<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
|
||
|
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
|
||
|
<meta name="generator" content="Doxygen 1.9.1"/>
|
||
|
<meta name="viewport" content="width=device-width, initial-scale=1"/>
|
||
|
<title>VMProfiler: vm::instrs Namespace Reference</title>
|
||
|
<link href="tabs.css" rel="stylesheet" type="text/css"/>
|
||
|
<script type="text/javascript" src="jquery.js"></script>
|
||
|
<script type="text/javascript" src="dynsections.js"></script>
|
||
|
<link href="search/search.css" rel="stylesheet" type="text/css"/>
|
||
|
<script type="text/javascript" src="search/searchdata.js"></script>
|
||
|
<script type="text/javascript" src="search/search.js"></script>
|
||
|
<link href="doxygen.css" rel="stylesheet" type="text/css" />
|
||
|
</head>
|
||
|
<body>
|
||
|
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
|
||
|
<div id="titlearea">
|
||
|
<table cellspacing="0" cellpadding="0">
|
||
|
<tbody>
|
||
|
<tr style="height: 56px;">
|
||
|
<td id="projectlogo"><img alt="Logo" src="icon.png"/></td>
|
||
|
<td id="projectalign" style="padding-left: 0.5em;">
|
||
|
<div id="projectname">VMProfiler
|
||
|
 <span id="projectnumber">v1.8</span>
|
||
|
</div>
|
||
|
<div id="projectbrief">vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu.</div>
|
||
|
</td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
<!-- end header part -->
|
||
|
<!-- Generated by Doxygen 1.9.1 -->
|
||
|
<script type="text/javascript">
|
||
|
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */
|
||
|
// Doxygen's search widget instance; the SearchBox constructor is expected to come
// from the search/*.js scripts included in <head>.
var searchBox = new SearchBox("searchBox", "search", false, 'Search', '.html');
|
||
|
/* @license-end */
|
||
|
</script>
|
||
|
<script type="text/javascript" src="menudata.js"></script>
|
||
|
<script type="text/javascript" src="menu.js"></script>
|
||
|
<script type="text/javascript">
|
||
|
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */
|
||
|
$(function () {
  // Doxygen page bootstrap: build the top menu bar, then wire up the search box.
  // This is an inline script block, so a site that sets a CSP needs a nonce or hash for it.
  initMenu('', true, false, 'search.php', 'Search');
  $(document).ready(function () {
    init_search();
  });
});
|
||
|
/* @license-end */</script>
|
||
|
<div id="main-nav"></div>
|
||
|
<!-- window showing the filter options -->
|
||
|
<div id="MSearchSelectWindow"
|
||
|
onmouseover="return searchBox.OnSearchSelectShow()"
|
||
|
onmouseout="return searchBox.OnSearchSelectHide()"
|
||
|
onkeydown="return searchBox.OnSearchSelectKey(event)">
|
||
|
</div>
|
||
|
|
||
|
<!-- iframe showing the search results (closed by default) -->
|
||
|
<div id="MSearchResultsWindow">
|
||
|
<iframe src="javascript:void(0)" frameborder="0"
|
||
|
name="MSearchResults" id="MSearchResults">
|
||
|
</iframe>
|
||
|
</div>
|
||
|
|
||
|
<div id="nav-path" class="navpath">
|
||
|
<ul>
|
||
|
<li class="navelem"><a class="el" href="namespacevm.html">vm</a></li><li class="navelem"><a class="el" href="namespacevm_1_1instrs.html">instrs</a></li> </ul>
|
||
|
</div>
|
||
|
</div><!-- top -->
|
||
|
<div class="header">
|
||
|
<div class="summary">
|
||
|
<a href="#nested-classes">Classes</a> |
|
||
|
<a href="#enum-members">Enumerations</a> |
|
||
|
<a href="#func-members">Functions</a> </div>
|
||
|
<div class="headertitle">
|
||
|
<div class="title">vm::instrs Namespace Reference</div> </div>
|
||
|
</div><!--header-->
|
||
|
<div class="contents">
|
||
|
|
||
|
<p>contains all functions related to virtual instructions...
