vmprofiler/doxygen/html/vminstrs_8cpp.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.9.1"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>VMProfiler: D:/vmprofiler-qt/dependencies/vmprofiler/src/vminstrs.cpp File Reference</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/searchdata.js"></script>
<script type="text/javascript" src="search/search.js"></script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
<tbody>
<tr style="height: 56px;">
<td id="projectlogo"><img alt="Logo" src="icon.png"/></td>
<td id="projectalign" style="padding-left: 0.5em;">
<div id="projectname">VMProfiler
&#160;<span id="projectnumber">v1.8</span>
</div>
<div id="projectbrief">vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu.</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.9.1 -->
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
var searchBox = new SearchBox("searchBox", "search",false,'Search','.html');
/* @license-end */
</script>
<script type="text/javascript" src="menudata.js"></script>
<script type="text/javascript" src="menu.js"></script>
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
$(function() {
initMenu('',true,false,'search.php','Search');
$(document).ready(function() { init_search(); });
});
/* @license-end */</script>
<div id="main-nav"></div>
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
onkeydown="return searchBox.OnSearchSelectKey(event)">
</div>
<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0"
name="MSearchResults" id="MSearchResults">
</iframe>
</div>
<div id="nav-path" class="navpath">
<ul>
<li class="navelem"><a class="el" href="dir_68267d1309a1af8e8297ef4c3efbcdba.html">src</a></li> </ul>
</div>
</div><!-- top -->
<div class="header">
<div class="summary">
<a href="#namespaces">Namespaces</a> &#124;
<a href="#func-members">Functions</a> </div>
<div class="headertitle">
<div class="title">vminstrs.cpp File Reference</div> </div>
</div><!--header-->
<div class="contents">
<div class="textblock"><code>#include &lt;<a class="el" href="vmprofiler_8hpp_source.html">vmprofiler.hpp</a>&gt;</code><br />
</div><table class="memberdecls">
<tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="namespaces"></a>
Namespaces</h2></td></tr>
<tr class="memitem:namespacevm"><td class="memItemLeft" align="right" valign="top"> &#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm.html">vm</a></td></tr>
<tr class="separator:"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:namespacevm_1_1instrs"><td class="memItemLeft" align="right" valign="top"> &#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html">vm::instrs</a></td></tr>
<tr class="memdesc:namespacevm_1_1instrs"><td class="mdescLeft">&#160;</td><td class="mdescRight">contains all functions related to virtual instructions... <br /></td></tr>
<tr class="separator:"><td class="memSeparator" colspan="2">&#160;</td></tr>
</table><table class="memberdecls">
<tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="func-members"></a>
Functions</h2></td></tr>
<tr class="memitem:a995be4b7dd3764aec88207611a2b879d"><td class="memItemLeft" align="right" valign="top">std::pair&lt; std::uint64_t, std::uint64_t &gt;&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a995be4b7dd3764aec88207611a2b879d">vm::instrs::decrypt_operand</a> (transform::map_t &amp;transforms, std::uint64_t operand, std::uint64_t rolling_key)</td></tr>
<tr class="memdesc:a995be4b7dd3764aec88207611a2b879d"><td class="mdescLeft">&#160;</td><td class="mdescRight">decrypts a virtual instruction operand given the decryption transformations... you can read about these transformations at <a class="el" href="https://back.engineering/17/05/2021/#operand-decryption">https://back.engineering/17/05/2021/#operand-decryption</a> <a href="namespacevm_1_1instrs.html#a995be4b7dd3764aec88207611a2b879d">More...</a><br /></td></tr>
<tr class="separator:a995be4b7dd3764aec88207611a2b879d"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:a388b00855c582da503850d72de7e8f57"><td class="memItemLeft" align="right" valign="top">std::pair&lt; std::uint64_t, std::uint64_t &gt;&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a388b00855c582da503850d72de7e8f57">vm::instrs::encrypt_operand</a> (transform::map_t &amp;transforms, std::uint64_t operand, std::uint64_t rolling_key)</td></tr>
<tr class="memdesc:a388b00855c582da503850d72de7e8f57"><td class="mdescLeft">&#160;</td><td class="mdescRight">encrypts a virtual instruction's operand given the transformations used to decrypt the operand... the transformations are inverted by this function, so you don't need to do that yourself. <a href="namespacevm_1_1instrs.html#a388b00855c582da503850d72de7e8f57">More...</a><br /></td></tr>
<tr class="separator:a388b00855c582da503850d72de7e8f57"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:abfbe5c819730d2693296df3c71393de3"><td class="memItemLeft" align="right" valign="top">bool&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#abfbe5c819730d2693296df3c71393de3">vm::instrs::get_rva_decrypt</a> (const <a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;vm_entry, std::vector&lt; <a class="el" href="vmutils_8hpp.html#ad180fbf8cef52662febedec0f54b6188">zydis_decoded_instr_t</a> &gt; &amp;transform_instrs)</td></tr>
