
@lambda-fairy
Created December 8, 2016 09:41
Maud HTML escaper assembly
# rustc/LLVM output for a small Maud-style HTML escaper.
# Syntax: GAS, Intel operand order (dst, src), no register prefix.
# Target: x86-64 ELF, SysV AMD64 ABI (@PLT calls, .note.GNU-stack, args in rdi/rsi/rdx/rcx).
# The .cfi_* directives and .Ltmp* labels are consumed by the unwind
# tables (.gcc_except_table below); keep them paired with the code they bracket.
.text
.intel_syntax noprefix
.file "rust_out.cgu-0.rs"
#-----------------------------------------------------------------------
# <alloc::raw_vec::RawVec<T>>::double  (instance used by rust_out::main)
# ABI:   SysV AMD64
# In:    rdi = &RawVec { ptr: [rdi], cap: [rdi+8] }
# Out:   none; [rdi] and [rdi+8] are rewritten with the new buffer/capacity.
#        The byte size handed to the allocator equals the stored capacity and
#        align is 1, i.e. this instance is for 1-byte elements.
# Clobb: all caller-saved registers (calls into the allocator).
# Does not return on allocation failure: falls into alloc::oom::oom.
#-----------------------------------------------------------------------
.section ".text._ZN40_$LT$alloc..raw_vec..RawVec$LT$T$GT$$GT$6double17h17920b8a90cfe6cfE","ax",@progbits
.p2align 4, 0x90
.type _ZN40_$LT$alloc..raw_vec..RawVec$LT$T$GT$$GT$6double17h17920b8a90cfe6cfE,@function
_ZN40_$LT$alloc..raw_vec..RawVec$LT$T$GT$$GT$6double17h17920b8a90cfe6cfE:
.cfi_startproc
push r14                                # callee-saved: holds the new capacity across the call
.Ltmp0:
.cfi_def_cfa_offset 16
push rbx                                # callee-saved: holds &RawVec across the call
.Ltmp1:
.cfi_def_cfa_offset 24
push rax                                # value unused; third push realigns rsp to 16 at the call
.Ltmp2:
.cfi_def_cfa_offset 32
.Ltmp3:
.cfi_offset rbx, -24
.Ltmp4:
.cfi_offset r14, -16
mov rbx, rdi                            # rbx = self
mov rsi, qword ptr [rbx + 8]            # rsi = current capacity (== old byte size)
test rsi, rsi
je .LBB1_2                              # cap == 0: nothing to grow, allocate fresh
mov rdi, qword ptr [rbx]                # rdi = old buffer
lea r14, [rsi + rsi]                    # r14 = new cap = 2*cap (no overflow check emitted here;
                                        # presumably relies on cap <= isize::MAX - TODO confirm)
mov ecx, 1                              # align = 1
mov rdx, r14                            # new byte size
call __rust_reallocate@PLT              # __rust_reallocate(ptr, old_size, new_size, align)
jmp .LBB1_3
.LBB1_2:
mov r14d, 4                             # first allocation: cap = 4
mov edi, 4                              # size = 4
mov esi, 1                              # align = 1
call __rust_allocate@PLT                # __rust_allocate(size, align)
.LBB1_3:
test rax, rax
je .LBB1_5                              # null from the allocator -> OOM path
mov qword ptr [rbx], rax                # self.ptr = new buffer
mov qword ptr [rbx + 8], r14            # self.cap = new cap
add rsp, 8                              # drop the alignment slot
pop rbx
pop r14
ret
.LBB1_5:
call _ZN5alloc3oom3oom17he12d244509df7328E@PLT   # noreturn; no epilogue needed
.Lfunc_end0:
.size _ZN40_$LT$alloc..raw_vec..RawVec$LT$T$GT$$GT$6double17h17920b8a90cfe6cfE, .Lfunc_end0-_ZN40_$LT$alloc..raw_vec..RawVec$LT$T$GT$$GT$6double17h17920b8a90cfe6cfE
.cfi_endproc
#-----------------------------------------------------------------------
# rust_out::main  (the escaper body; mangled Rust symbol)
# ABI:   SysV AMD64, non-leaf; unwinds through DW.ref.rust_eh_personality
#        with the LSDA at .Lexception0 (its call-site ranges are the .Ltmp*
#        labels around the calls below).
# In:    none.  Out: none.
# Frame: [rsp+0]  vec.ptr   [rsp+8]  vec.cap   [rsp+16] vec.len  (a Vec<u8>)
#        [rsp+24] slice.ptr [rsp+32] slice.len (input "aaa" from str.8;
#        [rsp+24] is reused after the loop to pass &vec to the second
#        empty inline-asm block)
# Loop registers:
#        r14  = input cursor            r13  = bytes remaining
#        rbx  = current byte            rcx  = vec.len (written back at .LBB1_19)
#        r15d = 335544337 = 0x14000011: bit (byte-34) is set for
#               '"' (34), '&' (38), '<' (60), '>' (62)
#        rbp  = &.LJTI1_0 (jump table base)
#        r12  = &vec; borrowed as the new-capacity temp inside the grow paths
#               and restored with `lea r12, [rsp]` afterwards
# Escaping: exactly those four bytes are rewritten (&quot; &amp; &lt; &gt;).
#        Every other byte, including '\'' (39), is copied through unchanged,
#        so NOTE(review): the output is only safe in text or double-quoted
#        attribute context.
#-----------------------------------------------------------------------
.section .text._ZN8rust_out4main17ha208b69ccbc11839E,"ax",@progbits
.p2align 4, 0x90
.type _ZN8rust_out4main17ha208b69ccbc11839E,@function
_ZN8rust_out4main17ha208b69ccbc11839E:
.Lfunc_begin0:
.cfi_startproc
.cfi_personality 155, DW.ref.rust_eh_personality
.cfi_lsda 27, .Lexception0
push rbp                                # save all six callee-saved GPRs
.Ltmp25:
.cfi_def_cfa_offset 16
push r15
.Ltmp26:
.cfi_def_cfa_offset 24
push r14
.Ltmp27:
.cfi_def_cfa_offset 32
push r13
.Ltmp28:
.cfi_def_cfa_offset 40
push r12
.Ltmp29:
.cfi_def_cfa_offset 48
push rbx
.Ltmp30:
.cfi_def_cfa_offset 56
sub rsp, 40                             # 40 locals; 8 + 48 + 40 = 96 keeps rsp 16-aligned at calls
.Ltmp31:
.cfi_def_cfa_offset 96
.Ltmp32:
.cfi_offset rbx, -56
.Ltmp33:
.cfi_offset r12, -48
.Ltmp34:
.cfi_offset r13, -40
.Ltmp35:
.cfi_offset r14, -32
.Ltmp36:
.cfi_offset r15, -24
.Ltmp37:
.cfi_offset rbp, -16
mov qword ptr [rsp], 1                  # vec.ptr = 1 (empty-Vec sentinel, presumably; never dereferenced while cap == 0)
xorps xmm0, xmm0
movups xmmword ptr [rsp + 8], xmm0      # vec.cap = vec.len = 0
lea rax, [rip + str.8]
mov qword ptr [rsp + 24], rax           # slice = (str.8, 3)
mov qword ptr [rsp + 32], 3
lea rax, [rsp + 24]                     # rax = &slice, fed to the empty inline asm (black_box-style - presumably)
#APP
#NO_APP
mov r13, qword ptr [rsp + 32]           # r13 = bytes remaining
test r13, r13
je .LBB1_20                             # empty input: skip straight to teardown
mov r14, qword ptr [rsp + 24]           # r14 = input cursor
xor ecx, ecx                            # rcx = vec.len = 0
mov r15d, 335544337                     # escape mask 0x14000011 (see header)
lea rbp, [rip + .LJTI1_0]               # rbp = jump table base (PIC)
lea r12, [rsp]                          # r12 = &vec
jmp .LBB1_2
.LBB1_50:                               # '<' : reserve 4 bytes for "&lt;"
mov rsi, qword ptr [rsp + 8]            # rsi = cap
mov rax, rsi
sub rax, rcx                            # rax = cap - len
cmp rax, 4
jae .LBB1_51                            # enough room: write in place
add rcx, 4                              # rcx = required cap = len + 4
jb .LBB1_53                             # CF set: unsigned overflow -> "capacity overflow" panic
lea r12, [rsi + rsi]                    # r12 = 2*cap (r12 is the temp here, not &vec)
cmp rcx, r12
cmovae r12, rcx                         # new_cap = max(2*cap, required)
test rsi, rsi
je .LBB1_56                             # cap == 0: allocate instead of reallocate
mov rdi, qword ptr [rsp]                # __rust_reallocate(ptr, cap, new_cap, 1)
mov ecx, 1
mov rdx, r12
call __rust_reallocate@PLT
jmp .LBB1_58
.LBB1_23:                               # '&' : reserve 5 bytes for "&amp;" (same shape as .LBB1_50)
mov rsi, qword ptr [rsp + 8]
mov rax, rsi
sub rax, rcx
cmp rax, 5
jae .LBB1_24
add rcx, 5
jb .LBB1_26
lea r12, [rsi + rsi]
cmp rcx, r12
cmovae r12, rcx
test rsi, rsi
je .LBB1_29
mov rdi, qword ptr [rsp]
mov ecx, 1
mov rdx, r12
call __rust_reallocate@PLT
jmp .LBB1_31
.LBB1_36:                               # '>' : reserve 4 bytes for "&gt;" (same shape as .LBB1_50)
mov rsi, qword ptr [rsp + 8]
mov rax, rsi
sub rax, rcx
cmp rax, 4
jae .LBB1_37
add rcx, 4
jb .LBB1_39
lea r12, [rsi + rsi]
cmp rcx, r12
cmovae r12, rcx
test rsi, rsi
je .LBB1_42
mov rdi, qword ptr [rsp]
mov ecx, 1
mov rdx, r12
call __rust_reallocate@PLT
jmp .LBB1_44
.LBB1_51:                               # fast paths: rax = vec.ptr, rcx still == len
mov rax, qword ptr [rsp]
jmp .LBB1_62
.LBB1_7:
mov rax, qword ptr [rsp]
jmp .LBB1_18
.LBB1_24:
mov rax, qword ptr [rsp]
jmp .LBB1_35
.LBB1_37:
mov rax, qword ptr [rsp]
jmp .LBB1_48
.LBB1_56:                               # '<' grow, cap == 0: __rust_allocate(new_cap, 1)
mov esi, 1
mov rdi, r12
call __rust_allocate@PLT
.LBB1_58:
test rax, rax
je .LBB1_59                             # null -> OOM
mov qword ptr [rsp], rax                # vec.ptr = new buffer
mov qword ptr [rsp + 8], r12            # vec.cap = new_cap
mov rcx, qword ptr [rsp + 16]           # reload len (rcx was clobbered by the align argument)
lea r12, [rsp]                          # restore r12 = &vec
.LBB1_62:                               # emit "&l", then share the "t;" tail with "&gt;" at .LBB1_49
mov byte ptr [rax + rcx], 38            # '&'
mov byte ptr [rax + rcx + 1], 108       # 'l'
jmp .LBB1_49
.LBB1_12:                               # '"' grow, cap == 0
mov esi, 1
mov rdi, r12
call __rust_allocate@PLT
.LBB1_14:
test rax, rax
je .LBB1_15
mov qword ptr [rsp], rax
mov qword ptr [rsp + 8], r12
mov rcx, qword ptr [rsp + 16]
lea r12, [rsp]
.LBB1_18:                               # emit "&quot;"
mov byte ptr [rax + rcx], 38            # '&'
mov byte ptr [rax + rcx + 1], 113       # 'q'
mov byte ptr [rax + rcx + 2], 117       # 'u'
mov byte ptr [rax + rcx + 3], 111       # 'o'
mov byte ptr [rax + rcx + 4], 116       # 't'
mov byte ptr [rax + rcx + 5], 59        # ';'
add rcx, 6                              # len += 6
jmp .LBB1_19
.LBB1_29:                               # '&' grow, cap == 0
mov esi, 1
mov rdi, r12
call __rust_allocate@PLT
.LBB1_31:
test rax, rax
je .LBB1_32
mov qword ptr [rsp], rax
mov qword ptr [rsp + 8], r12
mov rcx, qword ptr [rsp + 16]
lea r12, [rsp]
.LBB1_35:                               # emit "&amp;"
mov byte ptr [rax + rcx], 38            # '&'
mov byte ptr [rax + rcx + 1], 97        # 'a'
mov byte ptr [rax + rcx + 2], 109       # 'm'
mov byte ptr [rax + rcx + 3], 112       # 'p'
mov byte ptr [rax + rcx + 4], 59        # ';'
add rcx, 5                              # len += 5
jmp .LBB1_19
.LBB1_42:                               # '>' grow, cap == 0
mov esi, 1
mov rdi, r12
call __rust_allocate@PLT
.LBB1_44:
test rax, rax
je .LBB1_45
mov qword ptr [rsp], rax
mov qword ptr [rsp + 8], r12
mov rcx, qword ptr [rsp + 16]
lea r12, [rsp]
.LBB1_48:                               # emit "&g", then the shared "t;" tail
mov byte ptr [rax + rcx], 38            # '&'
mov byte ptr [rax + rcx + 1], 103       # 'g'
.LBB1_49:                               # shared tail of "&lt;" and "&gt;"
mov byte ptr [rax + rcx + 2], 116       # 't'
mov byte ptr [rax + rcx + 3], 59        # ';'
add rcx, 4                              # len += 4
jmp .LBB1_19
.p2align 4, 0x90
.LBB1_2:                                # loop head: classify the next input byte
movzx ebx, byte ptr [r14]               # rbx = byte (kept for the copy-through path)
mov eax, ebx
add al, -34                             # al = byte - 34 ('"'); bytes below 34 wrap above 28
cmp al, 28
ja .LBB1_63                             # outside 34..62 (unsigned): never escaped
movzx edx, al
bt r15d, edx                            # CF = mask bit (byte - 34)
jae .LBB1_63                            # bit clear: one of the 25 in-range bytes that pass through
cmp al, 28                              # redundant re-check emitted by the compiler; harmless
ja .LBB1_63
movsxd rax, dword ptr [rbp + 4*rdx]     # PIC jump table: 32-bit offsets relative to .LJTI1_0
add rax, rbp
jmp rax                                 # -> .LBB1_6 / .LBB1_23 / .LBB1_50 / .LBB1_36
.LBB1_6:                                # '"' : reserve 6 bytes for "&quot;" (same shape as .LBB1_50)
mov rsi, qword ptr [rsp + 8]
mov rax, rsi
sub rax, rcx
cmp rax, 6
jae .LBB1_7
add rcx, 6
jb .LBB1_9
lea r12, [rsi + rsi]
cmp rcx, r12
cmovae r12, rcx
test rsi, rsi
je .LBB1_12
mov rdi, qword ptr [rsp]
mov ecx, 1
mov rdx, r12
call __rust_reallocate@PLT
jmp .LBB1_14
.p2align 4, 0x90
.LBB1_63:                               # copy-through path: vec.push(byte)
cmp rcx, qword ptr [rsp + 8]
jne .LBB1_66                            # len != cap: room available
.Ltmp22:                                # .Ltmp22..Ltmp23 = LSDA call site -> cleanup pad .LBB1_67
mov rdi, r12                            # RawVec::double(&vec)
call _ZN40_$LT$alloc..raw_vec..RawVec$LT$T$GT$$GT$6double17h17920b8a90cfe6cfE
.Ltmp23:
mov rcx, qword ptr [rsp + 16]           # reload len after the call
.LBB1_66:
mov rax, qword ptr [rsp]                # rax = vec.ptr (may have just changed)
mov byte ptr [rax + rcx], bl            # ptr[len] = byte
mov rcx, qword ptr [rsp + 16]
inc rcx                                 # len += 1
.LBB1_19:                               # loop tail: commit len, advance, count down
mov qword ptr [rsp + 16], rcx
inc r14
dec r13
jne .LBB1_2
.LBB1_20:                               # after the loop: hand &vec to the second empty inline asm
lea rax, [rsp]
mov qword ptr [rsp + 24], rax
lea rax, [rsp + 24]
#APP
#NO_APP
mov rsi, qword ptr [rsp + 8]            # drop(vec): free only if a buffer was ever allocated
test rsi, rsi
je .LBB1_22
mov rdi, qword ptr [rsp]                # __rust_deallocate(ptr, cap, 1)
mov edx, 1
call __rust_deallocate@PLT
.LBB1_22:
add rsp, 40
pop rbx
pop r12
pop r13
pop r14
pop r15
pop rbp
ret
# Cold paths.  Every call below is noreturn, so control never falls
# through from one label into the next.  .Ltmp9..Ltmp20 form the second
# LSDA call-site range (cleanup pad .LBB1_68).
.LBB1_45:                               # '>' allocation returned null
.Ltmp9:
call _ZN5alloc3oom3oom17he12d244509df7328E@PLT
.Ltmp10:
.LBB1_39:                               # '>' len + 4 overflowed
.Ltmp11:
lea rdi, [rip + str.0]                  # expect_failed("capacity overflow", 17)
mov esi, 17
call _ZN4core6option13expect_failed17h6be288f6c3caa41aE@PLT
.Ltmp12:
.LBB1_59:                               # '<' allocation returned null
.Ltmp5:
call _ZN5alloc3oom3oom17he12d244509df7328E@PLT
.Ltmp6:
.LBB1_53:                               # '<' len + 4 overflowed
.Ltmp7:
lea rdi, [rip + str.0]
mov esi, 17
call _ZN4core6option13expect_failed17h6be288f6c3caa41aE@PLT
.Ltmp8:
.LBB1_32:                               # '&' allocation returned null
.Ltmp13:
call _ZN5alloc3oom3oom17he12d244509df7328E@PLT
.Ltmp14:
.LBB1_26:                               # '&' len + 5 overflowed
.Ltmp15:
lea rdi, [rip + str.0]
mov esi, 17
call _ZN4core6option13expect_failed17h6be288f6c3caa41aE@PLT
.Ltmp16:
.LBB1_15:                               # '"' allocation returned null
.Ltmp17:
call _ZN5alloc3oom3oom17he12d244509df7328E@PLT
.Ltmp18:
.LBB1_9:                                # '"' len + 6 overflowed
.Ltmp19:
lea rdi, [rip + str.0]
mov esi, 17
call _ZN4core6option13expect_failed17h6be288f6c3caa41aE@PLT
.Ltmp20:
# Landing pads (cleanup only): rax = in-flight exception object.
.LBB1_68:                               # unwinding out of a cold call above
.Ltmp21:
jmp .LBB1_69
.LBB1_67:                               # unwinding out of RawVec::double
.Ltmp24:
.LBB1_69:
mov rbx, rax                            # keep the exception object across the free
mov rsi, qword ptr [rsp + 8]
test rsi, rsi
je .LBB1_71                             # nothing allocated: nothing to free
mov rdi, qword ptr [rsp]                # __rust_deallocate(ptr, cap, 1)
mov edx, 1
call __rust_deallocate@PLT
.LBB1_71:
mov rdi, rbx
call _Unwind_Resume@PLT                 # continue unwinding; does not return
.Lfunc_end1:
.size _ZN8rust_out4main17ha208b69ccbc11839E, .Lfunc_end1-_ZN8rust_out4main17ha208b69ccbc11839E
.cfi_endproc
.section .rodata._ZN8rust_out4main17ha208b69ccbc11839E,"a",@progbits
.p2align 2
# Jump table for the dispatch at .LBB1_2, indexed by (byte - 34) for
# bytes 34..62 (29 entries).  Each entry is a 32-bit offset from .LJTI1_0
# (PIC: the dispatch does movsxd, add rbp, jmp).  The bt test against the
# r15d mask only lets indices 0, 4, 26 and 28 reach the table, so the
# .LBB1_63 (copy-through) entries are never taken in practice.
.LJTI1_0:
.long .LBB1_6-.LJTI1_0                  # 34 '"' -> "&quot;"
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_23-.LJTI1_0                 # 38 '&' -> "&amp;"
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_63-.LJTI1_0
.long .LBB1_50-.LJTI1_0                 # 60 '<' -> "&lt;"
.long .LBB1_63-.LJTI1_0
.long .LBB1_36-.LJTI1_0                 # 62 '>' -> "&gt;"
.section .gcc_except_table,"a",@progbits
.p2align 2
# LSDA for rust_out::main (referenced by its .cfi_lsda).  Header followed
# by a call-site table of three 13-byte records; there is no action table
# because every landing pad is a plain cleanup (action 0).
GCC_except_table1:
.Lexception0:
.byte 255                               # LPStart encoding: DW_EH_PE_omit (pads are relative to .Lfunc_begin0)
.byte 155                               # TType encoding: 0x9b = indirect|pcrel|sdata4
.byte 41                                # ULEB128 offset to the TType base (1 + 1 + 39 bytes follow)
.byte 3                                 # call-site encoding: DW_EH_PE_udata4
.byte 39                                # call-site table length in bytes (3 * 13)
.long .Ltmp22-.Lfunc_begin0             # record 1: the RawVec::double call ...
.long .Ltmp23-.Ltmp22
.long .Ltmp24-.Lfunc_begin0             #   ... lands at .LBB1_67 (free the buffer, resume)
.byte 0                                 #   action 0: cleanup only
.long .Ltmp9-.Lfunc_begin0              # record 2: the cold oom / expect_failed calls ...
.long .Ltmp20-.Ltmp9
.long .Ltmp21-.Lfunc_begin0             #   ... land at .LBB1_68
.byte 0
.long .Ltmp20-.Lfunc_begin0             # record 3: the landing pads themselves ...
.long .Lfunc_end1-.Ltmp20
.long 0                                 #   ... have no pad of their own (unwinding continues upward)
.byte 0
.p2align 2
.section .text.main,"ax",@progbits
.globl main
.p2align 4, 0x90
.type main,@function
#-----------------------------------------------------------------------
# int main(int argc, char **argv)
# ABI:   SysV AMD64.  Tail-calls std::rt::lang_start(rust_out::main, argc, argv)
#        so lang_start's return value is returned straight to our caller.
# In:    rdi = argc, rsi = argv
# Out:   whatever lang_start returns in rax
# No frame, nothing saved: only argument registers are written before the jmp.
#-----------------------------------------------------------------------
main:
.cfi_startproc
mov rdx, rsi                            # argv -> third argument
mov rsi, rdi                            # argc -> second argument
lea rdi, [rip + _ZN8rust_out4main17ha208b69ccbc11839E]   # first argument: the Rust main fn (PIC)
jmp _ZN3std2rt10lang_start17h5d71a3afaaa4b2ffE@PLT       # tail call; its ret returns to our caller
.Lfunc_end2:
.size main, .Lfunc_end2-main
.cfi_endproc
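# String constants.  str.0 is the panic message passed to expect_failed by
# the capacity-overflow paths in rust_out::main (its length 17 matches the
# `mov esi, 17` there).  str.4..str.7 are the entity replacements; the
# compiler inlined them as byte stores in main, so nothing in this listing
# references them.  str.8 is the input slice "aaa".
# NOTE(review): the rendered page had HTML-decoded str.4..str.7 down to
# "<", ">", "&", """; the .size directives (4, 4, 5, 6) and the inlined
# byte stores in main establish the real contents restored here.
.type str.0,@object
.section .rodata.str.0,"a",@progbits
.p2align 4
str.0:
.ascii "capacity overflow"
.size str.0, 17
.type str.4,@object
.section .rodata.str.4,"a",@progbits
str.4:
.ascii "&lt;"
.size str.4, 4
.type str.5,@object
.section .rodata.str.5,"a",@progbits
str.5:
.ascii "&gt;"
.size str.5, 4
.type str.6,@object
.section .rodata.str.6,"a",@progbits
str.6:
.ascii "&amp;"
.size str.6, 5
.type str.7,@object
.section .rodata.str.7,"a",@progbits
str.7:
.ascii "&quot;"
.size str.7, 6
.type str.8,@object
.section .rodata.str.8,"a",@progbits
str.8:
.zero 3,97                              # three 'a' bytes: the input fed to the escaper
.size str.8, 3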
# Weak, hidden, COMDAT-merged pointer slot for the Rust EH personality
# routine; rust_out::main's .cfi_personality (encoding 155 = indirect|pcrel|sdata4)
# refers to this slot rather than to rust_eh_personality directly.
.hidden DW.ref.rust_eh_personality
.weak DW.ref.rust_eh_personality
.section .data.DW.ref.rust_eh_personality,"aGw",@progbits,DW.ref.rust_eh_personality,comdat
.p2align 3
.type DW.ref.rust_eh_personality,@object
.size DW.ref.rust_eh_personality, 8
DW.ref.rust_eh_personality:
.quad rust_eh_personality
# Empty flags on .note.GNU-stack tell the linker this object does not need
# an executable stack.
.section ".note.GNU-stack","",@progbits
@lambda-fairy

.Ltmp37 and .LBB1_2 are the good parts. We see that it does two interesting things:

  • It checks in advance if the byte is within the range ['"', '>']:

    add	al, -34
    cmp	al, 28
    ja	.LBB1_63
  • Then, it uses a bit vector to filter out all but the four characters which need to be escaped:

    mov	r15d, 335544337
    ...
    movzx	edx, al
    bt	r15d, edx
    jae	.LBB1_63

Clever!
