fixed jmp profile...

3 years ago · 599a685b9e
parent b560b35284
commit 599a685b9e
3 changed files with 34 additions and 7 deletions
--- a/src/vminstrs.cpp
+++ b/src/vminstrs.cpp
@ -45,8 +45,15 @@ void deobfuscate(hndlr_trace_t& trace) {

  std::uint32_t last_size = 0u;
  static const std::vector<ZydisMnemonic> blacklist = {
-      ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT,  ZYDIS_MNEMONIC_TEST,
-      ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC};
+      ZYDIS_MNEMONIC_CLC,    ZYDIS_MNEMONIC_BT,      ZYDIS_MNEMONIC_TEST,
+      ZYDIS_MNEMONIC_CMP,    ZYDIS_MNEMONIC_CMC,     ZYDIS_MNEMONIC_STC,
+      ZYDIS_MNEMONIC_CMOVB,  ZYDIS_MNEMONIC_CMOVBE,  ZYDIS_MNEMONIC_CMOVL,
+      ZYDIS_MNEMONIC_CMOVLE, ZYDIS_MNEMONIC_CMOVNB,  ZYDIS_MNEMONIC_CMOVNBE,
+      ZYDIS_MNEMONIC_CMOVNL, ZYDIS_MNEMONIC_CMOVNLE, ZYDIS_MNEMONIC_CMOVNO,
+      ZYDIS_MNEMONIC_CMOVNP, ZYDIS_MNEMONIC_CMOVNS,  ZYDIS_MNEMONIC_CMOVNZ,
+      ZYDIS_MNEMONIC_CMOVO,  ZYDIS_MNEMONIC_CMOVP,   ZYDIS_MNEMONIC_CMOVS,
+      ZYDIS_MNEMONIC_CMOVZ,
+  };

  static const std::vector<ZydisMnemonic> whitelist = {
      ZYDIS_MNEMONIC_PUSH, ZYDIS_MNEMONIC_POP, ZYDIS_MNEMONIC_CALL,
--- a/src/vmprofiles/jmp.cpp
+++ b/src/vmprofiles/jmp.cpp
@ -23,18 +23,31 @@ profiler_t jmp = {
               instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
               instr.operands[1].imm.value.u == 8;
      },
-      // MOV VIP, REG
+      // MOV REG, IMM_64
      [&](const zydis_reg_t vip,
          const zydis_reg_t vsp,
          const zydis_decoded_instr_t& instr) -> bool {
        return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
-               instr.operands[0].reg.value == vip &&
-               instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
+               instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+               instr.operands[1].size == 64;
+      },
+      // LEA REG, [0x0] ; disp is -7...
+      [&](const zydis_reg_t vip,
+          const zydis_reg_t vsp,
+          const zydis_decoded_instr_t& instr) -> bool {
+        return instr.mnemonic == ZYDIS_MNEMONIC_LEA &&
+               instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+               instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+               instr.operands[1].mem.disp.has_displacement &&
+               instr.operands[1].mem.disp.value == -7;
      }}},
    [&](zydis_reg_t& vip,
        zydis_reg_t& vsp,
        hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
+      std::printf("> found a jmp...\n");
+      std::getchar();
+
      const auto& instrs = hndlr.m_instrs;
      const auto xchg = std::find_if(
          instrs.begin(), instrs.end(), [&](const emu_instr_t& instr) -> bool {
--- a/src/vmutils.cpp
+++ b/src/vmutils.cpp
@ -124,8 +124,15 @@ void deobfuscate(zydis_rtn_t& routine) {

  std::uint32_t last_size = 0u;
  static const std::vector<ZydisMnemonic> blacklist = {
-      ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT,  ZYDIS_MNEMONIC_TEST,
-      ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC};
+      ZYDIS_MNEMONIC_CLC,    ZYDIS_MNEMONIC_BT,      ZYDIS_MNEMONIC_TEST,
+      ZYDIS_MNEMONIC_CMP,    ZYDIS_MNEMONIC_CMC,     ZYDIS_MNEMONIC_STC,
+      ZYDIS_MNEMONIC_CMOVB,  ZYDIS_MNEMONIC_CMOVBE,  ZYDIS_MNEMONIC_CMOVL,
+      ZYDIS_MNEMONIC_CMOVLE, ZYDIS_MNEMONIC_CMOVNB,  ZYDIS_MNEMONIC_CMOVNBE,
+      ZYDIS_MNEMONIC_CMOVNL, ZYDIS_MNEMONIC_CMOVNLE, ZYDIS_MNEMONIC_CMOVNO,
+      ZYDIS_MNEMONIC_CMOVNP, ZYDIS_MNEMONIC_CMOVNS,  ZYDIS_MNEMONIC_CMOVNZ,
+      ZYDIS_MNEMONIC_CMOVO,  ZYDIS_MNEMONIC_CMOVP,   ZYDIS_MNEMONIC_CMOVS,
+      ZYDIS_MNEMONIC_CMOVZ,
+  };

  static const std::vector<ZydisMnemonic> whitelist = {
      ZYDIS_MNEMONIC_PUSH, ZYDIS_MNEMONIC_POP, ZYDIS_MNEMONIC_CALL,