fixed a bug in the deadstore removal algo...

main
John Doe 3 years ago
parent 703245ffc9
commit 4c4bcf8a18

@ -19,6 +19,7 @@ bool vmctx_t::init() {
return false; return false;
vm::utils::deobfuscate(m_vm_entry); vm::utils::deobfuscate(m_vm_entry);
vm::utils::print(m_vm_entry);
// find mov reg, [rsp+0x90]. this register will be VIP... // find mov reg, [rsp+0x90]. this register will be VIP...
const auto vip_fetch = std::find_if( const auto vip_fetch = std::find_if(

@ -20,12 +20,9 @@ void deobfuscate(hndlr_trace_t& trace) {
static const auto _reads = [](zydis_decoded_instr_t& instr, static const auto _reads = [](zydis_decoded_instr_t& instr,
zydis_reg_t reg) -> bool { zydis_reg_t reg) -> bool {
if (instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
vm::utils::reg::compare(instr.operands[0].mem.base, reg))
return true;
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx) for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
if (instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ && if ((instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ ||
instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_MEMORY) &&
_uses_reg(instr.operands[op_idx], reg)) _uses_reg(instr.operands[op_idx], reg))
return true; return true;
return false; return false;
@ -34,10 +31,8 @@ void deobfuscate(hndlr_trace_t& trace) {
static const auto _writes = [](zydis_decoded_instr_t& instr, static const auto _writes = [](zydis_decoded_instr_t& instr,
zydis_reg_t reg) -> bool { zydis_reg_t reg) -> bool {
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx) for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
// if instruction writes to the specific register...
if (instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER && if (instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_WRITE && instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_WRITE &&
!(instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ) &&
vm::utils::reg::compare(instr.operands[op_idx].reg.value, reg)) vm::utils::reg::compare(instr.operands[op_idx].reg.value, reg))
return true; return true;
return false; return false;

@ -99,12 +99,9 @@ void deobfuscate(zydis_rtn_t& routine) {
static const auto _reads = [](zydis_decoded_instr_t& instr, static const auto _reads = [](zydis_decoded_instr_t& instr,
zydis_reg_t reg) -> bool { zydis_reg_t reg) -> bool {
if (instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
vm::utils::reg::compare(instr.operands[0].mem.base, reg))
return true;
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx) for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
if (instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ && if ((instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ ||
instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_MEMORY) &&
_uses_reg(instr.operands[op_idx], reg)) _uses_reg(instr.operands[op_idx], reg))
return true; return true;
return false; return false;
@ -113,10 +110,8 @@ void deobfuscate(zydis_rtn_t& routine) {
static const auto _writes = [](zydis_decoded_instr_t& instr, static const auto _writes = [](zydis_decoded_instr_t& instr,
zydis_reg_t reg) -> bool { zydis_reg_t reg) -> bool {
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx) for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
// if instruction writes to the specific register...
if (instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER && if (instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_WRITE && instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_WRITE &&
!(instr.operands[op_idx].actions & ZYDIS_OPERAND_ACTION_READ) &&
vm::utils::reg::compare(instr.operands[op_idx].reg.value, reg)) vm::utils::reg::compare(instr.operands[op_idx].reg.value, reg))
return true; return true;
return false; return false;
@ -151,11 +146,6 @@ void deobfuscate(zydis_rtn_t& routine) {
break; break;
} }
if (is_jmp(itr->instr)) {
routine.erase(itr);
break;
}
zydis_reg_t reg = ZYDIS_REGISTER_NONE; zydis_reg_t reg = ZYDIS_REGISTER_NONE;
// look for operands with writes to a register... // look for operands with writes to a register...
for (auto op_idx = 0u; op_idx < itr->instr.operand_count; ++op_idx) for (auto op_idx = 0u; op_idx < itr->instr.operand_count; ++op_idx)

Loading…
Cancel
Save