mirror/upx
1
0
Fork 0
mirror of https://github.com/upx/upx synced 2025-10-05 19:20:23 +08:00
Code Issues Releases Wiki Activity

amd64-darwin.dylib hacking

Browse Source 
modified:   stub/src/amd64-darwin.dylib-entry.S

	modified:   stub/amd64-darwin.dylib-entry.h
	modified:   stub/tmp/amd64-darwin.dylib-entry.bin.dump
This commit is contained in:
John Reiser 2017-05-17 21:36:40 -07:00
parent ce194fa5d8
commit d9e019bd87
3 changed files with 634 additions and 635 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1198
src/stub/amd64-darwin.dylib-entry.h
View File

File diff suppressed because it is too large Load Diff

42
src/stub/src/amd64-darwin.dylib-entry.S
View File

@ -46,9 +46,7 @@
section MACHMAINX section MACHMAINX
_start: .globl _start _start: .globl _start
L100: pause; jmp L100 // FIXME push %rax // space for &user_init_fn
int3 // FIXME
push $~0 // space for &user_init function
push %rdi; push %rsi; push %rdx; push %rcx; push %r8 // args push %rdi; push %rsi; push %rdx; push %rcx; push %r8 // args
push %rbp // callee-save registers push %rbp // callee-save registers
push %rbx push %rbx
@ -224,15 +222,16 @@ main:
pop %rbp # &escape pop %rbp # &escape
// Get temp pages for compressed __TEXT and this stub // Get temp pages for compressed __TEXT and this stub
lea -1*4 + _start - escape(%rbp),%rbx lea -4*4 + _start - escape(%rbp),%rsi
mov (%rbx),%eax; sub %rax,%rbx # our &Mach_header lodsl; xchg %eax,%edx # offset(user_init_fn)
mov -4*4 + _start - escape(%rbp),%edx # offset(user_init_fn) lodsl; xchg %eax,%ecx # offset(b_info)
lodsl # skip
mov (%rsi),%eax # #preceding bytes in file
sub %rax,%rsi; push %rsi; pop %rbx # our &Mach_header
add %rbx,%rdx; mov %rdx,7*8(%rsp) # reloc(user_init_fn) add %rbx,%rdx; mov %rdx,7*8(%rsp) # reloc(user_init_fn)
mov -3*4 + _start - escape(%rbp),%edx # offset(b_info) sub %ecx,%eax # omit Mach_headers from copy
sub %edx,%eax; add %rbx,%rdx add $4+dy_top,%eax; push %rax # P_02 length(tmppag)
sub $-4+ _start,%eax add %rbx,%rcx; push %rcx # P_01 &b_info
add $ dy_top,%eax; push %rax # P_02 length(tmppag)
push %rdx # P_01 &b_info
xchg %eax,%arg2l # length xchg %eax,%arg2l # length
xor %arg6,%arg6 # 0 offset xor %arg6,%arg6 # 0 offset
@ -257,17 +256,26 @@ main:
// Make temp pages executable, and go there // Make temp pages executable, and go there
pop %arg1 # P_03 src (tmppag) pop %arg1 # P_03 src (tmppag)
pop %arg2 # P_02 length(tmppag) pop %arg2 # P_02 length(tmppag)
push $PROT_READ|PROT_EXEC; pop %arg3
push %arg2 # P_02 length(tmppag) push %arg2 # P_02 length(tmppag)
push %arg1 # P_03 src(tmppag) push %arg1 # P_03 src(tmppag)
push %rcx # P_06 reloc(&b_info) push %rcx # P_06 reloc(&b_info)
push %rax # P_04 reloc(dy_top) push %rax # P_04 reloc(dy_top)
mov $SYS_mprotect,%eax; syscall; jc bad_mmap call mprot_RE
pop %rax # P_04 reloc(dy_top) pop %rax # P_04 reloc(dy_top)
add $dy_reloc - dy_top,%rax add $dy_reloc - dy_top,%rax
jmp *%rax jmp *%rax
mprot_RW:
push $PROT_READ|PROT_WRITE; jmp mprot
mprot_RE:
push $PROT_READ|PROT_EXEC
mprot:
mov $SYS_mprotect,%eax
mding:
pop %arg3
syscall; jc bad_mmap
ret
bad_mmap: bad_mmap:
hlt hlt
jmp bad_mmap jmp bad_mmap
@ -277,8 +285,7 @@ dy_reloc:
// Make __TEXT writeable // Make __TEXT writeable
push %rbx; pop %arg1 # our &Mach_header push %rbx; pop %arg1 # our &Mach_header
mov -2*4 + _start - escape(%rbp),%arg2l mov -2*4 + _start - escape(%rbp),%arg2l
push $PROT_READ|PROT_WRITE; pop %arg3 call mprot_RW
mov $SYS_mprotect,%eax; syscall; jc bad_mmap
pop %rsi # P_06 reloc(&b_info) pop %rsi # P_06 reloc(&b_info)
push %rbx; pop %rdi # our &Mach_header push %rbx; pop %rdi # our &Mach_header
@ -325,13 +332,12 @@ sz_Mach_header64 = 0x20
add $8+ 2*4 + sz_Mach_header64,%rbx # &segname[8] after "__TEXT\0\0" add $8+ 2*4 + sz_Mach_header64,%rbx # &segname[8] after "__TEXT\0\0"
mov %rax,(%rbx) mov %rax,(%rbx)
mov -2*4 + _start - decompress(%rbp),%arg2l mov -2*4 + _start - decompress(%rbp),%arg2l
push $PROT_READ|PROT_EXEC; pop %arg3 call mprot_RE
mov $SYS_mprotect,%eax; syscall; jc bad_mmap
pop %arg1 # P_03 tmppag pop %arg1 # P_03 tmppag
pop %arg2 # P_02 len(tmppag) pop %arg2 # P_02 len(tmppag)
mov $SYS_munmap,%eax mov $SYS_munmap,%eax
push %rbx; pop %rcx push %rbx; pop %rcx # &hatch
pop %rbx; pop %rbp // saved registers pop %rbx; pop %rbp // saved registers
pop %r8 pop %r8
jmp *%rcx jmp *%rcx

