ud-emulator 0.1.5

Pure-Rust 32-bit x86 emulator + PE runtime loader + Win32 host shims. Mirrors oxideav-vfw; intended to grow into the dynamic-analysis backend that informs decompilation (indirect-target recovery, constant-data discovery).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361

//! SSE / SSE2 instruction executor.
//!
//! Routed from [`super::isa_int::Cpu::dispatch_0f`] for the
//! second-byte ranges that overlap the SSE encoding space:
//!
//! ```text
//!   0F 10..1F        MOVUPS / MOVSS / MOVLPS / MOVHLPS / …
//!   0F 28..2F        MOVAPS / CVT* / UCOMISS / COMISS
//!   0F 50..5F        MOVMSKPS + math (SQRT / RCP / RSQRT /
//!                                     AND / OR / XOR / ANDN /
//!                                     ADD / MUL / SUB / MIN /
//!                                     DIV / MAX / CMP / CVT)
//!   0F C2/C4..C6     CMPPS / PINSRW / PEXTRW / SHUFPS
//! ```
//!
//! The 0x66 / 0xF2 / 0xF3 mandatory prefixes select between
//! lane widths (PS / PD / SS / SD); we track those in
//! [`super::isa_int::Cpu`]'s prefix state ([`Cpu::op_size_16`]
//! for `0x66`, [`Cpu::rep_prefix`] for `0xF2` / `0xF3`).
//!
//! New opcodes are added trace-driven: when a real codec
//! traps with `UndefinedOpcode { opcode: 0xF?? }`, look up the
//! mnemonic in the Intel SDM and add a match arm here.
//!
//! Reference: Intel® 64 and IA-32 Architectures Software
//! Developer's Manual, Volume 2A/2B per-instruction pages.

use super::decode::{resolve_modrm32, Operand};
use super::isa_int::{Cpu, StepOk};
use super::mmu::Mmu;
use super::Trap;

/// Discriminator for the SSE mandatory prefix attached to the
/// current instruction.
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
enum SsePrefix {
    /// "No prefix" — packed-single semantics (PS).
    Np,
    /// `0x66` — packed-double semantics (PD).
    P66,
    /// `0xF3` — scalar-single semantics (SS).
    Pf3,
    /// `0xF2` — scalar-double semantics (SD).
    Pf2,
}

impl SsePrefix {
    fn current(cpu: &Cpu) -> Self {
        match (cpu.op_size_16(), cpu.rep_prefix_byte()) {
            (true, _) => SsePrefix::P66,
            (false, Some(0xF3)) => SsePrefix::Pf3,
            (false, Some(0xF2)) => SsePrefix::Pf2,
            _ => SsePrefix::Np,
        }
    }
}

/// Encode an SSE opcode for [`Trap::UndefinedOpcode`] reporting.
/// Includes the second byte and the mandatory prefix so the
/// trap log is unambiguous.
fn opcode_id(op2: u8, pfx: SsePrefix) -> u32 {
    let pfx_bits = match pfx {
        SsePrefix::Np => 0x0000,
        SsePrefix::P66 => 0x6600,
        SsePrefix::Pf3 => 0xF300,
        SsePrefix::Pf2 => 0xF200,
    };
    pfx_bits | 0x0F00 | u32::from(op2)
}

/// Dispatch a single SSE-encoded instruction. The `0x0F` byte
/// has already been consumed; `op2` is the second byte.
pub fn dispatch(cpu: &mut Cpu, mmu: &mut Mmu, op2: u8, entry_eip: u32) -> Result<StepOk, Trap> {
    cpu.sse_dispatch_count = cpu.sse_dispatch_count.wrapping_add(1);
    let pfx = SsePrefix::current(cpu);
    match (op2, pfx) {
        // 0F 12 /r — without prefix: MOVLPS / MOVHLPS.
        //   mod = 11 (register form): MOVHLPS xmm1, xmm2 — low 64
        //     of xmm1 := high 64 of xmm2.
        //   mod != 11 (memory form):   MOVLPS xmm, m64 — low 64
        //     of xmm := [mem]; high 64 unchanged.
        (0x12, SsePrefix::Np) => movlps_or_movhlps(cpu, mmu),
        // 0F 13 /r — MOVLPS m64, xmm (store low 64 to memory).
        // Reg form is reserved / not encoded.
        (0x13, SsePrefix::Np) => movlps_store(cpu, mmu),
        // 0F 17 /r — MOVHPS m64, xmm (store high 64 to memory).
        // Reg form reserved.
        (0x17, SsePrefix::Np) => movhps_store(cpu, mmu),
        // 0F 16 /r — without prefix: MOVHPS / MOVLHPS.
        //   mod = 11 (register form): MOVLHPS xmm1, xmm2 — high 64
        //     of xmm1 := low 64 of xmm2.
        //   mod != 11 (memory form):   MOVHPS xmm, m64 — high 64
        //     of xmm := [mem]; low 64 unchanged.
        (0x16, SsePrefix::Np) => movhps_or_movlhps(cpu, mmu),

