amd64-darwin.dylib hacking

modified: stub/src/amd64-darwin.dylib-entry.S modified: stub/amd64-darwin.dylib-entry.h modified: stub/tmp/amd64-darwin.dylib-entry.bin.dump
2025-09-28 19:06:07 +08:00 · 2017-05-17 21:36:40 -07:00 · 2017-05-17 21:36:40 -07:00 · d9e019bd87
commit d9e019bd87
parent ce194fa5d8
3 changed files with 634 additions and 635 deletions
--- a/src/stub/amd64-darwin.dylib-entry.h
+++ b/src/stub/amd64-darwin.dylib-entry.h
--- a/src/stub/src/amd64-darwin.dylib-entry.S
+++ b/src/stub/src/amd64-darwin.dylib-entry.S
@ -46,9 +46,7 @@

 section MACHMAINX
 _start: .globl _start
-L100: pause; jmp L100  // FIXME
-    int3  // FIXME
-        push $~0  // space for &user_init function
+        push %rax  // space for &user_init_fn
        push %rdi; push %rsi; push %rdx; push %rcx; push %r8  // args
        push %rbp  // callee-save registers
        push %rbx
@ -224,15 +222,16 @@ main:
        pop %rbp  # &escape

 // Get temp pages for compressed __TEXT and this stub
-        lea -1*4 + _start - escape(%rbp),%rbx
-        mov (%rbx),%eax; sub %rax,%rbx  # our &Mach_header
-        mov -4*4 + _start - escape(%rbp),%edx  # offset(user_init_fn)
+        lea -4*4 + _start - escape(%rbp),%rsi
+        lodsl; xchg %eax,%edx  # offset(user_init_fn)
+        lodsl; xchg %eax,%ecx  # offset(b_info)
+        lodsl  # skip
+        mov (%rsi),%eax  # #preceding bytes in file
+        sub %rax,%rsi; push %rsi; pop %rbx  # our &Mach_header
        add %rbx,%rdx; mov %rdx,7*8(%rsp)  # reloc(user_init_fn)
-        mov -3*4 + _start - escape(%rbp),%edx  # offset(b_info)
-        sub %edx,%eax; add %rbx,%rdx
-        sub $-4+ _start,%eax
-        add $    dy_top,%eax; push %rax  # P_02  length(tmppag)
-        push %rdx  # P_01  &b_info
+        sub %ecx,%eax  # omit Mach_headers from copy
+        add $4+dy_top,%eax; push %rax  # P_02  length(tmppag)
+        add %rbx,%rcx;      push %rcx  # P_01  &b_info
        xchg %eax,%arg2l  # length

        xor %arg6,%arg6  # 0  offset
@ -257,17 +256,26 @@ main:
 // Make temp pages executable, and go there
        pop %arg1  # P_03 src (tmppag)
        pop %arg2  # P_02 length(tmppag)
-        push $PROT_READ|PROT_EXEC; pop %arg3
        push %arg2  # P_02 length(tmppag)
        push %arg1  # P_03 src(tmppag)
        push %rcx  # P_06 reloc(&b_info)
        push %rax  # P_04  reloc(dy_top)
-        mov $SYS_mprotect,%eax; syscall; jc bad_mmap
+        call mprot_RE

        pop %rax  # P_04 reloc(dy_top)
        add $dy_reloc - dy_top,%rax
        jmp *%rax

+mprot_RW:
+        push $PROT_READ|PROT_WRITE; jmp mprot
+mprot_RE:
+        push $PROT_READ|PROT_EXEC
+mprot:
+        mov $SYS_mprotect,%eax
+mding:
+        pop %arg3
+        syscall; jc bad_mmap
+        ret
 bad_mmap:
        hlt
        jmp bad_mmap
@ -277,8 +285,7 @@ dy_reloc:
 // Make __TEXT writeable
        push %rbx; pop %arg1  # our &Mach_header
        mov -2*4 + _start - escape(%rbp),%arg2l
-        push $PROT_READ|PROT_WRITE; pop %arg3
-        mov $SYS_mprotect,%eax; syscall; jc bad_mmap
+        call mprot_RW

        pop %rsi  # P_06  reloc(&b_info)
        push %rbx; pop %rdi  # our &Mach_header
@ -325,13 +332,12 @@ sz_Mach_header64 = 0x20
          add $8+ 2*4 + sz_Mach_header64,%rbx  # &segname[8] after "__TEXT\0\0"
          mov %rax,(%rbx)
        mov -2*4 + _start - decompress(%rbp),%arg2l
-        push $PROT_READ|PROT_EXEC; pop %arg3
-        mov $SYS_mprotect,%eax; syscall; jc bad_mmap
+        call mprot_RE

        pop %arg1  # P_03 tmppag
        pop %arg2  # P_02 len(tmppag)
        mov $SYS_munmap,%eax
-        push %rbx; pop %rcx
+        push %rbx; pop %rcx  # &hatch
        pop %rbx; pop %rbp  // saved registers
        pop %r8
        jmp *%rcx
--- a/src/stub/tmp/amd64-darwin.dylib-entry.bin.dump
+++ b/src/stub/tmp/amd64-darwin.dylib-entry.bin.dump
@ -2,18 +2,18 @@ file format elf64-x86-64

