651 lines
31 KiB
Python
651 lines
31 KiB
Python
# Copyright (c) 2015-2019 Vector 35 Inc
|
|
#
|
|
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
# of this software and associated documentation files (the "Software"), to
|
|
# deal in the Software without restriction, including without limitation the
|
|
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
|
# sell copies of the Software, and to permit persons to whom the Software is
|
|
# furnished to do so, subject to the following conditions:
|
|
#
|
|
# The above copyright notice and this permission notice shall be included in
|
|
# all copies or substantial portions of the Software.
|
|
#
|
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
|
# IN THE SOFTWARE.
|
|
|
|
import struct
|
|
import traceback
|
|
import os
|
|
|
|
from binaryninja.architecture import Architecture
|
|
from binaryninja.lowlevelil import LowLevelILLabel, LLIL_TEMP
|
|
from binaryninja.function import RegisterInfo, InstructionInfo, InstructionTextToken
|
|
from binaryninja.binaryview import BinaryView
|
|
from binaryninja.types import Symbol
|
|
from binaryninja.log import log_error
|
|
from binaryninja.enums import (BranchType, InstructionTextTokenType,
|
|
LowLevelILOperation, LowLevelILFlagCondition, FlagRole, SegmentFlag, SymbolType)
|
|
|
|
# 2-3 compatibility
|
|
from binaryninja import range
|
|
|
|
|
|
InstructionNames = [
|
|
"brk", "ora", None, None, None, "ora", "asl", None, # 0x00
|
|
"php", "ora", "asl@", None, None, "ora", "asl", None, # 0x08
|
|
"bpl", "ora", None, None, None, "ora", "asl", None, # 0x10
|
|
"clc", "ora", None, None, None, "ora", "asl", None, # 0x18
|
|
"jsr", "and", None, None, "bit", "and", "rol", None, # 0x20
|
|
"plp", "and", "rol@", None, "bit", "and", "rol", None, # 0x28
|
|
"bmi", "and", None, None, None, "and", "rol", None, # 0x30
|
|
"sec", "and", None, None, None, "and", "rol", None, # 0x38
|
|
"rti", "eor", None, None, None, "eor", "lsr", None, # 0x40
|
|
"pha", "eor", "lsr@", None, "jmp", "eor", "lsr", None, # 0x48
|
|
"bvc", "eor", None, None, None, "eor", "lsr", None, # 0x50
|
|
"cli", "eor", None, None, None, "eor", "lsr", None, # 0x58
|
|
"rts", "adc", None, None, None, "adc", "ror", None, # 0x60
|
|
"pla", "adc", "ror@", None, "jmp", "adc", "ror", None, # 0x68
|
|
"bvs", "adc", None, None, None, "adc", "ror", None, # 0x70
|
|
"sei", "adc", None, None, None, "adc", "ror", None, # 0x78
|
|
None, "sta", None, None, "sty", "sta", "stx", None, # 0x80
|
|
"dey", None, "txa", None, "sty", "sta", "stx", None, # 0x88
|
|
"bcc", "sta", None, None, "sty", "sta", "stx", None, # 0x90
|
|
"tya", "sta", "txs", None, None, "sta", None, None, # 0x98
|
|
"ldy", "lda", "ldx", None, "ldy", "lda", "ldx", None, # 0xa0
|
|
"tay", "lda", "tax", None, "ldy", "lda", "ldx", None, # 0xa8
|
|
"bcs", "lda", None, None, "ldy", "lda", "ldx", None, # 0xb0
|
|
"clv", "lda", "tsx", None, "ldy", "lda", "ldx", None, # 0xb8
|
|
"cpy", "cmp", None, None, "cpy", "cmp", "dec", None, # 0xc0
|
|
"iny", "cmp", "dex", None, "cpy", "cmp", "dec", None, # 0xc8
|
|
"bne", "cmp", None, None, None, "cmp", "dec", None, # 0xd0
|
|
"cld", "cmp", None, None, None, "cmp", "dec", None, # 0xd8
|
|
"cpx", "sbc", None, None, "cpx", "sbc", "inc", None, # 0xe0
|
|
"inx", "sbc", "nop", None, "cpx", "sbc", "inc", None, # 0xe8
|
|
"beq", "sbc", None, None, None, "sbc", "inc", None, # 0xf0
|
|
"sed", "sbc", None, None, None, "sbc", "inc", None # 0xf8
|
|
]
|
|
|
|
NONE = 0
|
|
ABS = 1
|
|
ABS_DEST = 2
|
|
ABS_X = 3
|
|
ABS_X_DEST = 4
|
|
ABS_Y = 5
|
|
ABS_Y_DEST = 6
|
|
ACCUM = 7
|
|
ADDR = 8
|
|
IMMED = 9
|
|
IND = 10
|
|
IND_X = 11
|
|
IND_X_DEST = 12
|
|
IND_Y = 13
|
|
IND_Y_DEST = 14
|
|
REL = 15
|
|
ZERO = 16
|
|
ZERO_DEST = 17
|
|
ZERO_X = 18
|
|
ZERO_X_DEST = 19
|
|
ZERO_Y = 20
|
|
ZERO_Y_DEST = 21
|
|
InstructionOperandTypes = [
|
|
NONE, IND_X, NONE, NONE, NONE, ZERO, ZERO_DEST, NONE, # 0x00
|
|
NONE, IMMED, ACCUM, NONE, NONE, ABS, ABS_DEST, NONE, # 0x08