|
||
|
<a href="namespacevm_1_1instrs.html#details">More...</a></p>
|
||
|
<table class="memberdecls">
|
||
|
<tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="nested-classes"></a>
|
||
|
Classes</h2></td></tr>
|
||
|
<tr class="memitem:"><td class="memItemLeft" align="right" valign="top">struct  </td><td class="memItemRight" valign="bottom"><a class="el" href="structvm_1_1instrs_1_1virt__instr__t.html">virt_instr_t</a></td></tr>
|
||
|
<tr class="separator:"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
<tr class="memitem:"><td class="memItemLeft" align="right" valign="top">struct  </td><td class="memItemRight" valign="bottom"><a class="el" href="structvm_1_1instrs_1_1jcc__data.html">jcc_data</a></td></tr>
|
||
|
<tr class="separator:"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
<tr class="memitem:"><td class="memItemLeft" align="right" valign="top">struct  </td><td class="memItemRight" valign="bottom"><a class="el" href="structvm_1_1instrs_1_1code__block__t.html">code_block_t</a></td></tr>
|
||
|
<tr class="separator:"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
</table><table class="memberdecls">
|
||
|
<tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="enum-members"></a>
|
||
|
Enumerations</h2></td></tr>
|
||
|
<tr class="memitem:a6266fd623fdf44291ecc8897b060fd57"><td class="memItemLeft" align="right" valign="top">enum class  </td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a6266fd623fdf44291ecc8897b060fd57">jcc_type</a> { <a class="el" href="namespacevm_1_1instrs.html#a6266fd623fdf44291ecc8897b060fd57a334c4a4c42fdb79d7ebc3e73b517e6f8">none</a>
|
||
|
, <a class="el" href="namespacevm_1_1instrs.html#a6266fd623fdf44291ecc8897b060fd57a2c28b4e01b26788eab59ce1479b88494">branching</a>
|
||
|
, <a class="el" href="namespacevm_1_1instrs.html#a6266fd623fdf44291ecc8897b060fd57adc4d53aa0d117d8b189b36d161af4e96">absolute</a>
|
||
|
}</td></tr>
|
||
|
<tr class="separator:a6266fd623fdf44291ecc8897b060fd57"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
</table><table class="memberdecls">
|
||
|
<tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="func-members"></a>
|
||
|
Functions</h2></td></tr>
|
||
|
<tr class="memitem:abfbe5c819730d2693296df3c71393de3"><td class="memItemLeft" align="right" valign="top">bool </td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#abfbe5c819730d2693296df3c71393de3">get_rva_decrypt</a> (const <a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &vm_entry, std::vector< <a class="el" href="vmutils_8hpp.html#ad180fbf8cef52662febedec0f54b6188">zydis_decoded_instr_t</a> > &transform_instrs)</td></tr>
|
||
|
<tr class="memdesc:abfbe5c819730d2693296df3c71393de3"><td class="mdescLeft"> </td><td class="mdescRight">gets the native instructions that are used to decrypt the relative virtual address to virtual instructions located on the stack at RSP+0xA0... you can learn about this at <a class="el" href="https://back.engineering/17/05/2021/#vm_entry">https://back.engineering/17/05/2021/#vm_entry</a> <a href="namespacevm_1_1instrs.html#abfbe5c819730d2693296df3c71393de3">More...</a><br /></td></tr>
|
||
|
<tr class="separator:abfbe5c819730d2693296df3c71393de3"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
<tr class="memitem:a995be4b7dd3764aec88207611a2b879d"><td class="memItemLeft" align="right" valign="top">std::pair< std::uint64_t, std::uint64_t > </td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a995be4b7dd3764aec88207611a2b879d">decrypt_operand</a> (<a class="el" href="namespacevm_1_1transform.html#af3bd71c380a50beece9341287b7cc025">transform::map_t</a> &transforms, std::uint64_t operand, std::uint64_t rolling_key)</td></tr>
|
||
|
