@@ -211,12 +211,21 @@ def trampoline_payload_ast(self, astree: "ASTInterface") -> AST.ASTStmt:
211211 MOVxx R1, #1
212212 LSL R0, R1, #1
213213 BX LR
214+
215+ case 3: fallthrough
216+ LDR
217+ MOV R1, #0
218+ <condition>
219+ STRxx R1, <mem>
220+ MOVxx R1, #1
221+ MOV R0
214222 """
215223 if not self .trampoline :
216224 raise UF .CHBError ("Internal error" )
217225
218226 payloadblock = self .trampoline ["payload" ]
219227 payloadinstrs = sorted (payloadblock .instructions .items ())
228+ payloadlen = len (payloadblock .instructions )
220229 (iaddr2 , chkinstr2 ) = payloadinstrs [- 2 ]
221230 chkinstr2 = cast ("ARMInstruction" , chkinstr2 )
222231
@@ -232,11 +241,30 @@ def trampoline_payload_ast(self, astree: "ASTInterface") -> AST.ASTStmt:
232241 astree )
233242 brstmt = astree .mk_branch (cc , rstmt , estmt , "0x0" )
234243 return brstmt
235- else :
236- chklogger .logger .critical (
237- "trampoline payload cannot be lifted: "
238- + "expected to find conditional MOV instruction. "
239- + "Contact system maintainer for support." )
244+
245+ elif payloadlen == 7 :
246+ (iaddr3 , chkinstr3 ) = payloadinstrs [- 3 ]
247+ (iaddr4 , chkinstr4 ) = payloadinstrs [- 4 ]
248+ chkinstr3 = cast ("ARMInstruction" , chkinstr3 )
249+ chkinstr4 = cast ("ARMInstruction" , chkinstr4 )
250+ if (
251+ chkinstr3 .has_instruction_condition ()
252+ and chkinstr4 .has_instruction_condition ()):
253+ condition = chkinstr3 .get_instruction_condition ()
254+ rstmt = astree .mk_return_stmt (None )
255+ estmt = astree .mk_instr_sequence ([])
256+ cc = XU .xxpr_to_ast_def_expr (condition ,
257+ chkinstr2 .xdata ,
258+ chkinstr2 .iaddr ,
259+ astree )
260+ brstmt = astree .mk_branch (cc , rstmt , estmt , "0x0" )
261+ return brstmt
262+
263+ else :
264+ chklogger .logger .critical (
265+ "trampoline payload cannot be lifted: "
266+ + "expected to find conditional MOV instruction. "
267+ + "Contact system maintainer for support." )
240268
241269 # case 2
242270 elif chkinstr2 .mnemonic_stem == "LSL" :
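Review bot: In the new `elif payloadlen == 7:` branch the condition is read from `chkinstr3` (`condition = chkinstr3 .get_instruction_condition ()`) but is then lifted against `chkinstr2 .xdata` and `chkinstr2 .iaddr`, which looks like a copy of the case-1 call rather than an intentional choice; if the expression's definitions should resolve at the instruction that carries the condition, this presumably should be `chkinstr3 .xdata ,` / `chkinstr3 .iaddr ,` — worth confirming against the case-3 layout in the docstring. The unpacked `iaddr3` and `iaddr4` are never used, so `_` (or only the instruction) would make that explicit. Both branches require `chkinstr4` to be conditional but only `chkinstr3`'s condition is consulted; a one-line comment stating why the second check is needed (e.g. `# STRxx and MOVxx must share the condition for the lift to be sound`) would document the assumption. Note also that the `critical(...)` path on the new side logs and falls through without raising or returning, so a payload of unexpected length continues into the later `elif` chain; `trampoline_payload_ast` starts before and ends after these hunks.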