Allow disassembly or analysis to be overridden.

GJDuck · GJDuck · commit 60c05939ec92 · 2022-12-10T10:24:34.000+08:00
This introduces two new options for E9Tool:
    --use-disasm disasm.csv
    --use-targets targets.csv
This allows the default E9Tool disassembler or
control-flow analysis to be overridden with
information generated by other tools.

Here:
    * disasm.csv lists all instruction addresses
    * targets.csv lists all jump/call targets
diff --git a/doc/e9tool-user-guide.md b/doc/e9tool-user-guide.md
@@ -7,6 +7,7 @@
     - [1.1 Optimization](#optimization)
     - [1.2 Compression](#compression)
     - [1.3 Rewriting Modes](#modes)
+    - [1.4 Disassembly and Analysis](#analysis)
 * [2. Matching Language](#matching)
     - [2.1 Attributes](#attributes)
     - [2.2 Definedness](#definedness)
@@ -123,6 +124,39 @@ possible rewriting errors.
 Thus, the CFR mode is not as robust as the default mode, although it should
 be compatible with most binaries.
 
+---
+### <a id="analysis">1.4 Disassembly and Analysis</a>
+
+For convenience, E9Tool comes with a built-in linear disassembler that should
+handle some binaries compiled with standard compilers, such as `gcc`.
+However, linear disassemblers have known limitations for some binaries that
+mix code and data.
+It is possible to override the default disassembler using the `--use-disasm`
+option, e.g.:
+
+        $ e9tool --use-disasm disasm.csv ...
+
+Here, `disasm.csv` is a single-column *comma-seperated-value* (CSV) file that
+should contain all instruction addresses to be disassembled.
+The `disasm.csv` file can be generated by other disassemblers, and integrated
+into the E9Tool/E9Patch toolchain.
+
+Similarly, E9Tool's default *control-flow-recovery* analysis can be
+overridden by the `--use-targets` option, e.g.:
+
+        $ e9tool --use-targets targets.csv ...
+
+Here, `targets.csv` is a CSV file with one or two columns.
+The first column is the list of all jump/call target addresses in the binary.
+The second column, if present, is a Boolean value (either 0 or 1), where a
+value of 1 indicates that the target is a function entry, and 0 otherwise.
+Like disassembly, the `targets.csv` file can be generated by other binary
+analysis tools and integrated into the E9Tool/E9Patch toolchain.
+
+Note that `--use-targets` option does not affect the internal
+control-flow-recovery analysis for E9Patch (for the `-X` option).
+Rather, the option only affects E9Tool's matching/patching operations.
+
 ---
 ## <a id="matching">2. Matching Language</a>
 
diff --git a/doc/e9tool.1 b/doc/e9tool.1
@@ -203,6 +203,16 @@ The default syntax is "ATT".
 .IP "\fB\-\-trap\fR=\fI\,ADDR\/\fR, \fB\-\-trap\-all\fR" 4
 Insert a trap (int3) instruction at the corresponding
 trampoline entry.  This can be used for debugging with gdb.
+.IP "\fB\-\-use\-disasm \fI\,FILE\/\fR" 4
+Use the instruction information in FILE rather than the default
+disassmebler.  Here, FILE is a CSV file with a single column
+representing instruction addresses.
+.IP "\fB\-\-use\-targets \fI\,FILE\/\fR" 4
+Use the jump/call target information in FILE rather than the
+default control-flow recovery analysis.  Here, FILE is a CSV
+file where the first column is all jump/call targets, and an
+optional second column is 1 for call targets (functions), or
+0 otherwise (the default is 0).
 .IP "\fB\-\-version\fR" 4
 Print the version and exit.
 .IP "\fB\-X\fR" 4
diff --git a/src/e9tool/e9csv.cpp b/src/e9tool/e9csv.cpp
@@ -283,3 +283,87 @@ MatchVal getCSVValue(intptr_t addr, const char *basename, uint16_t idx)
     return record[idx];
 }
 