<tr class="memdesc:a995be4b7dd3764aec88207611a2b879d"><td class="mdescLeft"> </td><td class="mdescRight">decrypt a virtual instruction operand given the decryption transformations... you can read about these transformations at <a class="el" href="https://back.engineering/17/05/2021/#operand-decryption">https://back.engineering/17/05/2021/#operand-decryption</a> <a href="namespacevm_1_1instrs.html#a995be4b7dd3764aec88207611a2b879d">More...</a><br /></td></tr>
|
||
|
<tr class="separator:a995be4b7dd3764aec88207611a2b879d"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
<tr class="memitem:a388b00855c582da503850d72de7e8f57"><td class="memItemLeft" align="right" valign="top">std::pair< std::uint64_t, std::uint64_t > </td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a388b00855c582da503850d72de7e8f57">encrypt_operand</a> (<a class="el" href="namespacevm_1_1transform.html#af3bd71c380a50beece9341287b7cc025">transform::map_t</a> &transforms, std::uint64_t operand, std::uint64_t rolling_key)</td></tr>
|
||
|
<tr class="memdesc:a388b00855c582da503850d72de7e8f57"><td class="mdescLeft"> </td><td class="mdescRight">encrypt a virtual instruction's operand given the transformations used to decrypt the operand... the transformations are inverted by this function, so you don't need to do that yourself. <a href="namespacevm_1_1instrs.html#a388b00855c582da503850d72de7e8f57">More...</a><br /></td></tr>
|
||
|
<tr class="separator:a388b00855c582da503850d72de7e8f57"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
<tr class="memitem:aa7a629de41909a287c549397a4043c2f"><td class="memItemLeft" align="right" valign="top">std::optional< <a class="el" href="structvm_1_1instrs_1_1virt__instr__t.html">virt_instr_t</a> > </td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#aa7a629de41909a287c549397a4043c2f">get</a> (<a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> &ctx, <a class="el" href="structvmp2_1_1v2_1_1entry__t.html">vmp2::v2::entry_t</a> &entry)</td></tr>
|
||
|
<tr class="memdesc:aa7a629de41909a287c549397a4043c2f"><td class="mdescLeft"> </td><td class="mdescRight">get <a class="el" href="structvm_1_1instrs_1_1virt__instr__t.html">virt_instr_t</a> filled in with data given a <a class="el" href="namespacevmp2.html">vmp2</a> trace entry and vm context... <a href="namespacevm_1_1instrs.html#aa7a629de41909a287c549397a4043c2f">More...</a><br /></td></tr>
|
||
|
<tr class="separator:aa7a629de41909a287c549397a4043c2f"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
<tr class="memitem:a432536e816a10200518676e5616335a6"><td class="memItemLeft" align="right" valign="top">std::optional< std::uint64_t > </td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a432536e816a10200518676e5616335a6">get_imm</a> (<a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> &ctx, std::uint8_t imm_size, std::uintptr_t vip)</td></tr>
|
||
|
<tr class="memdesc:a432536e816a10200518676e5616335a6"><td class="mdescLeft"> </td><td class="mdescRight">gets the encrypted second operand (imm) given vip and <a class="el" href="classvm_1_1ctx__t.html" title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a>... <a href="namespacevm_1_1instrs.html#a432536e816a10200518676e5616335a6">More...</a><br /></td></tr>
|
||
|
<tr class="separator:a432536e816a10200518676e5616335a6"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
<tr class="memitem:a093e8f1c37d98c4454a3d0b58fda6188"><td class="memItemLeft" align="right" valign="top">std::optional< <a class="el" href="structvm_1_1instrs_1_1jcc__data.html">jcc_data</a> > </td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a093e8f1c37d98c4454a3d0b58fda6188">get_jcc_data</a> (<a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> &ctx, <a class="el" href="structvm_1_1instrs_1_1code__block__t.html">code_block_t</a> &code_block)</td></tr>
|
||
|
