
@kgsws
Created November 11, 2017 01:57
ArbCall:
// Annotated AArch64 disassembly trace of one executed control-flow path (the
// author's "ArbCall"). Each "-N------" section is the next run of executed
// instructions; the "-RETn---" sections are function epilogues unwinding back
// toward the caller, with the "STACK: ..." notes tracking sp relative to the
// frame entered at -4------.
// Names in the comments (IPC/ipc[n], pdmEntry, pdmNext0, pdmNext1, callAddr,
// storeAddr, nextAddr) are the original author's labels for values loaded from
// memory; ipc[n] presumably indexes 32-bit slots of the buffer x23 points to —
// not verifiable from this trace alone. Addresses are as captured and are
// specific to the traced binary and its load base.
// Every transfer below (`blr x8`, `br x2`, `br x16`, and each `ret` whose x30
// was just loaded from the stack) takes its target from memory without pointer
// authentication (`blr`/`ret` rather than `blraa`/`retaa`), and none of the
// branch targets shown begins with a `bti` landing pad: these are exactly the
// data-derived indirect branches that PAC and BTI are designed to constrain.
0x0000003d00017d80: ldr x8, [x23] // X8 = IPC (0x24)
0x0000003d00017d84: ldr x8, [x8, #56] // ipc[15] + ipc[16]
0x0000003d00017d88: mov x0, x23 // X0 = ptr 24
0x0000003d00017d8c: blr x8
-1------
0x0000003d0000f194: ldr x8, [x0] // X8 = IPC (0x24)
0x0000003d0000f198: ldr x2, [x8, #72] // ipc[19] + ipc[20]
0x0000003d0000f19c: br x2
-2------
0x0000003d0003f8a8: ldr x0, [x8, #16] // X0 = ipc[5] + ipc[6]; pdmEntry
0x0000003d0003f8ac: ldr x8, [x0] // X8 = *(pdmEntry+0)
0x0000003d0003f8b0: ldr x8, [x8, #48] // X8 = *(*(pdmEntry+0)+48)
0x0000003d0003f8b4: blr x8
-3------
0x0000003d000033d0: ldr x8, [x0] // X8 = *(pdmEntry+0)
0x0000003d000033d4: ldr x8, [x8, #16] // X8 = *(*(pdmEntry+0)+16)
0x0000003d000033d8: blr x8
-4------ called
0x0000003d000026cc: sub sp, sp, #0xd0 // STACK MOVE
0x0000003d000026d0: stp x26, x25, [sp, #128] // save callee-saved x19..x26 and the frame record
0x0000003d000026d4: stp x24, x23, [sp, #144]
0x0000003d000026d8: stp x22, x21, [sp, #160]
0x0000003d000026dc: stp x20, x19, [sp, #176]
0x0000003d000026e0: stp x29, x30, [sp, #192]
0x0000003d000026e4: add x29, sp, #0xc0 // frame pointer = entry sp - 0x10
0x0000003d000026e8: ldr x19, [x0, #8] // X19 = *(pdmEntry+8)
0x0000003d000026ec: ldr x8, [x19] // X8 = *(*(pdmEntry+8)+0)
0x0000003d000026f0: ldr x8, [x8] // X8 = *(*(*(pdmEntry+8)+0)+0)
0x0000003d000026f4: ldr w26, [x0, #16] // W26 = 32-bit load from pdmEntry+16
0x0000003d000026f8: mov x0, x19 // X0 = *(pdmEntry+8)
0x0000003d000026fc: mov w22, w3 // keep incoming args w3/x2/x1 in callee-saved regs across the call
0x0000003d00002700: mov x24, x2
0x0000003d00002704: mov x25, x1
0x0000003d00002708: blr x8
-5------
0x0000003d00014104: sub sp, sp, #0x310 // STACK: -0x310
0x0000003d00014108: mov x19, x0 // X19 = *(pdmEntry+8)
0x0000003d0001410c: ldr x24, [x19, #8] // X24 = *(*(pdmEntry+8)+8)
0x0000003d00014110: mov x22, x2 // keep incoming args x2/w1 across later calls
0x0000003d00014114: mov w20, w1
0x0000003d00014118: cmp x24, x19 // *(*(pdmEntry+8)+8) != *(pdmEntry+8)
0x0000003d0001411c: b.eq 0x3d00014168 // b.none
0x0000003d00014120: mov w21, wzr // W21 = 0
0x0000003d00014124: add x25, sp, #0x20c // X25/X26 = addresses of stack locals
0x0000003d00014128: add x26, sp, #0x8
0x0000003d0001412c: mov x23, x24 // X23 = *(*(pdmEntry+8)+8)
0x0000003d00014130: ldr x8, [x23, #-8]! // X8 = *(*(*(pdmEntry+8)+8)-8); X23 -= 8
0x0000003d00014134: ldr x8, [x8, #24] // X8 = *(*(*(*(pdmEntry+8)+8)-8)+24)
