doxygen/html/transform_8hpp_source.html

 #pragma once

 #include <Zydis/Zydis.h>

 #include <functional>

 #include <map>

 #include <stdexcept>

 #include <vmutils.hpp>


 namespace vm::transform

 {

     template < class T > inline T __ROL__( T value, int count )

     {

         const unsigned int nbits = sizeof( T ) * 8;


         if ( count > 0 )

         {

             count %= nbits;

             T high = value >> ( nbits - count );

             if ( T( -1 ) < 0 ) // signed value

                 high &= ~( ( T( -1 ) << count ) );

             value <<= count;

             value |= high;

         }

         else

         {

             count = -count % nbits;

             T low = value << ( nbits - count );

             value >>= count;

             value |= low;

         }

         return value;

     }


     inline u8 __ROL1__( u8 value, int count )

     {

         return __ROL__( ( u8 )value, count );

     }


     inline u16 __ROL2__( u16 value, int count )

     {

         return __ROL__( ( u16 )value, count );

     }


     inline u32 __ROL4__( u32 value, int count )

     {

         return __ROL__( ( u32 )value, count );

     }


     inline u64 __ROL8__( u64 value, int count )

     {

         return __ROL__( ( u64 )value, count );

     }


     inline u8 __ROR1__( u8 value, int count )

     {

         return __ROL__( ( u8 )value, -count );

     }


     inline u16 __ROR2__( u16 value, int count )

     {

         return __ROL__( ( u16 )value, -count );

     }


     inline u32 __ROR4__( u32 value, int count )

     {

         return __ROL__( ( u32 )value, -count );

     }


     inline u64 __ROR8__( u64 value, int count )

     {

         return __ROL__( ( u64 )value, -count );

     }


     template < typename T > using transform_t = std::function< T( T, T ) >;


     enum class type

     {

         generic0,

         rolling_key,

         generic1,

         generic2,

         generic3,

         update_key

     };


     using map_t = std::map< transform::type, zydis_decoded_instr_t >;


     template < class T >

     inline const auto _bswap = []( T a, T b ) -> T {

         if constexpr ( std::is_same_v< T, std::uint64_t > )

             return _byteswap_uint64( a );

         if constexpr ( std::is_same_v< T, std::uint32_t > )

             return _byteswap_ulong( a );

         if constexpr ( std::is_same_v< T, std::uint16_t > )

             return _byteswap_ushort( a );


         throw std::invalid_argument( "invalid type size..." );

     };


     template < class T > inline const auto _add = []( T a, T b ) -> T { return a + b; };


     template < class T > inline const auto _xor = []( T a, T b ) -> T { return a ^ b; };


     template < class T > inline const auto _sub = []( T a, T b ) -> T { return a - b; };


     template < class T > inline const auto _neg = []( T a, T b ) -> T { return a * -1; };


     template < class T > inline const auto _not = []( T a, T b ) -> T { return ~a; };


     template < class T >

     inline const auto _ror = []( T a, T b ) -> T {

         if constexpr ( std::is_same_v< T, std::uint64_t > )

             return __ROR8__( a, b );

         if constexpr ( std::is_same_v< T, std::uint32_t > )

             return __ROR4__( a, b );

         if constexpr ( std::is_same_v< T, std::uint16_t > )

             return __ROR2__( a, b );

         if constexpr ( std::is_same_v< T, std::uint8_t > )

             return __ROR1__( a, b );


         throw std::invalid_argument( "invalid type size..." );

     };


     template < class T >

     inline const auto _rol = []( T a, T b ) -> T {

         if constexpr ( std::is_same_v< T, std::uint64_t > )

             return __ROL8__( a, b );

         if constexpr ( std::is_same_v< T, std::uint32_t > )

             return __ROL4__( a, b );

         if constexpr ( std::is_same_v< T, std::uint16_t > )

             return __ROL2__( a, b );

         if constexpr ( std::is_same_v< T, std::uint8_t > )

             return __ROL1__( a, b );


         throw std::invalid_argument( "invalid type size..." );

