/* restore program counter after breakpoint hit */ static int r_debug_recoil(RDebug *dbg) { int recoil; RRegItem *ri; if (r_debug_is_dead (dbg)) return R_FALSE; r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE); ri = r_reg_get (dbg->reg, dbg->reg->name[R_REG_NAME_PC], -1); dbg->reason.bpi = NULL; if (ri) { ut64 addr = r_reg_get_value (dbg->reg, ri); recoil = r_bp_recoil (dbg->bp, addr); //eprintf ("[R2] Breakpoint recoil at 0x%"PFMT64x" = %d\n", addr, recoil); #if __arm__ if (recoil<1) recoil = 0; // XXX Hack :D #else if (recoil<1) recoil = 0; //1; // XXX Hack :D (x86 only?) #endif if (recoil) { dbg->reason.type = R_DEBUG_REASON_BREAKPOINT; dbg->reason.bpi = r_bp_get_at (dbg->bp, addr-recoil); dbg->reason.addr = addr - recoil; r_reg_set_value (dbg->reg, ri, addr-recoil); if (r_reg_get_value (dbg->reg, ri) != (addr-recoil)) { eprintf ("r_debug_recoil: Cannot set program counter\n"); return R_FALSE; } r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_TRUE); //eprintf ("[BP Hit] Setting pc to 0x%"PFMT64x"\n", (addr-recoil)); return R_TRUE; } } else eprintf ("r_debug_recoil: Cannot get program counter\n"); return R_FALSE; }
/* restore program counter after breakpoint hit */ static int r_debug_recoil(RDebug *dbg) { int recoil; RRegItem *ri; if (r_debug_is_dead (dbg)) { return false; } r_debug_reg_sync (dbg, R_REG_TYPE_GPR, false); ri = r_reg_get (dbg->reg, dbg->reg->name[R_REG_NAME_PC], -1); dbg->reason.bpi = NULL; if (ri) { ut64 addr = r_reg_get_value (dbg->reg, ri); recoil = r_bp_recoil (dbg->bp, addr - dbg->bpsize); //eprintf ("[R2] Breakpoint recoil at 0x%"PFMT64x" = %d\n", addr, recoil); if (recoil < 1) recoil = 0; // XXX Hack :D if (recoil) { dbg->in_recoil = true; dbg->reason.type = R_DEBUG_REASON_BREAKPOINT; dbg->reason.bpi = r_bp_get_at (dbg->bp, addr-recoil); dbg->reason.addr = addr - recoil; r_reg_set_value (dbg->reg, ri, addr-recoil); if (r_reg_get_value (dbg->reg, ri) != (addr-recoil)) { eprintf ("r_debug_recoil: Cannot set program counter\n"); return false; } r_debug_reg_sync (dbg, R_REG_TYPE_GPR, true); //eprintf ("[BP Hit] Setting pc to 0x%"PFMT64x"\n", (addr-recoil)); return true; } } else { eprintf ("r_debug_recoil: Cannot get program counter\n"); } return false; }
/* * Save 4096 bytes from %esp * TODO: Add support for reverse stack architectures * Also known as r_debug_inject() */ R_API ut64 r_debug_execute(RDebug *dbg, const ut8 *buf, int len, int restore) { int orig_sz; ut8 stackbackup[4096]; ut8 *backup, *orig = NULL; RRegItem *ri, *risp, *ripc; ut64 rsp, rpc, ra0 = 0LL; if (r_debug_is_dead (dbg)) return R_FALSE; ripc = r_reg_get (dbg->reg, dbg->reg->name[R_REG_NAME_PC], R_REG_TYPE_GPR); risp = r_reg_get (dbg->reg, dbg->reg->name[R_REG_NAME_SP], R_REG_TYPE_GPR); if (ripc) { r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE); orig = r_reg_get_bytes (dbg->reg, -1, &orig_sz); if (orig == NULL) { eprintf ("Cannot get register arena bytes\n"); return 0LL; } rpc = r_reg_get_value (dbg->reg, ripc); rsp = r_reg_get_value (dbg->reg, risp); backup = malloc (len); if (backup == NULL) { free (orig); return 0LL; } dbg->iob.read_at (dbg->iob.io, rpc, backup, len); dbg->iob.read_at (dbg->iob.io, rsp, stackbackup, len); r_bp_add_sw (dbg->bp, rpc+len, dbg->bpsize, R_BP_PROT_EXEC); /* execute code here */ dbg->iob.write_at (dbg->iob.io, rpc, buf, len); //r_bp_add_sw (dbg->bp, rpc+len, 4, R_BP_PROT_EXEC); r_debug_continue (dbg); //r_bp_del (dbg->bp, rpc+len); /* TODO: check if stopped in breakpoint or not */ r_bp_del (dbg->bp, rpc+len); dbg->iob.write_at (dbg->iob.io, rpc, backup, len); if (restore) { dbg->iob.write_at (dbg->iob.io, rsp, stackbackup, len); } r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE); ri = r_reg_get (dbg->reg, dbg->reg->name[R_REG_NAME_A0], R_REG_TYPE_GPR); ra0 = r_reg_get_value (dbg->reg, ri); if (restore) { r_reg_set_bytes (dbg->reg, -1, orig, orig_sz); } else { r_reg_set_value (dbg->reg, ripc, rpc); } r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_TRUE); free (backup); free (orig); eprintf ("ra0=0x%08"PFMT64x"\n", ra0); } else eprintf ("r_debug_execute: Cannot get program counter\n"); return (ra0); }
R_API int r_debug_esil_stepi (RDebug *d) { RAnalOp op; ut8 obuf[64]; int ret = 1; dbg = d; if (!ESIL) { ESIL = r_anal_esil_new (R_TRUE); // TODO setup something? } r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE); opc = r_debug_reg_get (dbg, dbg->reg->name[R_REG_NAME_PC]); dbg->iob.read_at (dbg->iob.io, opc, obuf, sizeof (obuf)); //dbg->iob.read_at (dbg->iob.io, npc, buf, sizeof (buf)); //dbg->anal->reg = dbg->reg; // hack ESIL->cb.hook_mem_read = &esilbreak_mem_read; ESIL->cb.hook_mem_write = &esilbreak_mem_write; ESIL->cb.hook_reg_read = &esilbreak_reg_read; ESIL->cb.hook_reg_write = &esilbreak_reg_write; if (prestep) { // required when a exxpression is like <= == .. // otherwise it will stop at the next instruction if (r_debug_step (dbg, 1)<1) { eprintf ("Step failed\n"); return 0; } r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE); // npc = r_debug_reg_get (dbg, dbg->reg->name[R_REG_NAME_PC]); } if (r_anal_op (dbg->anal, &op, opc, obuf, sizeof (obuf))) { if (esilbreak_check_pc (dbg, opc)) { eprintf ("STOP AT 0x%08"PFMT64x"\n", opc); ret = 0; } else { r_anal_esil_set_pc (ESIL, opc); eprintf ("0x%08"PFMT64x" %s\n", opc, R_STRBUF_SAFEGET (&op.esil)); (void)r_anal_esil_parse (ESIL, R_STRBUF_SAFEGET (&op.esil)); //r_anal_esil_dumpstack (ESIL); r_anal_esil_stack_free (ESIL); ret = 1; } } if (!prestep) { if (ret && !has_match) { if (r_debug_step (dbg, 1)<1) { eprintf ("Step failed\n"); return 0; } r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE); // npc = r_debug_reg_get (dbg, dbg->reg->name[R_REG_NAME_PC]); } } return ret; }
R_API void r_anal_type_match(RCore *core, RAnalFunction *fcn) { bool esil_var[STATES_SIZE] = {false}; if (!core ) { return; } if (!r_anal_emul_init (core, esil_var) || !fcn ) { r_anal_emul_restore (core, esil_var); return; } const char *pc = r_reg_get_name (core->anal->reg, R_REG_NAME_PC); ut64 addr = fcn->addr; r_reg_setv (core->dbg->reg, pc, fcn->addr); r_debug_reg_sync (core->dbg, -1, true); r_cons_break (NULL, NULL); while (!r_cons_is_breaked ()) { RAnalOp *op = r_core_anal_op (core, addr); int loop_count = sdb_num_get ( core->anal->esil->db_trace, sdb_fmt (-1, "0x%"PFMT64x".count", addr), 0); if (loop_count > LOOP_MAX) { eprintf ("Unfortunately your evilly engineered %s function trapped my most innocent `aftm` in an infinite loop.\n", fcn->name); eprintf ("I kept trace log for you to review and find out how bad things were going to happen by yourself.\n"); eprintf ("You can view this log by `ate`. Meanwhile, I will train on how to behave with such behaviour without bothering you.