<tr class="memdesc:a093e8f1c37d98c4454a3d0b58fda6188"><td class="mdescLeft"> </td><td class="mdescRight">get jcc data out of a code block... this function will loop over the code block and look for the last LCONSTDW in the virtual instructions. <a href="namespacevm_1_1instrs.html#a093e8f1c37d98c4454a3d0b58fda6188">More...</a><br /></td></tr>
|
||
|
<tr class="separator:a093e8f1c37d98c4454a3d0b58fda6188"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
<tr class="memitem:a5ee4814b206e0a4f8fc27356efc9503a"><td class="memItemLeft" align="right" valign="top">std::uintptr_t </td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a5ee4814b206e0a4f8fc27356efc9503a">code_block_addr</a> (const <a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> &ctx, const <a class="el" href="structvmp2_1_1v2_1_1entry__t.html">vmp2::v2::entry_t</a> &entry)</td></tr>
|
||
|
<tr class="memdesc:a5ee4814b206e0a4f8fc27356efc9503a"><td class="mdescLeft"> </td><td class="mdescRight">the top of the stack will contain the lower 32bits of the RVA to the virtual instructions that will be jumped to... the RVA is image based (not module based, but optional header image based)... this means the value on top of the stack could be "40007fd8" with the image base being 0x140000000... as you can see the 0x100000000 is missing... the below statement deals with this... <a href="namespacevm_1_1instrs.html#a5ee4814b206e0a4f8fc27356efc9503a">More...</a><br /></td></tr>
|
||
|
<tr class="separator:a5ee4814b206e0a4f8fc27356efc9503a"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
<tr class="memitem:ab49694becc7c7cbd618468b675e1b22a"><td class="memItemLeft" align="right" valign="top">std::uintptr_t </td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#ab49694becc7c7cbd618468b675e1b22a">code_block_addr</a> (const <a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> &ctx, const std::uint32_t lower_32bits)</td></tr>
|
||
|
<tr class="memdesc:ab49694becc7c7cbd618468b675e1b22a"><td class="mdescLeft"> </td><td class="mdescRight">same routine as above except lower_32bits is passed directly and not extracted from the stack... <a href="namespacevm_1_1instrs.html#ab49694becc7c7cbd618468b675e1b22a">More...</a><br /></td></tr>
|
||
|
<tr class="separator:ab49694becc7c7cbd618468b675e1b22a"><td class="memSeparator" colspan="2"> </td></tr>
|
||
|
</table>
|
||
|
<a name="details" id="details"></a><h2 class="groupheader">Detailed Description</h2>
|
||
|
<div class="textblock"><p>contains all functions related to virtual instructions... </p>
|
||
|
</div><h2 class="groupheader">Enumeration Type Documentation</h2>
|
||
|
<a id="a6266fd623fdf44291ecc8897b060fd57"></a>
|
||
|
<h2 class="memtitle"><span class="permalink"><a href="#a6266fd623fdf44291ecc8897b060fd57">◆ </a></span>jcc_type</h2>
|
||
|
|
||
|
<div class="memitem">
|
||
|
<div class="memproto">
|
||
|
<table class="mlabels">
|
||
|
<tr>
|
||
|
<td class="mlabels-left">
|
||
|
<table class="memname">
|
||
|
<tr>
|
||
|
<td class="memname">enum <a class="el" href="namespacevm_1_1instrs.html#a6266fd623fdf44291ecc8897b060fd57">vm::instrs::jcc_type</a></td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</td>
|
||
|
<td class="mlabels-right">
|
||
|
<span class="mlabels"><span class="mlabel">strong</span></span> </td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</div><div class="memdoc">
|
||
|
<table class="fieldtable">
|
||
|
<tr><th colspan="2">Enumerator</th></tr><tr><td class="fieldname"><a id="a6266fd623fdf44291ecc8897b060fd57a334c4a4c42fdb79d7ebc3e73b517e6f8"></a>none </td><td class="fielddoc"></td></tr>
|
||
|
<tr><td class="fieldname"><a id="a6266fd623fdf44291ecc8897b060fd57a2c28b4e01b26788eab59ce1479b88494"></a>branching </td><td class="fielddoc"></td></tr>
|
||
|
<tr><td class="fieldname"><a id="a6266fd623fdf44291ecc8897b060fd57adc4d53aa0d117d8b189b36d161af4e96"></a>absolute </td><td class="fielddoc"></td></tr>
