URL https://opencores.org/ocsvn/ao486/ao486/trunk

Subversion Repositories ao486

[/] [ao486/] [trunk/] [ao486_tool/] [src/] [ao486/] [test/] [branch/] [TestCALL_call_gate_same.java] - Blame information for rev 2

Details | Compare with Previous | View Log


/*
 * Copyright (c) 2014, Aleksander Osman
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * * Redistributions of source code must retain the above copyright notice, this
 *   list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
package ao486.test.branch;
 
import ao486.test.TestUnit;
import ao486.test.layers.DescriptorTableLayer;
import ao486.test.layers.EffectiveAddressLayerFactory;
import ao486.test.layers.FlagsLayer;
import ao486.test.layers.GeneralRegisterLayer;
import ao486.test.layers.HandleModeChangeLayer;
import ao486.test.layers.IOLayer;
import ao486.test.layers.InstructionLayer;
import ao486.test.layers.Layer;
import ao486.test.layers.MemoryLayer;
import ao486.test.layers.MemoryPatchLayer;
import ao486.test.layers.OtherLayer;
import ao486.test.layers.Pair;
import ao486.test.layers.SegmentLayer;
import ao486.test.layers.StackLayer;
import java.io.*;
import java.util.LinkedList;
import java.util.Random;
 
 
public class TestCALL_call_gate_same extends TestUnit implements Serializable {
    public static void main(String args[]) throws Exception {
        run_test(TestCALL_call_gate_same.class);
    }
 
    public TestCALL_call_gate_same() {
 
    }
 
    //--------------------------------------------------------------------------
    @Override
    public int get_test_count() throws Exception {
        return 100;
    }
 
    @Override
    public void init() throws Exception {
 
        random = new Random(16+index);
 
        String instruction;
        while(true) {
            layers.clear();
 
            LinkedList<Pair<Long, Long>> prohibited_list = new LinkedList<>();
 
            InstructionLayer instr = new InstructionLayer(random, prohibited_list);
            layers.add(instr);
            StackLayer stack = new StackLayer(random, prohibited_list);
            layers.add(stack);
            layers.add(new OtherLayer(OtherLayer.Type.PROTECTED_OR_V8086, random));
            layers.add(new FlagsLayer(FlagsLayer.Type.NOT_V8086, random));
            layers.add(new GeneralRegisterLayer(random));
            layers.add(new SegmentLayer(random));
            layers.add(new MemoryLayer(random));
            layers.add(new IOLayer(random));
 
            layers.addFirst(new HandleModeChangeLayer(
                    getInput("cr0_pe"),
                    getInput("vmflag"),
                    getInput("cs_rpl"),
                    getInput("cs_p"),
                    getInput("cs_s"),
                    getInput("cs_type")
            ));
 
            // instruction size
            boolean cs_d_b = getInput("cs_d_b") == 1;
 
            boolean a32 = random.nextBoolean();
            boolean o32 = random.nextBoolean();
 
            /* null check, selector limit checked in: TestCALL_protected_seg
             *
             * 0 - pre-(call gate) valid check
             * 1 - cs_selector NULL
             * 2 - cs_selector out of bounds
             * 3 - cs_descriptor valid check
             * 4 - eip out of bounds
             *
             * 5 - all ok
             */
 
            int type = random.nextInt(6);
            System.out.println("Running test type: " + type);
 
            DescriptorTableLayer tables = null;
 
            //------------------------------------------------------------------
            //------------------------------------------------------------------
 
