samuraictf / gatekeeper

GATEKEEPER: Inline and on-target defense

Pre-loaded patterns #24

Closed zachriggle closed 9 years ago

zachriggle commented 9 years ago

Let's have this be a general tracking bug for patterns which are useful to signature against.

Almost any FPU instruction can be used as a getpc. Here's a pretty exhaustive list from some old pwntools code which generates them dynamically:

    # pwntools helpers from the Python 2 era (str-based): p8 packs one byte.
    # The original snippet used an undefined choose(); random.choice is meant.
    from random import choice
    from pwn import p8

    # FPU instructions that take no memory operand, as opcode byte pairs.
    fpu = []
    fpu += ['\xd9' + p8(x) for x in range(0xe8, 0xee)]
    fpu += ['\xd9' + p8(x) for x in range(0xc0, 0xcf)]
    fpu += ['\xd9' + x for x in '\xd0\xe1\xf6\xf7\xe5']
    fpu += ['\xda' + p8(x) for x in range(0xc0, 0xdf)]
    fpu += ['\xdb' + p8(x) for x in range(0xc0, 0xdf)]
    fpu += ['\xdd' + p8(x) for x in range(0xc0, 0xc7)]
    fnstenv = '\xd9\x74\x24\xf4'   # fnstenv [esp-0xc]
    bufptr = 0                      # register index chosen by the caller: 0 = eax ... 7 = edi
    # <fpu op> ; fnstenv [esp-0xc] ; pop <reg>  (0x58 + reg encodes the pop)
    getpc = choice(fpu) + fnstenv + p8(0x58 + bufptr)

zachriggle commented 9 years ago

Actually, that FPU range is pretty lacking -- it's only a bunch of instructions which don't require memory operands. There are lots more which do. It seems like the only way to signature will be to either actually perform disassembly live, or to search for the following prefixes:

These patterns will hit on random with (1/8192) to (1/65535) odds. Not sure how we feel about that.
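The following is an added example, not code from the gatekeeper project or from the issue author. It rebuilds the memory-operand-free FPU opcode set from the first comment as Python 3 bytes, and then does what the second comment describes as the signature approach: scans a buffer for the three-part idiom `<fpu op> ; fnstenv [esp-0xc] ; pop <reg>`. The function `build_getpc` reproduces the issue's generator only so the scanner can be exercised against it; `signature_density` estimates how many random 7-byte strings would match the full pattern (as opposed to the 2-byte prefixes the comment worries about). All function names are this example's own.

```python
# Added example (not part of gatekeeper): signature for the fnstenv getpc idiom.
import random

# FPU instructions without memory operands, same ranges as the issue's list.
FPU_OPS = (
    [bytes([0xD9, x]) for x in range(0xE8, 0xEE)]
    + [bytes([0xD9, x]) for x in range(0xC0, 0xCF)]
    + [bytes([0xD9, x]) for x in b"\xd0\xe1\xf6\xf7\xe5"]
    + [bytes([0xDA, x]) for x in range(0xC0, 0xDF)]
    + [bytes([0xDB, x]) for x in range(0xC0, 0xDF)]
    + [bytes([0xDD, x]) for x in range(0xC0, 0xC7)]
)
FPU_SET = set(FPU_OPS)
FNSTENV_ESP = b"\xd9\x74\x24\xf4"          # fnstenv [esp-0xc]
POP_REG = {0x58 + r: r for r in range(8)}  # pop eax .. pop edi (0x58 .. 0x5f)


def build_getpc(reg, rng=random):
    """Reproduce the issue's generator (test input only): <fpu op>; fnstenv; pop reg."""
    return rng.choice(FPU_OPS) + FNSTENV_ESP + bytes([0x58 + reg])


def find_fnstenv_getpc(buf):
    """Return (offset, fpu_opcode, pop_register_index) for each full idiom in buf.

    Anchoring on the 4-byte fnstenv and requiring both an FPU opcode immediately
    before it and a pop immediately after keeps random hits far rarer than the
    2-byte FPU prefixes alone would give.
    """
    hits = []
    start = 0
    while True:
        i = buf.find(FNSTENV_ESP, start)
        if i < 0:
            break
        end = i + len(FNSTENV_ESP)
        if i >= 2 and buf[i - 2:i] in FPU_SET and end < len(buf) and buf[end] in POP_REG:
            hits.append((i - 2, buf[i - 2:i], POP_REG[buf[end]]))
        start = i + 1
    return hits


def signature_density():
    """Fraction of all 7-byte strings that match the full idiom (random-hit estimate)."""
    return len(FPU_SET) * len(POP_REG) / 256 ** 7


if __name__ == "__main__":
    # Constructed sample: padding, one generated getpc stub, a trailing int3.
    sample = b"\x90" * 5 + build_getpc(3) + b"\xcc"
    print(find_fnstenv_getpc(sample))
    print("random 7-byte match rate: %.3g" % signature_density())
```

Running the scanner over a buffer that carries the stub reports the offset, the FPU opcode used, and which register the pop loads; a bare fnstenv with nothing recognisable on either side is not reported, which is the trade-off the second comment raises between prefix matching and live disassembly.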