0x0000003d00014138: sub x1, x29, #0x54 // X1 = address of a local at x29 - 0x54
0x0000003d0001413c: mov x0, x23 // X0 = *(*(pdmEntry+8)+0)
0x0000003d00014140: blr x8
-6------
0x0000003d0001349c: ldp x0, x8, [x19, #96] // X0 = *(*(pdmEntry+8)+96); X8 = *(*(pdmEntry+8)+104)
0x0000003d000134a0: blr x8
-7------
0x0000003d000002c0: mov x16, x0 // X16 = *(*(pdmEntry+8)+96); callAddr
0x0000003d000002c4: ldp q0, q1, [sp], #32 // restore q0..q7 from the stack (FP/SIMD argument registers)
0x0000003d000002c8: ldp q2, q3, [sp], #32
0x0000003d000002cc: ldp q4, q5, [sp], #32
0x0000003d000002d0: ldp q6, q7, [sp], #32
0x0000003d000002d4: ldp x0, x1, [sp], #16 // restore x0..x7 from the stack (integer argument registers)
0x0000003d000002d8: ldp x2, x3, [sp], #16
0x0000003d000002dc: ldp x4, x5, [sp], #16
0x0000003d000002e0: ldp x6, x7, [sp], #16
0x0000003d000002e4: ldp x8, x19, [sp], #16 // X19 = storeAddr (200)
0x0000003d000002e8: ldp x29, x30, [sp], #16 // X30 = nextAddr (216)
0x0000003d000002ec: br x16 // call callAddr; STACK: -0x230 (224)
-RET0---
0x0000003d000579a8: stp x0, x1, [x19] // store result at storeAddr
0x0000003d000579ac: ldp x29, x30, [sp, #16] // X30 = nextAddr (248)
0x0000003d000579b0: ldr x19, [sp], #32
0x0000003d000579b4: ret // STACK: -0x210 (256)
-RET1---
0x0000003d00001d44: ldp x29, x30, [sp, #32] // X30 = nextAddr (296)
0x0000003d00001d48: ldr x19, [sp, #16]
0x0000003d00001d4c: add sp, sp, #0x30
0x0000003d00001d50: ret // STACK: -0x1E0 (304)
-RET2---
0x0000003d0004e950: ldp x29, x30, [sp, #176] // X30 = nextAddr (488)
0x0000003d0004e954: ldp x20, x19, [sp, #160]
0x0000003d0004e958: ldp x22, x21, [sp, #144] // X21 = pdmNext0; storeAddr - 24; (456)
0x0000003d0004e95c: ldp x24, x23, [sp, #128]
0x0000003d0004e960: ldp x26, x25, [sp, #112]
0x0000003d0004e964: ldp x28, x27, [sp, #96]
0x0000003d0004e968: add sp, sp, #0xc0
0x0000003d0004e96c: ret // STACK: -0x120 (496)
-RET3---
0x0000003d0001a0b8: ldp x29, x30, [sp, #272] // X30 = nextAddr (776)
0x0000003d0001a0bc: ldr x28, [sp, #240]
0x0000003d0001a0c0: ldp x20, x19, [sp, #256] // X19 = pdmNext1 (760)
0x0000003d0001a0c4: add sp, sp, #0x120
0x0000003d0001a0c8: ret // STACK: OK
-8------
0x0000003d0003ca1c: ldr x8, [x21] // X8 = *(pdmNext0+0)
0x0000003d0003ca20: ldr x2, [x21, #24] // X2 = *(pdmNext0+24); result
0x0000003d0003ca24: mov x0, x20
0x0000003d0003ca28: mov x1, x19 // X1 = pdmNext1
0x0000003d0003ca2c: blr x8
-9------
0x0000003d0004de98: ldr x0, [x19, #8] // X0 = *(pdmNext1+8)
0x0000003d0004de9c: ldr x9, [x19, #32] // X9 = *(pdmNext1+32)
0x0000003d0004dea0: sub x1, x9, x0 // X1 = *(pdmNext1+32) - *(pdmNext1+8); presumably a length — unverified
0x0000003d0004dea4: ldr x8, [x19, #48] // X8 = *(pdmNext1+48)
0x0000003d0004dea8: blr x8
-10-----
0x0000003d00002850: ldp x29, x30, [sp, #192] // epilogue matching the -4------ prologue (same 0xd0 frame layout)
0x0000003d00002854: ldp x20, x19, [sp, #176]
0x0000003d00002858: ldp x22, x21, [sp, #160]
0x0000003d0000285c: ldp x24, x23, [sp, #144]
0x0000003d00002860: ldp x26, x25, [sp, #128]
0x0000003d00002864: add sp, sp, #0xd0 // STACK BACK
0x0000003d00002868: ret
-RET---- returned
0x0000003d000033dc: ldr x8, [x0] // X8 = *(*(pdmNext1+8)+0)
0x0000003d000033e0: ldr x8, [x8] // X8 = *(*(*(pdmNext1+8)+0)+0)
0x0000003d000033e4: blr x8
-11-----
0x0000003d00035180: mov x0, x2 // return X2
0x0000003d00035184: ldr x8, [x9, #40] // X8 = *(*(pdmNext1+32)+40)
0x0000003d00035188: mov x2, x19
0x0000003d0003518c: mov x3, x19
0x0000003d00035190: mov w5, wzr // W5 = 0
0x0000003d00035194: blr x8