            // prepare cs descriptor
            boolean is_cs_ldt = (type == 1)? false : random.nextBoolean();
 
            boolean conds[] = new boolean[4];
            int cond = 1 << random.nextInt(conds.length);
            if(type >= 4) cond = 0;
 
            int     new_cs_rpl  = 0;
            boolean new_cs_seg  = false;
            int     new_cs_type = 0;
            int     new_cs_dpl  = 0;
            boolean new_cs_p    = false;
            int     old_cs_rpl  = 0;
 
            do {
                do {
                    new_cs_seg  = random.nextBoolean();
                    new_cs_type = random.nextInt(16);
                    new_cs_p    = random.nextBoolean();
 
                    new_cs_rpl  = random.nextInt(4);
                    new_cs_dpl  = random.nextInt(4);
 
                    old_cs_rpl  = random.nextInt(4);
                }
                while(((new_cs_type >> 2) & 1) == 0 && new_cs_dpl < old_cs_rpl); //non-conforming
 
                conds[0] = new_cs_seg == false;
                conds[1] = ((new_cs_type >> 3) & 1) == 0;
                conds[2] = new_cs_dpl > old_cs_rpl;
                conds[3] = new_cs_p == false;
            }
            while(!isAccepted(cond, conds[0],conds[1],conds[2],conds[3]));
 
System.out.printf("cond cs: %d\n", cond);
 
            long new_cs_base, new_cs_limit;
            boolean new_cs_g;
            while(true) {
                new_cs_base = Layer.norm(random.nextInt());
                new_cs_g    = random.nextBoolean();
 
                new_cs_limit = random.nextInt(new_cs_g? 0xF : 0xFFFF);
                if(new_cs_g) new_cs_limit = (new_cs_limit << 12) | 0xFFF;
 
                if( new_cs_base + new_cs_limit < 4294967296L &&
                    Layer.collides(prohibited_list, (int)new_cs_base, (int)(new_cs_base + new_cs_limit)) == false
                ) break;
            }
 
            boolean new_cs_d_b = random.nextBoolean();
            boolean new_cs_l   = random.nextBoolean();
            boolean new_cs_avl = random.nextBoolean();
            long new_cs_limit_final = new_cs_g? new_cs_limit >> 12 : new_cs_limit;
            Descriptor cs_desc = new Descriptor((int)new_cs_base, (int)new_cs_limit_final, new_cs_type, new_cs_seg, new_cs_p, new_cs_dpl, new_cs_d_b, new_cs_g, new_cs_l, new_cs_avl);
 
System.out.printf("cs_desc: ");
for(int i=0; i<8; i++) System.out.printf("%02x ", cs_desc.get_byte(i));
System.out.printf("\n");
 
            //-------
            tables = new DescriptorTableLayer(random, prohibited_list, true);
 
            int index = -1;
            if(type == 1) {
                index = random.nextInt(4);
            }
            else if(type == 2) {
                index = tables.getOutOfBoundsIndex(is_cs_ldt);
                if(index == -1) continue;
            }
            else {
                index = tables.addDescriptor(is_cs_ldt, cs_desc);
                if(index == -1) continue;
            }
 
            if(type != 1) {
                index <<= 3;
                if(is_cs_ldt) index |= 4;
                index |= new_cs_rpl;
            }
 
            //--------------------------------------------------------------
            // prepare call gate descriptor
 
            boolean is_cg_ldt = random.nextBoolean();
 
            conds = new boolean[2];
            cond = 1 << random.nextInt(conds.length);
            if(type >= 1) cond = 0;
 
            int     new_cg_rpl  = 0;
            boolean new_cg_seg  = false;
            int     new_cg_type = 0;
            int     new_cg_dpl  = 0;
            boolean new_cg_p    = false;
 
            do {
                new_cg_seg  = false;
                new_cg_type = random.nextBoolean()? 0x4 : 0xc; //CALL_GATE 286,386
 
                new_cg_rpl  = random.nextInt(4);
                new_cg_dpl  = random.nextInt(4);
                new_cg_p    = random.nextBoolean();
                is_cg_ldt   = random.nextBoolean();
 
                if((cond & 1) == 1 && old_cs_rpl == 0) {
                    cond &= 0xFE;
                    cond |= 2;
                }
 
                conds[0] = new_cg_dpl < old_cs_rpl || new_cg_dpl < new_cg_rpl;
                conds[1] = new_cg_p == false;
            }
            while(!isAccepted(cond, conds[0],conds[1]));
 
