Theodosius v3.0
Jit linker, symbol mapper, and obfuscator
theo::obf::jcc_rewrite_pass_t Class Reference

jcc rewrite pass which rewrites RIP-relative jcc instructions so that they are position independent. More...

#include "jcc_rewrite_pass.hpp"

Inheritance diagram for theo::obf::jcc_rewrite_pass_t:
theo::obf::pass_t

Public Member Functions

void run (decomp::symbol_t *sym)
 virtual method which must be implemented by the pass that inherits this class. More...
 
- Public Member Functions inherited from theo::obf::pass_t
 pass_t (decomp::sym_type_t sym_type)
 the explicit constructor of the pass_t base class. More...
 
virtual void run (decomp::symbol_t *sym)=0
 virtual method which must be implemented by the pass that inherits this class. More...
 
decomp::sym_type_t sym_type ()
 gets the pass's symbol type. More...
 

Static Public Member Functions

static jcc_rewrite_pass_t * get ()
 

Detailed Description

jcc rewrite pass which rewrites RIP-relative jcc instructions so that they are position independent.

Given the following code:

jnz label1
; other code goes here

label1: ; more code here

The jnz instruction will be rewritten so that the following code is generated:

jnz br2

br1: jmp [rip] ; address after this instruction contains the address
               ; of the instruction after the jcc.

br2: jmp [rip] ; address after this instruction contains the address of where
               ; branch 2 is located.

It's important to note that other passes will encrypt (transform) the address of the next instruction. There is actually no jmp [rip] either; a push/ret sequence is used instead.

Definition at line 61 of file jcc_rewrite_pass.hpp.

Member Function Documentation

◆ get()

jcc_rewrite_pass_t * theo::obf::jcc_rewrite_pass_t::get ( )
static

Definition at line 35 of file jcc_rewrite_pass.cpp.

{
  static jcc_rewrite_pass_t obj;
  return &obj;
}

Referenced by main().

◆ run()

void theo::obf::jcc_rewrite_pass_t::run ( decomp::symbol_t * sym)
virtual

virtual method which must be implemented by the pass that inherits this class.

Parameters
sym	a symbol of the same type as m_sym_type.

Implements theo::obf::pass_t.

Definition at line 40 of file jcc_rewrite_pass.cpp.

{
  std::int32_t disp = {};
  xed_decoded_inst_t inst;
  xed_state_t istate{XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b};
  xed_decoded_inst_zero_set_mode(&inst, &istate);
  xed_decode(&inst, sym->data().data(), XED_MAX_INSTRUCTION_BYTES);

  // if the instruction is branching...
  if ((disp = xed_decoded_inst_get_branch_displacement(&inst))) {
    // displacement is relative to the end of the jcc, so add its length
    disp += xed_decoded_inst_get_length(&inst);

    // update displacement so the jcc lands at the end of the symbol's bytes...
    xed_decoded_inst_set_branch_displacement(
        &inst, sym->data().size() - xed_decoded_inst_get_length(&inst),
        xed_decoded_inst_get_branch_displacement_width(&inst));

    xed_encoder_request_init_from_decode(&inst);
    xed_encoder_request_t* req = &inst;

    // update jcc in the buffer...
    std::uint32_t len = {};
    xed_encode(req, sym->data().data(), xed_decoded_inst_get_length(&inst),
               &len);

    // create a relocation to the instruction the branch would normally go
    // to...
    auto offset = disp < 0 ? sym->offset() - std::abs(disp)
                           : sym->offset() + std::abs(disp);

    // relocation symbol name is "<routine name>@<offset>"
    auto sym_name =
        std::string(
            sym->sym()->name.to_string(sym->img()->get_strings()).data())
            .append("@")
            .append(std::to_string(offset));

    sym->relocs().push_back(
        recomp::reloc_t(0, decomp::symbol_t::hash(sym_name), sym_name.data()));

    // run next_inst_pass on this symbol to generate the transformations for the
    // relocation to the jcc branch dest instruction...
    // (call reconstructed from the References list below: next_inst_pass_t::get()
    // and next_inst_pass_t::run(); the listing omitted this line)
    next_inst_pass_t::get()->run(sym);
  }
};

References theo::decomp::symbol_t::data(), theo::obf::next_inst_pass_t::get(), theo::decomp::symbol_t::hash(), theo::decomp::symbol_t::img(), theo::decomp::symbol_t::offset(), theo::decomp::symbol_t::relocs(), theo::obf::next_inst_pass_t::run(), and theo::decomp::symbol_t::sym().
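The detailed description above and the run() listing both rely on the same arithmetic: a jcc displacement is relative to the end of the jcc, so the original target is sym offset + instruction length + displacement, and after the rewrite the jcc only needs to skip the fall-through trampoline (br1) and land on br2. The following is an added example, not Theodosius code: it decodes the two x86-64 jcc encodings by hand instead of with XED (short 0x70..0x7F rel8 and near 0x0F 0x80..0x8F rel32), rewrites the displacement, appends two push imm32 / ret trampolines with placeholder immediates for later relocation, and builds the "<routine>@<offset>" relocation name the pass uses. The symbol/routine names and the trampoline layout (br1 and br2 stored inline after the jcc) are assumptions made for the illustration; the real pass keeps the branches as separate symbols and lets later passes transform the addresses.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Added example (not Theodosius code). Assumptions: the jcc sits at the start
// of the symbol's byte buffer, and both trampolines are laid out right after it.

struct jcc_info_t {
  std::size_t len;     // encoded length of the jcc (2 or 6)
  std::int32_t disp;   // branch displacement as encoded (relative to end of jcc)
  bool is_short;       // rel8 vs rel32 form
};

// Decode a jcc at p; returns false for anything that is not a jcc.
bool decode_jcc(const std::uint8_t* p, std::size_t n, jcc_info_t& out) {
  if (n >= 2 && p[0] >= 0x70 && p[0] <= 0x7F) {            // jcc rel8
    out = {2, static_cast<std::int8_t>(p[1]), true};
    return true;
  }
  if (n >= 6 && p[0] == 0x0F && p[1] >= 0x80 && p[1] <= 0x8F) {  // jcc rel32
    std::int32_t d;
    std::memcpy(&d, p + 2, sizeof d);
    out = {6, d, false};
    return true;
  }
  return false;
}

// Trampoline used instead of jmp [rip]: push imm32 ; ret. The imm32 is a
// placeholder (0) that a relocation fills in once the real address is known.
static const std::uint8_t kPushRet[] = {0x68, 0x00, 0x00, 0x00, 0x00, 0xC3};

struct rewritten_t {
  std::vector<std::uint8_t> bytes;  // rewritten jcc + br1 + br2
  std::size_t br1_imm_off;          // offset of br1's imm32 (-> fall-through instruction)
  std::size_t br2_imm_off;          // offset of br2's imm32 (-> original branch target)
  std::int64_t target_off;          // routine-relative offset of the original target
};

// Relocation name in the "<routine name>@<offset>" form used by the pass.
std::string reloc_name(const std::string& routine, std::int64_t offset) {
  return routine + "@" + std::to_string(offset);
}

// Rewrite one jcc symbol: sym_data/sym_size are its bytes, sym_offset its
// offset within the routine. Returns false if the symbol is not a taken-able jcc.
bool rewrite_jcc(const std::uint8_t* sym_data, std::size_t sym_size,
                 std::int64_t sym_offset, rewritten_t& out) {
  jcc_info_t info;
  if (!decode_jcc(sym_data, sym_size, info) || info.disp == 0) return false;

  // Original target: displacement is measured from the end of the jcc.
  out.target_off = sym_offset + static_cast<std::int64_t>(info.len) + info.disp;

  out.bytes.assign(sym_data, sym_data + info.len);
  const std::size_t br1 = out.bytes.size();       // directly after the jcc
  const std::size_t br2 = br1 + sizeof(kPushRet); // after the fall-through trampoline

  // New displacement: skip br1 and land on br2 (always sizeof(kPushRet) here).
  const std::int32_t new_disp = static_cast<std::int32_t>(br2 - info.len);
  if (info.is_short)
    out.bytes[1] = static_cast<std::uint8_t>(new_disp);
  else
    std::memcpy(&out.bytes[2], &new_disp, sizeof new_disp);

  out.bytes.insert(out.bytes.end(), kPushRet, kPushRet + sizeof(kPushRet)); // br1
  out.bytes.insert(out.bytes.end(), kPushRet, kPushRet + sizeof(kPushRet)); // br2
  out.br1_imm_off = br1 + 1;  // imm32 follows the 0x68 opcode
  out.br2_imm_off = br2 + 1;
  return true;
}
```

With a jnz rel8 of 0x10 at routine offset 0x100 the branch target resolves to 0x112 and the relocation name becomes "routine@274"; the rewritten buffer is 14 bytes (jcc, br1, br2) with the jcc displacement now 6, and both trampoline immediates are zero until a relocation fills them in.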


The documentation for this class was generated from the following files: