You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Theodosius/include/obf/passes/next_inst_pass.hpp

72 lines
2.6 KiB

#pragma once
#include <obf/pass.hpp>
namespace theo::obf {
/// <summary>
/// This pass is used to generate transformations and jmp code to change RIP to
/// the next instruction.
///
/// given the following code (get pml4 address from cr3):
///
/// get_pml4:
/// 0: 48 c7 c0 ff 0f 00 00 mov rax,0xfff
/// 7: 48 f7 d0 not rax
/// a: 0f 20 da mov rdx,cr3
/// d: 48 21 c2 and rdx,rax
/// 10: b1 00 mov cl,0x0
/// 12: 48 d3 e2 shl rdx,cl
/// 15: 48 89 d0 mov rax,rdx
/// 18: c3 ret
///
/// this pass will break up each instruction so that it can be anywhere in a
/// linear virtual address space. this pass will not work on rip relative code,
/// however clang will not generate such code when compiled with
/// "-mcmodel=large"
///
/// get_pml4@0:
/// mov rax, 0xFFF
/// push [next_inst_addr_enc]
/// xor [rsp], 0x3243342
/// ; a random number of transformations here...
/// ret
/// next_inst_addr_enc:
/// ; encrypted address of the next instruction goes here.
///
/// get_pml4@7:
/// not rax
/// push [next_inst_addr_enc]
/// xor [rsp], 0x93983498
/// ; a random number of transformations here...
/// ret
/// next_inst_addr_enc:
/// ; encrypted address of the next instruction goes here.
///
/// this process is continued for each instruction in the function. the last
/// instruction "ret" will have no code generated for it as there is no next
/// instruction.
///
///
/// this pass also only runs at the instruction level, theodosius internally
/// breaks up functions inside of the ".split" section into individual
/// instruction symbols. this process also creates a psuedo relocation which
/// simply tells this pass that there needs to be a relocation to the next
/// symbol. the offset for these psuedo relocations is zero.
/// </summary>
class next_inst_pass_t : public pass_t {
explicit next_inst_pass_t() : pass_t(decomp::sym_type_t::instruction) {
xed_state_t istate{XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b};
xed_decoded_inst_zero_set_mode(&m_tmp_inst, &istate);
xed_decode(&m_tmp_inst, m_type_inst_bytes, sizeof(m_type_inst_bytes));
};
public:
static next_inst_pass_t* get();
void run(decomp::symbol_t* sym);
private:
std::optional<recomp::reloc_t*> has_next_inst_reloc(decomp::symbol_t*);
xed_decoded_inst_t m_tmp_inst;
std::uint8_t m_type_inst_bytes[9] = {0x48, 0xC7, 0x44, 0x24, 0x08,
0x44, 0x33, 0x22, 0x11};
};
} // namespace theo::obf