination
* is a new function unless the address is inside
* the same range than the current function */
addCall (op->jump);
// add call reference
break;
case R_ANAL_OP_TYPE_UCALL:
/* unknown calls depend on ESIL or DEBUG tracing
* information to know the destination, we can mark
* those 'calls' for later adding tracepoints in
* there to record all possible destinations */
addUcall (addr+cur);
break;
case R_ANAL_OP_TYPE_UJMP:
/* an unknown jump use to go into computed destinations
* outside the current function, but it may result
* on an antidisasm trick */
addUjmp (addr+cur);
/* An unknown jump breaks the basic blocks */
goto endOfFunction;
case R_ANAL_OP_TYPE_TRAP:
addRet (addr + cur);
goto endOfFunction;
case R_ANAL_OP_TYPE_RET:
addRet (addr + cur);
goto endOfFunction;
case R_ANAL_OP_TYPE_CJMP:
/* jumps use to go into the same function, so we*/
addCjmp (op->jump);
bbAdd (db, bb_begin, bb_end, op->jump, bb_end);
bb_begin = bb_end;
break;
case R_ANAL_OP_TYPE_JMP:
/* jumps usually go to the same function, but they
* can be used */
goto endOfFunction;
case R_ANAL_OP_TYPE_UNK:
eprintf ("Unknown instruction at 0x%08"PFMT64x"\n", addr+cur);
goto endOfFunction;
case R_ANAL_OP_TYPE_ILL:
eprintf ("HLT\n");
goto endOfFunction;
}
cur += op->size;
r_anal_op_free (op);
op = NULL;
}
endOfFunction:
r_anal_op_free (op);
bbAdd (db, bb_begin, bb_end, UT64_MAX, UT64_MAX);
return oaddr;
}
