optimize shellcode and recover main address at runtime

research/custom_loader/b.cc

@@ -1230,24 +1230,29 @@ void fix_initializer(struct libcache_item* libfixing, struct libcache& cache) {
   // (note: __TEXT segment is aligned to the end of the page, free space in the middle)
   //
   // Below is the shellcode.
-  //
-  // sub sp, sp, #0x10
-  // str x30, [sp]
-  // adr x8, 0
-  // movz x9, #0x3d68 ; offset at this point
-  // sub x8, x8, x9
-  // str x8, [sp, #8]
-  // movz x9, #0x81d8
-  // add x9, x8, x9
-  // ldr x9, [x9]
-  // blr x9
-  // ldr x8, [sp, #8]
-  // movz x9, #0x3e3c  ; offset to original main
-  // add x9, x8, x9
-  // blr x9
-  // ldr x30, [sp]
-  // add sp, sp, #0x10
-  // ret
+  /*
+  adr x8, 0
+  # x9 = (offset end of __DATA) - (offset shellcode)
+  movz x9, #0x9999
+  add x8, x8, x9
+
+  stp x30, x8, [sp], #-0x10
+  stp x3, x2, [sp], #-0x10
+  stp x1, x0, [sp], #-0x10
+
+  # custom intializer
+  ldr x9, [x8]
+  blr x9
+
+  ldp x1, x0, [sp, #0x10]!
+  ldp x3, x2, [sp, #0x10]!
+  ldp x30, x8, [sp, #0x10]!
+
+  # original main
+  # link register is set so jump only
+  ldr x9, [x8, #8]
+  br x9
+  */
 
   void* header = libfixing->header;
   const uint32_t magic = *(uint32_t *)header;
@@ -1309,7 +1314,8 @@ void fix_initializer(struct libcache_item* libfixing, struct libcache& cache) {
         uint64_t size = *((uint64_t*)sections_ptr + 5);
 
         uint64_t* dummy = (uint64_t*)(addr + slide + size);
-        *dummy = (uint64_t)custom_initializer;
+        dummy[0] = (uint64_t)custom_initializer;
+        dummy[1] = (uint64_t)(header) + bshield_data::main;
         printf("add custom main-peg at %p\n", dummy);
       } else if (custom_strcmp(name, "__LINKEDIT") == 0) {
         linkedit_vmaddr = vmaddr;