|
||
|
</table>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
<h2 class="groupheader">Function Documentation</h2>
|
||
|
<a id="ab49694becc7c7cbd618468b675e1b22a"></a>
|
||
|
<h2 class="memtitle"><span class="permalink"><a href="#ab49694becc7c7cbd618468b675e1b22a">◆ </a></span>code_block_addr() <span class="overload">[1/2]</span></h2>
|
||
|
|
||
|
<div class="memitem">
|
||
|
<div class="memproto">
|
||
|
<table class="memname">
|
||
|
<tr>
|
||
|
<td class="memname">std::uintptr_t vm::instrs::code_block_addr </td>
|
||
|
<td>(</td>
|
||
|
<td class="paramtype">const <a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> & </td>
|
||
|
<td class="paramname"><em>ctx</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype">const std::uint32_t </td>
|
||
|
<td class="paramname"><em>lower_32bits</em> </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td></td>
|
||
|
<td>)</td>
|
||
|
<td></td><td></td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</div><div class="memdoc">
|
||
|
|
||
|
<p>same routine as the <code>vmp2::v2::entry_t</code> overload, except lower_32bits is passed directly rather than extracted from the stack... </p>
|
||
|
<dl class="params"><dt>Parameters</dt><dd>
|
||
|
<table class="params">
|
||
|
<tr><td class="paramname">ctx</td><td>vm context</td></tr>
|
||
|
<tr><td class="paramname">lower_32bits</td><td>lower 32bits of the relative virtual address...</td></tr>
|
||
|
</table>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<dl class="section return"><dt>Returns</dt><dd>returns full linear virtual address of code block...</dd></dl>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
<a id="a5ee4814b206e0a4f8fc27356efc9503a"></a>
|
||
|
<h2 class="memtitle"><span class="permalink"><a href="#a5ee4814b206e0a4f8fc27356efc9503a">◆ </a></span>code_block_addr() <span class="overload">[2/2]</span></h2>
|
||
|
|
||
|
<div class="memitem">
|
||
|
<div class="memproto">
|
||
|
<table class="memname">
|
||
|
<tr>
|
||
|
<td class="memname">std::uintptr_t vm::instrs::code_block_addr </td>
|
||
|
<td>(</td>
|
||
|
<td class="paramtype">const <a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> & </td>
|
||
|
<td class="paramname"><em>ctx</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype">const <a class="el" href="structvmp2_1_1v2_1_1entry__t.html">vmp2::v2::entry_t</a> & </td>
|
||
|
<td class="paramname"><em>entry</em> </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td></td>
|
||
|
<td>)</td>
|
||
|
<td></td><td></td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</div><div class="memdoc">
|
||
|
|
||
|
<p>the top of the stack will contain the lower 32bits of the RVA to the virtual instructions that will be jumped to... the RVA is image based (not module based, but optional header image based)... this means the value on top of the stack could be "40007fd8" with the image base being 0x140000000... as you can see the 0x100000000 is missing... the below statement deals with this... </p>
|
||
|
<dl class="params"><dt>Parameters</dt><dd>
|
||
|
<table class="params">
|
||
|
<tr><td class="paramname">ctx</td><td>vm context</td></tr>
|
||
|
<tr><td class="paramname">entry</td><td>current trace entry for virtual JMP instruction</td></tr>
|
||
|
</table>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<dl class="section return"><dt>Returns</dt><dd>returns linear virtual address of the next code block...</dd></dl>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
<a id="a995be4b7dd3764aec88207611a2b879d"></a>
|
||
|
<h2 class="memtitle"><span class="permalink"><a href="#a995be4b7dd3764aec88207611a2b879d">◆ </a></span>decrypt_operand()</h2>
|
||
|
|
||
|
<div class="memitem">
|
||
|
<div class="memproto">
|
||
