@ -48,7 +48,7 @@ int __cdecl main( int argc, const char *argv[] )
const auto image_base = xtils::um_t::get_instance()->image_base( parser.get< std::string >( "bin" ).c_str() );
const auto image_base = xtils::um_t::get_instance()->image_base( parser.get< std::string >( "bin" ).c_str() );
zydis_routine_t vm_entry;
zydis_routine_t vm_entry, calc_jmp;
std::printf( "> vm entry start = 0x%p\n", vm_entry_ptr );
std::printf( "> vm entry start = 0x%p\n", vm_entry_ptr );
if ( !vm::util::flatten( vm_entry, vm_entry_ptr ) )
if ( !vm::util::flatten( vm_entry, vm_entry_ptr ) )
@ -63,6 +63,18 @@ int __cdecl main( int argc, const char *argv[] )
std::printf( "==================================================================================\n" );
std::printf( "==================================================================================\n" );
vm::util::print( vm_entry );
vm::util::print( vm_entry );
if ( !vm::calc_jmp::get( vm_entry, calc_jmp ) )
{
std::printf( "> failed to extract calc_jmp from vm_entry...\n" );
return -1;
}
vm::util::deobfuscate( calc_jmp );
std::printf( "> calc_jmp extracted from vm_entry... calc_jmp:\n" );
std::printf( "==================================================================================\n" );
vm::util::print( calc_jmp );
std::printf( "==================================================================================\n" );
const auto vm_handler_table = vm::handler::table::get( vm_entry );
const auto vm_handler_table = vm::handler::table::get( vm_entry );
if ( !vm_handler_table )
if ( !vm_handler_table )
@ -71,7 +83,13 @@ int __cdecl main( int argc, const char *argv[] )
return -1;
return -1;
}
}
std::printf( "==================================================================================\n" );
auto advancement = vm::calc_jmp::get_advancement( calc_jmp );
if ( advancement.has_value() )
std::printf( "> virtual instruction pointer advancement: %s\n",
advancement == vmp2::exec_type_t::forward ? "forward" : "backward" );
else
std::printf( "> virtual instruction pointer advancement was unable to be parsed!\n" );
std::printf( "> located vm handler table... at = 0x%p, rva = 0x%p\n", vm_handler_table,
std::printf( "> located vm handler table... at = 0x%p, rva = 0x%p\n", vm_handler_table,
( reinterpret_cast< std::uintptr_t >( vm_handler_table ) - module_base ) + image_base );
( reinterpret_cast< std::uintptr_t >( vm_handler_table ) - module_base ) + image_base );
@ -103,6 +121,7 @@ int __cdecl main( int argc, const char *argv[] )
std::printf( "\t" );
std::printf( "\t" );
vm::util::print( transform );
vm::util::print( transform );
}
}
std::printf( "==================================================================================\n" );
std::vector< vm::handler::handler_t > vm_handlers;
std::vector< vm::handler::handler_t > vm_handlers;
if ( !vm::handler::get_all( module_base, image_base, vm_entry, vm_handler_table, vm_handlers ) )
if ( !vm::handler::get_all( module_base, image_base, vm_entry, vm_handler_table, vm_handlers ) )