fix aarch64: mov, pushstr, pushstr_array

fixes: - #2160 - #2284
Gallopsled · Jan 3, 2024 · 15748d0 · 15748d0
1 parent 8b56039
commit 15748d0
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 7 deletions.
diff --git a/pwnlib/shellcraft/templates/aarch64/mov.asm b/pwnlib/shellcraft/templates/aarch64/mov.asm
@@ -80,14 +80,15 @@ xor        = None
 %if not isinstance(src, six.integer_types):
     mov  ${dst}, ${src}
 %else:
+  %if src & 0xffff == 0:
+    mov  ${dst}, xzr
+  %endif
   %if src == 0:
     mov  ${dst}, xzr
-  %elif src & 0xffff == 0:
-    eor  ${dst}, ${dst}, ${dst}
   %elif src & 0xffff == src:
     mov  ${dst}, #${src}
   %else:
-    /* Set ${dst} = ${src} = ${pretty(src)} */
+    /* Set ${dst} = ${src} = ${pretty(src, False)} */
     %if src & 0x000000000000ffff:
     mov  ${dst}, #${(src >> 0x00) & 0xffff}
     %endif

diff --git a/pwnlib/shellcraft/templates/aarch64/pushstr.asm b/pwnlib/shellcraft/templates/aarch64/pushstr.asm
@@ -37,6 +37,8 @@ if append_null and not string.endswith(b'\x00'):
     string += b'\x00'
 
 pretty_string = pretty or shellcraft.pretty(string)
+if len(pretty_string) > 1000:
+    pretty_string = pretty_string[:1000] + '...'
 
 while len(string) % 8:
     string += b'\x00'

diff --git a/pwnlib/shellcraft/templates/aarch64/pushstr_array.asm b/pwnlib/shellcraft/templates/aarch64/pushstr_array.asm
@@ -39,20 +39,33 @@ string = b''.join(array)
 # which seems like a safe maximum.
 if len(array) * 8 > 4095:
     raise Exception("Array size is too large (%i), max=4095" % len(array))
+
+need_fix_alligment = len(array) % 2 == 1
 %>\
     /* push argument array ${shellcraft.pretty(array, False)} */
     ${shellcraft.pushstr(string, register1=register1, register2=register2)}
 
     /* push null terminator */
-    ${shellcraft.mov(register1, 0)}
-    str ${register1}, [sp, #-8]!
+    ${shellcraft.mov(register2, 0)}
+    str ${register2}, [sp, #-16]!
 
     /* push pointers onto the stack */
 %for i, value in enumerate(reversed(array)):
-   ${shellcraft.mov(register1, (i+1)*8 + string.index(value))}
+   ${shellcraft.mov(register1, 8 + ((i+1)*8 + string.index(value)))}
    add ${register1}, sp, ${register1}
-   str ${register1}, [sp, #-8]! /* ${pretty(array[-i], False)} */
+ %if i % 2 == 0:
+   str ${register2}, [sp, #-16]!  /* allocate zeros */
+   str ${register1}, [sp, #8]!
+ %else:
+   sub sp, sp, #8
+   str ${register1}, [sp, #0]!
+ %endif
 %endfor
 
     /* set ${reg} to the current top of the stack */
     ${shellcraft.mov(reg,'sp')}
+
+  %if need_fix_alligment:
+    /* fix alligment */
+    sub sp, sp, #8
+  %endif