            long new_cg_base  = index;
            long new_cg_limit = Layer.norm(random.nextInt(0xFFFFF+1));
            boolean new_cg_g  = random.nextBoolean();
 
            boolean new_cg_d_b = random.nextBoolean();
            boolean new_cg_l   = random.nextBoolean();
            boolean new_cg_avl = random.nextBoolean();
            long new_cg_limit_final = new_cg_g? new_cg_limit >> 12 : new_cg_limit;
            Descriptor cg_desc = new Descriptor((int)new_cg_base, (int)new_cg_limit_final, new_cg_type, new_cg_seg, new_cg_p, new_cg_dpl, new_cg_d_b, new_cg_g, new_cg_l, new_cg_avl);
 
//------------
            final int old_cs_rpl_final = old_cs_rpl;
            Layer cs_rpl_layer = new Layer() {
                long cs_rpl() { return old_cs_rpl_final; }
            };
            layers.addFirst(cs_rpl_layer);
 
            // eip limit
            long eip = 0;
            if(type == 4) {
                while(true) {
                    eip = new_cs_limit + 1 + random.nextInt(10);
 
                    if(new_cg_type == 0x4) eip &= 0xFFFF;
 
                    if(eip > new_cs_limit) break;
                }
                if(new_cg_type == 0x4) eip |= (random.nextInt() & 0xFFFF0000);
            }
            else {
                while(true) {
                    eip = Layer.norm(random.nextInt((int)new_cs_limit+1));
 
                    if(new_cg_type == 0x4) eip &= 0xFFFF;
 
                    if(eip <= new_cs_limit) break;
                }
                long dest = new_cs_base + eip;
                // adding always possible
                MemoryPatchLayer patch = new MemoryPatchLayer(random, prohibited_list, (int)dest, 0x0F,0x0F);
                layers.addFirst(patch);
 
                if(new_cg_type == 0x4) eip |= (random.nextInt() & 0xFFFF0000);
            }
            cg_desc.set_dest_offset(eip);
 
System.out.printf("cg_desc: ");
for(int i=0; i<8; i++) System.out.printf("%02x ", cg_desc.get_byte(i));
System.out.printf("\n");
 
            //----------
            index = tables.addDescriptor(is_cg_ldt, cg_desc);
            if(index == -1) continue;
 
            index = index << 3;
            if(is_cg_ldt) index |= 4;
            index |= new_cg_rpl;
 
System.out.printf("cond cg: %d\n", cond);
 
            layers.addFirst(tables);
 
            //------------------------------------------------------------------
            //------------------------------------------------------------------
 
            long new_eip = 0;
            long new_cs  = index;
 
            // instruction
            byte extra_bytes[] = null;
 
            boolean is_Ep = random.nextBoolean();
 
            if(is_Ep) {
                byte modregrm_bytes[] = EffectiveAddressLayerFactory.prepare(
                        o32? (((new_cs & 0xFFFF) << 32) | (new_eip & 0xFFFFFFFF)) : (((new_cs & 0xFFFF) << 16) | (new_eip & 0xFFFF)),
                        3, EffectiveAddressLayerFactory.modregrm_reg_t.SET,
                        o32? 6 : 4, a32,
                        layers, random, this, true, false);
                extra_bytes = modregrm_bytes;
            }
            else {
                long immediate = o32? (((new_cs & 0xFFFF) << 32) | (new_eip & 0xFFFFFFFF)) : (((new_cs & 0xFFFF) << 16) | (new_eip & 0xFFFF));
 
                byte imm_bytes[] = new byte[o32? 6 : 4];
                for(int i=0; i<imm_bytes.length; i++) {
                    imm_bytes[i] = (byte)(immediate & 0xFF);
                    immediate >>= 8;
                }
                extra_bytes = imm_bytes;
            }
 
            instruction = prepare_instr(cs_d_b, a32, o32, extra_bytes, is_Ep);
            instr.add_instruction(instruction);
 
            // end condition
            break;
        }
 
        System.out.println("Instruction: [" + instruction + "]");
    }
 
    String prepare_instr(boolean cs_d_b, boolean a32, boolean o32, byte extra_bytes[], boolean is_Ep) throws Exception {
        int opcodes[] = {
            0xFF, 0x9A
        };
 
        String prefix = "";
        if(cs_d_b != o32) { prefix = "66" + prefix; }
        if(cs_d_b != a32) { prefix = "67" + prefix; }
 
        int opcode = opcodes[is_Ep? 0 : 1];
 
        byte instr[] = new byte[1 + extra_bytes.length];
        instr[0] = (byte)opcode;
        System.arraycopy(extra_bytes, 0, instr, 1, extra_bytes.length);
 
        return prefix + bytesToHex(instr);
    }
 
}

Browse

Tools

Subversion Repositories ao486

[/] [ao486/] [trunk/] [ao486_tool/] [src/] [ao486/] [test/] [branch/] [TestCALL_call_gate_same.java] - Blame information for rev 2

Line No.	Rev	Author	Line
1	2	alfik	`/*`
2			`* Copyright (c) 2014, Aleksander Osman`
3			`* All rights reserved.`
4			`*`
5			`* Redistribution and use in source and binary forms, with or without`
6			`* modification, are permitted provided that the following conditions are met:`
7			`*`
8			`* * Redistributions of source code must retain the above copyright notice, this`
9			`* list of conditions and the following disclaimer.`
10			`*`
11			`* * Redistributions in binary form must reproduce the above copyright notice,`
12			`* this list of conditions and the following disclaimer in the documentation`
13			`* and/or other materials provided with the distribution.`
14			`*`
15			`* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"`
16			`* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
17			`* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE`
18			`* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE`
19			`* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
20			`* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR`
21			`* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER`
22			`* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,`
23			`* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE`
24			`* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`
25			`*/`
26
27			`package ao486.test.branch;`
28
29			`import ao486.test.TestUnit;`
30			`import ao486.test.layers.DescriptorTableLayer;`
31			`import ao486.test.layers.EffectiveAddressLayerFactory;`
32			`import ao486.test.layers.FlagsLayer;`
33			`import ao486.test.layers.GeneralRegisterLayer;`
34			`import ao486.test.layers.HandleModeChangeLayer;`
35			`import ao486.test.layers.IOLayer;`
36			`import ao486.test.layers.InstructionLayer;`
37			`import ao486.test.layers.Layer;`
38			`import ao486.test.layers.MemoryLayer;`
39			`import ao486.test.layers.MemoryPatchLayer;`
40			`import ao486.test.layers.OtherLayer;`
41			`import ao486.test.layers.Pair;`
42			`import ao486.test.layers.SegmentLayer;`
43			`import ao486.test.layers.StackLayer;`
44			`import java.io.*;`
45			`import java.util.LinkedList;`
46			`import java.util.Random;`
47
48
49			`public class TestCALL_call_gate_same extends TestUnit implements Serializable {`
50			`public static void main(String args[]) throws Exception {`
51			`run_test(TestCALL_call_gate_same.class);`
52			`}`
53
54			`public TestCALL_call_gate_same() {`
