ARM64 supported

pinwhell · Jun 24, 2022 · be193a4 · be193a4
1 parent ece4373
commit be193a4
Show file tree

Hide file tree

Showing 5 changed files with 89 additions and 3 deletions.
diff --git a/LittleXrefs/src/CapstoneHelper.cpp b/LittleXrefs/src/CapstoneHelper.cpp
@@ -39,3 +39,21 @@ bool ArmCapstoneHelper::HeuristicReturn(cs_insn* pInst)
 
     return false;
 }
+
+uint16_t Arm64CapstoneHelper::GetLValueRegType(cs_insn* pInst)
+{
+    return pInst->detail->arm64.operands[0].reg;
+}
+
+uint16_t Arm64CapstoneHelper::GetRValueRegType(cs_insn* pInst)
+{
+    return pInst->detail->arm64.operands[1].reg;
+}
+
+bool Arm64CapstoneHelper::HeuristicReturn(cs_insn* pInst)
+{
+    if (pInst->id == ARM64_INS_RET)
+        return true;
+
+    return false;
+}
diff --git a/LittleXrefs/src/CapstoneHelper.h b/LittleXrefs/src/CapstoneHelper.h
@@ -12,3 +12,12 @@ class ArmCapstoneHelper{
 	static bool HeuristicReturn(cs_insn* pInst);
 };
 
+class Arm64CapstoneHelper {
+public:
+	static uint16_t GetLValueRegType(cs_insn* pInst);
+	static uint16_t GetRValueRegType(cs_insn* pInst);
+	static bool RegisterPresent(cs_insn* pInst, uint16_t reg);
+	static bool HeuristicReturn(cs_insn* pInst);
+};
+
+
diff --git a/LittleXrefs/src/IReferenceEngine.cpp b/LittleXrefs/src/IReferenceEngine.cpp
@@ -110,5 +110,64 @@ Arm64ReferenceEngine::Arm64ReferenceEngine(csh CapstoneDisasm)
 
 void Arm64ReferenceEngine::FindRefereces(Function* pFunc, cs_insn* pStart, cs_insn* pEnd, uint16_t trackReg, uint64_t offset, FunctionReferenceList& outRefsLists)
 {
+	for (cs_insn* pCurrInst = pStart; pCurrInst < pEnd; pCurrInst++)
+	{
+		if (Arm64CapstoneHelper::HeuristicReturn(pCurrInst)) break;
+
+		switch (pCurrInst->id)
+		{
+
+		case ARM64_INS_LDR:
+		case ARM64_INS_LDRB:
+		{
+			uint16_t lreg = Arm64CapstoneHelper::GetLValueRegType(pCurrInst);
+			uint16_t rreg = Arm64CapstoneHelper::GetRValueRegType(pCurrInst);
+
+			if (trackReg == rreg)
+			{
+				uintptr_t disp = pCurrInst->detail->arm64.operands[1].mem.disp;
+
+				if (disp == offset) // LDR? R?, [trackReg, #?? == offset?]
+					outRefsLists.AddReference(pFunc, pCurrInst, 'r');
+
+			}
+			else if (lreg == trackReg) goto END_FIND;	// Register that contained instance of offset was overriden, 
+								 // no more work to do
+			break;
+		}
+
+		case ARM64_INS_STR:
+		case ARM64_INS_STRB:
+		{
+			uint16_t rreg = Arm64CapstoneHelper::GetRValueRegType(pCurrInst);
+
+			if (trackReg == rreg)
+			{
+				uintptr_t disp = pCurrInst->detail->arm64.operands[1].mem.disp;
+
+				if (disp == offset) // LDR? X?, [trackReg, #?? == offset?]
+					outRefsLists.AddReference(pFunc, pCurrInst, 'w');
 
+			}
+
+			break;
+		}
+
+		case ARM64_INS_MOV:
+		{
+			uint16_t lreg = Arm64CapstoneHelper::GetLValueRegType(pCurrInst);
+			uint16_t rreg = Arm64CapstoneHelper::GetRValueRegType(pCurrInst);
+
+			if (trackReg == rreg) FindRefereces(pFunc, pCurrInst + 1, pEnd, lreg, offset, outRefsLists);
+			else if (lreg == trackReg) goto END_FIND;	// Again Register that contained instance of offset was overriden, 
+														// no more work to do
+
+			break;
+		}
+
+
+		}
+	}
+END_FIND:
+	return;
 }
diff --git a/LittleXrefs/src/LittleXrefs.cpp b/LittleXrefs/src/LittleXrefs.cpp
@@ -30,8 +30,8 @@ bool LX::LittleXrefs::LoadFiles()
 	if (!Utils::get_assembly_path(assemblyFilePath) || !Utils::get_script_path(scriptDumpFilePath))
 		return false;
 #else 
-	assemblyFilePath = L"samples/libil2cpp.so";
-	scriptDumpFilePath = L"samples/script.json";
+	assemblyFilePath = L"libil2cpp.so";
+	scriptDumpFilePath = L"script.json";
 #endif
 
 

diff --git a/LittleXrefs/src/LittleXrefs.h b/LittleXrefs/src/LittleXrefs.h
@@ -3,7 +3,7 @@
 #include <json\json.h>
 #include <fstream>
 
-#define ASK_FILES
+//#define ASK_FILES
 
 namespace LX{