URL https://opencores.org/ocsvn/ao486/ao486/trunk

Subversion Repositories ao486

[/] [ao486/] [trunk/] [ao486_tool/] [src/] [ao486/] [test/] [branch/] [TestCALL_call_gate_more.java] - Blame information for rev 2

Details | Compare with Previous | View Log


/*
 * Copyright (c) 2014, Aleksander Osman
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * * Redistributions of source code must retain the above copyright notice, this
 *   list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
package ao486.test.branch;
 
import ao486.test.TestUnit;
import ao486.test.layers.DescriptorTableLayer;
import ao486.test.layers.EffectiveAddressLayerFactory;
import ao486.test.layers.FlagsLayer;
import ao486.test.layers.GeneralRegisterLayer;
import ao486.test.layers.HandleModeChangeLayer;
import ao486.test.layers.IOLayer;
import ao486.test.layers.InstructionLayer;
import ao486.test.layers.Layer;
import ao486.test.layers.MemoryLayer;
import ao486.test.layers.MemoryPatchLayer;
import ao486.test.layers.OtherLayer;
import ao486.test.layers.Pair;
import ao486.test.layers.SegmentLayer;
import ao486.test.layers.StackLayer;
import ao486.test.layers.TSSCurrentLayer;
import java.io.*;
import java.util.LinkedList;
import java.util.Random;
 
 
public class TestCALL_call_gate_more extends TestUnit implements Serializable {
    public static void main(String args[]) throws Exception {
        run_test(TestCALL_call_gate_more.class);
    }
 
    //--------------------------------------------------------------------------
    @Override
    public int get_test_count() throws Exception {
        return 100;
    }
 
    @Override
    public void init() throws Exception {
 
        random = new Random(12+index);
 
        String instruction;
        while(true) {
            layers.clear();
 
            LinkedList<Pair<Long, Long>> prohibited_list = new LinkedList<>();
 
            InstructionLayer instr = new InstructionLayer(random, prohibited_list);
            layers.add(instr);
            StackLayer stack = new StackLayer(random, prohibited_list);
            layers.add(stack);
            layers.add(new OtherLayer(OtherLayer.Type.PROTECTED_OR_V8086, random));
            layers.add(new FlagsLayer(FlagsLayer.Type.NOT_V8086, random));
            layers.add(new GeneralRegisterLayer(random));
            layers.add(new SegmentLayer(random));
            layers.add(new MemoryLayer(random));
            layers.add(new IOLayer(random));
 
            layers.addFirst(new HandleModeChangeLayer(
                    getInput("cr0_pe"),
                    getInput("vmflag"),
                    getInput("cs_rpl"),
                    getInput("cs_p"),
                    getInput("cs_s"),
                    getInput("cs_type")
            ));
 
            // instruction size
            boolean cs_d_b = getInput("cs_d_b") == 1;
 
            boolean a32 = random.nextBoolean();
            boolean o32 = random.nextBoolean();
 
            /* 0 - call gate valid check
             * 1 - cs valid check
             *
             * 2 - tss length
             * 3 - ss selector null
             * 4 - ss selector out of bounds
             * 5 - ss descriptor check
             * 6 - stack limit
             * 7 - eip out of bounds
             *
             * 8 - all ok
             */
 
            int type = random.nextInt(8+1);
            System.out.println("Preparing test with type: " + type);
 
            DescriptorTableLayer tables = new DescriptorTableLayer(random, prohibited_list, true);
 
            //------------------------------------------------------------------
            //------------------------------------------------------------------
 
            // prepare cs descriptor
            boolean is_cs_ldt = random.nextBoolean();
 
            boolean conds[] = new boolean[3];
            int cond = 1 << random.nextInt(conds.length);
            if(type >= 2) cond = 0;
 
            int     new_cs_rpl  = 0;
            boolean new_cs_seg  = false;
            int     new_cs_type = 0;
            int     new_cs_dpl  = 0;
            boolean new_cs_p    = false;
            int     old_cs_rpl  = 0;
 
            do {
                do {
                    new_cs_seg  = random.nextBoolean();
                    new_cs_type = random.nextInt(16);
                    new_cs_p    = random.nextBoolean();
 
                    new_cs_rpl  = random.nextInt(4);
                    new_cs_dpl  = random.nextInt(4);
 
                    old_cs_rpl  = random.nextInt(4);
                }
                while( (((new_cs_type >> 2) & 1) == 0 && new_cs_dpl < old_cs_rpl) == false ); //non-conforming
 
                conds[0] = new_cs_seg == false;
                conds[1] = ((new_cs_type >> 3) & 1) == 0;
                conds[2] = new_cs_p == false;
                //conds[3] = new_cs_dpl > old_cs_rpl; //not possible
            }
            while(!isAccepted(cond, conds[0],conds[1],conds[2]));
 
