From 751330e8ee227984be788377f2edd038e9828d48 Mon Sep 17 00:00:00 2001
From: OB
Date: Wed, 17 Nov 2021 19:22:37 +0200
Subject: [PATCH] Cmplog instrumentation (#382)
* add support for cbz/tbz
* remove unecessary print
* implemented support for tbz
* add support for tbnz
* fix an error in the emitted code for both tbz/tbnz
* add support for cbnz
* fix error in logic
* add special handling to "subs"
* add restoration for X5 for tbz/tbnz
* add "adds" support
* add special handling for different opcodes
* add support for cbz/tbz
* remove unecessary print
* implemented support for tbz
* add support for tbnz
* fix an error in the emitted code for both tbz/tbnz
* add support for cbnz
* fix error in logic
* add special handling to "subs"
* add restoration for X5 for tbz/tbnz
* add "adds" support
* add special handling for different opcodes
* add adcs to cmplog commands
* get rid of irrelevant allocations
* add flag restoration to cmplog instrumentation emitted code
* add restoration for x24
* save and restore all registers
---
 libafl_frida/src/cmplog_rt.rs | 22 +++++++++++++++++++---
 libafl_frida/src/helper.rs | 3 +-
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/libafl_frida/src/cmplog_rt.rs b/libafl_frida/src/cmplog_rt.rs
index 966adab6ce..bc0bee6d90 100644
--- a/libafl_frida/src/cmplog_rt.rs
+++ b/libafl_frida/src/cmplog_rt.rs
@@ -52,15 +52,31 @@ impl CmpLogRuntime {
 ; stp x10, x11, [sp, #-0x10]!
 ; stp x12, x13, [sp, #-0x10]!
 ; stp x14, x15, [sp, #-0x10]!
- ; stp x29, x30, [sp, #-0x10]!
- // jump to rust based population of the lists
+ ; stp x16, x17, [sp, #-0x10]!
+ ; stp x18, x19, [sp, #-0x10]!
+ ; stp x20, x21, [sp, #-0x10]!
+ ; stp x22, x23, [sp, #-0x10]!
+ ; stp x24, x25, [sp, #-0x10]!
+ ; stp x26, x27, [sp, #-0x10]!
+ ; stp x28, x29, [sp, #-0x10]!
+ ; stp x30, xzr, [sp, #-0x10]!
+ ; .dword 0xd53b4218u32 as i32 // mrs x24, nzcv
+ // jump to rust based population of the lists
 ; mov x2, x0
 ; adr x3, >done
 ; ldr x4, >populate_lists
 ; ldr x0, >self_addr
 ; blr x4
 // restore the reg state before returning to the caller
- ; ldp x29, x30, [sp], #0x10
+ ; .dword 0xd51b4218u32 as i32 // msr nzcv, x24
+ ; ldp x30, xzr, [sp], #0x10
+ ; ldp x28, x29, [sp], #0x10
+ ; ldp x26, x27, [sp], #0x10
+ ; ldp x24, x25, [sp], #0x10
+ ; ldp x22, x23, [sp], #0x10
+ ; ldp x20, x21, [sp], #0x10
+ ; ldp x18, x19, [sp], #0x10
+ ; ldp x16, x17, [sp], #0x10
 ; ldp x14, x15, [sp], #0x10
 ; ldp x12, x13, [sp], #0x10
 ; ldp x10, x11, [sp], #0x10
diff --git a/libafl_frida/src/helper.rs b/libafl_frida/src/helper.rs
index 9af558d950..8a60d37d8a 100644
--- a/libafl_frida/src/helper.rs
+++ b/libafl_frida/src/helper.rs
@@ -64,13 +64,12 @@ enum CmplogOperandType {
 Mem(capstone::RegId, capstone::RegId, i32, u32),
 }
-#[cfg(all(feature = "cmplog", target_arch = "aarch64"))]
 enum SpecialCmpLogCase {
 Tbz,
 Tbnz,
 }
-#[cfg(target_vendor = "apple")]
+#[cfg(any(target_vendor = "apple"))]
 const ANONYMOUS_FLAG: MapFlags = MapFlags::MAP_ANON;
 #[cfg(not(any(target_vendor = "apple", target_os = "windows")))]
 const ANONYMOUS_FLAG: MapFlags = MapFlags::MAP_ANONYMOUS;
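Review bot: The register save/restore around `blr x4` now covers x16–x30 and NZCV but still leaves the FP/SIMD state unprotected: nothing in the hunk spills v0–v31 or FPSR, and `populate_lists` is ordinary Rust whose callees (memcpy/memset are the usual culprits) may freely clobber the caller-saved vector registers of the instrumented function at the compare being logged, corrupting the target's state rather than the fuzzer's in a way that is very hard to attribute later. Pushing q0–q31 in pairs after the new `stp x30, xzr` and popping them in reverse order before `ldp x30, xzr` closes that gap, assuming dynasm's aarch64 backend accepts Q-register pairs (I believe it does); FPSR would need another raw `mrs`/`msr` pair alongside the NZCV one. The two `.dword` words do decode correctly as `mrs x24, nzcv` / `msr nzcv, x24`, and x24 is a callee-saved register so the flags survive the Rust call, but a one-line comment such as `// raw encoding: dynasm has no mrs/msr mnemonic here` would spare the next reader the manual decode. The enclosing function starts and ends outside the hunk.
```rust
            ; stp x30, xzr, [sp, #-0x10]!
            ; stp q0, q1, [sp, #-0x20]!
            // … same stp for q2..q31, ascending pairs …
            ; .dword 0xd53b4218u32 as i32 // mrs x24, nzcv
            // … unchanged: call into populate_lists, msr nzcv, x24 …
            // … ldp for q30..q2, descending pairs …
            ; ldp q0, q1, [sp], #0x20
            ; ldp x30, xzr, [sp], #0x10
```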
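Review bot: Dropping the `#[cfg(all(feature = "cmplog", target_arch = "aarch64"))]` gate compiles `SpecialCmpLogCase` on every target and feature combination; unless it is referenced from unconditionally compiled code (no user is visible in this hunk), builds without `cmplog` or on non-aarch64 targets will now warn about a dead enum, so either keep the gate or add `#[allow(dead_code)]` with a comment naming the consumer that needs it everywhere. The replacement `#[cfg(any(target_vendor = "apple"))]` is equivalent to the original `#[cfg(target_vendor = "apple")]`; a single-arm `any` only adds noise, and if the intent is to leave room for more vendors, a short comment saying so would stop the next reader from reverting it. Whether `SpecialCmpLogCase` is used outside aarch64-only code cannot be confirmed from this hunk.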