55
56			`}`
57
58			`//--------------------------------------------------------------------------`
59			`@Override`
60			`public int get_test_count() throws Exception {`
61			`return 100;`
62			`}`
63
64			`@Override`
65			`public void init() throws Exception {`
66
67			`random = new Random(16+index);`
68
69			`String instruction;`
70			`while(true) {`
71			`layers.clear();`
72
73			`LinkedList<Pair<Long, Long>> prohibited_list = new LinkedList<>();`
74
75			`InstructionLayer instr = new InstructionLayer(random, prohibited_list);`
76			`layers.add(instr);`
77			`StackLayer stack = new StackLayer(random, prohibited_list);`
78			`layers.add(stack);`
79			`layers.add(new OtherLayer(OtherLayer.Type.PROTECTED_OR_V8086, random));`
80			`layers.add(new FlagsLayer(FlagsLayer.Type.NOT_V8086, random));`
81			`layers.add(new GeneralRegisterLayer(random));`
82			`layers.add(new SegmentLayer(random));`
83			`layers.add(new MemoryLayer(random));`
84			`layers.add(new IOLayer(random));`
85
86			`layers.addFirst(new HandleModeChangeLayer(`
87			`getInput("cr0_pe"),`
88			`getInput("vmflag"),`
89			`getInput("cs_rpl"),`
90			`getInput("cs_p"),`
91			`getInput("cs_s"),`
92			`getInput("cs_type")`
93			`));`
94
95			`// instruction size`
96			`boolean cs_d_b = getInput("cs_d_b") == 1;`
97
98			`boolean a32 = random.nextBoolean();`
99			`boolean o32 = random.nextBoolean();`
100
101			`/* null check, selector limit checked in: TestCALL_protected_seg`
102			`*`
103			`* 0 - pre-(call gate) valid check`
104			`* 1 - cs_selector NULL`
105			`* 2 - cs_selector out of bounds`
106			`* 3 - cs_descriptor valid check`
107			`* 4 - eip out of bounds`
108			`*`
109			`* 5 - all ok`
110			`*/`
111
112			`int type = random.nextInt(6);`
113			`System.out.println("Running test type: " + type);`
114
115			`DescriptorTableLayer tables = null;`
116
117			`//------------------------------------------------------------------`
118			`//------------------------------------------------------------------`
119
120			`// prepare cs descriptor`
121			`boolean is_cs_ldt = (type == 1)? false : random.nextBoolean();`
122
123			`boolean conds[] = new boolean[4];`
124			`int cond = 1 << random.nextInt(conds.length);`
125			`if(type >= 4) cond = 0;`
126
127			`int new_cs_rpl = 0;`
128			`boolean new_cs_seg = false;`
129			`int new_cs_type = 0;`
130			`int new_cs_dpl = 0;`
131			`boolean new_cs_p = false;`
132			`int old_cs_rpl = 0;`
133
134			`do {`
135			`do {`
136			`new_cs_seg = random.nextBoolean();`
137			`new_cs_type = random.nextInt(16);`
138			`new_cs_p = random.nextBoolean();`
139
140			`new_cs_rpl = random.nextInt(4);`
141			`new_cs_dpl = random.nextInt(4);`
142
143			`old_cs_rpl = random.nextInt(4);`
144			`}`
145			`while(((new_cs_type >> 2) & 1) == 0 && new_cs_dpl < old_cs_rpl); //non-conforming`
146
147			`conds[0] = new_cs_seg == false;`
148			`conds[1] = ((new_cs_type >> 3) & 1) == 0;`
149			`conds[2] = new_cs_dpl > old_cs_rpl;`
150			`conds[3] = new_cs_p == false;`
151			`}`
152			`while(!isAccepted(cond, conds[0],conds[1],conds[2],conds[3]));`
153
154			`System.out.printf("cond cs: %d\n", cond);`
155
156			`long new_cs_base, new_cs_limit;`
157			`boolean new_cs_g;`
158			`while(true) {`
159			`new_cs_base = Layer.norm(random.nextInt());`
