|
|
@ -169,21 +169,21 @@ void deobfuscate(zydis_routine_t &routine) {
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
std::uint32_t last_size = 0u;
|
|
|
|
std::uint32_t last_size = 0u;
|
|
|
|
|
|
|
|
static const std::vector<ZydisMnemonic> blacklist = {
|
|
|
|
|
|
|
|
ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT, ZYDIS_MNEMONIC_TEST,
|
|
|
|
|
|
|
|
ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static const std::vector<ZydisMnemonic> whitelist = {
|
|
|
|
|
|
|
|
ZYDIS_MNEMONIC_PUSH, ZYDIS_MNEMONIC_POP, ZYDIS_MNEMONIC_CALL,
|
|
|
|
|
|
|
|
ZYDIS_MNEMONIC_DIV};
|
|
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
do {
|
|
|
|
last_size = routine.size();
|
|
|
|
last_size = routine.size();
|
|
|
|
|
|
|
|
|
|
|
|
for (auto itr = routine.begin(); itr != routine.end(); ++itr) {
|
|
|
|
for (auto itr = routine.begin(); itr != routine.end(); ++itr) {
|
|
|
|
// dont remove these... at all...
|
|
|
|
if (std::find(whitelist.begin(), whitelist.end(), itr->instr.mnemonic) !=
|
|
|
|
if (itr->instr.mnemonic == ZYDIS_MNEMONIC_PUSH ||
|
|
|
|
whitelist.end())
|
|
|
|
itr->instr.mnemonic == ZYDIS_MNEMONIC_POP ||
|
|
|
|
|
|
|
|
itr->instr.mnemonic == ZYDIS_MNEMONIC_CALL)
|
|
|
|
|
|
|
|
continue;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
static const std::vector<ZydisMnemonic> blacklist = {
|
|
|
|
|
|
|
|
ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT, ZYDIS_MNEMONIC_TEST,
|
|
|
|
|
|
|
|
ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (std::find(blacklist.begin(), blacklist.end(), itr->instr.mnemonic) !=
|
|
|
|
if (std::find(blacklist.begin(), blacklist.end(), itr->instr.mnemonic) !=
|
|
|
|
blacklist.end()) {
|
|
|
|
blacklist.end()) {
|
|
|
|
routine.erase(itr);
|
|
|
|
routine.erase(itr);
|
|
|
|