Trampoline issue about asmjit HOT 8 CLOSED

Hi,

what would be the output that is expected it your case? AsmJit expects that the jump can be encoded by using relative addressing, but supports trampolines in case it's not possible (you hit it). If you modify your code slightly:

    a.push(rax);
    a.pop(rax);
    a.jmp(&testFunc);
    a.ret();

you would see that trampolines are put at the end of the machine code generated:

push        rax  
pop         rax  
jmp         HERE
ret
HERE:
jmp         qword ptr [testFuncPtr]
; 95 20 2a 3f 01 00 00 00

Well, I don't know how to solve this better.

Basically there are some other ways, like this post http://www.ragestorm.net/blogs/?p=107 , but all of the solutions have pros/cons. Basically in assembler I can't trash any register by doing a jmp.

from asmjit.

Hey, I'm aware that trashing a register is not an option, however it appears that at some cases it skips all the code by jumping around it. I'm not sure yet how to exactly reproduce the problem but it seems related to the trampolines.

from asmjit.

Well,

I think that the best solution in this case would be to remove the first jump, leaving just:

jmp qword ptr [testFuncPtr]

But the problem is that relocation is the last step, thus, it can't modify the size of the original jmp instruction. Let me think about other possibilities.

from asmjit.

Well,

I was thinking about this and I think I can add more options to asmjit. Basically if I increase an instruction size from 5 to 6 bytes in 64-bit mode (when absolute address is used) I can encode jmp qword ptr[...] directly, thus removing the need for a second jump (and basically saving 6 bytes). The added byte would be REX prefix (which is fine).

What do you think about this solution?

from asmjit.

Sounds good, as long the jmp is no longer making all my code skip 👍

from asmjit.

My workaround is following:

        _obfs(a, a.push(*rax));
        _obfs(a, a.push(*zcx));
        _obfs(a, a.pushf());
        _obfs(a, a.mov(*rax, Imm(imageBase)));
        _obfs(a, a.mov(*zcx, returnRva));
        _obfs(a, a.add(*rax, *zcx));
        _obfs(a, a.popf());
        _obfs(a, a.pop(*zcx));
        _obfs(a, a.xchg(qword_ptr(*zsp), *rax));
        _obfs(a, a.ret());

Don't mind the pointers, I had to avoid initterm for other reasons.

from asmjit.

Let me know if my changes improved the behavior. I'm not sure if we can get rid off implicit trampolines in case that the jump is unencodable (and I'm not sure if this can be actually called trampoline after second jump disappeared).

from asmjit.

Seems solved.

from asmjit.