System.out.printf("cond cs: %d\n", cond);
 
            long new_cs_base, new_cs_limit;
            boolean new_cs_g;
            while(true) {
                new_cs_base = Layer.norm(random.nextInt());
                new_cs_g    = random.nextBoolean();
 
                new_cs_limit = random.nextInt(new_cs_g? 0xF : 0xFFFF);
                if(new_cs_g) new_cs_limit = (new_cs_limit << 12) | 0xFFF;
 
                if( new_cs_base + new_cs_limit < 4294967296L &&
                    Layer.collides(prohibited_list, (int)new_cs_base, (int)(new_cs_base + new_cs_limit)) == false
                ) break;
            }
 
            boolean new_cs_d_b = random.nextBoolean();
            boolean new_cs_l   = random.nextBoolean();
            boolean new_cs_avl = random.nextBoolean();
            long new_cs_limit_final = new_cs_g? new_cs_limit >> 12 : new_cs_limit;
            Descriptor cs_desc = new Descriptor((int)new_cs_base, (int)new_cs_limit_final, new_cs_type, new_cs_seg, new_cs_p, new_cs_dpl, new_cs_d_b, new_cs_g, new_cs_l, new_cs_avl);
 
System.out.printf("cs_desc: ");
for(int i=0; i<8; i++) System.out.printf("%02x ", cs_desc.get_byte(i));
System.out.printf("\n");
 
            //-------
 
            int index = -1;
            if(type == 1 && random.nextInt(5) == 0) {
                index = random.nextInt(4);
            }
            else if(type == 1 && random.nextInt(5) == 0) {
                index = tables.getOutOfBoundsIndex(is_cs_ldt);
                if(index == -1) continue;
 
                index <<= 3;
                if(is_cs_ldt) index |= 4;
                index |= new_cs_rpl;
            }
            else {
                index = tables.addDescriptor(is_cs_ldt, cs_desc);
                if(index == -1) continue;
 
                index <<= 3;
                if(is_cs_ldt) index |= 4;
                index |= new_cs_rpl;
            }
            int cs_selector = index;
 
            //--------------------------------------------------------------
            // prepare ss descriptor
 
            boolean is_ss_ldt = random.nextBoolean();
 
            conds = new boolean[5];
            cond = 1 << random.nextInt(conds.length);
            if(type >= 6) cond = 0;
 
            int     new_ss_rpl  = 0;
            boolean new_ss_seg  = false;
            int     new_ss_type = 0;
            int     new_ss_dpl  = 0;
            boolean new_ss_p    = false;
 
            do {
                new_ss_seg  = random.nextBoolean();
                new_ss_type = random.nextInt(16);
 
                new_ss_rpl  = random.nextInt(4);
                new_ss_dpl  = random.nextInt(4);
                new_ss_p    = random.nextBoolean();
                is_ss_ldt   = random.nextBoolean();
 
                if(type >= 7) new_ss_type &= 0xB; // not expand-down
 
                conds[0] = new_ss_rpl != new_cs_dpl;
                conds[1] = new_ss_dpl != new_cs_dpl;
                conds[2] = new_ss_seg == false;
                conds[3] = ((new_ss_type >> 3)&1) == 1 || (((new_ss_type >> 3)&1) == 0 && ((new_ss_type >> 1)&1) == 0); // code or (data && ro)
                conds[4] = new_ss_p == false;
            }
            while(!isAccepted(cond, conds[0],conds[1],conds[2],conds[3],conds[4]));
 
            long new_ss_base, new_ss_limit;
            boolean new_ss_g;
            while(true) {
                new_ss_base = Layer.norm(random.nextInt());
                new_ss_g    = random.nextBoolean();
 
                new_ss_limit = random.nextInt(new_ss_g? 0xF : 0xFFFF);
                if(new_ss_g) new_cs_limit = (new_ss_limit << 12) | 0xFFF;
 
                if( new_ss_base + new_ss_limit < 4294967296L &&
                    Layer.collides(prohibited_list, (int)new_ss_base, (int)(new_ss_base + new_ss_limit)) == false
                ) break;
            }
            boolean new_ss_d_b = random.nextBoolean();
            boolean new_ss_l   = random.nextBoolean();
            boolean new_ss_avl = random.nextBoolean();
            long new_ss_limit_final = new_ss_g? new_ss_limit >> 12 : new_ss_limit;
            Descriptor ss_desc = new Descriptor((int)new_ss_base, (int)new_ss_limit_final, new_ss_type, new_ss_seg, new_ss_p, new_ss_dpl, new_ss_d_b, new_ss_g, new_ss_l, new_ss_avl);
 
System.out.printf("cond ss: %d\n", cond);
 
System.out.printf("ss_desc: ");
for(int i=0; i<8; i++) System.out.printf("%02x ", ss_desc.get_byte(i));
System.out.printf("\n");
 
