Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License

Implement Arm64 tlbi intrinsic #6062

Open bb33bb opened 3 weeks ago

bb33bb commented 3 weeks ago

What is the feature you'd like to have? Please add Arm64 decompilation (lifting) support for `tlbi vaae1is, x8` and `tlbi vmalle1is`.

Is your feature request related to a problem? NO. Are any alternative solutions acceptable? NO. Additional Information: here is the Arm64 assembly:

ffffff954fe06b7c    int64_t sub_ffffff954fe06b7c(int64_t arg1, int64_t arg2)

ffffff954fe06b7c  fd7bbda9   stp     x29, x30, [sp, #-0x30]! {__saved_x29} {__saved_x30}
ffffff954fe06b80  f50b00f9   str     x21, [sp, #0x10 {__saved_x21}]
ffffff954fe06b84  f44f02a9   stp     x20, x19, [sp, #0x20] {__saved_x20} {__saved_x19}
ffffff954fe06b88  fd030091   mov     x29, sp {__saved_x29}
ffffff954fe06b8c  3300008b   add     x19, x1, x0
ffffff954fe06b90  f50301aa   mov     x21, x1
ffffff954fe06b94  e10313aa   mov     x1, x19
ffffff954fe06b98  f40300aa   mov     x20, x0
ffffff954fe06b9c  94ffff97   bl      sub_ffffff954fe069ec
ffffff954fe06ba0  bf0250f1   cmp     x21, #0x400, lsl #0xc
ffffff954fe06ba4  09010054   b.ls    0xffffff954fe06bc4

ffffff954fe06ba8  9f3a03d5   dsb     ishst
🚫ffffff954fe06bac  1f8308d5   tlbi    vmalle1is
ffffff954fe06bb0  1f2003d5   nop     
ffffff954fe06bb4  1f2003d5   nop     
ffffff954fe06bb8  9f3b03d5   dsb     ish
ffffff954fe06bbc  df3f03d5   isb     
ffffff954fe06bc0  0e000014   b       0xffffff954fe06bf8

ffffff954fe06bc4  9f3a03d5   dsb     ishst
ffffff954fe06bc8  88de4cd3   ubfx    x8, x20, #0xc, #0x2c
ffffff954fe06bcc  69de4cd3   ubfx    x9, x19, #0xc, #0x2c
ffffff954fe06bd0  1f0109eb   cmp     x8, x9
ffffff954fe06bd4  e2000054   b.hs    0xffffff954fe06bf0

🚫ffffff954fe06bd8  688308d5   tlbi    vaae1is, x8
ffffff954fe06bdc  1f2003d5   nop     
ffffff954fe06be0  1f2003d5   nop     
ffffff954fe06be4  08050091   add     x8, x8, #0x1
ffffff954fe06be8  3f0108eb   cmp     x9, x8
ffffff954fe06bec  61ffff54   b.ne    0xffffff954fe06bd8

ffffff954fe06bf0  9f3b03d5   dsb     ish
ffffff954fe06bf4  df3f03d5   isb     

ffffff954fe06bf8  f44f42a9   ldp     x20, x19, [sp, #0x20] {__saved_x20} {__saved_x19}
ffffff954fe06bfc  f50b40f9   ldr     x21, [sp, #0x10 {__saved_x21}]
ffffff954fe06c00  fd7bc3a8   ldp     x29, x30, [sp], #0x30 {__saved_x29} {__saved_x30}
ffffff954fe06c04  c0035fd6   ret     

and the decompiled code is:

ffffff954fe06b7c    int64_t sub_ffffff954fe06b7c(int64_t arg1, int64_t arg2)

ffffff954fe06b7c    {
ffffff954fe06b7c        int64_t x19 = arg2 + arg1;
ffffff954fe06b9c        int64_t result = sub_ffffff954fe069ec(arg1, x19);
ffffff954fe06b9c        
ffffff954fe06ba4        if (arg2 <= 0x400000)
ffffff954fe06ba4        {
ffffff954fe06bc4            __dsb();
ffffff954fe06bc8            uint64_t x8_1 = arg1 >> 0xc & 0xfffffffffff;
ffffff954fe06bcc            uint64_t x9_1 = x19 >> 0xc & 0xfffffffffff;
ffffff954fe06bcc            
ffffff954fe06bd4            if (x8_1 < x9_1)
ffffff954fe06bd4            {
ffffff954fe06bec                do
ffffff954fe06bec                {
🚫ffffff954fe06bd8                    /* !!!!  unimplemented  {tlbi vaae1is, x8} !!!!*/
ffffff954fe06be4                    x8_1 += 1;
ffffff954fe06bec                } while (x9_1 != x8_1);
ffffff954fe06bd4            }
ffffff954fe06bd4            
ffffff954fe06bf0            __dsb();
ffffff954fe06bf4            __isb();
ffffff954fe06ba4        }
ffffff954fe06ba4        else
ffffff954fe06ba4        {
ffffff954fe06ba8            __dsb();
🚫ffffff954fe06bac            /* !!!!   unimplemented  {tlbi vmalle1is}  !!!!*/
ffffff954fe06bb8            __dsb();
ffffff954fe06bbc            __isb();
ffffff954fe06ba4        }
ffffff954fe06ba4        
ffffff954fe06c04        return result;
ffffff954fe06b7c    }
bb33bb commented 3 weeks ago

