/* Force .got aligned to 4K, so it very likely gets at 0x804a100
   (0x60 bytes .tdata and 0xa0 bytes .dynamic) */

/* File conventions (from the code below): GAS, AT&T operand order,
   32-bit x86 (%e-registers, pushl/movl/leal), position-independent --
   fn2 materialises the GOT address in %ebx with the call/pop idiom.
   NOTE(review): the @tlsdesc/@tlscall/@gottpoff/@gotntpoff relocation
   operators and the "GD -> IE" / "GD -> LE" / "LD -> LE" labels on each
   sequence suggest this is a linker TLS-relaxation test input, and the
   nop padding presumably reserves the bytes a relaxed sequence needs.
   If so, the exact instruction bytes and nop counts are part of the
   expected output -- confirm against the accompanying dump file before
   changing any of them.  */
	.section ".tdata", "awT", @progbits
	.balign 4096
	/* Three symbol classes in the TLS block:
	   sg1..sg8  global, default visibility;
	   sh1..sh8  global but marked .hidden;
	   sl1..sl8  carry no .globl here, so they stay local to this object.  */
	.globl sg1, sg2, sg3, sg4, sg5, sg6, sg7, sg8
	.globl sh1, sh2, sh3, sh4, sh5, sh6, sh7, sh8
	.hidden sh1, sh2, sh3, sh4, sh5, sh6, sh7, sh8
sg1:	.long 17
sg2:	.long 18
sg3:	.long 19
sg4:	.long 20
sg5:	.long 21
sg6:	.long 22
sg7:	.long 23
sg8:	.long 24
sl1:	.long 65
sl2:	.long 66
sl3:	.long 67
sl4:	.long 68
sl5:	.long 69
sl6:	.long 70
sl7:	.long 71
sl8:	.long 72
sh1:	.long 257
sh2:	.long 258
sh3:	.long 259
sh4:	.long 260
sh5:	.long 261
sh6:	.long 262
sh7:	.long 263
sh8:	.long 264

/* Force .text aligned to 4K, so it very likely gets at 0x8049000. */
	.text
	.balign 4096
	.globl fn2
	.type fn2,@function
/*-----------------------------------------------------------------------
   fn2: exercises every TLS access model against the three symbol
   classes above plus the undefined sG1..sG5.  Takes no arguments and
   produces no meaningful return value; the interesting part is the
   instruction/relocation sequences, not the computed addresses.
   Register roles: %ebx = GOT base (callee-saved, preserved via the
   stack); %eax/%ecx/%edx = scratch.
   Clobbers: %eax, %ecx, %edx, flags.
   Stack: 4-byte frame pointer + saved %ebx + one extra 4-byte slot.
  -----------------------------------------------------------------------*/
fn2:
	pushl %ebp
	movl %esp, %ebp
	pushl %ebx				/* save callee-saved %ebx; sits at -4(%ebp) */
	pushl %eax				/* NOTE(review): extra 4-byte slot, never read back;
						   presumably stack padding -- confirm */
	call 1f
1:	popl %ebx				/* %ebx = address of label 1 */
	addl $_GLOBAL_OFFSET_TABLE_+[.-1b], %ebx	/* i386 PIC idiom: %ebx = GOT address */
	nop;nop;nop;nop

	/* GD -> IE because variable is not defined in executable */
	leal sG1@tlsdesc(%ebx), %eax		/* %eax = &TLS descriptor for sG1 */
	call *sG1@tlscall(%eax)		/* indirect call through the descriptor */
	nop;nop;nop;nop

	/* GD -> IE because variable is not defined in executable where
	   the variable is referenced through @gottpoff too */
	leal sG2@tlsdesc(%ebx), %eax
	call *sG2@tlscall(%eax)
	nop;nop;nop;nop

	/* GD -> IE because variable is not defined in executable where
	   the variable is referenced through @gotntpoff too */
	leal sG3@tlsdesc(%ebx), %eax
	call *sG3@tlscall(%eax)
	nop;nop;nop;nop

	/* GD -> IE because variable is not defined in executable where
	   the variable is referenced through @gottpoff and @gotntpoff too */
	leal sG4@tlsdesc(%ebx), %eax
	call *sG4@tlscall(%eax)
	nop;nop;nop;nop

