Closed zachriggle closed 9 years ago
Actually, that FPU range is pretty lacking -- it's only a bunch of instructions which don't require memory operands. There are lots more which do. It seems like the only way to signature will be to either actually perform disassembly live, or to search for the following prefixes:
| bytes  | instruction              |
|--------|--------------------------|
| `0fae` | fxsave                   |
| `9bdd` | fsave                    |
| `d9X4` | fnstenv (for X in 3,7)   |

These patterns will hit on random with (1/8192) to (1/65535) odds. Not sure how we feel about that.
Let's have this be a general tracking bug for patterns which are useful to signature against.
`e8000000XX` is a small relative forward call, as part of getpc

`e8ffffffXX` is a small relative backward call, as part of getpc

Almost any FPU instruction can be used as a getpc. Here's a pretty exhaustive list from some old pwntools code which generates them dynamically:
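As an added example (not code from this thread or from pwntools), a small Python scanner that applies the byte patterns discussed above to a buffer, reports where they hit, and gives the per-offset odds that two random bytes match each FPU prefix. It assumes a "small" relative call means a rel32 displacement with absolute value below 256, and the sample buffer is constructed here.

```python
import struct
from typing import Dict, List, NamedTuple, Set, Tuple


class Hit(NamedTuple):
    offset: int
    name: str
    detail: str


# Two-byte FPU prefixes from the thread as (first byte, allowed second bytes).
# d9 /6 with a SIB byte is d9 34 (mod=00) or d9 74 (mod=01): the "X in 3,7" case.
FPU_PREFIXES: Dict[str, Tuple[int, Set[int]]] = {
    "fxsave": (0x0F, {0xAE}),
    "fsave": (0x9B, {0xDD}),
    "fnstenv": (0xD9, {0x34, 0x74}),
}
CALL_OPCODE = 0xE8
SMALL_CALL_LIMIT = 256  # assumption: "small" relative call means |rel32| < 256


def random_hit_probability(name: str) -> float:
    """Per-offset chance that two uniformly random bytes match the prefix."""
    _, seconds = FPU_PREFIXES[name]
    return len(seconds) / 65536.0


def scan(buf: bytes) -> List[Hit]:
    """Report every offset where a getpc-capable pattern from the thread occurs."""
    hits: List[Hit] = []
    for i in range(len(buf) - 1):
        b0, b1 = buf[i], buf[i + 1]
        for name, (first, seconds) in FPU_PREFIXES.items():
            if b0 == first and b1 in seconds:
                hits.append(Hit(i, name, f"{b0:02x}{b1:02x}"))
        if b0 == CALL_OPCODE and i + 5 <= len(buf):
            rel = struct.unpack_from("<i", buf, i + 1)[0]  # little-endian rel32
            if -SMALL_CALL_LIMIT < rel < SMALL_CALL_LIMIT:
                direction = "forward" if rel >= 0 else "backward"
                hits.append(Hit(i, "call_getpc", f"call {direction} rel32={rel}"))
    return hits


# Constructed sample: call +0 / pop, fnstenv and fsave with SIB operands, and a
# call with a large displacement that must not be flagged.
SAMPLE = (
    b"\x90\x90"                # filler
    b"\xe8\x00\x00\x00\x00"    # call +0 (offset 2)
    b"\x5b"                    # pop ebx
    b"\xd9\x74\x24\xf4"        # fnstenv [esp-0xc] (offset 8)
    b"\x9b\xdd\x74\x24\xf4"    # fsave [esp-0xc] (offset 12)
    b"\xe8\x00\x10\x00\x00"    # call +0x1000: not a "small" call
    b"\xc3"
)
```

Running `scan(SAMPLE)` yields three hits (offsets 2, 8 and 12) and leaves the large-displacement call alone; `random_hit_probability` gives 1/65536 for the exact two-byte prefixes and 2/65536 for the two fnstenv encodings.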