URL https://opencores.org/ocsvn/ao486/ao486/trunk

Subversion Repositories ao486

[/] [ao486/] [trunk/] [ao486_tool/] [src/] [ao486/] [test/] [branch/] [TestIRET_protected_outer.java] - Blame information for rev 2

Details | Compare with Previous | View Log


/*
 * Copyright (c) 2014, Aleksander Osman
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * * Redistributions of source code must retain the above copyright notice, this
 *   list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
package ao486.test.branch;
 
import ao486.test.TestUnit;
import ao486.test.layers.DescriptorTableLayer;
import ao486.test.layers.FlagsLayer;
import ao486.test.layers.GeneralRegisterLayer;
import ao486.test.layers.HandleModeChangeLayer;
import ao486.test.layers.IOLayer;
import ao486.test.layers.InstructionLayer;
import ao486.test.layers.Layer;
import ao486.test.layers.MemoryLayer;
import ao486.test.layers.MemoryPatchLayer;
import ao486.test.layers.OtherLayer;
import ao486.test.layers.Pair;
import ao486.test.layers.SegmentLayer;
import ao486.test.layers.StackLayer;
import java.io.*;
import java.util.LinkedList;
import java.util.Random;
 
 
public class TestIRET_protected_outer extends TestUnit implements Serializable {
    public static void main(String args[]) throws Exception {
        run_test(TestIRET_protected_outer.class);
    }
 
    //--------------------------------------------------------------------------
    @Override
    public int get_test_count() throws Exception {
        return 100;
    }
 
    @Override
    public void init() throws Exception {
 
        random = new Random(45 + index);
 
        String instruction;
        while(true) {
            layers.clear();
 
            LinkedList<Pair<Long, Long>> prohibited_list = new LinkedList<>();
 
            InstructionLayer instr  = new InstructionLayer(random, prohibited_list);
            layers.add(instr);
            StackLayer stack        = new StackLayer(random, prohibited_list);
            layers.add(stack);
            layers.add(new OtherLayer(OtherLayer.Type.PROTECTED_OR_V8086, random));
            layers.add(new FlagsLayer(FlagsLayer.Type.NOT_V8086_NOT_NT, random));
            layers.add(new GeneralRegisterLayer(random));
            layers.add(new SegmentLayer(random));
            layers.add(new MemoryLayer(random));
            layers.add(new IOLayer(random));
            layers.addFirst(new HandleModeChangeLayer(
                    getInput("cr0_pe"),
                    getInput("vmflag"),
                    getInput("cs_rpl"),
                    getInput("cs_p"),
                    getInput("cs_s"),
                    getInput("cs_type")
            ));
 
 
            // instruction size
            boolean cs_d_b  = getInput("cs_d_b") == 1;
 
            boolean a32     = random.nextBoolean();
            boolean o32     = random.nextBoolean();
 
 
            long cs  = 0;
            long eip = 0;
            long eflags = Layer.norm(random.nextInt());
 
            // eflags with no vmflag
            eflags &= 0xFFFDFFFF;
 
            //-------------------------- prepare CS
 
            DescriptorTableLayer tables = new DescriptorTableLayer(random, prohibited_list, true);
 
            boolean is_ldt = random.nextBoolean();
 
            boolean conds[] = new boolean[6];
            int cond = 0;
 
            int     new_cs_rpl  = 0;
            int     old_cs_rpl  = 0;
            boolean new_cs_seg  = false;
            int     new_cs_type = 0;
            int     new_cs_dpl  = 0;
            boolean new_cs_p    = false;
 
            do {
                old_cs_rpl  = random.nextInt(3);
                new_cs_seg  = random.nextBoolean();
                new_cs_type = random.nextInt(16);
                new_cs_dpl  = random.nextInt(4);
                new_cs_p    = random.nextBoolean();
 
                new_cs_rpl = old_cs_rpl+1+random.nextInt(3-old_cs_rpl);
 
