From 6a93cee74e8f076068bea1463b95ee0374c50a3a Mon Sep 17 00:00:00 2001
From: vaxerski
Date: Thu, 28 Dec 2023 13:36:09 +0100
Subject: [PATCH] pluginapi: manually detect endbr64 opcodes in function hooks ref #4277
---
 src/plugins/HookSystem.cpp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/plugins/HookSystem.cpp b/src/plugins/HookSystem.cpp
index d0a3aeee..e52fd749 100644
--- a/src/plugins/HookSystem.cpp
+++ b/src/plugins/HookSystem.cpp
@@ -93,6 +93,22 @@ CFunctionHook::SAssembly CFunctionHook::fixInstructionProbeRIPCalls(const SInstr
 } else {
 return {};
 }
+ } else if (code.contains("invalid")) {
+ std::vector bytes;
+ bytes.resize(len);
+ memcpy(bytes.data(), (std::byte*)currentAddress, len);
+ if (len == 4 && bytes[0] == 0xF3 && bytes[1] == 0x0F && bytes[2] == 0x1E && bytes[3] == 0xFA) {
+ // F3 0F 1E FA = endbr64, udis doesn't understand that one
+ assemblyBuilder += "endbr64\n";
+ } else {
+ // raise error, unknown op
+ std::string strBytes;
+ for (auto& b : bytes) {
+ strBytes += std::format("{:x} ", b);
+ }
+ Debug::log(ERR, "[functionhook] unknown bytes: {}", strBytes);
+ return {};
+ }
 } else {
 assemblyBuilder += code + "\n";
 }
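Review bot: The unknown-bytes log in the new inner `else` branch formats each byte with `{:x}`, so 0x0F is printed as `f` and the dump cannot be read back unambiguously when someone triages a failed hook; `strBytes += std::format("{:02x} ", b);` keeps every byte two digits wide. The branch is entered on `code.contains("invalid")`, a substring match on the disassembler's text that looks broader than needed; if the output for an undecodable instruction is exactly that string, an equality check would state the intent more tightly (to be confirmed against the disassembler, which is not visible here). Returning `{}` for anything other than F3 0F 1E FA keeps the hook fail-closed rather than relocating bytes that were never decoded, and that deserves a short comment such as `// refuse to relocate bytes we cannot decode`. The enclosing function starts and ends outside the hunk.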