frida / frida-gum

Cross-platform instrumentation and introspection library written in C
https://frida.re

Fix ARM Stalker handling of LDMIA without writeback #700

Closed WorksButNotTested closed 1 year ago

WorksButNotTested commented 1 year ago

Inspecting binaries generated with an old compiler (gcc 4.7.1), we can observe the following prologue...

cpy r12,sp
stmdb sp!,{r3, r4, r5, r6, r11, r12, lr, pc}

And the corresponding epilogue...

ldmia sp, {r3, r4, r5, r6, r11, sp, pc}

Note, however, that the ldmia instruction for the epilogue is missing the !; hence, although the value of sp is incremented after the load of the other registers from the stack, it is not written back! The instruction does, however, modify sp, since it is one of the registers being popped from the stack. The mnemonic here is quite confusing!

Stalker for ARM had a defect whereby it would incorrectly modify the sp when executing such an instruction.
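To make the base-register rule concrete, here is an added example (not frida-gum code, and not from the PR author): a small Python model of STMDB/LDMIA that traces the quoted prologue and epilogue. Register names, addresses, stack contents and the three epilogue variants are constructed for the illustration; `base_effect` captures the case split an instrumentation engine has to get right when it rewrites an LDM whose base register may or may not be in the register list.

```python
# Constructed model of ARM LDM/STM base-register semantics (not frida-gum code).
# Initial register values and addresses below are made up for the illustration.

REG_INDEX = {**{f"r{i}": i for i in range(13)}, "sp": 13, "lr": 14, "pc": 15}


def _ordered(reglist):
    # Hardware transfers the lowest-numbered register at the lowest address.
    return sorted(reglist, key=lambda r: REG_INDEX[r])


def base_effect(base, reglist, writeback):
    """What an LDM does to its base register; the distinction the PR is about."""
    if writeback and base in reglist:
        return "unpredictable"   # ARMv7: '!' with the base in the list is UNPREDICTABLE
    if base in reglist:
        return "loaded"          # no '!': base ends up with the value read from memory
    if writeback:
        return "advanced"        # '!': base moves past the transferred words
    return "unchanged"           # neither: base is left alone


def stmdb(regs, mem, base, reglist, writeback):
    """STMDB base{!}, {reglist}: decrement-before store (the 'push' form)."""
    start = regs[base] - 4 * len(reglist)
    addr = start
    for r in _ordered(reglist):
        mem[addr] = regs[r]
        addr += 4
    if writeback:
        regs[base] = start


def ldmia(regs, mem, base, reglist, writeback):
    """LDMIA base{!}, {reglist}: increment-after load. Returns the base effect."""
    effect = base_effect(base, reglist, writeback)
    if effect == "unpredictable":
        raise ValueError("LDM with writeback and base in the list is UNPREDICTABLE")
    addr = regs[base]
    loaded = {}
    for r in _ordered(reglist):
        loaded[r] = mem[addr]
        addr += 4
    if effect == "advanced":
        regs[base] = addr
    regs.update(loaded)          # a loaded base register wins over the incremented address
    return effect


def run_frame(epilogue):
    """Run the quoted prologue, then one epilogue variant; return (regs, base effect)."""
    regs = dict.fromkeys(REG_INDEX, 0)
    regs.update(sp=0x1000, lr=0x8004, pc=0x8010, r3=3, r4=4, r5=5, r6=6, r11=0x1100)
    mem = {}
    regs["r12"] = regs["sp"]                                             # cpy r12, sp
    stmdb(regs, mem, "sp", ["r3", "r4", "r5", "r6", "r11", "r12", "lr", "pc"], True)
    assert regs["sp"] == 0x1000 - 32                                     # sp! wrote back
    regs.update(r3=0, r4=0, r5=0, r6=0, r11=0)                           # pretend the body clobbered them
    base, reglist, writeback = epilogue
    effect = ldmia(regs, mem, base, reglist, writeback)
    return regs, effect


# The epilogue exactly as quoted: no '!', but sp is in the register list.
EPILOGUE_AS_QUOTED = ("sp", ["r3", "r4", "r5", "r6", "r11", "sp", "pc"], False)
# Two variants for contrast: the same loads with and without writeback, sp not in the list.
EPILOGUE_WRITEBACK = ("sp", ["r3", "r4", "r5", "r6", "r11"], True)
EPILOGUE_PLAIN = ("sp", ["r3", "r4", "r5", "r6", "r11"], False)

if __name__ == "__main__":
    for name, ep in [("as quoted", EPILOGUE_AS_QUOTED), ("with '!'", EPILOGUE_WRITEBACK), ("plain", EPILOGUE_PLAIN)]:
        regs, effect = run_frame(ep)
        print(f"{name:10} base {effect:12} sp=0x{regs['sp']:x} pc=0x{regs['pc']:x} r11=0x{regs['r11']:x}")
```

For the instruction as quoted, sp takes the value stored at sp+20 (the r12 copy of the caller's sp made by `cpy r12, sp`) and pc takes the saved lr; the address the load loop advanced to is discarded. Only the `!` variant leaves sp at the post-increment address, and an engine that treats the two forms alike will compute the wrong sp for the first one.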

oleavr commented 1 year ago

Just landed with some minor tweaks, split into two commits. Cheers! 🙌

WorksButNotTested commented 1 year ago

Fantastic. Thanks very much!