            //---------------
            index = -1;
            if(type == 3) {
                index = random.nextInt(4);
            }
            else if(type == 4) {
                index = tables.getOutOfBoundsIndex(is_ss_ldt);
                if(index == -1) continue;
 
                index <<= 3;
                if(is_ss_ldt) index |= 4;
                index |= new_ss_rpl;
            }
            else {
                index = tables.addDescriptor(is_ss_ldt, ss_desc);
                if(index == -1) continue;
 
                index <<= 3;
                if(is_ss_ldt) index |= 4;
                index |= new_ss_rpl;
            }
            int ss_selector = index;
 
            //--------------------------------------------------------------
            // TSS segment contents
 
            int tss_type_val = random.nextInt(4);
            TSSCurrentLayer.Type tss_type =
                    (tss_type_val == 0)? TSSCurrentLayer.Type.ACTIVE_286 :
                    (tss_type_val == 1)? TSSCurrentLayer.Type.ACTIVE_386 :
                    (tss_type_val == 2)? TSSCurrentLayer.Type.BUSY_286 :
                                         TSSCurrentLayer.Type.BUSY_386;
 
            int tss_max_offset = (tss_type == TSSCurrentLayer.Type.ACTIVE_286 || tss_type == TSSCurrentLayer.Type.BUSY_286)? 2 + new_cs_dpl*4 + 4 : 4 + new_cs_dpl*8 + 8;
 
            int tss_limit = (type == 2)? random.nextInt(tss_max_offset-1) : tss_max_offset + random.nextInt(5);
 
            //Random random, TSSCurrentLayer.Type type, int limit, int selector, LinkedList<Pair<Long, Long>> prohibited_list
            TSSCurrentLayer current_tss = new TSSCurrentLayer(random, tss_type, tss_limit, random.nextInt(65536), prohibited_list);
 
            long new_esp =
                    (type == 6)? new_ss_limit + 1 + random.nextInt(5) : random.nextInt((new_ss_limit == 0)? 1 : (int)new_ss_limit);
 
            current_tss.add_ss_esp(new_cs_dpl, new_esp, ss_selector);
 
            layers.addFirst(current_tss);
 
            //--------------------------------------------------------------
            // prepare call gate descriptor
 
            boolean is_cg_ldt = random.nextBoolean();
 
            conds = new boolean[2];
            cond = 1 << random.nextInt(conds.length);
            if(type >= 1) cond = 0;
 
            int     new_cg_rpl  = 0;
            boolean new_cg_seg  = false;
            int     new_cg_type = 0;
            int     new_cg_dpl  = 0;
            boolean new_cg_p    = false;
 
            do {
                new_cg_seg  = false;
                new_cg_type = random.nextBoolean()? 0x4 : 0xc; //CALL_GATE 286,386
 
                new_cg_rpl  = random.nextInt(4);
                new_cg_dpl  = random.nextInt(4);
                new_cg_p    = random.nextBoolean();
                is_cg_ldt   = random.nextBoolean();
 
                if((cond & 1) == 1 && old_cs_rpl == 0) {
                    cond &= 0xFE;
                    cond |= 2;
                }
 
                conds[0] = new_cg_dpl < old_cs_rpl || new_cg_dpl < new_cg_rpl;
                conds[1] = new_cg_p == false;
            }
            while(!isAccepted(cond, conds[0],conds[1]));
 
            long new_cg_base  = (random.nextInt(32) << 16) | cs_selector;
            long new_cg_limit = Layer.norm(random.nextInt(0xFFFFF+1));
            boolean new_cg_g  = random.nextBoolean();
 
            boolean new_cg_d_b = random.nextBoolean();
            boolean new_cg_l   = random.nextBoolean();
            boolean new_cg_avl = random.nextBoolean();
            long new_cg_limit_final = new_cg_g? new_cg_limit >> 12 : new_cg_limit;
            Descriptor cg_desc = new Descriptor((int)new_cg_base, (int)new_cg_limit_final, new_cg_type, new_cg_seg, new_cg_p, new_cg_dpl, new_cg_d_b, new_cg_g, new_cg_l, new_cg_avl);
 
//------------
            final int old_cs_rpl_final = old_cs_rpl;
            Layer cs_rpl_layer = new Layer() {
                long cs_rpl() { return old_cs_rpl_final; }
            };
            layers.addFirst(cs_rpl_layer);
 
            // eip limit
            long eip = 0;
            if(type == 7) {
                while(true) {
                    eip = new_cs_limit + 1 + random.nextInt(10);
 
                    if(new_cg_type == 0x4) eip &= 0xFFFF;
 
                    if(eip > new_cs_limit) break;
                }
                if(new_cg_type == 0x4) eip |= (random.nextInt() & 0xFFFF0000);
            }
            else {
                while(true) {
                    eip = Layer.norm(random.nextInt((int)new_cs_limit+1));
 
                    if(new_cg_type == 0x4) eip &= 0xFFFF;
 
                    if(eip <= new_cs_limit) break;
                }
                long dest = new_cs_base + eip;
                // adding always possible
                MemoryPatchLayer patch = new MemoryPatchLayer(random, prohibited_list, (int)dest, 0x0F,0x0F);
                layers.addFirst(patch);
 
                if(new_cg_type == 0x4) eip |= (random.nextInt() & 0xFFFF0000);
            }
            cg_desc.set_dest_offset(eip);
 
