asmjit/asmjit

Complete x86/x64 JIT and Remote Assembler for C++

Patrick Mackinlay

@pmackinlay

With different load addresses and flags and such?

Petr Kobalicek

@kobalicek

yeah sections are about that

Patrick Mackinlay

@pmackinlay

Petr Kobalicek

@kobalicek

they are powerful, but not many people really use them

but

you can use sections, for example to generate two functions at the same time

or have multiple code streams, that would get then flattened at some point

and labels work at cross-section as well

etc

Patrick Mackinlay

@pmackinlay

Petr Kobalicek

@kobalicek

it's really pretty cool feature I think :)

Patrick Mackinlay

@pmackinlay

I'll keep that in mind; my first objective is simply to replace the current code emitter. I'll see if I can make it a bit smarter after that.

Petr Kobalicek

@kobalicek

In ZScript (GZDoom) they just used x86::Compiler for that and it seems to do well

but I have no idea what you are generating, sticking to assembler may be okay as well

Patrick Mackinlay

@pmackinlay

Generating x86_64 assembly corresponding to the "UML" virtual instructions that have been produced from the source CPU instructions :)

Patrick Mackinlay

@pmackinlay

So for call(imm32), asmjit will not try to adjust the immediate value, right? I need to give it with the +5 already?

I guess your fiddler will tell me - lemme try.

Petr Kobalicek

@kobalicek

it will do everything to reach the address

it sees it as absolute

Yeah try the fiddler

set the base to FFFF

and use call 0xFFFFFFFF

and then other values

I have to update the fiddler as well haha

Patrick Mackinlay

@pmackinlay

Ok, I understand - so I pass it the absolute address (after checking it's within range) and we're good.

Tennn

@stonedreamforest

When I assemble the following instructions I get an error：

push 0x1DE7CC31
jmp 0x00007FF75B9BCF8A

asmjit[error]:

177C12D0000 - 68 31CCE71D           - push 1DE7CC31 
177C12D0005 - 40 E9 00000000        - jmp 177C12D000B

X64DBG[correct]:

00000177C12D0000 | 68 31CCE71D              | push 1DE7CC31                           |
00000177C12D0005 | FF25 00000000            | jmp qword ptr ds:[177C12D000B]          |
00000177C12D000B | 8ACF                     | mov cl,bh                               |
00000177C12D000D | 9B                       | fwait                                   |
00000177C12D000E | 5B                       | pop rbx                                 |
00000177C12D000F | F77F 00                  | idiv dword ptr ds:[rdi]                 |
00000177C12D0012 | 00FA                     | add dl,bh                               |

Petr Kobalicek

@kobalicek

I think x64dbg is not flattening the sections

This would create a relocation, and that would be put into the address table section

Tennn

@stonedreamforest

Yes, can asmjit do this? Of course, more cases need to be considered here. such as:

push 0x1DE7CC31
jmp 0x00007FF75B9BCF8A
mov rax,rbx

asmjit can be handled like this:

00000177C12D0000 | 68 31CCE71D              | push 1DE7CC31                           |
00000177C12D0005 | FF25 00000000            | jmp qword ptr ds:[177C12D000B]          |
00000177C12D000B | 8A CF 9B 5B F7 7F 00 00 // 0x00007FF75B9BCF8A
00000177C12D0013 | 48:8BC3                  | mov rax,rbx                             |

Petr Kobalicek

@kobalicek

it does that, but it creates a relocation in another section, so it all has to be flattened into a single code stream before using

you can alternatively just do:

jmp [Label]
Label: .dq address

That would work exactly the same, but it's more verbose though

Tennn

@stonedreamforest

I will try it

Petr Kobalicek

@kobalicek

BTW that case:

push 0x1DE7CC31
jmp 0x00007FF75B9BCF8A
mov rax,rbx

Would be more problematic though. AsmJit doesn't embed addresses after the jump, it creates a section with addresses, which is then added either after the code or somewhere else

your option is, to use Builder, instead of Assembler, and to post-process the code

before you assemble it

that would give you the freedom to do any transformation

Tennn

@stonedreamforest

I have no experience with Builder. I will see how to do it

😂

Petr Kobalicek

@kobalicek

I think I initially misunderstood the case - x64dbg prob uses asmjit correct and you are doing something on your own right?

Tennn

@stonedreamforest

I need to copy part of the instruction area of another dynamic library to execute in my dynamic library. So builder seems useless to me, my understanding builder will generate a new execution file. I don’t need this

So there is no need to create a new section, the base address I gave is writable, readable and executable

Petr Kobalicek

@kobalicek

Builder just emits things into a representation that can be processed, and then serialized to assembler - that's it

it gives you the opportunity to rewrite what you have

Tennn

@stonedreamforest

ah, it looks like I guessed wrong

Petr Kobalicek

@kobalicek

so for example, you can iterate over nodes, and when you find jump absolute_address you can rewrite it to:

jmp [Label]
Label: DQ Address

Which is what you want to do, and you would avoid address table section

it's really powerful what you can do with it

Petr Kobalicek

@kobalicek

I can even write a snippet if you are interested in that approach

Where communities thrive

People

Repo info

Activity