        _ => Err(Trap::UndefinedOpcode {
            eip: entry_eip,
            opcode: opcode_id(op2, pfx),
        }),
    }
}

// ============================================================
// Per-instruction implementations
// ============================================================

/// `0F 12 /r` (no prefix). The `mod` field of the ModR/M byte
/// selects between MOVHLPS (register form) and MOVLPS (memory).
fn movlps_or_movhlps(cpu: &mut Cpu, mmu: &mut Mmu) -> Result<StepOk, Trap> {
    let mr = cpu.fetch_modrm(mmu)?;
    let dst_idx = (mr.reg & 0x7) as usize;
    let bytes = cpu.peek_after_modrm(mmu, 16)?;
    let (op, consumed) = resolve_modrm32(mr, &bytes, &cpu.regs)?;
    cpu.advance_eip(consumed as u32);
    let new_low: u64 = match op {
        Operand::Reg32(_) => {
            // MOVHLPS — `r/m` encodes xmm[r/m]; we use its
            // high 64 bits.
            let src = cpu.xmm[(mr.rm & 0x7) as usize];
            (src >> 64) as u64
        }
        Operand::Mem32(addr) => {
            // MOVLPS — load 8 bytes from memory.
            mmu.load64(cpu.seg_translate(addr))?
        }
    };
    let prev = cpu.xmm[dst_idx];
    let high = (prev >> 64) as u64;
    cpu.xmm[dst_idx] = pack_lh(new_low, high);
    Ok(StepOk::Continued)
}

/// `0F 13 /r` (no prefix) — `MOVLPS m64, xmm`. Stores the low
/// 64 bits of the xmm register to the memory operand. The
/// register form (`mod = 11`) is reserved — Intel SDM lists no
/// encoding — so we trap it as a sub-opcode.
fn movlps_store(cpu: &mut Cpu, mmu: &mut Mmu) -> Result<StepOk, Trap> {
    let mr = cpu.fetch_modrm(mmu)?;
    let bytes = cpu.peek_after_modrm(mmu, 16)?;
    let (op, consumed) = resolve_modrm32(mr, &bytes, &cpu.regs)?;
    cpu.advance_eip(consumed as u32);
    let addr = match op {
        Operand::Mem32(a) => cpu.seg_translate(a),
        Operand::Reg32(_) => {
            return Err(Trap::UndefinedOpcode {
                eip: cpu.regs.eip.wrapping_sub(consumed as u32 + 2),
                opcode: 0x0F13,
            });
        }
    };
    let low = cpu.xmm[(mr.reg & 0x7) as usize] as u64;
    mmu.write(addr, &low.to_le_bytes())?;
    Ok(StepOk::Continued)
}

/// `0F 17 /r` (no prefix) — `MOVHPS m64, xmm`. Symmetric of
/// [`movlps_store`] for the high 64 bits.
fn movhps_store(cpu: &mut Cpu, mmu: &mut Mmu) -> Result<StepOk, Trap> {
    let mr = cpu.fetch_modrm(mmu)?;
    let bytes = cpu.peek_after_modrm(mmu, 16)?;
    let (op, consumed) = resolve_modrm32(mr, &bytes, &cpu.regs)?;
    cpu.advance_eip(consumed as u32);
    let addr = match op {
        Operand::Mem32(a) => cpu.seg_translate(a),
        Operand::Reg32(_) => {
            return Err(Trap::UndefinedOpcode {
                eip: cpu.regs.eip.wrapping_sub(consumed as u32 + 2),
                opcode: 0x0F17,
            });
        }
    };
    let high = (cpu.xmm[(mr.reg & 0x7) as usize] >> 64) as u64;
    mmu.write(addr, &high.to_le_bytes())?;
    Ok(StepOk::Continued)
}

/// `0F 16 /r` (no prefix). Symmetric counterpart of
/// [`movlps_or_movhlps`] — the `mod` field selects MOVLHPS
/// (register) vs MOVHPS (memory), and both write the high 64
/// bits.
fn movhps_or_movlhps(cpu: &mut Cpu, mmu: &mut Mmu) -> Result<StepOk, Trap> {
    let mr = cpu.fetch_modrm(mmu)?;
    let dst_idx = (mr.reg & 0x7) as usize;
    let bytes = cpu.peek_after_modrm(mmu, 16)?;
    let (op, consumed) = resolve_modrm32(mr, &bytes, &cpu.regs)?;
    cpu.advance_eip(consumed as u32);
    let new_high: u64 = match op {
        Operand::Reg32(_) => {
            // MOVLHPS — `r/m` encodes xmm[r/m]; use its low 64.
            cpu.xmm[(mr.rm & 0x7) as usize] as u64
        }
        Operand::Mem32(addr) => mmu.load64(cpu.seg_translate(addr))?,
    };
    let prev = cpu.xmm[dst_idx];
    let low = prev as u64;
    cpu.xmm[dst_idx] = pack_lh(low, new_high);
    Ok(StepOk::Continued)
}

// ============================================================
// SSE2 integer space (`0x66 0F xx`) — the MMX-shaped opcode
// space repurposed for 128-bit XMM operations when the `0x66`
// mandatory prefix is present. Routed here from `isa_int`'s
// 0F-dispatcher so MMX-only instructions don't accidentally
// service their XMM counterparts.
// ============================================================

/// Dispatch a `0x66 0F xx` instruction whose `xx` lives in the
/// MMX opcode space (`60..6F | 70..7F | D0..FF`). Only the
/// opcodes corpus codecs actually use are wired up; everything
/// else traps with a structured opcode id so the next gap is
/// obvious at trap-time.
pub fn dispatch_xmm_int(
    cpu: &mut Cpu,
    mmu: &mut Mmu,
    op2: u8,
    entry_eip: u32,
) -> Result<StepOk, Trap> {
    cpu.sse_dispatch_count = cpu.sse_dispatch_count.wrapping_add(1);
    match op2 {
        // 0x66 0F 6F /r — MOVDQA xmm, xmm/m128.
        0x6F => movdqa_load_xmm(cpu, mmu),
        // 0x66 0F 7F /r — MOVDQA xmm/m128, xmm.
        0x7F => movdqa_store_xmm(cpu, mmu),
        // 0x66 0F EF /r — PXOR xmm, xmm/m128.
        0xEF => pxor_xmm(cpu, mmu),
        _ => Err(Trap::UndefinedOpcode {
            eip: entry_eip,
            // Distinguish the XMM (66-prefixed) form from the
            // MMX form sharing the same op2 byte by setting
            // a high bit. `0x0166_XX` reads as "0x66-prefixed
            // 0F XX".
            opcode: 0x0166_0000 | u32::from(op2),
        }),
    }
}

/// `0x66 0F 6F /r` — MOVDQA xmm1, xmm2/m128. Unaligned access
/// is treated as accepted here; real silicon faults on
/// misaligned operands but corpus codecs don't rely on that.
fn movdqa_load_xmm(cpu: &mut Cpu, mmu: &mut Mmu) -> Result<StepOk, Trap> {
    let mr = cpu.fetch_modrm(mmu)?;
    let bytes = cpu.peek_after_modrm(mmu, 16)?;
    let (op, consumed) = resolve_modrm32(mr, &bytes, &cpu.regs)?;
    cpu.advance_eip(consumed as u32);
    let dst_idx = (mr.reg & 0x7) as usize;
    let value: u128 = match op {
        Operand::Reg32(_) => cpu.xmm[(mr.rm & 0x7) as usize],
        Operand::Mem32(addr) => {
            let addr = cpu.seg_translate(addr);
            let low = mmu.load64(addr)?;
            let high = mmu.load64(addr.wrapping_add(8))?;
            pack_lh(low, high)
        }
    };
    cpu.xmm[dst_idx] = value;
    Ok(StepOk::Continued)
}

/// `0x66 0F 7F /r` — MOVDQA xmm2/m128, xmm1. The 16-byte store
/// MagicYUV uses to clear its stack-resident buffer descriptor.
fn movdqa_store_xmm(cpu: &mut Cpu, mmu: &mut Mmu) -> Result<StepOk, Trap> {
    let mr = cpu.fetch_modrm(mmu)?;
    let bytes = cpu.peek_after_modrm(mmu, 16)?;
    let (op, consumed) = resolve_modrm32(mr, &bytes, &cpu.regs)?;
    cpu.advance_eip(consumed as u32);
    let value = cpu.xmm[(mr.reg & 0x7) as usize];
    let low = value as u64;
    let high = (value >> 64) as u64;
    match op {
        Operand::Reg32(_) => cpu.xmm[(mr.rm & 0x7) as usize] = value,
        Operand::Mem32(addr) => {
            let addr = cpu.seg_translate(addr);
            mmu.write(addr, &low.to_le_bytes())?;
            mmu.write(addr.wrapping_add(8), &high.to_le_bytes())?;
        }
    }
    Ok(StepOk::Continued)
}