System.out.printf("cg_desc: ");
for(int i=0; i<8; i++) System.out.printf("%02x ", cg_desc.get_byte(i));
System.out.printf("\n");
 
            //----------
            index = tables.addDescriptor(is_cg_ldt, cg_desc);
            if(index == -1) continue;
 
            index = index << 3;
            if(is_cg_ldt) index |= 4;
            index |= new_cg_rpl;
 
System.out.printf("cond cg: %d\n", cond);
 
            layers.addFirst(tables);
 
            //------------------------------------------------------------------
            //------------------------------------------------------------------
 
            long new_eip = 0;
            long new_cs  = index;
 
            // instruction
            byte extra_bytes[] = null;
 
            boolean is_Ep = random.nextBoolean();
 
            if(is_Ep) {
                byte modregrm_bytes[] = EffectiveAddressLayerFactory.prepare(
                        o32? (((new_cs & 0xFFFF) << 32) | (new_eip & 0xFFFFFFFFL)) : (((new_cs & 0xFFFF) << 16) | (new_eip & 0xFFFF)),
                        3, EffectiveAddressLayerFactory.modregrm_reg_t.SET,
                        o32? 6 : 4, a32,
                        layers, random, this, true, false);
//System.out.printf("extra_bytes length: %d, [0] = %x\n", modregrm_bytes.length, modregrm_bytes[0]);
                extra_bytes = modregrm_bytes;
            }
            else {
                long immediate = o32? (((new_cs & 0xFFFF) << 32) | (new_eip & 0xFFFFFFFFL)) : (((new_cs & 0xFFFF) << 16) | (new_eip & 0xFFFF));
 
                byte imm_bytes[] = new byte[o32? 6 : 4];
                for(int i=0; i<imm_bytes.length; i++) {
                    imm_bytes[i] = (byte)(immediate & 0xFF);
                    immediate >>= 8;
                }
                extra_bytes = imm_bytes;
            }
 
            instruction = prepare_instr(cs_d_b, a32, o32, extra_bytes, is_Ep);
            instr.add_instruction(instruction);
 
            // end condition
            break;
        }
 
        System.out.println("Instruction: [" + instruction + "]");
    }
 
    String prepare_instr(boolean cs_d_b, boolean a32, boolean o32, byte extra_bytes[], boolean is_Ep) throws Exception {
        int opcodes[] = {
            0xFF, 0x9A
        };
 
        String prefix = "";
        if(cs_d_b != o32) { prefix = "66" + prefix; }
        if(cs_d_b != a32) { prefix = "67" + prefix; }
 
        int opcode = opcodes[is_Ep? 0 : 1];
 
        byte instr[] = new byte[1 + extra_bytes.length];
        instr[0] = (byte)opcode;
        System.arraycopy(extra_bytes, 0, instr, 1, extra_bytes.length);
 
        return prefix + bytesToHex(instr);
    }
 
}

Browse

Tools

Subversion Repositories ao486

[/] [ao486/] [trunk/] [ao486_tool/] [src/] [ao486/] [test/] [branch/] [TestCALL_call_gate_more.java] - Blame information for rev 2

