10 Commits

xtremegamer1 f65c84050d fixed this fucking bullshit
2 years ago
xtremegamer1 1516e2a278 changed deobfuscation to keep register jumps
2 years ago
xtremegamer1 80b5c20795 fixed svsp.cpp
2 years ago
xtremegamer1 d63f9b1af1 basically added a bool and stuff
2 years ago
xtremegamer1 63c10f71dd Merge branch 'main'
2 years ago
xtremegamer1 e3abc955e1 ok so basicallt i
2 years ago
xtremegamer1 39a906f837 added pragma once
2 years ago
xtremegamer1 fcdc3866c6 Corrected typos
2 years ago
xtremegamer1 f78333e3fe Fixed typo and fixed nor vs nand fuckup
2 years ago
xtremegamer1 1491e62d72 minor fixes
2 years ago

@ -1,3 +1,4 @@
#pragma once
#include <unicorn\unicorn.h> #include <unicorn\unicorn.h>
extern int g_allocation_tracker; extern int g_allocation_tracker;

@ -109,6 +109,8 @@ enum class vbranch_type {
/// virtual code block /// virtual code block
/// </summary> /// </summary>
struct vblk_t { struct vblk_t {
bool is_branch;
/// <summary> /// <summary>
/// start address VIP of this basic block... /// start address VIP of this basic block...
/// </summary> /// </summary>
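Review bot: The new `bool is_branch;` member has no default initializer, so any `vblk_t` that is default-constructed or only partially aggregate-initialized carries an indeterminate flag that later code may read; the struct continues outside the hunk, so I cannot see whether every construction site sets it. The neighbouring fields all carry `/// <summary>` XML-doc comments and this one has none. I would write it as `bool is_branch{false};` and precede it with `/// <summary>`, `/// true when this basic block ends in a virtual branch (see vbranch_type)`, `/// </summary>`; the exact meaning of the flag is not visible in the hunk, so confirm the wording against the code that sets it.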

@ -11,7 +11,7 @@ uc_err uct_context_alloc(uc_engine *uc, uc_context **context)
} }
uc_err uct_context_free(uc_context *context) uc_err uct_context_free(uc_context *context)
{ {
+g_allocation_tracker--; --g_allocation_tracker;
//std::printf("Allocations: %p\n", g_allocation_tracker); //std::printf("Allocations: %p\n", g_allocation_tracker);
return uc_context_free(context); return uc_context_free(context);
} }
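Review bot: `--g_allocation_tracker;` runs before `uc_context_free(context)` is called, so the counter is decremented even when Unicorn reports a failure and the context is in fact still allocated; over time the tracker drifts from the true allocation count, which defeats its purpose as a leak detector. I would change the body to `const uc_err err = uc_context_free(context);`, `if (err == UC_ERR_OK) --g_allocation_tracker;`, `return err;`. Separately, the commented-out `std::printf("Allocations: %p\n", g_allocation_tracker)` pairs `%p` with an `int`, which is undefined behaviour the moment someone uncomments it; `%d` is the matching specifier. `g_allocation_tracker` is a plain `int` global, so if contexts are ever freed from more than one thread the counter is racy as well — I cannot tell from this hunk whether that applies.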

@ -69,7 +69,7 @@ void deobfuscate(hndlr_trace_t& trace) {
break; break;
} }
if (vm::utils::is_jmp(itr->m_instr)) { if (vm::utils::is_jmp(itr->m_instr) && itr->m_instr.operands[0].type != ZYDIS_OPERAND_TYPE_REGISTER) {
uct_context_free(itr->m_cpu); uct_context_free(itr->m_cpu);
trace.m_instrs.erase(itr); trace.m_instrs.erase(itr);
break; break;
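Review bot: The widened condition reads `itr->m_instr.operands[0].type` without a comment saying why a register-operand jump is exempted from removal, and the commit message ("keep register jumps") is the only explanation a future reader will find. I would put a one-line comment above the `if`, e.g. `// Only direct jumps are stripped; a jmp through a register is kept in the trace.` Indexing `operands[0]` without consulting `operand_count` is safe only because `is_jmp` presumably matches instructions that always carry an explicit target — worth stating in the same comment if that is the contract. The `deobfuscate` function starts and ends outside this hunk.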

@ -46,6 +46,7 @@ profiler_t add = {
[](zydis_reg_t& vip, zydis_reg_t& vsp, [](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> { hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::add}; vinstr_t res{mnemonic_t::add};
res.imm.has_imm = false;
// MOV REG, [VSP] // MOV REG, [VSP]
const auto mov_reg_vsp = std::find_if( const auto mov_reg_vsp = std::find_if(
@ -71,7 +72,6 @@ profiler_t add = {
}); });
res.stack_size = mov_vsp_offset->m_instr.operands[1].size; res.stack_size = mov_vsp_offset->m_instr.operands[1].size;
res.imm.size = mov_reg_vsp->m_instr.operands[1].size;
return res; return res;
}}; }};
} }
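Review bot: `mov_vsp_offset->m_instr.operands[1].size` dereferences the result of a `std::find_if` with no comparison against `hndlr.m_instrs.end()`, so a trace that does not contain the expected instruction is undefined behaviour rather than a reported miss; the lambda already returns `std::optional<vinstr_t>`, so `if (mov_vsp_offset == hndlr.m_instrs.end()) return std::nullopt;` before that line is the natural guard. The same pattern appears in the `svsp` hunk at the `mov_vsp_reg->m_instr.operands[1].size` line (and probably in `lvsp` after `load_vsp`, whose use is outside that hunk). With `res.imm.size = mov_reg_vsp->...` removed, check whether `mov_reg_vsp` is still read anywhere in this lambda — if not, that `find_if` is now dead work and should go too. The `find_if` for `mov_vsp_offset` starts outside the hunk.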

@ -1,19 +1,21 @@
#include <vminstrs.hpp> #include <vminstrs.hpp>
// Loads an address and value from the stack, ands the derefed address with the value
namespace vm::instrs { namespace vm::instrs {
profiler_t _and = { profiler_t _and = {
"AND", "AND",
mnemonic_t::_and, mnemonic_t::_and,
{{// MOV REG, [VSP] {{// MOV REG, [VSP] This is the address
LOAD_VALUE, LOAD_VALUE,
// MOV REG, [VSP+OFFSET] // MOV REG, [VSP+8]
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool { const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV && return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[1].mem.base == vsp && instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement; instr.operands[1].mem.disp.has_displacement,
instr.operands[1].mem.disp.value == 8;
}, },
// AND [REG], REG // AND [REG], REG
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
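Review bot: The new `MOV REG, [VSP+8]` matcher ends with `instr.operands[1].mem.disp.has_displacement,` followed by `instr.operands[1].mem.disp.value == 8;` — that is the comma operator, not `&&`, so the whole mnemonic/operand-type/base-register conjunction is evaluated and discarded and the lambda returns true for any instruction whose second operand has a displacement of 8. The matcher therefore accepts unrelated instructions and the `_and` profiler will misidentify handlers. Replace the trailing comma with `&&`, i.e. `instr.operands[1].mem.disp.has_displacement &&` / `instr.operands[1].mem.disp.value == 8;`. Building with `-Wunused-value` (or clang-tidy `bugprone-*`) would have flagged the dead left operand.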

@ -142,6 +142,7 @@ profiler_t jmp = {
vinstr_t res; vinstr_t res;
res.mnemonic = mnemonic_t::jmp; res.mnemonic = mnemonic_t::jmp;
res.imm.has_imm = false; res.imm.has_imm = false;
res.stack_size = 64;
return res; return res;
}}; }};
} }
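Review bot: `res.stack_size = 64;` is a bare magic number, while every other profiler in this diff derives `stack_size` from a decoded operand (`operands[1].size` in `add` and `svsp`), so the unit and the reason for 64 are not evident here. I would at least annotate it, `res.stack_size = 64;  // width of the VIP the jmp consumes from the virtual stack — assumed to match Zydis operand .size units; confirm`, or better, derive it from the matched load as the other profilers do. Note also that this lambda starts with `vinstr_t res;` rather than the `vinstr_t res{mnemonic_t::jmp};` form used by `add`/`lvsp`/`nor`; if `vinstr_t` has no default member initializers, fields not assigned here are indeterminate. The lambda begins outside the hunk.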

@ -15,7 +15,7 @@ profiler_t lvsp = {
}}}, }}},
[](zydis_reg_t& vip, zydis_reg_t& vsp, [](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> { hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::svsp}; vinstr_t res{mnemonic_t::lvsp};
res.imm.has_imm = false; res.imm.has_imm = false;
const auto load_vsp = std::find_if( const auto load_vsp = std::find_if(
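Review bot: This hunk, the `nor` hunk (`mnemonic_t::nand` → `mnemonic_t::nor`) and the `svsp` hunk (`mnemonic_t::lvsp` → `mnemonic_t::svsp`) all fix the same class of copy-paste error: the mnemonic written into `res` disagreed with the `mnemonic_t` the enclosing `profiler_t` declares as its second member. Nothing in the diff prevents a fourth occurrence. Where the profiler callbacks are consumed (outside this diff), I would add a check such as `assert(res->mnemonic == profiler.mnemonic);` so a mismatched profiler fails immediately instead of producing a silently mislabelled `vinstr_t`; a unit test that iterates every registered profiler and compares the two would serve the same purpose. The lambda continues past the end of the hunk.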

@ -21,10 +21,10 @@ profiler_t nand = {
return instr.mnemonic == ZYDIS_MNEMONIC_NOT && return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER; instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER;
}, },
// AND REG, REG // OR REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool { const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_AND && return instr.mnemonic == ZYDIS_MNEMONIC_OR &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
}, },
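Review bot: The NOT/NOT/OR sequence now matched for `nand` (and NOT/NOT/AND in the `nor` hunk below) is correct by De Morgan, but the history of this file shows the two were swapped once already and nothing in the code explains why `nand` is matched with an OR. A short comment above the matcher would protect it from being "fixed" back: `// NAND via De Morgan: ~a | ~b == ~(a & b), so after the two NOTs the handler ORs`, and for `nor`: `// NOR via De Morgan: ~a & ~b == ~(a | b), so after the two NOTs the handler ANDs`. This assumes both operands are negated by the matchers above the hunk, which only one NOT matcher is visible for here — confirm before wording the comment.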

@ -21,10 +21,10 @@ profiler_t nor = {
return instr.mnemonic == ZYDIS_MNEMONIC_NOT && return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER; instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER;
}, },
// OR REG, REG // AND REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool { const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_OR && return instr.mnemonic == ZYDIS_MNEMONIC_AND &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
}, },
@ -51,7 +51,7 @@ profiler_t nor = {
}}}, }}},
[](zydis_reg_t& vip, zydis_reg_t& vsp, [](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> { hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::nand}; vinstr_t res{mnemonic_t::nor};
res.imm.has_imm = false; res.imm.has_imm = false;
// MOV [VSP+OFFSET], REG // MOV [VSP+OFFSET], REG

@ -24,7 +24,7 @@ profiler_t shld = {
instr.operands[1].mem.base == vsp && instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement; instr.operands[1].mem.disp.has_displacement;
}, },
// SHL REG, REG // SHLD REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool { const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SHLD && return instr.mnemonic == ZYDIS_MNEMONIC_SHLD &&

@ -2,7 +2,7 @@
namespace vm::instrs { namespace vm::instrs {
profiler_t shr = { profiler_t shr = {
"SHRD", "SHR",
mnemonic_t::shr, mnemonic_t::shr,
{{// MOV REG, [VSP] {{// MOV REG, [VSP]
LOAD_VALUE, LOAD_VALUE,

@ -24,7 +24,7 @@ profiler_t shrd = {
instr.operands[1].mem.base == vsp && instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement; instr.operands[1].mem.disp.has_displacement;
}, },
// SHR REG, REG // SHRD REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool { const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SHRD && return instr.mnemonic == ZYDIS_MNEMONIC_SHRD &&

@ -31,19 +31,20 @@ profiler_t svsp = {
}}}, }}},
[](zydis_reg_t& vip, zydis_reg_t& vsp, [](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> { hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::lvsp}; vinstr_t res{mnemonic_t::svsp};
const auto sub_vsp = std::find_if( const auto mov_vsp_reg = std::find_if(
hndlr.m_instrs.begin(), hndlr.m_instrs.end(), hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
[&](emu_instr_t& instr) -> bool { [&](emu_instr_t& instr) -> bool {
const auto& i = instr.m_instr; const auto& i = instr.m_instr;
return i.mnemonic == ZYDIS_MNEMONIC_SUB && return i.mnemonic == ZYDIS_MNEMONIC_MOV &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && i.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
i.operands[0].reg.value == vsp && i.operands[0].mem.base == vsp &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE; i.operands[0].mem.disp.has_displacement == false &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
}); });
res.imm.has_imm = false; res.imm.has_imm = false;
res.stack_size = sub_vsp->m_instr.operands[1].imm.value.u; res.stack_size = mov_vsp_reg->m_instr.operands[1].size;
return res; return res;
}}; }};
} }
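Review bot: `i.operands[0].mem.disp.has_displacement == false &&` in the new `MOV [VSP], REG` matcher is the comparison-against-a-bool form the rest of these profilers avoid (they write `has_displacement` bare); `!i.operands[0].mem.disp.has_displacement &&` reads as intended and matches the house style. The matcher does not check that `operands[1].reg.value` is the register that was loaded from the stack earlier in the handler, so any register store through `[vsp]` satisfies it; if that looseness is deliberate, a comment saying so would help. `mov_vsp_reg` is still dereferenced without an `end()` check (same issue raised on the `add` hunk).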