     };


     template < class T > inline const auto _inc = []( T a, T b ) -> T { return a + 1; };


     template < class T > inline const auto _dec = []( T a, T b ) -> T { return a - 1; };


     template < class T >

     inline std::map< zydis_mnemonic_t, transform_t< T > > transforms = {

         { ZYDIS_MNEMONIC_ADD, _add< T > }, { ZYDIS_MNEMONIC_XOR, _xor< T > }, { ZYDIS_MNEMONIC_BSWAP, _bswap< T > },

         { ZYDIS_MNEMONIC_SUB, _sub< T > }, { ZYDIS_MNEMONIC_NEG, _neg< T > }, { ZYDIS_MNEMONIC_NOT, _not< T > },

         { ZYDIS_MNEMONIC_ROR, _ror< T > }, { ZYDIS_MNEMONIC_ROL, _rol< T > }, { ZYDIS_MNEMONIC_INC, _inc< T > },

         { ZYDIS_MNEMONIC_DEC, _dec< T > } };


     inline std::map< zydis_mnemonic_t, zydis_mnemonic_t > inverse = {

         { ZYDIS_MNEMONIC_ADD, ZYDIS_MNEMONIC_SUB },     { ZYDIS_MNEMONIC_XOR, ZYDIS_MNEMONIC_XOR },

         { ZYDIS_MNEMONIC_BSWAP, ZYDIS_MNEMONIC_BSWAP }, { ZYDIS_MNEMONIC_SUB, ZYDIS_MNEMONIC_ADD },

         { ZYDIS_MNEMONIC_NEG, ZYDIS_MNEMONIC_NEG },     { ZYDIS_MNEMONIC_NOT, ZYDIS_MNEMONIC_NOT },

         { ZYDIS_MNEMONIC_ROR, ZYDIS_MNEMONIC_ROL },     { ZYDIS_MNEMONIC_ROL, ZYDIS_MNEMONIC_ROR },

         { ZYDIS_MNEMONIC_INC, ZYDIS_MNEMONIC_DEC },     { ZYDIS_MNEMONIC_DEC, ZYDIS_MNEMONIC_INC } };


     inline bool valid( zydis_mnemonic_t op )

     {

         return transforms< std::uint64_t >.find( op ) != transforms< std::uint64_t >.end();

     }


     inline void inverse_transforms( transform::map_t &transforms, transform::map_t &inverse )

     {

         inverse[ transform::type::generic0 ] = transforms[ transform::type::generic0 ];

         inverse[ transform::type::generic0 ].mnemonic =

             transform::inverse[ transforms[ transform::type::generic0 ].mnemonic ];


         inverse[ transform::type::rolling_key ] = transforms[ transform::type::rolling_key ];

         inverse[ transform::type::rolling_key ].mnemonic =

             transform::inverse[ transforms[ transform::type::rolling_key ].mnemonic ];


         inverse[ transform::type::generic1 ] = transforms[ transform::type::generic1 ];

         inverse[ transform::type::generic1 ].mnemonic =

             transform::inverse[ transforms[ transform::type::generic1 ].mnemonic ];


         inverse[ transform::type::generic2 ] = transforms[ transform::type::generic2 ];

         inverse[ transform::type::generic2 ].mnemonic =

             transform::inverse[ transforms[ transform::type::generic2 ].mnemonic ];


         inverse[ transform::type::generic3 ] = transforms[ transform::type::generic3 ];

         inverse[ transform::type::generic3 ].mnemonic =

             transform::inverse[ transforms[ transform::type::generic3 ].mnemonic ];


         inverse[ transform::type::update_key ] = transforms[ transform::type::update_key ];

         inverse[ transform::type::update_key ].mnemonic =

             transform::inverse[ transforms[ transform::type::update_key ].mnemonic ];

     }


     inline auto inverse_transforms( std::vector< zydis_decoded_instr_t > &instrs ) -> bool

     {

         for ( auto idx = 0u; idx < instrs.size(); idx++ )

             if ( !( instrs[ idx ].mnemonic = inverse[ instrs[ idx ].mnemonic ] ) )

                 return false;


         std::reverse( instrs.begin(), instrs.end() );

         return true;

     }


     // max size of a and b is 64 bits, a and b is then converted to

     // the number of bits in bitsize, the transformation is applied,

     // finally the result is converted back to 64bits... zero extended...

     inline auto apply( std::uint8_t bitsize, ZydisMnemonic op, std::uint64_t a, std::uint64_t b ) -> std::uint64_t

     {

         switch ( bitsize )

         {

         case 8:

             return transforms< std::uint8_t >[ op ]( a, b );

         case 16:

             return transforms< std::uint16_t >[ op ]( a, b );

         case 32:

             return transforms< std::uint32_t >[ op ]( a, b );

         case 64:

             return transforms< std::uint64_t >[ op ]( a, b );

         default:

             throw std::invalid_argument( "invalid bit size..." );

         }

     }


     inline bool has_imm( const zydis_decoded_instr_t *instr )

     {

         return instr->operand_count > 1 && ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE );

     }

 } // namespace vm::transform

vm::transform
Definition: transform.hpp:9

vm::transform::_inc
const auto _inc
Definition: transform.hpp:202

vm::transform::_dec
const auto _dec
Definition: transform.hpp:204

vm::transform::__ROR1__
u8 __ROR1__(u8 value, int count)
rotate right a one byte value...
Definition: transform.hpp:90

vm::transform::_add
const auto _add
Definition: transform.hpp:164

vm::transform::__ROL1__
u8 __ROL1__(u8 value, int count)
rotate left a one byte value...
Definition: transform.hpp:46

vm::transform::inverse_transforms
void inverse_transforms(transform::map_t &transforms, transform::map_t &inverse)
inverse operand decryption transformations...
Definition: transform.hpp:235

vm::transform::_xor
const auto _xor
Definition: transform.hpp:166

vm::transform::apply
auto apply(std::uint8_t bitsize, ZydisMnemonic op, std::uint64_t a, std::uint64_t b) -> std::uint64_t
Definition: transform.hpp:280

vm::transform::__ROL4__
u32 __ROL4__(u32 value, int count)
rotate left a four byte value...
Definition: transform.hpp:68

vm::transform::transform_t
std::function< T(T, T) > transform_t
transform function, such as ADD, SUB, BSWAP... etc...
Definition: transform.hpp:132

vm::transform::_bswap
const auto _bswap
Definition: transform.hpp:153

vm::transform::inverse
std::map< zydis_mnemonic_t, zydis_mnemonic_t > inverse
Definition: transform.hpp:213

vm::transform::_neg
const auto _neg
Definition: transform.hpp:170

vm::transform::__ROR4__
u32 __ROR4__(u32 value, int count)
rotate right a four byte value...
Definition: transform.hpp:112

vm::transform::__ROR8__
u64 __ROR8__(u64 value, int count)
rotate right an eight byte value...
Definition: transform.hpp:123

vm::transform::_sub
const auto _sub
Definition: transform.hpp:168

vm::transform::__ROL__
T __ROL__(T value, int count)
rotate left template function take from IDA SDK...
Definition: transform.hpp:17

vm::transform::_rol
const auto _rol
Definition: transform.hpp:189

vm::transform::has_imm
bool has_imm(const zydis_decoded_instr_t *instr)
determines if a given decoded instruction has a second operand that is an immediate value....
Definition: transform.hpp:302

vm::transform::valid
bool valid(zydis_mnemonic_t op)
determines if the given mnemonic is a valid transformation...
Definition: transform.hpp:225

vm::transform::type
type
type of transformation...
Definition: transform.hpp:138

vm::transform::type::generic2
@ generic2

vm::transform::type::update_key
@ update_key

vm::transform::type::generic3
@ generic3

vm::transform::type::rolling_key
@ rolling_key

vm::transform::type::generic1
@ generic1

vm::transform::type::generic0
@ generic0

vm::transform::_ror
const auto _ror
Definition: transform.hpp:175

vm::transform::transforms
std::map< zydis_mnemonic_t, transform_t< T > > transforms
Definition: transform.hpp:207

vm::transform::__ROL8__
u64 __ROL8__(u64 value, int count)
rotate left an eight byte value...
Definition: transform.hpp:79

vm::transform::__ROR2__
u16 __ROR2__(u16 value, int count)
rotate right a two byte value...
Definition: transform.hpp:101

vm::transform::_not
const auto _not
Definition: transform.hpp:172

vm::transform::map_t
std::map< transform::type, zydis_decoded_instr_t > map_t
map of transform type to zydis decoded instruction of the transform...
Definition: transform.hpp:150

vm::transform::__ROL2__
u16 __ROL2__(u16 value, int count)
rotate left a two byte value...
Definition: transform.hpp:57

vmutils.hpp

u64
unsigned long long u64
Definition: vmutils.hpp:15

u32
unsigned int u32
Definition: vmutils.hpp:14

u16
unsigned short u16
Definition: vmutils.hpp:13

zydis_mnemonic_t
ZydisMnemonic zydis_mnemonic_t
Definition: vmutils.hpp:20

zydis_decoded_instr_t
ZydisDecodedInstruction zydis_decoded_instr_t
Definition: vmutils.hpp:18

u8
unsigned char u8
Definition: vmutils.hpp:12