stalker-x86: Fix put_chaining_return()

frida · Feb 12, 2024 · d48caa6 · d48caa6
1 parent c017d6c
commit d48caa6
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/gum/backend-x86/gumstalker-x86.c b/gum/backend-x86/gumstalker-x86.c
@@ -764,6 +764,8 @@ static void gum_exec_block_write_jmp_transfer_code (GumExecBlock * block,
     GumGeneratorContext * gc, guint id, GumAddress jcc_address);
 static void gum_exec_block_write_ret_transfer_code (GumExecBlock * block,
     GumGeneratorContext * gc);
+static void gum_exec_block_write_chaining_return_code (GumExecBlock * block,
+    GumGeneratorContext * gc, guint16 npop);
 static gpointer * gum_exec_block_write_inline_cache_code (GumExecBlock * block,
     GumGeneratorContext * gc, GumX86Writer * cw, GumX86Writer * cws);
 static void gum_exec_block_backpatch_slab (GumExecBlock * block,
@@ -3172,7 +3174,12 @@ gum_stalker_iterator_put_chaining_return (GumStalkerIterator * self)
   GumExecBlock * block = self->exec_block;
   GumGeneratorContext * gc = self->generator_context;
 
-  gum_exec_block_virtualize_ret_insn (block, gc);
+  if ((block->ctx->sink_mask & GUM_RET) != 0)
+    gum_exec_block_write_ret_event_code (block, gc, GUM_CODE_INTERRUPTIBLE);
+
+  gum_exec_block_write_adjust_depth (block, gc->code_writer, -1);
+
+  gum_exec_block_write_chaining_return_code (block, gc, 0);
 }
 
 GumMemoryAccess
@@ -5540,11 +5547,6 @@ gum_exec_block_write_ret_transfer_code (GumExecBlock * block,
   cs_x86 * x86 = &insn->ci->detail->x86;
   cs_x86_op * op = &x86->operands[0];
   guint16 npop = 0;
-  const gint trust_threshold = block->ctx->stalker->trust_threshold;
-  GumX86Writer * cw = gc->code_writer;
-  GumX86Writer * cws = gc->slow_writer;
-  gpointer * ic_match;
-  GumExecCtx * ctx = block->ctx;
 
   if (x86->op_count != 0)
   {
@@ -5554,6 +5556,20 @@ gum_exec_block_write_ret_transfer_code (GumExecBlock * block,
     npop = op->imm;
   }
 
+  gum_exec_block_write_chaining_return_code (block, gc, npop);
+}
+
+static void
+gum_exec_block_write_chaining_return_code (GumExecBlock * block,
+                                           GumGeneratorContext * gc,
+                                           guint16 npop)
+{
+  const gint trust_threshold = block->ctx->stalker->trust_threshold;
+  GumX86Writer * cw = gc->code_writer;
+  GumX86Writer * cws = gc->slow_writer;
+  gpointer * ic_match;
+  GumExecCtx * ctx = block->ctx;
+
   if (trust_threshold >= 0)
   {
     gum_exec_block_close_prolog (block, gc, gc->code_writer);