|
|
REL, IND_Y, NONE, NONE, NONE, ZERO_X, ZERO_X_DEST, NONE, # 0x10
|
|
NONE, ABS_Y, NONE, NONE, NONE, ABS_X, ABS_X_DEST, NONE, # 0x18
|
|
ADDR, IND_X, NONE, NONE, ZERO, ZERO, ZERO_DEST, NONE, # 0x20
|
|
NONE, IMMED, ACCUM, NONE, ABS, ABS, ABS_DEST, NONE, # 0x28
|
|
REL, IND_Y, NONE, NONE, NONE, ZERO_X, ZERO_X_DEST, NONE, # 0x30
|
|
NONE, ABS_Y, NONE, NONE, NONE, ABS_X, ABS_X_DEST, NONE, # 0x38
|
|
NONE, IND_X, NONE, NONE, NONE, ZERO, ZERO_DEST, NONE, # 0x40
|
|
NONE, IMMED, ACCUM, NONE, ADDR, ABS, ABS_DEST, NONE, # 0x48
|
|
REL, IND_Y, NONE, NONE, NONE, ZERO_X, ZERO_X_DEST, NONE, # 0x50
|
|
NONE, ABS_Y, NONE, NONE, NONE, ABS_X, ABS_X_DEST, NONE, # 0x58
|
|
NONE, IND_X, NONE, NONE, NONE, ZERO, ZERO_DEST, NONE, # 0x60
|
|
NONE, IMMED, ACCUM, NONE, IND, ABS, ABS_DEST, NONE, # 0x68
|
|
REL, IND_Y, NONE, NONE, NONE, ZERO_X, ZERO_X_DEST, NONE, # 0x70
|
|
NONE, ABS_Y, NONE, NONE, NONE, ABS_X, ABS_X_DEST, NONE, # 0x78
|
|
NONE, IND_X_DEST, NONE, NONE, ZERO_DEST, ZERO_DEST, ZERO_DEST, NONE, # 0x80
|
|
NONE, NONE, NONE, NONE, ABS_DEST, ABS_DEST, ABS_DEST, NONE, # 0x88
|
|
REL, IND_Y_DEST, NONE, NONE, ZERO_X_DEST, ZERO_X_DEST, ZERO_Y_DEST, NONE, # 0x90
|
|
NONE, ABS_Y_DEST, NONE, NONE, NONE, ABS_X_DEST, NONE, NONE, # 0x98
|
|
IMMED, IND_X, IMMED, NONE, ZERO, ZERO, ZERO, NONE, # 0xa0
|
|
NONE, IMMED, NONE, NONE, ABS, ABS, ABS, NONE, # 0xa8
|
|
REL, IND_Y, NONE, NONE, ZERO_X, ZERO_X, ZERO_Y, NONE, # 0xb0
|
|
NONE, ABS_Y, NONE, NONE, ABS_X, ABS_X, ABS_Y, NONE, # 0xb8
|
|
IMMED, IND_X, NONE, NONE, ZERO, ZERO, ZERO_DEST, NONE, # 0xc0
|
|
NONE, IMMED, NONE, NONE, ABS, ABS, ABS_DEST, NONE, # 0xc8
|
|
REL, IND_Y, NONE, NONE, NONE, ZERO_X, ZERO_X_DEST, NONE, # 0xd0
|
|
NONE, ABS_Y, NONE, NONE, NONE, ABS_X, ABS_X_DEST, NONE, # 0xd8
|
|
IMMED, IND_X, NONE, NONE, ZERO, ZERO, ZERO_DEST, NONE, # 0xe0
|
|
NONE, IMMED, NONE, NONE, ABS, ABS, ABS_DEST, NONE, # 0xe8
|
|
REL, IND_Y, NONE, NONE, NONE, ZERO_X, ZERO_X_DEST, NONE, # 0xf0
|
|
NONE, ABS_Y, NONE, NONE, NONE, ABS_X, ABS_X_DEST, NONE # 0xf8
|
|
]
|
|
|
|
OperandLengths = [
|
|
0, # NONE
|
|
2, # ABS
|
|
2, # ABS_DEST
|
|
2, # ABS_X
|
|
2, # ABS_X_DEST
|
|
2, # ABS_Y
|
|
2, # ABS_Y_DEST
|
|
0, # ACCUM
|
|
2, # ADDR
|
|
1, # IMMED
|
|
2, # IND
|
|
1, # IND_X
|
|
1, # IND_X_DEST
|
|
1, # IND_Y
|
|
1, # IND_Y_DEST
|
|
1, # REL
|
|
1, # ZERO
|
|
1, # ZREO_DEST
|
|
1, # ZERO_X
|
|
1, # ZERO_X_DEST
|
|
1, # ZERO_Y
|
|
1 # ZERO_Y_DEST
|
|
]
|
|
|
|
OperandTokens = [
|
|
lambda value: [], # NONE
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.4x" % value, value)], # ABS
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.4x" % value, value)], # ABS_DEST
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.4x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, ", "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "x")], # ABS_X
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.4x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, ", "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "x")], # ABS_X_DEST
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.4x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, ", "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "y")], # ABS_Y
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.4x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, ", "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "y")], # ABS_Y_DEST
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.RegisterToken, "a")], # ACCUM
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.4x" % value, value)], # ADDR
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.TextToken, "#"), InstructionTextToken(InstructionTextTokenType.IntegerToken, "$%.2x" % value, value)], # IMMED
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.TextToken, "["), InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.4x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, "]")], # IND