Line No.	Rev	Author	Line
1	2	alfik	`/*`
2			`* Copyright (c) 2014, Aleksander Osman`
3			`* All rights reserved.`
4			`*`
5			`* Redistribution and use in source and binary forms, with or without`
6			`* modification, are permitted provided that the following conditions are met:`
7			`*`
8			`* * Redistributions of source code must retain the above copyright notice, this`
9			`* list of conditions and the following disclaimer.`
10			`*`
11			`* * Redistributions in binary form must reproduce the above copyright notice,`
12			`* this list of conditions and the following disclaimer in the documentation`
13			`* and/or other materials provided with the distribution.`
14			`*`
15			`* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"`
16			`* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
17			`* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE`
18			`* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE`
19			`* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
20			`* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR`
21			`* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER`
22			`* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,`
23			`* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE`
24			`* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`
25			`*/`
26
27			`package ao486.test.branch;`
28
29			`import ao486.test.TestUnit;`
30			`import ao486.test.layers.DescriptorTableLayer;`
31			`import ao486.test.layers.EffectiveAddressLayerFactory;`
32			`import ao486.test.layers.FlagsLayer;`
33			`import ao486.test.layers.GeneralRegisterLayer;`
34			`import ao486.test.layers.HandleModeChangeLayer;`
35			`import ao486.test.layers.IOLayer;`
36			`import ao486.test.layers.InstructionLayer;`
37			`import ao486.test.layers.Layer;`
38			`import ao486.test.layers.MemoryLayer;`
39			`import ao486.test.layers.MemoryPatchLayer;`
40			`import ao486.test.layers.OtherLayer;`
41			`import ao486.test.layers.Pair;`
42			`import ao486.test.layers.SegmentLayer;`
43			`import ao486.test.layers.StackLayer;`
44			`import ao486.test.layers.TSSCurrentLayer;`
45			`import java.io.*;`
46			`import java.util.LinkedList;`
47			`import java.util.Random;`
48
49
50			`public class TestCALL_call_gate_more extends TestUnit implements Serializable {`
51			`public static void main(String args[]) throws Exception {`
52			`run_test(TestCALL_call_gate_more.class);`
53			`}`
54
55			`//--------------------------------------------------------------------------`
56			`@Override`
57			`public int get_test_count() throws Exception {`
58			`return 100;`
59			`}`
60
61			`@Override`
62			`public void init() throws Exception {`
63
64			`random = new Random(12+index);`
65
66			`String instruction;`
67			`while(true) {`
68			`layers.clear();`
69
70			`LinkedList<Pair<Long, Long>> prohibited_list = new LinkedList<>();`
71
72			`InstructionLayer instr = new InstructionLayer(random, prohibited_list);`
73			`layers.add(instr);`
74			`StackLayer stack = new StackLayer(random, prohibited_list);`
75			`layers.add(stack);`
76			`layers.add(new OtherLayer(OtherLayer.Type.PROTECTED_OR_V8086, random));`
77			`layers.add(new FlagsLayer(FlagsLayer.Type.NOT_V8086, random));`
78			`layers.add(new GeneralRegisterLayer(random));`
79			`layers.add(new SegmentLayer(random));`
80			`layers.add(new MemoryLayer(random));`
81			`layers.add(new IOLayer(random));`
82
83			`layers.addFirst(new HandleModeChangeLayer(`
84			`getInput("cr0_pe"),`
85			`getInput("vmflag"),`
86			`getInput("cs_rpl"),`
87			`getInput("cs_p"),`
88			`getInput("cs_s"),`
89			`getInput("cs_type")`
90			`));`
91
92			`// instruction size`
93			`boolean cs_d_b = getInput("cs_d_b") == 1;`
94
95			`boolean a32 = random.nextBoolean();`
96			`boolean o32 = random.nextBoolean();`
97
98			`/* 0 - call gate valid check`
99			`* 1 - cs valid check`
100			`*`
101			`* 2 - tss length`
102			`* 3 - ss selector null`
103			`* 4 - ss selector out of bounds`
104			`* 5 - ss descriptor check`
105			`* 6 - stack limit`
106			`* 7 - eip out of bounds`
107			`*`
108			`* 8 - all ok`
109			`*/`
110
111			`int type = random.nextInt(8+1);`