We can see there are two unimplemented instructions: at 🚫ffffff954fe06bd8, `/* !!!! unimplemented {tlbi vaae1is, x8} !!!!*/`, and at 🚫ffffff954fe06bac, `/* !!!! unimplemented {tlbi vmalle1is} !!!!*/`.

bb33bb commented 3 weeks ago

version: 4.2.6325-dev Personal (c3d1ad94) system: Linux version 6.10.13-3-MANJARO (builduser@fv-az1246-770) (gcc (GCC) 14.2.1 20240910, GNU ld (GNU Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Tue Oct 8 03:24:49 UTC 2024

ffffff93d1868b00                    do
ffffff93d1868b00                    {
🚫ffffff93d1868ae8                        /*   unimplemented  {ldxp x11, x26, [x10]} */
ffffff93d1868aec                        x11 ^= result;
ffffff93d1868af4                        arg4 = x11 | (arg4 ^ x8_6);
ffffff93d1868af4                        
ffffff93d1868af8                        if (arg4)
ffffff93d1868af8                            break;
ffffff93d1868af8                        
🚫ffffff93d1868afc                        /*   unimplemented  {stxp w11, x9, x12, [x10]} */
ffffff93d1868b00                    } while (x11);

This code is also unimplemented.

galenbwill commented 3 weeks ago

Are you able to share this binary? (You can email it to binaryninja@vector35.com or DM it via the public slack if you cannot or do not want to upload it publicly here)

bb33bb commented 3 weeks ago

Yes, I will send it to you as soon as possible.

bb33bb commented 3 weeks ago

Yes, I will send it to you as soon as possible.

https://1drv.ms/u/c/01e018a652fc6a6e/EemB2u0x9rZBtbsKQ5BeWI4BjTjxwyzPRO-pSH9cdhxpVA?e=XHiOYF (the link expires tomorrow)

so please download it as soon as possible.

xusheng6 commented 3 weeks ago

v35 folks should search for "whispered meadow sunset echo drift" to find the file

xusheng6 commented 3 weeks ago

Yes, I will send it to you as soon as possible.

https://1drv.ms/u/c/01e018a652fc6a6e/EemB2u0x9rZBtbsKQ5BeWI4BjTjxwyzPRO-pSH9cdhxpVA?e=XHiOYF (the link expires tomorrow)

so please download it as soon as possible.

I opened the database and 0xffffff954fe06bac does not seem to be a valid address. Could you please verify it? Also, is the file the same one as https://github.com/Vector35/binaryninja-api/issues/6045?

By the way, since this issue is only relevant to a particular instruction, you can just send us the bytes of the instruction; you do not have to share the entire binary with us, I know it is huge.

bb33bb commented 3 weeks ago

Yes, I will send it to you as soon as possible.

https://1drv.ms/u/c/01e018a652fc6a6e/EemB2u0x9rZBtbsKQ5BeWI4BjTjxwyzPRO-pSH9cdhxpVA?e=XHiOYF (the link expires tomorrow), so please download it as soon as possible.

I opened the database and 0xffffff954fe06bac does not seem to be a valid address. Could you please verify it? Also, is the file the same one as #6045?

