# pragma once
# include <Zydis/Utils.h>
# include <Zydis/Zydis.h>
# include <optional>
# include <vector>
# include <xmmintrin.h>
# define NOMINMAX
# include <Windows.h>
using u8 = unsigned char ;
using u16 = unsigned short ;
using u32 = unsigned int ;
using u64 = unsigned long long ;
using u128 = __m128 ;
using zydis_decoded_instr_t = ZydisDecodedInstruction ;
using zydis_register_t = ZydisRegister ;
using zydis_mnemonic_t = ZydisMnemonic ;
struct zydis_instr_t
{
zydis_decoded_instr_t instr ;
std : : vector < u8 > raw ;
std : : uintptr_t addr ;
} ;
using zydis_routine_t = std : : vector < zydis_instr_t > ;
/// <summary>
/// utils used by the other cpp files... misc things that get used a lot...
/// </summary>
namespace vm : : util
{
/// <summary>
/// utils pertaining to native registers...
/// </summary>
namespace reg
{
/// <summary>
/// converts say... AL to RAX...
/// </summary>
/// <param name="reg">a zydis decoded register value...</param>
/// <returns>returns the largest width register of the given register... AL gives RAX...</returns>
zydis_register_t to64 ( zydis_register_t reg ) ;
/// <summary>
/// compares to registers with each other... calls to64 and compares...
/// </summary>
/// <param name="a">register a...</param>
/// <param name="b">register b...</param>
/// <returns>returns true if register to64(a) == to64(b)...</returns>
bool compare ( zydis_register_t a , zydis_register_t b ) ;
} // namespace reg
/// <summary>
/// get the instruction that fetches an operand out of VIP...
/// </summary>
/// <param name="routine">this is a deobfuscated, flattened, view of any set of native instructions that read an operand out of VIP... can be calc_jmp, vm_entry, or vm handlers...</param>
/// <param name="fetch_instr"></param>
/// <returns>returns true of the fetch operand native instruction is found...</returns>
bool get_fetch_operand ( const zydis_routine_t & routine , zydis_instr_t & fetch_instr ) ;
/// <summary>
/// gets the instruction that fetches an operand out of VIP and returns an iterator to it...
/// </summary>
/// <param name="routine">this is a deobfuscated, flattened, view of any set of native instructions that read an operand out of VIP... can be calc_jmp, vm_entry, or vm handlers...</param>
/// <returns>returns the iterator of the native instruction, else an empty std::optional...</returns>
std : : optional < zydis_routine_t : : iterator > get_fetch_operand ( zydis_routine_t & routine ) ;
/// <summary>
/// prints a disassembly view of a routine...
/// </summary>
/// <param name="routine">reference to a zydis_routine_t to be printed...</param>
void print ( zydis_routine_t & routine ) ;
/// <summary>
/// prints a single disassembly view of an instruction...
/// </summary>
/// <param name="instr">instruction to print...</param>
void print ( const zydis_decoded_instr_t & instr ) ;
/// <summary>
/// determines if a given decoded native instruction is a JCC...
/// </summary>
/// <param name="instr"></param>
/// <returns></returns>
bool is_jmp ( const zydis_decoded_instr_t & instr ) ;
/// <summary>
/// flatten native instruction stream, takes every JCC (follows the branch)...
/// </summary>
/// <param name="routine">filled with decoded instructions...</param>
/// <param name="routine_addr">linear virtual address to start flattening from...</param>
/// <param name="keep_jmps">keep JCC's in the flattened instruction stream...</param>
/// <returns>returns true if flattened was successful...</returns>
bool flatten ( zydis_routine_t & routine , std : : uintptr_t routine_addr , bool keep_jmps = false ) ;
/// <summary>
/// deadstore deobfuscation of a flattened routine...
/// </summary>
/// <param name="routine">reference to a flattened instruction vector...</param>
void deobfuscate ( zydis_routine_t & routine ) ;
} // namespace vm::util