+/*
+ * Specialized parser for lists of addresses.
+ */
+void parseAddrs(const char *filename, std::vector<intptr_t> &As)
+{
+    FILE *stream = fopen(filename, "r");
+    if (stream == nullptr)
+        error("failed to open CSV file \"%s\" for reading: %s",
+            filename, strerror(errno));
+
+    Record record;
+    CSV csv = {stream, filename, /*length=*/1, 0};
+    while (true)
+    {
+        if (!parseRecord(csv, record))
+            break;
+        if ((unsigned)record.size() != (unsigned)csv.length)
+            error("failed to parse CSV file \"%s\" at line %u; record with "
+                "invalid length %zu (expected %u)", csv.filename,
+                csv.lineno, record.size(), csv.length);
+        MatchVal &addr = record[0];
+        if (addr.type != MATCH_TYPE_INTEGER)
+            error("failed to parse CSV file \"%s\" at line %u; first record "
+                "entry must be an address", csv.filename, csv.lineno);
+        As.push_back(addr.i);
+        record.clear();
+    }
+
+    fclose(stream);
+    std::sort(As.begin(), As.end());
+    std::unique(As.begin(), As.end());
+    As.shrink_to_fit();
+}
+
+/*
+ * Specialized parser for targets.
+ */
+void parseTargets(const char *filename, const Instr *Is, size_t size,
+    Targets &targets)
+{
+    FILE *stream = fopen(filename, "r");
+    if (stream == nullptr)
+        error("failed to open CSV file \"%s\" for reading: %s",
+            filename, strerror(errno));
+
+    Record record;
+    CSV csv = {stream, filename, /*length=*/2, 0};
+    while (true)
+    {
+        if (!parseRecord(csv, record))
+            break;
+        if (record.size() != 1 && record.size() != 2)
+            error("failed to parse CSV file \"%s\" at line %u; record with "
+                "invalid length %zu (expected 1 or 2)", csv.filename,
+                csv.lineno, record.size());
+        MatchVal &addr = record[0];
+        if (addr.type != MATCH_TYPE_INTEGER)
+            error("failed to parse CSV file \"%s\" at line %u; first record "
+                "entry must be an address", csv.filename, csv.lineno);
+        TargetKind kind = TARGET_DIRECT;
+        if (record.size() == 2)
+        {
+            MatchVal &func = record[1];
+            if (func.type != MATCH_TYPE_INTEGER || (func.i != 0 && func.i != 1))
+                error("failed to parse CSV file \"%s\" at line %u; second "
+                    "record entry must be Boolean value (0 or 1)",
+                    csv.filename, csv.lineno);
+            kind |= (func.i != 0? TARGET_FUNCTION: 0);
+        }
+        if (findInstr(Is, size, addr.i) < 0)
+        {
+            record.clear();
+            continue;
+        }
+        auto r = targets.insert({addr.i, kind});
+        if (!r.second)
+            error("failed to parse CSV file \"%s\" at line %u; duplicate "
+                "record with address 0x%lx", csv.filename, csv.lineno,
+                addr);
+        record.clear();
+    }
+    fclose(stream);
+}
+
diff --git a/src/e9tool/e9csv.h b/src/e9tool/e9csv.h
@@ -20,5 +20,8 @@
 #include "e9action.h"
 
 extern MatchVal getCSVValue(intptr_t addr, const char *basename, uint16_t idx);
+void parseAddrs(const char *filename, std::vector<intptr_t> &As);
+void parseTargets(const char *filename, const e9tool::Instr *Is, size_t size,
+    e9tool::Targets &targets);
 
 #endif
diff --git a/src/e9tool/e9misc.cpp b/src/e9tool/e9misc.cpp
@@ -330,6 +330,18 @@ void usage(FILE *stream, const char *progname)
         "\t\tInsert a trap (int3) instruction at the corresponding\n"
         "\t\ttrampoline entry.  This can be used for debugging with gdb.\n"
         "\n"
+        "\t--use-disasm FILE\n"
+        "\t\tUse the instruction information in FILE rather than the default\n"
+        "\t\tdisassmebler.  Here, FILE is a CSV file with a single column\n"
+        "\t\trepresenting instruction addresses.\n"
+        "\n"
+        "\t--use-targets FILE\n"
+        "\t\tUse the jump/call target information in FILE rather than the\n"
+        "\t\tdefault control-flow recovery analysis.  Here, FILE is a CSV\n"
+        "\t\tfile where the first column is all jump/call targets, and an\n"
+        "\t\toptional second column is 1 for call targets (functions), or\n"
+        "\t\t0 otherwise (the default is 0).\n"
+        "\n"
         "\t--version\n"
         "\t\tPrint the version and exit.\n"
         "\n"
diff --git a/src/e9tool/e9tool.cpp b/src/e9tool/e9tool.cpp
@@ -529,6 +529,29 @@ static size_t exclude(const std::vector<Exclude> &excludes, intptr_t addr)
     return 0;
 }
 
