Assembly Instructions in inject.c Sample

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby bob969 » Mon Apr 04, 2016 6:20 pm

Jonathan:

I've been working through more examples from the class, and I found myself playing around with the inject code. I can get it working as is, but I wanted to take a closer look at it to get a better understanding. I'm getting stuck on the load/branch commands. Specifically, something like:

LDR X8, #3
BLR X8

Is the 3 an offset relative to some base address? It looks like you're just putting 3 into X8 and then calling 3... so I'm having a hard time understanding how that turns into the pthread_set_self call.

Thanks!
bob969
 
Posts: 8
Joined: Tue Mar 22, 2016 1:44 pm

Re: Assembly Instructions in inject.c Sample

Postby Siguza » Mon Apr 04, 2016 9:23 pm

Hi

I'm not J, and I'm not too familiar with ARM assembly, but taken from the Armv8 reference (page 23):

LDR Xt, addr
Load Register (extended): loads a doubleword from memory addressed by addr to Xt.

That would make #3 be treated as an address, or not?
I also remember loading literal values into a register requiring making use of some pseudo register... or am I remembering that wrong?
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: Assembly Instructions in inject.c Sample

Postby morpheus » Mon Apr 04, 2016 9:33 pm

The way ARM64 works, instructions are relative to PC. So when you say #3, that's 3 x 8 shifted from the current address. You can see this better with jtool - as you disassemble pretty much any ARM64, it will show you the LDR and where the value is loaded from. In the inject.c example, it points to where _PTHREADSS_ is (which is replaced by the part which patches the shellcode). Figure out the offset between the _PTHREADS_ and the LDR instruction, and you'll see it works out!

(sorry for the quick answer - just en route to somewhere and saw question so wanted to answer)
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
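As an added example, not code from the thread or from the inject.c sample: in the ARMv8-A encoding, `LDR Xt, <label>` (the literal form) is a PC-relative load whose 19-bit signed immediate counts 32-bit words from the address of the LDR itself, so the byte offset is imm19 * 4, and the register ends up holding whatever 64-bit value sits in that slot; that value is what the following `BLR X8` calls through. The C below encodes the two instructions from the question, decodes them back to their PC-relative target, and walks a constructed 20-byte stub whose literal slot holds a made-up callee pointer. The stub layout, the base address and the callee address are assumptions chosen for illustration, not the layout or addresses used by inject.c.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed example (not code from the original thread or from inject.c).
 * It shows how the literal operand of an ARM64 LDR (literal) becomes a
 * PC-relative load address, and how BLR then calls through that register. */

/* LDR Xt, <label> (64-bit literal form): base opcode 0x58000000.
 * Bits 23:5 hold imm19, a SIGNED offset in 32-bit words from the address of
 * the LDR itself; bits 4:0 hold Rt. Byte offset = imm19 * 4. */
#define LDR_LIT64_OPC  0x58000000u
#define LDR_LIT64_MASK 0xFF000000u
/* BLR Xn: base opcode 0xD63F0000, Rn in bits 9:5, everything else fixed. */
#define BLR_OPC  0xD63F0000u
#define BLR_MASK 0xFFFFFC1Fu
#define NOP_INSN 0xD503201Fu

static int32_t sext(uint32_t v, int bits) {          /* sign-extend a bits-wide field */
    uint32_t m = 1u << (bits - 1);
    return (int32_t)((v ^ m) - m);
}
static uint32_t rd32(const uint8_t *p) {             /* little-endian fetch, as AArch64 */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Assemble LDR Xt, <label> where the label is word_off 32-bit words away. */
uint32_t encode_ldr_lit64(unsigned rt, int32_t word_off) {
    return LDR_LIT64_OPC | (((uint32_t)word_off & 0x7FFFFu) << 5) | (rt & 0x1Fu);
}
uint32_t encode_blr(unsigned rn) { return BLR_OPC | ((rn & 0x1Fu) << 5); }

/* Decode an LDR (literal) sitting at address pc: fills Rt and the load address. */
int decode_ldr_lit64(uint32_t insn, uint64_t pc, unsigned *rt, uint64_t *target) {
    if ((insn & LDR_LIT64_MASK) != LDR_LIT64_OPC) return 0;
    int32_t imm19 = sext((insn >> 5) & 0x7FFFFu, 19);
    *rt = insn & 0x1Fu;
    *target = pc + (uint64_t)(int64_t)imm19 * 4;   /* wraps correctly for negative offsets */
    return 1;
}
/* Convenience: the load address of an LDR (literal) at pc, or 0 if it is not one. */
uint64_t ldr_target(uint32_t insn, uint64_t pc) {
    unsigned rt; uint64_t target;
    return decode_ldr_lit64(insn, pc, &rt, &target) ? target : 0;
}
int decode_blr(uint32_t insn, unsigned *rn) {
    if ((insn & BLR_MASK) != BLR_OPC) return 0;
    *rn = (insn >> 5) & 0x1Fu;
    return 1;
}

/* Constructed 20-byte stub (assumed layout, not inject.c's):
 *   +0  LDR X8, #+3 words   -> loads the 8 bytes at +12
 *   +4  BLR X8
 *   +8  NOP                  keeps the literal 8-byte aligned
 *   +12 .quad callee         the slot an injector would patch before writing the stub */
#define STUB_LEN 20
size_t build_stub(uint8_t *out, uint64_t callee) {
    wr32(out + 0, encode_ldr_lit64(8, 3));
    wr32(out + 4, encode_blr(8));
    wr32(out + 8, NOP_INSN);
    wr64(out + 12, callee);
    return STUB_LEN;
}

/* Walk the stub on paper: resolve the LDR target, check it lies inside the
 * buffer, read the pointer stored there and confirm BLR uses the same register.
 * Returns the callee pointer, or 0 if the stub does not have that shape. */
uint64_t resolve_callee(const uint8_t *code, size_t len, uint64_t base) {
    unsigned rt, rn; uint64_t target;
    if (len < 8 || !decode_ldr_lit64(rd32(code), base, &rt, &target)) return 0;
    if (!decode_blr(rd32(code + 4), &rn) || rn != rt) return 0;
    if (target < base || target - base + 8 > len) return 0;  /* literal must be inside the stub */
    return rd64(code + (target - base));
}

uint64_t demo(void) {
    uint8_t stub[STUB_LEN];
    build_stub(stub, 0x00000001800A5B00ULL);        /* made-up callee address */
    return resolve_callee(stub, sizeof stub, 0x100004000ULL);  /* made-up stub address */
}

int main(void) {
    printf("LDR X8,#3 -> 0x%08X  BLR X8 -> 0x%08X\n", encode_ldr_lit64(8, 3), encode_blr(8));
    printf("LDR at 0x100004000 loads from 0x%llx\n",
           (unsigned long long)ldr_target(encode_ldr_lit64(8, 3), 0x100004000ULL));
    printf("callee read from the literal slot: 0x%llx\n", (unsigned long long)demo());
    return 0;
}
```

The point to take from it: the `3` never reaches X8. It is folded into the LDR encoding as a word offset, the CPU adds 3 * 4 = 12 bytes to the LDR's own address, and X8 receives the 8-byte value stored there. Whoever writes the stub into the target only has to patch that slot with the real function address for `BLR X8` to land on it.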

Re: Assembly Instructions in inject.c Sample

Postby bob969 » Wed Apr 06, 2016 6:10 pm

Jonathan:

OK, I think I figured out what was confusing me. The offsets listed in the comments weren't quite right, but I managed to decode the instructions and the offsets there make sense to me.

Thanks for your help!
bob969
 
Posts: 8
Joined: Tue Mar 22, 2016 1:44 pm

