Add RzIL chapter and various small changes. (#131)

* Don't use hardcoded links.
* Update output in ioplugins.md
* Small update of macros.md chapter

Author: wargio

_quarto.yml

@@ -79,6 +79,7 @@ book:
         chapters:
          - src/disassembling/intro.md
          - src/disassembling/adding_metadata.md
+         - src/disassembling/rzil.md
          - src/disassembling/esil.md
 
       - part: "Analysis"

src/analysis/emulation.md

@@ -8,7 +8,7 @@ to solve even in the most basic way without at least a partial emulation.
 Thus, many professional reverse engineering tools use code emulation while
 performing an analysis of binary code, and Rizin is no different here.
 
-For partial emulation (or imprecise full emulation) Rizin uses its own RzIL intermediate language, designed
+For partial emulation (or imprecise full emulation) Rizin uses its own [RzIL intermediate language](../disassembling/rzil.md), designed
 to replace current [ESIL](../disassembling/esil.md).
 
 Rizin supports this kind of partial emulation for all platforms that

src/basic_commands/print_modes.md

@@ -504,7 +504,7 @@ ESIL's goal is to have a human-readable representation of every opcode semantics
 ### Print gadgets
 
 In Rizin, visual gadgets allows the users to cast or display the output of a particular Rizin command anywhere on the
-screen while in Visual mode. This command is unrelated with displaying [ROP Gadgets](https://book.rizin.re/refcard/intro.html#searching).
+screen while in Visual mode. This command is unrelated with displaying [ROP Gadgets](../refcard/intro.html#searching).
 
 Using the commands under `pg` (print gadgets), we can add, remove and change the location of these visual gadgets.
 You can add a gadget using `pg`:

src/configuration/evars.md

@@ -435,7 +435,7 @@ The variable `scr.seek` can be assigned a full-featured expression or a pointer/
 
 ### scr.scrollbar: `bool`
 
-When you have configured any [flagzones](http://book.rada.re/basic_commands/flags.html#flag-zones) (`fz?`), the `scr.scrollbar` variable facilitates the display of the scrollbar alongside the flagzones in Visual mode. Set it to `1` for displaying the scrollbar at the right end, `2` for the top, and `3` to position it at the bottom.
+When you have configured any [flagzones](../basic_commands/flags.html#flag-zones) (`fz?`), the `scr.scrollbar` variable facilitates the display of the scrollbar alongside the flagzones in Visual mode. Set it to `1` for displaying the scrollbar at the right end, `2` for the top, and `3` to position it at the bottom.
 
 ### scr.utf8: `bool`
 

src/disassembling/rzil.md

@@ -0,0 +1,178 @@
+# RzIL
+
+RzIL is the new intermediate language in Rizin, primarily intended for representing the semantics of machine code. It is designed as a clone of BAP's [Core Theory](http://binaryanalysisplatform.github.io/bap/api/master/bap-core-theory/Bap_core_theory/), with minor deviations where necessary; it is worth noting that in practice, RzIL is very similar to the SMT representation with bitvectors and bitvector-indexed arrays as well as effects.
+
+More details related to the implementation can be found [here](https://github.com/rizinorg/rizin/blob/dev/doc/rzil.md).
+
+## IL statements
+
+Instructions can are internally represented as [IL statements](https://github.com/rizinorg/rizin/blob/dev/librz/include/rz_il/rz_il_opcodes.h); these statements are expressed as **s-expressions** (symbolic expression) which utilize LISP-like syntax as string format. 
+
+- `aoi` generates a **one-line** LISP-like syntax (JSON format is available via `aoj` command).
+- `aoip` generates a **prettified** LISP-like syntax
+
+Here an example using `aoip` (the *prettified* output) of two PowerPC instructions (`stwu` and `mflr`).
+
+```bash
+[0x10000488]> pd 2
+|           0x10000488      stwu  r1, -0x10(r1)
+|           0x1000048c      mflr  r0
+[0x10000488]> aoi?
+Usage: aoi[p]   # Print the RzIL of next N instructions
+| aoi [<n_instructions>]  # Print the RzIL of next N instructions
+| aoip [<n_instructions>] # Pretty print the RzIL of next N instructions
+[0x10000488]> aoip 2
+0x10000488
+(seq
+  (storew 0
+    (+
+      (var r1)
+      (let v
+        (bv 16 0xfff0)
+        (ite
+          (msb
+            (var v))
+          (cast 32
+            (msb
+              (var v))
+            (var v))
+          (cast 32
+            false
+            (var v)))))
+    (cast 32
+      false
+      (var r1)))
+  (set r1
+    (+
+      (var r1)
+      (let v
+        (bv 16 0xfff0)
+        (ite
+          (msb
+            (var v))
+          (cast 32
+            (msb
+              (var v))
+            (var v))
+          (cast 32
+            false
+            (var v)))))))
+0x1000048c
+(set r0
+  (cast 32
+    false
+    (var lr)))
+```
+
+The `plf` command allows to generate an in-line representation of the entire function in s-expressions.
+
+```bash
+[0x100002bc]> pdf @ sym.example
+/ sym.example();
+|           ; var int32_t var_1ch @ stack - 0x1c
+|           0x1000044c      stwu  r1, -0x10(r1)
+|           0x10000450      mflr  r0
+|           0x10000454      stw   r0, 0x14(r1)
+|           0x10000458      lwz   r0, 0x14(r1)
+|           0x1000045c      addi  r1, r1, 0x10
+|           0x10000460      mtlr  r0
+\           0x10000464      blr
+[0x100002bc]> plf @ sym.example
+0x1000044c (seq (storew 0 (+ (var r1) (let v (bv 16 0xfff0) (ite (msb (var v)) (cast 32 (msb (var v)) (var v)) (cast 32 false (var v))))) (cast 32 false (var r1))) (set r1 (+ (var r1) (let v (bv 16 0xfff0) (ite (msb (var v)) (cast 32 (msb (var v)) (var v)) (cast 32 false (var v)))))))
+0x10000450 (set r0 (cast 32 false (var lr)))
+0x10000454 (seq (storew 0 (+ (var r1) (let v (bv 16 0x14) (ite (msb (var v)) (cast 32 (msb (var v)) (var v)) (cast 32 false (var v))))) (cast 32 false (var r0))) empty)
+0x10000458 (seq (set r0 (let ea (+ (var r1) (let v (bv 16 0x14) (ite (msb (var v)) (cast 32 (msb (var v)) (var v)) (cast 32 false (var v))))) (let loadw (loadw 0 32 (var ea)) (cast 32 false (var loadw))))) empty)
+0x1000045c (seq (set a (var r1)) (set b (let v (bv 16 0x10) (ite (msb (var v)) (cast 32 (msb (var v)) (var v)) (cast 32 false (var v))))) empty (set r1 (+ (var a) (var b))) empty empty empty)
+0x10000460 (set lr (cast 32 false (var r0)))
+0x10000464 (seq (set CIA (bv 32 0x10000464)) empty empty (set NIA (& (bv 32 0xfffffffc) (var lr))) (jmp (var NIA)))
+[0x100002bc]> 
+```
+
+The same output of `aoi` can be obtained via `rz-asm` like this:
+
+```bash
+$ rz-asm -de -a ppc 7c0802a6
+mflr r0
+$ rz-asm -Ie -a ppc 7c0802a6
+(set r0 (cast 32 false (var lr)))
+```
+
+## Emulation
+
+Rizin enables instruction emulation by leveraging RzIL. The emulation can be used to record changes within the VM, like read and writes of registers and memory locations (`e io.buffers=true` is required for memory ops). The emulation is controlled via the `aez` commands.
+
+```bash
+[0x00000000]> aez?
+Usage: aez<isv?>   # RzIL Emulation
+| aezi                     # Initialize the RzIL Virtual Machine at the current offset
+| aezs [<n_times>]         # Step N instructions within the RzIL Virtual Machine
+| aezse[j] [<n_times>]     # Step N instructions within the RzIL VM and output VM changes (read &
+                             write)
+| aezsu <address>          # Step until PC equals given address
+| aezsue <address>         # Step until PC equals given address and output VM changes (read & write)
+| aezv[jqt] [<var_name> [<number>]] # Print or modify the current status of the RzIL Virtual Machine
+```
+
+Supported architectures can be inspected via the `La` command. If the architecture has an `I`, as in the example below, it supports RzIL.
+
+```bash
+_dAeI 32 64      ppc         BSD     Capstone PowerPC disassembler
+```
+
+Here is an example of emulation of a PowerPC binary printing a string via *printf*.
+
+In this example, `r9` contains the base address which is used to calculate the pointer to the string (stored in `r3`) used by 'reloc.printf'.
+
+```bash
+[0x1000049c]> pd 3
+|           0x1000049c      lis   r9, 0x1000
+|           0x100004a0      addi  r3, r9, 0x640
+|           0x100004a4      bl    reloc.printf
+```
+
+First we need to initialize the RzIL Virtual Machine at the current offset using `aezi`
+
+```bash
+[0x1000049c]> aezi?
+Usage: aezi   # Initialize the RzIL Virtual Machine at the current offset
+[0x1000049c]> aezi
+```
+
+Then we execute 2 instructions via `aezs` (quiet) or use `aezse` to see the actual changes within the RzIL VM.
+
+```bash
+[0x1000049c]> aezse?
+Usage: aezse[j] [<n_times>]   # Step N instructions within the RzIL VM and output VM changes (read & write)
+[0x1000049c]> aezse 2 # execute 2 instructions
+pc_write(old: 0x1000049c, new: 0x100004a0)
+var_write(name: r9, old: 0x0, new: 0x10000000)
+pc_write(old: 0x100004a0, new: 0x100004a4)
+var_write(name: r3, old: 0x0, new: 0x10000640)
+```
+
+It's possible to see (or modify) the values of the registers in the RzIL VM via `aezv`.
+
+```bash
+[0x1000049c]> # We can also print the content of the RzIL VM via 'aezv'
+[0x1000049c]> aezv?
+Usage: aezv[jqt] [<var_name> [<number>]]   # Print or modify the current status of the RzIL Virtual Machine
+[0x1000049c]> aezv r3
+ r3: 0x10000640
+[0x1000049c]> aezv r9
+ r9: 0x10000000
+```
+
+Now that we know that the string is situated at `0x10000640`, we can print it.
+
+```bash
+[0x1000049c]> # hexdump the content of address 0x10000640 with a buffer size of 0x20 bytes.
+[0x1000049c]> px @ 0x10000640 @! 0x20
+- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
+0x10000640  5369 6d70 6c65 2050 5043 2070 726f 6772  Simple PPC progr
+0x10000650  616d 2e00 0000 0000 ffff ffff ffff ffff  am..............
+[0x1000049c]>
+[0x1000049c]> # Decode and print the utf-8 string at address 0x10000640
+[0x1000049c]> ps @ 0x10000640
+Simple PPC program.
+[0x1000049c]>
+```

