Courgette: Extend pointer detection in x64.

courgette/rel32_finder_x64.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "courgette/rel32_finder_x64.h"
 
 namespace courgette {
 
 Rel32FinderX64::Rel32FinderX64(RVA relocs_start_rva,
                                RVA relocs_end_rva,
@@ skipping 38 matching lines @@
     bool is_rip_relative = false;
 
     if (p + 5 <= end_pointer) {
       if (p[0] == 0xE8 || p[0] == 0xE9)  // jmp rel32 and call rel32
         rel32 = p + 1;
     }
     if (p + 6 <= end_pointer) {
       if (p[0] == 0x0F && (p[1] & 0xF0) == 0x80) {  // Jcc long form
         if (p[1] != 0x8A && p[1] != 0x8B)           // JPE/JPO unlikely
           rel32 = p + 2;
-      } else if (p[0] == 0xFF && (p[1] == 0x15 || p[1] == 0x25)) {
-        // rip relative CALL/JMP
+      } else if ((p[0] == 0xFF &&
+                  (p[1] == 0x15 || p[1] == 0x25)) ||  // CALL / JMP
+                 ((p[0] == 0x89 || p[0] == 0x8B ||
+                   p[0] == 0x8D) &&          // MOV / LEA

[huangs, 2016/06/17 18:05:51]

I think this is sufficient complex to warrant more detailed high-level comments:
// 6-byte instructions:
//   FF 15 [XXXXXXXX] : call QWORD PTR [rip+XXXXXXXX]
//   FF 25 [XXXXXXXX] : jmp  QWORD PTR [rip+XXXXXXXX]
//   89 [05|0D|...|3D] [XXXXXXXX]: mov DWORD PTR [rip+XXXXXXXX],reg
//   8B [05|0D|...|3D] [XXXXXXXX]: mov reg,DWORD PTR [rip+XXXXXXXX]
//   8D [05|0D|...|3D] [XXXXXXXX]: lea reg,[rip+XXXXXXXX]
// [05|0D|...|3D] selects reg = [eax|ecx|...|edi].
// We filter these by (p[1] & 0xC7) == 0x05.

[etiennep, 2016/06/27 19:41:21]

Done.

+                  (p[1] & 0xC7) == 0x05)) {  // Dst reg : [05,0D,...3D] =
+        //  [rax,rbx,...,rdi]/[r8,r9,...,r15]
         rel32 = p + 2;
         is_rip_relative = true;
       }
     }
-    // TODO(etiennep): Many rip mov/lea variants are not detected. Experiment,
-    // fix and combine logic.
     if (p + 7 <= end_pointer) {

[huangs, 2016/06/17 18:05:51]

// 7-byte instructions:
//   [48/4C] 89 [05|0D|...|3D] [XXXXXXXX]: mov QWORD PTR [rip+XXXXXXXX],reg
//   [48/4C] 8B [05|0D|...|3D] [XXXXXXXX]: mov reg,QWORD PTR [rip+XXXXXXXX]
//   [48/4C] 8D [05|0D|...|3D] [XXXXXXXX]: lea reg,[rip+XXXXXXXX]
// Prefix 48: [05|0D|...|3D] selects reg = [rax|rcx|...|rdi].
// Prefix 4C: [05|0D|...|3D] selects reg = [r9|r10|...|r15].

[etiennep, 2016/06/27 19:41:21]

Done.

       if ((p[0] & 0xFB) == 0x48 &&  // Dst reg : 48/4C [rax-rdi]/[r8-r15]
-          p[1] == 0x8D &&           // LEA
+          (p[1] == 0x89 || p[1] == 0x8B || p[1] == 0x8D) &&  // MOV / LEA
           (p[2] & 0xC7) == 0x05) {  // Dst reg : [05,0D,...3D] =
                                     //  [rax,rbx,...,rdi]/[r8,r9,...,r15]
-        // LEA dst, QWORD [rip + rel32]
-        rel32 = p + 3;
-        is_rip_relative = true;
-      } else if ((p[0] & 0xFB) == 0x48 &&  // Dst reg : 48/4C [rax-rdi]/[r8-r15]
-                 p[1] == 0x8B &&           // MOV
-                 (p[2] & 0xC7) == 0x05) {  // Dst reg : [05,0D,...3D] =
-                                           //  [rax,rbx,...,rdi]/[r8,r9,...,r15]
-        // MOV dst, QWORD PTR[rip + rel32]
         rel32 = p + 3;
         is_rip_relative = true;
       }
     }
 
     if (rel32) {
       RVA rel32_rva = static_cast<RVA>(rel32 - adjust_pointer_to_rva);
 
       // Is there an abs32 reloc overlapping the candidate?
       while (abs32_pos != abs32_locations.end() && *abs32_pos < rel32_rva - 3)
@@ skipping 22 matching lines @@
 #endif
         p = rel32 + 4;
         continue;
       }
     }
     p += 1;
   }
 }
 
 }  // namespace courgette