|
|
|
@ -217,11 +217,21 @@ namespace vm::transform
|
|
|
|
|
{ ZYDIS_MNEMONIC_ROR, ZYDIS_MNEMONIC_ROL }, { ZYDIS_MNEMONIC_ROL, ZYDIS_MNEMONIC_ROR },
|
|
|
|
|
{ ZYDIS_MNEMONIC_INC, ZYDIS_MNEMONIC_DEC }, { ZYDIS_MNEMONIC_DEC, ZYDIS_MNEMONIC_INC } };
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
/// determines if the given mnemonic is a valid transformation...
|
|
|
|
|
/// </summary>
|
|
|
|
|
/// <param name="op">mnemonic of the native instruction...</param>
|
|
|
|
|
/// <returns>returns true if the mnemonic is a transformation...</returns>
|
|
|
|
|
inline bool valid( zydis_mnemonic_t op )
|
|
|
|
|
{
|
|
|
|
|
return transforms< std::uint64_t >.find( op ) != transforms< std::uint64_t >.end();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
/// inverse operand decryption transformations...
|
|
|
|
|
/// </summary>
|
|
|
|
|
/// <param name="transforms">reference to the transformations to be inversed...</param>
|
|
|
|
|
/// <param name="inverse">reference to the resulting inversed transformations...</param>
|
|
|
|
|
inline void inverse_transforms( transform::map_t &transforms, transform::map_t &inverse )
|
|
|
|
|
{
|
|
|
|
|
inverse[ transform::type::generic0 ] = transforms[ transform::type::generic0 ];
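Review bot: The new comment on `inverse_transforms( transform::map_t &, transform::map_t & )` does not say what the function requires of `transforms`, and the first body line reads it with `operator[]` through a non-const reference. If `map_t` is a `std::map`-style container (its definition is not visible here), a missing `generic0` entry would be default-constructed and copied into `inverse` rather than reported, which matters when the transforms were recovered from an untrusted binary. I would either document the precondition, e.g. `/// <remarks>every transform::type key must already be present in transforms...</remarks>`, or read with `transforms.at( transform::type::generic0 )` so a missing key fails loudly. The same applies to the `transform::inverse[ ... .mnemonic ]` lookup visible at the top of the next hunk. The function body continues outside this hunk.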
|
|
|
|
@ -249,6 +259,11 @@ namespace vm::transform
|
|
|
|
|
transform::inverse[ transforms[ transform::type::update_key ].mnemonic ];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
/// inverse transformations given a vector of them...
|
|
|
|
|
/// </summary>
|
|
|
|
|
/// <param name="instrs">reference to a vector of transformations...</param>
|
|
|
|
|
/// <returns>returns true if all transformations were inversed...</returns>
|
|
|
|
|
inline auto inverse_transforms( std::vector< zydis_decoded_instr_t > &instrs ) -> bool
|
|
|
|
|
{
|
|
|
|
|
for ( auto idx = 0u; idx < instrs.size(); idx++ )
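Review bot: The summary for the vector overload says it returns true when all transformations were inversed, but not what `instrs` holds when it returns false. The parameter is a non-const reference and the loop walks it by index, so it presumably rewrites entries in place, which would leave the vector partly inverted on failure. The loop body is outside this hunk, so this needs confirming. If so, add a line such as `/// <remarks>instrs is modified in place; on a false return it may be partially inversed and should be discarded...</remarks>`.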
|
|
|
|
@ -279,6 +294,11 @@ namespace vm::transform
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
/// determines if a given decoded instruction has a second operand that is an immediate value...
|
|
|
|
|
/// </summary>
|
|
|
|
|
/// <param name="instr">pointer to a decoded instruction...</param>
|
|
|
|
|
/// <returns>returns true if the second operand is of type immediate...</returns>
|
|
|
|
|
inline bool has_imm( const zydis_decoded_instr_t *instr )
|
|
|
|
|
{
|
|
|
|
|
return instr->operand_count > 1 && ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE );
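Review bot: `has_imm` dereferences `instr` unconditionally while the new `<param>` text only says "pointer to a decoded instruction", so a null argument is undefined behaviour and nothing tells the caller. Either state the precondition in the comment, `/// <param name="instr">non-null pointer to a decoded instruction...</param>`, or guard the access with `return instr && instr->operand_count > 1 && ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE );`. The closing brace of the function falls outside the hunk.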
|
|
|
|
|