160			`new_cs_g = random.nextBoolean();`
161
162			`new_cs_limit = random.nextInt(new_cs_g? 0xF : 0xFFFF);`
163			`if(new_cs_g) new_cs_limit = (new_cs_limit << 12) \| 0xFFF;`
164
165			`if( new_cs_base + new_cs_limit < 4294967296L &&`
166			`Layer.collides(prohibited_list, (int)new_cs_base, (int)(new_cs_base + new_cs_limit)) == false`
167			`) break;`
168			`}`
169
170			`boolean new_cs_d_b = random.nextBoolean();`
171			`boolean new_cs_l = random.nextBoolean();`
172			`boolean new_cs_avl = random.nextBoolean();`
173			`long new_cs_limit_final = new_cs_g? new_cs_limit >> 12 : new_cs_limit;`
174			`Descriptor cs_desc = new Descriptor((int)new_cs_base, (int)new_cs_limit_final, new_cs_type, new_cs_seg, new_cs_p, new_cs_dpl, new_cs_d_b, new_cs_g, new_cs_l, new_cs_avl);`
175
176			`System.out.printf("cs_desc: ");`
177			`for(int i=0; i<8; i++) System.out.printf("%02x ", cs_desc.get_byte(i));`
178			`System.out.printf("\n");`
179
180			`//-------`
181			`tables = new DescriptorTableLayer(random, prohibited_list, true);`
182
183			`int index = -1;`
184			`if(type == 1) {`
185			`index = random.nextInt(4);`
186			`}`
187			`else if(type == 2) {`
188			`index = tables.getOutOfBoundsIndex(is_cs_ldt);`
189			`if(index == -1) continue;`
190			`}`
191			`else {`
192			`index = tables.addDescriptor(is_cs_ldt, cs_desc);`
193			`if(index == -1) continue;`
194			`}`
195
196			`if(type != 1) {`
197			`index <<= 3;`
198			`if(is_cs_ldt) index \|= 4;`
199			`index \|= new_cs_rpl;`
200			`}`
201
202			`//--------------------------------------------------------------`
203			`// prepare call gate descriptor`
204
205			`boolean is_cg_ldt = random.nextBoolean();`
206
207			`conds = new boolean[2];`
208			`cond = 1 << random.nextInt(conds.length);`
209			`if(type >= 1) cond = 0;`
210
211			`int new_cg_rpl = 0;`
212			`boolean new_cg_seg = false;`
213			`int new_cg_type = 0;`
214			`int new_cg_dpl = 0;`
215			`boolean new_cg_p = false;`
216
217			`do {`
218			`new_cg_seg = false;`
219			`new_cg_type = random.nextBoolean()? 0x4 : 0xc; //CALL_GATE 286,386`
220
221			`new_cg_rpl = random.nextInt(4);`
222			`new_cg_dpl = random.nextInt(4);`
223			`new_cg_p = random.nextBoolean();`
224			`is_cg_ldt = random.nextBoolean();`
225
226			`if((cond & 1) == 1 && old_cs_rpl == 0) {`
227			`cond &= 0xFE;`
228			`cond \|= 2;`
229			`}`
230
231			`conds[0] = new_cg_dpl < old_cs_rpl \|\| new_cg_dpl < new_cg_rpl;`
232			`conds[1] = new_cg_p == false;`
233			`}`
234			`while(!isAccepted(cond, conds[0],conds[1]));`
235
236			`long new_cg_base = index;`
237			`long new_cg_limit = Layer.norm(random.nextInt(0xFFFFF+1));`
238			`boolean new_cg_g = random.nextBoolean();`
239
240			`boolean new_cg_d_b = random.nextBoolean();`
241			`boolean new_cg_l = random.nextBoolean();`
242			`boolean new_cg_avl = random.nextBoolean();`
243			`long new_cg_limit_final = new_cg_g? new_cg_limit >> 12 : new_cg_limit;`
244			`Descriptor cg_desc = new Descriptor((int)new_cg_base, (int)new_cg_limit_final, new_cg_type, new_cg_seg, new_cg_p, new_cg_dpl, new_cg_d_b, new_cg_g, new_cg_l, new_cg_avl);`
245
246			`//------------`
247			`final int old_cs_rpl_final = old_cs_rpl;`
248			`Layer cs_rpl_layer = new Layer() {`
249			`long cs_rpl() { return old_cs_rpl_final; }`
250			`};`
251			`layers.addFirst(cs_rpl_layer);`