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.TextToken, "["), InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.2x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, ", "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "x"),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, "]")], # IND_X
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.TextToken, "["), InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.2x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, ", "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "x"),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, "]")], # IND_X_DEST
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.TextToken, "["), InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.2x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, "], "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "y")], # IND_Y
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.TextToken, "["), InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.2x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, "], "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "y")], # IND_Y_DEST
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.4x" % value, value)], # REL
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.2x" % value, value)], # ZERO
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.2x" % value, value)], # ZERO_DEST
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.2x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, ", "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "x")], # ZERO_X
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.2x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, ", "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "x")], # ZERO_X_DEST
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.2x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, ", "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "y")], # ZERO_Y
|
|
lambda value: [InstructionTextToken(InstructionTextTokenType.PossibleAddressToken, "$%.2x" % value, value),
|
|
InstructionTextToken(InstructionTextTokenType.TextToken, ", "), InstructionTextToken(InstructionTextTokenType.RegisterToken, "y")] # ZERO_Y_DEST
|
|
]
|
|
|
|
|
|
def indirect_load(il, value):
|
|
if (value & 0xff) == 0xff:
|
|
lo_addr = il.const_pointer(2, value)
|
|
hi_addr = il.const_pointer(2, (value & 0xff00) | ((value + 1) & 0xff))
|
|
lo = il.zero_extend(2, il.load(1, lo_addr))
|
|
hi = il.shift_left(2, il.zero_extend(2, il.load(1, hi_addr)), il.const(2, 8))
|
|
return il.or_expr(2, lo, hi)
|
|
return il.load(2, il.const_pointer(2, value))
|
|
|
|
|
|
def load_zero_page_16(il, value):
|
|
if il[value].operation == LowLevelILOperation.LLIL_CONST:
|
|
if il[value].constant == 0xff:
|
|
lo = il.zero_extend(2, il.load(1, il.const_pointer(2, 0xff)))
|
|
hi = il.shift_left(2, il.zero_extend(2, il.load(1, il.const_pointer(2, 0)), il.const(2, 8)))
|
|
return il.or_expr(2, lo, hi)
|
|
return il.load(2, il.const_pointer(2, il[value].constant))
|
|
il.append(il.set_reg(1, LLIL_TEMP(0), value))
|
|
value = il.reg(1, LLIL_TEMP(0))
|
|
lo_addr = value
|
|
hi_addr = il.add(1, value, il.const(1, 1))
|
|
lo = il.zero_extend(2, il.load(1, lo_addr))
|
|
hi = il.shift_left(2, il.zero_extend(2, il.load(1, hi_addr)), il.const(2, 8))
|
|
return il.or_expr(2, lo, hi)
|
|
|
|
|
|
OperandIL = [
|
|
lambda il, value: None, # NONE
|
|
lambda il, value: il.load(1, il.const_pointer(2, value)), # ABS
|
|
lambda il, value: il.const(2, value), # ABS_DEST
|
|
lambda il, value: il.load(1, il.add(2, il.const(2, value), il.zero_extend(2, il.reg(1, "x")))), # ABS_X
|
|
lambda il, value: il.add(2, il.const(2, value), il.zero_extend(2, il.reg(1, "x"))), # ABS_X_DEST
|
|
lambda il, value: il.load(1, il.add(2, il.const(2, value), il.zero_extend(2, il.reg(1, "y")))), # ABS_Y
|
|
lambda il, value: il.add(2, il.const(2, value), il.zero_extend(2, il.reg(1, "y"))), # ABS_Y_DEST
|
