fixed jmp profile...

2 years ago · 599a685b9e
parent b560b35284
commit 599a685b9e
3 changed files with 34 additions and 7 deletions
--- a/src/vminstrs.cpp
+++ b/src/vminstrs.cpp
@ -45,8 +45,15 @@ void deobfuscate(hndlr_trace_t& trace) {
  std::uint32_t last_size = 0u;
  static const std::vector<ZydisMnemonic> blacklist = {
-      ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT,  ZYDIS_MNEMONIC_TEST,
+      ZYDIS_MNEMONIC_CLC,    ZYDIS_MNEMONIC_BT,      ZYDIS_MNEMONIC_TEST,
-      ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC};
+      ZYDIS_MNEMONIC_CMP,    ZYDIS_MNEMONIC_CMC,     ZYDIS_MNEMONIC_STC,
      ZYDIS_MNEMONIC_CMOVB,  ZYDIS_MNEMONIC_CMOVBE,  ZYDIS_MNEMONIC_CMOVL,
      ZYDIS_MNEMONIC_CMOVLE, ZYDIS_MNEMONIC_CMOVNB,  ZYDIS_MNEMONIC_CMOVNBE,
      ZYDIS_MNEMONIC_CMOVNL, ZYDIS_MNEMONIC_CMOVNLE, ZYDIS_MNEMONIC_CMOVNO,
      ZYDIS_MNEMONIC_CMOVNP, ZYDIS_MNEMONIC_CMOVNS,  ZYDIS_MNEMONIC_CMOVNZ,
      ZYDIS_MNEMONIC_CMOVO,  ZYDIS_MNEMONIC_CMOVP,   ZYDIS_MNEMONIC_CMOVS,
      ZYDIS_MNEMONIC_CMOVZ,
  };
  static const std::vector<ZydisMnemonic> whitelist = {
      ZYDIS_MNEMONIC_PUSH, ZYDIS_MNEMONIC_POP, ZYDIS_MNEMONIC_CALL,
--- a/src/vmprofiles/jmp.cpp
+++ b/src/vmprofiles/jmp.cpp
@ -23,18 +23,31 @@ profiler_t jmp = {
               instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
               instr.operands[1].imm.value.u == 8;
      },
-      // MOV VIP, REG
+      // MOV REG, IMM_64
      [&](const zydis_reg_t vip,
          const zydis_reg_t vsp,
          const zydis_decoded_instr_t& instr) -> bool {
        return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
-               instr.operands[0].reg.value == vip &&
+               instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
-               instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
+               instr.operands[1].size == 64;
      },
      // LEA REG, [0x0] ; disp is -7...
      [&](const zydis_reg_t vip,
          const zydis_reg_t vsp,
          const zydis_decoded_instr_t& instr) -> bool {
        return instr.mnemonic == ZYDIS_MNEMONIC_LEA &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
               instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
               instr.operands[1].mem.disp.has_displacement &&
               instr.operands[1].mem.disp.value == -7;
      }}},
    [&](zydis_reg_t& vip,
        zydis_reg_t& vsp,
        hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
      std::printf("> found a jmp...\n");
      std::getchar();
      const auto& instrs = hndlr.m_instrs;
      const auto xchg = std::find_if(
          instrs.begin(), instrs.end(), [&](const emu_instr_t& instr) -> bool {
--- a/src/vmutils.cpp
+++ b/src/vmutils.cpp
@ -124,8 +124,15 @@ void deobfuscate(zydis_rtn_t& routine) {
  std::uint32_t last_size = 0u;
  static const std::vector<ZydisMnemonic> blacklist = {
-      ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT,  ZYDIS_MNEMONIC_TEST,
+      ZYDIS_MNEMONIC_CLC,    ZYDIS_MNEMONIC_BT,      ZYDIS_MNEMONIC_TEST,
-      ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC};
+      ZYDIS_MNEMONIC_CMP,    ZYDIS_MNEMONIC_CMC,     ZYDIS_MNEMONIC_STC,
      ZYDIS_MNEMONIC_CMOVB,  ZYDIS_MNEMONIC_CMOVBE,  ZYDIS_MNEMONIC_CMOVL,
      ZYDIS_MNEMONIC_CMOVLE, ZYDIS_MNEMONIC_CMOVNB,  ZYDIS_MNEMONIC_CMOVNBE,
      ZYDIS_MNEMONIC_CMOVNL, ZYDIS_MNEMONIC_CMOVNLE, ZYDIS_MNEMONIC_CMOVNO,
      ZYDIS_MNEMONIC_CMOVNP, ZYDIS_MNEMONIC_CMOVNS,  ZYDIS_MNEMONIC_CMOVNZ,
      ZYDIS_MNEMONIC_CMOVO,  ZYDIS_MNEMONIC_CMOVP,   ZYDIS_MNEMONIC_CMOVS,
      ZYDIS_MNEMONIC_CMOVZ,
  };
  static const std::vector<ZydisMnemonic> whitelist = {
      ZYDIS_MNEMONIC_PUSH, ZYDIS_MNEMONIC_POP, ZYDIS_MNEMONIC_CALL,