Refactor rel32 searching process for x64 to make it more similar to x86.

courgette/testdata/rel32_x64_03.txt

Index: courgette/testdata/rel32_x64_03.txt
diff --git a/courgette/testdata/rel32_win32_x86_03.txt b/courgette/testdata/rel32_x64_03.txt
similarity index 54%
copy from courgette/testdata/rel32_win32_x86_03.txt
copy to courgette/testdata/rel32_x64_03.txt
index 6403b103caa0e3728ef0b7e6c7619d80a67f8ebb..08cb037368616750ae9c8ea62293f81fba1094a4 100644
--- a/courgette/testdata/rel32_win32_x86_03.txt
+++ b/courgette/testdata/rel32_x64_03.txt
@@ -1,5 +1,7 @@
 # Test target validity: only accept target RVA in [1000, 3000).
 
+# Processor type
+x64
 # .text start RVA and end RVA
 1000
 3000
@@ -28,8 +30,23 @@ Program:
   00401039: E8 C2 3F 00 00     call        00405000  # Outside image
   0040103E: E8 BE 3F 00 00     call        00405001  # Outside image
   00401043: E8 88 88 88 88     call        88C898D0  # Far away
-  00401048: 5D                 pop         ebp
-  00401049: C3                 ret
+  00401048: FF 15 B1 EF FF FF  call        003FFFFF  # 1 byte before image

[huangs, 2016/05/30 18:14:48]

These are indirect, RIP-relative calls, i.e., load QWORD PTR at [rip+??], THEN
call the 64-address address.

00401048: FF 15 B1 EF FF FF  call        [rip-0000104F]  # 003FFFFF
                                                   # 1 byte before image
0040104E: FF 15 AC EF FF FF  call        [rip-00401054]  # 00400000
                                                   # In image

etc.

Same with jmp.

[etiennep, 2016/06/01 17:23:41]

Done.

+  0040104E: FF 15 AC EF FF FF  call        00400000  # In image
+  00401054: FF 15 A5 3F 00 00  call        00404FFF  # 1 byte before end
+  0040105A: FF 15 A0 3F 00 00  call        00405000  # Outside image
+  00401060: FF 15 6A 88 C8 88  call        88C898D0  # Far away
+  00401066: FF 25 93 EF FF FF  jmp         003FFFFF
+  0040106C: FF 25 8E EF FF FF  jmp         00400000
+  00401072: FF 25 87 3F 00 00  jmp         00404FFF
+  00401078: FF 25 82 3F 00 00  jmp         00405000
+  0040107E: 8D 05 7B EF FF FF  lea         eax,[rip-00001085]

[huangs, 2016/05/30 18:14:48]

I mentioned that "rip+..." should be used, but having the target address makes
it clearer, so have it in comments?

lea         eax,[rip-00001085]  # 003FFFFF
                        # 1 byte before image
lea         eax,[rip-0000108A]  # 00400000
                        # In image
lea         eax,[rip+00003F6F]  # 004FFFF0
                        # 1 byte before end
lea         eax,[rip+00003F6A]  # 00500000
                        # Outside image

[etiennep, 2016/06/01 17:23:41]

Done.

+                                                     # 1 byte before image
+  00401084: 8D 05 76 EF FF FF  lea         eax,[rip-0000108A] # In image
+  0040108A: 8D 05 6F 3F 00 00  lea         eax,[rip+00003F6F]
+                                                     # 1 byte before end
+  00401090: 8D 05 6A 3F 00 00  lea         eax,[rip+00003F6A] # Outside image
+  00401096: 5D                 pop         ebp
+  00401097: C3                 ret
 
 Abs32:
 
@@ -38,3 +55,9 @@ Expected:
 1015
 101F
 102A
+1050
+1056
+106E
+1074
+# 1086 Not yet detected.
+# 108C Not yet detected.