252
253			`// eip limit`
254			`long eip = 0;`
255			`if(type == 4) {`
256			`while(true) {`
257			`eip = new_cs_limit + 1 + random.nextInt(10);`
258
259			`if(new_cg_type == 0x4) eip &= 0xFFFF;`
260
261			`if(eip > new_cs_limit) break;`
262			`}`
263			`if(new_cg_type == 0x4) eip \|= (random.nextInt() & 0xFFFF0000);`
264			`}`
265			`else {`
266			`while(true) {`
267			`eip = Layer.norm(random.nextInt((int)new_cs_limit+1));`
268
269			`if(new_cg_type == 0x4) eip &= 0xFFFF;`
270
271			`if(eip <= new_cs_limit) break;`
272			`}`
273			`long dest = new_cs_base + eip;`
274			`// adding always possible`
275			`MemoryPatchLayer patch = new MemoryPatchLayer(random, prohibited_list, (int)dest, 0x0F,0x0F);`
276			`layers.addFirst(patch);`
277
278			`if(new_cg_type == 0x4) eip \|= (random.nextInt() & 0xFFFF0000);`
279			`}`
280			`cg_desc.set_dest_offset(eip);`
281
282			`System.out.printf("cg_desc: ");`
283			`for(int i=0; i<8; i++) System.out.printf("%02x ", cg_desc.get_byte(i));`
284			`System.out.printf("\n");`
285
286			`//----------`
287			`index = tables.addDescriptor(is_cg_ldt, cg_desc);`
288			`if(index == -1) continue;`
289
290			`index = index << 3;`
291			`if(is_cg_ldt) index \|= 4;`
292			`index \|= new_cg_rpl;`
293
294			`System.out.printf("cond cg: %d\n", cond);`
295
296			`layers.addFirst(tables);`
297
298			`//------------------------------------------------------------------`
299			`//------------------------------------------------------------------`
300
301			`long new_eip = 0;`
302			`long new_cs = index;`
303
304			`// instruction`
305			`byte extra_bytes[] = null;`
306
307			`boolean is_Ep = random.nextBoolean();`
308
309			`if(is_Ep) {`
310			`byte modregrm_bytes[] = EffectiveAddressLayerFactory.prepare(`
311			`o32? (((new_cs & 0xFFFF) << 32) \| (new_eip & 0xFFFFFFFF)) : (((new_cs & 0xFFFF) << 16) \| (new_eip & 0xFFFF)),`
312			`3, EffectiveAddressLayerFactory.modregrm_reg_t.SET,`
313			`o32? 6 : 4, a32,`
314			`layers, random, this, true, false);`
315			`extra_bytes = modregrm_bytes;`
316			`}`
317			`else {`
318			`long immediate = o32? (((new_cs & 0xFFFF) << 32) \| (new_eip & 0xFFFFFFFF)) : (((new_cs & 0xFFFF) << 16) \| (new_eip & 0xFFFF));`
319
320			`byte imm_bytes[] = new byte[o32? 6 : 4];`
321			`for(int i=0; i<imm_bytes.length; i++) {`
322			`imm_bytes[i] = (byte)(immediate & 0xFF);`
323			`immediate >>= 8;`
324			`}`
325			`extra_bytes = imm_bytes;`
326			`}`
327
328			`instruction = prepare_instr(cs_d_b, a32, o32, extra_bytes, is_Ep);`
329			`instr.add_instruction(instruction);`
330
331			`// end condition`
332			`break;`
333			`}`
334
335			`System.out.println("Instruction: [" + instruction + "]");`
336			`}`
337
338			`String prepare_instr(boolean cs_d_b, boolean a32, boolean o32, byte extra_bytes[], boolean is_Ep) throws Exception {`
339			`int opcodes[] = {`
340			`0xFF, 0x9A`
341			`};`
342
343			`String prefix = "";`
344			`if(cs_d_b != o32) { prefix = "66" + prefix; }`
345			`if(cs_d_b != a32) { prefix = "67" + prefix; }`
346
347			`int opcode = opcodes[is_Ep? 0 : 1];`
348
349			`byte instr[] = new byte[1 + extra_bytes.length];`
350			`instr[0] = (byte)opcode;`
351			`System.arraycopy(extra_bytes, 0, instr, 1, extra_bytes.length);`
352
353			`return prefix + bytesToHex(instr);`
354			`}`
355
356			`}`