src/plugins/ioplugins.md

@@ -31,33 +31,33 @@ $ rizin =
 You can get a list of the rizin IO plugins by typing `rizin -L`:
 ```
 $ rizin -L
-rw_  ar       Open ar/lib files [ar|lib]://[file//path] (LGPL3)
-rw_  bfdbg    BrainFuck Debugger (bfdbg://path/to/file) (LGPL3)
-rwd  bochs    Attach to a BOCHS debugger (LGPL3)
-r_d  debug    Native debugger (dbg:///bin/ls dbg://1388 pidof:// waitfor://) (LGPL3) v0.2.0 pancake
-rw_  default  open local files using def_mmap:// (LGPL3)
-rwd  gdb      Attach to gdbserver, 'qemu -s', gdb://localhost:1234 (LGPL3)
-rw_  gprobe   open gprobe connection using gprobe:// (LGPL3)
-rw_  gzip     read/write gzipped files (LGPL3)
-rw_  http     http get (http://rada.re/) (LGPL3)
-rw_  ihex     Intel HEX file (ihex://eeproms.hex) (LGPL)
+rw_  ar       Open ar/lib files (LGPL3) ar://,lib:// xarkes
+rw_  bfdbg    Attach to brainfuck Debugger instance (LGPL3) bfdbg://
+rwd  bochs    Attach to a BOCHS debugger instance (LGPL3) bochs://
+r_d  debug    Attach to native debugger instance (LGPL3) dbg://,pidof://,waitfor:// v0.2.0 pancake
+rw_  default  Open local files (LGPL3) file://,nocache://
+rw_  dmp      Debug a Windows DMP file (LGPL3) dmp://
+rw_  fd       Local process filedescriptor IO (MIT) fd://
+rwd  gdb      Attach to gdbserver instance (LGPL3) gdb://
+rw_  gzip     Read/write gzipped files (LGPL3) gzip://
+rw_  http     Make http get requests (LGPL3) http://
+rw_  ihex     Open intel HEX file (LGPL) ihex://
 r__  mach     mach debug io (unsupported in this platform) (LGPL)
-rw_  malloc   memory allocation (malloc://1024 hex://cd8090) (LGPL3)
-rw_  mmap     open file using mmap:// (LGPL3)
-rw_  null     null-plugin (null://23) (LGPL3)
-rw_  procpid  /proc/pid/mem io (LGPL3)
-rwd  ptrace   ptrace and /proc/pid/mem (if available) io (LGPL3)
-rwd  qnx      Attach to QNX pdebug instance, qnx://host:1234 (LGPL3)
-rw_  rzk      kernel access API io (rzk://) (LGPL3)
-rw_  rz-pipe   rz-pipe io plugin (MIT)
-rw_  rzweb    rzweb io client (rzweb://cloud.rada.re/cmd/) (LGPL3)
-rw_  rap      rizin network protocol (rap://:port rap://host:port/file) (LGPL3)
-rw_  rbuf     RBuffer IO plugin: rbuf:// (LGPL)
-rw_  self     read memory from myself using 'self://' (LGPL3)
-rw_  shm      shared memory resources (shm://key) (LGPL3)
-rw_  sparse   sparse buffer allocation (sparse://1024 sparse://) (LGPL3)
-rw_  tcp      load files via TCP (listen or connect) (LGPL3)
-rwd  windbg   Attach to a KD debugger (windbg://socket) (LGPL3)
-rwd  winedbg  Wine-dbg io and debug.io plugin for rizin (MIT)
-rw_  zip      Open zip files [apk|ipa|zip|zipall]://[file//path] (BSD)
+rw_  malloc   Memory allocation plugin (LGPL3) malloc://,hex://
+rw_  null     Null plugin (LGPL3) null://
+rw_  procpid  Open /proc/[pid]/mem io (LGPL3) procpid://
+rwd  ptrace   Ptrace and /proc/pid/mem (if available) io plugin (LGPL3) ptrace://,attach://
+rwd  qnx      Attach to QNX pdebug instance (LGPL3) qnx://
+rw_  rap      Remote binary protocol plugin (MIT) rap://,raps://
+rw_  rzpipe   rzpipe io plugin (MIT) rzpipe://
+rw_  rzweb    rzweb io client plugin (LGPL3) rzweb://
+rw_  self     Read memory from self (LGPL3) self://
+rw_  shm      Shared memory resources plugin (MIT) shm://
+rw_  sparse   Sparse buffer allocation plugin (LGPL3) sparse://
+rw_  srec     Motorola S-record file format (LGPL-3) srec://
+rw_  tcp      Load files via TCP (listen or connect) (LGPL3) tcp://
+rw_  vfile    Virtual Files provided by RzBin Files (LGPL) vfile://
+rwd  winedbg  Wine-dbg io and debug.io plugin (MIT) winedbg://
+rwd  winkd    Attach to a KD debugger (LGPL3) winkd://
+rw_  zip      Open zip files (BSD) zip://,apk://,ipa://,jar://,zipall://,apkall://,ipaall://,jarall://
 ```