                conds[0] = new_cs_rpl < old_cs_rpl;
                //check_cs()
                conds[1] = new_cs_seg == false;
                conds[2] = ((new_cs_type >> 3)&1) == 0; // is data segment
                conds[3] = ((new_cs_type >> 3)&1) == 1 && ((new_cs_type >> 2)&1) == 0 && new_cs_dpl != new_cs_rpl; // code non conforming
                conds[4] = ((new_cs_type >> 3)&1) == 1 && ((new_cs_type >> 2)&1) == 1 && new_cs_dpl > new_cs_rpl;  // code conforming
                conds[5] = new_cs_p == false;
            }
            while(!isAccepted(cond, conds[0],conds[1],conds[2],conds[3],conds[4],conds[5]));
 
            long new_cs_base, new_cs_limit;
            boolean new_cs_g;
            while(true) {
                new_cs_base = Layer.norm(random.nextInt());
                new_cs_g    = random.nextBoolean();
 
                new_cs_limit = random.nextInt(new_cs_g? 2 : 0xFFFF + 1);
                if(new_cs_g) new_cs_limit = (new_cs_limit << 12) | 0xFFF;
 
                if( new_cs_base + new_cs_limit < 4294967296L &&
                    Layer.collides(prohibited_list, (int)new_cs_base, (int)(new_cs_base + new_cs_limit)) == false
                ) break;
            }
 
            boolean new_cs_d_b = random.nextBoolean();
            boolean new_cs_l   = random.nextBoolean();
            boolean new_cs_avl = random.nextBoolean();
            long new_cs_limit_final = new_cs_g? new_cs_limit >> 12 : new_cs_limit;
            Descriptor cs_desc = new Descriptor((int)new_cs_base, (int)new_cs_limit_final, new_cs_type, new_cs_seg, new_cs_p, new_cs_dpl, new_cs_d_b, new_cs_g, new_cs_l, new_cs_avl);
 
            final int old_cs_rpl_final = old_cs_rpl;
            Layer cs_rpl_layer = new Layer() {
                long cs_rpl() { return old_cs_rpl_final; }
            };
            layers.addFirst(cs_rpl_layer);
 
            int index = tables.addDescriptor(is_ldt, cs_desc);
            if(index == -1) continue;
 
            index = index << 3;
            if(is_ldt) index |= 4;
 
            index |= new_cs_rpl;
 
            cs = index;
 
 
            /* all outer
            *
            * 0. ss_selector null
            * 1. ss_descriptor out of bounds
            * 2. check ss
            * 3. eip out of bounds
            * 4. all ok
            */
 
            int test_type = 4; //random.nextInt(5);
 
            if(test_type == 3) {
                while(true) {
                    eip = new_cs_limit + 1 + random.nextInt(10);
 
                    if(o32 == false) eip &= 0xFFFF;
 
                    if(eip > new_cs_limit) break;
                }
                if(o32 == false) eip |= (random.nextInt() & 0xFFFF0000);
            }
            else {
                while(true) {
                    eip = Layer.norm(random.nextInt((int)new_cs_limit+1));
 
                    if(o32 == false) eip &= 0xFFFF;
 
                    if(eip <= new_cs_limit) break;
                }
 
                long dest = new_cs_base + eip;
                // adding always possible
                MemoryPatchLayer patch = new MemoryPatchLayer(random, prohibited_list, (int)dest, 0x0F,0x0F);
                layers.addFirst(patch);
 
                if(o32 == false) eip |= (random.nextInt() & 0xFFFF0000);
            }
 
 
 
