14 changed files with 22 additions and 29 deletions
--- a/include/uc_allocation_tracker.hpp
+++ b/include/uc_allocation_tracker.hpp
@ -1,4 +1,3 @@
-#pragma once
 #include <unicorn\unicorn.h>

 extern int g_allocation_tracker;
--- a/include/vminstrs.hpp
+++ b/include/vminstrs.hpp
@ -109,8 +109,6 @@ enum class vbranch_type {
 /// virtual code block
 /// </summary>
 struct vblk_t {
-  bool is_branch;
-
  /// <summary>
  /// start address VIP of this basic block...
  /// </summary>
--- a/src/uc_allocation_tracker.cpp
+++ b/src/uc_allocation_tracker.cpp
@ -11,7 +11,7 @@ uc_err uct_context_alloc(uc_engine *uc, uc_context **context)
 }
 uc_err uct_context_free(uc_context *context)
 {
-  --g_allocation_tracker;
+  +g_allocation_tracker--;
  //std::printf("Allocations: %p\n", g_allocation_tracker);
  return uc_context_free(context);
 }
--- a/src/vminstrs.cpp
+++ b/src/vminstrs.cpp
@ -69,7 +69,7 @@ void deobfuscate(hndlr_trace_t& trace) {
        break;
      }

-      if (vm::utils::is_jmp(itr->m_instr) && itr->m_instr.operands[0].type != ZYDIS_OPERAND_TYPE_REGISTER) {
+      if (vm::utils::is_jmp(itr->m_instr)) {
        uct_context_free(itr->m_cpu);
        trace.m_instrs.erase(itr);
        break;
--- a/src/vmprofiles/add.cpp
+++ b/src/vmprofiles/add.cpp
@ -46,7 +46,6 @@ profiler_t add = {
    [](zydis_reg_t& vip, zydis_reg_t& vsp,
       hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
      vinstr_t res{mnemonic_t::add};
-      res.imm.has_imm = false;

      // MOV REG, [VSP]
      const auto mov_reg_vsp = std::find_if(
@ -72,6 +71,7 @@ profiler_t add = {
          });

      res.stack_size = mov_vsp_offset->m_instr.operands[1].size;
+      res.imm.size = mov_reg_vsp->m_instr.operands[1].size;
      return res;
    }};
 }
--- a/src/vmprofiles/and.cpp
+++ b/src/vmprofiles/and.cpp
@ -1,21 +1,19 @@
 #include <vminstrs.hpp>

-// Loads an address and value from the stack, ands the derefed address with the value
 namespace vm::instrs {
 profiler_t _and = {
    "AND",
    mnemonic_t::_and,
-    {{// MOV REG, [VSP] This is the address
+    {{// MOV REG, [VSP]
      LOAD_VALUE,
-      // MOV REG, [VSP+8]
+      // MOV REG, [VSP+OFFSET]
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
         const zydis_decoded_instr_t& instr) -> bool {
        return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
               instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
               instr.operands[1].mem.base == vsp &&
-               instr.operands[1].mem.disp.has_displacement,
-               instr.operands[1].mem.disp.value == 8;
+               instr.operands[1].mem.disp.has_displacement;
      },
      // AND [REG], REG
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
--- a/src/vmprofiles/jmp.cpp
+++ b/src/vmprofiles/jmp.cpp
@ -142,7 +142,6 @@ profiler_t jmp = {
      vinstr_t res;
      res.mnemonic = mnemonic_t::jmp;
      res.imm.has_imm = false;
-      res.stack_size = 64;
      return res;
    }};
 }
--- a/src/vmprofiles/lvsp.cpp
+++ b/src/vmprofiles/lvsp.cpp
@ -15,7 +15,7 @@ profiler_t lvsp = {
      }}},
    [](zydis_reg_t& vip, zydis_reg_t& vsp,
       hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
-      vinstr_t res{mnemonic_t::lvsp};
+      vinstr_t res{mnemonic_t::svsp};
      res.imm.has_imm = false;

