Recon 2026

Prism Internals: Reversing Microsoft's x86-to-ARM64 Binary Translator
Language: English

Prism is Microsoft's binary translator on Windows on ARM, JIT-compiling x86 and x64 to ARM64 at runtime. Five binaries, ~11K functions, no symbols. We reversed the full JIT pipeline, the CHPE/ARM64X hybrid loading mechanism, and the undocumented .jc translation cache format. Along the way we found that the x64se variant runs CRC32C integrity verification on translated code while x86 does not. The cache has no integrity checks on x86 translations: four structural checks, then arbitrary ARM64 executes verbatim. We release prism-cache-parser and demonstrate cache poisoning on Snapdragon X: drop a crafted .jc file, hijack translations for any DLL, survive reboots, invisible to every default detection layer.


Every Windows on ARM machine ships Prism, a binary translator that JIT-compiles x86 and x64 to ARM64 at runtime. Five binaries, ~11K functions, no symbols, no documentation. We reversed all of it: the translation pipeline from opcode decoding to ARM64 emission, the CHPE/ARM64X hybrid loading mechanism that ties the two JIT engines together across architectures, and the undocumented .jc translation cache format (validated against 341 real files from a Snapdragon X install).

We found that the x64se "strict" variant runs CRC32C integrity checks on translated code while the x86 variant does not, and that the cache service validates .jc files with four structural checks and nothing else. We demonstrate cache poisoning: drop a crafted file, hijack function translations, survive reboots, invisible to every default security layer. We release prism-cache-parser, detection rules, and annotated RE artifacts for all five Prism binaries.
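Both paragraphs above contrast the x64se variant, which CRC32C-checks translated code, with the x86 variant, which does not. The following is an added example, not code from the talk or from the prism-cache-parser release, showing what a CRC32C check over a cached translation does and does not buy: a stale CRC catches a patched body, but anyone who can write the file can recompute the unkeyed CRC. The record layout (`u32 body_len | u32 crc32c | body`) and the ARM64 bytes are constructed stand-ins, not the .jc format; the keyed-MAC variant at the end is for contrast only and is not something the abstract attributes to Prism.

```python
import hashlib
import hmac
import struct

CRC32C_POLY = 0x82F63B78  # reflected form of the Castagnoli polynomial


def crc32c(data: bytes, crc: int = 0) -> int:
    """Bitwise CRC32C, bit-for-bit equal to the SSE4.2 / ARMv8 crc32c instructions."""
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (CRC32C_POLY if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


# Constructed "translated code": mov x0, #1 ; ret as little-endian ARM64 words.
# Not taken from a real .jc file.
TRANSLATED_CODE = bytes.fromhex("200080d2" "c0035fd6")
PATCHED_WORD = bytes.fromhex("000080d2")  # mov x0, #0: flips the return value

# Hypothetical record layout (an assumption for this example, not the .jc format):
# u32 body_len | u32 crc32c(body) | body
HEADER = struct.Struct("<II")


def seal(body: bytes) -> bytes:
    return HEADER.pack(len(body), crc32c(body)) + body


def verify(record: bytes) -> bool:
    if len(record) < HEADER.size:
        return False
    length, stored = HEADER.unpack_from(record)
    body = record[HEADER.size:]
    return len(body) == length and crc32c(body) == stored


def patch_bytes(blob: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite bytes in place; everything else, including any stored check value, is left as is."""
    out = bytearray(blob)
    out[offset:offset + len(new)] = new
    return bytes(out)


def reseal(record: bytes) -> bytes:
    """What an attacker with write access does: recompute the unkeyed CRC over the patched body."""
    return seal(record[HEADER.size:])


# Contrast: a keyed MAC over the same body. Prism is not described as doing this;
# it is here only to mark the gap between corruption detection and tamper resistance.
TAG_LEN = hashlib.sha256().digest_size


def seal_keyed(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest() + body


def verify_keyed(record: bytes, key: bytes) -> bool:
    tag, body = record[:TAG_LEN], record[TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


def demo() -> dict:
    """The states a cache consumer could see, keyed by scenario."""
    good = seal(TRANSLATED_CODE)
    tampered = patch_bytes(good, HEADER.size, PATCHED_WORD)  # body changed, CRC stale
    forged = reseal(tampered)                                # CRC recomputed by the attacker
    key = b"constructed-demo-key"                            # assumption: a key the writer lacks
    keyed = seal_keyed(TRANSLATED_CODE, key)
    keyed_tampered = patch_bytes(keyed, TAG_LEN, PATCHED_WORD)
    return {
        "good": verify(good),
        "tampered": verify(tampered),
        "forged": verify(forged),
        "keyed_good": verify_keyed(keyed, key),
        "keyed_tampered": verify_keyed(keyed_tampered, key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15} {'passes' if ok else 'rejected'}")
```

The point for a defender reading the abstract: the x64se check is a real difference from x86 (a body edit with a stale CRC is rejected), but CRC32C is a corruption detector, not an authenticator. Whether it changes the practical picture depends on what the check covers and where the check value lives, which the abstract does not state.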