From 34af0a1044adb7d6841c82e0a22acefee82b02b9 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 14:34:32 -0700 Subject: [PATCH] added code to determine advancment of VIP --- src/main.cpp | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/src/main.cpp b/src/main.cpp index f4d740b..a9d2d89 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -48,7 +48,7 @@ int __cdecl main( int argc, const char *argv[] ) const auto image_base = xtils::um_t::get_instance()->image_base( parser.get< std::string >( "bin" ).c_str() ); - zydis_routine_t vm_entry; + zydis_routine_t vm_entry, calc_jmp; std::printf( "> vm entry start = 0x%p\n", vm_entry_ptr ); if ( !vm::util::flatten( vm_entry, vm_entry_ptr ) ) @@ -63,6 +63,18 @@ int __cdecl main( int argc, const char *argv[] ) std::printf( "==================================================================================\n" ); vm::util::print( vm_entry ); + if ( !vm::calc_jmp::get( vm_entry, calc_jmp ) ) + { + std::printf( "> failed to extract calc_jmp from vm_entry...\n" ); + return -1; + } + + vm::util::deobfuscate( calc_jmp ); + std::printf( "> calc_jmp extracted from vm_entry... calc_jmp:\n" ); + std::printf( "==================================================================================\n" ); + vm::util::print( calc_jmp ); + std::printf( "==================================================================================\n" ); + const auto vm_handler_table = vm::handler::table::get( vm_entry ); if ( !vm_handler_table ) 
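Review bot: The `calc_jmp` routine extracted in this hunk is not consumed until after the handler-table lookup in the following hunk, so one logical step (extract, deobfuscate, derive the VIP direction) is split around unrelated code; moving the `get_advancement` call and its printout directly under `vm::util::print( calc_jmp );` would keep the two together and make the early `return -1` read as the guard for that step. A short comment above the new block would also help a reader unfamiliar with the terminology, e.g. `// calc_jmp: routine extracted from vm_entry; get_advancement() derives the VIP direction from it`. Whether later stages of the tool depend on this routine is not visible here, so the comment should stay descriptive rather than promise a contract. The enclosing `main` starts before and continues past this hunk.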
@@ -71,7 +83,13 @@ int __cdecl main( int argc, const char *argv[] ) return -1; } - std::printf( "==================================================================================\n" ); + auto advancement = vm::calc_jmp::get_advancement( calc_jmp ); + if ( advancement.has_value() ) + std::printf( "> virtual instruction pointer advancement: %s\n", + advancement == vmp2::exec_type_t::forward ? "forward" : "backward" ); + else + std::printf( "> virtual instruction pointer advancement was unable to be parsed!\n" ); + std::printf( "> located vm handler table... at = 0x%p, rva = 0x%p\n", vm_handler_table, ( reinterpret_cast< std::uintptr_t >( vm_handler_table ) - module_base ) + image_base ); @@ -103,6 +121,7 @@ int __cdecl main( int argc, const char *argv[] ) std::printf( "\t" ); vm::util::print( transform ); } + std::printf( "==================================================================================\n" ); std::vector< vm::handler::handler_t > vm_handlers; if ( !vm::handler::get_all( module_base, image_base, vm_entry, vm_handler_table, vm_handlers ) )
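Review bot: The ternary in the new printout reports every non-`forward` value as `"backward"`, so if `vmp2::exec_type_t` has or later gains another enumerator the output will be silently wrong; compare explicitly, e.g. `*advancement == vmp2::exec_type_t::forward ? "forward" : *advancement == vmp2::exec_type_t::backward ? "backward" : "unknown"`, or switch on `*advancement`. The failure branch is only a warning, while a failed `calc_jmp` extraction a few lines earlier is fatal; since the binary under analysis is untrusted input, decide deliberately whether an unparseable advancement should abort like the extraction does or be tolerated, and record that choice in a comment above the `if`. The enclosing `main` starts before and continues past this hunk.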