From dde6bbf77e6a6df95dad5426e56a4bba115a7253 Mon Sep 17 00:00:00 2001 From: Cyrille Bagard Date: Tue, 30 Jun 2009 20:24:59 +0000 Subject: Added a few extra opcodes: imul, jle, movsx and movzx. git-svn-id: svn://svn.gna.org/svn/chrysalide/trunk@85 abbe820e-26c8-41b2-8c08-b7b2b41f8b0a --- ChangeLog | 14 ++++++++++++++ src/arch/x86/Makefile.am | 4 ++-- src/arch/x86/instruction.c | 20 ++++++++++++++++++++ src/arch/x86/instruction.h | 10 +++++++++- src/arch/x86/op_jump.c | 36 ++++++++++++++++++++++++++++++++++++ src/arch/x86/op_movsx.c | 29 ++++++++++++----------------- src/arch/x86/op_movzx.c | 29 ++++++++++++----------------- src/arch/x86/op_mul.c | 37 +++++++++++++++++++++++++++++++++++++ src/arch/x86/opcodes.h | 12 ++++++++++++ src/arch/x86/processor.c | 18 ++++++++++++++++++ 10 files changed, 172 insertions(+), 37 deletions(-) diff --git a/ChangeLog b/ChangeLog index 94c3dd1..032c201 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,19 @@ 09-06-30 Cyrille Bagard + * src/arch/x86/instruction.c: + * src/arch/x86/instruction.h: + * src/arch/x86/Makefile.am: + * src/arch/x86/opcodes.h: + * src/arch/x86/op_jump.c: + * src/arch/x86/op_movsx.c: + * src/arch/x86/op_movzx.c: + * src/arch/x86/op_mul.c: + * src/arch/x86/processor.c: + Add a few extra opcodes: imul, jle, movsx and movzx. Most of them are + two bytes opcodes. + +09-06-30 Cyrille Bagard + * src/analysis/binary.c: Disable the "control flow" link for conditional jumps. diff --git a/src/arch/x86/Makefile.am b/src/arch/x86/Makefile.am index 4b4222a..257bf9c 100644 --- a/src/arch/x86/Makefile.am +++ b/src/arch/x86/Makefile.am @@ -17,6 +17,8 @@ libarchx86_la_SOURCES = \ op_lea.c \ op_leave.c \ op_mov.c \ + op_movsx.c \ + op_movzx.c \ op_mul.c \ op_nop.c \ op_not.c \ @@ -42,8 +44,6 @@ libarchx86_la_SOURCES = \ processor.h processor.c \ registers.h registers.c -# op_movsx.c -# op_movzx.c libarchx86_la_CFLAGS = $(AM_CFLAGS) diff --git a/src/arch/x86/instruction.c b/src/arch/x86/instruction.c index 67a1fe0..5f6e7ee 100644 --- a/src/arch/x86/instruction.c +++ b/src/arch/x86/instruction.c @@ -90,6 +90,14 @@ static x86_instruction _instructions[XOP_COUNT] = { [XOP_OR_R8_RM8] = { false, 0x0a, IDX_TO_EXT(-1), "or", XPX_NONE }, [XOP_OR_AL_IMM8] = { false, 0x0c, IDX_TO_EXT(-1), "or", XPX_NONE }, + + [XOP_JLE_REL1632] = { false, 0x8e, IDX_TO_EXT(-1), "jle", XPX_TWO_BYTES | XPX_OPERAND_SIZE_OVERRIDE }, + + + [XOP_MOVZX_R1632_RM8] = { false, 0xb6, IDX_TO_EXT(-1), "movzx", XPX_TWO_BYTES | XPX_OPERAND_SIZE_OVERRIDE }, + [XOP_MOVSX_R1632_RM8] = { false, 0xbe, IDX_TO_EXT(-1), "movsx", XPX_TWO_BYTES | XPX_OPERAND_SIZE_OVERRIDE }, + + [XOP_ADC_RM8_R8] = { false, 0x10, IDX_TO_EXT(-1), "adc", XPX_NONE }, [XOP_AND_RM8_R8] = { false, 0x20, IDX_TO_EXT(-1), "and", XPX_NONE }, @@ -152,6 +160,8 @@ static x86_instruction _instructions[XOP_COUNT] = { [XOP_PUSH_IMM1632] = { false, 0x68, IDX_TO_EXT(-1), "push", XPX_OPERAND_SIZE_OVERRIDE }, + [XOP_IMUL_RM1632_IMM8] = { false, 0x6b, IDX_TO_EXT(-1), "imul", XPX_OPERAND_SIZE_OVERRIDE }, + [XOP_JO_REL8] = { false, 0x70, IDX_TO_EXT(-1), "jo", XPX_NONE }, [XOP_JNO_REL8] = { false, 0x71, IDX_TO_EXT(-1), "jno", XPX_NONE }, @@ -445,6 +455,10 @@ X86Opcodes x86_guess_next_instruction(const bin_t *data, off_t pos, off_t len, X while (pos < len) switch (data[pos]) { + case 0x0f: + pos++; + *prefix |= XPX_TWO_BYTES; + break; case 0x66: pos++; *prefix |= XPX_OPERAND_SIZE_OVERRIDE; @@ -535,6 +549,12 @@ static InstructionLinkType x86_get_instruction_link(const GX86Instruction *instr switch (instr->type) { + case XOP_JLE_REL1632: + relative = G_X86_RELATIVE_OPERAND(g_arch_instruction_get_operand(G_ARCH_INSTRUCTION(instr), 0)); + if (g_imm_operand_to_vmpa_t(g_x86_relative_operand_get_value(relative), addr)) result = ILT_CALL; + else result = ILT_NONE; + break; + case XOP_JO_REL8: case XOP_JNO_REL8: case XOP_JB_REL8: diff --git a/src/arch/x86/instruction.h b/src/arch/x86/instruction.h index 460dd0e..2f59c46 100644 --- a/src/arch/x86/instruction.h +++ b/src/arch/x86/instruction.h @@ -45,6 +45,11 @@ typedef enum _X86Opcodes XOP_OR_R8_RM8, /* or (0x0a) */ XOP_OR_AL_IMM8, /* or (0x0c) */ + XOP_JLE_REL1632, /* jle ([0x66] 0x0f 0x8e) */ + + XOP_MOVZX_R1632_RM8, /* movzx ([0x66] 0x0f 0xb6) */ + XOP_MOVSX_R1632_RM8, /* movsx ([0x66] 0x0f 0xbe) */ + XOP_ADC_RM8_R8, /* adc (0x10) */ XOP_AND_RM8_R8, /* and (0x20) */ @@ -102,6 +107,7 @@ typedef enum _X86Opcodes XOP_PUSH_IMM1632, /* push ([0x66] 0x68) */ + XOP_IMUL_RM1632_IMM8, /* imul ([0x66] 0x6b) */ XOP_JO_REL8, /* jo (0x70) */ XOP_JNO_REL8, /* jno (0x71) */ @@ -285,7 +291,9 @@ enum _X86Prefix XPX_OPERAND_SIZE_OVERRIDE = (1 << 0), /* Taille des opérandes */ - XPX_REPEAT_STRING_OPERATION = (1 << 2) /* Boucle pour les chaînes */ + XPX_REPEAT_STRING_OPERATION = (1 << 2), /* Boucle pour les chaînes */ + + XPX_TWO_BYTES = (1 << 3) /* Instruction sur deux octets */ }; diff --git a/src/arch/x86/op_jump.c b/src/arch/x86/op_jump.c index be993f1..9688963 100644 --- a/src/arch/x86/op_jump.c +++ b/src/arch/x86/op_jump.c @@ -203,6 +203,42 @@ GArchInstruction *x86_read_instr_jl_rel8(const bin_t *data, off_t *pos, off_t le * addr = adresse virtuelle de l'instruction. * * proc = architecture ciblée par le désassemblage. * * * +* Description : Décode une instruction de type 'jle' (16 ou 32 bits). * +* * +* Retour : Instruction mise en place ou NULL. * +* * +* Remarques : - * +* * +******************************************************************************/ + +GArchInstruction *x86_read_instr_jle_rel1632(const bin_t *data, off_t *pos, off_t len, vmpa_t addr, X86Prefix prefix, const GX86Processor *proc) +{ + GArchInstruction *result; /* Instruction à retourner */ + AsmOperandSize oprsize; /* Taille des opérandes */ + + result = g_x86_instruction_new(XOP_JLE_REL1632); + + oprsize = g_x86_processor_get_operand_size(proc, prefix); + + if (!x86_read_one_operand(result, data, pos, len, X86_OTP_REL1632, oprsize, addr)) + { + /* TODO free(result);*/ + return NULL; + } + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : data = flux de données à analyser. * +* pos = position courante dans ce flux. [OUT] * +* len = taille totale des données à analyser. * +* addr = adresse virtuelle de l'instruction. * +* proc = architecture ciblée par le désassemblage. * +* * * Description : Décode une instruction de type 'jmp' (petit saut). * * * * Retour : Instruction mise en place ou NULL. * diff --git a/src/arch/x86/op_movsx.c b/src/arch/x86/op_movsx.c index e75f1a1..74b1b0b 100644 --- a/src/arch/x86/op_movsx.c +++ b/src/arch/x86/op_movsx.c @@ -32,13 +32,13 @@ /****************************************************************************** * * -* Paramètres : data = flux de données à analyser. * -* pos = position courante dans ce flux. [OUT] * -* len = taille totale des données à analyser. * -* offset = adresse virtuelle de l'instruction. * -* proc = architecture ciblée par le désassemblage. * +* Paramètres : data = flux de données à analyser. * +* pos = position courante dans ce flux. [OUT] * +* len = taille totale des données à analyser. * +* addr = adresse virtuelle de l'instruction. * +* proc = architecture ciblée par le désassemblage. * * * -* Description : Décode une instruction de type 'movsx' (8 bits). * +* Description : Décode une instruction de type 'movsx' (16 ou 32 bits). * * * * Retour : Instruction mise en place ou NULL. * * * @@ -46,26 +46,21 @@ * * ******************************************************************************/ -asm_x86_instr *x86_read_instr_movsx_r1632_rm8(const uint8_t *data, off_t *pos, off_t len, uint64_t offset, const asm_x86_processor *proc) +GArchInstruction *x86_read_instr_movsx_r1632_rm8(const bin_t *data, off_t *pos, off_t len, vmpa_t addr, X86Prefix prefix, const GX86Processor *proc) { - asm_x86_instr *result; /* Instruction à retourner */ + GArchInstruction *result; /* Instruction à retourner */ AsmOperandSize oprsize; /* Taille des opérandes */ - result = (asm_x86_instr *)calloc(1, sizeof(asm_x86_instr)); + result = g_x86_instruction_new(XOP_MOVSX_R1632_RM8); - /* 0x0f : passage en mode 2 octets */ - (*pos)++; + oprsize = g_x86_processor_get_operand_size(proc, prefix); - oprsize = switch_x86_operand_size_if_needed(proc, data, pos); - - ASM_INSTRUCTION(result)->opcode = data[(*pos)++]; - /* if (!x86_read_two_operands(result, data, pos, len, X86_OTP_R1632, X86_OTP_RM8, oprsize)) { - free(result); + /* TODO free(result);*/ return NULL; } - */ + return result; } diff --git a/src/arch/x86/op_movzx.c b/src/arch/x86/op_movzx.c index c1629d9..fc32623 100644 --- a/src/arch/x86/op_movzx.c +++ b/src/arch/x86/op_movzx.c @@ -32,13 +32,13 @@ /****************************************************************************** * * -* Paramètres : data = flux de données à analyser. * -* pos = position courante dans ce flux. [OUT] * -* len = taille totale des données à analyser. * -* offset = adresse virtuelle de l'instruction. * -* proc = architecture ciblée par le désassemblage. * +* Paramètres : data = flux de données à analyser. * +* pos = position courante dans ce flux. [OUT] * +* len = taille totale des données à analyser. * +* addr = adresse virtuelle de l'instruction. * +* proc = architecture ciblée par le désassemblage. * * * -* Description : Décode une instruction