Sunday, May 31, 2009

QEMU dyngen

Though I've played with QEMU for a while and have done some successful experiments on its translation process, it is still of great importance to get a better and correct understanding of its dynamic translation process. What follows is pieces of information from QEMU's official document, QEMU Internals, together with my understanding.



The basic idea is to split every x86 instruction into fewer simpler instructions called micro operations.


I think this idea is similar to Intel's micro-instructions: every x86 instruction is first translated/interpreted into a few simple instructions. For example, the call instruction (0xff) used in my PoC example is translated into:



movtl_T1_im(nextip)   // save next ip in T1
push_T1               // push next ip onto stack
jmp_T0                // jump to the target ip saved in T0

Each simple instruction is implemented by a piece of C code.


Each simple instruction, like push_T1, is implemented by a piece of C code (a simple function in op.h). This code is then compiled into binary code for the target platform (the machine QEMU itself runs on). These compiled code snippets are then used to generate the dynamic translator.



QEMU is no more difficult to port than a dynamic linker.


The generated dynamic translator is much like a linker: it links target-platform binary code snippets to form a basic block, then executes the block. One interesting thing about the translator is that a parameter a snippet needs is passed to it at link time through code patching. The following is the example given in the QEMU paper, QEMU, a Fast and Portable Dynamic Translator.


The translated micro operations of the PowerPC instruction add r1,r1,-16 are:



movl_T0_r1          // load r1 into the temporary T0
addl_T0_im(-16)     // add the immediate -16 to T0
movl_r1_T0          // store T0 back to r1

The C code of addl_T0_im is:



extern int __op_param1;   /* dummy symbol; its "address" is the slot patched at link time */
void op_addl_T0_im(void)
{
    T0 = T0 + ((long)(&__op_param1));
}

The generated dynamic translator passes the immediate parameter -16 to the code snippet by:



case INDEX_op_addl_T0_im:
{
    long param1;
    extern void op_addl_T0_im();
    memcpy(gen_code_ptr, (char *)&op_addl_T0_im + 0, 6);   // dynamic link: copy the compiled snippet
    param1 = *opparam_ptr++;                               // read parameter
    *(uint32_t *)(gen_code_ptr + 2) = param1;              // patch __op_param1 with the runtime value
    gen_code_ptr += 6;
    break;
}

From this example we can see that, by using runtime patching to pass operation parameters, we no longer need to worry about the runtime value of a parameter when writing the function for a micro operation. This also makes it possible to directly instrument the C code snippets to add functions like dynamic taint tracking and target address checking.
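The copy-then-patch linking described above, as an added example that is not QEMU's code or the post's own: host machine code is replaced by a constructed 5-byte bytecode template so the model runs on any machine, and the opcodes, PARAM_OFFSET and the placeholder bytes are invented for this model. The block translates the PowerPC add r1,r1,-16 example into its three micro ops, patches -16 into the addl_T0_im snippet, and executes the linked block.

```c
#include <stdint.h>
#include <string.h>

/* Constructed bytecode standing in for host machine code (the opcodes and
 * layout are invented for this model). Each op_* snippet is a fixed 5-byte
 * template: [opcode][4-byte slot that models the &__op_param1 reference]. */
enum { OP_MOVL_T0_R1 = 1, OP_ADDL_T0_IM, OP_MOVL_R1_T0, OP_END };
#define TEMPLATE_LEN  5
#define PARAM_OFFSET  1   /* plays the role of the "+ 2" in the post's memcpy case */

/* The "case INDEX_op_*:" body from the post: copy the compiled snippet
 * (dynamic link), then overwrite the parameter slot with the runtime value. */
uint8_t *emit_op(uint8_t *gen_code_ptr, uint8_t opcode, uint32_t param)
{
    const uint8_t tmpl[TEMPLATE_LEN] = { opcode, 0xEF, 0xBE, 0xAD, 0xDE };
    memcpy(gen_code_ptr, tmpl, TEMPLATE_LEN);                    /* dynamic link */
    memcpy(gen_code_ptr + PARAM_OFFSET, &param, sizeof param);   /* patch parameter */
    return gen_code_ptr + TEMPLATE_LEN;
}

struct cpu { long T0; long r1; };   /* T0 is QEMU's temporary, r1 the PowerPC register */

/* Run a linked block, the equivalent of jumping into the generated buffer. */
static void exec_block(struct cpu *c, const uint8_t *code)
{
    for (;; code += TEMPLATE_LEN) {
        uint32_t p;
        memcpy(&p, code + PARAM_OFFSET, sizeof p);
        switch (code[0]) {
        case OP_MOVL_T0_R1: c->T0 = c->r1;          break;
        case OP_ADDL_T0_IM: c->T0 += (int32_t)p;    break;  /* patched -16 lands here */
        case OP_MOVL_R1_T0: c->r1 = c->T0;          break;
        default:            return;                          /* OP_END */
        }
    }
}

/* Translate PowerPC "add r1,r1,-16" into the post's three micro ops, execute
 * the block, and return the resulting r1. */
long translate_and_run_add_r1(long r1_before)
{
    uint8_t buf[4 * TEMPLATE_LEN], *gen_code_ptr = buf;
    gen_code_ptr = emit_op(gen_code_ptr, OP_MOVL_T0_R1, 0);        /* no parameter */
    gen_code_ptr = emit_op(gen_code_ptr, OP_ADDL_T0_IM, (uint32_t)-16);
    gen_code_ptr = emit_op(gen_code_ptr, OP_MOVL_R1_T0, 0);
    emit_op(gen_code_ptr, OP_END, 0);
    struct cpu c = { 0, r1_before };
    exec_block(&c, buf);
    return c.r1;
}
```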


P.S. From version 0.10.0, QEMU began to use TCG (the Tiny Code Generator), which brings some differences. I think this may require another blog post to describe these changes.

Tuesday, January 15, 2008

The Flat-Chest Song [repost]

Dongxin is really getting more and more wicked, absolutely not suitable for kids, though kids these days... sigh, a nation with no rating system.


Performed by: Konata Izumi, Minami Iwasaki, Yutaka Kobayakawa, Uncle Monte Cristo (kao!)


Washboard  inside the small chest
Washboard  love is nurtured
Washboard  runs marathons fast too
Washboard  T-shirts don't lose their shape either (referring to the print on the T-shirt)
Washboard  crawls fast too
Washboard  looks slimmer too
Washboard  perverts don't cling on so easily
Washboard  even when older, it doesn't show
Washboard  very strong washboard  I give you my love
Washboard  even lying face-up it isn't uncomfortable
Washboard  no pressure on the shoulders
Washboard  no fear of exposure even without a bra
Washboard  no fear of getting caught on the schoolbag strap
Washboard  bath water doesn't overflow the tub
Washboard  doesn't sweat so easily


Washboard  inside this small chest
Washboard  dreams are nurtured


P.S. [repost] Don't hand scumbags a "nice guy card"; just tell him: "Big brother, you're a scumbag."


Blogged with Flock

Wednesday, January 9, 2008

test from ecto

Even though I can't view it, I wonder whether it can be posted.



Saturday, December 22, 2007

I like Rika, I like C.C.

Both are mysterious women, both have tragic fates, yet both live on strongly and fight on without yielding. Of course, both also have their incredibly cute moments and incredibly alluring sides.

It seems the women I like are just like this~

Hehe~ Over the weekend I finished all of Higurashi Kai in one go; it was great, and I'm very happy. Next I have to buckle down and review for exams!

Tuesday, December 11, 2007

Spring, Summer, Autumn and Winter finally all together

Minami-ke, as fun as ever~~~

Touma Minami appears and is forcibly taken on by Chiaki as her little brother (even though she's a girl, and older than Chiaki...). Spring, Summer, Autumn and Winter are finally all together~

And warm congratulations to Touma on being taken on as Lady Chiaki's little brother!

Poor Mako~~~ hiahia

Saturday, December 1, 2007

CLANNAD-Ana

Lyrics: 萩原ゆう; Music: traditional; Arrangement: 戸越まごめ; Vocal: Lia


The place changes and goes. Like a wind,like clouds.

Like the traces of the heart, no halt at the places.



The place is so far away. be far apart.

people's hand does not reach,so merely has (the) worship



The place is a lofty lord.can't meet nobody put on.

We will lose the place.so lofty which changes.



Not all were desired.However,we're never sad.

still, there is still the place.far away. far away



(The wind) blows through the place. an endless,with all.

Like the ripple float on the water. It blows as it goes.



The place is No make at all.Nothing is shown.

Like the sand clasped by hand,It falls vainly.



The place is (a) profound lord,and wear the vain faint light.

But we will find it in the place.The hut at which it stands still.



if not concerned with all,It will maintain that No dye.

therefore there is still the hut. It's lonely, solitary.



no halt at the wind.it soars to the sky.

Like the verdure (which) meets with sunrise,It grows up as reborn.



The hut has held new one.that's different from all.

like the sand castle of the children,but realized with the mind.



The person is a vain statue.wear taciturnity calm.

still,We will konw a huge flow.It is stopped by nobody.



soon,the wind wears the snow cloud.will be dyed to snow-white.

Summer grass will incline.No sunlight,feebly shade.



The place buried in deep snow.like the collapsing castle.

like the head of the shade,figure will be thrown away.



The hut buried in deep.It sinks in to the flood.

and The "not dyeing" is dyed out,and waits for a oppose one.



Even if all are healed, be gonna no return.

there is still the place.far away .far away.



The place changes and goes. Like a wind, like clouds.

Like the traces of the heart, no halt at the places.



The place is a lofty lord. can't meet nobody put on.

still,there is still the place.far away .far away.


Friday, November 23, 2007

The Goddess's Smile


What more is there to say?! Though back in middle school I clearly preferred Asuka, hehe~