theo::obf::jcc_rewrite_pass_t Class Reference

jcc rewrite pass which rewrites rip relative jcc's so that they are position independent. More...

#include <jcc_rewrite_pass.hpp>

Inheritance diagram for theo::obf::jcc_rewrite_pass_t:

Public Member Functions
void	run (decomp::symbol_t *sym)
	virtual method which must be implimented by the pass that inherits this class. More...
Public Member Functions inherited from theo::obf::pass_t
	pass_t (decomp::sym_type_t sym_type)
	the explicit constructor of the pass_t base class. More...
decomp::sym_type_t	sym_type ()
	gets the passes symbol type. More...

Static Public Member Functions
static jcc_rewrite_pass_t *	get ()

Detailed Description

jcc rewrite pass which rewrites rip relative jcc's so that they are position independent.

given the following code:

jnz label1
; other code goes here

label1: ; more code here

the jnz instruction will be rewritten so that the following code is generated:

jnz br2

br1: jmp [rip] ; address after this instruction contains the address ; of the instruction after the jcc. br2: jmp [rip] ; address after this instruction contains the address of where ; branch 2 is located.

its important to note that other passes will encrypt (transform) the address of the next instruction. There is actually no jmp [rip] either, push/ret is used.

Member Function Documentation

get()

jcc_rewrite_pass_t * theo::obf::jcc_rewrite_pass_t::get ( )

static

                                            {
  static jcc_rewrite_pass_t obj;
  return &obj;
}

run()

void theo::obf::jcc_rewrite_pass_t::run ( decomp::symbol_t *  sym )

virtual

virtual method which must be implimented by the pass that inherits this class.

Parameters

sym	a symbol of the same type of m_sym_type.

Implements theo::obf::pass_t.

                                                {
  std::int32_t disp = {};
  xed_decoded_inst_t inst;
  xed_state_t istate{XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b};
  xed_decoded_inst_zero_set_mode(&inst, &istate);
  xed_decode(&inst, sym->data().data(), XED_MAX_INSTRUCTION_BYTES);
 
  // if the instruction is branching...
  if ((disp = xed_decoded_inst_get_branch_displacement(&inst))) {
    disp += xed_decoded_inst_get_length(&inst);
 
    // update displacement...
    xed_decoded_inst_set_branch_displacement(
        &inst, sym->data().size() - xed_decoded_inst_get_length(&inst),
        xed_decoded_inst_get_branch_displacement_width(&inst));
 
    xed_encoder_request_init_from_decode(&inst);
    xed_encoder_request_t* req = &inst;
 
    // update jcc in the buffer...
    std::uint32_t len = {};
    xed_encode(req, sym->data().data(), xed_decoded_inst_get_length(&inst),
               &len);
 
    // create a relocation to the instruction the branch would normally go
    // too...
    auto offset = disp < 0 ? sym->offset() - std::abs(disp)
                           : sym->offset() + std::abs(disp);
 
    auto sym_name =
        std::string(
            sym->sym()->name.to_string(sym->img()->get_strings()).data())
            .append("@")
            .append(std::to_string(offset));
 
    sym->relocs().push_back(
        recomp::reloc_t(0, decomp::symbol_t::hash(sym_name), sym_name.data()));
 
    // run next_inst_pass on this symbol to generate the transformations for the
    // relocation to the jcc branch dest instruction...
    next_inst_pass_t::get()->run(sym);
  }
};

---

The documentation for this class was generated from the following files:

• include/obf/passes/jcc_rewrite_pass.hpp
• src/obf/passes/jcc_rewrite_pass.cpp