+/*
+ * Next instruction.
+ */
+static size_t nextInstr(const std::vector<intptr_t> &disasm, intptr_t addr)
+{
+    ssize_t max = (ssize_t)disasm.size() - 1;
+    if (disasm.size() == 0 || addr > disasm[max])
+        return INT32_MAX;
+    ssize_t lo = 0, hi = max;
+    while (lo <= hi)
+    {
+        ssize_t mid = (lo + hi) / 2;
+        intptr_t i = disasm[mid];
+        if (addr < i)
+            hi = mid-1;
+        else if (addr > i)
+            lo = mid+1;
+        else
+            return 0;
+    }
+    return disasm[lo] - addr;
+}
+
 /*
  * Metadata.
  */
@@ -651,6 +674,8 @@ enum Option
     OPTION_SYNTAX,
     OPTION_TRAP,
     OPTION_TRAP_ALL,
+    OPTION_USE_DISASM,
+    OPTION_USE_TARGETS,
     OPTION_VERSION,
 };
 
@@ -725,6 +750,8 @@ int main_2(int argc, char **argv)
         {"syntax",        req_arg, nullptr, OPTION_SYNTAX},
         {"trap",          req_arg, nullptr, OPTION_TRAP},
         {"trap-all",      no_arg,  nullptr, OPTION_TRAP_ALL},
+        {"use-disasm",    req_arg, nullptr, OPTION_USE_DISASM},
+        {"use-targets",   req_arg, nullptr, OPTION_USE_TARGETS},
         {"version",       no_arg,  nullptr, OPTION_VERSION},
         {nullptr,         no_arg,  nullptr, 0}
     }; 
@@ -741,6 +768,10 @@ int main_2(int argc, char **argv)
     std::vector<std::string> option_patch;
     std::vector<ActionEntry> option_actions;
     std::vector<std::string> option_exclude;
+    std::string option_use_disasm("");
+    std::string option_use_targets("");
+    std::string option_use_funcs("");
+
     int option_sync = 64, option_threshold = 2;
     bool option_CFR = false;
     srand(0xe9e9e9e9);
@@ -898,6 +929,12 @@ int main_2(int argc, char **argv)
             case OPTION_TRAP_ALL:
                 option_trap_all = true;
                 break;
+            case OPTION_USE_DISASM:
+                option_use_disasm = optarg;
+                break;
+            case OPTION_USE_TARGETS:
+                option_use_targets = optarg;
+                break;
             case OPTION_VERSION:
                 puts("E9Tool " STRING(VERSION));
                 return EXIT_SUCCESS;
@@ -1252,6 +1289,13 @@ int main_2(int argc, char **argv)
     /*
      * Disassemble the ELF file.
      */
+    std::vector<intptr_t> disasm;
+    bool use_disasm = false;
+    if (option_use_disasm != "")
+    {
+        parseAddrs(option_use_disasm.c_str(), disasm);
+        use_disasm = true;
+    }
     initDisassembler();
     std::vector<Instr> Is;
     std::vector<Desync> desyncs;
@@ -1279,6 +1323,7 @@ int main_2(int argc, char **argv)
         while (true)
         {
             size_t skip = exclude(excludes, address);
+            skip += (use_disasm? nextInstr(disasm, address + skip): 0);
             if (skip > 0)
             {
                 address += skip;
@@ -1296,7 +1341,7 @@ int main_2(int argc, char **argv)
             I.first = first;
             first = false;
 
-            int score = suspiciousness(bytes, I.size);
+            int score = (use_disasm? 0: suspiciousness(bytes, I.size));
             if (option_debug && !I.data)
             {
                 InstrInfo J;
@@ -1311,6 +1356,11 @@ int main_2(int argc, char **argv)
                     (score >= option_threshold? " <data?>": ""));
             }
 
+            if (I.data && use_disasm)
+                error("failed to decode instruction at address 0x%lx; "
+                    "the \"%s\" disassmebly file may be inaccurate",
+                    I.address, option_use_disasm.c_str());
+
             if (I.data || score >= option_threshold)
             {
                 // Data has been detected in the code segment.  We attempt to
@@ -1352,13 +1402,20 @@ int main_2(int argc, char **argv)
                 section, section_addr, section_addr + section_size,
                 section_addr, section_addr + (code - start));
     }
+    disasm.clear();
     Is.shrink_to_fit();
     notifyPlugins(out, &elf, Is, EVENT_DISASSEMBLY_COMPLETE);
     size_t count = Is.size();
 
     // Step (1a): CFG Analysis (if necessary).
     if (option_targets)
-        buildTargets(&elf, Is.data(), Is.size(), elf.targets);
+    {
+        if (option_use_targets != "")
+            parseTargets(option_use_targets.c_str(), Is.data(), Is.size(),
+                elf.targets);
+        else
+            buildTargets(&elf, Is.data(), Is.size(), elf.targets);
+    }
     if (option_bbs)
         buildBBs(&elf, Is.data(), Is.size(), elf.targets, elf.bbs);
     if (option_fs)