|
lambda il, value: il.reg(1, "a"), # ACCUM
|
|
lambda il, value: il.const_pointer(2, value), # ADDR
|
|
lambda il, value: il.const(1, value), # IMMED
|
|
lambda il, value: indirect_load(il, value), # IND
|
|
lambda il, value: il.load(1, load_zero_page_16(il, il.add(1, il.const(1, value), il.reg(1, "x")))), # IND_X
|
|
lambda il, value: load_zero_page_16(il, il.add(1, il.const(1, value), il.reg(1, "x"))), # IND_X_DEST
|
|
lambda il, value: il.load(1, il.add(2, load_zero_page_16(il, il.const(1, value)), il.reg(1, "y"))), # IND_Y
|
|
lambda il, value: il.add(2, load_zero_page_16(il, il.const(1, value)), il.reg(1, "y")), # IND_Y_DEST
|
|
lambda il, value: il.const_pointer(2, value), # REL
|
|
lambda il, value: il.load(1, il.const_pointer(2, value)), # ZERO
|
|
lambda il, value: il.const_pointer(2, value), # ZERO_DEST
|
|
lambda il, value: il.load(1, il.zero_extend(2, il.add(1, il.const(1, value), il.reg(1, "x")))), # ZERO_X
|
|
lambda il, value: il.zero_extend(2, il.add(1, il.const(1, value), il.reg(1, "x"))), # ZERO_X_DEST
|
|
lambda il, value: il.load(1, il.zero_extend(2, il.add(1, il.const(1, value), il.reg(1, "y")))), # ZERO_Y
|
|
lambda il, value: il.zero_extend(2, il.add(1, il.const(1, value), il.reg(1, "y"))) # ZERO_Y_DEST
|
|
]
|
|
|
|
|
|
def cond_branch(il, cond, dest):
|
|
t = None
|
|
if il[dest].operation == LowLevelILOperation.LLIL_CONST:
|
|
t = il.get_label_for_address(Architecture['6502'], il[dest].constant)
|
|
if t is None:
|
|
t = LowLevelILLabel()
|
|
indirect = True
|
|
else:
|
|
indirect = False
|
|
f = LowLevelILLabel()
|
|
il.append(il.if_expr(cond, t, f))
|
|
if indirect:
|
|
il.mark_label(t)
|
|
il.append(il.jump(dest))
|
|
il.mark_label(f)
|
|
return None
|
|
|
|
|
|
def jump(il, dest):
|
|
label = None
|
|
if il[dest].operation == LowLevelILOperation.LLIL_CONST:
|
|
label = il.get_label_for_address(Architecture['6502'], il[dest].constant)
|
|
if label is None:
|
|
il.append(il.jump(dest))
|
|
else:
|
|
il.append(il.goto(label))
|
|
return None
|
|
|
|
|
|
def get_p_value(il):
|
|
c = il.flag_bit(1, "c", 0)
|
|
z = il.flag_bit(1, "z", 1)
|
|
i = il.flag_bit(1, "i", 2)
|
|
d = il.flag_bit(1, "d", 3)
|
|
b = il.flag_bit(1, "b", 4)
|
|
v = il.flag_bit(1, "v", 6)
|
|
s = il.flag_bit(1, "s", 7)
|
|
return il.or_expr(1, il.or_expr(1, il.or_expr(1, il.or_expr(1, il.or_expr(1,
|
|
il.or_expr(1, c, z), i), d), b), v), s)
|
|
|
|
|
|
def set_p_value(il, value):
|
|
il.append(il.set_reg(1, LLIL_TEMP(0), value))
|
|
il.append(il.set_flag("c", il.test_bit(1, il.reg(1, LLIL_TEMP(0)), il.const(1, 0x01))))
|
|
il.append(il.set_flag("z", il.test_bit(1, il.reg(1, LLIL_TEMP(0)), il.const(1, 0x02))))
|
|
il.append(il.set_flag("i", il.test_bit(1, il.reg(1, LLIL_TEMP(0)), il.const(1, 0x04))))
|
|
il.append(il.set_flag("d", il.test_bit(1, il.reg(1, LLIL_TEMP(0)), il.const(1, 0x08))))
|
|
il.append(il.set_flag("b", il.test_bit(1, il.reg(1, LLIL_TEMP(0)), il.const(1, 0x10))))
|
|
il.append(il.set_flag("v", il.test_bit(1, il.reg(1, LLIL_TEMP(0)), il.const(1, 0x40))))
|
|
il.append(il.set_flag("s", il.test_bit(1, il.reg(1, LLIL_TEMP(0)), il.const(1, 0x80))))
|
|
return None
|
|
|
|
|
|
def rti(il):
|
|
set_p_value(il, il.pop(1))
|
|
return il.ret(il.pop(2))
|
|
|
|
|
|
InstructionIL = {
|
|
"adc": lambda il, operand: il.set_reg(1, "a", il.add_carry(1, il.reg(1, "a"), operand, il.flag("c"), flags = "*")),
|
|
"asl": lambda il, operand: il.store(1, operand, il.shift_left(1, il.load(1, operand), il.const(1, 1), flags = "czs")),
|
|
"asl@": lambda il, operand: il.set_reg(1, "a", il.shift_left(1, operand, il.const(1, 1), flags = "czs")),
|
|
"and": lambda il, operand: il.set_reg(1, "a", il.and_expr(1, il.reg(1, "a"), operand, flags = "zs")),
|
|
"bcc": lambda il, operand: cond_branch(il, il.flag_condition(LowLevelILFlagCondition.LLFC_UGE), operand),
|
|
"bcs": lambda il, operand: cond_branch(il, il.flag_condition(LowLevelILFlagCondition.LLFC_ULT), operand),
|
|