            //-------------------------- prepare SS
            long ss  = random.nextInt(4);
            long esp = Layer.norm(random.nextInt());
 
 
            if(test_type == 0) {
                // nothing
            }
            else if(test_type == 1) {
                is_ldt = random.nextBoolean();
 
                index = tables.getOutOfBoundsIndex(is_ldt);
                if(index == -1) continue;
 
                index = index << 3;
                if(is_ldt) index |= 4;
 
                index |= new_cs_rpl;
 
                ss = index;
            }
            else if(test_type == 2 || test_type == 3 || test_type == 4) {
                is_ldt = random.nextBoolean();
 
                conds = new boolean[6];
                cond = 1 << random.nextInt(conds.length);
                if(test_type >= 3) cond = 0;
 
                int     new_ss_rpl  = 0;
                boolean new_ss_seg  = false;
                int     new_ss_type = 0;
                int     new_ss_dpl  = 0;
                boolean new_ss_p    = false;
 
                do {
                    new_ss_rpl  = random.nextInt(4);
                    new_ss_seg  = random.nextBoolean();
                    new_ss_type = random.nextInt(16);
                    new_ss_dpl  = random.nextInt(4);
                    new_ss_p    = random.nextBoolean();
 
                    conds[0] = new_ss_rpl != new_cs_rpl;
                    conds[1] = new_ss_seg == false;
                    conds[2] = ((new_ss_type >> 3)&1) == 1; // is code segment
                    conds[3] = ((new_ss_type >> 3)&1) == 0 && ((new_ss_type >> 1)&1) == 0; // data not writable
                    conds[4] = new_ss_dpl != new_cs_rpl;
                    conds[5] = new_ss_p == false;
                }
                while(!isAccepted(cond, conds[0],conds[1],conds[2],conds[3],conds[4],conds[5]));
 
                long new_ss_base, new_ss_limit;
                while(true) {
                    new_ss_base = Layer.norm(random.nextInt());
 
                    new_ss_limit = random.nextInt(0xFFFF + 1);
 
                    if( new_ss_base + new_ss_limit < 4294967296L &&
                        Layer.collides(prohibited_list, (int)new_ss_base, (int)(new_ss_base + new_ss_limit)) == false
                    ) break;
                }
 
                boolean new_ss_d_b = random.nextBoolean();
                boolean new_ss_g   = random.nextBoolean();
                boolean new_ss_l   = random.nextBoolean();
                boolean new_ss_avl = random.nextBoolean();
                Descriptor ss_desc = new Descriptor((int)new_ss_base, (int)new_ss_limit, new_ss_type, new_ss_seg, new_ss_p, new_ss_dpl, new_ss_d_b, new_ss_g, new_ss_l, new_ss_avl);
 
 
                index = tables.addDescriptor(is_ldt, ss_desc);
                if(index == -1) continue;
 
                index = index << 3;
                if(is_ldt) index |= 4;
 
                index |= new_ss_rpl;
 
                ss = index;
            }
 
            // entry stack
            if(o32) {
                stack.push_dword((int)eip);     //eip
                stack.push_dword((int)cs);      //cs
                stack.push_dword((int)eflags);  //eflags
                stack.push_dword((int)esp); // esp
                stack.push_dword((int)ss);  // ss
            }
            else {
                stack.push_word((int)eip);      //eip
                stack.push_word((int)cs);       //cs
                stack.push_word((int)eflags);   //eflags
                stack.push_word((int)esp); // esp
                stack.push_word((int)ss);  // ss
            }
 
            layers.addFirst(tables);
 
            // add instruction
            instruction = prepare_instr(cs_d_b, a32, o32);
            instr.add_instruction(instruction);
 
 
 
            // end condition
            break;
        }
 
        System.out.println("Instruction: [" + instruction + "]");
    }
 
    int imm_len(boolean a32, boolean o32, int opcode) {
        return 0;
    }
    String prepare_instr(boolean cs_d_b, boolean a32, boolean o32) throws Exception {
        int opcodes[] = {
            0xCF
        };
 
        String prefix = "";
        if(cs_d_b != o32) { prefix = "66" + prefix; }
        if(cs_d_b != a32) { prefix = "67" + prefix; }
 
        int     opcode      = opcodes[random.nextInt(opcodes.length)];
        boolean is_modregrm = false;
 
        byte possible_modregrm = (byte)random.nextInt();
        byte possible_sib      = (byte)random.nextInt();
 
        int len = (is_modregrm == false)? 1 : 1 + modregrm_len(!cs_d_b, unsigned(possible_modregrm), unsigned(possible_sib));
        len += imm_len(a32, o32, opcode);
 
 
        byte instr[] = new byte[len];
        instr[0] = (byte)opcode;
        for(int i=1; i<len; i++) {
            if(i==1)        instr[1] = possible_modregrm;
            else if(i==2)   instr[2] = possible_sib;
            else            instr[i] = (byte)random.nextInt();
        }
 
        return prefix + bytesToHex(instr);
    }
 
}

Browse

Tools

Subversion Repositories ao486

[/] [ao486/] [trunk/] [ao486_tool/] [src/] [ao486/] [test/] [branch/] [TestIRET_protected_outer.java] - Blame information for rev 2

Line No.	Rev	Author	Line
1	2	alfik	`/*`
2			`* Copyright (c) 2014, Aleksander Osman`
3			`* All rights reserved.`
4			`*`
5			`* Redistribution and use in source and binary forms, with or without`
6			`* modification, are permitted provided that the following conditions are met:`
7			`*`
8			`* * Redistributions of source code must retain the above copyright notice, this`
9			`* list of conditions and the following disclaimer.`
10			`*`
11			`* * Redistributions in binary form must reproduce the above copyright notice,`
12			`* this list of conditions and the following disclaimer in the documentation`
13			`* and/or other materials provided with the distribution.`
14			`*`
15			`* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"`
16			`* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
17			`* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE`
18			`* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE`
19			`* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
20			`* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR`
21			`* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER`
22			`* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,`
23			`* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE`
24			`* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`
25			`*/`
26
27			`package ao486.test.branch;`
28
29			`import ao486.test.TestUnit;`
30			`import ao486.test.layers.DescriptorTableLayer;`
31			`import ao486.test.layers.FlagsLayer;`
32			`import ao486.test.layers.GeneralRegisterLayer;`
33			`import ao486.test.layers.HandleModeChangeLayer;`
34			`import ao486.test.layers.IOLayer;`
35			`import ao486.test.layers.InstructionLayer;`
36			`import ao486.test.layers.Layer;`
37			`import ao486.test.layers.MemoryLayer;`
38			`import ao486.test.layers.MemoryPatchLayer;`
39			`import ao486.test.layers.OtherLayer;`
40			`import ao486.test.layers.Pair;`
41			`import ao486.test.layers.SegmentLayer;`
42			`import ao486.test.layers.StackLayer;`
43			`import java.io.*;`
44			`import java.util.LinkedList;`
45			`import java.util.Random;`
46
47
48			`public class TestIRET_protected_outer extends TestUnit implements Serializable {`
