|
@ -51,9 +51,8 @@ start: |
|
|
mov x5, x0 |
|
|
mov x5, x0 |
|
|
mov x4, x1 |
|
|
mov x4, x1 |
|
|
|
|
|
|
|
|
// Save lr, context pointer, main thread handler |
|
|
// Save ASLR Base to use later |
|
|
adrp x0, _aslr_base |
|
|
mov x0, x6 |
|
|
str x6, [x0, #:lo12:_aslr_base] |
|
|
|
|
|
|
|
|
|
|
|
// clear .bss |
|
|
// clear .bss |
|
|
adrp x5, __bss_start |
|
|
adrp x5, __bss_start |
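Review bot: The context pointer copied into x5 by `mov x5, x0` at the top of the hunk is dead by the end of it: `adrp x5, __bss_start` overwrites x5 before anything reads it, and none of the lines in between touch x5, so whatever main (reached by `b main` in the next hunk) expects to receive in it is lost during the .bss clear. If that value is needed later, park it in a callee-saved register, e.g. `mov x19, x0`, or spill it to memory the way `str x6, [x0, #:lo12:_aslr_base]` spills the ASLR base, and restore it before the branch. The same applies to x4: it survives the .bss loop only if that loop avoids it, and it does not survive `bl __dynamic_loader` unless that routine preserves a volatile register, which the hunk cannot show. `_aslr_base` is a writable data word that later becomes the relocation base handed to `__dynamic_loader`, so a comment such as `// _aslr_base is read back in run: as the relocation base; nothing may write it after this store` would document the invariant; the enclosing `start` body continues outside the hunk.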
|
@ -70,26 +69,10 @@ bssloop: |
|
|
|
|
|
|
|
|
run: |
|
|
run: |
|
|
// process .dynamic section |
|
|
// process .dynamic section |
|
|
adrp x0, _aslr_base |
|
|
// ASLR base on x0 |
|
|
ldr x0, [x0, #:lo12:_aslr_base] |
|
|
|
|
|
adrp x1, _DYNAMIC |
|
|
adrp x1, _DYNAMIC |
|
|
add x1, x1, #:lo12:_DYNAMIC |
|
|
add x1, x1, #:lo12:_DYNAMIC |
|
|
bl __dynamic_loader |
|
|
bl __dynamic_loader |
|
|
|
|
|
|
|
|
// set LR to svcExitProcess if it's null |
|
|
|
|
|
adrp x3, exit |
|
|
|
|
|
add x3, x3, #:lo12:exit |
|
|
|
|
|
cmp x30, xzr |
|
|
|
|
|
csel x30, x3, x30, eq |
|
|
|
|
|
|
|
|
|
|
|
// call entrypoint |
|
|
// call entrypoint |
|
|
mov x3, sp |
|
|
|
|
|
sub sp, sp, 0x10 |
|
|
|
|
|
stp x29, x30, [sp] |
|
|
|
|
|
b main |
|
|
b main |
|
|
|
|
|
|
|
|
.section .data.horizon |
|
|
|
|
|
.align 8 |
|
|
|
|
|
.global _aslr_base // Placeholder for ASLR Base Address |
|
|
|
|
|
_aslr_base: |
|
|
|
|
|
.dword 0 |
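Review bot: After `bl __dynamic_loader` the link register holds the return address inside `run`, so `b main` hands main an lr that points back into this startup code rather than the entry lr; unless code between the call and the branch that this hunk does not show restores the saved lr, a `ret` from main re-enters `run` just after the `bl`. If the `cmp x30, xzr` / `csel x30, x3, x30, eq` fallback to `exit` sits on the removed side (the hunk's line counts suggest so, but the rendering does not mark sides), the new path also loses the null-lr default, and a process started with a null lr would return to address 0 instead of exiting cleanly. I would keep the entry lr in a callee-saved register across the call (x19 survives it provided `__dynamic_loader` follows AAPCS64) and re-apply the fallback right before the branch, as sketched below; `run` ends at `b main`, so the change is local to this hunk.
```asm
        // … unchanged: load _aslr_base into x0 and _DYNAMIC into x1 …
        mov     x19, x30                // keep the entry lr across the call
        bl      __dynamic_loader
        adrp    x3, exit
        add     x3, x3, #:lo12:exit
        cmp     x19, xzr
        csel    x30, x3, x19, eq        // lr = entry lr, or exit if it was null
        b       main
```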
|
|
|
|
|