"beq": lambda il, operand: cond_branch(il, il.flag_condition(LowLevelILFlagCondition.LLFC_E), operand),
|
|
"bit": lambda il, operand: il.and_expr(1, il.reg(1, "a"), operand, flags = "czs"),
|
|
"bmi": lambda il, operand: cond_branch(il, il.flag_condition(LowLevelILFlagCondition.LLFC_NEG), operand),
|
|
"bne": lambda il, operand: cond_branch(il, il.flag_condition(LowLevelILFlagCondition.LLFC_NE), operand),
|
|
"bpl": lambda il, operand: cond_branch(il, il.flag_condition(LowLevelILFlagCondition.LLFC_POS), operand),
|
|
"brk": lambda il, operand: il.system_call(),
|
|
"bvc": lambda il, operand: cond_branch(il, il.not_expr(0, il.flag("v")), operand),
|
|
"bvs": lambda il, operand: cond_branch(il, il.flag("v"), operand),
|
|
"clc": lambda il, operand: il.set_flag("c", il.const(0, 0)),
|
|
"cld": lambda il, operand: il.set_flag("d", il.const(0, 0)),
|
|
"cli": lambda il, operand: il.set_flag("i", il.const(0, 0)),
|
|
"clv": lambda il, operand: il.set_flag("v", il.const(0, 0)),
|
|
"cmp": lambda il, operand: il.sub(1, il.reg(1, "a"), operand, flags = "czs"),
|
|
"cpx": lambda il, operand: il.sub(1, il.reg(1, "x"), operand, flags = "czs"),
|
|
"cpy": lambda il, operand: il.sub(1, il.reg(1, "y"), operand, flags = "czs"),
|
|
"dec": lambda il, operand: il.store(1, operand, il.sub(1, il.load(1, operand), il.const(1, 1), flags = "zs")),
|
|
"dex": lambda il, operand: il.set_reg(1, "x", il.sub(1, il.reg(1, "x"), il.const(1, 1), flags = "zs")),
|
|
"dey": lambda il, operand: il.set_reg(1, "y", il.sub(1, il.reg(1, "y"), il.const(1, 1), flags = "zs")),
|
|
"eor": lambda il, operand: il.set_reg(1, "a", il.xor_expr(1, il.reg(1, "a"), operand, flags = "zs")),
|
|
"inc": lambda il, operand: il.store(1, operand, il.add(1, il.load(1, operand), il.const(1, 1), flags = "zs")),
|
|
"inx": lambda il, operand: il.set_reg(1, "x", il.add(1, il.reg(1, "x"), il.const(1, 1), flags = "zs")),
|
|
"iny": lambda il, operand: il.set_reg(1, "y", il.add(1, il.reg(1, "y"), il.const(1, 1), flags = "zs")),
|
|
"jmp": lambda il, operand: jump(il, operand),
|
|
"jsr": lambda il, operand: il.call(operand),
|
|
"lda": lambda il, operand: il.set_reg(1, "a", operand, flags = "zs"),
|
|
"ldx": lambda il, operand: il.set_reg(1, "x", operand, flags = "zs"),
|
|
"ldy": lambda il, operand: il.set_reg(1, "y", operand, flags = "zs"),
|
|
"lsr": lambda il, operand: il.store(1, operand, il.logical_shift_right(1, il.load(1, operand), il.const(1, 1), flags = "czs")),
|
|
"lsr@": lambda il, operand: il.set_reg(1, "a", il.logical_shift_right(1, il.reg(1, "a"), il.const(1, 1), flags = "czs")),
|
|
"nop": lambda il, operand: il.nop(),
|
|
"ora": lambda il, operand: il.set_reg(1, "a", il.or_expr(1, il.reg(1, "a"), operand, flags = "zs")),
|
|
"pha": lambda il, operand: il.push(1, il.reg(1, "a")),
|
|
"php": lambda il, operand: il.push(1, get_p_value(il)),
|
|
"pla": lambda il, operand: il.set_reg(1, "a", il.pop(1), flags = "zs"),
|
|
"plp": lambda il, operand: set_p_value(il, il.pop(1)),
|
|
"rol": lambda il, operand: il.store(1, operand, il.rotate_left_carry(1, il.load(1, operand), il.const(1, 1), il.flag("c"), flags = "czs")),
|
|
"rol@": lambda il, operand: il.set_reg(1, "a", il.rotate_left_carry(1, il.reg(1, "a"), il.const(1, 1), il.flag("c"), flags = "czs")),
|
|
"ror": lambda il, operand: il.store(1, operand, il.rotate_right_carry(1, il.load(1, operand), il.const(1, 1), il.flag("c"), flags = "czs")),
|
|
"ror@": lambda il, operand: il.set_reg(1, "a", il.rotate_right_carry(1, il.reg(1, "a"), il.const(1, 1), il.flag("c"), flags = "czs")),
|
|
"rti": lambda il, operand: rti(il),
|
|
"rts": lambda il, operand: il.ret(il.add(2, il.pop(2), il.const(2, 1))),
|
|
"sbc": lambda il, operand: il.set_reg(1, "a", il.sub_borrow(1, il.reg(1, "a"), operand, il.flag("c"), flags = "*")),
|
|
"sec": lambda il, operand: il.set_flag("c", il.const(0, 1)),
|
|
"sed": lambda il, operand: il.set_flag("d", il.const(0, 1)),
|
|