49			`public static void main(String args[]) throws Exception {`
50			`run_test(TestIRET_protected_outer.class);`
51			`}`
52
53			`//--------------------------------------------------------------------------`
54			`@Override`
55			`public int get_test_count() throws Exception {`
56			`return 100;`
57			`}`
58
59			`@Override`
60			`public void init() throws Exception {`
61
62			`random = new Random(45 + index);`
63
64			`String instruction;`
65			`while(true) {`
66			`layers.clear();`
67
68			`LinkedList<Pair<Long, Long>> prohibited_list = new LinkedList<>();`
69
70			`InstructionLayer instr = new InstructionLayer(random, prohibited_list);`
71			`layers.add(instr);`
72			`StackLayer stack = new StackLayer(random, prohibited_list);`
73			`layers.add(stack);`
74			`layers.add(new OtherLayer(OtherLayer.Type.PROTECTED_OR_V8086, random));`
75			`layers.add(new FlagsLayer(FlagsLayer.Type.NOT_V8086_NOT_NT, random));`
76			`layers.add(new GeneralRegisterLayer(random));`
77			`layers.add(new SegmentLayer(random));`
78			`layers.add(new MemoryLayer(random));`
79			`layers.add(new IOLayer(random));`
80			`layers.addFirst(new HandleModeChangeLayer(`
81			`getInput("cr0_pe"),`
82			`getInput("vmflag"),`
83			`getInput("cs_rpl"),`
84			`getInput("cs_p"),`
85			`getInput("cs_s"),`
86			`getInput("cs_type")`
87			`));`
88
89
90			`// instruction size`
91			`boolean cs_d_b = getInput("cs_d_b") == 1;`
92
93			`boolean a32 = random.nextBoolean();`
94			`boolean o32 = random.nextBoolean();`
95
96
97			`long cs = 0;`
98			`long eip = 0;`
99			`long eflags = Layer.norm(random.nextInt());`
100
101			`// eflags with no vmflag`
102			`eflags &= 0xFFFDFFFF;`
103
104			`//-------------------------- prepare CS`
105
106			`DescriptorTableLayer tables = new DescriptorTableLayer(random, prohibited_list, true);`
107
108			`boolean is_ldt = random.nextBoolean();`
109
110			`boolean conds[] = new boolean[6];`
111			`int cond = 0;`
112
113			`int new_cs_rpl = 0;`
114			`int old_cs_rpl = 0;`
115			`boolean new_cs_seg = false;`
116			`int new_cs_type = 0;`
117			`int new_cs_dpl = 0;`
118			`boolean new_cs_p = false;`
119
120			`do {`
121			`old_cs_rpl = random.nextInt(3);`
122			`new_cs_seg = random.nextBoolean();`
123			`new_cs_type = random.nextInt(16);`
124			`new_cs_dpl = random.nextInt(4);`
125			`new_cs_p = random.nextBoolean();`
126
127			`new_cs_rpl = old_cs_rpl+1+random.nextInt(3-old_cs_rpl);`
128
129			`conds[0] = new_cs_rpl < old_cs_rpl;`
130			`//check_cs()`
131			`conds[1] = new_cs_seg == false;`
132			`conds[2] = ((new_cs_type >> 3)&1) == 0; // is data segment`
133			`conds[3] = ((new_cs_type >> 3)&1) == 1 && ((new_cs_type >> 2)&1) == 0 && new_cs_dpl != new_cs_rpl; // code non conforming`
134			`conds[4] = ((new_cs_type >> 3)&1) == 1 && ((new_cs_type >> 2)&1) == 1 && new_cs_dpl > new_cs_rpl; // code conforming`
135			`conds[5] = new_cs_p == false;`
136			`}`
137			`while(!isAccepted(cond, conds[0],conds[1],conds[2],conds[3],conds[4],conds[5]));`
138
139			`long new_cs_base, new_cs_limit;`
140			`boolean new_cs_g;`
141			`while(true) {`
142			`new_cs_base = Layer.norm(random.nextInt());`
143			`new_cs_g = random.nextBoolean();`
144
145			`new_cs_limit = random.nextInt(new_cs_g? 2 : 0xFFFF + 1);`
