
Sleigh: check pattern bytes equality

Open lab313ru opened this issue 1 year ago • 10 comments

For example I have the following sequence, and I would like to create a special opcode for it (like a macro). I know it should contain equal bytes at some positions: [image attached in the original issue]

How can I check that using Sleigh, or any other method in order to create a special macro? (Registers may vary)

lab313ru avatar May 25 '23 22:05 lab313ru

I'm not a 100% sure I understand without a concrete example. However, I think creating a table for this would suit your needs.

ex:

```sleigh
# Sub-table that only matches when the two fields agree (sketch; Sleigh comments use '#')
ByteEquality: is something & mask1=mask2 {}

:SomeInstruction is OriginalCondition & ByteEquality {
    # handle equality case
}

:SomeInstruction is OriginalCondition {
    # handle original instruction
}
```

astrelsky avatar May 31 '23 11:05 astrelsky

Will this work for tokens in different groups?

lab313ru avatar Jun 01 '23 16:06 lab313ru

Just checked. It doesn't. It requires accessing a different group mask.

lab313ru avatar Jun 01 '23 16:06 lab313ru

> Just checked. It doesn't. It requires accessing a different group mask.

I think you can use a table which accesses multiple token groups. The same token group rules that apply to the instruction table apply to all tables.

astrelsky avatar Jun 02 '23 11:06 astrelsky

What do you mean?

For example I have:

```sleigh
define token instruction(8)
    op1=(0,7)
    op2=(0,7)
    reg1=(0,7)
    reg2=(0,7)
;
```

define pcodeop regs_the_same;

And I have the following opcode:

```sleigh
:opcode1 is op1=1; reg1; reg2 {
    regs_the_same();
}
```

How can I check that the reg1 byte is equal to the reg2 byte in the opcode?

lab313ru avatar Jun 02 '23 12:06 lab313ru

> What do you mean?
>
> For example I have:
>
> ```sleigh
> define token instruction(8)
>     op1=(0,7)
>     op2=(0,7)
>     reg1=(0,7)
>     reg2=(0,7)
> ;
>
> define pcodeop regs_the_same;
> ```
>
> And I have the following opcode:
>
> ```sleigh
> :opcode1 is op1=1; reg1; reg2 {
>     regs_the_same();
> }
> ```
>
> How can I check that the reg1 byte is equal to the reg2 byte in the opcode?

~~Those are part of the same token~~

~~`:opcode1 is op1=1 & reg1 & reg2 & reg1=reg2 {}` I think.~~

Ignore my blatant oversight above. Is the use case actually that simple? If so I'd just define another token as 16 bytes and do what I attempted to demonstrate.

If memory serves correctly you need to use `...` when mixing mixed-sized tokens.

astrelsky avatar Jun 02 '23 16:06 astrelsky

Some macros are much larger, so I also need to check two bytes at a 16-byte distance. I don't think that I can use such big tokens for that.

lab313ru avatar Jun 02 '23 16:06 lab313ru

Defining such big tokens makes it impossible for Ghidra to compile my language because of a timeout:

```sleigh
define token big1(360)
    big1_x08  = (64,71)
    big1_x08_ = (64,71)
    big1_x11  = (136,143)
    big1_x11_ = (136,143)
    big1_x14  = (160,167)
    big1_x14_ = (160,167)
    big1_x1d  = (232,239)
    big1_x1d_ = (232,239)
    big1_x1f  = (248,255)
    big1_x1f_ = (248,255)
    big1_x24  = (288,295)
    big1_x24_ = (288,295)
    big1_x27  = (312,319)
    big1_x27_ = (312,319)
;
```

lab313ru avatar Jun 03 '23 11:06 lab313ru

> Some macros are much larger, so I also need to check two bytes at a 16-byte distance. I don't think that I can use such big tokens for that.

I'm all out of ideas then. I don't think it was ever intended to have 16-byte instructions...

astrelsky avatar Jun 03 '23 16:06 astrelsky

That was my idea to implement macro instructions:)

lab313ru avatar Jun 03 '23 16:06 lab313ru
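The check lab313ru is after (fixed opcode bytes, register bytes that may vary, and two positions, possibly 16 bytes apart, that must hold the same byte) done outside of Sleigh, as an added example that is not part of this issue and not Ghidra or Sleigh code. The pattern spec syntax (`01` fixed byte, `??` any byte, `$name` a slot whose every occurrence must agree), the `MacroPattern`/`parse_pattern`/`find_macros` names and the sample byte strings are my own constructions. The same comparison could be driven from a Ghidra script over instruction bytes to flag macro sequences; that wiring is not shown here.

```python
"""Byte-level matcher for macro-instruction patterns with equality constraints.

Added example; the spec syntax below is invented for it:
  - "01"   a fixed byte (two hex digits)
  - "??"   any byte
  - "$r"   a named slot; every slot with the same name must hold the same byte
A slot can be reused at any distance, so "F0 $a ?? ... ?? $a" checks two bytes
16 positions apart without a 16-byte-wide token.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEX = "0123456789abcdefABCDEF"


@dataclass(frozen=True)
class MacroPattern:
    name: str
    fixed: Tuple[Optional[int], ...]                 # byte value, or None for wildcard
    slots: Tuple[Tuple[str, Tuple[int, ...]], ...]   # (slot name, offsets that must agree)

    def __len__(self) -> int:
        return len(self.fixed)

    def match_at(self, buf: bytes, off: int) -> Optional[Dict[str, int]]:
        """Return the bound slot values if buf[off:] starts with this macro, else None."""
        if off < 0 or off + len(self) > len(buf):
            return None
        for i, want in enumerate(self.fixed):
            if want is not None and buf[off + i] != want:
                return None
        bound: Dict[str, int] = {}
        for name, offsets in self.slots:
            first = buf[off + offsets[0]]
            # Every occurrence of the slot must carry the same byte (the reg1 == reg2 check).
            if any(buf[off + o] != first for o in offsets[1:]):
                return None
            bound[name] = first
        return bound


def parse_pattern(name: str, spec: str) -> MacroPattern:
    """Build a MacroPattern from the hypothetical spec syntax described above."""
    fixed: List[Optional[int]] = []
    slots: Dict[str, List[int]] = {}
    for i, tok in enumerate(spec.split()):
        if tok == "??":
            fixed.append(None)
        elif tok.startswith("$") and len(tok) > 1:
            fixed.append(None)
            slots.setdefault(tok[1:], []).append(i)
        elif len(tok) == 2 and all(c in HEX for c in tok):
            fixed.append(int(tok, 16))
        else:
            raise ValueError(f"bad token {tok!r} in pattern {name}")
    if not fixed:
        raise ValueError(f"empty pattern {name}")
    return MacroPattern(name, tuple(fixed), tuple((k, tuple(v)) for k, v in slots.items()))


def find_macros(buf: bytes, patterns: List[MacroPattern]) -> List[Tuple[int, str, Dict[str, int]]]:
    """Scan buf; at each offset the longest matching pattern wins and is skipped over.

    Simplification: on a miss the scan advances one byte, whereas a real
    disassembler would step by the decoded instruction length.
    """
    by_len = sorted(patterns, key=len, reverse=True)
    hits: List[Tuple[int, str, Dict[str, int]]] = []
    off = 0
    while off < len(buf):
        for p in by_len:
            bound = p.match_at(buf, off)
            if bound is not None:
                hits.append((off, p.name, bound))
                off += len(p)
                break
        else:
            off += 1
    return hits


# Constructed sample patterns: the 3-byte "op1=1; reg1; reg2" case from the issue,
# and a longer macro whose two register bytes sit 16 bytes apart.
PATTERNS = [
    parse_pattern("op1_same_regs", "01 $r $r"),
    parse_pattern("far_same_regs", "F0 $a " + " ".join(["??"] * 15) + " $a"),
]

# Constructed byte stream (not real firmware):
#   01 05 05               op1=1, reg1 == reg2 == 5        -> hit at offset 0
#   01 05 06               op1=1, reg1 != reg2             -> no hit
#   F0 2A <15 bytes> 2A    bytes at offsets 1 and 17 agree -> hit at offset 6
SAMPLE = bytes.fromhex("010505" "010506" "f02a" + "00" * 15 + "2a")

if __name__ == "__main__":
    for off, name, bound in find_macros(SAMPLE, PATTERNS):
        print(f"{off:#06x} {name} {bound}")
```

Each `$name` slot maps directly onto the Sleigh fields that had to be equal (`reg1`/`reg2`, or `big1_x08`/`big1_x08_`), and the distance between occurrences is just a spec offset, so the 16-byte case costs nothing extra.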