I am attempting to modify the x64 assembly code of emacs to make it run vim in the background using a shellcode. I normally do this on x32 with pushad and pushfd, but I am blocked in x64. I will give more context.
The normal assembly of emacs is as follows:
00007FF631D014B0 | 48:83EC 28 | sub rsp,28 |
00007FF631D014B4 | 48:8B05 A5300000 | mov rax,qword ptr ds:[7FF631D04560] | rax:EntryPoint
00007FF631D014BB | C700 01000000 | mov dword ptr ds:[rax],1 | rax:EntryPoint
00007FF631D014C1 | E8 BAFCFFFF | call runemacs.7FF631D01180 |
00007FF631D014C6 | 90 | nop |
00007FF631D014C7 | 90 | nop |
00007FF631D014C8 | 48:83C4 28 | add rsp,28 |
00007FF631D014CC | C3 | ret |
00007FF631D014CD | 0F1F00 | nop dword ptr ds:[rax],eax |
00007FF631D014D0 | 48:83EC 28 | sub rsp,28 |
00007FF631D014D4 | 48:8B05 85300000 | mov rax,qword ptr ds:[7FF631D04560] |
.........
At the end there is a code cave with a lot of zeros. I want to put my shellcode there, make the binary run vim, then go back and run emacs. To do that, I modify the above as follows:
00007FF6D23114B0 | E9 0C180000 | jmp runemacs_vim3.7FF6D2312CC1 | (make it jump to the code cave)
00007FF6D23114B5 | 8B05 A5300000 | mov eax,dword ptr ds:[7FF6D2314560] | (rax changed to eax by my debugger _x64dbg)
00007FF6D23114BB | C700 01000000 | mov dword ptr ds:[rax],1 | rax:EntryPoint
00007FF6D23114C1 | E8 BAFCFFFF | call runemacs_vim3.7FF6D2311180 |
00007FF6D23114C6 | 90 | nop |
00007FF6D23114C7 | 90 | nop |
00007FF6D23114C8 | 48:83C4 28 | add rsp,28 |
00007FF6D23114CC | C3 | ret |
00007FF6D23114CD | 0F1F00 | nop dword ptr ds:[rax],eax |
00007FF6D23114D0 | 48:83EC 28 | sub rsp,28 |
00007FF6D23114D4 | 48:8B05 85300000 | mov rax,qword ptr ds:[7FF6D2314560] | rax:EntryPoint
00007FF6D23114DB | C700 00000000 | mov dword ptr ds:[rax],0 | rax:EntryPoint
00007FF6D23114E1 | E8 9AFCFFFF | call runemacs_vim3.7FF6D2311180 |
Then down at runemacs_vim3.7FF6D2312CC1, at the code cave:
00007FF69D3D2CC1 | 9C | pushfq |
00007FF69D3D2CC2 | 50 | push rax | rax:EntryPoint
00007FF69D3D2CC3 | 51 | push rcx |
00007FF69D3D2CC4 | 52 | push rdx | rdx:EntryPoint
00007FF69D3D2CC5 | 53 | push rbx |
00007FF69D3D2CC6 | 54 | push rbp |
00007FF69D3D2CC7 | 55 | push rsi |
00007FF69D3D2CC8 | 56 | push rdi |
MY SHELLCODE THAT RUNS VIM
00007FF69D3D2DCD | EB 0F | jmp runemacs_vim2.7FF69D3D2DDE | ---- (to avoid the shellcode exiting the program)
00007FF69D3D2DCF | 59 | pop rcx | |
00007FF69D3D2DD0 | 41:89DA | mov r10d,ebx | |
00007FF69D3D2DD3 | FFD5 | call rbp | |
00007FF69D3D2DD5 | 76 69 | jbe runemacs_vim2.7FF69D3D2E40 | |
00007FF69D3D2DD7 | 6D | insd | |
00007FF69D3D2DD8 | 2E65:78 65 | js runemacs_vim2.7FF69D3D2E41 | |
00007FF69D3D2DDC | 0000 | add byte ptr ds:[rax],al | | rax:EntryPoint
00007FF69D3D2DDE | 5F | pop rdi | <---
00007FF69D3D2DDF | 5E | pop rsi |
00007FF69D3D2DE0 | 5D | pop rbp |
00007FF69D3D2DE1 | 5C | nop | (a small mistake because I used to push rsp)
00007FF69D3D2DE2 | 5B | pop rbx |
00007FF69D3D2DE3 | 5A | pop rdx | rdx:EntryPoint
00007FF69D3D2DE4 | 59 | pop rcx |
00007FF69D3D2DE5 | 58 | pop rax | rax:EntryPoint
00007FF69D3D2DE6 | 9D | popfq |
00007FF69D3D2DE7 | 48:83EC 28 | sub rsp,28 |
00007FF69D3D2DEB | E9 C4E6FFFF | jmp runemacs_vim2.7FF69D3D14B4 |
00007FF69D3D2DF0 | 0000 | add byte ptr ds:[rax],al | rax:EntryPoint
00007FF69D3D2DF2 | 0000 | add byte ptr ds:[rax],al | rax:EntryPoint
When I run it, vim runs normally but emacs doesn't. The debugger shows that 00007FF69D3D14B5 | 8B05 A5300000 | mov eax,dword ptr ds:[7FF69D3D4560] |
is giving an access violation. Why did my debugger change rax to eax? Am I missing something when simulating the pushad in x64 by pushing and popping all the registers?
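As an added example (not part of the question above), the check a reviewer would run on any such entry-point patch: decode the rel32 jumps quoted in the listing, report which original instructions the 5-byte jmp covers only partially, and test whether the code cave's jump back lands on an instruction start in the patched layout. Addresses are the low 16 bits of those shown (the module base differs between the runs quoted) and the byte strings are transcribed from the listing.

```python
# Added example: rel32 decoding and instruction-boundary check for the patch
# described in the question. Offsets are the low 16 bits of the listed
# addresses; byte strings are transcribed from the listing.

ORIGINAL = [  # (offset, bytes) of the unpatched entry sequence, in order
    (0x14B0, "48 83 EC 28"),           # sub rsp,28
    (0x14B4, "48 8B 05 A5 30 00 00"),  # mov rax,qword ptr [rip+0x30A5]
    (0x14BB, "C7 00 01 00 00 00"),     # mov dword ptr [rax],1
    (0x14C1, "E8 BA FC FF FF"),        # call runemacs.1180
    (0x14C6, "90"), (0x14C7, "90"),    # nop; nop
    (0x14C8, "48 83 C4 28"),           # add rsp,28
    (0x14CC, "C3"),                    # ret
]

def hexbytes(s):
    return bytes.fromhex(s.replace(" ", ""))

def rel32_target(addr, insn):
    """Target of a 5-byte E8/E9 (call/jmp rel32): end of the instruction
    plus the signed 32-bit displacement."""
    b = hexbytes(insn)
    if len(b) != 5 or b[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 jmp/call")
    return addr + 5 + int.from_bytes(b[1:], "little", signed=True)

def overwritten(listing, patch_addr, patch):
    """Original instructions touched by the patch, and those only partly
    covered (their leftover bytes get decoded as something else)."""
    end = patch_addr + len(hexbytes(patch))
    touched, partial = [], []
    for a, b in listing:
        a_end = a + len(hexbytes(b))
        if a < end and a_end > patch_addr:
            touched.append(a)
            if a_end > end or a < patch_addr:
                partial.append(a)
    return end, touched, partial

def starts_after_patch(listing, patch_addr, patch):
    """Instruction starts once the patch is applied: the patch itself, the
    byte right after it, and every original instruction the patch left alone."""
    end, _, _ = overwritten(listing, patch_addr, patch)
    kept = {a for a, _ in listing if a < patch_addr or a >= end}
    return kept | {patch_addr, end}

if __name__ == "__main__":
    jmp_in, jmp_back = (0x14B0, "E9 0C 18 00 00"), (0x2DEB, "E9 C4 E6 FF FF")
    print(hex(rel32_target(*jmp_in)), overwritten(ORIGINAL, *jmp_in))
    back = rel32_target(*jmp_back)
    print(hex(back), back in starts_after_patch(ORIGINAL, *jmp_in))
```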