146			`if(new_cs_g) new_cs_limit = (new_cs_limit << 12) \| 0xFFF;`
147
148			`if( new_cs_base + new_cs_limit < 4294967296L &&`
149			`Layer.collides(prohibited_list, (int)new_cs_base, (int)(new_cs_base + new_cs_limit)) == false`
150			`) break;`
151			`}`
152
153			`boolean new_cs_d_b = random.nextBoolean();`
154			`boolean new_cs_l = random.nextBoolean();`
155			`boolean new_cs_avl = random.nextBoolean();`
156			`long new_cs_limit_final = new_cs_g? new_cs_limit >> 12 : new_cs_limit;`
157			`Descriptor cs_desc = new Descriptor((int)new_cs_base, (int)new_cs_limit_final, new_cs_type, new_cs_seg, new_cs_p, new_cs_dpl, new_cs_d_b, new_cs_g, new_cs_l, new_cs_avl);`
158
159			`final int old_cs_rpl_final = old_cs_rpl;`
160			`Layer cs_rpl_layer = new Layer() {`
161			`long cs_rpl() { return old_cs_rpl_final; }`
162			`};`
163			`layers.addFirst(cs_rpl_layer);`
164
165			`int index = tables.addDescriptor(is_ldt, cs_desc);`
166			`if(index == -1) continue;`
167
168			`index = index << 3;`
169			`if(is_ldt) index \|= 4;`
170
171			`index \|= new_cs_rpl;`
172
173			`cs = index;`
174
175
176			`/* all outer`
177			`*`
178			`* 0. ss_selector null`
179			`* 1. ss_descriptor out of bounds`
180			`* 2. check ss`
181			`* 3. eip out of bounds`
182			`* 4. all ok`
183			`*/`
184
185			`int test_type = 4; //random.nextInt(5);`
186
187			`if(test_type == 3) {`
188			`while(true) {`
189			`eip = new_cs_limit + 1 + random.nextInt(10);`
190
191			`if(o32 == false) eip &= 0xFFFF;`
192
193			`if(eip > new_cs_limit) break;`
194			`}`
195			`if(o32 == false) eip \|= (random.nextInt() & 0xFFFF0000);`
196			`}`
197			`else {`
198			`while(true) {`
199			`eip = Layer.norm(random.nextInt((int)new_cs_limit+1));`
200
201			`if(o32 == false) eip &= 0xFFFF;`
202
203			`if(eip <= new_cs_limit) break;`
204			`}`
205
206			`long dest = new_cs_base + eip;`
207			`// adding always possible`
208			`MemoryPatchLayer patch = new MemoryPatchLayer(random, prohibited_list, (int)dest, 0x0F,0x0F);`
209			`layers.addFirst(patch);`
210
211			`if(o32 == false) eip \|= (random.nextInt() & 0xFFFF0000);`
212			`}`
213
214
215
216			`//-------------------------- prepare SS`
217			`long ss = random.nextInt(4);`
218			`long esp = Layer.norm(random.nextInt());`
219
220
221			`if(test_type == 0) {`
222			`// nothing`
223			`}`
224			`else if(test_type == 1) {`
225			`is_ldt = random.nextBoolean();`
226
227			`index = tables.getOutOfBoundsIndex(is_ldt);`
228			`if(index == -1) continue;`
229
230			`index = index << 3;`
231			`if(is_ldt) index \|= 4;`
232
233			`index \|= new_cs_rpl;`
234
235			`ss = index;`
236			`}`
237			`else if(test_type == 2 \|\| test_type == 3 \|\| test_type == 4) {`
238			`is_ldt = random.nextBoolean();`
239
240			`conds = new boolean[6];`
241			`cond = 1 << random.nextInt(conds.length);`
242			`if(test_type >= 3) cond = 0;`
243
244			`int new_ss_rpl = 0;`
245			`boolean new_ss_seg = false;`
246			`int new_ss_type = 0;`
247			`int new_ss_dpl = 0;`
248			`boolean new_ss_p = false;`
249
250			`do {`
251			`new_ss_rpl = random.nextInt(4);`
252			`new_ss_seg = random.nextBoolean();`
253			`new_ss_type = random.nextInt(16);`
254			`new_ss_dpl = random.nextInt(4);`
255			`new_ss_p = random.nextBoolean();`
256
257			`conds[0] = new_ss_rpl != new_cs_rpl;`