112			`System.out.println("Preparing test with type: " + type);`
113
114			`DescriptorTableLayer tables = new DescriptorTableLayer(random, prohibited_list, true);`
115
116			`//------------------------------------------------------------------`
117			`//------------------------------------------------------------------`
118
119			`// prepare cs descriptor`
120			`boolean is_cs_ldt = random.nextBoolean();`
121
122			`boolean conds[] = new boolean[3];`
123			`int cond = 1 << random.nextInt(conds.length);`
124			`if(type >= 2) cond = 0;`
125
126			`int new_cs_rpl = 0;`
127			`boolean new_cs_seg = false;`
128			`int new_cs_type = 0;`
129			`int new_cs_dpl = 0;`
130			`boolean new_cs_p = false;`
131			`int old_cs_rpl = 0;`
132
133			`do {`
134			`do {`
135			`new_cs_seg = random.nextBoolean();`
136			`new_cs_type = random.nextInt(16);`
137			`new_cs_p = random.nextBoolean();`
138
139			`new_cs_rpl = random.nextInt(4);`
140			`new_cs_dpl = random.nextInt(4);`
141
142			`old_cs_rpl = random.nextInt(4);`
143			`}`
144			`while( (((new_cs_type >> 2) & 1) == 0 && new_cs_dpl < old_cs_rpl) == false ); //non-conforming`
145
146			`conds[0] = new_cs_seg == false;`
147			`conds[1] = ((new_cs_type >> 3) & 1) == 0;`
148			`conds[2] = new_cs_p == false;`
149			`//conds[3] = new_cs_dpl > old_cs_rpl; //not possible`
150			`}`
151			`while(!isAccepted(cond, conds[0],conds[1],conds[2]));`
152
153			`System.out.printf("cond cs: %d\n", cond);`
154
155			`long new_cs_base, new_cs_limit;`
156			`boolean new_cs_g;`
157			`while(true) {`
158			`new_cs_base = Layer.norm(random.nextInt());`
159			`new_cs_g = random.nextBoolean();`
160
161			`new_cs_limit = random.nextInt(new_cs_g? 0xF : 0xFFFF);`
162			`if(new_cs_g) new_cs_limit = (new_cs_limit << 12) \| 0xFFF;`
163
164			`if( new_cs_base + new_cs_limit < 4294967296L &&`
165			`Layer.collides(prohibited_list, (int)new_cs_base, (int)(new_cs_base + new_cs_limit)) == false`
166			`) break;`
167			`}`
168
169			`boolean new_cs_d_b = random.nextBoolean();`
170			`boolean new_cs_l = random.nextBoolean();`
171			`boolean new_cs_avl = random.nextBoolean();`
172			`long new_cs_limit_final = new_cs_g? new_cs_limit >> 12 : new_cs_limit;`
173			`Descriptor cs_desc = new Descriptor((int)new_cs_base, (int)new_cs_limit_final, new_cs_type, new_cs_seg, new_cs_p, new_cs_dpl, new_cs_d_b, new_cs_g, new_cs_l, new_cs_avl);`
174
175			`System.out.printf("cs_desc: ");`
176			`for(int i=0; i<8; i++) System.out.printf("%02x ", cs_desc.get_byte(i));`
177			`System.out.printf("\n");`
178
179			`//-------`
180
181			`int index = -1;`
182			`if(type == 1 && random.nextInt(5) == 0) {`
183			`index = random.nextInt(4);`
184			`}`
185			`else if(type == 1 && random.nextInt(5) == 0) {`
186			`index = tables.getOutOfBoundsIndex(is_cs_ldt);`
187			`if(index == -1) continue;`
188
189			`index <<= 3;`
190			`if(is_cs_ldt) index \|= 4;`
191			`index \|= new_cs_rpl;`
192			`}`
193			`else {`
194			`index = tables.addDescriptor(is_cs_ldt, cs_desc);`
195			`if(index == -1) continue;`
196
197			`index <<= 3;`
198			`if(is_cs_ldt) index \|= 4;`
199			`index \|= new_cs_rpl;`
200			`}`
201			`int cs_selector = index;`
202
203			`//--------------------------------------------------------------`
204			`// prepare ss descriptor`
205
206			`boolean is_ss_ldt = random.nextBoolean();`
207
208			`conds = new boolean[5];`
209			`cond = 1 << random.nextInt(conds.length);`
210			`if(type >= 6) cond = 0;`
211
212			`int new_ss_rpl = 0;`
213			`boolean new_ss_seg = false;`
214			`int new_ss_type = 0;`
215			`int new_ss_dpl = 0;`
216			`boolean new_ss_p = false;`
217
218			`do {`
219			`new_ss_seg = random.nextBoolean();`
220			`new_ss_type = random.nextInt(16);`
221
222			`new_ss_rpl = random.nextInt(4);`
223			`new_ss_dpl = random.nextInt(4);`
224			`new_ss_p = random.nextBoolean();`
225			`is_ss_ldt = random.nextBoolean();`
226
227			`if(type >= 7) new_ss_type &= 0xB; // not expand-down`
228
229			`conds[0] = new_ss_rpl != new_cs_dpl;`
230			`conds[1] = new_ss_dpl != new_cs_dpl;`
231			`conds[2] = new_ss_seg == false;`
232			`conds[3] = ((new_ss_type >> 3)&1) == 1 \|\| (((new_ss_type >> 3)&1) == 0 && ((new_ss_type >> 1)&1) == 0); // code or (data && ro)`
