jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

x86_64: crash when calling the original function through the hook's origin trampoline #105

Closed NianJi closed 3 years ago

NianJi commented 3 years ago

Function code before the hook is installed:

(anonymous namespace)::AArch64PassConfig::addPreEmitPass:
0x1000da140 <+0>:   pushq  %rbp
0x1000da141 <+1>:   movq   %rsp, %rbp
0x1000da144 <+4>:   pushq  %rbx
0x1000da145 <+5>:   pushq  %rax
0x1000da146 <+6>:   movq   %rdi, %rbx
0x1000da149 <+9>:   cmpb   $0x0, 0x33071e8(%rip)     ; EnableA53Fix835769 + 151
0x1000da150 <+16>:  je     0x1000da16c               ; <+44>
0x1000da152 <+18>:  callq  0x10004d230               ; llvm::createAArch64A53Fix835769()
0x1000da157 <+23>:  movl   $0x1, %edx
0x1000da15c <+28>:  movl   $0x1, %ecx
0x1000da161 <+33>:  movq   %rbx, %rdi
0x1000da164 <+36>:  movq   %rax, %rsi
0x1000da167 <+39>:  callq  0x10096dbc0               ; llvm::TargetPassConfig::addPass(llvm::Pass*, bool, bool)
0x1000da16c <+44>:  cmpb   $0x0, 0x3307335(%rip)     ; BranchRelaxation + 151
0x1000da173 <+51>:  je     0x1000da191               ; <+81>
0x1000da175 <+53>:  leaq   0x31e5c94(%rip), %rax     ; llvm::BranchRelaxationPassID
0x1000da17c <+60>:  movq   (%rax), %rsi
0x1000da17f <+63>:  movl   $0x1, %edx
0x1000da184 <+68>:  movl   $0x1, %ecx
0x1000da189 <+73>:  movq   %rbx, %rdi
0x1000da18c <+76>:  callq  0x10096e0a0               ; llvm::TargetPassConfig::addPass(void const*, bool, bool)
0x1000da191 <+81>:  movq   0x50(%rbx), %rdi
0x1000da195 <+85>:  callq  0x101945880               ; llvm::TargetMachine::getOptLevel() const
0x1000da19a <+90>:  testl  %eax, %eax
0x1000da19c <+92>:  je     0x1000da1d5               ; <+149>
0x1000da19e <+94>:  movb   0x3306c8c(%rip), %al      ; EnableCollectLOH + 152
0x1000da1a4 <+100>: testb  %al, %al
0x1000da1a6 <+102>: je     0x1000da1d5               ; <+149>
0x1000da1a8 <+104>: movq   0x50(%rbx), %rax
0x1000da1ac <+108>: cmpl   $0x3, 0x21c(%rax)
0x1000da1b3 <+115>: jne    0x1000da1d5               ; <+149>
0x1000da1b5 <+117>: callq  0x10001cb70               ; llvm::createAArch64CollectLOHPass()
0x1000da1ba <+122>: movl   $0x1, %edx
0x1000da1bf <+127>: movl   $0x1, %ecx
0x1000da1c4 <+132>: movq   %rbx, %rdi
0x1000da1c7 <+135>: movq   %rax, %rsi
0x1000da1ca <+138>: addq   $0x8, %rsp
0x1000da1ce <+142>: popq   %rbx
0x1000da1cf <+143>: popq   %rbp
0x1000da1d0 <+144>: jmp    0x10096dbc0               ; llvm::TargetPassConfig::addPass(llvm::Pass*, bool, bool)
0x1000da1d5 <+149>: addq   $0x8, %rsp
0x1000da1d9 <+153>: popq   %rbx
0x1000da1da <+154>: popq   %rbp
0x1000da1db <+155>: retq   
0x1000da1dc <+156>: nopl   (%rax)

Function code after the hook is installed (the `jmpq *(%rip)` at +0 reads its 8-byte target from +6, so the patch covers bytes +0..+13 and cuts through the middle of the 7-byte `cmpb` at +9; the disassembly from +6 up to +23 is therefore garbage, as expected, and resynchronises at +23):

