Old 04-04-2022, 23:52
DavidXanatos DavidXanatos is offline
Yeah, seems not to be so bad after all, I went with an approach like this:

Code:
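    // Scan a 0x40-byte window of AArch64 code, 4 bytes (one instruction) at a time,
    // for the pair "adrp x8, <page>" immediately followed by "add x12, x8, #imm",
    // and resolve the address that pair computes.
    //
    // Contract (inferred from the reads below, confirm at the caller):
    //  - ptr must point at instruction-aligned code with at least 0x44 readable
    //    bytes, because the ADD read at ptr + 4 on the last iteration goes 4 bytes
    //    past the 0x40 window;
    //  - the match is deliberately strict (fixed registers x8/x12, exact opcode
    //    bits), so a different build of the scanned module can fall through the
    //    loop without a match - the code after the loop must treat that as
    //    "not found" rather than assume nt was set.
    // The bitfield layouts rely on LSB-first allocation within a 32-bit unit
    // (MSVC on little-endian); the order is implementation-defined in C, so
    // re-check if this is ever built with another compiler.
    for (i = 0; i < 0x40; i += 4, ptr += 4) {

        // ADRP encoding, bit 31 down to bit 0:
        //   op2(31)=1 | immLo(30:29) | op1(28:24)=10000 | immHi(23:5) | Rd(4:0)
        union {
            ULONG OP;
            struct {
                ULONG
                    Rd : 5,
                    immHi : 19,
                    op1 : 5,
                    immLo : 2,
                    op2 : 1;
            };
        } ADRP;

        // Instruction fetch; assumes ptr is 4-byte aligned code (a misaligned or
        // differently-typed ptr would make this cast UB).
        ADRP.OP = *(ULONG*)ptr;

        if (ADRP.op1 == 0b10000 && ADRP.op2 == 0b1 && ADRP.Rd == 8) // adrp x8, #0x575000
        {
            // ADD (immediate) encoding, bit 31 down to bit 0:
            //   sf(31) | op2(30)=0 | S(29)=0 | op1(28:24)=10001 | shift(23:22) |
            //   imm12(21:10) | Rn(9:5) | Rd(4:0)
            union {
                ULONG OP;
                struct {
                    ULONG
                        Rd : 5,
                        Rn : 5,
                        imm12 : 12,
                        shift : 2,
                        op1 : 5,
                        S : 1,
                        op2 : 1,
                        sf : 1;
                };
            } ADD;

            ADD.OP = *(ULONG*)(ptr + 4);

            // sf=1: 64-bit form; shift=0: unshifted imm12; Rn=x8 chains onto the ADRP result.
            if (ADD.sf == 0b1 && ADD.op2 == 0b0 && ADD.S == 0b0 && ADD.op1 == 0b10001 && ADD.shift == 0 && ADD.Rn == 8 && ADD.Rd == 12) // add  x12, x8, #0xf80
            {
                // ADRP's immediate is a SIGNED 21-bit page count (immHi:immLo),
                // i.e. a reach of +/-4 GiB once scaled by the 4 KiB page. Doing
                // the "<< 12" in a 32-bit ULONG and storing into a 32-bit LONG,
                // as the first version did, silently truncates any offset whose
                // magnitude is 2 GiB or more, so widen to 64 bits and
                // sign-extend from bit 20 before scaling.
                long long page = (long long)(((unsigned)ADRP.immHi << 2) | ADRP.immLo);
                if (page & 0x100000) {
                    page -= 0x200000;
                }
                // Multiply rather than shift: left-shifting a negative value is UB in C.
                long long delta = page * 0x1000 + (long long)ADD.imm12;

                // Note: ADRP clears the lower 12 bits of the PC
                // (mask is built in pointer width so it does not depend on int
                // sign-extension behaviour).
                nt = ((ULONG_PTR)ptr & ~(ULONG_PTR)0xFFF) + (ULONG_PTR)delta;

                return (void*)nt;
            }
        }
    }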