From b5253fa510abb050f3773da7bdfde88b6d97e19b Mon Sep 17 00:00:00 2001 From: Arusekk Date: Sun, 21 Jan 2024 04:58:30 +0100 Subject: [PATCH] shellcraft.amd64.mov: fix logic once again --- .../templates/aarch64/linux/syscall.asm | 8 ++--- pwnlib/shellcraft/templates/aarch64/mov.asm | 30 ++++++++++++------- pwnlib/shellcraft/templates/aarch64/push.asm | 6 ++-- .../shellcraft/templates/aarch64/setregs.asm | 4 +-- 4 files changed, 28 insertions(+), 20 deletions(-) diff --git a/pwnlib/shellcraft/templates/aarch64/linux/syscall.asm b/pwnlib/shellcraft/templates/aarch64/linux/syscall.asm index 9269bc1c7..9fceb1afd 100644 --- a/pwnlib/shellcraft/templates/aarch64/linux/syscall.asm +++ b/pwnlib/shellcraft/templates/aarch64/linux/syscall.asm @@ -13,11 +13,11 @@ Any of the arguments can be expressions to be evaluated by :func:`pwnlib.constan Example: - >>> print(shellcraft.aarch64.linux.syscall(11, 1, 'sp', 2, 0).rstrip()) - /* call syscall(0xb, 1, 'sp', 2, 0) */ - mov x0, #1 + >>> print(shellcraft.aarch64.linux.syscall(11, 9, 'sp', 8, 0).rstrip()) + /* call syscall(0xb, 9, 'sp', 8, 0) */ + mov x0, #9 mov x1, sp - mov x2, #2 + mov x2, #8 mov x3, xzr mov x8, #11 svc 0 diff --git a/pwnlib/shellcraft/templates/aarch64/mov.asm b/pwnlib/shellcraft/templates/aarch64/mov.asm index 524e11924..3dc595246 100644 --- a/pwnlib/shellcraft/templates/aarch64/mov.asm +++ b/pwnlib/shellcraft/templates/aarch64/mov.asm @@ -28,12 +28,12 @@ Examples: mov x0, x1 >>> print(shellcraft.mov('x0','0').rstrip()) mov x0, xzr - >>> print(shellcraft.mov('x0', 5).rstrip()) - mov x0, #5 - >>> print(shellcraft.mov('x0', 0x34532).rstrip()) - /* Set x0 = 214322 = 0x34532 */ + >>> print(shellcraft.mov('x0', 9).rstrip()) + mov x0, #9 + >>> print(shellcraft.mov('x0', 0x94532).rstrip()) + /* Set x0 = 607538 = 0x94532 */ mov x0, #17714 - movk x0, #3, lsl #16 + movk x0, #9, lsl #16 Args: dest (str): The destination register. 
@@ -78,22 +78,30 @@ if isinstance(src, six.integer_types): dst = 'x15' lobits = 15 - src = unpack(b''.join(words)) xor = unpack(b''.join(xor)) + if xor: + src = unpack(b''.join(words)) + +tmp = 'x14' +if dst == 'x14': + tmp = 'x15' +if dst == 'x15': + tmp = 'x12' %> %if not isinstance(src, six.integer_types): mov ${dst}, ${src} %else: - %if src & 0xffff == 0: + %if src == 0: mov ${dst}, xzr - %endif - %if src & 0xffff == src != 0: + %elif src & 0xffff == src: mov ${dst}, #${src} %else: /* Set ${dst} = ${src} = ${pretty(src, False)} */ %if src & 0x000000000000ffff: mov ${dst}, #${(src >> 0x00) & 0xffff} + %else: + mov ${dst}, xzr %endif %if src & 0x00000000ffff0000: movk ${dst}, #${(src >> 0x10) & 0xffff}, lsl #16 @@ -106,8 +114,8 @@ if isinstance(src, six.integer_types): %endif %endif %if xor: - ${SC.mov('x14', xor)} - eor ${dst}, ${dst}, x14 + ${SC.mov(tmp, xor)} + eor ${dst}, ${dst}, ${tmp} %endif %if mov_x15: ${SC.mov(mov_x15,'x15')} diff --git a/pwnlib/shellcraft/templates/aarch64/push.asm b/pwnlib/shellcraft/templates/aarch64/push.asm index b0c6ef73a..43b8323bb 100644 --- a/pwnlib/shellcraft/templates/aarch64/push.asm +++ b/pwnlib/shellcraft/templates/aarch64/push.asm @@ -28,9 +28,9 @@ Example: /* push 0 */ mov x14, xzr str x14, [sp, #-16]! - >>> print(pwnlib.shellcraft.push(1).rstrip()) - /* push 1 */ - mov x14, #1 + >>> print(pwnlib.shellcraft.push(9).rstrip()) + /* push 9 */ + mov x14, #9 str x14, [sp, #-16]! >>> print(pwnlib.shellcraft.push(256).rstrip()) /* push 0x100 */ diff --git a/pwnlib/shellcraft/templates/aarch64/setregs.asm b/pwnlib/shellcraft/templates/aarch64/setregs.asm index 78732bf34..aaaa08ff2 100644 --- a/pwnlib/shellcraft/templates/aarch64/setregs.asm +++ b/pwnlib/shellcraft/templates/aarch64/setregs.asm 
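Review bot: The scratch-register rule added at the top of this hunk (`tmp = 'x14'`, x15 when dst is x14, x12 when dst is x15) is the non-obvious core of the fix and carries no comment, and the enclosing `<% %>` block it sits in starts above the hunk. Reading it together with the -106 hunk below, `tmp` becomes the destination of a nested `SC.mov(tmp, xor)` that picks its own scratch by the same rule, so x12 rather than x14 appears to be chosen so that the nested call's scratch (x15 for a x14 destination) can never coincide with the outer destination; nothing in the code says so. I would add above `tmp = 'x14'`: `# scratch for the xor fixup: must differ from dst and from the scratch the nested SC.mov(tmp, xor) picks for itself (x15 when tmp is x14), else the fixup clobbers dst`. If a xor value can itself need a fixup (not visible here), a deeper nesting would reach x15 again, so that assumption is worth stating or asserting where xor is computed. Note also that the commit subject says shellcraft.amd64.mov while every file touched is under aarch64.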
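Review bot: The xor fixup path (`${SC.mov(tmp, xor)}` followed by `eor ${dst}, ${dst}, ${tmp}`) now clobbers whichever of x14, x15 or x12 was selected as `tmp`, and the template's docstring, whose `Args:` section in the earlier hunk lists only dest and src, does not tell callers that. For shellcode composition this matters: a caller that has already staged a value in x14 or x15 (for example through setregs, whose handling of this is not visible here) can have it silently overwritten when a later mov needs the fixup. I would add to the docstring: `Note: when src contains bytes that must be avoided, a scratch register is clobbered: x14, or x15 when dest is x14, or x12 when dest is x15.` The `%if mov_x15:` tail and the surrounding `%endif`s belong to control blocks that open outside this hunk.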
@@ -13,8 +13,8 @@ Args: Example: - >>> print(shellcraft.setregs({'x0':1, 'x2':'x3'}).rstrip()) - mov x0, #1 + >>> print(shellcraft.setregs({'x0':9, 'x2':'x3'}).rstrip()) + mov x0, #9 mov x2, x3 >>> print(shellcraft.setregs({'x0':'x1', 'x1':'x0', 'x2':'x3'}).rstrip()) mov x2, x3