\n"); return; } sdb_num_set (core->anal->esil->db_trace, sdb_fmt (-1, "0x%"PFMT64x".count", addr), loop_count + 1, 0); if (!op || op->type == R_ANAL_OP_TYPE_RET) { r_anal_emul_restore (core, esil_var); return; } if (op->type == R_ANAL_OP_TYPE_CALL) { RAnalFunction *fcn_call = r_anal_get_fcn_in (core->anal, op->jump, -1); //eprintf ("in the middle of %s\n", fcn_call->name); if (fcn_call) { type_match (core, addr, fcn_call->name); } else { eprintf ("Cannot find function at 0x%08"PFMT64x"\n", op->jump); } addr += op->size; r_anal_op_free (op); r_reg_setv (core->dbg->reg, pc, addr); r_debug_reg_sync (core->dbg, -1, true); r_anal_esil_set_pc (core->anal->esil, addr); addr += stack_clean (core, addr, fcn); r_reg_setv (core->dbg->reg, pc, addr); r_debug_reg_sync (core->dbg, -1, true); r_anal_esil_set_pc (core->anal->esil, addr); continue; } else { r_core_esil_step (core, UT64_MAX, NULL); r_anal_op_free (op); } r_core_cmd0 (core, ".ar*"); addr = r_reg_getv (core->anal->reg, pc); } r_cons_break_end (); r_anal_emul_restore (core, esil_var); }
R_API int r_debug_continue_until_optype(RDebug *dbg, int type, int over) { int ret, n = 0; ut64 pc, buf_pc = 0; RAnalOp op; ut8 buf[DBG_BUF_SIZE]; if (r_debug_is_dead (dbg)) { return R_FALSE; } if (!dbg->anal || !dbg->reg) { eprintf ("Undefined pointer at dbg->anal\n"); return R_FALSE; } r_debug_step (dbg, 1); r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE); // Initial refill buf_pc = r_debug_reg_get (dbg, dbg->reg->name[R_REG_NAME_PC]); dbg->iob.read_at (dbg->iob.io, buf_pc, buf, sizeof (buf)); // step first, we dont want to check current optype for (;;) { r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE); pc = r_debug_reg_get (dbg, dbg->reg->name[R_REG_NAME_PC]); // Try to keep the buffer full if (pc - buf_pc > sizeof (buf)) { buf_pc = pc; dbg->iob.read_at (dbg->iob.io, buf_pc, buf, sizeof (buf)); } // Analyze the opcode if (!r_anal_op (dbg->anal, &op, pc, buf + (pc - buf_pc), sizeof (buf) - (pc - buf_pc))) { eprintf ("Decode error at %"PFMT64x"\n", pc); return R_FALSE; } if (op.type == type) break; // Step over and repeat ret = over ? r_debug_step_over (dbg, 1) : r_debug_step (dbg, 1); if (!ret) { eprintf ("r_debug_step: failed\n"); break; } n++; } return n; }
R_API int r_debug_continue_syscalls(RDebug *dbg, int *sc, int n_sc) { int i, reg, ret = R_FALSE; if (!dbg || !dbg->h || r_debug_is_dead (dbg)) return R_FALSE; if (!dbg->h->contsc) { /* user-level syscall tracing */ r_debug_continue_until_optype (dbg, R_ANAL_OP_TYPE_SWI, 0); return show_syscall (dbg, "a0"); } if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE)) { eprintf ("--> cannot read registers\n"); return -1; } { int err; reg = (int)r_debug_reg_get_err (dbg, "sn", &err); if (err) { eprintf ("Cannot find 'sn' register for current arch-os.\n"); return -1; } } for (;;) { if (r_cons_singleton()->breaked) break; #if __linux__ // step is needed to avoid dupped contsc results r_debug_step (dbg, 1); #endif dbg->h->contsc (dbg, dbg->pid, 0); // TODO handle return value // wait until continuation r_debug_wait (dbg); if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE)) { eprintf ("--> cannot sync regs, process is probably dead\n"); return -1; } reg = show_syscall (dbg, "sn"); if (n_sc == -1) continue; if (n_sc == 0) { break; } for (i=0; i<n_sc; i++) { if (sc[i] == reg) return reg; } // TODO: must use r_core_cmd(as)..import code from rcore } return ret; }
// XXX: this function uses 'oeax' which is linux-i386-specific R_API int r_debug_continue_syscall(struct r_debug_t *dbg, int sc) { int reg, ret = R_FALSE; if (r_debug_is_dead (dbg)) return R_FALSE; if (dbg && dbg->h) { if (dbg->h->contsc) { do { ret = dbg->h->contsc (dbg, dbg->pid, sc); if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE)) { eprintf ("--> eol\n"); sc = 0; break; } reg = (int)r_debug_reg_get (dbg, "oeax"); // XXX eprintf ("--> syscall %d\n", reg); if (reg == 0LL) break; // TODO: must use r_core_cmd(as)..import code from rcore } while (sc != 0 && sc != reg); } else { r_debug_continue_until_optype (dbg, R_ANAL_OP_TYPE_SWI, 0); reg = (int)r_debug_reg_get (dbg, "oeax"); // XXX eprintf ("--> syscall %d\n", reg); } } return ret; }
R_API int r_debug_continue_syscalls(RDebug *dbg, int *sc, int n_sc) { const char *sysname; int i, reg, ret = R_FALSE; if (!dbg || !dbg->h || r_debug_is_dead (dbg)) return R_FALSE; if (!dbg->h->contsc) { /* user-level syscall tracing */ r_debug_continue_until_optype (dbg, R_ANAL_OP_TYPE_SWI, 0); reg = (int)r_debug_reg_get (dbg, "a0"); // XXX sysname = r_syscall_get_i (dbg->anal->syscall, reg, -1); if (!sysname) sysname = "unknown"; eprintf ("--> syscall %d %s\n", reg, sysname); return reg; } if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE)) { eprintf ("--> cannot read registers\n"); return -1; } reg = (int)r_debug_reg_get (dbg, "sn"); if (reg == (int)UT64_MAX) { eprintf ("Cannot find 'sn' register for current arch-os.\n"); return -1; } for (;;) { dbg->h->contsc (dbg, dbg->pid, 0); // TODO handle return value if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, R_FALSE)) { eprintf ("--> eol\n"); return -1; } reg = (int)r_debug_reg_get (dbg, "sn"); if (reg == (int)UT64_MAX) return -1; sysname = r_syscall_get_i (dbg->anal->syscall, reg, -1); if (!sysname) sysname = "unknown"; eprintf ("--> syscall %d %s\n", reg, sysname); for (i=0; i<n_sc; i++) { if (sc[i] == reg) return reg; } // TODO: must use r_core_cmd(as)..import code from rcore } return ret; }
static int __esil_step(RDebug *dbg) { int oplen; ut8 buf[64]; ut64 pc = 0LL; // getreg("pc") RAnalOp op; pc = r_debug_reg_sync(dbg, R_REG_TYPE_GPR, false); pc = r_debug_reg_get (dbg, "PC"); eprintf ("PC = 0x%" PFMT64x "\n", pc); /// XXX. hack to trick vaddr issue //pc = 0x100001478; //memset (buf, 0, sizeof (buf)); dbg->iob.read_at (dbg->iob.io, pc, buf, 64); eprintf ("READ 0x%08"PFMT64x" %02x %02x %02x\n", pc, buf[0], buf[1], buf[2]); oplen = r_anal_op (dbg->anal, &op, pc, buf, sizeof (buf)); if (oplen > 0) { if (*R_STRBUF_SAFEGET (&op.esil)) { eprintf ("ESIL: %s\n", R_STRBUF_SAFEGET (&op.esil)); r_anal_esil_parse (dbg->anal->esil, R_STRBUF_SAFEGET (&op.esil)); } } eprintf ("TODO: ESIL STEP\n"); return true; }
/* * Recoiling after a breakpoint has two stages: * 1. remove the breakpoint and fix the program counter. * 2. on resume, single step once and then replace the breakpoint. * * Thus, we have two functions to handle these situations. * r_debug_bp_hit handles stage 1. * r_debug_recoil handles stage 2. */ static int r_debug_bp_hit(RDebug *dbg, RRegItem *pc_ri, ut64 pc) { RBreakpointItem *b; /* if we are tracing, update the tracing data */ if (dbg->trace->enabled) { r_debug_trace_pc (dbg, pc); } /* remove all sw breakpoints for now. we'll set them back in stage 2 * * this is necessary because while stopped we don't want any breakpoints in * the code messing up our analysis. */ if (!r_bp_restore (dbg->bp, false)) { // unset sw breakpoints return false; } /* if we are recoiling, tell r_debug_step that we ignored a breakpoint * event */ if (!dbg->swstep && dbg->recoil_mode != R_DBG_RECOIL_NONE) { dbg->reason.bp_addr = 0; return true; } /* see if we really have a breakpoint here... */ b = r_bp_get_at (dbg->bp, pc - dbg->bpsize); if (!b) { /* we don't. nothing left to do */ return true; } /* set the pc value back */ pc -= b->size; if (!r_reg_set_value (dbg->reg, pc_ri, pc)) { eprintf ("failed to set PC!\n"); return false; } if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, true)) { eprintf ("cannot set registers!\n"); return false; } /* if we are on a software stepping breakpoint, we hide what is going on... */ if (b->swstep) { dbg->reason.bp_addr = 0; return true; } /* setup our stage 2 */ dbg->reason.bp_addr = b->addr; /* inform the user of what happened */ eprintf ("hit %spoint at: %"PFMT64x "\n", b->trace ? "trace" : "break", pc); /* now that we've cleaned up after the breakpoint, call the other * potential breakpoint handlers */ if (dbg->corebind.core && dbg->corebind.bphit) { dbg->corebind.bphit (dbg->corebind.core, b); } /* XXX(jjd): i don't think this goes here... if (b->trace) { r_debug_step (dbg, 1); goto repeat; } */ return true; }
/* * Recoiling after a breakpoint has two stages: * 1. remove the breakpoint and fix the program counter. * 2. on resume, single step once and then replace the breakpoint. * * Thus, we have two functions to handle these situations. * r_debug_bp_hit handles stage 1. * r_debug_recoil handles stage 2. */ static int r_debug_bp_hit(RDebug *dbg, RRegItem *pc_ri, ut64 pc, RBreakpointItem **pb) { RBreakpointItem *b; if (!pb) { eprintf ("BreakpointItem is NULL!\n"); return false; } /* initialize the output parameter */ *pb = NULL; /* if we are tracing, update the tracing data */ if (dbg->trace->enabled) { r_debug_trace_pc (dbg, pc); } /* remove all sw breakpoints for now. we'll set them back in stage 2 * * this is necessary because while stopped we don't want any breakpoints in * the code messing up our analysis. */ if (!r_bp_restore (dbg->bp, false)) { // unset sw breakpoints return false; } /* if we are recoiling, tell r_debug_step that we ignored a breakpoint * event */ if (!dbg->swstep && dbg->recoil_mode != R_DBG_RECOIL_NONE) { dbg->reason.bp_addr = 0; return true; } /* The MIPS ptrace has a different behaviour */ # if __mips__ /* see if we really have a breakpoint here... */ b = r_bp_get_at (dbg->bp, pc); if (!b) { /* we don't. nothing left to do */ return true; } # else int pc_off = dbg->bpsize; /* see if we really have a breakpoint here... */ b = r_bp_get_at (dbg->bp, pc - dbg->bpsize); if (!b) { /* we don't. nothing left to do */ /* Some targets set pc to breakpoint */ b = r_bp_get_at (dbg->bp, pc); if (!b) { return true; } pc_off = 0; } /* set the pc value back */ if (pc_off) { pc -= pc_off; if (!r_reg_set_value (dbg->reg, pc_ri, pc)) { eprintf ("failed to set PC!\n"); return false; } if (!r_debug_reg_sync (dbg, R_REG_TYPE_GPR, true)) { eprintf ("cannot set registers!\n"); return false; } } # endif *pb = b; /* if we are on a software stepping breakpoint, we hide what is going on... */ if (b->swstep) { dbg->reason.bp_addr = 0; return true; } /* setup our stage 2 */ dbg->reason.bp_addr = b->addr; /* inform the user of what happened */ if (dbg->hitinfo) { eprintf ("hit %spoint at: %"PFMT64x "\n", b->trace ? "trace" : "break", pc); } /* now that we've cleaned up after the breakpoint, call the other * potential breakpoint handlers */ if (dbg->corebind.core && dbg->corebind.bphit) { dbg->corebind.bphit (dbg->corebind.core, b); } return true; }