|
|
|
#pragma once
|
|
|
|
#include <obf/pass.hpp>
|
|
|
|
|
|
|
|
namespace theo::obf {
|
|
|
|
/// <summary>
|
|
|
|
/// This pass is used to generate transformations and jmp code to change RIP to
|
|
|
|
/// the next instruction.
|
|
|
|
///
|
|
|
|
/// given the following code (get pml4 address from cr3):
|
|
|
|
///
|
|
|
|
/// get_pml4:
|
|
|
|
/// 0: 48 c7 c0 ff 0f 00 00 mov rax,0xfff
|
|
|
|
/// 7: 48 f7 d0 not rax
|
|
|
|
/// a: 0f 20 da mov rdx,cr3
|
|
|
|
/// d: 48 21 c2 and rdx,rax
|
|
|
|
/// 10: b1 00 mov cl,0x0
|
|
|
|
/// 12: 48 d3 e2 shl rdx,cl
|
|
|
|
/// 15: 48 89 d0 mov rax,rdx
|
|
|
|
/// 18: c3 ret
|
|
|
|
///
|
|
|
|
/// this pass will break up each instruction so that it can be anywhere in a
|
|
|
|
/// linear virtual address space. this pass will not work on rip relative code,
|
|
|
|
/// however clang will not generate such code when compiled with
|
|
|
|
/// "-mcmodel=large"
|
|
|
|
///
|
|
|
|
/// get_pml4@0:
|
|
|
|
/// mov rax, 0xFFF
|
|
|
|
/// push [next_inst_addr_enc]
|
|
|
|
/// xor [rsp], 0x3243342
|
|
|
|
/// ; a random number of transformations here...
|
|
|
|
/// ret
|
|
|
|
/// next_inst_addr_enc:
|
|
|
|
/// ; encrypted address of the next instruction goes here.
|
|
|
|
///
|
|
|
|
/// get_pml4@7:
|
|
|
|
/// not rax
|
|
|
|
/// push [next_inst_addr_enc]
|
|
|
|
/// xor [rsp], 0x93983498
|
|
|
|
/// ; a random number of transformations here...
|
|
|
|
/// ret
|
|
|
|
/// next_inst_addr_enc:
|
|
|
|
/// ; encrypted address of the next instruction goes here.
|
|
|
|
///
|
|
|
|
/// this process is continued for each instruction in the function. the last
|
|
|
|
/// instruction "ret" will have no code generated for it as there is no next
|
|
|
|
/// instruction.
|
|
|
|
///
|
|
|
|
///
|
|
|
|
/// this pass also only runs at the instruction level, theodosius internally
|
|
|
|
/// breaks up functions inside of the ".split" section into individual
|
|
|
|
/// instruction symbols. this process also creates a psuedo relocation which
|
|
|
|
/// simply tells this pass that there needs to be a relocation to the next
|
|
|
|
/// symbol. the offset for these psuedo relocations is zero.
|
|
|
|
/// </summary>
|
|
|
|
class next_inst_pass_t : public pass_t {
|
|
|
|
explicit next_inst_pass_t() : pass_t(decomp::sym_type_t::instruction) {
|
|
|
|
xed_state_t istate{XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b};
|
|
|
|
xed_decoded_inst_zero_set_mode(&m_tmp_inst, &istate);
|
|
|
|
xed_decode(&m_tmp_inst, m_type_inst_bytes, sizeof(m_type_inst_bytes));
|
|
|
|
};
|
|
|
|
|
|
|
|
public:
|
|
|
|
static next_inst_pass_t* get();
|
|
|
|
void run(decomp::symbol_t* sym);
|
|
|
|
|
|
|
|
private:
|
|
|
|
std::optional<recomp::reloc_t*> has_next_inst_reloc(decomp::symbol_t*);
|
|
|
|
xed_decoded_inst_t m_tmp_inst;
|
|
|
|
std::uint8_t m_type_inst_bytes[9] = {0x48, 0xC7, 0x44, 0x24, 0x08,
|
|
|
|
0x44, 0x33, 0x22, 0x11};
|
|
|
|
};
|
|
|
|
} // namespace theo::obf
|