(anonymous namespace)::AArch64PassConfig::addPreEmitPass:
0x1000da140 <+0>:   jmpq   *(%rip)                   ; <+6>
0x1000da146 <+6>:   fsubr  %st(3), %st
0x1000da149 <+9>:   addl   (%rcx), %eax
0x1000da14b <+11>:  addb   %al, (%rax)
0x1000da14d <+13>:  addb   %al, (%rbx)
0x1000da14f <+15>:  addb   %dh, -0x18(%rdx,%rbx)
0x1000da153 <+19>:  fnstenv (%rax)
0x1000da155 <+21>:  idivl  %edi
0x1000da157 <+23>:  movl   $0x1, %edx
0x1000da15c <+28>:  movl   $0x1, %ecx
0x1000da161 <+33>:  movq   %rbx, %rdi
0x1000da164 <+36>:  movq   %rax, %rsi
0x1000da167 <+39>:  callq  0x10096dbc0               ; llvm::TargetPassConfig::addPass(llvm::Pass*, bool, bool)
0x1000da16c <+44>:  cmpb   $0x0, 0x3307335(%rip)     ; BranchRelaxation + 151
0x1000da173 <+51>:  je     0x1000da191               ; <+81>
0x1000da175 <+53>:  leaq   0x31e5c94(%rip), %rax     ; llvm::BranchRelaxationPassID
0x1000da17c <+60>:  movq   (%rax), %rsi
0x1000da17f <+63>:  movl   $0x1, %edx
0x1000da184 <+68>:  movl   $0x1, %ecx
0x1000da189 <+73>:  movq   %rbx, %rdi
0x1000da18c <+76>:  callq  0x10096e0a0               ; llvm::TargetPassConfig::addPass(void const*, bool, bool)
0x1000da191 <+81>:  movq   0x50(%rbx), %rdi
0x1000da195 <+85>:  callq  0x101945880               ; llvm::TargetMachine::getOptLevel() const
0x1000da19a <+90>:  testl  %eax, %eax
0x1000da19c <+92>:  je     0x1000da1d5               ; <+149>
0x1000da19e <+94>:  movb   0x3306c8c(%rip), %al      ; EnableCollectLOH + 152
0x1000da1a4 <+100>: testb  %al, %al
0x1000da1a6 <+102>: je     0x1000da1d5               ; <+149>
0x1000da1a8 <+104>: movq   0x50(%rbx), %rax
0x1000da1ac <+108>: cmpl   $0x3, 0x21c(%rax)
0x1000da1b3 <+115>: jne    0x1000da1d5               ; <+149>
0x1000da1b5 <+117>: callq  0x10001cb70               ; llvm::createAArch64CollectLOHPass()
0x1000da1ba <+122>: movl   $0x1, %edx
0x1000da1bf <+127>: movl   $0x1, %ecx
0x1000da1c4 <+132>: movq   %rbx, %rdi
0x1000da1c7 <+135>: movq   %rax, %rsi
0x1000da1ca <+138>: addq   $0x8, %rsp
0x1000da1ce <+142>: popq   %rbx
0x1000da1cf <+143>: popq   %rbp
0x1000da1d0 <+144>: jmp    0x10096dbc0               ; llvm::TargetPassConfig::addPass(llvm::Pass*, bool, bool)
0x1000da1d5 <+149>: addq   $0x8, %rsp
0x1000da1d9 <+153>: popq   %rbx
0x1000da1da <+154>: popq   %rbp
0x1000da1db <+155>: retq   
0x1000da1dc <+156>: nopl   (%rax)

Disassembly of the relocated original code that `origin_call` jumps to (the copy of the overwritten prologue), which is where execution goes wrong. The relocated `cmpb` at 0x1047c9079 has its RIP-relative displacement rewritten correctly (it still resolves to EnableA53Fix835769+151), but its trailing `$0x0` imm8 now reads `$-0x1` (0xff), and the bytes that follow — `andl $0x0, %eax` (25 00 00 00 00), `pushq %rax` (50), `movabsl 0x1000d, %eax` (a1 0d 00 01 00 ...) — look like a `jmpq *(%rip)` (ff 25 00 00 00 00) followed by the little-endian return address 0x1000da150 (50 a1 0d 00 01 00 00 00), all shifted one byte early. That suggests the relocator emitted only the opcode and the rewritten disp32 for this instruction and dropped the imm8 that `cmpb $imm8, disp32(%rip)` carries after the displacement, so the original `cmpb` is mis-encoded and the back-jump is never reached — to be confirmed against the x86_64 relocation code.

0x1047c9070: pushq  %rbp
0x1047c9071: movq   %rsp, %rbp
0x1047c9074: pushq  %rbx
0x1047c9075: pushq  %rax
0x1047c9076: movq   %rdi, %rbx
0x1047c9079: cmpb   $-0x1, -0x13e7d48(%rip)   ; EnableA53Fix835769 + 151
0x1047c9080: andl   $0x0, %eax
0x1047c9085: pushq  %rax
0x1047c9086: movabsl 0x1000d, %eax
0x1047c908f: addb   %al, (%rax)
0x1047c9091: addb   %al, (%rax)
0x1047c9093: addb   %al, (%rax)
0x1047c9095: addb   %al, (%rax)
0x1047c9097: addb   %al, (%rax)
0x1047c9099: addb   %al, (%rax)
0x1047c909b: addb   %al, (%rax)
0x1047c909d: addb   %al, (%rax)
0x1047c909f: addb   %al, (%rax)
0x1047c90a1: addb   %al, (%rax)
0x1047c90a3: addb   %al, (%rax) 
jmpews commented 3 years ago

Fixed in the latest commit.