"sei": lambda il, operand: il.set_flag("i", il.const(0, 1)),
|
|
"sta": lambda il, operand: il.store(1, operand, il.reg(1, "a")),
|
|
"stx": lambda il, operand: il.store(1, operand, il.reg(1, "x")),
|
|
"sty": lambda il, operand: il.store(1, operand, il.reg(1, "y")),
|
|
"tax": lambda il, operand: il.set_reg(1, "x", il.reg(1, "a"), flags = "zs"),
|
|
"tay": lambda il, operand: il.set_reg(1, "y", il.reg(1, "a"), flags = "zs"),
|
|
"tsx": lambda il, operand: il.set_reg(1, "x", il.reg(1, "s"), flags = "zs"),
|
|
"txa": lambda il, operand: il.set_reg(1, "a", il.reg(1, "x"), flags = "zs"),
|
|
"txs": lambda il, operand: il.set_reg(1, "s", il.reg(1, "x")),
|
|
"tya": lambda il, operand: il.set_reg(1, "a", il.reg(1, "y"), flags = "zs")
|
|
}
|
|
|
|
|
|
class M6502(Architecture):
|
|
name = "6502"
|
|
address_size = 2
|
|
default_int_size = 1
|
|
instr_alignment = 1
|
|
max_instr_length = 3
|
|
regs = {
|
|
"a": RegisterInfo("a", 1),
|
|
"x": RegisterInfo("x", 1),
|
|
"y": RegisterInfo("y", 1),
|
|
"s": RegisterInfo("s", 1)
|
|
}
|
|
stack_pointer = "s"
|
|
flags = ["c", "z", "i", "d", "b", "v", "s"]
|
|
flag_write_types = ["*", "czs", "zvs", "zs"]
|
|
flag_roles = {
|
|
"c": FlagRole.SpecialFlagRole, # Not a normal carry flag, subtract result is inverted
|
|
"z": FlagRole.ZeroFlagRole,
|
|
"v": FlagRole.OverflowFlagRole,
|
|
"s": FlagRole.NegativeSignFlagRole
|
|
}
|
|
flags_required_for_flag_condition = {
|
|
LowLevelILFlagCondition.LLFC_UGE: ["c"],
|
|
LowLevelILFlagCondition.LLFC_ULT: ["c"],
|
|
LowLevelILFlagCondition.LLFC_E: ["z"],
|
|
LowLevelILFlagCondition.LLFC_NE: ["z"],
|
|
LowLevelILFlagCondition.LLFC_NEG: ["s"],
|
|
LowLevelILFlagCondition.LLFC_POS: ["s"]
|
|
}
|
|
flags_written_by_flag_write_type = {
|
|
"*": ["c", "z", "v", "s"],
|
|
"czs": ["c", "z", "s"],
|
|
"zvs": ["z", "v", "s"],
|
|
"zs": ["z", "s"]
|
|
}
|
|
|
|
def decode_instruction(self, data, addr):
|
|
if len(data) < 1:
|
|
return None, None, None, None
|
|
opcode = ord(data[0])
|
|
instr = InstructionNames[opcode]
|
|
if instr is None:
|
|
return None, None, None, None
|
|
|
|
operand = InstructionOperandTypes[opcode]
|
|
length = 1 + OperandLengths[operand]
|
|
if len(data) < length:
|
|
return None, None, None, None
|
|
|
|
if OperandLengths[operand] == 0:
|
|
value = None
|
|
elif operand == REL:
|
|
value = (addr + 2 + struct.unpack("b", data[1])[0]) & 0xffff
|
|
elif OperandLengths[operand] == 1:
|
|
value = ord(data[1])
|
|
else:
|
|
value = struct.unpack("<H", data[1:3])[0]
|
|
|
|
return instr, operand, length, value
|
|
|
|
def get_instruction_info(self, data, addr):
|
|
instr, operand, length, value = self.decode_instruction(data, addr)
|
|
if instr is None:
|
|
return None
|
|
|
|
result = InstructionInfo()
|
|
result.length = length
|
|
if instr == "jmp":
|
|
if operand == ADDR:
|
|
result.add_branch(BranchType.UnconditionalBranch, struct.unpack("<H", data[1:3])[0])
|
|
else:
|
|
result.add_branch(BranchType.UnresolvedBranch)
|
|
elif instr == "jsr":
|
|
result.add_branch(BranchType.CallDestination, struct.unpack("<H", data[1:3])[0])
|
|
elif instr in ["rti", "rts"]:
|
|
result.add_branch(BranchType.FunctionReturn)
|
|
if instr in ["bcc", "bcs", "beq", "bmi", "bne", "bpl", "bvc", "bvs"]:
|
|
dest = (addr + 2 + struct.unpack("b", data[1])[0]) & 0xffff
|
|
result.add_branch(BranchType.TrueBranch, dest)
|
|
result.add_branch(BranchType.FalseBranch, addr + 2)
|
|
return result
|
|
|
|
def get_instruction_text(self, data, addr):
|
|
instr, operand, length, value = self.decode_instruction(data, addr)
|
|
if instr is None:
|
|
return None
|
|
|
|
tokens = []
|
|
tokens.append(InstructionTextToken(InstructionTextTokenType.TextToken, "%-7s " % instr.replace("@", "")))
|
|
tokens += OperandTokens[operand](value)
|
|
return tokens, length
|
|
|
|
def get_instruction_low_level_il(self, data, addr, il):
|
|
instr, operand, length, value = self.decode_instruction(data, addr)
|
|
if instr is None:
|
|
return None
|
|
|
|
