Skip to content

Instantly share code, notes, and snippets.

@kgsws

kgsws/arbwrite.jop Secret

Created November 9, 2017 21:31
Show Gist options
  • Save kgsws/2f7722d7fa01e0b68f3d66d273da2872 to your computer and use it in GitHub Desktop.
Save kgsws/2f7722d7fa01e0b68f3d66d273da2872 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
arbwrite.jop
X9 = IPC (0x20)
X10 = IPC (0x24)
X23 = pointer to IPC (0x24)
X25 = pointer to IPC (0x00)
X22 = ptr to ptr to vtable
ArbWrite:
0x0000003d00017d80: ldr x8, [x23] // X8 = IPC (0x24)
0x0000003d00017d84: ldr x8, [x8, #56] // ipc[15] + ipc[16]
0x0000003d00017d88: mov x0, x23 // X0 = ptr 24
0x0000003d00017d8c: blr x8
-1------
0x0000003d0000f194: ldr x8, [x0] // X8 = IPC (0x24)
0x0000003d0000f198: ldr x2, [x8, #72] // ipc[19] + ipc[20]
0x0000003d0000f19c: br x2
-2------
0x0000003d0003f8a8: ldr x0, [x8, #16] // X0 = ipc[5] + ipc[6]; pdmEntry
0x0000003d0003f8ac: ldr x8, [x0] // X8 = *(pdmEntry+0)
0x0000003d0003f8b0: ldr x8, [x8, #48] // X8 = *(*(pdmEntry+0)+48)
0x0000003d0003f8b4: blr x8
-3------
0x0000003d000033d0: ldr x8, [x0] // X8 = *(pdmEntry+0)
0x0000003d000033d4: ldr x8, [x8, #16] // X8 = *(*(pdmEntry+0)+16)
0x0000003d000033d8: blr x8
-4------ called
0x0000003d000026cc: sub sp, sp, #0xd0 // STACK MOVE
0x0000003d000026d0: stp x26, x25, [sp, #128]
0x0000003d000026d4: stp x24, x23, [sp, #144]
0x0000003d000026d8: stp x22, x21, [sp, #160]
0x0000003d000026dc: stp x20, x19, [sp, #176]
0x0000003d000026e0: stp x29, x30, [sp, #192]
0x0000003d000026e4: add x29, sp, #0xc0
0x0000003d000026e8: ldr x19, [x0, #8] // X19 = *(pdmEntry+8)
0x0000003d000026ec: ldr x8, [x19] // X8 = *(*(pdmEntry+8)+0)
0x0000003d000026f0: ldr x8, [x8] // X8 = (*(*(pdmEntry+8)+0)+0)
0x0000003d000026f4: ldr w26, [x0, #16]
0x0000003d000026f8: mov x0, x19 // X0 = *(pdmEntry+8)
0x0000003d000026fc: mov w22, w3
0x0000003d00002700: mov x24, x2
0x0000003d00002704: mov x25, x1
0x0000003d00002708: blr x8
-5------
0x0000003d0004de9c: ldr x9, [x19, #32] // X9 = *(*(pdmEntry+8)+32)
0x0000003d0004dea0: sub x1, x9, x0
0x0000003d0004dea4: ldr x8, [x19, #48] // X8 = *(*(pdmEntry+8)+48)
0x0000003d0004dea8: blr x8
-6------
0x0000003d00025d08: ldr x8, [x0] // X8 = *(*(pdmEntry+8)+0)
0x0000003d00025d0c: ldr x1, [x8, #8] // X1 = *(*(*(pdmEntry+8)+0)+8)
0x0000003d00025d10: br x1
-7------
0x0000003d00014134: ldr x8, [x8, #24] // X8 = *(*(*(pdmEntry+8)+0)+24)
0x0000003d00014138: sub x1, x29, #0x54
0x0000003d0001413c: mov x0, x23 // X0 = ptr 24
0x0000003d00014140: blr x8
-8------
0x0000003d0002d6c8: ldr x8, [x0] // X8 = IPC (0x24)
0x0000003d0002d6cc: ldr x2, [x8, #64] // X2 = ipc[17] + ipc[18]
0x0000003d0002d6d0: br x2
