
arm64-linux.shlib-init

modified:   p_lx_elf.cpp
	modified:   stub/src/arm64-linux.shlib-init.S

	modified:   stub/arm64-linux.shlib-init.h
	modified:   stub/tmp/arm64-linux.shlib-init.bin.dump
This commit is contained in:
John Reiser 2017-06-04 16:52:43 -07:00
parent d9e019bd87
commit 140a031515
4 changed files with 593 additions and 635 deletions


@ -2444,6 +2444,7 @@ PackLinuxElf64arm::canPack()
throwCantPack("first PT_LOAD.p_offset != 0; try '--force-execve'");
return false;
}
hatch_off = phdr->p_memsz;
break;
}
}
@ -2571,7 +2572,7 @@ PackLinuxElf64arm::canPack()
if ( sh_addr==va_gash
|| (sh_addr==va_hash && 0==va_gash) ) {
shdr= &shdri[get_te32(&shdr->sh_link)]; // the associated SHT_SYMTAB
hatch_off = (char *)&ehdri.e_ident[11] - (char *)&ehdri;
//hatch_off = (char *)&ehdri.e_ident[11] - (char *)&ehdri;
break;
}
}
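Review bot: `hatch_off = phdr->p_memsz;` places the escape hatch immediately past the end of the first PT_LOAD's memory image with no check that the hatch bytes still fall inside that segment's last mapped page; on arm64 the stub copies 24 bytes there (the `ldp`/`stp` plus an extra `ldr`/`str` in L620), so if `p_memsz` is page-aligned or another segment begins right after it the store would land outside the protected range. A guard before the assignment, something like `if ((phdr->p_memsz + hatch_len) > page_round_up(phdr->p_memsz)) throwCantPack("no room for escape hatch");`, with `hatch_len` sized per target, would make the failure explicit at pack time instead of at load time; the exact page-size helper to use is not visible here, so confirm against the rest of canPack. The second hunk leaves `//hatch_off = (char *)&ehdri.e_ident[11] - (char *)&ehdri;` as a commented-out line; deleting it is preferable to dead code, since the history is in git. Both hunks sit inside PackLinuxElf64arm::canPack, which starts and ends outside this view.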



@ -66,6 +66,7 @@ __ARM_NR_cacheflush = (1<<31) // FIXME
#define arg3 x2
#define arg4 x3
#define arg5 x4
#define arg6 x5
#define edi w0
#define esi w1
@ -93,19 +94,23 @@ __ARM_NR_cacheflush = (1<<31) // FIXME
#define bits w4
#define off w5
#define tmp1w w3
#define tmp1x x3
#define tmp2w w6
#define tmp2x x6
section ELFMAINX
// .long offset(.) // detect relocation
// .long offset(user DT_INIT)
// .long offset(escape_hatch)
// .long offset({p_info; b_info; compressed data})
// .long offset({l_info; p_info; b_info; compressed data})
_start: .globl _start
brk #0 // for debugging
PUSH3(x29,x30,x0)
PUSH4(arg4,arg5,x6,x7)
PUSH3(arg1,arg2,arg3)
// brk #0 // debugging
PUSH2(lr,x0) // x0= placeholder for user DT_INIT
PUSH4(arg1,arg2,arg3,fp)
mov fp,sp
o_uinit= (3+4+2)*8 // pc
o_uinit= 5*8 // pc
bl main // push &f_decompress
f_decompress:
@ -144,13 +149,6 @@ L71:
/* IDENTSTR goes here */
section ELFMAINZ
.macro push reg
str \reg,[sp,#-4]!
.endm
.macro pop reg
ldr \reg,[sp],#4
.endm
#define lodsl ldr eax,[rsi],#4
#define lodslu lodsl
@ -175,14 +173,14 @@ main:
add rsi,rdx,# _start - f_decompress - 4*4
mov rcx,rsi
lodsl; sub rcx,rcx,rax; //str ecx,[fp,#o_reloc]
lodsl; add rax,rcx,rax; str eax,[fp,#o_uinit] // reloc DT_INIT for step 12
lodsl; add rax,rcx,rax; push rax // reloc &hatch for step 10
o_hatch= -1*4
lodsl; add edi,ecx,eax // &l_info; also destination for decompress
add esi,edi,#sz_l_info + sz_p_info // &b_info
lodsl; add rax,rcx,rax; str rax,[fp,#o_uinit] // reloc DT_INIT for step 12
lodsl; add rax,rcx,rax; PUSH1(rax) // reloc &hatch for step 10
o_hatch= -2*8 // HOLE
lodsl; add rdi,rcx,rax // &l_info; also destination for decompress
add rsi,rdi,#sz_l_info + sz_p_info // &b_info
sub sp,sp,#2*4 // param space: munmap temp pages step 9
p_unmap= -3*4
sub sp,sp,#2*8 // param space: munmap temp pages step 9
p_unmap= -4*8
ldr eax,[rsi,#4]; add rsi,rsi,#3*4 // sz_cpr
add rsi,rsi,rax // skip unpack helper block
@ -190,13 +188,12 @@ p_unmap= -3*4
lodslu // eax=dstlen
lsl ecx,edi,# (32-PAGE_SHIFT)
lsr ecx,ecx,#2+(32-PAGE_SHIFT) // ecx= w_fragment
add eax,eax,ecx,lsl #2; push eax // params: mprotect restored pages step 8
sub edi,edi,ecx,lsl #2; push edi
p_mprot= -5*8
add eax,eax,ecx,lsl #2
sub rdi,rdi,rcx,lsl #2
PUSH2(rdi,rax) // params: mprotect restored pages step 8
p_mprot= -6*8
sub eax,eax,ecx,lsl #2 // dstlen
add edi,edi,ecx,lsl #2 // dst
push ecx // w_fragment
o_wfrag= -6*8
add rdi,rdi,rcx,lsl #2 // dst
bl L610
f_unfilter: // (char *ptr, uint len, uint cto, uint fid)
@ -225,39 +222,36 @@ unfret:
ret
L610:
push lr
o_unflt= -7*8
ldrb tmp,[rsi,#b_method-4+1]; push tmpx // ftid
ldrb tmp,[rsi,#b_method-4+2]; push tmpx // cto8
push rax // dstlen also for unfilter step 7
push rdi // dst param for unfilter step 7
p_unflt= -11*8
PUSH2(lr,rcx) // f_unf, w_frag
o_wfrag = -7*8
o_unflt= -8*8
ldrb tmp1w,[rsi,# b_method-4+1] // ftid
ldrb tmp2w,[rsi,# b_method-4+2] // cto8
PUSH4(rdi,rax,tmp2x,tmp1x) // dst, dstlen, cto8, ftid for unfilter step 7
p_unflt= -12*8
lodslu; mov ecx,eax // ecx= srclen
lodslu; push rax // method,filter,cto,junk
push rdx // &decompress
o_uncpr= -13*8
add tmpx,fp,#p_unflt+1*4; push tmpx // &dstlen
push rdi // dst
push rcx // srclen
push rsi // src; arglist ready for decompress step 6
p_uncpr= -17*8
lodslu
PUSH2(rdx,rax) // &decompress, {method,filter,cto,junk}
o_uncpr= -14*8
add tmpx,fp,#p_unflt+1*8
PUSH4(rsi,rcx,rdi,tmpx) // src,srclen,dst,&dstlen arglist ready for decompress step 6
p_uncpr= -18*8
and tmpx,rsi,#3 // length of prefix alignment
add rcx,rcx,#3 // allow suffix alignment
add rcx,rcx,tmpx // prefix increases byte length
ldr tmp,[fp,#o_wfrag]; add rdx,tmpx,rcx,lsr #2 // w_srclen + w_frag
ldr tmp,[fp,#o_uncpr]; bl wlen_subr
ldr tmp,[fp,#o_unflt]; bl wlen_subr
ldr tmpx,[fp,#o_uncpr]; bl wlen_subr
ldr tmpx,[fp,#o_unflt]; bl wlen_subr
bl L220
supervise:
// Allocate pages for result of decompressing.
// These replace the compressed source and the following hole.
mov arg6,#0
mov arg5,#-1 // cater to *BSD for fd of MAP_ANON
mov arg4,#MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED
mov arg3,#PROT_READ|PROT_WRITE
ldr arg2,[fp,#p_mprot+4] // dstlen
ldr arg2,[fp,#p_mprot+8] // dstlen
ldr arg1,[fp,#p_mprot ] // dst
mov x6,arg1 // required result
do_sys __NR_mmap64; cmp x0,x6; beq 0f; brk #0; 0:
@ -268,81 +262,63 @@ supervise:
ldr rsi,[fp,#p_unmap]
bl movsl
//p_uncpr
POP4(arg1,arg2,arg3,arg4)
POP1(rax)
blr rax // decompress
add sp,sp,#8 // toss arg5
bl L620
//hatch:
do_sys __NR_munmap
POP3(arg1,arg2,arg3)
POP4(rax,rcx,x6,x7)
POP3(fp,lr,x1)
br x1
do_sys __NR_munmap // 2 instr
POP4(arg1,arg2,arg3,fp) // 2 instr
POP2(lr,arg4) // 1 instr; arg4= user DT_INIT
br arg4
L620: // Implant escape hatch at end of .text
ldr eax,[fp,#o_hatch]
ldp arg1,arg2,[lr]
ldr rax,[fp,#o_hatch]
ldp arg1,arg2,[lr] // 4 instr
stp arg1,arg2,[rax]
ldr arg1,[lr,#2*8] // 2 instr
str arg1,[rax,#2*8]
//p_unflt
POP4(arg1,arg2,arg3,arg4)
POP2(rax,x12) // x12= w_fragment [toss]
POP1(rax) // f_unf
cbz arg4,0f // 0==ftid ==> no filter
blr rax // unfilter
0:
//p_mprot
ldr arg1,[sp,#0*4] // lo(dst)
ldr arg2,[sp,#1*4] // len
mov arg3,#0
add arg2,arg2,arg1 // hi(dst)
add arg2,arg2,#2*4 // len(hatch)
do_sys __ARM_NR_cacheflush
POP2(arg1,arg2)
mov arg3,#PROT_READ|PROT_EXEC
do_sys __NR_mprotect
//p_unmap
#if defined(ARMEL_EABI4) //{
// first part of do_sys7t __NR_munmap
.if __NR_munmap <= 0xff
mov r7,#__NR_munmap
.else
mov r7,#__NR_munmap>>16
lsl r7,r7,#16
add r7,r7,#__NR_munmap - ((__NR_munmap>>16)<<16)
.endif
#endif //}
POP3(arg1,arg2,lr)
br lr // togo hatch
br lr // goto hatch
movsl_subr:
ldr ecx,[rsi,#-4] // 'bl <over>' instruction word
bic ecx,ecx,#0xff<<24 // displacment field
add ecx,ecx,#1 // displ omits one word
// FALL THROUGH to the part of 'movsl' that trims to a multiple of 8 words.
// 7/8 of the time this is faster; 1/8 of the time it's slower.
9:
ldr tmp,[rsi],#4; sub ecx,ecx,#1
movsl: // rdi= 4-byte aligned dst; rsi= 4-byte aligned src; ecx= word count
tst ecx,#1; lsr ecx,ecx,#1; beq 5f
ldr tmp,[rsi],#4
str tmp,[rdi],#4
movsl: // rdi= 4-byte aligned dst; esi= 4-byte aligned src; ecx= word count
tst ecx,#7; bne 9b // work ecx down to multiple of 8
lsr ecx,ecx,#3; cbz ecx,9f
5:
cbz ecx,9f
7:
ldp x2,x3,[rsi],#2*8; subs ecx,ecx,#1
stp x2,x3,[rdi],#2*8; cbnz ecx,7b
ldp w2,w3,[rsi],#2*4; sub ecx,ecx,#1
stp w2,w3,[rdi],#2*4; cbnz ecx,7b
9:
ret
L220:
push lr // &supervise
o_super= -18*8
PUSH1(lr) // &supervise
o_super= -20*8 // HOLE
mov tmpx,lr; bl wlen_subr // wlen_supervise
lsl arg2,rdx,#2 // convert to bytes
// Allocate pages to hold temporary copy.
mov arg6,#0
mov arg5,#-1 // cater to *BSD for fd of MAP_ANON
mov arg4,#MAP_PRIVATE|MAP_ANONYMOUS
mov arg3,#PROT_READ|PROT_WRITE|PROT_EXEC
@ -351,21 +327,16 @@ o_super= -18*8
do_sys __NR_mmap64; cmn x0,#4096; bcc 0f; brk #0; 0:
str x0,[fp,#p_unmap+0*8] // address to unmap
ldr esi,[fp,#p_mprot]
ldr rsi,[fp,#p_mprot]
//mov edi,r0 // edi= dst NOP: edi==r0
ldr ecx,[fp,#o_wfrag] // w_fragment
bl movsl // copy the fragment
ldr esi,[fp,#p_uncpr+0*4] // src
ldr ecx,[fp,#p_uncpr+1*4] // len
and tmp,esi,#3 // length of prefix alignment
sub esi,esi,tmp // down to word aligned
add ecx,ecx,tmp // prefix increases byte length
add tmp,tmp,edi // skip prefix at destination
str tmp,[fp,#p_uncpr+0*4] // dst
add ecx,ecx,#7 // round up to full words
lsr ecx,ecx,#3
bl movsl // copy all aligned words that contain compressed data
ldr rsi,[fp,#p_uncpr] // src
ldr ecx,[fp,#p_uncpr+1*8] // len
str rdi,[fp,#p_uncpr]
add ecx,ecx,#3; lsr ecx,ecx,#2
bl movsl // copy compressed data
mov rdx,rdi // lo(dst) of copied code
@ -377,21 +348,15 @@ o_super= -18*8
str rdi,[fp,#o_unflt]
bl movsl_subr // copy unfilter
pop rsi // &supervise
push rdi // &copied
POP1(rsi) // &supervise
PUSH1(rdi) // &copied
bl movsl_subr // copy supervisor
mov arg2,rdi // hi(dst) of copied code
mov arg1,rdx // lo(dst) of copied code
mov arg3,#0
do_sys __ARM_NR_cacheflush
POP1(lr); br lr // goto copied supervisor
pop lr; br lr // goto copied supervisor
wlen_subr: // edx+= nwords of inline subr at *tmp
wlen_subr: // rdx+= nwords of inline subr at *tmp
ldr tmp,[tmpx,#-4] // 'bl <over>' instruction word
bic tmp,tmp,#0xff<<24 // displacment field
add tmp,tmp,#1 // displ omits one word
add rdx,rdx,tmpx
ret
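Review bot: In the L620 epilogue the cacheflush/mprotect parameters are still read with 32-bit slot math, `ldr arg1,[sp,#0*4]` and `ldr arg2,[sp,#1*4]`, although the same values are stored as two 8-byte slots by `PUSH2(rdi,rax)` and read elsewhere as `[fp,#p_mprot+8]`; these lines appear to be unchanged context, so the commit does not address them, and the second load straddles the dst/len slots. The hatch copied just above is 24 bytes (an `ldp`/`stp` pair plus a third word via `ldr arg1,[lr,#2*8]` / `str arg1,[rax,#2*8]`), yet the flush range is widened by only `add arg2,arg2,#2*4 // len(hatch)`, so the tail of the freshly written hatch may not be flushed before it is executed. I would change these three lines to `ldr arg1,[sp,#0*8] // lo(dst)`, `ldr arg2,[sp,#1*8] // len` and `add arg2,arg2,#6*4 // len(hatch): 6 instr`, and consider naming the hatch size once so L620, the flush and the packer side agree. Note that `supervise:` begins before the hunk that contains this code, and the remaining `#if defined(ARMEL_EABI4)` block that loads `r7` is 32-bit leftover that cannot assemble here if the macro is ever defined.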


@ -2,18 +2,18 @@ file format elf64-littleaarch64
Sections:
Idx Name Size VMA LMA File off Algn Flags
0 ELFMAINX 00000024 0000000000000000 0000000000000000 00000040 2**0 CONTENTS, RELOC, READONLY
1 NRV_HEAD 00000000 0000000000000000 0000000000000000 00000064 2**0 CONTENTS, READONLY
2 NRV_TAIL 00000000 0000000000000000 0000000000000000 00000064 2**0 CONTENTS, READONLY
3 NRV2E 00000128 0000000000000000 0000000000000000 00000064 2**0 CONTENTS, READONLY
4 NRV2D 0000011c 0000000000000000 0000000000000000 0000018c 2**0 CONTENTS, READONLY
5 NRV2B 000000f0 0000000000000000 0000000000000000 000002a8 2**0 CONTENTS, READONLY
6 LZMA_ELF00 000000d0 0000000000000000 0000000000000000 00000398 2**0 CONTENTS, RELOC, READONLY
7 LZMA_DEC20 00000968 0000000000000000 0000000000000000 00000468 2**0 CONTENTS, READONLY
8 LZMA_DEC10 0000049c 0000000000000000 0000000000000000 00000dd0 2**0 CONTENTS, READONLY
9 LZMA_DEC30 00000000 0000000000000000 0000000000000000 0000126c 2**0 CONTENTS, READONLY
10 ELFMAINY 0000003e 0000000000000000 0000000000000000 0000126c 2**0 CONTENTS, READONLY
11 ELFMAINZ 000002ec 0000000000000000 0000000000000000 000012aa 2**0 CONTENTS, READONLY
0 ELFMAINX 00000014 0000000000000000 0000000000000000 00000040 2**0 CONTENTS, RELOC, READONLY
1 NRV_HEAD 00000000 0000000000000000 0000000000000000 00000054 2**0 CONTENTS, READONLY
2 NRV_TAIL 00000000 0000000000000000 0000000000000000 00000054 2**0 CONTENTS, READONLY
3 NRV2E 00000128 0000000000000000 0000000000000000 00000054 2**0 CONTENTS, READONLY
4 NRV2D 0000011c 0000000000000000 0000000000000000 0000017c 2**0 CONTENTS, READONLY
5 NRV2B 000000f0 0000000000000000 0000000000000000 00000298 2**0 CONTENTS, READONLY
6 LZMA_ELF00 000000d0 0000000000000000 0000000000000000 00000388 2**0 CONTENTS, RELOC, READONLY
7 LZMA_DEC20 00000968 0000000000000000 0000000000000000 00000458 2**0 CONTENTS, READONLY
8 LZMA_DEC10 0000049c 0000000000000000 0000000000000000 00000dc0 2**0 CONTENTS, READONLY
9 LZMA_DEC30 00000000 0000000000000000 0000000000000000 0000125c 2**0 CONTENTS, READONLY
10 ELFMAINY 0000003e 0000000000000000 0000000000000000 0000125c 2**0 CONTENTS, READONLY
11 ELFMAINZ 0000027c 0000000000000000 0000000000000000 0000129a 2**0 CONTENTS, READONLY
SYMBOL TABLE:
0000000000000000 l d LZMA_DEC30 0000000000000000 LZMA_DEC30
0000000000000000 l d ELFMAINZ 0000000000000000 ELFMAINZ
@ -36,7 +36,7 @@ SYMBOL TABLE:
RELOCATION RECORDS FOR [ELFMAINX]:
OFFSET TYPE VALUE
0000000000000020 R_AARCH64_CALL26 ELFMAINZ
0000000000000010 R_AARCH64_CALL26 ELFMAINZ
RELOCATION RECORDS FOR [LZMA_ELF00]:
OFFSET TYPE VALUE