testing new transform called generic0 or primer...

merge-requests/1/head
_xeroxz 4 years ago
parent 50fd6c75b4
commit 9befa18eaa

@ -48,6 +48,7 @@ namespace vm
enum class type
{
generic0,
rolling_key,
generic1,
generic2,

@ -5,12 +5,17 @@ namespace vm
std::pair<std::uint64_t, std::uint64_t> decrypt_operand(transform::map_t& transforms,
std::uint64_t operand, std::uint64_t rolling_key)
{
const auto generic_decrypt_0 = &transforms[transform::type::generic0];
const auto key_decrypt = &transforms[transform::type::rolling_key];
const auto generic_decrypt_1 = &transforms[transform::type::generic1];
const auto generic_decrypt_2 = &transforms[transform::type::generic2];
const auto generic_decrypt_3 = &transforms[transform::type::generic3];
const auto update_key = &transforms[transform::type::update_key];
if (generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID)
operand = transform::apply(generic_decrypt_0->operands[0].size,
generic_decrypt_0->mnemonic, operand, rolling_key);
// apply transformation with rolling decrypt key...
operand = transform::apply(key_decrypt->operands[0].size,
key_decrypt->mnemonic, operand, rolling_key);
@ -62,6 +67,10 @@ namespace vm
void inverse_transforms(transform::map_t& transforms, transform::map_t& inverse)
{
inverse[transform::type::generic0] = transforms[transform::type::generic0];
inverse[transform::type::generic0].mnemonic =
transform::inverse[transforms[transform::type::generic0].mnemonic];
inverse[transform::type::rolling_key] = transforms[transform::type::rolling_key];
inverse[transform::type::rolling_key].mnemonic =
transform::inverse[transforms[transform::type::rolling_key].mnemonic];
@ -89,6 +98,7 @@ namespace vm
transform::map_t inverse;
inverse_transforms(transforms, inverse);
const auto generic_decrypt_0 = &inverse[transform::type::generic0];
const auto key_decrypt = &inverse[transform::type::rolling_key];
const auto generic_decrypt_1 = &inverse[transform::type::generic1];
const auto generic_decrypt_2 = &inverse[transform::type::generic2];
@ -138,6 +148,10 @@ namespace vm
operand = transform::apply(key_decrypt->operands[0].size,
key_decrypt->mnemonic, operand, rolling_key);
if (generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID)
operand = transform::apply(generic_decrypt_0->operands[0].size,
generic_decrypt_0->mnemonic, operand, rolling_key);
return { operand, rolling_key };
}
@ -401,6 +415,21 @@ namespace vm
if (imm_fetch == vm_handler.end())
return false;
// look for a primer/instruction that alters RAX prior to the 5 transformations...
auto generic0 = std::find_if(imm_fetch + 1, vm_handler.end(),
[](const zydis_instr_t& instr_data) -> bool
{
return util::reg::compare(
instr_data.instr.operands[0].reg.value, ZYDIS_REGISTER_RAX);
}
);
ZydisDecodedInstruction nogeneric0;
nogeneric0.mnemonic = ZYDIS_MNEMONIC_INVALID;
transforms[transform::type::generic0] =
generic0 != vm_handler.end() ? generic0->instr : nogeneric0;
// this finds the first transformation which looks like:
// transform rax, rbx <--- note these registers can be smaller so we to64 them...
auto key_transform = std::find_if(imm_fetch, vm_handler.end(),

Loading…
Cancel
Save