fixed this fucking bullshit

changed deobfuscation to keep register jumps
fixed svsp.cpp
14 changed files with 29 additions and 22 deletions
--- a/include/uc_allocation_tracker.hpp
+++ b/include/uc_allocation_tracker.hpp
@ -1,3 +1,4 @@
+#pragma once
 #include <unicorn\unicorn.h>

 extern int g_allocation_tracker;
--- a/include/vminstrs.hpp
+++ b/include/vminstrs.hpp
@ -109,6 +109,8 @@ enum class vbranch_type {
 /// virtual code block
 /// </summary>
 struct vblk_t {
+  bool is_branch;
+
  /// <summary>
  /// start address VIP of this basic block...
  /// </summary>
--- a/src/uc_allocation_tracker.cpp
+++ b/src/uc_allocation_tracker.cpp
@ -11,7 +11,7 @@ uc_err uct_context_alloc(uc_engine *uc, uc_context **context)
 }
 uc_err uct_context_free(uc_context *context)
 {
-  +g_allocation_tracker--;
+  --g_allocation_tracker;
  //std::printf("Allocations: %p\n", g_allocation_tracker);
  return uc_context_free(context);
 }
--- a/src/vminstrs.cpp
+++ b/src/vminstrs.cpp
@ -69,7 +69,7 @@ void deobfuscate(hndlr_trace_t& trace) {
        break;
      }

-      if (vm::utils::is_jmp(itr->m_instr)) {
+      if (vm::utils::is_jmp(itr->m_instr) && itr->m_instr.operands[0].type != ZYDIS_OPERAND_TYPE_REGISTER) {
        uct_context_free(itr->m_cpu);
        trace.m_instrs.erase(itr);
        break;
--- a/src/vmprofiles/add.cpp
+++ b/src/vmprofiles/add.cpp
@ -46,6 +46,7 @@ profiler_t add = {
    [](zydis_reg_t& vip, zydis_reg_t& vsp,
       hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
      vinstr_t res{mnemonic_t::add};
+      res.imm.has_imm = false;

      // MOV REG, [VSP]
      const auto mov_reg_vsp = std::find_if(
@ -71,7 +72,6 @@ profiler_t add = {
          });

      res.stack_size = mov_vsp_offset->m_instr.operands[1].size;
-      res.imm.size = mov_reg_vsp->m_instr.operands[1].size;
      return res;
    }};
 }
--- a/src/vmprofiles/and.cpp
+++ b/src/vmprofiles/and.cpp
@ -1,19 +1,21 @@
 #include <vminstrs.hpp>

+// Loads an address and value from the stack, ands the derefed address with the value
 namespace vm::instrs {
 profiler_t _and = {
    "AND",
    mnemonic_t::_and,
-    {{// MOV REG, [VSP]
+    {{// MOV REG, [VSP] This is the address
      LOAD_VALUE,
-      // MOV REG, [VSP+OFFSET]
+      // MOV REG, [VSP+8]
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
         const zydis_decoded_instr_t& instr) -> bool {
        return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
               instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
               instr.operands[1].mem.base == vsp &&
-               instr.operands[1].mem.disp.has_displacement;
+               instr.operands[1].mem.disp.has_displacement,
+               instr.operands[1].mem.disp.value == 8;
      },
      // AND [REG], REG
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
--- a/src/vmprofiles/jmp.cpp
+++ b/src/vmprofiles/jmp.cpp
@ -142,6 +142,7 @@ profiler_t jmp = {
      vinstr_t res;
      res.mnemonic = mnemonic_t::jmp;
      res.imm.has_imm = false;
+      res.stack_size = 64;
      return res;
    }};
 }
--- a/src/vmprofiles/lvsp.cpp
+++ b/src/vmprofiles/lvsp.cpp
@ -15,7 +15,7 @@ profiler_t lvsp = {
      }}},
    [](zydis_reg_t& vip, zydis_reg_t& vsp,
       hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
-      vinstr_t res{mnemonic_t::svsp};
+      vinstr_t res{mnemonic_t::lvsp};
      res.imm.has_imm = false;