|
<table class="memname">
|
||
|
<tr>
|
||
|
<td class="memname">std::pair< std::uint64_t, std::uint64_t > vm::instrs::decrypt_operand </td>
|
||
|
<td>(</td>
|
||
|
<td class="paramtype"><a class="el" href="namespacevm_1_1transform.html#af3bd71c380a50beece9341287b7cc025">transform::map_t</a> & </td>
|
||
|
<td class="paramname"><em>transforms</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype">std::uint64_t </td>
|
||
|
<td class="paramname"><em>operand</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype">std::uint64_t </td>
|
||
|
<td class="paramname"><em>rolling_key</em> </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td></td>
|
||
|
<td>)</td>
|
||
|
<td></td><td></td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</div><div class="memdoc">
|
||
|
|
||
|
<p>decrypt a virtual instruction operand given the decryption transformations... you can read about these transformations at <a class="el" href="https://back.engineering/17/05/2021/#operand-decryption">https://back.engineering/17/05/2021/#operand-decryption</a></p>
|
||
|
<dl class="params"><dt>Parameters</dt><dd>
|
||
|
<table class="params">
|
||
|
<tr><td class="paramname">transforms</td><td>decryption transformations...</td></tr>
|
||
|
<tr><td class="paramname">operand</td><td>encrypted virtual instruction operand...</td></tr>
|
||
|
<tr><td class="paramname">rolling_key</td><td>the decryption key (RBX)...</td></tr>
|
||
|
</table>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<dl class="section return"><dt>Returns</dt><dd></dd></dl>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
<a id="a388b00855c582da503850d72de7e8f57"></a>
|
||
|
<h2 class="memtitle"><span class="permalink"><a href="#a388b00855c582da503850d72de7e8f57">◆ </a></span>encrypt_operand()</h2>
|
||
|
|
||
|
<div class="memitem">
|
||
|
<div class="memproto">
|
||
|
<table class="memname">
|
||
|
<tr>
|
||
|
<td class="memname">std::pair< std::uint64_t, std::uint64_t > vm::instrs::encrypt_operand </td>
|
||
|
<td>(</td>
|
||
|
<td class="paramtype"><a class="el" href="namespacevm_1_1transform.html#af3bd71c380a50beece9341287b7cc025">transform::map_t</a> & </td>
|
||
|
<td class="paramname"><em>transforms</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype">std::uint64_t </td>
|
||
|
<td class="paramname"><em>operand</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype">std::uint64_t </td>
|
||
|
<td class="paramname"><em>rolling_key</em> </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td></td>
|
||
|
<td>)</td>
|
||
|
<td></td><td></td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</div><div class="memdoc">
|
||
|
|
||
|
<p>encrypt a virtual instruction's operand given the transformations used to decrypt the operand... the transformations are inverted by this function, so you don't need to do that yourself. </p>
|
||
|
<p>you can learn about transformations at <a class="el" href="https://back.engineering/17/05/2021/#operand-decryption">https://back.engineering/17/05/2021/#operand-decryption</a> </p><dl class="params"><dt>Parameters</dt><dd>
|
||
|
<table class="params">
|
||
|
<tr><td class="paramname">transforms</td><td>transformations used to decrypt the operand; these transformations are inverted by the function...</td></tr>
|
||
|
<tr><td class="paramname">operand</td><td>operand to be encrypted...</td></tr>
|
||
|
<tr><td class="paramname">rolling_key</td><td>encryption key... (RBX)...</td></tr>
|
||
|
</table>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<dl class="section return"><dt>Returns</dt><dd></dd></dl>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
<a id="aa7a629de41909a287c549397a4043c2f"></a>
|
||
|
<h2 class="memtitle"><span class="permalink"><a href="#aa7a629de41909a287c549397a4043c2f">◆ </a></span>get()</h2>
|
