From ecd7f5abc1f97a2743334e942e50f66c55cf039f Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Tue, 1 Jun 2021 23:44:31 -0700
Subject: [PATCH] fixed operand decryption transform map ref's

---
 include/transform.hpp | 2 +-
 src/vminstrs.cpp | 74 +++++++++++++++++++++----------------------
 2 files changed, 38 insertions(+), 38 deletions(-)

diff --git a/include/transform.hpp b/include/transform.hpp
index bc2ef88..f0a4624 100644
--- a/include/transform.hpp
+++ b/include/transform.hpp
@@ -211,7 +211,7 @@ namespace vm
 }
 }

- inline bool has_imm( zydis_decoded_instr_t *instr )
+ inline bool has_imm( const zydis_decoded_instr_t *instr )
 {
 return instr->operand_count > 1 && ( instr->operands[ 1 ].type & ZYDIS_OPERAND_TYPE_IMMEDIATE );
 }
diff --git a/src/vminstrs.cpp b/src/vminstrs.cpp
index 99ebf3f..9d92817 100644
--- a/src/vminstrs.cpp
+++ b/src/vminstrs.cpp
@@ -7,48 +7,48 @@ namespace vm
 std::pair< std::uint64_t, std::uint64_t > decrypt_operand( transform::map_t &transforms, std::uint64_t operand, std::uint64_t rolling_key )
 {
- const auto generic_decrypt_0 = &transforms[ transform::type::generic0 ];
- const auto key_decrypt = &transforms[ transform::type::rolling_key ];
- const auto generic_decrypt_1 = &transforms[ transform::type::generic1 ];
- const auto generic_decrypt_2 = &transforms[ transform::type::generic2 ];
- const auto generic_decrypt_3 = &transforms[ transform::type::generic3 ];
- const auto update_key = &transforms[ transform::type::update_key ];
-
- if ( generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID )
+ const auto& generic_decrypt_0 = transforms[ transform::type::generic0 ];
+ const auto& key_decrypt = transforms[ transform::type::rolling_key ];
+ const auto& generic_decrypt_1 = transforms[ transform::type::generic1 ];
+ const auto& generic_decrypt_2 = transforms[ transform::type::generic2 ];
+ const auto& generic_decrypt_3 = transforms[ transform::type::generic3 ];
+ const auto& update_key = transforms[ transform::type::update_key ];
+
+ if ( generic_decrypt_0.mnemonic != ZYDIS_MNEMONIC_INVALID )
 {
 operand = transform::apply(
- generic_decrypt_0->operands[ 0 ].size, generic_decrypt_0->mnemonic, operand,
+ generic_decrypt_0.operands[ 0 ].size, generic_decrypt_0.mnemonic, operand,
 // check to see if this instruction has an IMM...
- transform::has_imm( generic_decrypt_0 ) ? generic_decrypt_0->operands[ 1 ].imm.value.u : 0 );
+ transform::has_imm( &generic_decrypt_0 ) ? generic_decrypt_0.operands[ 1 ].imm.value.u : 0 );
 }

 // apply transformation with rolling decrypt key...
- operand = transform::apply( key_decrypt->operands[ 0 ].size, key_decrypt->mnemonic, operand, rolling_key );
+ operand = transform::apply( key_decrypt.operands[ 0 ].size, key_decrypt.mnemonic, operand, rolling_key );

 // apply three generic transformations...
 {
 operand = transform::apply(
- generic_decrypt_1->operands[ 0 ].size, generic_decrypt_1->mnemonic, operand,
+ generic_decrypt_1.operands[ 0 ].size, generic_decrypt_1.mnemonic, operand,
 // check to see if this instruction has an IMM...
- transform::has_imm( generic_decrypt_1 ) ? generic_decrypt_1->operands[ 1 ].imm.value.u : 0 );
+ transform::has_imm( &generic_decrypt_1 ) ? generic_decrypt_1.operands[ 1 ].imm.value.u : 0 );

 operand = transform::apply(
- generic_decrypt_2->operands[ 0 ].size, generic_decrypt_2->mnemonic, operand,
+ generic_decrypt_2.operands[ 0 ].size, generic_decrypt_2.mnemonic, operand,
 // check to see if this instruction has an IMM...
- transform::has_imm( generic_decrypt_2 ) ? generic_decrypt_2->operands[ 1 ].imm.value.u : 0 );
+ transform::has_imm( &generic_decrypt_2 ) ? generic_decrypt_2.operands[ 1 ].imm.value.u : 0 );

 operand = transform::apply(
- generic_decrypt_3->operands[ 0 ].size, generic_decrypt_3->mnemonic, operand,
+ generic_decrypt_3.operands[ 0 ].size, generic_decrypt_3.mnemonic, operand,
 // check to see if this instruction has an IMM...
- transform::has_imm( generic_decrypt_3 ) ? generic_decrypt_3->operands[ 1 ].imm.value.u : 0 );
+ transform::has_imm( &generic_decrypt_3 ) ? generic_decrypt_3.operands[ 1 ].imm.value.u : 0 );
 }

 // update rolling key...
 auto result =
- transform::apply( update_key->operands[ 0 ].size, update_key->mnemonic, rolling_key, operand );
+ transform::apply( update_key.operands[ 0 ].size, update_key.mnemonic, rolling_key, operand );

 // update decryption key correctly...
- switch ( update_key->operands[ 0 ].size )
+ switch ( update_key.operands[ 0 ].size )
 {
 case 8:
 rolling_key = ( rolling_key & ~0xFFull ) + result;
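Review bot: Every `transforms[ transform::type::... ]` lookup in the new reference bindings still goes through `operator[]`, so if `transform::map_t` is a `std::map`/`std::unordered_map` a missing transform is silently default-inserted into the caller's map and then fed to `transform::apply` as a zeroed instruction (mnemonic `ZYDIS_MNEMONIC_INVALID`, `operands[ 0 ].size` 0) — only `generic_decrypt_0` is guarded by the `ZYDIS_MNEMONIC_INVALID` check; `key_decrypt`, `generic_decrypt_1..3` and `update_key` are applied unconditionally. For an analysis tool that runs over untrusted binaries this produces a wrong decrypted operand instead of a diagnosable failure; a checked lookup fails loudly instead, e.g. `const auto& key_decrypt = transforms.at( transform::type::rolling_key );`, and would also allow `transforms` to become `const transform::map_t&`, in line with the `const` this commit adds to `has_imm`. The same applies to the `inverse[ ... ]` bindings in the hunk at -70,18 and to the bindings consumed in the hunk at -96,29. That `map_t` is a standard associative container is inferred from the `operator[]`/reference usage here and should be confirmed against its definition in `transform.hpp`. decrypt_operand continues past this hunk (the remaining `switch` cases and the return are outside it).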
@@ -70,18 +70,18 @@ namespace vm
 transform::map_t inverse;
 inverse_transforms( transforms, inverse );

- const auto generic_decrypt_0 = &inverse[ transform::type::generic0 ];
- const auto key_decrypt = &inverse[ transform::type::rolling_key ];
- const auto generic_decrypt_1 = &inverse[ transform::type::generic1 ];
- const auto generic_decrypt_2 = &inverse[ transform::type::generic2 ];
- const auto generic_decrypt_3 = &inverse[ transform::type::generic3 ];
- const auto update_key = &inverse[ transform::type::update_key ];
+ const auto& generic_decrypt_0 = inverse[ transform::type::generic0 ];
+ const auto& key_decrypt = inverse[ transform::type::rolling_key ];
+ const auto& generic_decrypt_1 = inverse[ transform::type::generic1 ];
+ const auto& generic_decrypt_2 = inverse[ transform::type::generic2 ];
+ const auto& generic_decrypt_3 = inverse[ transform::type::generic3 ];
+ const auto& update_key = inverse[ transform::type::update_key ];

 auto result =
- transform::apply( update_key->operands[ 0 ].size, update_key->mnemonic, rolling_key, operand );
+ transform::apply( update_key.operands[ 0 ].size, update_key.mnemonic, rolling_key, operand );

 // make sure we update the rolling decryption key correctly...
- switch ( update_key->operands[ 0 ].size )
+ switch ( update_key.operands[ 0 ].size )
 {
 case 8:
 rolling_key = ( rolling_key & ~0xFFull ) + result;
@@ -96,29 +96,29 @@ namespace vm

 {
 operand = transform::apply(
- generic_decrypt_3->operands[ 0 ].size, generic_decrypt_3->mnemonic, operand,
+ generic_decrypt_3.operands[ 0 ].size, generic_decrypt_3.mnemonic, operand,
 // check to see if this instruction has an IMM...
- transform::has_imm( generic_decrypt_3 ) ? generic_decrypt_3->operands[ 1 ].imm.value.u : 0 );
+ transform::has_imm( &generic_decrypt_3 ) ? generic_decrypt_3.operands[ 1 ].imm.value.u : 0 );

 operand = transform::apply(
- generic_decrypt_2->operands[ 0 ].size, generic_decrypt_2->mnemonic, operand,
+ generic_decrypt_2.operands[ 0 ].size, generic_decrypt_2.mnemonic, operand,
 // check to see if this instruction has an IMM...
- transform::has_imm( generic_decrypt_2 ) ? generic_decrypt_2->operands[ 1 ].imm.value.u : 0 );
+ transform::has_imm( &generic_decrypt_2 ) ? generic_decrypt_2.operands[ 1 ].imm.value.u : 0 );

 operand = transform::apply(
- generic_decrypt_1->operands[ 0 ].size, generic_decrypt_1->mnemonic, operand,
+ generic_decrypt_1.operands[ 0 ].size, generic_decrypt_1.mnemonic, operand,
 // check to see if this instruction has an IMM...
- transform::has_imm( generic_decrypt_1 ) ? generic_decrypt_1->operands[ 1 ].imm.value.u : 0 );
+ transform::has_imm( &generic_decrypt_1 ) ? generic_decrypt_1.operands[ 1 ].imm.value.u : 0 );
 }

- operand = transform::apply( key_decrypt->operands[ 0 ].size, key_decrypt->mnemonic, operand, rolling_key );
+ operand = transform::apply( key_decrypt.operands[ 0 ].size, key_decrypt.mnemonic, operand, rolling_key );

- if ( generic_decrypt_0->mnemonic != ZYDIS_MNEMONIC_INVALID )
+ if ( generic_decrypt_0.mnemonic != ZYDIS_MNEMONIC_INVALID )
 {
 operand = transform::apply(
- generic_decrypt_0->operands[ 0 ].size, generic_decrypt_0->mnemonic, operand,
+ generic_decrypt_0.operands[ 0 ].size, generic_decrypt_0.mnemonic, operand,
 // check to see if this instruction has an IMM...
- transform::has_imm( generic_decrypt_0 ) ? generic_decrypt_0->operands[ 1 ].imm.value.u : 0 );
+ transform::has_imm( &generic_decrypt_0 ) ? generic_decrypt_0.operands[ 1 ].imm.value.u : 0 );
 }

 return { operand, rolling_key };