// Copyright (c) 2022, _xeroxz // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, // this list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // 3. Neither the name of the copyright holder nor the names of its // contributors may be used to endorse or promote products derived from // this software without specific prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE // POSSIBILITY OF SUCH DAMAGE. // #pragma once #include namespace theo::obf { /// /// This pass is used to generate transformations and jmp code to change RIP to /// the next instruction. /// /// given the following code (get pml4 address from cr3): /// /// get_pml4: /// 0: 48 c7 c0 ff 0f 00 00 mov rax,0xfff /// 7: 48 f7 d0 not rax /// a: 0f 20 da mov rdx,cr3 /// d: 48 21 c2 and rdx,rax /// 10: b1 00 mov cl,0x0 /// 12: 48 d3 e2 shl rdx,cl /// 15: 48 89 d0 mov rax,rdx /// 18: c3 ret /// /// this pass will break up each instruction so that it can be anywhere in a /// linear virtual address space. this pass will not work on rip relative code, /// however clang will not generate such code when compiled with /// "-mcmodel=large" /// /// get_pml4@0: /// mov rax, 0xFFF /// push [next_inst_addr_enc] /// xor [rsp], 0x3243342 /// ; a random number of transformations here... /// ret /// next_inst_addr_enc: /// ; encrypted address of the next instruction goes here. /// /// get_pml4@7: /// not rax /// push [next_inst_addr_enc] /// xor [rsp], 0x93983498 /// ; a random number of transformations here... /// ret /// next_inst_addr_enc: /// ; encrypted address of the next instruction goes here. /// /// this process is continued for each instruction in the function. the last /// instruction "ret" will have no code generated for it as there is no next /// instruction. /// /// /// this pass also only runs at the instruction level, theodosius internally /// breaks up functions inside of the ".split" section into individual /// instruction symbols. this process also creates a psuedo relocation which /// simply tells this pass that there needs to be a relocation to the next /// symbol. the offset for these psuedo relocations is zero. /// class next_inst_pass_t : public pass_t { explicit next_inst_pass_t() : pass_t(decomp::sym_type_t::instruction) { xed_state_t istate{XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b}; xed_decoded_inst_zero_set_mode(&m_tmp_inst, &istate); xed_decode(&m_tmp_inst, m_type_inst_bytes, sizeof(m_type_inst_bytes)); }; public: static next_inst_pass_t* get(); void run(decomp::symbol_t* sym); private: std::optional has_next_inst_reloc(decomp::symbol_t*); xed_decoded_inst_t m_tmp_inst; std::uint8_t m_type_inst_bytes[9] = {0x48, 0xC7, 0x44, 0x24, 0x08, 0x44, 0x33, 0x22, 0x11}; }; } // namespace theo::obf