From 9befa18eaaa76e3949a58da06570121634e99159 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Sat, 22 May 2021 21:47:45 -0700 Subject: [PATCH] testing new transform called generic0 or primer... --- include/transform.hpp | 1 + src/vm.cpp | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/include/transform.hpp b/include/transform.hpp index 3dc6f11..b6d568f 100644 --- a/include/transform.hpp +++ b/include/transform.hpp @@ -48,6 +48,7 @@ namespace vm enum class type { + generic0, rolling_key, generic1, generic2, diff --git a/src/vm.cpp b/src/vm.cpp index de43506..127b367 100644 --- a/src/vm.cpp +++ b/src/vm.cpp @@ -5,12 +5,17 @@ namespace vm std::pair decrypt_operand(transform::map_t& transforms, std::uint64_t operand, std::uint64_t rolling_key) { + const auto generic_decrypt_0 = &transforms[transform::type::generic0]; const auto key_decrypt = &transforms[transform::type::rolling_key]; const auto generic_decrypt_1 = &transforms[transform::type::generic1]; const auto generic_decrypt_2 = &transforms[transform::type::generic2]; const auto generic_decrypt_3 = &transforms[transform::type::generic3]; const auto update_key = &transforms[transform::type::update_key]; + if (generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID) + operand = transform::apply(generic_decrypt_0->operands[0].size, + generic_decrypt_0->mnemonic, operand, rolling_key); + // apply transformation with rolling decrypt key... operand = transform::apply(key_decrypt->operands[0].size, key_decrypt->mnemonic, operand, rolling_key); @@ -62,6 +67,10 @@ namespace vm void inverse_transforms(transform::map_t& transforms, transform::map_t& inverse) { + inverse[transform::type::generic0] = transforms[transform::type::generic0]; + inverse[transform::type::generic0].mnemonic = + transform::inverse[transforms[transform::type::generic0].mnemonic]; + inverse[transform::type::rolling_key] = transforms[transform::type::rolling_key]; inverse[transform::type::rolling_key].mnemonic = transform::inverse[transforms[transform::type::rolling_key].mnemonic]; @@ -89,6 +98,7 @@ namespace vm transform::map_t inverse; inverse_transforms(transforms, inverse); + const auto generic_decrypt_0 = &inverse[transform::type::generic0]; const auto key_decrypt = &inverse[transform::type::rolling_key]; const auto generic_decrypt_1 = &inverse[transform::type::generic1]; const auto generic_decrypt_2 = &inverse[transform::type::generic2]; @@ -138,6 +148,10 @@ namespace vm operand = transform::apply(key_decrypt->operands[0].size, key_decrypt->mnemonic, operand, rolling_key); + if (generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID) + operand = transform::apply(generic_decrypt_0->operands[0].size, + generic_decrypt_0->mnemonic, operand, rolling_key); + return { operand, rolling_key }; } @@ -401,6 +415,21 @@ namespace vm if (imm_fetch == vm_handler.end()) return false; + // look for a primer/instruction that alters RAX prior to the 5 transformations... + auto generic0 = std::find_if(imm_fetch + 1, vm_handler.end(), + [](const zydis_instr_t& instr_data) -> bool + { + return util::reg::compare( + instr_data.instr.operands[0].reg.value, ZYDIS_REGISTER_RAX); + } + ); + + ZydisDecodedInstruction nogeneric0; + nogeneric0.mnemonic = ZYDIS_MNEMONIC_INVALID; + + transforms[transform::type::generic0] = + generic0 != vm_handler.end() ? generic0->instr : nogeneric0; + // this finds the first transformation which looks like: // transform rax, rbx <--- note these registers can be smaller so we to64 them... auto key_transform = std::find_if(imm_fetch, vm_handler.end(),