Open
Description
Hello:
Since vmir is such an efficient interpreter for bitcode, I decided to fix it up for daily use (I work on Android/iOS code protection). After I fixed some functions in the linker such as dlopen & dlsym, it seems to have a logic error in VMOP(JSR_R). Once I use dlopen & dlsym to get a function address and try to call it, the interpreter cannot call this indirect function through the specified address. I tried to fix this problem with the code below.
```c
VMOP(JSR_R)
    vm_tracef(&F, "Calling indirect %s (%d)", vm_funcname(R32(0), iu), R32(0));
    /* Reject ids beyond the function table. Note: if vm_bad_function()
     * aborts execution, the raw-address branch further down can never be
     * reached for such ids. */
    if (R32(0) >= VECTOR_LEN(&iu->iu_functions)) {
        printf("[-] JSR_R out of length: 0x%08x\n", R32(0));
        vm_bad_function(iu, R32(0));
    }
    SET_CALLEE_FUNC(R32(0));
    if (iu->iu_vm_funcs[R32(0)]) {
        /* Bitcode function: run it in the interpreter. */
        r = vm_exec(iu->iu_vm_funcs[R32(0)], rf + I[1], rf + I[2], &F);
        RESTORE_CURRENT_FRAME();
        if (r)
            return r;
    } else if (iu->iu_function_table[R32(0)]) {
        /* Native function registered in vmir's own function table. */
        iu->iu_function_table[R32(0)](rf + I[2], rf + I[1], iu, hostmem);
        RESTORE_CURRENT_FRAME();
    } else if ((uintptr_t)((char *)iu->iu_mem + (int32_t)R32(0)) > 0x10000000) {
        /* bad heuristic, how to locate a func ptr? R32(0) is a VM address,
         * rf + I[1] is where the arguments start. */
        const void *params = rf + I[1];
        /* vmir_vm_ptr() pops one pointer-sized argument per call. */
        printf("\n----------[JSR_R] args: %p %p %p\n",
               vmir_vm_ptr(&params, iu), vmir_vm_ptr(&params, iu),
               vmir_vm_ptr(&params, iu));
        typedef int (*indirect_func)(int, ...);
        void *func_addr = (char *)iu->iu_mem + R32(0);
        /* TODO: args - unused until the argument count is known. */
        (void)func_addr;
    } else {
        vm_bad_function(iu, R32(0));
    }
```
I found that R32(0) is the address in vm_mem and rf + I[1] locates the params, but I cannot find a way to figure out how many params the indirect function uses. Any advice, please?
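As an added example (not vmir's code and not from this issue), one way to sidestep the arity problem: a raw host address carries no argument-count information, so record the arity when the dlsym() result is registered and let the VM call it by a small, bounds-checked id rather than by host address. The names `host_func_t`, `register_host_func`, `call_host_func` and `setup_demo_table`, and the limit of 0..3 integer arguments, are assumptions of this example.

```c
#include <stdint.h>
/* Hypothetical registry entry: a resolved host function plus its arity.
 * A raw host address carries no arity information, so it is recorded at
 * registration time (e.g. right after dlsym() succeeds). */
typedef struct {
  const char *name;
  void (*fn)(void);   /* generic function pointer, cast on call */
  int nargs;          /* number of 32-bit integer arguments, 0..3 */
} host_func_t;
#define MAX_HOST_FUNCS 16
static host_func_t host_funcs[MAX_HOST_FUNCS];
static int host_func_count;

/* Register a host function; returns the small id the VM uses as its
 * "address", or -1 if the table is full or the arity is unsupported. */
int register_host_func(const char *name, void (*fn)(void), int nargs)
{
  if (host_func_count >= MAX_HOST_FUNCS || nargs < 0 || nargs > 3)
    return -1;
  host_funcs[host_func_count] = (host_func_t){ name, fn, nargs };
  return host_func_count++;
}

/* Dispatch an indirect call by id. Arguments are read from a buffer laid
 * out like a VM register frame (consecutive 32-bit slots). Returns -1 for
 * an id outside the table, so a bad id is rejected instead of becoming
 * a jump to an arbitrary host address. */
int call_host_func(int id, const uint32_t *args, int32_t *ret)
{
  if (id < 0 || id >= host_func_count)
    return -1;
  void (*fn)(void) = host_funcs[id].fn;
  switch (host_funcs[id].nargs) {
  case 0:  *ret = ((int32_t (*)(void))fn)(); break;
  case 1:  *ret = ((int32_t (*)(int32_t))fn)(args[0]); break;
  case 2:  *ret = ((int32_t (*)(int32_t, int32_t))fn)(args[0], args[1]); break;
  default: *ret = ((int32_t (*)(int32_t, int32_t, int32_t))fn)(args[0], args[1], args[2]); break;
  }
  return 0;
}

/* Constructed sample functions standing in for dlsym() results. */
static int32_t host_add2(int32_t a, int32_t b) { return a + b; }
static int32_t host_add3(int32_t a, int32_t b, int32_t c) { return a + b + c; }

/* Reset the table and register the two samples; returns the entry count. */
int setup_demo_table(void)
{
  host_func_count = 0;
  register_host_func("add2", (void (*)(void))host_add2, 2);
  register_host_func("add3", (void (*)(void))host_add3, 3);
  return host_func_count;
}
```

In the JSR_R context this means the registered id, not the host pointer, is what ends up in R32(0), and the `nargs` field tells the dispatcher how many slots to read from rf + I[1].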