diff --git a/include/vminstrs.hpp b/include/vminstrs.hpp index aa51aa8..ad5465b 100644 --- a/include/vminstrs.hpp +++ b/include/vminstrs.hpp @@ -4,6 +4,9 @@ #include #include +/// +/// contains all functions related to virtual instructions... +/// namespace vm::instrs { /// @@ -48,7 +51,7 @@ namespace vm::instrs std::optional< virt_instr_t > get( vm::ctx_t &ctx, vmp2::v2::entry_t &entry ); /// - /// gets the second operand (imm) given vip and vm::ctx_t... + /// gets the encrypted second operand (imm) given vip and vm::ctx_t... /// /// vm context /// immediate value size in bits... diff --git a/include/vmutils.hpp b/include/vmutils.hpp index afc877c..009be67 100644 --- a/include/vmutils.hpp +++ b/include/vmutils.hpp @@ -28,22 +28,78 @@ struct zydis_instr_t using zydis_routine_t = std::vector< zydis_instr_t >; +/// +/// utils used by the other cpp files... misc things that get used a lot... +/// namespace vm::util { + /// + /// utils pertaining to native registers... + /// namespace reg { - // converts say... AL to RAX... + /// + /// converts say... AL to RAX... + /// + /// a zydis decoded register value... + /// returns the largest width register of the given register... AL gives RAX... zydis_register_t to64( zydis_register_t reg ); + + /// + /// compares to registers with each other... calls to64 and compares... + /// + /// register a... + /// register b... + /// returns true if register to64(a) == to64(b)... bool compare( zydis_register_t a, zydis_register_t b ); } // namespace reg + /// + /// get the instruction that fetches an operand out of VIP... + /// + /// this is a deobfuscated, flattened, view of any set of native instructions that read an operand out of VIP... can be calc_jmp, vm_entry, or vm handlers... + /// + /// returns true of the fetch operand native instruction is found... bool get_fetch_operand( const zydis_routine_t &routine, zydis_instr_t &fetch_instr ); + + /// + /// gets the instruction that fetches an operand out of VIP and returns an iterator to it... + /// + /// this is a deobfuscated, flattened, view of any set of native instructions that read an operand out of VIP... can be calc_jmp, vm_entry, or vm handlers... + /// returns the iterator of the native instruction, else an empty std::optional... std::optional< zydis_routine_t::iterator > get_fetch_operand( zydis_routine_t &routine ); + /// + /// prints a disassembly view of a routine... + /// + /// reference to a zydis_routine_t to be printed... void print( zydis_routine_t &routine ); + + /// + /// prints a single disassembly view of an instruction... + /// + /// instruction to print... void print( const zydis_decoded_instr_t &instr ); + + /// + /// determines if a given decoded native instruction is a JCC... + /// + /// + /// bool is_jmp( const zydis_decoded_instr_t &instr ); + /// + /// flatten native instruction stream, takes every JCC (follows the branch)... + /// + /// filled with decoded instructions... + /// linear virtual address to start flattening from... + /// keep JCC's in the flattened instruction stream... + /// returns true if flattened was successful... bool flatten( zydis_routine_t &routine, std::uintptr_t routine_addr, bool keep_jmps = false ); + + /// + /// deadstore deobfuscation of a flattened routine... + /// + /// reference to a flattened instruction vector... void deobfuscate( zydis_routine_t &routine ); } // namespace vm::util \ No newline at end of file