	/* GD -> LE with global variable defined in executable */
	leal sg1@tlsdesc(%ebx), %eax
	call *sg1@tlscall(%eax)
	nop;nop;nop;nop

	/* GD -> LE with local variable defined in executable */
	leal sl1@tlsdesc(%ebx), %eax
	call *sl1@tlscall(%eax)
	nop;nop;nop;nop

	/* GD -> LE with hidden variable defined in executable */
	leal sh1@tlsdesc(%ebx), %eax
	call *sh1@tlscall(%eax)
	nop;nop;nop;nop

	/* LD -> LE */
	/* One descriptor call for the module base, then per-variable
	   @dtpoff displacements added to it. */
	leal _TLS_MODULE_BASE_@tlsdesc(%ebx), %eax
	call *_TLS_MODULE_BASE_@tlscall(%eax)
	nop;nop
	leal sl1@dtpoff(%eax), %edx		/* %edx = module base + offset of sl1 */
	nop;nop
	leal sl2@dtpoff(%eax), %ecx		/* %ecx = module base + offset of sl2 */
	nop;nop;nop;nop

	/* LD -> LE against hidden variables */
	leal _TLS_MODULE_BASE_@tlsdesc(%ebx), %eax
	call *_TLS_MODULE_BASE_@tlscall(%eax)
	nop;nop
	leal sh1@dtpoff(%eax), %edx
	nop;nop
	leal sh2@dtpoff(%eax), %ecx
	nop;nop;nop;nop

	/* @gottpoff IE against global var */
	/* %gs:0 is read as the thread pointer (i386 TLS ABI convention);
	   @gottpoff entries are subtracted, @gotntpoff entries (below) added. */
	movl %gs:0, %ecx
	nop;nop
	subl sG2@gottpoff(%ebx), %ecx
	nop;nop;nop;nop

	/* @gottpoff IE against global var */
	movl %gs:0, %eax
	nop;nop
	subl sG4@gottpoff(%ebx), %eax
	nop;nop;nop;nop

	/* @gotntpoff IE against global var */
	movl %gs:0, %ecx
	nop;nop
	addl sG3@gotntpoff(%ebx), %ecx
	nop;nop;nop;nop

	/* @gotntpoff IE against global var */
	movl %gs:0, %eax
	nop;nop
	addl sG4@gotntpoff(%ebx), %eax
	nop;nop;nop;nop

	/* @gottpoff IE -> LE against global var defined in exec */
	movl %gs:0, %ecx
	nop;nop
	subl sg1@gottpoff(%ebx), %ecx
	nop;nop;nop;nop

	/* @gotntpoff IE -> LE against local var */
	movl %gs:0, %ecx
	nop;nop
	addl sl1@gotntpoff(%ebx), %eax		/* NOTE(review): %gs:0 went to %ecx but the
						   add targets %eax, unlike the sibling
						   sequences; if the expected dump mirrors
						   this it is deliberate -- confirm before
						   "fixing", it would change the test output */
	nop;nop;nop;nop

	/* @gottpoff IE -> LE against hidden var */
	movl %gs:0, %ecx
	nop;nop
	subl sh1@gottpoff(%ebx), %ecx
	nop;nop;nop;nop

	/* Direct access through %gs */
	/* Load the TP-relative offset from the GOT, then dereference it
	   with a %gs-based memory operand instead of adding the thread
	   pointer explicitly. */

	/* @gotntpoff IE against global var */
	movl sG5@gotntpoff(%ebx), %ecx		/* %ecx = TP-relative offset of sG5 */
	nop;nop
	movl %gs:(%ecx), %edx			/* %edx = value of sG5 */
	nop;nop;nop;nop

	/* @gotntpoff IE->LE against local var */
	movl sl5@gotntpoff(%ebx), %eax
	nop;nop
	movl %gs:(%eax), %edx
	nop;nop;nop;nop

	/* @gotntpoff IE->LE against hidden var */
	movl sh5@gotntpoff(%ebx), %edx
	nop;nop
	movl %gs:(%edx), %edx
	nop;nop;nop;nop

	movl -4(%ebp), %ebx			/* restore %ebx saved in the prologue */
	leave					/* %esp = %ebp; pop %ebp (discards the %eax slot) */
	ret