more content

Author: sha0coder

crates/libmwemu/src/emu/execution.rs

@@ -24,8 +24,7 @@ impl Emu {
 
     /// Call a 32bits function at addr, passing argument in an array of u64 but will cast to u32.
     /// The calling convention is stack, like winapi32.
-    pub fn call32(&mut self, addr: u64, args: &[u64]) -> Result<u32, MwemuError> {
-        //TODO: why this was u64?
+    pub fn call32(&mut self, addr: u64, args: &[u32]) -> Result<u32, MwemuError> {
         if addr == self.regs().get_eip() {
             if addr == 0 {
                 return Err(MwemuError::new(
@@ -37,7 +36,7 @@ impl Emu {
         }
         let orig_stack = self.regs().get_esp();
         for arg in args.iter().rev() {
-            self.stack_push32(*arg as u32);
+            self.stack_push32(*arg);
         }
         let ret_addr = self.regs().get_eip();
         self.stack_push32(ret_addr as u32);
@@ -47,9 +46,9 @@ impl Emu {
         Ok(self.regs().get_eax() as u32)
     }
 
-    /// Call a 64bits function at addr, passing argument in an array of u64.
-    /// The calling convention is registers rcx/rdx/48/r9 and then stack. Like windows64.
-    /// Dont use for linux64 syscall like convention, on those cases craft stack/register manually.
+    /// Call 64bits function at addr using Microsoft x64 ABI, passing argument in an array of u64.
+    /// The calling convention is registers rcx/rdx/r8/r9 and then stack. Like windows64.
+    /// Dont use for linux64 syscall like convention, for this is linux_call64()
     pub fn call64(&mut self, addr: u64, args: &[u64]) -> Result<u64, MwemuError> {
         if addr == self.regs().rip {
             if addr == 0 {
@@ -74,21 +73,109 @@ impl Emu {
         if n >= 4 {
             self.regs_mut().r9 = args[3];
         }
+
+        // stack pointer backup, for restoring when function returns.
         let orig_stack = self.regs().rsp;
+
+        // padding
+        let extra_args = if n > 4 { (n - 4) * 8 } else { 0 };
+        let total = extra_args + 32 + 8;
+        let padding = (16 - (self.regs().rsp as usize + total) % 16) % 16;
+        self.regs_mut().rsp -= padding as u64;
+
+        // shadow space (32bits)
+        for _ in 0..4 {
+            self.stack_push64(0);
+        }
+
+        // stack parameters
         if n > 4 {
             for arg in args.iter().skip(4).rev() {
                 self.stack_push64(*arg);
             }
         }
 
+        // return address
+        let ret_addr = self.regs().rip;
+        self.stack_push64(ret_addr);
+
+        // trigger function
+        self.regs_mut().rip = addr;
+
+        // emulate the function until return address is reached
+        self.run(Some(ret_addr))?;
+
+        // recover stack and  return rax
+        self.regs_mut().rsp = orig_stack;
+        Ok(self.regs().rax)
+    }
+
+
+    /// Call a 64bits function at addr, passing arguments in an array of u64.
+    /// The calling convention is registers RDI, RSI, RDX, RCX, R8, R9 and then stack. Like linux64.
+    pub fn linux_call64(&mut self, addr: u64, args: &[u64]) -> Result<u64, MwemuError> {
+        if addr == self.regs().rip {
+            if addr == 0 {
+                return Err(MwemuError::new(
+                    "return address reached after starting the call64, change rip.",
+                ));
+            } else {
+                self.regs_mut().rip = 0;
+            }
+        }
+
+        let n = args.len();
+        if n >= 1 {
+            self.regs_mut().rdi = args[0];
+        }
+        if n >= 2 {
+            self.regs_mut().rsi = args[1];
+        }
+        if n >= 3 {
+            self.regs_mut().rdx = args[2];
+        }
+        if n >= 4 {
+            self.regs_mut().rcx = args[3];
+        }
+        if n >= 5 {
+            self.regs_mut().r8 = args[4];
+        }
+        if n >= 6 {
+            self.regs_mut().r9 = args[5];
+        }
+
+        // stack pointer backup, for restoring when function returns.
+        let orig_stack = self.regs().rsp;
+
+        // padding
+        let extra_args = if n > 6 { (n - 6) * 8 } else { 0 };
+        let total = extra_args + 8;
+        let padding = (16 - (self.regs().rsp as usize + total) % 16) % 16;
+        self.regs_mut().rsp -= padding as u64;
+
+        // stack parameters
+        if n > 6 {
+            for arg in args.iter().skip(6).rev() {
+                self.stack_push64(*arg);
+            }
+        }
+
+        // return address
         let ret_addr = self.regs().rip;
         self.stack_push64(ret_addr);
+
+        // trigger function
         self.regs_mut().rip = addr;
+
+        // emulate the function until return address is reached
         self.run(Some(ret_addr))?;
+
+        // recover stack and  return rax
         self.regs_mut().rsp = orig_stack;
         Ok(self.regs().rax)
     }
 
+
     /// Start emulation until a ret instruction is found.
     /// It will return the address or MwemuError.
     #[inline]

crates/libmwemu/src/tests/call32.rs

@@ -0,0 +1,18 @@
+use crate::tests::helpers;
+use crate::*;
+
+#[test]
+// this tests a linux 64bits flags
+pub fn call32() {
+    helpers::setup();
+
+    let mut emu = emu32();
+    let opcodes: Vec<u8> = vec![
+        0x55, 0x48, 0x89, 0xe5, 0x89, 0x7d, 0xfc, 0x89,
+        0x75, 0xf8, 0x8b, 0x55, 0xfc, 0x8b, 0x45, 0xf8,
+        0x01, 0xd0, 0x5d, 0xc3,
+    ];
+E   emu.load_bytes(opcodes);  
+
+
+}

crates/libmwemu/src/tests/call64.rs

@@ -45,3 +45,6 @@ mod stress_shl2p_all;
 mod stress_shl2p_trigger;
 mod stress_shr2p_all;
 mod test_unified_step_and_run_methods;
+mod call32;
+mod call64;
+mod linux_call64;

crates/libmwemu/src/tests/linux_call64.rs

@@ -409,7 +409,7 @@ impl Emu {
     }
 
     /// call a 32bits function, internally pushes params in reverse order.
-    fn call32(&mut self, address: u64, params: Vec<u64>) -> PyResult<u32> {
+    fn call32(&mut self, address: u64, params: Vec<u32>) -> PyResult<u32> {
         match self.emu.call32(address, &params) {
             Ok(pc) => Ok(pc),
             Err(e) => Err(PyValueError::new_err(e.message)),