code blocks are working

4 years ago · b0d76cd4d8
parent 5fd0d89b4c
commit b0d76cd4d8
4 changed files with 30 additions and 77 deletions
--- a/src/main.cpp
+++ b/src/main.cpp
@ -8,7 +8,7 @@

 int __cdecl main( int argc, const char *argv[] )
 {
-    argparse::argument_parser_t parser( "VMEmu", "VMProtect 2 Static VM Handler Emulator" );
+    argparse::argument_parser_t parser( "VMEmu", "VMProtect 2 VM Handler Emulator" );

    parser.add_argument()
        .name( "--vmentry" )
@ -36,43 +36,24 @@ int __cdecl main( int argc, const char *argv[] )
    auto umtils = xtils::um_t::get_instance();
    const auto vm_entry_rva = std::strtoull( parser.get< std::string >( "vmentry" ).c_str(), nullptr, 16 );
    const auto image_base = umtils->image_base( parser.get< std::string >( "vmpbin" ).c_str() );
+    const auto image_size = umtils->image_size( parser.get< std::string >( "vmpbin" ).c_str() );
    const auto module_base = reinterpret_cast< std::uintptr_t >(
        LoadLibraryExA( parser.get< std::string >( "vmpbin" ).c_str(), NULL, DONT_RESOLVE_DLL_REFERENCES ) );

-    zydis_routine_t vm_entry, calc_jmp;
-    if ( !vm::util::flatten( vm_entry, vm_entry_rva + module_base ) )
-    {
-        std::printf( "> failed to flatten vm entry...\n" );
-        return -1;
-    }
+    std::printf( "> image base = %p, image size = %p, module base = %p\n", image_base, image_size, module_base );

-    vm::util::deobfuscate( vm_entry );
-    std::printf( "> flattened vm entry...\n" );
-    std::printf( "> deobfuscated vm entry...\n" );
-    std::printf( "==================================================================================\n" );
-    vm::util::print( vm_entry );
+    std::vector< vm::instrs::code_block_t > code_blocks;
+    vm::ctx_t vmctx( module_base, image_base, image_size, vm_entry_rva );

-    if ( !vm::calc_jmp::get( vm_entry, calc_jmp ) )
+    if ( !vmctx.init() )
    {
-        std::printf( "> failed to get calc_jmp...\n" );
+        std::printf( "[!] failed to init vmctx... this can be for many reasons..."
+                     " try validating your vm entry rva... make sure the binary is unpacked and is"
+                     "protected with VMProtect 2...\n" );
        return -1;
    }

-    vm::util::deobfuscate( calc_jmp );
-    std::printf( "> calc_jmp extracted from vm_entry... calc_jmp:\n" );
-    std::printf( "==================================================================================\n" );
-    vm::util::print( calc_jmp );
-
-    const auto advancment = vm::calc_jmp::get_advancement( calc_jmp );
-
-    if ( !advancment.has_value() )
-    {
-        std::printf( "> failed to determine advancment...\n" );
-        return -1;
-    }
-
-    std::vector< vmp2::v2::entry_t > entries;
-    vm::emu_t emu( vm_entry_rva, image_base, module_base );
+    vm::emu_t emu( &vmctx );

    if ( !emu.init() )
    {
@ -80,34 +61,8 @@ int __cdecl main( int argc, const char *argv[] )
        return -1;
    }

-    if ( !emu.get_trace( entries ) )
+    if ( !emu.get_trace( code_blocks ) )
        std::printf( "[!] something failed during tracing, review the console for more information...\n" );

-    std::printf( "> creating trace file...\n" );
-    std::printf( "> finished tracing... number of virtual instructions = %d\n", entries.size() );
-    std::ofstream output( parser.get< std::string >( "out" ), std::ios::binary );
-
-    vmp2::v2::file_header file_header;
-    memcpy( &file_header.magic, "VMP2", sizeof( "VMP2" ) - 1 );
-
-    file_header.epoch_time = time( nullptr );
-    file_header.entry_offset = sizeof file_header + NT_HEADER( module_base )->OptionalHeader.SizeOfImage;
-    file_header.entry_count = entries.size();
-    file_header.advancement = advancment.value();
-    file_header.image_base = image_base;
-    file_header.vm_entry_rva = vm_entry_rva;
-
-    file_header.version = vmp2::version_t::v2;
-    file_header.module_base = module_base;
-    file_header.module_offset = sizeof file_header;
-    file_header.module_size = umtils->image_size( parser.get< std::string >( "vmpbin" ).c_str() );
-
-    output.write( reinterpret_cast< const char * >( &file_header ), sizeof file_header );
-    output.write( reinterpret_cast< const char * >( module_base ), file_header.module_size );
-
-    for ( auto &entry : entries )
-        output.write( reinterpret_cast< const char * >( &entry ), sizeof entry );
-
-    output.close();
-    std::printf( "> finished writing trace to disk...\n" );
+    std::printf( "> number of blocks = %d\n", code_blocks.size() );
 }
--- a/src/vmemu_t.cpp
+++ b/src/vmemu_t.cpp
@ -2,9 +2,7 @@

 namespace vm
 {
-    emu_t::emu_t( std::uint32_t vm_entry_rva, std::uintptr_t image_base, std::uintptr_t module_base )
-        : module_base( module_base ), image_base( image_base ), vm_entry_rva( vm_entry_rva ), uc( nullptr ),
-          code_blocks( nullptr ), vmctx( new vm::ctx_t( module_base, image_base, vm_entry_rva ) )
+    emu_t::emu_t( vm::ctx_t *vmctx ) : uc( nullptr ), code_blocks( nullptr ), vmctx( vmctx )
    {
    }