de type 'movzx' (8 bits). * +* Description : Décode une instruction de type 'movzx' (16 ou 32 bits). * * * * Retour : Instruction mise en place ou NULL. * * * @@ -46,26 +46,21 @@ * * ******************************************************************************/ -asm_x86_instr *x86_read_instr_movzx_r1632_rm8(const uint8_t *data, off_t *pos, off_t len, uint64_t offset, const asm_x86_processor *proc) +GArchInstruction *x86_read_instr_movzx_r1632_rm8(const bin_t *data, off_t *pos, off_t len, vmpa_t addr, X86Prefix prefix, const GX86Processor *proc) { - asm_x86_instr *result; /* Instruction à retourner */ + GArchInstruction *result; /* Instruction à retourner */ AsmOperandSize oprsize; /* Taille des opérandes */ - result = (asm_x86_instr *)calloc(1, sizeof(asm_x86_instr)); + result = g_x86_instruction_new(XOP_MOVZX_R1632_RM8); - /* 0x0f : passage en mode 2 octets */ - (*pos)++; + oprsize = g_x86_processor_get_operand_size(proc, prefix); - oprsize = switch_x86_operand_size_if_needed(proc, data, pos); - - ASM_INSTRUCTION(result)->opcode = data[(*pos)++]; - /* if (!x86_read_two_operands(result, data, pos, len, X86_OTP_R1632, X86_OTP_RM8, oprsize)) { - free(result); + /* TODO free(result);*/ return NULL; } - */ + return result; } diff --git a/src/arch/x86/op_mul.c b/src/arch/x86/op_mul.c index e80bad2..f1ed641 100644 --- a/src/arch/x86/op_mul.c +++ b/src/arch/x86/op_mul.c @@ -64,3 +64,40 @@ GArchInstruction *x86_read_instr_imul_rm1632(const bin_t *data, off_t *pos, off_ return result; } + + +/****************************************************************************** +* * +* Paramètres : data = flux de données à analyser. * +* pos = position courante dans ce flux. [OUT] * +* len = taille totale des données à analyser. * +* offset = adresse virtuelle de l'instruction. * +* proc = architecture ciblée par le désassemblage. * +* * +* Description : Décode une instruction de type 'imul' (16 ou 32 bits). * +* * +* Retour : Instruction mise en place ou NULL. * +* * +* Remarques : - * +* * +******************************************************************************/ + +GArchInstruction *x86_read_instr_imul_rm1632_imm8(const bin_t *data, off_t *pos, off_t len, vmpa_t addr, X86Prefix prefix, const GX86Processor *proc) +{ + GArchInstruction *result; /* Instruction à retourner */ + AsmOperandSize oprsize; /* Taille des opérandes */ + + result = g_x86_instruction_new(XOP_IMUL_RM1632_IMM8); + + oprsize = g_x86_processor_get_operand_size(proc, prefix); + + if (!x86_read_two_operands(result, data, pos, len, X86_OTP_RM1632, X86_OTP_IMM8, oprsize)) + { + /* TODO free(result);*/ + return NULL; + } + + return result; + +} + diff --git a/src/arch/x86/opcodes.h b/src/arch/x86/opcodes.h index e2ec5a6..93e4d5c 100644 --- a/src/arch/x86/opcodes.h +++ b/src/arch/x86/opcodes.h @@ -111,6 +111,9 @@ GArchInstruction *x86_read_instr_hlt(const bin_t *, off_t *, off_t, vmpa_t, X86P /* Décode une instruction de type 'imul' (16 ou 32 bits). */ GArchInstruction *x86_read_instr_imul_rm1632(const bin_t *, off_t *, off_t, vmpa_t, X86Prefix, const GX86Processor *); +/* Décode une instruction de type 'imul' (16 ou 32 bits). */ +GArchInstruction *x86_read_instr_imul_rm1632_imm8(const bin_t *, off_t *, off_t, vmpa_t, X86Prefix, const GX86Processor *); + /* Décode une instruction de type 'inc' (16 ou 32 bits). */ GArchInstruction *x86_read_instr_inc_r1632(const bin_t *, off_t *, off_t, vmpa_t, X86Prefix, const GX86Processor *); @@ -135,6 +138,9 @@ GArchInstruction *x86_read_instr_jg_rel8(const bin_t *, off_t *, off_t, vmpa_t, /* Décode une instruction de type 'jl' (saut 8b si inférieur). */ GArchInstruction *x86_read_instr_jl_rel8(const bin_t *, off_t *, off_t, vmpa_t, X86Prefix, const GX86Processor *); +/* Décode une instruction de type 'jle' (16 ou 32 bits). */ +GArchInstruction *x86_read_instr_jle_rel1632(const bin_t *, off_t *, off_t, vmpa_t, X86Prefix, const GX86Processor *); + /* Décode une instruction de type 'jna' (saut 8b si !supérieur). */ GArchInstruction *x86_read_instr_jna_rel8(const bin_t *, off_t *, off_t, vmpa_t, X86Prefix, const GX86Processor *); @@ -216,6 +222,12 @@ GArchInstruction *x86_read_instr_mov_rm1632_r1632(const bin_t *, off_t *, off_t, /* Décode une instruction de type 'mov' (8 bits). */ GArchInstruction *x86_read_instr_mov_rm8_r8(const bin_t *, off_t *, off_t, vmpa_t, X86Prefix, const GX86Processor *); +/* Décode une instruction de type 'movsx' (16 ou 32 bits). */ +GArchInstruction *x86_read_instr_movsx_r1632_rm8(const bin_t *, off_t *, off_t, vmpa_t, X86Prefix, const GX86Processor *); + +/* Décode une instruction de type 'movzx' (16 ou 32 bits). */ +GArchInstruction *x86_read_instr_movzx_r1632_rm8(const bin_t *, off_t *, off_t, vmpa_t, X86Prefix, const GX86Processor *); + /* Décode une instruction de type 'nop'. */ GArchInstruction *x86_read_instr_nop(const bin_t *, off_t *, off_t, vmpa_t, X86Prefix, const GX86Processor *); diff --git a/src/arch/x86/processor.c b/src/arch/x86/processor.c index 7370da1..b4ee334 100644 --- a/src/arch/x86/processor.c +++ b/src/arch/x86/processor.c @@ -181,6 +181,7 @@ static GArchInstruction *g_x86_processor_decode_instruction(const GX86Processor id = x86_guess_next_instruction(data, *pos, len, &prefix, &care); + if (prefix & XPX_TWO_BYTES) (*pos)++; if (prefix & XPX_OPERAND_SIZE_OVERRIDE) (*pos)++; if (id != XOP_COUNT && !care) (*pos)++; @@ -221,6 +222,19 @@ static GArchInstruction *g_x86_processor_decode_instruction(const GX86Processor break; + case XOP_JLE_REL1632: + result = x86_read_instr_jle_rel1632(data, pos, len, addr, prefix, proc); + break; + + + case XOP_MOVZX_R1632_RM8: + result = x86_read_instr_movzx_r1632_rm8(data, pos, len, addr, prefix, proc); + break; + + case XOP_MOVSX_R1632_RM8: + result = x86_read_instr_movsx_r1632_rm8(data, pos, len, addr, prefix, proc); + break; + @@ -334,6 +348,10 @@ static GArchInstruction *g_x86_processor_decode_instruction(const GX86Processor break; + case XOP_IMUL_RM1632_IMM8: + result = x86_read_instr_imul_rm1632_imm8(data, pos, len, addr, prefix, proc); + break; + case XOP_JO_REL8: result = x86_read_instr_jo_rel8(data, pos, len, addr, prefix, proc); -- cgit v0.11.2-87-g4458