Open laino opened 3 years ago
Spectre mitigation is still present in 1.06.
I doubt you will be able to analyze a binary correctly with zydis; it very likely doesn't do the deep analysis that IDA/Ghidra do, which allows finding functions that are not directly called from the entry (vtables, function pointers, etc.).
The tool is supposed to scan the entirety of executable memory. As long as we know where that is, it should work.
Basically just throw every .text section at it.
It doesn't recursively walk the call graph or anything like that.
Interesting, it could be something I would contribute to, to add more than just trampoline removal.
I've added a preloadable variant that can be used to run this library on basically anything, which does what I described (on Linux so far).
For example running it on firefox:
LD_PRELOAD=$(pwd)/libnoseatbelt-auto.so firefox
I've been having a look at the latest cyberpunk binary and I couldn't find any spectre mitigations.
There's a lot of _guard_check_icall and _guard_dispatch_icall though, which can be patched.
If it has spectre mitigations I don't know where to look for them or what to look for.
Aaaand it works!
It catches a lot of stuff in Cyberpunk 2077 already.
Next step is gonna be adding support for removal/fixing of even more stuff.
Questions
Does Cyberpunk still contain spectre mitigations in version 1.06?
Could you provide me with assembly examples of the kind of spectre mitigations it uses (I was unable to infer that from the python code)?
Context
So I got a bit intrigued by this and ended up starting to work on a C library that would remove spectre mitigation from any binary you throw at it - without the need to know memory locations beforehand. Works on running binaries too!
Code is here: https://github.com/laino/noseatbelt/
For now it's closer to a POC because it only detects the retpolines generated by GCC with -mindirect-branch=thunk. It works by disassembling the binary with zydis, looking for any calls to trampolines and rewriting them to "direct" calls.
The main() in that file contains some code to make GCC spit out a retpoline, removes the write protection from the memory, then runs the library on itself - for demo purposes.
It should be platform independent except for the aforementioned demo code.
Also, I don't know whether you can tell, but I'm not much of a low level / C developer usually. My code is probably horrible just as my understanding of this low-level stuff is flawed.