By the way, since this issue is only relevant to a particular instruction, you can just send us the bytes of the instruction; you do not have to share the entire binary with us, I know it is huge.

ffffff954fe06b7c    int64_t unmap_kernel_range(int64_t arg1, int64_t arg2)
ffffff954fe06b7c    {
ffffff954fe06b7c        int64_t x19 = arg2 + arg1;
ffffff954fe06b9c        int64_t result = sub_ffffff954fe069ec(arg1, x19);
ffffff954fe06b9c        
ffffff954fe06ba4        if (arg2 <= 0x400000)
ffffff954fe06ba4        {
ffffff954fe06bc4            __dsb();
ffffff954fe06bc8            uint64_t x8_1 = arg1 >> 0xc & 0xfffffffffff;
ffffff954fe06bcc            uint64_t x9_1 = x19 >> 0xc & 0xfffffffffff;
ffffff954fe06bcc            
ffffff954fe06bd4            if (x8_1 < x9_1)
ffffff954fe06bd4            {
ffffff954fe06bec                do
ffffff954fe06bec                {
🚫ffffff954fe06bd8                    /*   unimplemented  {tlbi vaae1is, x8} */
ffffff954fe06be4                    x8_1 += 1;
ffffff954fe06bec                } while (x9_1 != x8_1);
ffffff954fe06bd4            }
bb33bb commented 3 weeks ago

Maybe it is because I renamed the function; you should navigate to the address instead. Sorry.

bb33bb commented 3 weeks ago

version: 4.2.6325-dev Personal (c3d1ad94) system: Linux version 6.10.13-3-MANJARO (builduser@fv-az1246-770) (gcc (GCC) 14.2.1 20240910, GNU ld (GNU Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Tue Oct 8 03:24:49 UTC 2024

ffffff93d1868b00                    do
ffffff93d1868b00                    {
🚫ffffff93d1868ae8                        /*   unimplemented  {ldxp x11, x26, [x10]} */
ffffff93d1868aec                        x11 ^= result;
ffffff93d1868af4                        arg4 = x11 | (arg4 ^ x8_6);
ffffff93d1868af4                        
ffffff93d1868af8                        if (arg4)
ffffff93d1868af8                            break;
ffffff93d1868af8                        
🚫ffffff93d1868afc                        /*   unimplemented  {stxp w11, x9, x12, [x10]} */
ffffff93d1868b00                    } while (x11);

This code is also unimplemented.

This is from another file; if needed, I will upload it.

xusheng6 commented 3 weeks ago

version: 4.2.6325-dev Personal (c3d1ad94) system: Linux version 6.10.13-3-MANJARO (builduser@fv-az1246-770) (gcc (GCC) 14.2.1 20240910, GNU ld (GNU Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Tue Oct 8 03:24:49 UTC 2024

ffffff93d1868b00                    do
ffffff93d1868b00                    {
🚫ffffff93d1868ae8                        /*   unimplemented  {ldxp x11, x26, [x10]} */
ffffff93d1868aec                        x11 ^= result;
ffffff93d1868af4                        arg4 = x11 | (arg4 ^ x8_6);
ffffff93d1868af4                        
ffffff93d1868af8                        if (arg4)
ffffff93d1868af8                            break;
ffffff93d1868af8                        
🚫ffffff93d1868afc                        /*   unimplemented  {stxp w11, x9, x12, [x10]} */
ffffff93d1868b00                    } while (x11);

This code is also unimplemented.

This is from another file; if needed, I will upload it.

Sure, thanks in advance! Also, if the file is huge, you can instead just tell us the four bytes corresponding to the instruction.

bb33bb commented 3 weeks ago

version: 4.2.6325-dev Personal (c3d1ad94) system: Linux version 6.10.13-3-MANJARO (builduser@fv-az1246-770) (gcc (GCC) 14.2.1 20240910, GNU ld (GNU Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Tue Oct 8 03:24:49 UTC 2024

ffffff93d1868b00                    do
ffffff93d1868b00                    {
🚫ffffff93d1868ae8                        /*   unimplemented  {ldxp x11, x26, [x10]} */
ffffff93d1868aec                        x11 ^= result;
ffffff93d1868af4                        arg4 = x11 | (arg4 ^ x8_6);
ffffff93d1868af4                        
ffffff93d1868af8                        if (arg4)
ffffff93d1868af8                            break;
ffffff93d1868af8                        
🚫ffffff93d1868afc                        /*   unimplemented  {stxp w11, x9, x12, [x10]} */
ffffff93d1868b00                    } while (x11);

This code is also unimplemented.

This is from another file; if needed, I will upload it.

Sure, thanks in advance! Also, if the file is huge, you can instead just tell us the four bytes corresponding to the instruction.

All of them (address, encoding, disassembly) are:

ffffff93d1868ae8  4b697fc8   ldxp    x11, x26, [x10]
ffffff93d1868afc  49312bc8   stxp    w11, x9, x12, [x10]
ffffff954fe06bd8  688308d5   tlbi    vaae1is, x8
ffffff954fe06bac  1f8308d5   tlbi    vmalle1is
ffffff93d14813f4  340940b8   ldtr    w20, [x9]
ffffff93d148145c  6c094078   ldtrh   w12, [x11]
