Labels Milestones

New Issue

JCC inside of a vm handler that is only in packed modules #5

Closed

opened 3 years ago by root · 0 comments

root commented 3 years ago

Owner

packed modules have this xor/decrypt vm handler in them

	mov     rdx, [rbp+0]
	add     rbp, 8
	xor     eax, eax
label:
	mov     ecx, eax
	shl     eax, 7
	shr     ecx, 19h
	or      eax, ecx
	xor     al, [rdx]
	add     rdx, 1
	dec     dword ptr [rbp+0]
	jnz     label
	mov     [rbp+0], eax

The vm::utils::flatten function always takes a jump. It is used to flatten vm handlers as they were assumed to be linear before, however this is the first vm handler which a legit JCC in it!

Easy fix :)

packed modules have this xor/decrypt vm handler in them ``` mov rdx, [rbp+0] add rbp, 8 xor eax, eax label: mov ecx, eax shl eax, 7 shr ecx, 19h or eax, ecx xor al, [rdx] add rdx, 1 dec dword ptr [rbp+0] jnz label mov [rbp+0], eax ``` The vm::utils::flatten function always takes a jump. It is used to flatten vm handlers as they were assumed to be linear before, however this is the first vm handler which a legit JCC in it! Easy fix :)

root closed this issue 3 years ago

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

v2.0

v1.8

v1.7

v1.6

v1.5

v1.4

v1.3

v1.2

v1.1

v1.0

Labels

Apply labels

Clear labels

No items

No Label

Milestone

Set milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Assign users

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: vmp2/vmprofiler#5

Write Preview

Loading…

Cancel

Save

There is no content yet.