Manifold
/
vmprofiler
forked from vmp3/vmprofiler
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fixed a bug in the deadstore removal algo...

Browse Source
master
John Doe 2 years ago
parent 703245ffc9
commit 4c4bcf8a18
3 changed files with 5 additions and 19 deletions
Show Stats Download Patch File Download Diff File

1
src/vmctx.cpp
Unescape View File

@ -19,6 +19,7 @@ bool vmctx_t::init() {
return false;
vm::utils::deobfuscate(m_vm_entry);
vm::utils::print(m_vm_entry);
// find mov reg, [rsp+0x90]. this register will be VIP...
const auto vip_fetch = std::find_if(

9
src/vminstrs.cpp
Unescape View File

@ -20,12 +20,9 @@ void deobfuscate(hndlr_trace_t& trace) {
static const auto _reads = [](zydis_decoded_instr_t& instr,
zydis_reg_t reg) -> bool {
if (instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
vm::utils::reg::compare(instr.operands[0].mem.base, reg))
return true;
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
if (instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ &&
if ((instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ ||
instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_MEMORY) &&
_uses_reg(instr.operands[op_idx], reg))
return true;
return false;
@ -34,10 +31,8 @@ void deobfuscate(hndlr_trace_t& trace) {
static const auto _writes = [](zydis_decoded_instr_t& instr,
zydis_reg_t reg) -> bool {
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
// if instruction writes to the specific register...
if (instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_WRITE &&
!(instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ) &&
vm::utils::reg::compare(instr.operands[op_idx].reg.value, reg))
return true;
return false;

14
src/vmutils.cpp
Unescape View File

@ -99,12 +99,9 @@ void deobfuscate(zydis_rtn_t& routine) {
static const auto _reads = [](zydis_decoded_instr_t& instr,
zydis_reg_t reg) -> bool {
if (instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
vm::utils::reg::compare(instr.operands[0].mem.base, reg))
return true;
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
if (instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ &&
if ((instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ ||
instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_MEMORY) &&
_uses_reg(instr.operands[op_idx], reg))
return true;
return false;
@ -113,10 +110,8 @@ void deobfuscate(zydis_rtn_t& routine) {
static const auto _writes = [](zydis_decoded_instr_t& instr,
zydis_reg_t reg) -> bool {
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
// if instruction writes to the specific register...
if (instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_WRITE &&
!(instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ) &&
vm::utils::reg::compare(instr.operands[op_idx].reg.value, reg))
return true;
return false;
@ -151,11 +146,6 @@ void deobfuscate(zydis_rtn_t& routine) {
break;
}
if (is_jmp(itr->instr)) {
routine.erase(itr);
break;
}
zydis_reg_t reg = ZYDIS_REGISTER_NONE;
// look for operands with writes to a register...
for (auto op_idx = 0u; op_idx < itr->instr.operand_count; ++op_idx)

Write Preview
Loading…
Cancel
Save