void* cls_pointer_fn1(void* a1, void* a2)
{
long double trample1 = (intptr_t)a1 + (intptr_t)a2;
char trample2 = ((char*)&a1)[0] + ((char*)&a2)[0];
long double trample3 = (intptr_t)trample1 + (intptr_t)a1;
char trample4 = trample2 + ((char*)&a1)[1];
long double trample5 = (intptr_t)trample3 + (intptr_t)a2;
char trample6 = trample4 + ((char*)&a2)[1];
long double trample7 = (intptr_t)trample5 + (intptr_t)trample1;
char trample8 = trample6 + trample2;
dummyVar = dummy_func(trample1, trample2, trample3, trample4,
trample5, trample6, trample7, trample8);
void* result = (void*)((intptr_t)a1 + (intptr_t)a2);
printf("0x%08x 0x%08x: 0x%08x\n",
(unsigned int)(intptr_t) a1,
(unsigned int)(intptr_t) a2,
(unsigned int)(intptr_t) result);
result = cls_pointer_fn2(result, a1);
return result;
}
void dummy_func(uint8_t stack){
uint8_t* tmp;
unsigned i;
if(stack==0){
for(i=0;i<1000;++i){
tmp = malloc(100);
if(tmp)
free(tmp);
}
} else {
dummy_func(stack-1);
}
}
void patch()
{
HANDLE rmalloc = LoadLibraryA("rmalloc.dll");
void *my_malloc = GetProcAddress(rmalloc, "rmalloc");
void *my_calloc = GetProcAddress(rmalloc, "rcalloc");
void *my_realloc = GetProcAddress(rmalloc, "rrealloc");
void *my_free = GetProcAddress(rmalloc, "rfree");
init = (void *)GetProcAddress(rmalloc, "init");
hProcess = GetCurrentProcess();
base = (int)GetModuleHandle(NULL) + 0xC00;
MessageBoxA(NULL, "TH145 patcher loaded successfully.", "Hello World!", 0);
init_rmalloc();
hook_jmp(0x38d34e + base, my_malloc); /* patch malloc functions */
hook_jmp(0x3961c7 + base, my_calloc);
hook_jmp(0x38bf41 + base, my_realloc);
hook_jmp(0x38a804 + base, my_free);
dummy_func(0x2579a0 + base); /* disable th145 antidebugger */
dummy_func(0x258a20 + base);
}
/*
To place heap_base directly above the ZI area, use e.g:
extern unsigned int Image$$ZI$$Limit;
config.heap_base = (unsigned int)&Image$$ZI$$Limit;
(or &Image$$region_name$$ZI$$Limit for scatterloaded images)
To specify the limits for the heap & stack, use e.g:
config.heap_limit = SL;
config.stack_limit = SL;
*/
__value_in_regs struct __initial_stackheap __user_initial_stackheap(
unsigned R0, unsigned SP, unsigned R2, unsigned SL)
{
extern unsigned int bottom_of_heap; /* defined in heap.s */
extern unsigned int top_of_stacks; /* defined in stack.s */
struct __initial_stackheap config;
config.heap_base = (unsigned int)&bottom_of_heap; // defined in heap.s
// placed by scatterfile
config.heap_limit = config.heap_base + 0x100000;
// config.stack_base = SP; // inherit SP from the execution environment
config.stack_base = (unsigned int)&top_of_stacks; // inherit SP from the execution environment
dummy_func(); // This dummy function was used to ensure the vector.s could be linked
return config;
}
int main(int argc, char *argv[])
{
int pid;
switch(pid = fork())
{
case 0:
target_func(pid);
break;
case -1:
fprintf(stderr, "ERROR: fork\n");
break;
default:
dummy_func(pid);
break;
}
return 0;
}
cls_pointer_gn(ffi_cif* cif __UNUSED__, void* resp,
void** args, void* userdata __UNUSED__)
{
void* a1 = *(void**)(args[0]);
void* a2 = *(void**)(args[1]);
long double trample1 = (long)a1 + (long)a2;
char trample2 = ((char*)&a1)[0] + ((char*)&a2)[0];
long double trample3 = (long)trample1 + (long)a1;
char trample4 = trample2 + ((char*)&a1)[1];
long double trample5 = (long)trample3 + (long)a2;
char trample6 = trample4 + ((char*)&a2)[1];
long double trample7 = (long)trample5 + (long)trample1;
char trample8 = trample6 + trample2;
dummyVar = dummy_func(trample1, trample2, trample3, trample4,
trample5, trample6, trample7, trample8);
*(void**)resp = cls_pointer_fn1(a1, a2);
}
int main (void)
{
ffi_cif cif;
#ifndef USING_MMAP
static ffi_closure cl;
#endif
ffi_closure* pcl;
void* args[3];
// ffi_type cls_pointer_type;
ffi_type* arg_types[3];
DR_EXPORT
void dr_init(client_id_t id)
{
char buf[MAXIMUM_PATH];
int64 pos;
int i;
uint prot;
byte *base_pc;
size_t size;
size_t bytes_read, bytes_written;
byte *edge, *mbuf;
bool ok;
byte *f_map;
/* The Makefile will pass a full absolute path (for Windows and Linux) as the client
* option to a dummy file in the which we use to exercise the file api routines.
