/*
* Copyright (c) 2017 Trail of Bits, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <cstdio>
#include <cinttypes>
#define HAS_FEATURE_AVX 1
#define HAS_FEATURE_AVX512 0
#define ADDRESS_SIZE_BITS 64
#include <remill/Arch/X86/Runtime/State.h>
#include <mcsema/Arch/X86/Runtime/Registers.h>
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wformat"
// Size in bytes of the thread-local `__mcsema_stack` object emitted below (1 MiB).
static const size_t kStackSize = 1024UL * 1024UL;
// Emits assembly that rebuilds the hardware RFLAGS from the one-byte-per-flag
// `ArithFlags` fields of the `State` addressed by RDI, via PUSHFQ/POPFQ.
// Also stores the current x87 control word into `State::x87.fxsave.cwd`.
// The emitted code clobbers RDX and needs a valid, writable RSP.
static void PrintStoreFlags(FILE * out) {
  // One entry per arithmetic flag: where the flag byte lives in `State`, and
  // which RFLAGS bit it maps to.
  static const struct {
    size_t offset;   // byte offset of the flag within `State`
    unsigned shift;  // bit position of the flag in RFLAGS
  } kFlagBits[] = {
    {__builtin_offsetof(State, CF), 0},
    {__builtin_offsetof(State, PF), 2},
    {__builtin_offsetof(State, AF), 4},
    {__builtin_offsetof(State, ZF), 6},
    {__builtin_offsetof(State, SF), 7},
    {__builtin_offsetof(State, DF), 10},
    {__builtin_offsetof(State, OF), 11},
  };
  const size_t num_flags = sizeof kFlagBits / sizeof kFlagBits[0];

  // FPU control.
  fprintf(out, " fnstcw WORD PTR [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, x87.fxsave.cwd));

  // Push the live RFLAGS and clear every bit we are about to rebuild.
  // 0xcd5 is the OR of bits 0, 2, 4, 6, 7, 10 and 11 (CF PF AF ZF SF DF OF).
  fprintf(out, " pushfq\n");
  fprintf(out, " mov edx, 0xcd5\n");
  fprintf(out, " not rdx\n");
  fprintf(out, " and QWORD PTR [rsp], rdx\n");

  // For each flag: isolate the low bit of the flag byte, shift it into place,
  // and OR it into the saved RFLAGS image on the stack.
  for (size_t idx = 0; idx < num_flags; ++idx) {
    fprintf(out, " mov edx, 1\n");
    fprintf(out, " and dl, BYTE PTR [rdi + %" PRIuMAX "]\n", kFlagBits[idx].offset);
    fprintf(out, " shl edx, %u\n", kFlagBits[idx].shift);
    fprintf(out, " or QWORD PTR [rsp], rdx\n");
  }

  fprintf(out, " popfq\n");
}
// Emits assembly that snapshots the hardware RFLAGS into `State::rflag` and
// unpacks the individual arithmetic flags into the one-byte-per-flag
// `ArithFlags` fields of the `State` addressed by RDI.
// The emitted code clobbers RDX and needs a valid, writable RSP.
static void PrintLoadFlags(FILE * out) {
  // One entry per arithmetic flag: which RFLAGS bit it comes from, and where
  // the flag byte lives in `State`.
  static const struct {
    unsigned bit;    // bit position of the flag in RFLAGS
    size_t offset;   // byte offset of the flag within `State`
  } kFlagBits[] = {
    {0, __builtin_offsetof(State, CF)},
    {2, __builtin_offsetof(State, PF)},
    {4, __builtin_offsetof(State, AF)},
    {6, __builtin_offsetof(State, ZF)},
    {7, __builtin_offsetof(State, SF)},
    {10, __builtin_offsetof(State, DF)},
    {11, __builtin_offsetof(State, OF)},
  };
  const size_t num_flags = sizeof kFlagBits / sizeof kFlagBits[0];

  // FPU control.
  // NOTE(review): this loads the x87 control word from the pushed DX value
  // (`fldcw`) and then pops that same value into `State::x87.fxsave.cwd`,
  // whereas `PrintStoreFlags` uses `fnstcw`; confirm that `fldcw` (rather
  // than saving the live control word) is the intended direction here.
  fprintf(out, " push dx\n");
  fprintf(out, " fldcw WORD PTR [rsp]\n");
  fprintf(out, " pop WORD PTR [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, x87.fxsave.cwd));

  // Capture RFLAGS into RDX and persist the raw value.
  fprintf(out, " pushfq\n");
  fprintf(out, " pop rdx\n");
  fprintf(out, " mov [rdi + %" PRIuMAX "], rdx\n", __builtin_offsetof(State, rflag));

  // Zero the 16-byte `ArithFlags` struct as two QWORD stores.
  fprintf(out, " mov QWORD PTR [rdi + %" PRIuMAX "], 0\n", __builtin_offsetof(State, aflag));
  fprintf(out, " mov QWORD PTR [rdi + %" PRIuMAX "], 0\n", __builtin_offsetof(State, aflag) + 8);

  // `bt` copies the selected RDX bit into CF; `adc ..., 0` then adds that
  // carry to the zeroed flag byte, leaving 0 or 1 in it.
  for (size_t idx = 0; idx < num_flags; ++idx) {
    fprintf(out, " bt rdx, %u\n", kFlagBits[idx].bit);
    fprintf(out, " adc BYTE PTR [rdi + %" PRIuMAX "], 0\n", kFlagBits[idx].offset);
  }
}
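// Number of XMM registers saved/restored by the generated runtime.
enum { kNumXMM = 16 };

// Byte offsets of XMM0..XMM15 within `State`, indexed by register number.
static const size_t kXMMOffsets[kNumXMM] = {
  __builtin_offsetof(State, XMM0),
  __builtin_offsetof(State, XMM1),
  __builtin_offsetof(State, XMM2),
  __builtin_offsetof(State, XMM3),
  __builtin_offsetof(State, XMM4),
  __builtin_offsetof(State, XMM5),
  __builtin_offsetof(State, XMM6),
  __builtin_offsetof(State, XMM7),
  __builtin_offsetof(State, XMM8),
  __builtin_offsetof(State, XMM9),
  __builtin_offsetof(State, XMM10),
  __builtin_offsetof(State, XMM11),
  __builtin_offsetof(State, XMM12),
  __builtin_offsetof(State, XMM13),
  __builtin_offsetof(State, XMM14),
  __builtin_offsetof(State, XMM15),
};

// Emits `movntdq` stores of XMM0..XMM15 into the `State` addressed by RDI.
static void PrintSaveXMM(FILE *out) {
  for (unsigned i = 0; i < kNumXMM; ++i) {
    fprintf(out, " movntdq [rdi + %" PRIuMAX "], xmm%u\n", kXMMOffsets[i], i);
  }
}

// Emits `movntdqa` loads of XMM0..XMM15 from the `State` addressed by RDI.
static void PrintRestoreXMM(FILE *out) {
  for (unsigned i = 0; i < kNumXMM; ++i) {
    fprintf(out, " movntdqa xmm%u, [rdi + %" PRIuMAX "]\n", i, kXMMOffsets[i]);
  }
}

// Emits the two thread-local objects in `.tbss`: the register `State`
// (`__mcsema_reg_state`) and the lifted-code stack (`__mcsema_stack`).
static void PrintTlsObjects(FILE *out) {
  // Thread-local state structure, named by `__mcsema_reg_state`.
  fprintf(out, " .type __mcsema_reg_state,@object\n");
  fprintf(out, " .section .tbss,\"awT\",@nobits\n");
  fprintf(out, " .align 16\n");
  fprintf(out, "__mcsema_reg_state:\n");
  fprintf(out, " .zero %" PRIuMAX "\n", sizeof(State));
  fprintf(out, " .size __mcsema_reg_state, %" PRIuMAX "\n", sizeof(State));
  fprintf(out, "\n");

  // Thread-local stack structure, named by `__mcsema_stack`.
  fprintf(out, " .type __mcsema_stack,@object\n");
  fprintf(out, " .section .tbss,\"awT\",@nobits\n");
  fprintf(out, " .align 16\n");
  fprintf(out, "__mcsema_stack:\n");
  fprintf(out, " .zero %" PRIuMAX "\n", kStackSize); // 1 MiB.
  fprintf(out, " .size __mcsema_stack, %" PRIuMAX "\n", kStackSize);
  fprintf(out, "\n");
}

// Emits `__mcsema_attach_call`: saves the native register state into
// `__mcsema_reg_state`, switches onto the lifted stack and `ret`s into the
// lifted function whose address the caller left on the native stack.
static void PrintAttachCall(FILE *out) {
  // Implements `__mcsema_attach_call`. This goes from native state into lifted
  // code.
  fprintf(out, " .globl __mcsema_attach_call\n");
  fprintf(out, " .type __mcsema_attach_call,@function\n");
  fprintf(out, "__mcsema_attach_call:\n");
  fprintf(out, " .cfi_startproc\n");

  // Save off the first three args of the ABI.
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rsi\n", __builtin_offsetof(State, RSI));
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rdi\n", __builtin_offsetof(State, RDI));
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rdx\n", __builtin_offsetof(State, RDX));

  // On the stack:
  //   0  EA of the lifted function (from the CFG).
  //   8  Address of the lifted function (from the bitcode).
  //  16  Return address into native caller.

  // Set up the `FS` segment register so that TLS works :-)
  fprintf(out, " mov rsi, QWORD PTR fs:[0]\n");
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rsi\n", __builtin_offsetof(State, FS_BASE));

  // Get arg (rdi) to contain the State pointer.
  fprintf(out, " lea rdi, QWORD PTR [__mcsema_reg_state@TPOFF]\n");
  fprintf(out, " lea rdi, QWORD PTR [rsi + rdi]\n");

  // Get the program counter off of the stack.
  fprintf(out, " pop QWORD PTR [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RIP));

  // Remaining general purpose registers (RSI/RDI/RDX were saved above).
  fprintf(out, " mov [rdi + %" PRIuMAX "], rax\n", __builtin_offsetof(State, RAX));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rbx\n", __builtin_offsetof(State, RBX));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rcx\n", __builtin_offsetof(State, RCX));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rbp\n", __builtin_offsetof(State, RBP));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r8\n", __builtin_offsetof(State, R8));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r9\n", __builtin_offsetof(State, R9));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r10\n", __builtin_offsetof(State, R10));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r11\n", __builtin_offsetof(State, R11));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r12\n", __builtin_offsetof(State, R12));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r13\n", __builtin_offsetof(State, R13));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r14\n", __builtin_offsetof(State, R14));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r15\n", __builtin_offsetof(State, R15));

  PrintLoadFlags(out); // Note: Clobbers RDX.

  // XMM registers.
  PrintSaveXMM(out);

  // If `RSP` is null then we need to initialize it to our new stack.
  fprintf(out, " mov rdx, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RSP));
  fprintf(out, " cmp rdx, 0\n");
  fprintf(out, " jnz .Lhave_stack\n");
  fprintf(out, " lea r8, QWORD PTR [__mcsema_stack@TPOFF]\n");
  fprintf(out, " mov rsi, fs:[0];\n");
  // Leave 16 bytes of headroom at the top of the fresh stack for the two
  // slots written below.
  fprintf(out, " lea rdx, QWORD PTR [rsi + r8 + %" PRIuMAX "]\n", (kStackSize - 16));
  fprintf(out, ".Lhave_stack:\n");

  // Set up a return address so that when the lifted function returns, it will
  // go to `__mcsema_detach_ret`, which will return to native code.
  fprintf(out, " lea rax, [rip + __mcsema_detach_ret]\n");
  fprintf(out, " mov [rdx - 8], rax\n");

  // Put the address of the lifted function onto the lifted stack, so that we
  // can `RET` into the lifted function.
  fprintf(out, " pop QWORD PTR [rdx - 16]\n");

  // Swap onto the lifted stack. The native `RSP` is now where it should be.
  fprintf(out, " mov [rdi + %" PRIuMAX "], rsp\n", __builtin_offsetof(State, RSP));
  fprintf(out, " lea rsp, [rdx - 16]\n");

  // Set up arg2 as the program counter.
  fprintf(out, " mov rsi, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RIP));

  // Set up arg3 as the memory pointer, which is (for now?) a nullptr.
  fprintf(out, " xor rdx, rdx\n");

  // The address of the lifted function is at the top of the lifted stack
  // (written to `[rdx - 16]` above), with `__mcsema_detach_ret` just beyond
  // it, so this `ret` transfers into the lifted function.
  fprintf(out, " ret\n");
  fprintf(out, ".Lfunc_end1:\n");
  fprintf(out, " .size __mcsema_attach_call,.Lfunc_end1-__mcsema_attach_call\n");
  fprintf(out, " .cfi_endproc\n");
  fprintf(out, "\n");
}

// Emits `__mcsema_detach_ret`: restores the native register state from
// `__mcsema_reg_state`, swaps back onto the native stack and `ret`s to the
// native caller.
static void PrintDetachRet(FILE *out) {
  // Implements `__mcsema_detach_ret`. This goes from lifted code into native code.
  // The native code pointer is located at the native `[State::RSP - 8]`
  // address.
  fprintf(out, " .globl __mcsema_detach_ret\n");
  fprintf(out, " .type __mcsema_detach_ret,@function\n");
  fprintf(out, "__mcsema_detach_ret:\n");
  fprintf(out, " .cfi_startproc\n");

  // RAX holds the memory pointer, which is null.
  fprintf(out, " mov rdi, QWORD PTR fs:[0]\n");
  fprintf(out, " lea rax, QWORD PTR [__mcsema_reg_state@TPOFF]\n");
  fprintf(out, " lea rdi, QWORD PTR [rdi + rax]\n");

  // The lifted code emulated a ret, which incremented `rsp` by 8.
  // We "undo" that, then swap back to the native stack. When we swap, we
  // save into `State::RSP` where we are in the lifted stack, so that the
  // next attach can continue on where we left off.
  fprintf(out, " sub QWORD PTR [rdi + %" PRIuMAX "], 8\n", __builtin_offsetof(State, RSP));
  fprintf(out, " xchg [rdi + %" PRIuMAX "], rsp\n", __builtin_offsetof(State, RSP));

  PrintStoreFlags(out); // Clobbers RDX.

  // General purpose registers (RDI is restored last, below, since it still
  // addresses the `State`).
  fprintf(out, " mov rax, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RAX));
  fprintf(out, " mov rbx, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RBX));
  fprintf(out, " mov rcx, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RCX));
  fprintf(out, " mov rdx, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RDX));
  fprintf(out, " mov rsi, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RSI));
  fprintf(out, " mov rbp, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RBP));
  fprintf(out, " mov r8, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R8));
  fprintf(out, " mov r9, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R9));
  fprintf(out, " mov r10, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R10));
  fprintf(out, " mov r11, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R11));
  fprintf(out, " mov r12, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R12));
  fprintf(out, " mov r13, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R13));
  fprintf(out, " mov r14, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R14));
  fprintf(out, " mov r15, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R15));

  // XMM registers.
  PrintRestoreXMM(out);

  fprintf(out, " mov rdi, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RDI));
  fprintf(out, " ret\n");
  fprintf(out, ".Lfunc_end3:\n");
  fprintf(out, " .size __mcsema_detach_ret,.Lfunc_end3-__mcsema_detach_ret\n");
  fprintf(out, " .cfi_endproc\n");
  fprintf(out, "\n");
}

// Emits `__remill_jump` / `__remill_function_call`: stashes callee-saved
// registers on the lifted stack, arranges for the native callee to return
// into `__mcsema_attach_ret`, restores native registers and `ret`s to the
// target passed in RSI.
static void PrintFunctionCall(FILE *out) {
  // Implements `__remill_function_call`. This is a fully generic form of function
  // call detaching that is unaware of the ABI / calling convention of the target.
  fprintf(out, " .globl __remill_jump\n");
  fprintf(out, " .type __remill_jump,@function\n");
  fprintf(out, "__remill_jump:\n");
  fprintf(out, " .globl __remill_function_call\n");
  fprintf(out, " .type __remill_function_call,@function\n");
  fprintf(out, "__remill_function_call:\n");
  fprintf(out, ".Lfunc_begin5:\n");
  fprintf(out, " .cfi_startproc\n");

  // Stash the memory pointer. This is probably actually nothing. But for
  // generality, we will store and return it, as is expected by the prototype
  // of `__remill_function_call` (see remill/Arch/Runtime/Intrinsics.h).
  fprintf(out, " push rdx\n"); // Alignment.
  fprintf(out, " push rdx\n");

  // Stash the callee-saved registers (amd64 ABI). These registers need to
  // be restored later so that things are as they should be when we return
  // back onto the lifted stack.
  fprintf(out, " push rbx\n");
  fprintf(out, " push rbp\n");
  fprintf(out, " push r12\n");
  fprintf(out, " push r13\n");
  fprintf(out, " push r14\n");
  fprintf(out, " push r15\n");

  // Stash the return address stored on the native stack, then replace it
  // with the re-attach function.
  fprintf(out, " mov r15, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RSP));
  fprintf(out, " push QWORD PTR [r15]\n");
  fprintf(out, " lea r14, [rip + __mcsema_attach_ret]\n");
  fprintf(out, " mov QWORD PTR [r15], r14\n");

  // Emulate a push of the target address onto the native stack. We will
  // `ret` to the target later on.
  //
  // Note: The target address is passed as arg2 (pc) to `__remill_function_call`
  //       which is `RSI` in the AMD64 ABI.
  fprintf(out, " sub r15, 8\n");
  fprintf(out, " mov QWORD PTR [r15], rsi\n");

  // Swap off-stack, stash the lifted stack pointer.
  fprintf(out, " mov [rdi + %" PRIuMAX "], rsp\n", __builtin_offsetof(State, RSP));
  fprintf(out, " mov rsp, r15\n");

  PrintStoreFlags(out); // Clobbers RDX.

  // (Most) General purpose registers.
  fprintf(out, " mov rax, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RAX));
  fprintf(out, " mov rbx, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RBX));
  fprintf(out, " mov rcx, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RCX));
  fprintf(out, " mov rdx, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RDX));
  fprintf(out, " mov rsi, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RSI));
  fprintf(out, " mov rbp, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RBP));
  fprintf(out, " mov r8, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R8));
  fprintf(out, " mov r9, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R9));
  fprintf(out, " mov r10, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R10));
  fprintf(out, " mov r11, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R11));
  fprintf(out, " mov r12, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R12));
  fprintf(out, " mov r13, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R13));
  fprintf(out, " mov r14, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R14));
  fprintf(out, " mov r15, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, R15));

  // XMM registers.
  PrintRestoreXMM(out);

  // Swap out RDI.
  fprintf(out, " mov rdi, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RDI));

  // Code above put the native target address (passed in RSI on entry to
  // `__remill_function_call`) on the native stack, just below the return
  // address (which is now `__mcsema_attach_ret`), so we can `ret` and go to
  // our intended target.
  fprintf(out, ".Ltmp1000:\n");
  fprintf(out, " ret\n");
  fprintf(out, ".Lfunc_end5:\n");
  fprintf(out, " .size __remill_function_call,.Lfunc_end5-__remill_function_call\n");
  fprintf(out, " .cfi_endproc\n");
  fprintf(out, "\n");
}

// Emits `__mcsema_attach_ret`: re-enters lifted code after a native callee
// returns, saving native registers into `__mcsema_reg_state`, swapping back
// onto the lifted stack and popping the callee-saved registers stashed by
// `__remill_function_call`.
static void PrintAttachRet(FILE *out) {
  // Implements `__mcsema_attach_ret`. This goes from native state into lifted
  // code.
  fprintf(out, " .globl __mcsema_attach_ret\n");
  fprintf(out, " .type __mcsema_attach_ret,@function\n");
  fprintf(out, "__mcsema_attach_ret:\n");
  fprintf(out, " .cfi_startproc\n");

  // Copy RSI, then store the address of the reg state struct into RSI for
  // easier indexing later on. Also set up the `FS` segment register so that
  // TLS works :-)
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rdi\n", __builtin_offsetof(State, RDI));
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rsi\n", __builtin_offsetof(State, RSI));
  fprintf(out, " mov rdi, QWORD PTR fs:[0]\n");
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rdi\n", __builtin_offsetof(State, FS_BASE));
  fprintf(out, " lea rsi, [__mcsema_reg_state@TPOFF]\n");
  fprintf(out, " lea rdi, QWORD PTR [rsi + rdi]\n");

  // General purpose registers.
  fprintf(out, " mov [rdi + %" PRIuMAX "], rax\n", __builtin_offsetof(State, RAX));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rbx\n", __builtin_offsetof(State, RBX));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rcx\n", __builtin_offsetof(State, RCX));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rdx\n", __builtin_offsetof(State, RDX));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rbp\n", __builtin_offsetof(State, RBP));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r8\n", __builtin_offsetof(State, R8));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r9\n", __builtin_offsetof(State, R9));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r10\n", __builtin_offsetof(State, R10));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r11\n", __builtin_offsetof(State, R11));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r12\n", __builtin_offsetof(State, R12));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r13\n", __builtin_offsetof(State, R13));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r14\n", __builtin_offsetof(State, R14));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r15\n", __builtin_offsetof(State, R15));

  // Swap into the mcsema stack.
  fprintf(out, " xchg rsp, [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RSP));

  // XMM registers.
  PrintSaveXMM(out);

  PrintLoadFlags(out); // Note: Clobbers RDX.

  // On the mcsema stack:
  //   0  emulated return address.
  //   8  stashed r15
  //  16  stashed r14
  //  24  stashed r13
  //  32  stashed r12
  //  40  stashed rbp
  //  48  stashed rbx

  // Restore emulated return address.
  fprintf(out, " pop QWORD PTR [rdi + %" PRIuMAX "]\n", __builtin_offsetof(State, RIP));

  // Callee-saved registers.
  fprintf(out, " pop r15\n");
  fprintf(out, " pop r14\n");
  fprintf(out, " pop r13\n");
  fprintf(out, " pop r12\n");
  fprintf(out, " pop rbp\n");
  fprintf(out, " pop rbx\n");

  // Stashed memory pointer (for returning).
  fprintf(out, " pop rax\n"); // Alignment.
  fprintf(out, " pop rax\n");

  fprintf(out, " ret\n");
  fprintf(out, ".Lfunc_end2:\n");
  fprintf(out, " .size __mcsema_attach_ret,.Lfunc_end2-__mcsema_attach_ret\n");
  fprintf(out, " .cfi_endproc\n");
  fprintf(out, "\n");
}

// Emits `__mcsema_exception_ret`: records the native stack/base pointers
// handed over in RDI/RSI and saves the remaining native registers into
// `__mcsema_reg_state`.
static void PrintExceptionRet(FILE *out) {
  // Implements `__mcsema_exception_ret`. It gets called after the exception returns to the handler.
  // It sets the native stack and base pointers correctly after cleaning the stack. It also saves the native
  // registers state.
  // Arguments: RDI -> stack pointer
  //            RSI -> base pointer
  fprintf(out, " .globl __mcsema_exception_ret\n");
  fprintf(out, " .type __mcsema_exception_ret,@function\n");
  fprintf(out, "__mcsema_exception_ret:\n");
  fprintf(out, ".Lfunc_begin10:\n");
  fprintf(out, ".cfi_startproc\n");
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rdi\n", __builtin_offsetof(State, RDI));
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rsi\n", __builtin_offsetof(State, RSI));
  fprintf(out, " mov rdi, QWORD PTR fs:[0]\n");
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rdi\n", __builtin_offsetof(State, FS_BASE));
  fprintf(out, " lea rsi, [__mcsema_reg_state@TPOFF]\n");
  fprintf(out, " lea rdi, QWORD PTR [rsi + rdi]\n");

  // General purpose registers. RAX is not saved here: it is used as scratch
  // below to move the incoming stack/base pointers into `State`.
  fprintf(out, " mov [rdi + %" PRIuMAX "], rbx\n", __builtin_offsetof(State, RBX));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rcx\n", __builtin_offsetof(State, RCX));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rdx\n", __builtin_offsetof(State, RDX));

  // Sets the native stack and base pointers (from the RDI/RSI arguments
  // stashed above).
  fprintf(out, " mov rax, fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "]\n", __builtin_offsetof(State, RDI));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rax\n", __builtin_offsetof(State, RSP));
  fprintf(out, " add QWORD PTR [rdi + %" PRIuMAX "], 8\n", __builtin_offsetof(State, RSP));
  fprintf(out, " mov rax, fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "]\n", __builtin_offsetof(State, RSI));
  fprintf(out, " mov [rdi + %" PRIuMAX "], rax\n", __builtin_offsetof(State, RBP));

  fprintf(out, " mov [rdi + %" PRIuMAX "], r8\n", __builtin_offsetof(State, R8));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r9\n", __builtin_offsetof(State, R9));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r10\n", __builtin_offsetof(State, R10));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r11\n", __builtin_offsetof(State, R11));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r12\n", __builtin_offsetof(State, R12));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r13\n", __builtin_offsetof(State, R13));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r14\n", __builtin_offsetof(State, R14));
  fprintf(out, " mov [rdi + %" PRIuMAX "], r15\n", __builtin_offsetof(State, R15));

  // XMM registers.
  PrintSaveXMM(out);

  fprintf(out, " ret\n");
  fprintf(out, " ud2\n");
  fprintf(out, ".Lfunc_end10:\n");
  fprintf(out, " .size __mcsema_exception_ret,.Lfunc_end10-__mcsema_exception_ret\n");
  fprintf(out, " .cfi_endproc\n");
  fprintf(out, "\n");
}

// Emits the small accessors over `__mcsema_reg_state`:
// `__mcsema_get_stack_pointer`, `__mcsema_get_frame_pointer` and
// `__mcsema_get_type_index`.
static void PrintStateAccessors(FILE *out) {
  // Implements `__mcsema_get_stack_pointer`. Returns the stack pointer register.
  fprintf(out, " .globl __mcsema_get_stack_pointer\n");
  fprintf(out, " .type __mcsema_get_stack_pointer,@function\n");
  fprintf(out, "__mcsema_get_stack_pointer:\n");
  fprintf(out, " .cfi_startproc\n");
  fprintf(out, " mov rax, fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "]\n", __builtin_offsetof(State, RSP));
  fprintf(out, " ret\n");
  fprintf(out, ".Lfunc_end20:\n");
  fprintf(out, " .size __mcsema_get_stack_pointer,.Lfunc_end20-__mcsema_get_stack_pointer\n");
  fprintf(out, " .cfi_endproc\n");
  fprintf(out, "\n");

  // Implements `__mcsema_get_frame_pointer`. Returns the base pointer register.
  fprintf(out, " .globl __mcsema_get_frame_pointer\n");
  fprintf(out, " .type __mcsema_get_frame_pointer,@function\n");
  fprintf(out, "__mcsema_get_frame_pointer:\n");
  fprintf(out, " .cfi_startproc\n");
  fprintf(out, " mov rax, fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "]\n", __builtin_offsetof(State, RBP));
  fprintf(out, " ret\n");
  fprintf(out, ".Lfunc_end21:\n");
  fprintf(out, " .size __mcsema_get_frame_pointer,.Lfunc_end21-__mcsema_get_frame_pointer\n");
  fprintf(out, " .cfi_endproc\n");
  fprintf(out, "\n");

  // Implements `__mcsema_get_type_index`. Stashes RAX into `State::RAX` and
  // returns the value currently in RDX (presumably the type index left there
  // by the unwinder; confirm against the caller).
  fprintf(out, " .globl __mcsema_get_type_index\n");
  fprintf(out, " .type __mcsema_get_type_index,@function\n");
  fprintf(out, "__mcsema_get_type_index:\n");
  fprintf(out, " .cfi_startproc\n");
  fprintf(out, " mov fs:[__mcsema_reg_state@TPOFF + %" PRIuMAX "], rax\n", __builtin_offsetof(State, RAX));
  fprintf(out, " mov rax, rdx\n");
  fprintf(out, " ret\n");
  fprintf(out, ".Lfunc_end22:\n");
  fprintf(out, " .size __mcsema_get_type_index,.Lfunc_end22-__mcsema_get_type_index\n");
  fprintf(out, " .cfi_endproc\n");
  fprintf(out, "\n");
}

// Emits `__mcsema_debug_get_reg_state`, which returns the address of the
// calling thread's `__mcsema_reg_state`.
static void PrintDebugGetRegState(FILE *out) {
  // Implements `__mcsema_debug_get_reg_state`. This is useful when debugging in
  // gdb.
  fprintf(out, " .globl __mcsema_debug_get_reg_state\n");
  fprintf(out, " .type __mcsema_debug_get_reg_state,@function\n");
  fprintf(out, "__mcsema_debug_get_reg_state:\n");
  fprintf(out, " .cfi_startproc\n");
  fprintf(out, " mov rax, fs:[0]\n");
  fprintf(out, " lea rdx, [__mcsema_reg_state@TPOFF]\n");
  fprintf(out, " lea rax, [rax + rdx]\n");
  fprintf(out, " ret\n");
  fprintf(out, ".Lfunc_end6:\n");
  fprintf(out, " .size __mcsema_debug_get_reg_state,.Lfunc_end6-__mcsema_debug_get_reg_state\n");
  fprintf(out, " .cfi_endproc\n");
  fprintf(out, "\n");
}

// Emits the error intrinsics (`__remill_error`, `__remill_missing_block`,
// `__remill_function_return`), all aliased to a single `ud2` trap.
static void PrintErrorStubs(FILE *out) {
  // Error functions.
  fprintf(out, " .globl __remill_error\n");
  fprintf(out, " .type __remill_error,@function\n");
  fprintf(out, " .globl __remill_missing_block\n");
  fprintf(out, " .type __remill_missing_block,@function\n");
  fprintf(out, " .globl __remill_function_return\n");
  fprintf(out, " .type __remill_function_return,@function\n");
  fprintf(out, "__remill_error:\n");
  fprintf(out, "__remill_missing_block:\n");
  fprintf(out, "__remill_function_return:\n");
  fprintf(out, " ud2\n");
}

// Generates `runtime_64.S` (in the current working directory): the x86-64
// Linux attach/detach runtime that moves between native and lifted code via
// the thread-local `State`.
//
// Returns 0 on success, 1 if the output file could not be opened or a write
// error was detected (a partial file may then be left behind).
int main(void) {
  static const char kOutputPath[] = "runtime_64.S";

  FILE *out = fopen(kOutputPath, "w");
  if (!out) {
    // Previously an unwritable working directory crashed on a NULL `FILE *`.
    perror(kOutputPath);
    return 1;
  }

  fprintf(out, "/* Auto-generated file! Don't modify! */\n\n");
  fprintf(out, " .intel_syntax noprefix\n");
  fprintf(out, "\n");

  PrintTlsObjects(out);

  fprintf(out, " .text\n");
  fprintf(out, "\n");

  // Forward declarations.
  fprintf(out, " .globl __mcsema_detach_ret\n");
  fprintf(out, "\n");

  PrintAttachCall(out);
  PrintDetachRet(out);
  PrintFunctionCall(out);
  PrintAttachRet(out);
  PrintExceptionRet(out);
  PrintStateAccessors(out);
  PrintDebugGetRegState(out);
  PrintErrorStubs(out);

  // A failed write (e.g. disk full) must not yield a silently truncated
  // runtime; `fclose` also flushes, so its result is checked too.
  int rc = ferror(out) ? 1 : 0;
  if (fclose(out) != 0) {
    perror(kOutputPath);
    rc = 1;
  }
  return rc;
}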
#pragma clang diagnostic pop
// // Align the stack.
// fprintf(out, " push rsp\n");
// fprintf(out, " push QWORD PTR [rsp]\n");
// fprintf(out, " and rsp, -16\n");
// // Restore stack alignment
// fprintf(out, " pop rsp\n");