||
|
|
||
|
<div class="memitem">
|
||
|
<div class="memproto">
|
||
|
<table class="memname">
|
||
|
<tr>
|
||
|
<td class="memname">std::optional< <a class="el" href="structvm_1_1instrs_1_1virt__instr__t.html">virt_instr_t</a> > vm::instrs::get </td>
|
||
|
<td>(</td>
|
||
|
<td class="paramtype"><a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> & </td>
|
||
|
<td class="paramname"><em>ctx</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype"><a class="el" href="structvmp2_1_1v2_1_1entry__t.html">vmp2::v2::entry_t</a> & </td>
|
||
|
<td class="paramname"><em>entry</em> </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td></td>
|
||
|
<td>)</td>
|
||
|
<td></td><td></td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</div><div class="memdoc">
|
||
|
|
||
|
<p>get <a class="el" href="structvm_1_1instrs_1_1virt__instr__t.html">virt_instr_t</a> filled in with data given a <a class="el" href="namespacevmp2.html">vmp2</a> trace entry and vm context... </p>
|
||
|
<dl class="params"><dt>Parameters</dt><dd>
|
||
|
<table class="params">
|
||
|
<tr><td class="paramname">ctx</td><td>current vm context</td></tr>
|
||
|
<tr><td class="paramname">entry</td><td><a class="el" href="namespacevmp2.html">vmp2</a> trace entry containing all of the native/virtual register/stack values...</td></tr>
|
||
|
</table>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<dl class="section return"><dt>Returns</dt><dd>returns a filled in <a class="el" href="structvm_1_1instrs_1_1virt__instr__t.html">virt_instr_t</a> on success...</dd></dl>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
<a id="a432536e816a10200518676e5616335a6"></a>
|
||
|
<h2 class="memtitle"><span class="permalink"><a href="#a432536e816a10200518676e5616335a6">◆ </a></span>get_imm()</h2>
|
||
|
|
||
|
<div class="memitem">
|
||
|
<div class="memproto">
|
||
|
<table class="memname">
|
||
|
<tr>
|
||
|
<td class="memname">std::optional< std::uint64_t > vm::instrs::get_imm </td>
|
||
|
<td>(</td>
|
||
|
<td class="paramtype"><a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> & </td>
|
||
|
<td class="paramname"><em>ctx</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype">std::uint8_t </td>
|
||
|
<td class="paramname"><em>imm_size</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype">std::uintptr_t </td>
|
||
|
<td class="paramname"><em>vip</em> </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td></td>
|
||
|
<td>)</td>
|
||
|
<td></td><td></td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</div><div class="memdoc">
|
||
|
|
||
|
<p>gets the encrypted second operand (imm) given vip and <a class="el" href="classvm_1_1ctx__t.html" title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a>... </p>
|
||
|
<dl class="params"><dt>Parameters</dt><dd>
|
||
|
<table class="params">
|
||
|
<tr><td class="paramname">ctx</td><td>vm context</td></tr>
|
||
|
<tr><td class="paramname">imm_size</td><td>immediate value size in bits...</td></tr>
|
||
|
<tr><td class="paramname">vip</td><td>virtual instruction pointer, linear virtual address...</td></tr>
|
||
|
</table>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<dl class="section return"><dt>Returns</dt><dd>returns immediate value if imm_size is not 0...</dd></dl>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
<a id="a093e8f1c37d98c4454a3d0b58fda6188"></a>
|
||
|
<h2 class="memtitle"><span class="permalink"><a href="#a093e8f1c37d98c4454a3d0b58fda6188">◆ </a></span>get_jcc_data()</h2>
|
||
|
|
||
|
<div class="memitem">
|
||
|
<div class="memproto">
|
||
|
<table class="memname">
|
||
|
<tr>
|
||
|
<td class="memname">std::optional< <a class="el" href="structvm_1_1instrs_1_1jcc__data.html">jcc_data</a> > vm::instrs::get_jcc_data </td>
|
||
|
<td>(</td>
|
||
|