29
src/stub/tmp/amd64-darwin.dylib-entry.bin.dump
View File

@ -2,18 +2,18 @@ file format elf64-x86-64
Sections: Sections:
Idx Name Size VMA LMA File off Algn Flags Idx Name Size VMA LMA File off Algn Flags
0 MACHMAINX 00000023 0000000000000000 0000000000000000 00000040 2**0 CONTENTS, RELOC, READONLY 0 MACHMAINX 0000001d 0000000000000000 0000000000000000 00000040 2**0 CONTENTS, RELOC, READONLY
1 NRV_HEAD 00000066 0000000000000000 0000000000000000 00000063 2**0 CONTENTS, READONLY 1 NRV_HEAD 00000066 0000000000000000 0000000000000000 0000005d 2**0 CONTENTS, READONLY
2 NRV2E 000000b7 0000000000000000 0000000000000000 000000c9 2**0 CONTENTS, RELOC, READONLY 2 NRV2E 000000b7 0000000000000000 0000000000000000 000000c3 2**0 CONTENTS, RELOC, READONLY
3 NRV2D 0000009e 0000000000000000 0000000000000000 00000180 2**0 CONTENTS, RELOC, READONLY 3 NRV2D 0000009e 0000000000000000 0000000000000000 0000017a 2**0 CONTENTS, RELOC, READONLY
4 NRV2B 00000090 0000000000000000 0000000000000000 0000021e 2**0 CONTENTS, RELOC, READONLY 4 NRV2B 00000090 0000000000000000 0000000000000000 00000218 2**0 CONTENTS, RELOC, READONLY
5 LZMA_ELF00 00000064 0000000000000000 0000000000000000 000002ae 2**0 CONTENTS, RELOC, READONLY 5 LZMA_ELF00 00000064 0000000000000000 0000000000000000 000002a8 2**0 CONTENTS, RELOC, READONLY
6 LZMA_DEC10 000009f7 0000000000000000 0000000000000000 00000312 2**0 CONTENTS, READONLY 6 LZMA_DEC10 000009f7 0000000000000000 0000000000000000 0000030c 2**0 CONTENTS, READONLY
7 LZMA_DEC20 000009f7 0000000000000000 0000000000000000 00000d09 2**0 CONTENTS, READONLY 7 LZMA_DEC20 000009f7 0000000000000000 0000000000000000 00000d03 2**0 CONTENTS, READONLY
8 LZMA_DEC30 00000014 0000000000000000 0000000000000000 00001700 2**0 CONTENTS, READONLY 8 LZMA_DEC30 00000014 0000000000000000 0000000000000000 000016fa 2**0 CONTENTS, READONLY
9 NRV_TAIL 00000000 0000000000000000 0000000000000000 00001714 2**0 CONTENTS, READONLY 9 NRV_TAIL 00000000 0000000000000000 0000000000000000 0000170e 2**0 CONTENTS, READONLY
10 MACHMAINY 00000011 0000000000000000 0000000000000000 00001714 2**0 CONTENTS, READONLY 10 MACHMAINY 00000011 0000000000000000 0000000000000000 0000170e 2**0 CONTENTS, READONLY
11 MACHMAINZ 00000163 0000000000000000 0000000000000000 00001725 2**0 CONTENTS, RELOC, READONLY 11 MACHMAINZ 00000148 0000000000000000 0000000000000000 0000171f 2**0 CONTENTS, RELOC, READONLY
SYMBOL TABLE: SYMBOL TABLE:
0000000000000000 l d NRV_HEAD 0000000000000000 NRV_HEAD 0000000000000000 l d NRV_HEAD 0000000000000000 NRV_HEAD
0000000000000000 l d LZMA_DEC30 0000000000000000 LZMA_DEC30 0000000000000000 l d LZMA_DEC30 0000000000000000 LZMA_DEC30
@ -32,7 +32,7 @@ SYMBOL TABLE:
RELOCATION RECORDS FOR [MACHMAINX]: RELOCATION RECORDS FOR [MACHMAINX]:
OFFSET TYPE VALUE OFFSET TYPE VALUE
0000000000000010 R_X86_64_PC32 MACHMAINZ+0xfffffffffffffffc 000000000000000a R_X86_64_PC32 MACHMAINZ+0xfffffffffffffffc
RELOCATION RECORDS FOR [NRV2E]: RELOCATION RECORDS FOR [NRV2E]:
OFFSET TYPE VALUE OFFSET TYPE VALUE
@ -55,5 +55,4 @@ OFFSET TYPE VALUE
RELOCATION RECORDS FOR [MACHMAINZ]: RELOCATION RECORDS FOR [MACHMAINZ]:
OFFSET TYPE VALUE OFFSET TYPE VALUE
0000000000000027 R_X86_64_32 _start+0xfffffffffffffffc 000000000000001c R_X86_64_32 MACHMAINZ+0x000000000000014c
000000000000002c R_X86_64_32 MACHMAINZ+0x0000000000000163