<tr class="memdesc:abfbe5c819730d2693296df3c71393de3"><td class="mdescLeft">&#160;</td><td class="mdescRight">gets the native instructions that are used to decrypt the relative virtual address of the virtual instructions, located on the stack at RSP+0xA0... you can learn about this at <a class="el" href="https://back.engineering/17/05/2021/#vm_entry">https://back.engineering/17/05/2021/#vm_entry</a> <a href="namespacevm_1_1instrs.html#abfbe5c819730d2693296df3c71393de3">More...</a><br /></td></tr>
<tr class="separator:abfbe5c819730d2693296df3c71393de3"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:a432536e816a10200518676e5616335a6"><td class="memItemLeft" align="right" valign="top">std::optional&lt; std::uint64_t &gt;&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a432536e816a10200518676e5616335a6">vm::instrs::get_imm</a> (<a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> &amp;ctx, std::uint8_t imm_size, std::uintptr_t vip)</td></tr>
<tr class="memdesc:a432536e816a10200518676e5616335a6"><td class="mdescLeft">&#160;</td><td class="mdescRight">gets the encrypted second operand (imm) given vip and <a class="el" href="classvm_1_1ctx__t.html" title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a>... <a href="namespacevm_1_1instrs.html#a432536e816a10200518676e5616335a6">More...</a><br /></td></tr>
<tr class="separator:a432536e816a10200518676e5616335a6"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:aa7a629de41909a287c549397a4043c2f"><td class="memItemLeft" align="right" valign="top">std::optional&lt; virt_instr_t &gt;&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#aa7a629de41909a287c549397a4043c2f">vm::instrs::get</a> (<a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> &amp;ctx, <a class="el" href="structvmp2_1_1v2_1_1entry__t.html">vmp2::v2::entry_t</a> &amp;entry)</td></tr>
<tr class="memdesc:aa7a629de41909a287c549397a4043c2f"><td class="mdescLeft">&#160;</td><td class="mdescRight">gets a <a class="el" href="structvm_1_1instrs_1_1virt__instr__t.html">virt_instr_t</a> filled in with data given a <a class="el" href="namespacevmp2.html">vmp2</a> trace entry and a vm context... <a href="namespacevm_1_1instrs.html#aa7a629de41909a287c549397a4043c2f">More...</a><br /></td></tr>
<tr class="separator:aa7a629de41909a287c549397a4043c2f"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:a093e8f1c37d98c4454a3d0b58fda6188"><td class="memItemLeft" align="right" valign="top">std::optional&lt; jcc_data &gt;&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a093e8f1c37d98c4454a3d0b58fda6188">vm::instrs::get_jcc_data</a> (<a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> &amp;ctx, code_block_t &amp;code_block)</td></tr>
<tr class="memdesc:a093e8f1c37d98c4454a3d0b58fda6188"><td class="mdescLeft">&#160;</td><td class="mdescRight">gets jcc data out of a code block... this function loops over the code block and looks for the last LCONSTDW in the virtual instructions. <a href="namespacevm_1_1instrs.html#a093e8f1c37d98c4454a3d0b58fda6188">More...</a><br /></td></tr>
<tr class="separator:a093e8f1c37d98c4454a3d0b58fda6188"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:a5ee4814b206e0a4f8fc27356efc9503a"><td class="memItemLeft" align="right" valign="top">std::uintptr_t&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#a5ee4814b206e0a4f8fc27356efc9503a">vm::instrs::code_block_addr</a> (const <a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> &amp;ctx, const <a class="el" href="structvmp2_1_1v2_1_1entry__t.html">vmp2::v2::entry_t</a> &amp;entry)</td></tr>
<tr class="memdesc:a5ee4814b206e0a4f8fc27356efc9503a"><td class="mdescLeft">&#160;</td><td class="mdescRight">the top of the stack contains the lower 32 bits of the RVA of the virtual instructions that will be jumped to... the RVA is image based (not module based, but based on the optional header's image base)... this means the value on top of the stack could be "40007fd8" with the image base being 0x140000000... as you can see, the 0x100000000 is missing... the statement below deals with this... <a href="namespacevm_1_1instrs.html#a5ee4814b206e0a4f8fc27356efc9503a">More...</a><br /></td></tr>
<tr class="separator:a5ee4814b206e0a4f8fc27356efc9503a"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:ab49694becc7c7cbd618468b675e1b22a"><td class="memItemLeft" align="right" valign="top">std::uintptr_t&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1instrs.html#ab49694becc7c7cbd618468b675e1b22a">vm::instrs::code_block_addr</a> (const <a class="el" href="classvm_1_1ctx__t.html">vm::ctx_t</a> &amp;ctx, const std::uint32_t lower_32bits)</td></tr>
<tr class="memdesc:ab49694becc7c7cbd618468b675e1b22a"><td class="mdescLeft">&#160;</td><td class="mdescRight">the same routine as above, except that lower_32bits is passed directly rather than extracted from the stack... <a href="namespacevm_1_1instrs.html#ab49694becc7c7cbd618468b675e1b22a">More...</a><br /></td></tr>
<tr class="separator:ab49694becc7c7cbd618468b675e1b22a"><td class="memSeparator" colspan="2">&#160;</td></tr>
</table>
</div><!-- contents -->
<!-- start footer part -->
<hr class="footer"/><address class="footer"><small>
Generated by&#160;<a href="https://www.doxygen.org/index.html"><img class="footer" src="doxygen.svg" width="104" height="31" alt="doxygen"/></a> 1.9.1
</small></address>
</body>
</html>