233			`conds[4] = new_ss_p == false;`
234			`}`
235			`while(!isAccepted(cond, conds[0],conds[1],conds[2],conds[3],conds[4]));`
236
237			`long new_ss_base, new_ss_limit;`
238			`boolean new_ss_g;`
239			`while(true) {`
240			`new_ss_base = Layer.norm(random.nextInt());`
241			`new_ss_g = random.nextBoolean();`
242
243			`new_ss_limit = random.nextInt(new_ss_g? 0xF : 0xFFFF);`
244			`if(new_ss_g) new_cs_limit = (new_ss_limit << 12) \| 0xFFF;`
245
246			`if( new_ss_base + new_ss_limit < 4294967296L &&`
247			`Layer.collides(prohibited_list, (int)new_ss_base, (int)(new_ss_base + new_ss_limit)) == false`
248			`) break;`
249			`}`
250			`boolean new_ss_d_b = random.nextBoolean();`
251			`boolean new_ss_l = random.nextBoolean();`
252			`boolean new_ss_avl = random.nextBoolean();`
253			`long new_ss_limit_final = new_ss_g? new_ss_limit >> 12 : new_ss_limit;`
254			`Descriptor ss_desc = new Descriptor((int)new_ss_base, (int)new_ss_limit_final, new_ss_type, new_ss_seg, new_ss_p, new_ss_dpl, new_ss_d_b, new_ss_g, new_ss_l, new_ss_avl);`
255
256			`System.out.printf("cond ss: %d\n", cond);`
257
258			`System.out.printf("ss_desc: ");`
259			`for(int i=0; i<8; i++) System.out.printf("%02x ", ss_desc.get_byte(i));`
260			`System.out.printf("\n");`
261
262			`//---------------`
263			`index = -1;`
264			`if(type == 3) {`
265			`index = random.nextInt(4);`
266			`}`
267			`else if(type == 4) {`
268			`index = tables.getOutOfBoundsIndex(is_ss_ldt);`
269			`if(index == -1) continue;`
270
271			`index <<= 3;`
272			`if(is_ss_ldt) index \|= 4;`
273			`index \|= new_ss_rpl;`
274			`}`
275			`else {`
276			`index = tables.addDescriptor(is_ss_ldt, ss_desc);`
277			`if(index == -1) continue;`
278
279			`index <<= 3;`
280			`if(is_ss_ldt) index \|= 4;`
281			`index \|= new_ss_rpl;`
282			`}`
283			`int ss_selector = index;`
284
285			`//--------------------------------------------------------------`
286			`// TSS segment contents`
287
288			`int tss_type_val = random.nextInt(4);`
289			`TSSCurrentLayer.Type tss_type =`
290			`(tss_type_val == 0)? TSSCurrentLayer.Type.ACTIVE_286 :`
291			`(tss_type_val == 1)? TSSCurrentLayer.Type.ACTIVE_386 :`
292			`(tss_type_val == 2)? TSSCurrentLayer.Type.BUSY_286 :`
293			`TSSCurrentLayer.Type.BUSY_386;`
294
295			`int tss_max_offset = (tss_type == TSSCurrentLayer.Type.ACTIVE_286 \|\| tss_type == TSSCurrentLayer.Type.BUSY_286)? 2 + new_cs_dpl4 + 4 : 4 + new_cs_dpl8 + 8;`
296
297			`int tss_limit = (type == 2)? random.nextInt(tss_max_offset-1) : tss_max_offset + random.nextInt(5);`
298
299			`//Random random, TSSCurrentLayer.Type type, int limit, int selector, LinkedList<Pair<Long, Long>> prohibited_list`
300			`TSSCurrentLayer current_tss = new TSSCurrentLayer(random, tss_type, tss_limit, random.nextInt(65536), prohibited_list);`
301
302			`long new_esp =`
303			`(type == 6)? new_ss_limit + 1 + random.nextInt(5) : random.nextInt((new_ss_limit == 0)? 1 : (int)new_ss_limit);`
304
305			`current_tss.add_ss_esp(new_cs_dpl, new_esp, ss_selector);`
306
307			`layers.addFirst(current_tss);`
308
309			`//--------------------------------------------------------------`
310			`// prepare call gate descriptor`
311
312			`boolean is_cg_ldt = random.nextBoolean();`
313
314			`conds = new boolean[2];`
315			`cond = 1 << random.nextInt(conds.length);`
316			`if(type >= 1) cond = 0;`
317
318			`int new_cg_rpl = 0;`
319			`boolean new_cg_seg = false;`
320			`int new_cg_type = 0;`
321			`int new_cg_dpl = 0;`
322			`boolean new_cg_p = false;`
323
324			`do {`
325			`new_cg_seg = false;`
326			`new_cg_type = random.nextBoolean()? 0x4 : 0xc; //CALL_GATE 286,386`
327
328			`new_cg_rpl = random.nextInt(4);`
329			`new_cg_dpl = random.nextInt(4);`
330			`new_cg_p = random.nextBoolean();`
331			`is_cg_ldt = random.nextBoolean();`
332
333			`if((cond & 1) == 1 && old_cs_rpl == 0) {`
334			`cond &= 0xFE;`
335			`cond \|= 2;`
336			`}`
337
338			`conds[0] = new_cg_dpl < old_cs_rpl \|\| new_cg_dpl < new_cg_rpl;`
339			`conds[1] = new_cg_p == false;`
340			`}`
341			`while(!isAccepted(cond, conds[0],conds[1]));`
342
343			`long new_cg_base = (random.nextInt(32) << 16) \| cs_selector;`
