Merge pull request QBDI#241 from QBDI/Fix_arm_mov_pc

[ARM] support 'mov pc, lr'
losenineai · Aug 3, 2023 · 8fe7559 · 8fe7559
2 parents 99e7083 + 824309f
commit 8fe7559
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 11 deletions.
diff --git a/src/Patch/ARM/PatchGenerator_ARM.cpp b/src/Patch/ARM/PatchGenerator_ARM.cpp
@@ -185,6 +185,7 @@ WritePC::generate(const Patch &patch, TempManager &temp_manager) const {
     case llvm::ARM::MOVi16:
     case llvm::ARM::MOVi:
     case llvm::ARM::MOVr:
+    case llvm::ARM::MOVPCLR:
     case llvm::ARM::MOVsi:
     case llvm::ARM::MVNi:
     case llvm::ARM::MVNr:
@@ -351,6 +352,7 @@ SetExchange::generate(const Patch &patch, TempManager &temp_manager) const {
     case llvm::ARM::MOVi16:
     case llvm::ARM::MOVi:
     case llvm::ARM::MOVr:
+    case llvm::ARM::MOVPCLR:
     case llvm::ARM::MOVsi:
     case llvm::ARM::MVNi:
     case llvm::ARM::MVNr:

diff --git a/src/Patch/ARM/PatchRuleAssembly_ARM.cpp b/src/Patch/ARM/PatchRuleAssembly_ARM.cpp
@@ -119,28 +119,33 @@ std::vector<PatchRule> getARMPatchRules(Options opts) {
   // Warning: All instructions can be conditionnal, Each patchRule must keep the
   // conditionnal behavior
 
-  /* Rule #0: BX lr without condition
+  /* Rule #0: BX lr | mov pc, lr without condition
    *
    *  str lr, <offset PC>
    *  setExchange
    */
-  rules.emplace_back(
-      And::unique(conv_unique<PatchCondition>(OpIs::unique(llvm::ARM::BX_RET),
-                                              Not::unique(HasCond::unique()))),
-      conv_unique<PatchGenerator>(
-          SaveReg::unique(Reg(REG_LR), Offset(Reg(REG_PC))),
-          SetExchange::unique(Temp(0))));
-
-  /* Rule #1: BX lr with condition
+  rules.emplace_back(And::unique(conv_unique<PatchCondition>(
+                         Or::unique(conv_unique<PatchCondition>(
+                             OpIs::unique(llvm::ARM::BX_RET),
+                             OpIs::unique(llvm::ARM::MOVPCLR))),
+                         Not::unique(HasCond::unique()))),
+                     conv_unique<PatchGenerator>(
+                         SaveReg::unique(Reg(REG_LR), Offset(Reg(REG_PC))),
+                         SetExchange::unique(Temp(0))));
+
+  /* Rule #1: BX lr | mov pc, lr with condition
    *
    *  mov temp0, <PC-4>
    *  movcc temp0, lr
    *  str temp0, <offset PC>
    *  setExchange
    */
   rules.emplace_back(
-      And::unique(conv_unique<PatchCondition>(OpIs::unique(llvm::ARM::BX_RET),
-                                              HasCond::unique())),
+      And::unique(
+          conv_unique<PatchCondition>(Or::unique(conv_unique<PatchCondition>(
+                                          OpIs::unique(llvm::ARM::BX_RET),
+                                          OpIs::unique(llvm::ARM::MOVPCLR))),
+                                      HasCond::unique())),
       conv_unique<PatchGenerator>(
           GetNextInstAddr::unique(Temp(0), /* keepCond */ false),
           CopyRegCC::unique(Temp(0), Reg(REG_LR)), WritePC::unique(Temp(0)),

diff --git a/test/Patch/ARM/ComparedExecutor_ARM.cpp b/test/Patch/ARM/ComparedExecutor_ARM.cpp
@@ -274,7 +274,11 @@ const char *StackTricks_s =
     "    adr r2, end\n"
     "    adr r3, f1\n"
     "    push {r0, r2}\n"
+    "    adr r12, f0\n"
+    "    blx r12\n"
     "    bx r3\n"
+    "f0:\n"
+    "    mov pc, lr\n"
     "f1:\n"
     "    ldr r0, [sp]\n"
     "    adr r2, f2\n"