 Sections:
 Idx Name          Size      VMA               LMA               File off  Algn  Flags
-  0 MACHMAINX     00000023  0000000000000000  0000000000000000  00000040  2**0  CONTENTS, RELOC, READONLY
-  1 NRV_HEAD      00000066  0000000000000000  0000000000000000  00000063  2**0  CONTENTS, READONLY
-  2 NRV2E         000000b7  0000000000000000  0000000000000000  000000c9  2**0  CONTENTS, RELOC, READONLY
-  3 NRV2D         0000009e  0000000000000000  0000000000000000  00000180  2**0  CONTENTS, RELOC, READONLY
-  4 NRV2B         00000090  0000000000000000  0000000000000000  0000021e  2**0  CONTENTS, RELOC, READONLY
-  5 LZMA_ELF00    00000064  0000000000000000  0000000000000000  000002ae  2**0  CONTENTS, RELOC, READONLY
-  6 LZMA_DEC10    000009f7  0000000000000000  0000000000000000  00000312  2**0  CONTENTS, READONLY
-  7 LZMA_DEC20    000009f7  0000000000000000  0000000000000000  00000d09  2**0  CONTENTS, READONLY
-  8 LZMA_DEC30    00000014  0000000000000000  0000000000000000  00001700  2**0  CONTENTS, READONLY
-  9 NRV_TAIL      00000000  0000000000000000  0000000000000000  00001714  2**0  CONTENTS, READONLY
- 10 MACHMAINY     00000011  0000000000000000  0000000000000000  00001714  2**0  CONTENTS, READONLY
- 11 MACHMAINZ     00000163  0000000000000000  0000000000000000  00001725  2**0  CONTENTS, RELOC, READONLY
+  0 MACHMAINX     0000001d  0000000000000000  0000000000000000  00000040  2**0  CONTENTS, RELOC, READONLY
+  1 NRV_HEAD      00000066  0000000000000000  0000000000000000  0000005d  2**0  CONTENTS, READONLY
+  2 NRV2E         000000b7  0000000000000000  0000000000000000  000000c3  2**0  CONTENTS, RELOC, READONLY
+  3 NRV2D         0000009e  0000000000000000  0000000000000000  0000017a  2**0  CONTENTS, RELOC, READONLY
+  4 NRV2B         00000090  0000000000000000  0000000000000000  00000218  2**0  CONTENTS, RELOC, READONLY
+  5 LZMA_ELF00    00000064  0000000000000000  0000000000000000  000002a8  2**0  CONTENTS, RELOC, READONLY
+  6 LZMA_DEC10    000009f7  0000000000000000  0000000000000000  0000030c  2**0  CONTENTS, READONLY
+  7 LZMA_DEC20    000009f7  0000000000000000  0000000000000000  00000d03  2**0  CONTENTS, READONLY
+  8 LZMA_DEC30    00000014  0000000000000000  0000000000000000  000016fa  2**0  CONTENTS, READONLY
+  9 NRV_TAIL      00000000  0000000000000000  0000000000000000  0000170e  2**0  CONTENTS, READONLY
+ 10 MACHMAINY     00000011  0000000000000000  0000000000000000  0000170e  2**0  CONTENTS, READONLY
+ 11 MACHMAINZ     00000148  0000000000000000  0000000000000000  0000171f  2**0  CONTENTS, RELOC, READONLY
 SYMBOL TABLE:
 0000000000000000 l    d  NRV_HEAD	0000000000000000 NRV_HEAD
 0000000000000000 l    d  LZMA_DEC30	0000000000000000 LZMA_DEC30
@ -32,7 +32,7 @@ SYMBOL TABLE:

 RELOCATION RECORDS FOR [MACHMAINX]:
 OFFSET           TYPE              VALUE
-0000000000000010 R_X86_64_PC32     MACHMAINZ+0xfffffffffffffffc
+000000000000000a R_X86_64_PC32     MACHMAINZ+0xfffffffffffffffc

 RELOCATION RECORDS FOR [NRV2E]:
 OFFSET           TYPE              VALUE
@ -55,5 +55,4 @@ OFFSET           TYPE              VALUE

 RELOCATION RECORDS FOR [MACHMAINZ]:
 OFFSET           TYPE              VALUE
-0000000000000027 R_X86_64_32       _start+0xfffffffffffffffc
-000000000000002c R_X86_64_32       MACHMAINZ+0x0000000000000163
+000000000000001c R_X86_64_32       MACHMAINZ+0x000000000000014c