344			`long new_cg_limit = Layer.norm(random.nextInt(0xFFFFF+1));`
345			`boolean new_cg_g = random.nextBoolean();`
346
347			`boolean new_cg_d_b = random.nextBoolean();`
348			`boolean new_cg_l = random.nextBoolean();`
349			`boolean new_cg_avl = random.nextBoolean();`
350			`long new_cg_limit_final = new_cg_g? new_cg_limit >> 12 : new_cg_limit;`
351			`Descriptor cg_desc = new Descriptor((int)new_cg_base, (int)new_cg_limit_final, new_cg_type, new_cg_seg, new_cg_p, new_cg_dpl, new_cg_d_b, new_cg_g, new_cg_l, new_cg_avl);`
352
353			`//------------`
354			`final int old_cs_rpl_final = old_cs_rpl;`
355			`Layer cs_rpl_layer = new Layer() {`
356			`long cs_rpl() { return old_cs_rpl_final; }`
357			`};`
358			`layers.addFirst(cs_rpl_layer);`
359
360			`// eip limit`
361			`long eip = 0;`
362			`if(type == 7) {`
363			`while(true) {`
364			`eip = new_cs_limit + 1 + random.nextInt(10);`
365
366			`if(new_cg_type == 0x4) eip &= 0xFFFF;`
367
368			`if(eip > new_cs_limit) break;`
369			`}`
370			`if(new_cg_type == 0x4) eip \|= (random.nextInt() & 0xFFFF0000);`
371			`}`
372			`else {`
373			`while(true) {`
374			`eip = Layer.norm(random.nextInt((int)new_cs_limit+1));`
375
376			`if(new_cg_type == 0x4) eip &= 0xFFFF;`
377
378			`if(eip <= new_cs_limit) break;`
379			`}`
380			`long dest = new_cs_base + eip;`
381			`// adding always possible`
382			`MemoryPatchLayer patch = new MemoryPatchLayer(random, prohibited_list, (int)dest, 0x0F,0x0F);`
383			`layers.addFirst(patch);`
384
385			`if(new_cg_type == 0x4) eip \|= (random.nextInt() & 0xFFFF0000);`
386			`}`
387			`cg_desc.set_dest_offset(eip);`
388
389			`System.out.printf("cg_desc: ");`
390			`for(int i=0; i<8; i++) System.out.printf("%02x ", cg_desc.get_byte(i));`
391			`System.out.printf("\n");`
392
393			`//----------`
394			`index = tables.addDescriptor(is_cg_ldt, cg_desc);`
395			`if(index == -1) continue;`
396
397			`index = index << 3;`
398			`if(is_cg_ldt) index \|= 4;`
399			`index \|= new_cg_rpl;`
400
401			`System.out.printf("cond cg: %d\n", cond);`
402
403			`layers.addFirst(tables);`
404
405			`//------------------------------------------------------------------`
406			`//------------------------------------------------------------------`
407
408			`long new_eip = 0;`
409			`long new_cs = index;`
410
411			`// instruction`
412			`byte extra_bytes[] = null;`
413
414			`boolean is_Ep = random.nextBoolean();`
415
416			`if(is_Ep) {`
417			`byte modregrm_bytes[] = EffectiveAddressLayerFactory.prepare(`
418			`o32? (((new_cs & 0xFFFF) << 32) \| (new_eip & 0xFFFFFFFFL)) : (((new_cs & 0xFFFF) << 16) \| (new_eip & 0xFFFF)),`
419			`3, EffectiveAddressLayerFactory.modregrm_reg_t.SET,`
420			`o32? 6 : 4, a32,`
421			`layers, random, this, true, false);`
422			`//System.out.printf("extra_bytes length: %d, [0] = %x\n", modregrm_bytes.length, modregrm_bytes[0]);`
423			`extra_bytes = modregrm_bytes;`
424			`}`
425			`else {`
426			`long immediate = o32? (((new_cs & 0xFFFF) << 32) \| (new_eip & 0xFFFFFFFFL)) : (((new_cs & 0xFFFF) << 16) \| (new_eip & 0xFFFF));`
427
428			`byte imm_bytes[] = new byte[o32? 6 : 4];`
429			`for(int i=0; i<imm_bytes.length; i++) {`
430			`imm_bytes[i] = (byte)(immediate & 0xFF);`
431			`immediate >>= 8;`
432			`}`
433			`extra_bytes = imm_bytes;`
434			`}`
435
436			`instruction = prepare_instr(cs_d_b, a32, o32, extra_bytes, is_Ep);`
437			`instr.add_instruction(instruction);`
438
439			`// end condition`
440			`break;`
441			`}`
442
443			`System.out.println("Instruction: [" + instruction + "]");`
444			`}`
445
446			`String prepare_instr(boolean cs_d_b, boolean a32, boolean o32, byte extra_bytes[], boolean is_Ep) throws Exception {`
447			`int opcodes[] = {`
448			`0xFF, 0x9A`
449			`};`
450
451			`String prefix = "";`
452			`if(cs_d_b != o32) { prefix = "66" + prefix; }`
453			`if(cs_d_b != a32) { prefix = "67" + prefix; }`
454
455			`int opcode = opcodes[is_Ep? 0 : 1];`
456
457			`byte instr[] = new byte[1 + extra_bytes.length];`
458			`instr[0] = (byte)opcode;`
459			`System.arraycopy(extra_bytes, 0, instr, 1, extra_bytes.length);`
460
461			`return prefix + bytesToHex(instr);`
462			`}`
463
464			`}`