      const auto load_vsp = std::find_if(
--- a/src/vmprofiles/nand.cpp
+++ b/src/vmprofiles/nand.cpp
@ -21,10 +21,10 @@ profiler_t nand = {
        return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER;
      },
-      // AND REG, REG
+      // OR REG, REG
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
         const zydis_decoded_instr_t& instr) -> bool {
-        return instr.mnemonic == ZYDIS_MNEMONIC_AND &&
+        return instr.mnemonic == ZYDIS_MNEMONIC_OR &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
               instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
      },
--- a/src/vmprofiles/nor.cpp
+++ b/src/vmprofiles/nor.cpp
@ -21,10 +21,10 @@ profiler_t nor = {
        return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER;
      },
-      // OR REG, REG
+      // AND REG, REG
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
         const zydis_decoded_instr_t& instr) -> bool {
-        return instr.mnemonic == ZYDIS_MNEMONIC_OR &&
+        return instr.mnemonic == ZYDIS_MNEMONIC_AND &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
               instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
      },
@ -51,7 +51,7 @@ profiler_t nor = {
      }}},
    [](zydis_reg_t& vip, zydis_reg_t& vsp,
       hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
-      vinstr_t res{mnemonic_t::nand};
+      vinstr_t res{mnemonic_t::nor};
      res.imm.has_imm = false;

      // MOV [VSP+OFFSET], REG
--- a/src/vmprofiles/shld.cpp
+++ b/src/vmprofiles/shld.cpp
@ -24,7 +24,7 @@ profiler_t shld = {
               instr.operands[1].mem.base == vsp &&
               instr.operands[1].mem.disp.has_displacement;
      },
-      // SHL REG, REG
+      // SHLD REG, REG
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
         const zydis_decoded_instr_t& instr) -> bool {
        return instr.mnemonic == ZYDIS_MNEMONIC_SHLD &&
--- a/src/vmprofiles/shr.cpp
+++ b/src/vmprofiles/shr.cpp
@ -2,7 +2,7 @@

 namespace vm::instrs {
 profiler_t shr = {
-    "SHRD",
+    "SHR",
    mnemonic_t::shr,
    {{// MOV REG, [VSP]
      LOAD_VALUE,
--- a/src/vmprofiles/shrd.cpp
+++ b/src/vmprofiles/shrd.cpp
@ -24,7 +24,7 @@ profiler_t shrd = {
               instr.operands[1].mem.base == vsp &&
               instr.operands[1].mem.disp.has_displacement;
      },
-      // SHR REG, REG
+      // SHRD REG, REG
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
         const zydis_decoded_instr_t& instr) -> bool {
        return instr.mnemonic == ZYDIS_MNEMONIC_SHRD &&
--- a/src/vmprofiles/svsp.cpp
+++ b/src/vmprofiles/svsp.cpp
@ -31,19 +31,20 @@ profiler_t svsp = {
      }}},
    [](zydis_reg_t& vip, zydis_reg_t& vsp,
       hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
-      vinstr_t res{mnemonic_t::lvsp};
-      const auto sub_vsp = std::find_if(
+      vinstr_t res{mnemonic_t::svsp};
+      const auto mov_vsp_reg = std::find_if(
          hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
          [&](emu_instr_t& instr) -> bool {
            const auto& i = instr.m_instr;
-            return i.mnemonic == ZYDIS_MNEMONIC_SUB &&
-                   i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
-                   i.operands[0].reg.value == vsp &&
-                   i.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
+          return i.mnemonic == ZYDIS_MNEMONIC_MOV &&
+                 i.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+                 i.operands[0].mem.base == vsp &&
+                 i.operands[0].mem.disp.has_displacement == false &&
+                 i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
          });

      res.imm.has_imm = false;
-      res.stack_size = sub_vsp->m_instr.operands[1].imm.value.u;
+      res.stack_size = mov_vsp_reg->m_instr.operands[1].size;
      return res;
    }};
 }
Author	SHA1	Message	Date
xtremegamer1	f65c84050d	fixed this fucking bullshit	1 year ago
xtremegamer1	1516e2a278	changed deobfuscation to keep register jumps	1 year ago
xtremegamer1	80b5c20795	fixed svsp.cpp	1 year ago
xtremegamer1	d63f9b1af1	basically added a bool and stuff	1 year ago
xtremegamer1	63c10f71dd	Merge branch 'main'	2 years ago
xtremegamer1	e3abc955e1	ok so basicallt i	2 years ago
xtremegamer1	39a906f837	added pragma once	2 years ago
xtremegamer1	fcdc3866c6	Corrected typos	2 years ago
xtremegamer1	f78333e3fe	Fixed typo and fixed nor vs nand fuckup	2 years ago
xtremegamer1	1491e62d72	minor fixes	2 years ago