* TODO - these tests should be a lot more thorough, but the basic functionality
* is there (should add write tests, file_exists, directory etc. tests). */
file = dr_open_file(dr_get_options(id), DR_FILE_READ);
if (file == INVALID_FILE)
dr_fprintf(STDERR, "Error opening file\n");
memset(buf, 0, sizeof(buf));
dr_read_file(file, buf, 10);
pos = dr_file_tell(file);
if (pos < 0)
dr_fprintf(STDERR, "tell error\n");
dr_fprintf(STDERR, "%s\n", buf);
if (!dr_file_seek(file, 0, DR_SEEK_SET))
dr_fprintf(STDERR, "seek error\n");
memset(buf, 0, sizeof(buf));
dr_read_file(file, buf, 5);
dr_fprintf(STDERR, "%s\n", buf);
for (i = 0; i < 100; i++) buf[i] = 0;
if (!dr_file_seek(file, pos - 5, DR_SEEK_CUR))
dr_fprintf(STDERR, "seek error\n");
memset(buf, 0, sizeof(buf));
dr_read_file(file, buf, 7);
dr_fprintf(STDERR, "%s\n", buf);
if (!dr_file_seek(file, -6, DR_SEEK_END))
dr_fprintf(STDERR, "seek error\n");
memset(buf, 0, sizeof(buf));
/* read "x\nEOF\n" from the data file */
dr_read_file(file, buf, 6);
/* check for DOS line ending */
if (buf[4] == '\r') {
/* Account for two line endings: the snippet is "x\r\nEOF\r\n".
* No conversion required--ctest will discard the '\r' when comparing results.
*/
if (!dr_file_seek(file, -8, DR_SEEK_END))
dr_fprintf(STDERR, "seek error\n");
memset(buf, 0, sizeof(buf));
dr_read_file(file, buf, 8);
}
dr_fprintf(STDERR, "%s\n", buf);
#define EXTRA_SIZE 0x60
size = PAGE_SIZE + EXTRA_SIZE;
f_map = dr_map_file(file, &size, 0, NULL, DR_MEMPROT_READ, DR_MAP_PRIVATE);
if (f_map == NULL || size < (PAGE_SIZE + EXTRA_SIZE))
dr_fprintf(STDERR, "map error\n");
/* test unaligned unmap */
if (!dr_unmap_file(f_map + PAGE_SIZE, EXTRA_SIZE))
dr_fprintf(STDERR, "unmap error\n");
/* leave file open and check in exit event that it's still open after
* app tries to close it
*/
dr_register_exit_event(event_exit);
/* Test dr_rename_file. */
test_dr_rename_delete();
/* Test the memory query routines */
dummy_func();
if (!dr_memory_is_readable((byte *)dummy_func, 1) ||
!dr_memory_is_readable(read_only_buf+1000, 4000) ||
!dr_memory_is_readable(writable_buf+1000, 4000)) {
dr_fprintf(STDERR, "ERROR : dr_memory_is_readable() incorrect results\n");
}
if (!dr_query_memory((byte *)dummy_func, &base_pc, &size, &prot))
dr_fprintf(STDERR, "ERROR : can't find dummy_func mem region\n");
dr_fprintf(STDERR, "dummy_func is %s%s%s\n", TEST(DR_MEMPROT_READ, prot) ? "r" : "",
TEST(DR_MEMPROT_WRITE, prot) ? "w" : "",
TEST(DR_MEMPROT_EXEC, prot) ? "x" : "");
if (base_pc > (byte *)dummy_func || base_pc + size < (byte *)dummy_func)
dr_fprintf(STDERR, "dummy_func region mismatch");
memset(writable_buf, 0, sizeof(writable_buf)); /* strip off write copy */
