From 599a685b9e1b8e2f36526a61a2f77ecdc49a7288 Mon Sep 17 00:00:00 2001
From: John Doe
Date: Tue, 21 Dec 2021 23:32:42 -0800
Subject: [PATCH] fixed jmp profile...

---
 src/vminstrs.cpp | 11 +++++++++--
 src/vmprofiles/jmp.cpp | 19 ++++++++++++++++---
 src/vmutils.cpp | 11 +++++++++--
 3 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/src/vminstrs.cpp b/src/vminstrs.cpp
index ad885af..9909558 100644
--- a/src/vminstrs.cpp
+++ b/src/vminstrs.cpp
@@ -45,8 +45,15 @@ void deobfuscate(hndlr_trace_t& trace) {
 std::uint32_t last_size = 0u;
 static const std::vector blacklist = {
- ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT, ZYDIS_MNEMONIC_TEST,
- ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC};
+ ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT, ZYDIS_MNEMONIC_TEST,
+ ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC,
+ ZYDIS_MNEMONIC_CMOVB, ZYDIS_MNEMONIC_CMOVBE, ZYDIS_MNEMONIC_CMOVL,
+ ZYDIS_MNEMONIC_CMOVLE, ZYDIS_MNEMONIC_CMOVNB, ZYDIS_MNEMONIC_CMOVNBE,
+ ZYDIS_MNEMONIC_CMOVNL, ZYDIS_MNEMONIC_CMOVNLE, ZYDIS_MNEMONIC_CMOVNO,
+ ZYDIS_MNEMONIC_CMOVNP, ZYDIS_MNEMONIC_CMOVNS, ZYDIS_MNEMONIC_CMOVNZ,
+ ZYDIS_MNEMONIC_CMOVO, ZYDIS_MNEMONIC_CMOVP, ZYDIS_MNEMONIC_CMOVS,
+ ZYDIS_MNEMONIC_CMOVZ,
+ };
 static const std::vector whitelist = {
 ZYDIS_MNEMONIC_PUSH, ZYDIS_MNEMONIC_POP, ZYDIS_MNEMONIC_CALL,
diff --git a/src/vmprofiles/jmp.cpp b/src/vmprofiles/jmp.cpp
index b1d283f..485b8ee 100644
--- a/src/vmprofiles/jmp.cpp
+++ b/src/vmprofiles/jmp.cpp
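Review bot: The CMOVcc entries added to `blacklist` in `deobfuscate` break the property every existing entry has: CLC, BT, TEST, CMP, CMC and STC write only RFLAGS, whereas a CMOVcc writes its destination register whenever its condition holds, so if the consumer of this list (not visible in the hunk) treats blacklisted instructions as unconditionally removable, a CMOV whose result is read later is dropped and the handler's semantics change. Either gate removal of a CMOV on its destination being overwritten before any read, or at minimum state the assumption above the list, e.g. `// CMOVcc: assumed to be junk whose result is never read in the handlers seen so far - TODO confirm per handler`. The identical table is pasted into src/vmutils.cpp by this same commit; one shared `inline const` definition in a header would keep the two from drifting apart. The body of `deobfuscate` continues outside the hunk.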
@@ -23,18 +23,31 @@ profiler_t jmp = {
 instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
 instr.operands[1].imm.value.u == 8;
 },
- // MOV VIP, REG
+ // MOV REG, IMM_64
 [&](const zydis_reg_t vip,
 const zydis_reg_t vsp,
 const zydis_decoded_instr_t& instr) -> bool {
 return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
 instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
- instr.operands[0].reg.value == vip &&
- instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
+ instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[1].size == 64;
+ },
+ // LEA REG, [0x0] ; disp is -7...
+ [&](const zydis_reg_t vip,
+ const zydis_reg_t vsp,
+ const zydis_decoded_instr_t& instr) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_LEA &&
+ instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[1].mem.disp.has_displacement &&
+ instr.operands[1].mem.disp.value == -7;
 }}},
 [&](zydis_reg_t& vip, zydis_reg_t& vsp,
 hndlr_trace_t& hndlr) -> std::optional {
+ std::printf("> found a jmp...\n");
+ std::getchar();
 const auto& instrs = hndlr.m_instrs;
 const auto xchg = std::find_if(
 instrs.begin(), instrs.end(), [&](const emu_instr_t& instr) -> bool {
diff --git a/src/vmutils.cpp b/src/vmutils.cpp
index dfdbd4c..65466f3 100644
--- a/src/vmutils.cpp
+++ b/src/vmutils.cpp
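Review bot: `std::printf("> found a jmp...\n"); std::getchar();` at the top of the second lambda is leftover interactive debugging: it blocks on stdin every time a jmp handler is matched, so any non-interactive run (piped input, CI, a batch over many samples) hangs; delete both lines before this merges. The new LEA matcher accepts any LEA whose displacement is -7 regardless of base register, while the comment `[0x0]` and the -7 suggest a RIP-relative lea resolving to its own start (a 7-byte encoding); add `instr.operands[1].mem.base == ZYDIS_REGISTER_RIP &&` to the condition and reword the comment to `// LEA REG, [RIP-7] ; resolves to the lea's own address`. The MOV matcher also no longer requires operand 0 to be `vip`, which widens what this profile matches - presumably intended, but a one-line comment saying so would help the next reader. The second lambda's body continues past the end of the hunk.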
@@ -124,8 +124,15 @@ void deobfuscate(zydis_rtn_t& routine) {
 std::uint32_t last_size = 0u;
 static const std::vector blacklist = {
- ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT, ZYDIS_MNEMONIC_TEST,
- ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC};
+ ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT, ZYDIS_MNEMONIC_TEST,
+ ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC,
+ ZYDIS_MNEMONIC_CMOVB, ZYDIS_MNEMONIC_CMOVBE, ZYDIS_MNEMONIC_CMOVL,
+ ZYDIS_MNEMONIC_CMOVLE, ZYDIS_MNEMONIC_CMOVNB, ZYDIS_MNEMONIC_CMOVNBE,
+ ZYDIS_MNEMONIC_CMOVNL, ZYDIS_MNEMONIC_CMOVNLE, ZYDIS_MNEMONIC_CMOVNO,
+ ZYDIS_MNEMONIC_CMOVNP, ZYDIS_MNEMONIC_CMOVNS, ZYDIS_MNEMONIC_CMOVNZ,
+ ZYDIS_MNEMONIC_CMOVO, ZYDIS_MNEMONIC_CMOVP, ZYDIS_MNEMONIC_CMOVS,
+ ZYDIS_MNEMONIC_CMOVZ,
+ };
 static const std::vector whitelist = {
 ZYDIS_MNEMONIC_PUSH, ZYDIS_MNEMONIC_POP, ZYDIS_MNEMONIC_CALL,
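Review bot: This `blacklist` is now a byte-for-byte copy of the one this commit adds to `deobfuscate` in src/vminstrs.cpp, and the two evidently have to agree - the next mnemonic added to one and forgotten in the other becomes a silent divergence between the routine-level and handler-level passes. Hoist the table into a single `inline const std::vector<ZydisMnemonic>` in a shared header (the CTAD on `std::vector` here already requires C++17) and reference it from both call sites; if the lists are meant to differ, a comment saying why is the minimum. As in the other copy, CMOVcc writes its destination register unlike the flag-only mnemonics it joins, so whatever consumes this list must confirm the destination is overwritten before it is read, or the pass removes live code. The rest of `deobfuscate` lies outside the hunk.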