EAST BOUND AND DOWN

merge-requests/1/head
_xeroxz 4 years ago
parent 9befa18eaa
commit cd8b79f28b

@ -13,8 +13,14 @@ namespace vm
const auto update_key = &transforms[transform::type::update_key]; const auto update_key = &transforms[transform::type::update_key];
if (generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID) if (generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID)
operand = transform::apply(generic_decrypt_0->operands[0].size, {
generic_decrypt_0->mnemonic, operand, rolling_key); operand = transform::apply(
generic_decrypt_0->operands[0].size,
generic_decrypt_0->mnemonic, operand,
// check to see if this instruction has an IMM...
transform::has_imm(generic_decrypt_0) ?
generic_decrypt_0->operands[1].imm.value.u : 0);
}
// apply transformation with rolling decrypt key... // apply transformation with rolling decrypt key...
operand = transform::apply(key_decrypt->operands[0].size, operand = transform::apply(key_decrypt->operands[0].size,
@ -149,8 +155,14 @@ namespace vm
key_decrypt->mnemonic, operand, rolling_key); key_decrypt->mnemonic, operand, rolling_key);
if (generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID) if (generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID)
operand = transform::apply(generic_decrypt_0->operands[0].size, {
generic_decrypt_0->mnemonic, operand, rolling_key); operand = transform::apply(
generic_decrypt_0->operands[0].size,
generic_decrypt_0->mnemonic, operand,
// check to see if this instruction has an IMM...
transform::has_imm(generic_decrypt_0) ?
generic_decrypt_0->operands[1].imm.value.u : 0);
}
return { operand, rolling_key }; return { operand, rolling_key };
} }
@ -415,21 +427,6 @@ namespace vm
if (imm_fetch == vm_handler.end()) if (imm_fetch == vm_handler.end())
return false; return false;
// look for a primer/instruction that alters RAX prior to the 5 transformations...
auto generic0 = std::find_if(imm_fetch + 1, vm_handler.end(),
[](const zydis_instr_t& instr_data) -> bool
{
return util::reg::compare(
instr_data.instr.operands[0].reg.value, ZYDIS_REGISTER_RAX);
}
);
ZydisDecodedInstruction nogeneric0;
nogeneric0.mnemonic = ZYDIS_MNEMONIC_INVALID;
transforms[transform::type::generic0] =
generic0 != vm_handler.end() ? generic0->instr : nogeneric0;
// this finds the first transformation which looks like: // this finds the first transformation which looks like:
// transform rax, rbx <--- note these registers can be smaller so we to64 them... // transform rax, rbx <--- note these registers can be smaller so we to64 them...
auto key_transform = std::find_if(imm_fetch, vm_handler.end(), auto key_transform = std::find_if(imm_fetch, vm_handler.end(),
@ -442,6 +439,25 @@ namespace vm
} }
); );
if (key_transform == vm_handler.end())
return false;
// look for a primer/instruction that alters RAX prior to the 5 transformations...
auto generic0 = std::find_if(imm_fetch + 1, key_transform,
[](const zydis_instr_t& instr_data) -> bool
{
return util::reg::compare(
instr_data.instr.operands[0].reg.value, ZYDIS_REGISTER_RAX) &&
!util::reg::compare(instr_data.instr.operands[1].reg.value, ZYDIS_REGISTER_RBX);
}
);
ZydisDecodedInstruction nogeneric0;
nogeneric0.mnemonic = ZYDIS_MNEMONIC_INVALID;
transforms[transform::type::generic0] =
generic0 != key_transform ? generic0->instr : nogeneric0;
// last transformation is the same as the first except src and dest are swwapped... // last transformation is the same as the first except src and dest are swwapped...
transforms[transform::type::rolling_key] = key_transform->instr; transforms[transform::type::rolling_key] = key_transform->instr;
auto instr_copy = key_transform->instr; auto instr_copy = key_transform->instr;
@ -449,13 +465,10 @@ namespace vm
instr_copy.operands[1].reg.value = key_transform->instr.operands[0].reg.value; instr_copy.operands[1].reg.value = key_transform->instr.operands[0].reg.value;
transforms[transform::type::update_key] = instr_copy; transforms[transform::type::update_key] = instr_copy;
if (key_transform == vm_handler.end())
return false;
// three generic transformations... // three generic transformations...
auto generic_transform = key_transform; auto generic_transform = key_transform;
for (auto idx = 0u; idx < 3; ++idx) for (auto idx = 2u; idx < 5; ++idx)
{ {
generic_transform = std::find_if(++generic_transform, vm_handler.end(), generic_transform = std::find_if(++generic_transform, vm_handler.end(),
[](const zydis_instr_t& instr_data) -> bool [](const zydis_instr_t& instr_data) -> bool
@ -470,7 +483,7 @@ namespace vm
if (generic_transform == vm_handler.end()) if (generic_transform == vm_handler.end())
return false; return false;
transforms[(transform::type)(idx + 1)] = generic_transform->instr; transforms[(transform::type)(idx)] = generic_transform->instr;
} }
return true; return true;
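Review bot: `ZydisDecodedInstruction nogeneric0;` in the fourth hunk is default-initialized, so every field other than `mnemonic` is indeterminate when it is stored into `transforms[transform::type::generic0]`; value-initialize it, `ZydisDecodedInstruction nogeneric0{};`, so the sentinel is fully defined even if a consumer ever reads past the `mnemonic != ZYDIS_MNEMONIC_INVALID` check that the first two hunks rely on. The new generic0 predicate also reads `instr_data.instr.operands[1].reg.value` without checking that a second operand exists or is a register, which for single-operand instructions appears to depend on Zydis leaving the unused slot zeroed; either state that in a comment or guard it with `instr_data.instr.operand_count > 1 && instr_data.instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&`. The block that applies the generic0 transform with `transform::has_imm(...) ? ... : 0` is now duplicated verbatim in the first two hunks, so a small static helper would keep the immediate handling in one place. The enclosing functions start and end outside these hunks.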

@ -1,6 +1,10 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations"> <ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="DBG|x64">
<Configuration>DBG</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64"> <ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration> <Configuration>Release</Configuration>
<Platform>x64</Platform> <Platform>x64</Platform>
@ -22,6 +26,13 @@
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DBG|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings"> <ImportGroup Label="ExtensionSettings">
</ImportGroup> </ImportGroup>
@ -30,11 +41,18 @@
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup> </ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='DBG|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" /> <PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental> <LinkIncremental>false</LinkIncremental>
<IncludePath>$(ProjectDir);$(ProjectDir)..\dependencies\zydis\msvc;$(ProjectDir)..\dependencies\zydis\dependencies\zycore\include;$(ProjectDir)..\include;$(ProjectDir)..\dependencies\zydis\include;$(IncludePath)</IncludePath> <IncludePath>$(ProjectDir);$(ProjectDir)..\dependencies\zydis\msvc;$(ProjectDir)..\dependencies\zydis\dependencies\zycore\include;$(ProjectDir)..\include;$(ProjectDir)..\dependencies\zydis\include;$(IncludePath)</IncludePath>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DBG|x64'">
<LinkIncremental>false</LinkIncremental>
<IncludePath>$(ProjectDir);$(ProjectDir)..\dependencies\zydis\msvc;$(ProjectDir)..\dependencies\zydis\dependencies\zycore\include;$(ProjectDir)..\include;$(ProjectDir)..\dependencies\zydis\include;$(IncludePath)</IncludePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile> <ClCompile>
<WarningLevel>Level3</WarningLevel> <WarningLevel>Level3</WarningLevel>
@ -45,6 +63,30 @@
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
<LanguageStandard>stdcpplatest</LanguageStandard> <LanguageStandard>stdcpplatest</LanguageStandard>
<Optimization>Disabled</Optimization> <Optimization>Disabled</Optimization>
<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>$(ProjectDir)..\libs\*;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ProjectReference>
<LinkLibraryDependencies>true</LinkLibraryDependencies>
</ProjectReference>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='DBG|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<LanguageStandard>stdcpplatest</LanguageStandard>
<Optimization>Disabled</Optimization>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
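Review bot: The new DBG configuration is internally inconsistent: its ClCompile group defines `NDEBUG;_CONSOLE;%(PreprocessorDefinitions)` (which compiles out `assert`) and the Configuration group sets `<UseDebugLibraries>false</UseDebugLibraries>` and `<WholeProgramOptimization>true</WholeProgramOptimization>`, yet it selects the `MultiThreadedDebugDLL` runtime with `<Optimization>Disabled</Optimization>`. Pairing the debug CRT with NDEBUG and non-debug libraries is likely to cause runtime-library mismatches against dependencies built for the Release settings, and it drops the assertions a debug configuration presumably exists to exercise. If a debug build is intended, use `_DEBUG;_CONSOLE;%(PreprocessorDefinitions)` and `<UseDebugLibraries>true</UseDebugLibraries>`; if an unoptimized release build is intended, use `<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>` as the Release group does. The DBG Link group continues past the end of this hunk.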

@ -156,31 +156,31 @@ namespace vm
{ {
switch (instr.mnemonic) switch (instr.mnemonic)
{ {
case ZYDIS_MNEMONIC_JB: case ZYDIS_MNEMONIC_JB:
case ZYDIS_MNEMONIC_JBE: case ZYDIS_MNEMONIC_JBE:
case ZYDIS_MNEMONIC_JCXZ: case ZYDIS_MNEMONIC_JCXZ:
case ZYDIS_MNEMONIC_JECXZ: case ZYDIS_MNEMONIC_JECXZ:
case ZYDIS_MNEMONIC_JKNZD: case ZYDIS_MNEMONIC_JKNZD:
case ZYDIS_MNEMONIC_JKZD: case ZYDIS_MNEMONIC_JKZD:
case ZYDIS_MNEMONIC_JL: case ZYDIS_MNEMONIC_JL:
case ZYDIS_MNEMONIC_JLE: case ZYDIS_MNEMONIC_JLE:
case ZYDIS_MNEMONIC_JMP: case ZYDIS_MNEMONIC_JMP:
case ZYDIS_MNEMONIC_JNB: case ZYDIS_MNEMONIC_JNB:
case ZYDIS_MNEMONIC_JNBE: case ZYDIS_MNEMONIC_JNBE:
case ZYDIS_MNEMONIC_JNL: case ZYDIS_MNEMONIC_JNL:
case ZYDIS_MNEMONIC_JNLE: case ZYDIS_MNEMONIC_JNLE:
case ZYDIS_MNEMONIC_JNO: case ZYDIS_MNEMONIC_JNO:
case ZYDIS_MNEMONIC_JNP: case ZYDIS_MNEMONIC_JNP:
case ZYDIS_MNEMONIC_JNS: case ZYDIS_MNEMONIC_JNS:
case ZYDIS_MNEMONIC_JNZ: case ZYDIS_MNEMONIC_JNZ:
case ZYDIS_MNEMONIC_JO: case ZYDIS_MNEMONIC_JO:
case ZYDIS_MNEMONIC_JP: case ZYDIS_MNEMONIC_JP:
case ZYDIS_MNEMONIC_JRCXZ: case ZYDIS_MNEMONIC_JRCXZ:
case ZYDIS_MNEMONIC_JS: case ZYDIS_MNEMONIC_JS:
case ZYDIS_MNEMONIC_JZ: case ZYDIS_MNEMONIC_JZ:
return true; return true;
default: default:
break; break;
} }
return false; return false;
} }
@ -233,14 +233,14 @@ namespace vm
{ {
switch (op.type) switch (op.type)
{ {
case ZYDIS_OPERAND_TYPE_MEMORY: case ZYDIS_OPERAND_TYPE_MEMORY:
{ {
return reg::compare(op.mem.base, reg) || reg::compare(op.mem.index, reg); return reg::compare(op.mem.base, reg) || reg::compare(op.mem.index, reg);
} }
case ZYDIS_OPERAND_TYPE_REGISTER: case ZYDIS_OPERAND_TYPE_REGISTER:
{ {
return reg::compare(op.reg.value, reg); return reg::compare(op.reg.value, reg);
} }
} }
return false; return false;
@ -330,5 +330,5 @@ namespace vm
} }
} }
} }
} }
} }