src/scripting/macros.md

@@ -1,12 +1,26 @@
 # Macros
 
-Apart from simple sequencing and looping, Rizin allows to write simple macros, using this construction:
+Rizin allows to write simple macros via command `(`; A macro is essentially a pre-recorded set of instructions that automates tasks.
+
+```
+[0x00000000]> (?
+Usage: ([*-?]   # Manage scripting macros
+| ([*]                     # List all defined macros
+| (-<macro-name>           # Remove a defined macro named <macro-name>
+| (<macro-name> [<macro-arg0> <macro-arg1> ...][; <cmds>])[([<macro-call-arg0> <macro-call-arg1> ...])] # Add a new macro <macro-name>
+| (<macro-name> [<macro-arg0> <macro-arg1> ...][; <cmds>])[([<macro-call-arg0> <macro-call-arg1> ...])] # Define a macro <macro-name> and call it with the arguments
+                                                                                                          <macro-call-args>
+| .(<macro-name> [<macro-call-arg0> <macro-call-arg1> ...]) # Call macro <macro-name> with the arguments <macro-call-args>
+| ..(<macro-name> [<macro-call-arg0> <macro-call-arg1> ...]) # Call macro <macro-name> multiple times with the arguments <macro-call-args>
+```
+
+Example of macro usage named `qwe`:
 
 ```
 [0x00404800]> (qwe; pd 4; ao)
 ```
 
-This will define a macro called 'qwe' which runs sequentially first 'pd 4' then 'ao'.
+This will define a macro called `qwe` which runs sequentially first `pd 4` then `ao`.
 Calling the macro using syntax `.(macro)` is simple:
 
 ```
@@ -38,11 +52,10 @@ To list available macros simply call `(*`:
 (qwe ; pd 4; ao)
 ```
 
-And if you want to remove some macro, just add '-' before the name:
+And if you want to remove some macro, just add `-` before the name:
 
 ```
-[0x00404800]> (-qwe)
-Macro 'qwe' removed.
+[0x00404800]> (-qwe
 [0x00404800]>
 ```
 
@@ -80,8 +93,17 @@ To run a macro multiple times with different arguments, a convenient way is to u
 
 # Aliases
 
-Rizin also offers aliases which might help you save time by quickly executing your most used commands.
-They are under `$?`.
+Rizin also offers aliases which might help you save time by quickly executing your most used commands; they are under the command `$?`.
+
+```
+[0x00000000]> $?
+Usage: $[*?]   # Alias commands and strings
+| $[alias[=cmd] [args...]] # List all defined aliases / Define alias (see %$? for help on $variables)
+| $*                     # List all the aliases as rizin commands in base64
+| $**                    # Same as above, but using plain text
+
+Detailed help for $[alias[=cmd] [args...]] is provided by $??.
+```
 
 The general usage of the feature is: `$alias=cmd`