fixed rip moving

main
James 3 years ago
parent 6d9ce964bf
commit fa0967c2d5

@ -149,8 +149,6 @@ PNATIVE_CODE_BLOCK JitEmitPreRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
RipDelta += ((FourByte - Count) * 4);
RipDelta += Delta;
//Add the actual instruction
printf("%p IS THE DATAOFFSET\n", DataOffset);
system("pause");
if (!JitEmitRipRelativeMovD(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
@ -242,7 +240,7 @@ PNATIVE_CODE_BLOCK JitEmitPostRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4) - (TwoByte * 2);
RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
RipDelta += WORD_MOV_INST_LENGTH;
RipDelta += (TwoByte * WORD_MOV_INST_LENGTH);
RipDelta += BYTE_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
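Review bot: In JitEmitPostRipMov the delta adds `BYTE_MOV_INST_LENGTH` unconditionally, while the leftover-byte count it starts from, `Link->RawDataSize - (FourByte * 4) - (TwoByte * 2)`, can presumably be 0 as well as 1; if no byte move is emitted in the 0 case the RIP-relative offset is off by one instruction length. Either guard it, `if (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2)) RipDelta += BYTE_MOV_INST_LENGTH;`, or state the invariant with `// a byte move is always emitted, even when no byte remains` if that is what the emitter does. The same initialiser stores what looks like unsigned ULONG arithmetic into an INT32, so an inconsistent FourByte/TwoByte count would wrap to a large value rather than go negative before the sign flip in `RipDelta *= (-1)`. JitEmitPostRipMov starts outside the hunk, as does JitEmitPreRipMov in the first hunk.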

@ -37,21 +37,75 @@ UCHAR TestBuffer[] = {
};
ULONG TestBufferSize = sizeof(TestBuffer);
UCHAR meme1[] = { 0x31, 0xc0 };
UCHAR meme1[] = { 0xb8, 0xde, 0xc0, 0xac, 0x0e };
UCHAR meme2[] = { 0xc3 };
int main()
{
XedTablesInit();
srand(time(NULL));
PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2));
PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776);
PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776);
PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst);
PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst);
NcAppendToBlock(Pre1, Return1776);
NcInsertBlockAfter(Pre1->End, Post1, 0);
Pre1->End = Post1->End;
NcInsertBlockAfter(Pre1->End, Pre2, 0);
Pre1->End = Pre2->End;
NcAppendToBlock(Pre1, RetInst);
NcInsertBlockAfter(Pre1->End, Post2, 0);
Pre1->End = Post2->End;
/*Pre->Start = Return1776;
Pre->End = Return1776;*/
for (ULONG i = 0; i < Return1776->RawDataSize; i++)
Return1776->RawData[i] = (UCHAR)rand();
for (ULONG i = 0; i < RetInst->RawDataSize; i++)
RetInst->RawData[i] = (UCHAR)rand();
/*NcDebugPrint(Pre);
NcPrintBlockCode(Pre);*/
ULONG AsmLen;
PVOID Asm = NcAssemble(Pre1, &AsmLen);
PUCHAR Tb = (PUCHAR)Asm;
for (uint32_t i = 0; i < AsmLen; i++)
{
std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
}
system("pause");
typedef ULONG64(*FnGet1776)();
FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen);
if (ExecBuffer)
{
printf("The numba was: %X\n", ExecBuffer());
printf("The numba was: %X\n", ExecBuffer());
printf("The numba was: %X\n", ExecBuffer());
printf("The numba was: %X\n", ExecBuffer());
NATIVE_CODE_BLOCK Block;
}
//NcDebugPrint(Post);
/*NATIVE_CODE_BLOCK Block;
NcDisassemble(&Block, TestBuffer, TestBufferSize);
PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink);
ULONG AssembledSize;
PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize);
if (!AssembledBlock || !AssembledSize)
@ -65,6 +119,7 @@ int main()
{
std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
}
*/
//PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End);
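Review bot: `printf("The numba was: %X\n", ExecBuffer())` hands a ULONG64 (per the `typedef ULONG64(*FnGet1776)();` just above it) to a `%X` conversion that expects unsigned int, which is undefined behaviour and at best prints a truncated value; all four calls should use `%llX`. `NcAssemble`'s result is read through `Tb[i]` without checking `Asm` for NULL, although the commented-out code below does test it; an `if (!Asm || !AsmLen) return 1;` before the dump loop keeps the harness from faulting on a failed assembly. The `NATIVE_CODE_BLOCK Block;` inside the `if (ExecBuffer)` body is unused, and none of the `new NATIVE_CODE_LINK` objects nor the buffers from `NcAssemble`/`MakeExecutableBuffer` are released before main returns, which is tolerable for a scratch test but deserves a `// intentionally leaked: throwaway test harness` comment if that is the intent.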

@ -28,6 +28,8 @@ _NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG F, PVOID Rd, ULONG Rds)
RawData = new UCHAR[Rds];
if (Rd)
RtlCopyMemory(RawData, Rd, Rds);
XedDecode(&XedInstruction, RawData, RawDataSize);
}
_NATIVE_CODE_LINK::~_NATIVE_CODE_LINK()
@ -120,7 +122,7 @@ VOID NcUnlink(PNATIVE_CODE_LINK Link)
ULONG NcCalcBlockSize(PNATIVE_CODE_BLOCK Block)
{
ULONG TotalSize = 0;
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
for (PNATIVE_CODE_LINK T = Block->Start; T != Block->End->Next; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
@ -173,7 +175,7 @@ BOOL NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block, BOOL F
Block->Start->Prev = Link;
Link->Next = Block->Start;
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
T->Block = Link->Block;
return TRUE;
@ -193,7 +195,7 @@ BOOL NcInsertBlockBefore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block, BOOL
Block->End->Next = Link;
Link->Prev = Block->End;
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
T->Block = Link->Block;
return TRUE;
@ -504,7 +506,7 @@ PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PULONG OutSize)
PUCHAR BufferOffset = Buffer;
for (PNATIVE_CODE_LINK T = Block->Start; T != Block->End->Next; T = T->Next)
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
@ -535,7 +537,7 @@ VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block)
if (!ConsoleHandle)
return;
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
{
@ -561,7 +563,7 @@ VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block)
VOID NcPrintBlockCode(PNATIVE_CODE_BLOCK Block)
{
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
if (!(T->Flags & CODE_FLAG_IS_LABEL))
{
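Review bot: The new loop bound in NcCalcBlockSize, `T != Block->End->Next`, is the only one in this commit without the `T &&` guard that NcInsertBlockAfter, NcInsertBlockBefore, NcAssemble, NcDebugPrint and NcPrintBlockCode all received; if Block->End is not reachable from Block->Start the loop runs past the list tail and dereferences NULL in `T->Flags`. Make it `for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)`. Every one of these loops also evaluates `Block->End->Next` before checking whether Block->End is NULL, so an empty block (Start == End == NULL) that the old `T;` condition tolerated now faults; for NcCalcBlockSize an early `if (!Block->Start || !Block->End) return 0;` covers it, and the other functions need an equivalent guard. Each enclosing function extends beyond its hunk.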

@ -135,6 +135,7 @@ PNATIVE_CODE_BLOCK ObfGenOpaqueBranch(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK
NcAppendToBlock(Taken, new NATIVE_CODE_LINK(JmpLabel, Taken));
NcInsertBlockAfter(NotTaken->End, Taken, FALSE);
NotTaken->End = Taken->End;
delete Taken;
return NotTaken;
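Review bot: After `NcInsertBlockAfter(NotTaken->End, Taken, FALSE)` the links Taken owned are spliced into NotTaken, yet `delete Taken;` still runs with Taken->Start/End pointing at those links; whether that is safe depends on whether ~_NATIVE_CODE_BLOCK, whose definition is not in this diff, frees the links it spans. If it does, NotTaken is left holding freed links and the added `NotTaken->End = Taken->End;` refers to freed memory after the delete. Detaching before deleting, `Taken->Start = Taken->End = NULL;` immediately before `delete Taken;`, or a comment stating that the block destructor does not own its links, settles it either way. ObfGenOpaqueBranch begins outside the hunk.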


@ -607,7 +607,7 @@ pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z DD imagerel $LN29
DD imagerel $LN29+1160
DD imagerel $LN29+1176
DD imagerel $unwind$?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z
pdata ENDS
; COMDAT pdata
@ -4232,7 +4232,7 @@ $T12 = 808
$T13 = 840
$T14 = 872
$T15 = 904
tv214 = 920
tv216 = 920
tv204 = 920
tv189 = 920
tv171 = 920
@ -4297,7 +4297,7 @@ $LN3@ObfGenOpaq:
; 91 : return NULL;
00086 33 c0 xor eax, eax
00088 e9 cc 03 00 00 jmp $LN1@ObfGenOpaq
00088 e9 dc 03 00 00 jmp $LN1@ObfGenOpaq
$LN2@ObfGenOpaq:
; 92 :
@ -4319,7 +4319,7 @@ $LN2@ObfGenOpaq:
; 96 : return NULL;
000ab 33 c0 xor eax, eax
000ad e9 a7 03 00 00 jmp $LN1@ObfGenOpaq
000ad e9 b7 03 00 00 jmp $LN1@ObfGenOpaq
$LN4@ObfGenOpaq:
; 97 : }
@ -4367,7 +4367,7 @@ $LN10@ObfGenOpaq:
; 103 : return NULL;
00113 33 c0 xor eax, eax
00115 e9 3f 03 00 00 jmp $LN1@ObfGenOpaq
00115 e9 4f 03 00 00 jmp $LN1@ObfGenOpaq
$LN5@ObfGenOpaq:
; 104 : }
@ -4486,7 +4486,7 @@ $LN14@ObfGenOpaq:
; 118 : return NULL;
00234 33 c0 xor eax, eax
00236 e9 1e 02 00 00 jmp $LN1@ObfGenOpaq
00236 e9 2e 02 00 00 jmp $LN1@ObfGenOpaq
$LN6@ObfGenOpaq:
; 119 : }
@ -4583,7 +4583,7 @@ $LN20@ObfGenOpaq:
; 128 : return NULL;
00320 33 c0 xor eax, eax
00322 e9 32 01 00 00 jmp $LN1@ObfGenOpaq
00322 e9 42 01 00 00 jmp $LN1@ObfGenOpaq
$LN7@ObfGenOpaq:
; 129 : }
@ -4674,50 +4674,57 @@ $LN24@ObfGenOpaq:
00412 48 8b 48 08 mov rcx, QWORD PTR [rax+8]
00416 e8 00 00 00 00 call ?NcInsertBlockAfter@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z ; NcInsertBlockAfter
; 138 :
; 139 : delete Taken;
; 138 : NotTaken->End = Taken->End;
0041b 48 8b 45 08 mov rax, QWORD PTR NotTaken$[rbp]
0041f 48 8b 4d 28 mov rcx, QWORD PTR Taken$[rbp]
00423 48 8b 49 08 mov rcx, QWORD PTR [rcx+8]
00427 48 89 48 08 mov QWORD PTR [rax+8], rcx
0041b 48 8b 45 28 mov rax, QWORD PTR Taken$[rbp]
0041f 48 89 85 88 03
; 139 :
; 140 : delete Taken;
0042b 48 8b 45 28 mov rax, QWORD PTR Taken$[rbp]
0042f 48 89 85 88 03
00 00 mov QWORD PTR $T15[rbp], rax
00426 48 83 bd 88 03
00436 48 83 bd 88 03
00 00 00 cmp QWORD PTR $T15[rbp], 0
0042e 74 1a je SHORT $LN25@ObfGenOpaq
00430 ba 01 00 00 00 mov edx, 1
00435 48 8b 8d 88 03
0043e 74 1a je SHORT $LN25@ObfGenOpaq
00440 ba 01 00 00 00 mov edx, 1
00445 48 8b 8d 88 03
00 00 mov rcx, QWORD PTR $T15[rbp]
0043c e8 00 00 00 00 call ??_G_NATIVE_CODE_BLOCK@@QEAAPEAXI@Z
00441 48 89 85 98 03
00 00 mov QWORD PTR tv214[rbp], rax
00448 eb 0b jmp SHORT $LN26@ObfGenOpaq
0044c e8 00 00 00 00 call ??_G_NATIVE_CODE_BLOCK@@QEAAPEAXI@Z
00451 48 89 85 98 03
00 00 mov QWORD PTR tv216[rbp], rax
00458 eb 0b jmp SHORT $LN26@ObfGenOpaq
$LN25@ObfGenOpaq:
0044a 48 c7 85 98 03
0045a 48 c7 85 98 03
00 00 00 00 00
00 mov QWORD PTR tv214[rbp], 0
00 mov QWORD PTR tv216[rbp], 0
$LN26@ObfGenOpaq:
; 140 : return NotTaken;
; 141 : return NotTaken;
00455 48 8b 45 08 mov rax, QWORD PTR NotTaken$[rbp]
00465 48 8b 45 08 mov rax, QWORD PTR NotTaken$[rbp]
$LN1@ObfGenOpaq:
; 141 : }
; 142 : }
00459 48 8b f8 mov rdi, rax
0045c 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32]
00460 48 8d 15 00 00
00469 48 8b f8 mov rdi, rax
0046c 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32]
00470 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z$rtcFrameData
00467 e8 00 00 00 00 call _RTC_CheckStackVars
0046c 48 8b c7 mov rax, rdi
0046f 48 8b 8d a0 03
00477 e8 00 00 00 00 call _RTC_CheckStackVars
0047c 48 8b c7 mov rax, rdi
0047f 48 8b 8d a0 03
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
00476 48 33 cd xor rcx, rbp
00479 e8 00 00 00 00 call __security_check_cookie
0047e 48 8d a5 b8 03
00486 48 33 cd xor rcx, rbp
00489 e8 00 00 00 00 call __security_check_cookie
0048e 48 8d a5 b8 03
00 00 lea rsp, QWORD PTR [rbp+952]
00485 5f pop rdi
00486 5d pop rbp
00487 c3 ret 0
00495 5f pop rdi
00496 5d pop rbp
00497 c3 ret 0
?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z ENDP ; ObfGenOpaqueBranch
_TEXT ENDS
; COMDAT text$x
@ -4739,7 +4746,7 @@ $T12 = 808
$T13 = 840
$T14 = 872
$T15 = 904
tv214 = 920
tv216 = 920
tv204 = 920
tv189 = 920
tv171 = 920
@ -4789,7 +4796,7 @@ $T12 = 808
$T13 = 840
$T14 = 872
$T15 = 904
tv214 = 920
tv216 = 920
tv204 = 920
tv189 = 920
tv171 = 920
@ -4840,7 +4847,7 @@ $T12 = 808
$T13 = 840
$T14 = 872
$T15 = 904
tv214 = 920
tv216 = 920
tv204 = 920
tv189 = 920
tv171 = 920
@ -4891,7 +4898,7 @@ $T12 = 808
$T13 = 840
$T14 = 872
$T15 = 904
tv214 = 920
tv216 = 920
tv204 = 920
tv189 = 920
tv171 = 920