      const auto load_vsp = std::find_if(
--- a/src/vmprofiles/nand.cpp
+++ b/src/vmprofiles/nand.cpp
@ -21,10 +21,10 @@ profiler_t nand = {
        return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER;
      },
-      // OR REG, REG
+      // AND REG, REG
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
         const zydis_decoded_instr_t& instr) -> bool {
-        return instr.mnemonic == ZYDIS_MNEMONIC_OR &&
+        return instr.mnemonic == ZYDIS_MNEMONIC_AND &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
               instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
      },
--- a/src/vmprofiles/nor.cpp
+++ b/src/vmprofiles/nor.cpp
@ -21,10 +21,10 @@ profiler_t nor = {
        return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER;
      },
-      // AND REG, REG
+      // OR REG, REG
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
         const zydis_decoded_instr_t& instr) -> bool {
-        return instr.mnemonic == ZYDIS_MNEMONIC_AND &&
+        return instr.mnemonic == ZYDIS_MNEMONIC_OR &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
               instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
      },
@ -51,7 +51,7 @@ profiler_t nor = {
      }}},
    [](zydis_reg_t& vip, zydis_reg_t& vsp,
       hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
-      vinstr_t res{mnemonic_t::nor};
+      vinstr_t res{mnemonic_t::nand};
      res.imm.has_imm = false;

      // MOV [VSP+OFFSET], REG
--- a/src/vmprofiles/shld.cpp
+++ b/src/vmprofiles/shld.cpp
@ -24,7 +24,7 @@ profiler_t shld = {
               instr.operands[1].mem.base == vsp &&
               instr.operands[1].mem.disp.has_displacement;
      },
-      // SHLD REG, REG
+      // SHL REG, REG
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
         const zydis_decoded_instr_t& instr) -> bool {
        return instr.mnemonic == ZYDIS_MNEMONIC_SHLD &&
--- a/src/vmprofiles/shr.cpp
+++ b/src/vmprofiles/shr.cpp
@ -2,7 +2,7 @@

 namespace vm::instrs {
 profiler_t shr = {
-    "SHR",
+    "SHRD",
    mnemonic_t::shr,
    {{// MOV REG, [VSP]
      LOAD_VALUE,
--- a/src/vmprofiles/shrd.cpp
+++ b/src/vmprofiles/shrd.cpp
@ -24,7 +24,7 @@ profiler_t shrd = {
               instr.operands[1].mem.base == vsp &&
               instr.operands[1].mem.disp.has_displacement;
      },
-      // SHRD REG, REG
+      // SHR REG, REG
      [](const zydis_reg_t vip, const zydis_reg_t vsp,
         const zydis_decoded_instr_t& instr) -> bool {
        return instr.mnemonic == ZYDIS_MNEMONIC_SHRD &&
--- a/src/vmprofiles/svsp.cpp
+++ b/src/vmprofiles/svsp.cpp
@ -31,20 +31,19 @@ profiler_t svsp = {
      }}},
    [](zydis_reg_t& vip, zydis_reg_t& vsp,
       hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
-      vinstr_t res{mnemonic_t::svsp};
-      const auto mov_vsp_reg = std::find_if(
+      vinstr_t res{mnemonic_t::lvsp};
+      const auto sub_vsp = std::find_if(
          hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
          [&](emu_instr_t& instr) -> bool {
            const auto& i = instr.m_instr;
-          return i.mnemonic == ZYDIS_MNEMONIC_MOV &&
-                 i.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
-                 i.operands[0].mem.base == vsp &&
-                 i.operands[0].mem.disp.has_displacement == false &&
-                 i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
+            return i.mnemonic == ZYDIS_MNEMONIC_SUB &&
+                   i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                   i.operands[0].reg.value == vsp &&
+                   i.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
          });

      res.imm.has_imm = false;
-      res.stack_size = mov_vsp_reg->m_instr.operands[1].size;
+      res.stack_size = sub_vsp->m_instr.operands[1].imm.value.u;
      return res;
    }};
 }