258			`conds[1] = new_ss_seg == false;`
259			`conds[2] = ((new_ss_type >> 3)&1) == 1; // is code segment`
260			`conds[3] = ((new_ss_type >> 3)&1) == 0 && ((new_ss_type >> 1)&1) == 0; // data not writable`
261			`conds[4] = new_ss_dpl != new_cs_rpl;`
262			`conds[5] = new_ss_p == false;`
263			`}`
264			`while(!isAccepted(cond, conds[0],conds[1],conds[2],conds[3],conds[4],conds[5]));`
265
266			`long new_ss_base, new_ss_limit;`
267			`while(true) {`
268			`new_ss_base = Layer.norm(random.nextInt());`
269
270			`new_ss_limit = random.nextInt(0xFFFF + 1);`
271
272			`if( new_ss_base + new_ss_limit < 4294967296L &&`
273			`Layer.collides(prohibited_list, (int)new_ss_base, (int)(new_ss_base + new_ss_limit)) == false`
274			`) break;`
275			`}`
276
277			`boolean new_ss_d_b = random.nextBoolean();`
278			`boolean new_ss_g = random.nextBoolean();`
279			`boolean new_ss_l = random.nextBoolean();`
280			`boolean new_ss_avl = random.nextBoolean();`
281			`Descriptor ss_desc = new Descriptor((int)new_ss_base, (int)new_ss_limit, new_ss_type, new_ss_seg, new_ss_p, new_ss_dpl, new_ss_d_b, new_ss_g, new_ss_l, new_ss_avl);`
282
283
284			`index = tables.addDescriptor(is_ldt, ss_desc);`
285			`if(index == -1) continue;`
286
287			`index = index << 3;`
288			`if(is_ldt) index \|= 4;`
289
290			`index \|= new_ss_rpl;`
291
292			`ss = index;`
293			`}`
294
295			`// entry stack`
296			`if(o32) {`
297			`stack.push_dword((int)eip); //eip`
298			`stack.push_dword((int)cs); //cs`
299			`stack.push_dword((int)eflags); //eflags`
300			`stack.push_dword((int)esp); // esp`
301			`stack.push_dword((int)ss); // ss`
302			`}`
303			`else {`
304			`stack.push_word((int)eip); //eip`
305			`stack.push_word((int)cs); //cs`
306			`stack.push_word((int)eflags); //eflags`
307			`stack.push_word((int)esp); // esp`
308			`stack.push_word((int)ss); // ss`
309			`}`
310
311			`layers.addFirst(tables);`
312
313			`// add instruction`
314			`instruction = prepare_instr(cs_d_b, a32, o32);`
315			`instr.add_instruction(instruction);`
316
317
318
319			`// end condition`
320			`break;`
321			`}`
322
323			`System.out.println("Instruction: [" + instruction + "]");`
324			`}`
325
326			`int imm_len(boolean a32, boolean o32, int opcode) {`
327			`return 0;`
328			`}`
329			`String prepare_instr(boolean cs_d_b, boolean a32, boolean o32) throws Exception {`
330			`int opcodes[] = {`
331			`0xCF`
332			`};`
333
334			`String prefix = "";`
335			`if(cs_d_b != o32) { prefix = "66" + prefix; }`
336			`if(cs_d_b != a32) { prefix = "67" + prefix; }`
337
338			`int opcode = opcodes[random.nextInt(opcodes.length)];`
339			`boolean is_modregrm = false;`
340
341			`byte possible_modregrm = (byte)random.nextInt();`
342			`byte possible_sib = (byte)random.nextInt();`
343
344			`int len = (is_modregrm == false)? 1 : 1 + modregrm_len(!cs_d_b, unsigned(possible_modregrm), unsigned(possible_sib));`
345			`len += imm_len(a32, o32, opcode);`
346
347
348			`byte instr[] = new byte[len];`
349			`instr[0] = (byte)opcode;`
350			`for(int i=1; i<len; i++) {`
351			`if(i==1) instr[1] = possible_modregrm;`
352			`else if(i==2) instr[2] = possible_sib;`
353			`else instr[i] = (byte)random.nextInt();`
354			`}`
355
356			`return prefix + bytesToHex(instr);`
357			`}`
358
359			`}`