<td class="paramtype"><a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> & </td>
|
||
|
<td class="paramname"><em>ctx</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype"><a class="el" href="structvm_1_1instrs_1_1code__block__t.html">code_block_t</a> & </td>
|
||
|
<td class="paramname"><em>code_block</em> </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td></td>
|
||
|
<td>)</td>
|
||
|
<td></td><td></td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</div><div class="memdoc">
|
||
|
|
||
|
<p>get jcc data out of a code block... this function will loop over the code block and look for the last LCONSTDW in the virtual instructions. </p>
|
||
|
<p>it will then loop and look for all PUSHVSPs, checking each to see if the stack contains two encrypted RVAs, one for each branch... if there are not two encrypted RVAs then the virtual jmp instruction only has one destination...</p>
|
||
|
<dl class="params"><dt>Parameters</dt><dd>
|
||
|
<table class="params">
|
||
|
<tr><td class="paramname">ctx</td><td>vm context</td></tr>
|
||
|
<tr><td class="paramname">code_block</td><td>code block that does not have its <a class="el" href="structvm_1_1instrs_1_1jcc__data.html">jcc_data</a> yet</td></tr>
|
||
|
</table>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<dl class="section return"><dt>Returns</dt><dd>if the last LCONSTDW is found, returns a filled in <a class="el" href="structvm_1_1instrs_1_1jcc__data.html">jcc_data</a> structure...</dd></dl>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
<a id="abfbe5c819730d2693296df3c71393de3"></a>
|
||
|
<h2 class="memtitle"><span class="permalink"><a href="#abfbe5c819730d2693296df3c71393de3">◆ </a></span>get_rva_decrypt()</h2>
|
||
|
|
||
|
<div class="memitem">
|
||
|
<div class="memproto">
|
||
|
<table class="memname">
|
||
|
<tr>
|
||
|
<td class="memname">bool vm::instrs::get_rva_decrypt </td>
|
||
|
<td>(</td>
|
||
|
<td class="paramtype">const <a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> & </td>
|
||
|
<td class="paramname"><em>vm_entry</em>, </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td class="paramkey"></td>
|
||
|
<td></td>
|
||
|
<td class="paramtype">std::vector< <a class="el" href="vmutils_8hpp.html#ad180fbf8cef52662febedec0f54b6188">zydis_decoded_instr_t</a> > & </td>
|
||
|
<td class="paramname"><em>transform_instrs</em> </td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td></td>
|
||
|
<td>)</td>
|
||
|
<td></td><td></td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</div><div class="memdoc">
|
||
|
|
||
|
<p>gets the native instructions that are used to decrypt the relative virtual address to virtual instructions located on the stack at RSP+0xA0... you can learn about this at <a class="el" href="https://back.engineering/17/05/2021/#vm_entry">https://back.engineering/17/05/2021/#vm_entry</a></p>
|
||
|
<dl class="params"><dt>Parameters</dt><dd>
|
||
|
<table class="params">
|
||
|
<tr><td class="paramname">vm_entry</td><td>pass by reference of the specific vm entry you want to get the decryption instructions from...</td></tr>
|
||
|
<tr><td class="paramname">transform_instrs</td><td>pass by reference vector that will be filled with the decryption instructions...</td></tr>
|
||
|
</table>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<dl class="section return"><dt>Returns</dt><dd>returns true if the decryption instructions are extracted...</dd></dl>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
</div><!-- contents -->
|
||
|
<!-- start footer part -->
|
||
|
<hr class="footer"/><address class="footer"><small>
|
||
|
Generated by <a href="https://www.doxygen.org/index.html"><img class="footer" src="doxygen.svg" width="104" height="31" alt="doxygen"/></a> 1.9.1
|
||
|
</small></address>
|
||
|
</body>
|
||
|
</html>
|