@ -99,12 +99,9 @@ void deobfuscate(zydis_rtn_t& routine) {
static const auto _reads = [](zydis_decoded_instr_t& instr,
static const auto _reads = [](zydis_decoded_instr_t& instr,
zydis_reg_t reg) -> bool {
zydis_reg_t reg) -> bool {
if (instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
vm::utils::reg::compare(instr.operands[0].mem.base, reg))
return true;
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
if (instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ &&
if ((instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ ||
instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_MEMORY) &&
_uses_reg(instr.operands[op_idx], reg))
_uses_reg(instr.operands[op_idx], reg))
return true;
return true;
return false;
@ -113,10 +110,8 @@ void deobfuscate(zydis_rtn_t& routine) {
static const auto _writes = [](zydis_decoded_instr_t& instr,
static const auto _writes = [](zydis_decoded_instr_t& instr,
zydis_reg_t reg) -> bool {
zydis_reg_t reg) -> bool {
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
// if instruction writes to the specific register...
if (instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER &&
if (instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_WRITE &&
instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_WRITE &&
!(instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ) &&
vm::utils::reg::compare(instr.operands[op_idx].reg.value, reg))
vm::utils::reg::compare(instr.operands[op_idx].reg.value, reg))
return true;
return true;
return false;
return false;
@ -151,11 +146,6 @@ void deobfuscate(zydis_rtn_t& routine) {
break;
break;
}
}
if (is_jmp(itr->instr)) {
routine.erase(itr);
break;
}
zydis_reg_t reg = ZYDIS_REGISTER_NONE;
zydis_reg_t reg = ZYDIS_REGISTER_NONE;
// look for operands with writes to a register...
// look for operands with writes to a register...
for (auto op_idx = 0u; op_idx < itr->instr.operand_count; ++op_idx)
for (auto op_idx = 0u; op_idx < itr->instr.operand_count; ++op_idx)