-9------
0x0000003d000304c0: mov x1, x8 // X1 = IPC (0x24)
0x0000003d000304c4: blr x9
-10-----
0x0000003d0001349c: ldp x0, x8, [x19, #96] // X0 = *(*(pdmEntry+8)+96); X8 = *(*(pdmEntry+8)+104)
0x0000003d000134a0: blr x8
-11-----
0x0000003d0000638c: ldr x20, [x0, #8] // X20 = *(*(*(pdmEntry+8)+96)+8)
0x0000003d00006390: ldr x8, [x20] // X8 = *(*(*(*(pdmEntry+8)+96)+8)+0)
0x0000003d00006394: ldr x8, [x8] // X8 = *(*(*(*(*(pdmEntry+8)+96)+8)+0)+0)
0x0000003d00006398: ldr x26, [x2]
0x0000003d0000639c: ldr w27, [x0, #16]
0x0000003d000063a0: mov x0, x20 // X0 = *(*(*(pdmEntry+8)+96)+8)
0x0000003d000063a4: mov x19, x5
0x0000003d000063a8: mov w22, w4
0x0000003d000063ac: mov x23, x3
0x0000003d000063b0: mov x21, x1 // X21 = IPC (0x24)
0x0000003d000063b4: blr x8
-12-----
0x0000003d0004dbf8: ldr x0, [x21, #8] // X0 = ipc[3] + ipc[4]; arbAddr
0x0000003d0004dbfc: ldr x9, [x21, #32] // X9 = ipc[9] + ipc[10]; arbValue
0x0000003d0004dc00: sub x1, x9, x0
0x0000003d0004dc04: ldr x8, [x21, #48] // X8 = ipc[13] + ipc[14]
0x0000003d0004dc08: blr x8
-13-----
0x0000003d00029b50: ldr x8, [x20] // X8 = *(*(*(*(pdmEntry+8)+96)+8)+0)
0x0000003d00029b54: ldr x8, [x8, #8] // X8 = *(*(*(*(*(pdmEntry+8)+96)+8)+0)+8)
0x0000003d00029b58: mov x19, x0 // X19 = arbAddr
0x0000003d00029b5c: mov x0, x20 // X0 = *(*(*(pdmEntry+8)+96)+8)
0x0000003d00029b60: mov x1, x21
0x0000003d00029b64: blr x8
-14-----
0x0000003d0002de0c: str x9, [x19] // *arbAddr = arbValue
0x0000003d0002de10: str x8, [sp]
0x0000003d0002de14: ldr x8, [x20] // X8 = *(*(*(*(pdmEntry+8)+96)+8)+0)
0x0000003d0002de18: ldr x8, [x8, #64] // X8 = *(*(*(*(*(pdmEntry+8)+96)+8)+0)+64)
0x0000003d0002de1c: add x1, sp, #0x18
0x0000003d0002de20: mov x0, x20 // X0 = *(*(*(pdmEntry+8)+96)+8)
0x0000003d0002de24: blr x8
-15-----
0x0000003d000071e0: ldr x0, [x0, #8] // X0 = *(*(*(*(pdmEntry+8)+96)+8)+8)
0x0000003d000071e4: cbz x0, 0x3d000071f4
0x0000003d000071e8: ldr x8, [x0] // X8 = *(*(*(*(*(pdmEntry+8)+96)+8)+8)+0)
0x0000003d000071ec: ldr x1, [x8, #8] // X8 = *(*(*(*(*(*(pdmEntry+8)+96)+8)+8)+0)+8)
0x0000003d000071f0: br x1
-16-----
0x0000003d00002850: ldp x29, x30, [sp, #192]
0x0000003d00002854: ldp x20, x19, [sp, #176]
0x0000003d00002858: ldp x22, x21, [sp, #160]
0x0000003d0000285c: ldp x24, x23, [sp, #144]
0x0000003d00002860: ldp x26, x25, [sp, #128]
0x0000003d00002864: add sp, sp, #0xd0 // STACK BACK
0x0000003d00002868: ret
-RET---- returned
0x0000003d000033dc: ldr x8, [x0] // X8 = *(*(*(*(*(pdmEntry+8)+96)+8)+8)+0)
0x0000003d000033e0: ldr x8, [x8] // X8 = *(*(*(*(*(*(pdmEntry+8)+96)+8)+8)+0)+0)
0x0000003d000033e4: blr x8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment