Add x86_84 shellcode

macho-go/go.mod

@@ -5,10 +5,11 @@ go 1.17
 require (
 	github.com/alecthomas/kong v0.2.16
 	github.com/sirupsen/logrus v1.8.0
-	google.golang.org/protobuf v1.26.0
+	google.golang.org/protobuf v1.31.0
 )
 
 require (
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/magefile/mage v1.10.0 // indirect
 	github.com/pkg/errors v0.8.1 // indirect
 	golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 // indirect

macho-go/go.sum

@@ -3,6 +3,8 @@ github.com/alecthomas/kong v0.2.16/go.mod h1:kQOmtJgV+Lb4aj+I2LEn40cbtawdWJ9Y8QL
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/magefile/mage v1.10.0 h1:3HiXzCUY12kh9bIuyXShaVe529fJfyqoVM42o/uom2g=
@@ -22,3 +24,5 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=

macho-go/pkg/ios/macho/edit.go

@@ -467,50 +467,91 @@ func (mc *MachoContext) ReworkForObjc() {
 	  ldr x9, [x8, #8]
 	  br x9
 	*/
-
-	// TODO: fix to work with offset larger than 0xffff
-	shellcode := []uint32{
-		0x10000008,
-		0, // x9 = (offset end of __DATA) - (offset shellcode)
-		0x8B090108,
-		0xA8BF23FE,
-		0xA8BF0BE3,
-		0xA8BF03E1,
-		0xF9400109,
-		0xD63F0120,
-		0xA9C103E1,
-		0xA9C10BE3,
-		0xA9C123FE,
-		0xF9400509,
-		0xD61F0120,
-	}
-
+	shellcode := []uint32{}
 	ins_size_byte := 4
-	shellcode_offset := text_start - (ins_size_byte * len(shellcode))
 	main_offset := int(mc.entryoff)
+	var shellcode_offset int
 	
-	encode_movz := func(v int) uint32 {
-		return uint32(uint32(v)<<5 | uint32(0x694)<<21 | uint32(0x09))
+	if mc.header.cputype == 12{
+		shellcode := []uint32{
+			0x10000008,
+			0, // x9 = (offset end of __DATA) - (offset shellcode)
+			0x8B090108,
+			0xA8BF23FE,
+			0xA8BF0BE3,
+			0xA8BF03E1,
+			0xF9400109,
+			0xD63F0120,
+			0xA9C103E1,
+			0xA9C10BE3,
+			0xA9C123FE,
+			0xF9400509,
+			0xD61F0120,
+		}
+	
+		shellcode_offset = text_start - (ins_size_byte * len(shellcode))
+	
+		encode_movz := func(v int) uint32 {
+			return uint32(uint32(v)<<5 | uint32(0x694)<<21 | uint32(0x09))
+		}
+	
+		// movz_shellcode_offset := encode_movz(shellcode_offset)
+		// movz_main_offset := encode_movz(main_offset)
+		// movz_data_end_offset := encode_movz(data_end)
+		movz_calculate_offset := encode_movz(data_end - shellcode_offset)
+	
+		shellcode[1] = movz_calculate_offset
+		// shellcode[10] = movz_data_end_offset
+		// shellcode[19] = movz_main_offset
+	
+		fmt.Printf("// shellcode_offset=%x\n", shellcode_offset)
+		fmt.Printf("// main_offset=%x\n", main_offset)
+		fmt.Printf("// data_end=%x\n", data_end)
+		fmt.Printf("// movz_calculate_offset=%x\n", movz_calculate_offset)
+		// fmt.Printf("// movz_shellcode_offset=%x\n", movz_shellcode_offset)
+		// fmt.Printf("// movz_main_offset=%x\n", movz_main_offset)
+		// fmt.Printf("// movz_data_end_offset=%x\n", movz_data_end_offset)
+		fmt.Printf("// lc_main_offset=%x\n", lc_main_offset)
+	} else {
+		// TODO: fix to work with offset larger than 0xffff
+		shellcode := []uint32{
+			0x00058d4c,
+			0x66000000,
+			0, 				// offset
+			0x57c8014d,
+			0x41515256,
+			0x088b4d50,
+			0x41d1ff41,
+			0x5e5a5958,
+			0x488b4d5f,
+			0xe1ff4108,
+		}
+
+		shellcode_offset = text_start - (ins_size_byte * len(shellcode))
+		
+		encode_movz := func(v int) uint32 {
+			return uint32(uint32(v-7)<<16 | uint32(0xb941))
+		}
+
+		// movz_shellcode_offset := encode_movz(shellcode_offset)
+		// movz_main_offset := encode_movz(main_offset)
+		// movz_data_end_offset := encode_movz(data_end)
+		movz_calculate_offset := encode_movz(data_end - shellcode_offset)
+
+		shellcode[2] = movz_calculate_offset
+		// shellcode[10] = movz_data_end_offset
+		// shellcode[19] = movz_main_offset
+
+		fmt.Printf("// shellcode_offset=%x\n", shellcode_offset)
+		fmt.Printf("// main_offset=%x\n", main_offset)
+		fmt.Printf("// data_end=%x\n", data_end)
+		// fmt.Printf("// movz_calculate_offset=%x\n", movz_calculate_offset)
+		// fmt.Printf("// movz_shellcode_offset=%x\n", movz_shellcode_offset)
+		// fmt.Printf("// movz_main_offset=%x\n", movz_main_offset)
+		// fmt.Printf("// movz_data_end_offset=%x\n", movz_data_end_offset)
+		fmt.Printf("// lc_main_offset=%x\n", lc_main_offset)
 	}
 
-	// movz_shellcode_offset := encode_movz(shellcode_offset)
-	// movz_main_offset := encode_movz(main_offset)
-	// movz_data_end_offset := encode_movz(data_end)
-	movz_calculate_offset := encode_movz(data_end - shellcode_offset)
-
-	shellcode[1] = movz_calculate_offset
-	// shellcode[10] = movz_data_end_offset
-	// shellcode[19] = movz_main_offset
-
-	fmt.Printf("// shellcode_offset=%x\n", shellcode_offset)
-	fmt.Printf("// main_offset=%x\n", main_offset)
-	fmt.Printf("// data_end=%x\n", data_end)
-	fmt.Printf("// movz_calculate_offset=%x\n", movz_calculate_offset)
-	// fmt.Printf("// movz_shellcode_offset=%x\n", movz_shellcode_offset)
-	// fmt.Printf("// movz_main_offset=%x\n", movz_main_offset)
-	// fmt.Printf("// movz_data_end_offset=%x\n", movz_data_end_offset)
-	fmt.Printf("// lc_main_offset=%x\n", lc_main_offset)
-
 	offset := int64(shellcode_offset)
 	{
 		// fix main to point to our newly created shellcode