Question about Indirect Call with Specified Address #15

Open

Umiade opened this issue Nov 14, 2018 · 0 comments

Comments

Umiade commented Nov 14, 2018

Hello:
Since vmir is such an efficient interpreter for bitcode, I decided to fix it up for daily use (I work for Android/iOS code protection). After I fixed some functions in the linker, such as dlopen & dlsym, there seems to be a logic error in VMOP(JSR_R). Once I use dlopen & dlsym to get a function address and try to call it, the interpreter cannot call this indirect function using the specified address. I tried to fix this problem with the code below.

```c
VMOP(JSR_R)
vm_tracef(&F, "Calling indirect %s (%d)", vm_funcname(R32(0), iu), R32(0));
if (R32(0) >= VECTOR_LEN(&iu->iu_functions))
{
	/* function id is outside the function table */
	printf("[-] JSR_R out of length: 0x%08x\n", R32(0));
	vm_bad_function(iu, R32(0));
}

SET_CALLEE_FUNC(R32(0));
if (iu->iu_vm_funcs[R32(0)])
{
	/* bitcode function: run it in the interpreter */
	r = vm_exec(iu->iu_vm_funcs[R32(0)], rf + I[1], rf + I[2], &F);
	RESTORE_CURRENT_FRAME();
	if (r)
		return r;
}
else if (iu->iu_function_table[R32(0)])
{
	/* host (native) function registered in the function table */
	iu->iu_function_table[R32(0)](rf + I[2], rf + I[1], iu, hostmem);
	RESTORE_CURRENT_FRAME();
}
else if ((uintptr_t)((char *)iu->iu_mem + (int32_t)R32(0)) > 0x10000000) // bad, how to locate a func ptr
{
	// (rf + I[0]) func_addr
	const void *params = rf + I[1];
	/* read the argument slots one at a time: the order of evaluation of
	 * printf() arguments is unspecified, so they cannot be popped inline */
	void *a0 = vmir_vm_ptr(&params, iu);
	void *a1 = vmir_vm_ptr(&params, iu);
	void *a2 = vmir_vm_ptr(&params, iu);
	printf("\n----------[JSR_R] args: %p %p %p\n", a0, a1, a2);
	typedef int (*indirect_func)(int, ...);
	void *func_addr = (char *)iu->iu_mem + R32(0);
	(void)func_addr; /* not called yet, see TODO below */
	// TODO: args
}
else
{
	vm_bad_function(iu, R32(0));
}
```

I found that R32(0) is an address in vm_mem and rf + I[1] points to the params, but I cannot find a way to figure out how many params the indirect function uses. Any advice, please?
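An added example (not vmir's code and not the reporter's patch) of the table-indexed dispatch that keeps an indirect call like JSR_R bounds-checked: host functions such as dlsym() results are registered into a table and the guest only ever receives an index, and each host function decodes its own arguments from the argument frame, so the dispatcher never needs a parameter count. The names (vm_register_host, vm_jsr_r, call2_or, host_add) and the int32_t-slot argument convention are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a VM function table (not vmir's code): host functions
 * are registered here and the guest only ever sees an opaque table index,
 * never a raw host address it could point anywhere. */
typedef void (*host_fn)(void *ret, const void *args);
#define MAX_FUNCS 8
static host_fn g_funcs[MAX_FUNCS];
static uint32_t g_nfuncs;

/* Host functions decode their own arguments from the frame, so the dispatcher
 * never needs the parameter count. Assumed convention: int32_t slots. */
static void host_add(void *ret, const void *args) {
  int32_t a, b, r;
  memcpy(&a, args, 4);
  memcpy(&b, (const char *)args + 4, 4);
  r = a + b;
  memcpy(ret, &r, 4);
}

/* Register a host function (e.g. a dlsym() result) and return the index the
 * guest may use; -1 when the table is full. */
int vm_register_host(host_fn f) {
  if (!f || g_nfuncs >= MAX_FUNCS) return -1;
  g_funcs[g_nfuncs] = f;
  return (int)g_nfuncs++;
}

/* JSR_R-style dispatch: the guest-supplied id is only ever a bounds-checked
 * index into the table. Returns 0 on success, -1 for a bad id. */
int vm_jsr_r(uint32_t id, void *ret, const void *args) {
  if (id >= g_nfuncs || !g_funcs[id]) return -1;
  g_funcs[id](ret, args);
  return 0;
}

/* Demo helper: call id with two int32 args; on_err if dispatch is refused. */
int32_t call2_or(uint32_t id, int32_t a, int32_t b, int32_t on_err) {
  int32_t frame[2] = { a, b }, r = 0;
  return vm_jsr_r(id, &r, frame) == 0 ? r : on_err;
}

int main(void) {
  uint32_t add = (uint32_t)vm_register_host(host_add);
  printf("2+3=%d, bad id -> %d\n", call2_or(add, 2, 3, -1),
         call2_or(0x7fffffffu, 2, 3, -1));
  return 0;
}
```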
