def load_rdx_offset(r64, o16):
    """Emit code that ends with load_rdx_r64('rax') after rax = r64 + o16.

    The value of ``r64`` is moved into rax through the stack (push/pop),
    ``o16`` is added with ``encoder.add_ax``, and the result is handed to
    ``load_rdx_r64``.

    Args:
        r64: 64-bit register name; validated by ``check_r64``.
        o16: 16-bit offset; validated by ``check_o16``.

    Returns:
        The concatenated shellcode string.
    """
    check_r64(r64)
    check_o16(o16)
    pieces = [
        # push the source value, then rax, so that two pops leave r64's value in rax
        asm('push %s; push rax' % (r64,)),
        # original comment: leaves zero in rbx for the next step -- confirm against encoder
        encoder.zero_rax(),
        # first pop consumes the scratch slot, second restores r64's saved value into rax
        asm('pop rax; pop rax'),
        encoder.add_ax(o16),
        load_rdx_r64('rax'),
    ]
    return ''.join(pieces)
def load_rdx_indirect_r64_i64(r64, o64):
    """Emit code that loads rdx from the qword at [r64 + o64].

    For ``r64 == 'rsp'`` the work is delegated to ``load_rdx_indirect_rsp``.
    Otherwise r64's value is restored into rax via the stack, ``o64`` is
    placed in rdi (only when non-zero), and ``xor rsi, [rax + rdi]`` reads
    the qword into an rsi that ``encoder.zero_rax()`` is expected to have
    cleared; ``load_rdx_r64('rsi')`` then finishes the move.

    Args:
        r64: base register name; validated by ``check_r64``.
        o64: immediate offset added to the base address.

    Returns:
        The shellcode string.
    """
    check_r64(r64)
    if r64 == 'rsp':
        return load_rdx_indirect_rsp(o64)
    parts = []
    # save r64's value and open one scratch slot below it
    parts.append(asm('push %s; push rax' % (r64,)))
    # original comment: zeroes rbx for the next step and also zeroes rsi
    parts.append(encoder.zero_rax())
    if o64 != 0:
        parts.append(encoder.set_rax(o64))
        parts.append(asm('push rax; pop rdi'))
    # NOTE(review): when o64 == 0 rdi is never written, so this relies on rdi
    # already holding zero (presumably from encoder.zero_rax()) -- confirm.
    # drop the scratch slot, then land r64's saved value in rax
    parts.append(asm('pop rax; pop rax'))
    parts.append(asm('xor rsi, [rax + rdi]'))
    parts.append(load_rdx_r64('rsi'))
    return ''.join(parts)
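def load_rdx_indirect_r64_r64(r64, or64):
    """Emit code that loads rdx from the qword at [r64 + or64].

    r64's value is restored into rax via the stack, or64 is copied into rdi,
    and ``xor rsi, [rax + rdi]`` reads the qword into an rsi that
    ``encoder.zero_rax()`` is expected to have cleared; ``load_rdx_r64('rsi')``
    finishes the move.

    Args:
        r64: base register name; validated by ``check_r64``.
        or64: offset register name; validated by ``check_r64``.

    Returns:
        The shellcode string.

    Raises:
        ValueError: if ``r64`` is 'rsp', or if ``or64`` is 'rax' or 'rsi'.
            The save/restore sequence below overwrites rax with r64's value
            before rdi is loaded, and rsi is cleared by ``encoder.zero_rax()``
            before it could be copied, so those offset registers would be
            read after they were already clobbered and the emitted address
            would be silently wrong.
    """
    check_r64(r64)
    check_r64(or64)
    if r64 == 'rsp':
        raise ValueError('register offset indirect to rsp not supported')
    if or64 in ('rax', 'rsi'):
        raise ValueError('%s as offset register is clobbered before use' % (or64,))
    shellcode = ''
    # save r64's value and open one scratch slot below it
    shellcode += asm('push %s; push rax' % (r64,))
    # original comment: zeroes rsi (the xor below relies on that) -- confirm against encoder
    shellcode += encoder.zero_rax()
    # first pop consumes the scratch slot, second restores r64's saved value into rax
    shellcode += asm('pop rax; pop rax')
    if r64 != 'rax':
        # redundant after the pops above (rax already holds r64's value) but
        # kept so the emitted byte sequence is unchanged
        shellcode += asm('push %s; pop rax;' % (r64,))
    if or64 != 'rdi':
        shellcode += asm('push %s; pop rdi;' % (or64,))
    shellcode += asm('xor rsi, [rax + rdi]')
    shellcode += load_rdx_r64('rsi')
    return shellcode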
def load_rdx_indirect_i64(i64):
    """Emit code that loads rdx from the qword at the absolute address i64.

    rax is cleared, set to ``i64`` with ``encoder.set_rax``, and then used as
    the base of ``load_rdx_indirect_r64_i64`` with a zero offset.

    Args:
        i64: absolute address to read from.

    Returns:
        The shellcode string.
    """
    # NOTE(review): the zero offset means load_rdx_indirect_r64_i64 never
    # writes rdi, so this relies on rdi being zero at that point -- confirm.
    steps = (
        encoder.zero_rax(),
        encoder.set_rax(i64),
        load_rdx_indirect_r64_i64('rax', 0),
    )
    return ''.join(steps)
def load_rdx_i64(i64):
    """Emit code that sets rdx to the immediate i64.

    rax is cleared, set to ``i64`` with ``encoder.set_rax``, and handed to
    ``load_rdx_r64('rax')``.

    Args:
        i64: immediate value to place in rdx.

    Returns:
        The shellcode string.
    """
    # original comment: zero_rax also leaves zero in rbx for the next step -- confirm
    result = encoder.zero_rax()
    result = result + encoder.set_rax(i64)
    return result + load_rdx_r64('rax')