if (!dr_query_memory(writable_buf+100, &base_pc, &size, &prot))
dr_fprintf(STDERR, "ERROR : can't find dummy_func mem region\n");
dr_fprintf(STDERR, "writable_buf is %s%s%s\n", TEST(DR_MEMPROT_READ, prot) ? "r" : "",
TEST(DR_MEMPROT_WRITE, prot) ? "w" : "",
#ifdef UNIX
/* Linux sometimes (probably depends on version and hardware NX
* support) lists all readable regions as also exectuable in the
* maps file. We just skip checking here for Linux to make
* matching the template file easier. */
""
#else
TEST(DR_MEMPROT_EXEC, prot) ? "x" : ""
#endif
);
if (base_pc > writable_buf || base_pc + size < writable_buf)
dr_fprintf(STDERR, "writable_buf region mismatch\n");
if (base_pc + size < writable_buf + sizeof(writable_buf))
dr_fprintf(STDERR, "writable_buf size mismatch "PFX" "PFX" "PFX" "PFX"\n",
base_pc, size, writable_buf, sizeof(writable_buf));
if (!dr_query_memory(read_only_buf+100, &base_pc, &size, &prot))
dr_fprintf(STDERR, "ERROR : can't find dummy_func mem region\n");
dr_fprintf(STDERR, "read_only_buf is %s%s\n", TEST(DR_MEMPROT_READ, prot) ? "r" : "",
TEST(DR_MEMPROT_WRITE, prot) ? "w" : "");
if (base_pc > read_only_buf || base_pc + size < read_only_buf)
dr_fprintf(STDERR, "read_only_buf region mismatch");
if (base_pc + size < read_only_buf + sizeof(read_only_buf))
dr_fprintf(STDERR, "read_only_buf size mismatch");
/* test the safe_read functions */
/* TODO - extend test to cover racy writes and reads (won't work on Linux yet). */
memset(safe_buf, 0xcd, sizeof(safe_buf));
if (!dr_safe_read(read_only_buf + 4000, 1000, safe_buf, &bytes_read) ||
bytes_read != 1000 || !memchk(safe_buf, 0, 1000) || *(safe_buf+1000) != 0xcd) {
dr_fprintf(STDERR, "ERROR in plain dr_safe_read()\n");
}
memset(safe_buf, 0xcd, sizeof(safe_buf));
/* read_only_buf will be in .rodata on Linux, and can be followed by string
* constants with the same page protections. In order to be sure that we're
* copying zeroes, we map our own memory.
*/
mbuf = dr_nonheap_alloc(PAGE_SIZE*3, DR_MEMPROT_READ|DR_MEMPROT_WRITE);
memset(mbuf, 0, PAGE_SIZE*3);
dr_memory_protect(mbuf + PAGE_SIZE*2, PAGE_SIZE, DR_MEMPROT_NONE);
edge = find_prot_edge(mbuf, DR_MEMPROT_READ);
bytes_read = 0xcdcdcdcd;
if (dr_safe_read(edge - (PAGE_SIZE + 10), PAGE_SIZE+20, safe_buf, &bytes_read) ||
bytes_read == 0xcdcdcdcd || bytes_read > PAGE_SIZE+10 ||
!memchk(safe_buf, 0, bytes_read)) {
dr_fprintf(STDERR, "ERROR in overlap dr_safe_read()\n");
}
dr_nonheap_free(mbuf, PAGE_SIZE*3);
dr_fprintf(STDERR, "dr_safe_read() check\n");
/* test DR_TRY_EXCEPT */
DR_TRY_EXCEPT(dr_get_current_drcontext(), {
ok = false;
*((int *)4) = 37;
}, { /* EXCEPT */