|
|
|
|
@ -5,12 +5,17 @@ namespace vm
|
|
|
|
|
std::pair<std::uint64_t, std::uint64_t> decrypt_operand(transform::map_t& transforms,
|
|
|
|
|
std::uint64_t operand, std::uint64_t rolling_key)
|
|
|
|
|
{
|
|
|
|
|
const auto generic_decrypt_0 = &transforms[transform::type::generic0];
|
|
|
|
|
const auto key_decrypt = &transforms[transform::type::rolling_key];
|
|
|
|
|
const auto generic_decrypt_1 = &transforms[transform::type::generic1];
|
|
|
|
|
const auto generic_decrypt_2 = &transforms[transform::type::generic2];
|
|
|
|
|
const auto generic_decrypt_3 = &transforms[transform::type::generic3];
|
|
|
|
|
const auto update_key = &transforms[transform::type::update_key];
|
|
|
|
|
|
|
|
|
|
if (generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID)
|
|
|
|
|
operand = transform::apply(generic_decrypt_0->operands[0].size,
|
|
|
|
|
generic_decrypt_0->mnemonic, operand, rolling_key);
|
|
|
|
|
|
|
|
|
|
// apply transformation with rolling decrypt key...
|
|
|
|
|
operand = transform::apply(key_decrypt->operands[0].size,
|
|
|
|
|
key_decrypt->mnemonic, operand, rolling_key);
|
|
|
|
|
@ -62,6 +67,10 @@ namespace vm
|
|
|
|
|
|
|
|
|
|
void inverse_transforms(transform::map_t& transforms, transform::map_t& inverse)
|
|
|
|
|
{
|
|
|
|
|
inverse[transform::type::generic0] = transforms[transform::type::generic0];
|
|
|
|
|
inverse[transform::type::generic0].mnemonic =
|
|
|
|
|
transform::inverse[transforms[transform::type::generic0].mnemonic];
|
|
|
|
|
|
|
|
|
|
inverse[transform::type::rolling_key] = transforms[transform::type::rolling_key];
|
|
|
|
|
inverse[transform::type::rolling_key].mnemonic =
|
|
|
|
|
transform::inverse[transforms[transform::type::rolling_key].mnemonic];
|
|
|
|
|
@ -89,6 +98,7 @@ namespace vm
|
|
|
|
|
transform::map_t inverse;
|
|
|
|
|
inverse_transforms(transforms, inverse);
|
|
|
|
|
|
|
|
|
|
const auto generic_decrypt_0 = &inverse[transform::type::generic0];
|
|
|
|
|
const auto key_decrypt = &inverse[transform::type::rolling_key];
|
|
|
|
|
const auto generic_decrypt_1 = &inverse[transform::type::generic1];
|
|
|
|
|
const auto generic_decrypt_2 = &inverse[transform::type::generic2];
|
|
|
|
|
@ -138,6 +148,10 @@ namespace vm
|
|
|
|
|
operand = transform::apply(key_decrypt->operands[0].size,
|
|
|
|
|
key_decrypt->mnemonic, operand, rolling_key);
|
|
|
|
|
|
|
|
|
|
if (generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID)
|
|
|
|
|
operand = transform::apply(generic_decrypt_0->operands[0].size,
|
|
|
|
|
generic_decrypt_0->mnemonic, operand, rolling_key);
|
|
|
|
|
|
|
|
|
|
return { operand, rolling_key };
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -401,6 +415,21 @@ namespace vm
|
|
|
|
|
if (imm_fetch == vm_handler.end())
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// look for a primer/instruction that alters RAX prior to the 5 transformations...
|
|
|
|
|
auto generic0 = std::find_if(imm_fetch + 1, vm_handler.end(),
|
|
|
|
|
[](const zydis_instr_t& instr_data) -> bool
|
|
|
|
|
{
|
|
|
|
|
return util::reg::compare(
|
|
|
|
|
instr_data.instr.operands[0].reg.value, ZYDIS_REGISTER_RAX);
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
ZydisDecodedInstruction nogeneric0;
|
|
|
|
|
nogeneric0.mnemonic = ZYDIS_MNEMONIC_INVALID;
|
|
|
|
|
|
|
|
|
|
transforms[transform::type::generic0] =
|
|
|
|
|
generic0 != vm_handler.end() ? generic0->instr : nogeneric0;
|
|
|
|
|
|
|
|
|
|
// this finds the first transformation which looks like:
|
|
|
|
|
// transform rax, rbx <--- note these registers can be smaller so we to64 them...
|
|
|
|
|
auto key_transform = std::find_if(imm_fetch, vm_handler.end(),
|
|
|
|
|
|
_xeroxz
3 years ago