HP PA-RISC: Migrate to Capstone and add basic analysis

Open XVilka opened this issue 1 year ago • 6 comments

Your checklist for this pull request

  • [x] I've read the guidelines for contributing to this repository
  • [x] I made sure to follow the project's coding style
  • [ ] I've documented or updated the documentation of every function and struct this PR changes. If not so I've explained why.
  • [x] I've added tests that prove my fix is effective or that my feature works (if possible)
  • [ ] I've updated the rizin book with the relevant information (if needed)

Detailed description

  • Remove GNU hppa plugin
  • Add Capstone-based disassembler
  • Add basic analysis plugin

Now it is able to derive control flow properly for most common instructions:

Screenshot 2024-05-05 at 1 20 08 AM

Test plan

CI is green

Closing issues

Partially addresses https://github.com/rizinorg/ideas/issues/1 Partially addresses https://github.com/rizinorg/rizin/issues/2704

Useful information

  • https://kaashif.co.uk/2019/04/18/hp-pa-risc-assembly-crash-course/
  • http://www.3kranger.com/HP3000/mpeix/en-hard/09740-90015/ch03s04.html

XVilka avatar May 04 '24 11:05 XVilka

I fixed ELF parsing (imports and relocs) but it looks like there are still some invalid instructions left unhandled. @R33v0LT could you please take a look?

Screenshot 2025-06-11 at 11 04 04 PM

notxvilka avatar Jun 11 '25 19:06 notxvilka

Instruction e841acd0 decoded as b,l 0x82670, rp on hppa 2.0. The type of branch instruction is defined by bits [16:18] (known as the ext field). According to the hppa 1.1 manual (http://bitsavers.informatik.uni-stuttgart.de/pdf/hp/pa-risc/09740-90039_PA_RISC_1.1_Architecture_and_Instruction_Set_Reference_Manual_Ed3.pdf), there are 3 types of ext field supported: 0 (BL), 1 (GATE), 2 (BLR), 6 (BV). e841acd0 has an ext field equal to 5, so the hppa 1.1 disassembler marked this instruction as invalid.

R33v0LT avatar Jun 29 '25 12:06 R33v0LT
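To make the field extraction in the comment above concrete, here is an added example (not code from this PR, rizin or Capstone) that pulls the opcode and the ext field out of a 32-bit PA-RISC instruction word using HP bit numbering (bit 0 is the most significant bit) and checks the ext value against the PA-RISC 1.1 table quoted in the thread. The second input word is a constructed variant of e841acd0 with the ext bits cleared, not one from the binary.

```python
# Added example: decode the opcode (bits [0:5]) and the branch ext field
# (bits [16:18]) of a PA-RISC instruction word, HP numbering (bit 0 = MSB).

OPCODE_BRANCH = 0x3A  # opcode shared by the BL/GATE/BLR/BV branch family

# ext-field values the thread lists as valid for a PA-RISC 1.1 decoder
EXT_PA11 = {0: "BL", 1: "GATE", 2: "BLR", 6: "BV"}


def field(word: int, first: int, last: int) -> int:
    """Return bits first..last (inclusive, bit 0 = MSB) of a 32-bit word."""
    width = last - first + 1
    shift = 31 - last
    return (word >> shift) & ((1 << width) - 1)


def classify_branch(word: int) -> dict:
    """Report opcode, ext field and how a 1.1-only decoder would treat the word."""
    opcode = field(word, 0, 5)
    ext = field(word, 16, 18)
    if opcode != OPCODE_BRANCH:
        status = "not in the opcode 0x3A branch family"
    else:
        status = EXT_PA11.get(ext, "ext not in the 1.1 table (invalid on a 1.1 decoder)")
    return {"opcode": opcode, "ext": ext, "pa11": status}


if __name__ == "__main__":
    # e841acd0 is the word from the thread; e8410cd0 is constructed from it
    # by clearing bits [16:18] so that ext becomes 0 (BL).
    for w in (0xE841ACD0, 0xE8410CD0):
        print(f"{w:08x}: {classify_branch(w)}")
```

Running it shows e841acd0 carrying opcode 0x3A with ext 5, which is exactly the value the 1.1 table does not list.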

Interesting, but the ELF I took from HPPA Linux is marked as PARISC 1.1:

ELF Header:
  Magic:   7f 45 4c 46 01 02 01 03 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, big endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - GNU
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           HPPA
  Version:                           0x1
  Entry point address:               0x27bd8
  Start of program headers:          52 (bytes into file)
  Start of section headers:          769272 (bytes into file)
  Flags:                             0x210, PA-RISC 1.1
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         8
  Size of section headers:           40 (bytes)
  Number of section headers:         28
  Section header string table index: 27

There is also 000841c8:

│           0x00027c20      04000000       iitlbp flags,(flags)
│           0x00027c24      08000240       or flags,flags,flags
╰           0x00027c28      000841c8       invalid
            0x00027c2c      2b623000       addil 0x5800,dp
            0x00027c30      6bc23fd9       stw rp,-0x14(sp)
            0x00027c34      403c0308       ldb 0x184(r1),ret0          ; 388
            0x00027c38      6fc40080       stwm r4,0x40(sp)            ; 64

And a few others: Screenshot 2025-06-29 at 7 51 14 PM

notxvilka avatar Jun 29 '25 15:06 notxvilka

This is also available with 2.0:

cstool hppa20w 000841c8
 0  00 08 41 c8  movb	r1,rp,0x408

If it is not in the ISA, it either is a custom flag in their compiler to enable the extra instructions/fields or they have a bug.

@notxvilka Can you share where the binary is coming from? We should probably open an issue there.

Rot127 avatar Jun 30 '25 12:06 Rot127

It's from Debian for PARISC. All ELF files I checked are like that. I think I will just force 2.0 ISA instead.

notxvilka avatar Jun 30 '25 16:06 notxvilka

If 1.1 is a subset of 2.0, just enforce 2.0

wargio avatar Jul 01 '25 07:07 wargio