operand = OperandIL[operand](il, value)
|
|
instr = InstructionIL[instr](il, operand)
|
|
if isinstance(instr, list):
|
|
for i in instr:
|
|
il.append(i)
|
|
elif instr is not None:
|
|
il.append(instr)
|
|
|
|
return length
|
|
|
|
def get_flag_write_low_level_il(self, op, size, write_type, flag, operands, il):
|
|
if flag == 'c':
|
|
if (op == LowLevelILOperation.LLIL_SUB) or (op == LowLevelILOperation.LLIL_SBB):
|
|
# Subtraction carry flag is inverted from the commom implementation
|
|
return il.not_expr(0, self.get_default_flag_write_low_level_il(op, size, FlagRole.CarryFlagRole, operands, il))
|
|
# Other operations use a normal carry flag
|
|
return self.get_default_flag_write_low_level_il(op, size, FlagRole.CarryFlagRole, operands, il)
|
|
return Architecture.get_flag_write_low_level_il(self, op, size, write_type, flag, operands, il)
|
|
|
|
def is_never_branch_patch_available(self, data, addr):
|
|
if (data[0] == "\x10") or (data[0] == "\x30") or (data[0] == "\x50") or (data[0] == "\x70") or (data[0] == "\x90") or (data[0] == "\xb0") or (data[0] == "\xd0") or (data[0] == "\xf0"):
|
|
return True
|
|
return False
|
|
|
|
def is_invert_branch_patch_available(self, data, addr):
|
|
if (data[0] == "\x10") or (data[0] == "\x30") or (data[0] == "\x50") or (data[0] == "\x70") or (data[0] == "\x90") or (data[0] == "\xb0") or (data[0] == "\xd0") or (data[0] == "\xf0"):
|
|
return True
|
|
return False
|
|
|
|
def is_always_branch_patch_available(self, data, addr):
|
|
return False
|
|
|
|
def is_skip_and_return_zero_patch_available(self, data, addr):
|
|
return (data[0] == "\x20") and (len(data) == 3)
|
|
|
|
def is_skip_and_return_value_patch_available(self, data, addr):
|
|
return (data[0] == "\x20") and (len(data) == 3)
|
|
|
|
def convert_to_nop(self, data, addr):
|
|
return "\xea" * len(data)
|
|
|
|
def never_branch(self, data, addr):
|
|
if (data[0] == "\x10") or (data[0] == "\x30") or (data[0] == "\x50") or (data[0] == "\x70") or (data[0] == "\x90") or (data[0] == "\xb0") or (data[0] == "\xd0") or (data[0] == "\xf0"):
|
|
return "\xea" * len(data)
|
|
return None
|
|
|
|
def invert_branch(self, data, addr):
|
|
if (data[0] == "\x10") or (data[0] == "\x30") or (data[0] == "\x50") or (data[0] == "\x70") or (data[0] == "\x90") or (data[0] == "\xb0") or (data[0] == "\xd0") or (data[0] == "\xf0"):
|
|
return chr(ord(data[0]) ^ 0x20) + data[1:]
|
|
return None
|
|
|
|
def skip_and_return_value(self, data, addr, value):
|
|
if (data[0] != "\x20") or (len(data) != 3):
|
|
return None
|
|
return "\xa9" + chr(value & 0xff) + "\xea"
|
|
|
|
|
|
class NESView(BinaryView):
|
|
name = "NES"
|
|
long_name = "NES ROM"
|
|
|
|
def __init__(self, data):
|
|
BinaryView.__init__(self, parent_view = data, file_metadata = data.file)
|
|
self.platform = Architecture['6502'].standalone_platform
|
|
|
|
@classmethod
|
|
def is_valid_for_data(self, data):
|
|
hdr = data.read(0, 16)
|
|
if len(hdr) < 16:
|
|
return False
|
|
if hdr[0:4] != "NES\x1a":
|
|
return False
|
|
rom_banks = struct.unpack("B", hdr[4])[0]
|
|
if rom_banks < (self.bank + 1):
|
|
return False
|
|
return True
|
|
|
|
def init(self):
|
|
try:
|
|
hdr = self.parent_view.read(0, 16)
|
|
self.rom_banks = struct.unpack("B", hdr[4])[0]
|
|
self.vrom_banks = struct.unpack("B", hdr[5])[0]
|
|
self.rom_flags = struct.unpack("B", hdr[6])[0]
|
|
self.mapper_index = struct.unpack("B", hdr[7])[0] | (self.rom_flags >> 4)
|
|
self.ram_banks = struct.unpack("B", hdr[8])[0]
|
|
self.rom_offset = 16
|
|
if self.rom_flags & 4:
|
|
self.rom_offset += 512
|
|
self.rom_length = self.rom_banks * 0x4000
|
|
|
|
# Add mapping for RAM and hardware registers, not backed by file contents
|
|
self.add_auto_segment(0, 0x8000, 0, 0, SegmentFlag.SegmentReadable | SegmentFlag.SegmentWritable | SegmentFlag.SegmentExecutable)
|
|
|
|
# Add ROM mappings
|
|
self.add_auto_segment(0x8000, 0x4000, self.rom_offset + (self.__class__.bank * 0x4000), 0x4000,