@ -13,8 +11,7 @@ namespace vm
        uc_err err;
        std::uintptr_t stack_base = 0x1000000;
        std::uintptr_t stack_addr = ( stack_base + ( 0x1000 * 20 ) ) - 0x6000;
-        const auto rip = module_base + vm_entry_rva;
-        const auto image_size = NT_HEADER( module_base )->OptionalHeader.SizeOfImage;
+        const auto rip = vmctx->module_base + vmctx->vm_entry_rva;

        if ( ( err = uc_open( UC_ARCH_X86, UC_MODE_64, &uc ) ) )
        {
@ -23,7 +20,7 @@ namespace vm
            return false;
        }

-        if ( ( err = uc_mem_map( uc, module_base, image_size, UC_PROT_ALL ) ) )
+        if ( ( err = uc_mem_map( uc, vmctx->module_base, vmctx->image_size, UC_PROT_ALL ) ) )
        {
            std::printf( "failed on uc_mem_map() with error returned %u: %s\n", err, uc_strerror( err ) );

@ -37,7 +34,8 @@ namespace vm
            return false;
        }

-        if ( ( err = uc_mem_write( uc, module_base, reinterpret_cast< void * >( module_base ), image_size ) ) )
+        if ( ( err = uc_mem_write( uc, vmctx->module_base, reinterpret_cast< void * >( vmctx->module_base ),
+                                   vmctx->image_size ) ) )
        {
            std::printf( "failed on uc_mem_write() with error returned %u: %s\n", err, uc_strerror( err ) );

@ -58,8 +56,8 @@ namespace vm
            return false;
        }

-        if ( ( err = uc_hook_add( uc, &trace, UC_HOOK_CODE, &vm::emu_t::hook_code, this, module_base,
-                                  module_base + image_size ) ) )
+        if ( ( err = uc_hook_add( uc, &trace, UC_HOOK_CODE, &vm::emu_t::hook_code, this, vmctx->module_base,
+                                  vmctx->module_base + vmctx->image_size ) ) )
        {
            std::printf( "failed on uc_hook_add() with error returned %u: %s\n", err, uc_strerror( err ) );

@ -80,8 +78,6 @@ namespace vm
    {
        if ( uc )
            uc_close( uc );
-
-        delete vmctx;
    }

    bool emu_t::get_trace( std::vector< vm::instrs::code_block_t > &entries )
@ -90,7 +86,7 @@ namespace vm
        code_blocks = &entries;
        uc_err err;

-        if ( ( err = uc_emu_start( uc, vm_entry_rva + module_base, NULL, NULL, NULL ) ) )
+        if ( ( err = uc_emu_start( uc, vmctx->vm_entry_rva + vmctx->module_base, NULL, NULL, NULL ) ) )
        {
            std::printf( "failed on uc_emu_start() with error returned %u: %s\n", err, uc_strerror( err ) );

@ -204,12 +200,15 @@ namespace vm

            obj->code_blocks->back().vinstrs.push_back( virt_instr.value() );

-            // if there is a virtual JMP instruction then we need to create a new code_block_t...
+            // if there is a virtual JMP instruction then we need to grab jcc data for the current code_block_t
+            // and then create a new code_block_t...
            if ( ( vm_handler_profile = obj->vmctx->vm_handlers[ new_entry.handler_idx ].profile ) &&
                 vm_handler_profile->mnemonic == vm::handler::mnemonic_t::JMP )
            {
-                const auto code_block_address =
-                    vm::instrs::code_block_addr( *obj->vmctx, new_entry, obj->image_base, obj->module_base );
+                const auto code_block_address = vm::instrs::code_block_addr( *obj->vmctx, new_entry );
+                auto jcc = vm::instrs::get_jcc_data( *obj->vmctx, obj->code_blocks->back() );
+                if ( jcc.has_value() )
+                    obj->code_blocks->back().jcc = jcc.value();

                // set the next code block up...
                obj->code_blocks->push_back( vm::instrs::code_block_t{ code_block_address } );
@ -218,6 +217,8 @@ namespace vm
        else if ( instr.mnemonic == ZYDIS_MNEMONIC_RET ) // finish tracing...
        {
            uc_emu_stop( uc );
+            // vmexit's cannot have a branch...
+            obj->code_blocks->back().jcc.has_jcc = false;
        }
    }

--- a/src/vmemu_t.hpp
+++ b/src/vmemu_t.hpp
@ -16,7 +16,7 @@ namespace vm
        using callback_t = std::function< void( uc_engine *, uint64_t, uint32_t, void * ) >;

      public:
-        explicit emu_t( std::uint32_t vm_entry_rva, std::uintptr_t image_base, std::uintptr_t module_base );
+        explicit emu_t( vm::ctx_t* vmctx );
        ~emu_t();

        bool init();
@ -31,9 +31,6 @@ namespace vm
        uc_engine *uc;
        uc_hook trace, trace1;

-        std::uintptr_t image_base, module_base;
-        std::uint32_t vm_entry_rva;
-
        vm::ctx_t *vmctx;
        std::vector< vm::instrs::code_block_t > *code_blocks;
    };
--- a/src/vmptest.vmp.exe
+++ b/src/vmptest.vmp.exe