#include <unistd.h>
#include <stdint.h>
extern uint8_t *probe_buf;
extern uint64_t cur_probe_space;
extern uint64_t signal_idx;
uint64_t try_decrypt(void);
__uint128_t aes_ctr(uint64_t ctr);
extern uint8_t *turing_tape;
extern uint8_t turing_state;
// Touch one slot of the probe buffer: issues a single 8-byte load from
// probe_buf[state * cur_probe_space] and throws the loaded value away (rax
// appears only as a clobber). The memory access itself is the only effect
// visible in this code; presumably a timing measurement elsewhere recovers
// `state` from which slot was touched -- TODO confirm against the reader side.
//
// This will be an int 0-255 typically. Nothing here bounds `state`, so a
// larger value indexes past whatever size probe_buf was allocated with (the
// allocation is not visible in this file).
//
// NOTE(review): `signal` is also the name of the ISO C library function
// declared in <signal.h>. Defining an external function with that name risks
// a conflicting declaration if that header is ever included, or a symbol
// clash when linking against libc; consider renaming it together with its
// callers.
inline void signal(uint64_t state) __attribute__((always_inline));
void signal(uint64_t state)
{
    // The "c" constraint pins the slot address to rcx, matching the
    // hard-coded (%rcx) operand in the template.
    asm volatile ("mov (%%rcx), %%rax" :: "c"(&probe_buf[state*cur_probe_space]) : "rax");
}
/*
 * Encode a 32-bit value as four probe-buffer loads, one per byte.
 *
 * Byte k of `state` (k = 0..3, least significant first) selects slot
 * (k << 8) | byte, so the four bytes land in four disjoint 256-slot banks
 * and slot indices range over 0x000-0x3FF. probe_buf therefore has to cover
 * at least 0x400 * cur_probe_space bytes; its allocation is not visible
 * here -- verify against the code that sets it up.
 *
 * The loaded values are discarded; every register the template writes is
 * listed as a clobber.
 */
void signal32(uint32_t state)
{
    const uint32_t slot0 = (state & 0xFF);
    const uint32_t slot1 = ((state >> 8) & 0xFF) | 0x100;
    const uint32_t slot2 = ((state >> 16) & 0xFF) | 0x200;
    const uint32_t slot3 = ((state >> 24) & 0xFF) | 0x300;

    /* Slot index times the per-slot spacing gives the byte offset. */
    const uint8_t *line0 = &probe_buf[slot0 * cur_probe_space];
    const uint8_t *line1 = &probe_buf[slot1 * cur_probe_space];
    const uint8_t *line2 = &probe_buf[slot2 * cur_probe_space];
    const uint8_t *line3 = &probe_buf[slot3 * cur_probe_space];

    asm volatile (
        "mov (%0), %%rax\n"
        "mov (%1), %%rbx\n"
        "mov (%2), %%rcx\n"
        "mov (%3), %%rdx\n"
        :
        : "r"(line0), "r"(line1), "r"(line2), "r"(line3)
        : "rax", "rbx", "rcx", "rdx");
}
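/*
 * Encode the low 40 bits of `state` as eight probe-buffer loads, one per
 * 5-bit group.
 *
 * Group k (k = 0..7, least significant first) selects slot (k << 5) | group,
 * so the eight groups land in eight disjoint 32-slot banks and slot indices
 * range over 0x00-0xFF. Bits 40 and above of `state` are ignored.
 *
 * The loaded values are discarded. Only rax, rbx, rcx and rdx are used as
 * scratch destinations, each of them twice: every register the template
 * writes must be in the clobber list, otherwise the compiler is free to
 * place one of the "r" address inputs in it and a later load would then
 * dereference an overwritten address. Eight address inputs plus eight
 * distinct scratch registers would not fit in the allocatable register set,
 * so the second group of four loads reuses the first four destinations.
 */
void signal40(uint64_t state)
{
    uint32_t a, b, c, d, e, f, g, h;

    a = (state & 0x1F);
    b = ((state >> 0x05) & 0x1F) | 0x20;
    c = ((state >> 0x0A) & 0x1F) | 0x40;
    d = ((state >> 0x0F) & 0x1F) | 0x60;
    e = ((state >> 0x14) & 0x1F) | 0x80;
    f = ((state >> 0x19) & 0x1F) | 0xA0;
    g = ((state >> 0x1E) & 0x1F) | 0xC0;
    h = ((state >> 0x23) & 0x1F) | 0xE0;

    asm volatile (
        "mov (%0), %%rax\n"
        "mov (%1), %%rbx\n"
        "mov (%2), %%rcx\n"
        "mov (%3), %%rdx\n"
        "mov (%4), %%rax\n"
        "mov (%5), %%rbx\n"
        "mov (%6), %%rcx\n"
        "mov (%7), %%rdx\n"
        :
        : "r"(&probe_buf[a*cur_probe_space]),
          "r"(&probe_buf[b*cur_probe_space]),
          "r"(&probe_buf[c*cur_probe_space]),
          "r"(&probe_buf[d*cur_probe_space]),
          "r"(&probe_buf[e*cur_probe_space]),
          "r"(&probe_buf[f*cur_probe_space]),
          "r"(&probe_buf[g*cur_probe_space]),
          "r"(&probe_buf[h*cur_probe_space])
        : "rax", "rbx", "rcx", "rdx");
}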
// Code under test, emitted into its own ".targetfn" section (see the
// attribute on the prototype). As written it performs exactly one
// probe-buffer touch, signal(0x11); every other statement is a disabled
// experiment variant kept as a comment.
//
// NOTE(review): signal() is declared always_inline, so the load is presumably
// meant to be emitted inside this section instead of a call out of it --
// confirm in the generated code. How the section is placed or copied at run
// time is not visible in this file.
void target_fn(void) __attribute__((section(".targetfn")));
void target_fn(void)
{
    // Disabled variant: read probe_buf / cur_probe_space through hard-coded
    // absolute addresses instead of the extern symbols.
    //  register uint8_t *pb = (uint8_t*)*((uint8_t**)0x480000);  // probe_buf
    //  register uint64_t cps = *((uint64_t*)0x480010);            // cur_probe_space
    //  asm volatile ("mov (%%rcx), %%rax" :: "c"(&pb[13*cps]) : "rax");
    //*/
    // Disabled variants: spin forever / dereference a null pointer.
    //while(1);
    //*(uint8_t*)(0);
    /*
    asm volatile("pop %%rbx\n" // From target_fn
    "pop %%r12\n" // From target_fn
    "pop %%rbp\n" // From target_fn
    "pop %%rbx\n" // From indirect_camellia
    "pop %%rbp\n" // From indirect_camellia
    "retq\n"
    :::);
    */
    // Active variant: touch probe slot 0x11.
    signal(0x11);
    // Disabled variants: other constants, the multi-slot encoders, and slots
    // derived from aes_ctr() output selected by signal_idx.
    // signal(0x23);
    // signal(0x37);
    // signal32(0xDEADBEEF);
    // signal40(0xDEADBEEF44);
    // __uint128_t register pt = aes_ctr(signal_idx / 16);
    // signal(pt >> ((signal_idx % 16)*8) & 0xff);
    // __uint128_t register pt = aes_ctr(signal_idx / 4);
    // signal32(pt >> ((signal_idx % 4)*32));
}
/*
 * Empty function emitted into the same ".targetfn" section as target_fn.
 * It has no body; presumably its address marks where the target_fn code
 * ends -- confirm against the code that reads the section.
 */
__attribute__((section(".targetfn"))) void end_target_fn(void);

void end_target_fn(void)
{
}