|
|
SegmentFlag.SegmentReadable | SegmentFlag.SegmentExecutable)
|
|
self.add_auto_segment(0xc000, 0x4000, self.rom_offset + self.rom_length - 0x4000, 0x4000,
|
|
SegmentFlag.SegmentReadable | SegmentFlag.SegmentExecutable)
|
|
|
|
nmi = struct.unpack("<H", self.read(0xfffa, 2))[0]
|
|
start = struct.unpack("<H", self.read(0xfffc, 2))[0]
|
|
irq = struct.unpack("<H", self.read(0xfffe, 2))[0]
|
|
self.define_auto_symbol(Symbol(SymbolType.FunctionSymbol, nmi, "_nmi"))
|
|
self.define_auto_symbol(Symbol(SymbolType.FunctionSymbol, start, "_start"))
|
|
self.define_auto_symbol(Symbol(SymbolType.FunctionSymbol, irq, "_irq"))
|
|
self.add_function(nmi)
|
|
self.add_function(irq)
|
|
self.add_entry_point(start)
|
|
|
|
# Hardware registers
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x2000, "PPUCTRL"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x2001, "PPUMASK"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x2002, "PPUSTATUS"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x2003, "OAMADDR"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x2004, "OAMDATA"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x2005, "PPUSCROLL"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x2006, "PPUADDR"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x2007, "PPUDATA"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4000, "SQ1_VOL"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4001, "SQ1_SWEEP"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4002, "SQ1_LO"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4003, "SQ1_HI"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4004, "SQ2_VOL"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4005, "SQ2_SWEEP"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4006, "SQ2_LO"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4007, "SQ2_HI"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4008, "TRI_LINEAR"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x400a, "TRI_LO"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x400b, "TRI_HI"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x400c, "NOISE_VOL"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x400e, "NOISE_LO"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x400f, "NOISE_HI"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4010, "DMC_FREQ"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4011, "DMC_RAW"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4012, "DMC_START"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4013, "DMC_LEN"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4014, "OAMDMA"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4015, "SND_CHN"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4016, "JOY1"))
|
|
self.define_auto_symbol(Symbol(SymbolType.DataSymbol, 0x4017, "JOY2"))
|
|
|
|
sym_files = [self.file.filename + ".%x.nl" % self.__class__.bank,
|
|
self.file.filename + ".ram.nl",
|
|
self.file.filename + ".%x.nl" % (self.rom_banks - 1)]
|
|
for f in sym_files:
|
|
if os.path.exists(f):
|
|
sym_contents = open(f, "r").read()
|
|
lines = sym_contents.split('\n')
|
|
for line in lines:
|
|
sym = line.split('#')
|
|
if len(sym) < 3:
|
|
break
|
|
addr = int(sym[0][1:], 16)
|
|
name = sym[1]
|
|
self.define_auto_symbol(Symbol(SymbolType.FunctionSymbol, addr, name))
|
|
if addr >= 0x8000:
|
|
self.add_function(addr)
|
|
|
|
return True
|
|
except:
|
|
log_error(traceback.format_exc())
|
|
return False
|
|
|
|
def perform_is_executable(self):
|
|
return True
|
|
|
|
def perform_get_entry_point(self):
|
|
return struct.unpack("<H", str(self.perform_read(0xfffc, 2)))[0]
|
|
|
|
|
|
banks = []
|
|
for i in range(0, 32):
|
|
class NESViewBank(NESView):
|
|
bank = i
|
|
name = "NES Bank %X" % i
|
|
long_name = "NES ROM (bank %X)" % i
|
|
|
|
def __init__(self, data):
|
|
NESView.__init__(self, data)
|
|
|
|
banks.append(NESViewBank)
|
|
NESViewBank.register()
|
|
|
|
M6502.register()
|