theo::obf::next_inst_pass_t Class Reference

This pass is used to generate transformations and jmp code to change RIP to the next instruction. More...

#include "next_inst_pass.hpp"

Inheritance diagram for theo::obf::next_inst_pass_t:

Public Member Functions
void	run (decomp::symbol_t *sym)
	virtual method which must be implimented by the pass that inherits this class. More...
Public Member Functions inherited from theo::obf::pass_t
	pass_t (decomp::sym_type_t sym_type)
	the explicit constructor of the pass_t base class. More...
virtual void	run (decomp::symbol_t *sym)=0
	virtual method which must be implimented by the pass that inherits this class. More...
decomp::sym_type_t	sym_type ()
	gets the passes symbol type. More...

Static Public Member Functions
static next_inst_pass_t *	get ()

Detailed Description

This pass is used to generate transformations and jmp code to change RIP to the next instruction.

given the following code (get pml4 address from cr3):

get_pml4: 0: 48 c7 c0 ff 0f 00 00 mov rax,0xfff 7: 48 f7 d0 not rax a: 0f 20 da mov rdx,cr3 d: 48 21 c2 and rdx,rax 10: b1 00 mov cl,0x0 12: 48 d3 e2 shl rdx,cl 15: 48 89 d0 mov rax,rdx 18: c3 ret

this pass will break up each instruction so that it can be anywhere in a linear virtual address space. this pass will not work on rip relative code, however clang will not generate such code when compiled with "-mcmodel=large"

get_pml4@0: mov rax, 0xFFF push [next_inst_addr_enc] xor [rsp], 0x3243342 ; a random number of transformations here... ret next_inst_addr_enc: ; encrypted address of the next instruction goes here.

get_pml4@7: not rax push [next_inst_addr_enc] xor [rsp], 0x93983498 ; a random number of transformations here... ret next_inst_addr_enc: ; encrypted address of the next instruction goes here.

this process is continued for each instruction in the function. the last instruction "ret" will have no code generated for it as there is no next instruction.

this pass also only runs at the instruction level, theodosius internally breaks up functions inside of the ".split" section into individual instruction symbols. this process also creates a psuedo relocation which simply tells this pass that there needs to be a relocation to the next symbol. the offset for these psuedo relocations is zero.

Definition at line 85 of file next_inst_pass.hpp.

Member Function Documentation

get()

next_inst_pass_t * theo::obf::next_inst_pass_t::get ( )

static

Definition at line 34 of file next_inst_pass.cpp.

                                        {
  static next_inst_pass_t obj;
  return &obj;
}

Referenced by main(), and theo::obf::jcc_rewrite_pass_t::run().

run()

void theo::obf::next_inst_pass_t::run ( decomp::symbol_t *  sym )

virtual

virtual method which must be implimented by the pass that inherits this class.

Parameters

sym	a symbol of the same type of m_sym_type.

Implements theo::obf::pass_t.

Definition at line 38 of file next_inst_pass.cpp.

                                              {
  std::optional<recomp::reloc_t*> reloc;
  if (!(reloc = has_next_inst_reloc(sym)).has_value())
    return;
 
  xed_decoded_inst_t inst = m_tmp_inst;
  std::vector<std::uint8_t> new_inst_bytes =
      transform::generate(&inst, reloc.value(), 3, 6);
 
  // add a push [rip+offset] and update reloc->offset()...
  //
  std::uint32_t inst_len = {};
  std::uint8_t inst_buff[XED_MAX_INSTRUCTION_BYTES];
 
  xed_error_enum_t err;
  xed_encoder_request_t req;
  xed_state_t istate{XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b};
 
  xed_encoder_request_zero_set_mode(&req, &istate);
  xed_encoder_request_set_effective_operand_width(&req, 64);
  xed_encoder_request_set_iclass(&req, XED_ICLASS_PUSH);
 
  xed_encoder_request_set_mem0(&req);
  xed_encoder_request_set_operand_order(&req, 0, XED_OPERAND_MEM0);
 
  xed_encoder_request_set_base0(&req, XED_REG_RIP);
  xed_encoder_request_set_seg0(&req, XED_REG_INVALID);
  xed_encoder_request_set_index(&req, XED_REG_INVALID);
  xed_encoder_request_set_scale(&req, 0);
 
  xed_encoder_request_set_memory_operand_length(&req, 8);
  xed_encoder_request_set_memory_displacement(&req, new_inst_bytes.size() + 1,
                                              1);
 
  if ((err = xed_encode(&req, inst_buff, sizeof(inst_buff), &inst_len)) !=
      XED_ERROR_NONE) {
    spdlog::info("failed to encode instruction... reason: {}",
                 xed_error_enum_t2str(err));
 
    assert(err == XED_ERROR_NONE);
  }
 
  new_inst_bytes.insert(new_inst_bytes.begin(), inst_buff,
                        inst_buff + inst_len);
 
  // put a return instruction at the end of the decrypt instructions...
  //
  new_inst_bytes.push_back(0xC3);
 
  sym->data().insert(sym->data().end(), new_inst_bytes.begin(),
                     new_inst_bytes.end());
 
  reloc.value()->offset(sym->data().size());
  sym->data().resize(sym->data().size() + 8);
}

References theo::decomp::symbol_t::data(), and theo::obf::transform::generate().

Referenced by theo::obf::jcc_rewrite_pass_t::run().

---

The documentation for this class was generated from the following files:

• include/obf/passes/next_inst_pass.hpp
• src/obf/passes/next_inst_pass.cpp