@ -23,18 +23,31 @@ profiler_t jmp = {
|
|
|
|
|
instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
|
|
|
|
|
instr.operands[1].imm.value.u == 8;
|
|
|
|
|
},
|
|
|
|
|
// MOV VIP, REG
|
|
|
|
|
// MOV REG, IMM_64
|
|
|
|
|
[&](const zydis_reg_t vip,
|
|
|
|
|
const zydis_reg_t vsp,
|
|
|
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
|
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
|
|
|
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
|
|
|
instr.operands[0].reg.value == vip &&
|
|
|
|
|
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
|
|
|
|
|
instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
|
|
|
|
|
instr.operands[1].size == 64;
|
|
|
|
|
},
|
|
|
|
|
// LEA REG, [0x0] ; disp is -7...
|
|
|
|
|
[&](const zydis_reg_t vip,
|
|
|
|
|
const zydis_reg_t vsp,
|
|
|
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
|
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_LEA &&
|
|
|
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
|
|
|
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
|
|
|
|
|
instr.operands[1].mem.disp.has_displacement &&
|
|
|
|
|
instr.operands[1].mem.disp.value == -7;
|
|
|
|
|
}}},
|
|
|
|
|
[&](zydis_reg_t& vip,
|
|
|
|
|
zydis_reg_t& vsp,
|
|
|
|
|
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
|
|
|
|
|
std::printf("> found a jmp...\n");
|
|
|
|
|
std::getchar();
|
|
|
|
|
|
|
|
|
|
const auto& instrs = hndlr.m_instrs;
|
|
|
|
|
const auto xchg = std::find_if(
|
|
|
|
|
instrs.begin(), instrs.end(), [&](const emu_instr_t& instr) -> bool {
|
|
|
|
|