/// `0x66 0F EF /r` — PXOR xmm1, xmm2/m128.
fn pxor_xmm(cpu: &mut Cpu, mmu: &mut Mmu) -> Result<StepOk, Trap> {
    let mr = cpu.fetch_modrm(mmu)?;
    let bytes = cpu.peek_after_modrm(mmu, 16)?;
    let (op, consumed) = resolve_modrm32(mr, &bytes, &cpu.regs)?;
    cpu.advance_eip(consumed as u32);
    let dst_idx = (mr.reg & 0x7) as usize;
    let src: u128 = match op {
        Operand::Reg32(_) => cpu.xmm[(mr.rm & 0x7) as usize],
        Operand::Mem32(addr) => {
            let addr = cpu.seg_translate(addr);
            let low = mmu.load64(addr)?;
            let high = mmu.load64(addr.wrapping_add(8))?;
            pack_lh(low, high)
        }
    };
    cpu.xmm[dst_idx] ^= src;
    Ok(StepOk::Continued)
}

// ============================================================
// Helpers
// ============================================================

/// Pack two 64-bit halves into a 128-bit XMM value
/// (`low` at bits [63:0], `high` at bits [127:64]).
#[inline]
fn pack_lh(low: u64, high: u64) -> u128 {
    (u128::from(high) << 64) | u128::from(low)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::emulator::mmu::Perm;
    use crate::emulator::regs::Reg32;

    fn make_cpu() -> (Cpu, Mmu) {
        let mut mmu = Mmu::new();
        mmu.map(0x1000, 0x1000, Perm::R | Perm::W | Perm::X);
        let cpu = Cpu::new();
        (cpu, mmu)
    }

    /// `0F 12 C1` — MOVHLPS xmm0, xmm1: low 64 of xmm0 := high
    /// 64 of xmm1. High 64 of xmm0 is unchanged.
    #[test]
    fn movhlps_copies_high_half_into_low_half() {
        let (mut cpu, mut mmu) = make_cpu();
        cpu.regs.eip = 0x1000;
        cpu.xmm[0] = pack_lh(0xAAAA_AAAA_AAAA_AAAA, 0xDEAD_BEEF_DEAD_BEEF);
        cpu.xmm[1] = pack_lh(0x1111_1111_1111_1111, 0xCAFE_F00D_CAFE_F00D);
        // 0F 12 C1 = MOVHLPS xmm0, xmm1
        mmu.write_initializer(0x1000, &[0x0F, 0x12, 0xC1]).unwrap();
        let _ = cpu.step(&mut mmu).unwrap();
        assert_eq!(cpu.xmm[0] as u64, 0xCAFE_F00D_CAFE_F00D);
        assert_eq!((cpu.xmm[0] >> 64) as u64, 0xDEAD_BEEF_DEAD_BEEF);
        assert_eq!(cpu.sse_dispatch_count, 1);
    }

    /// `0F 12 06` — MOVLPS xmm0, [esi]: low 64 of xmm0 :=
    /// [esi]; high 64 of xmm0 unchanged.
    #[test]
    fn movlps_loads_low_half_from_memory() {
        let (mut cpu, mut mmu) = make_cpu();
        // Map a separate data page so the load doesn't read the
        // code stream.
        mmu.map(0x4000, 0x1000, Perm::R | Perm::W);
        let payload = 0x0123_4567_89AB_CDEF_u64;
        mmu.write_initializer(0x4000, &payload.to_le_bytes())
            .unwrap();
        cpu.regs.eip = 0x1000;
        cpu.regs.set32(Reg32::Esi, 0x4000);
        cpu.xmm[0] = pack_lh(0xAAAA_AAAA_AAAA_AAAA, 0xBBBB_BBBB_BBBB_BBBB);
        // 0F 12 06 = MOVLPS xmm0, [esi]
        mmu.write_initializer(0x1000, &[0x0F, 0x12, 0x06]).unwrap();
        let _ = cpu.step(&mut mmu).unwrap();
        assert_eq!(cpu.xmm[0] as u64, payload);
        assert_eq!((cpu.xmm[0] >> 64) as u64, 0xBBBB_BBBB_BBBB_BBBB);
    }
}