xzre_code: add find_lea_instruction

smx-smx · Aug 3, 2024 · c05fdcf · c05fdcf
1 parent 43e7fc9
commit c05fdcf
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 24 deletions.
diff --git a/xzre.h b/xzre.h
@@ -301,41 +301,49 @@ typedef struct {
 // opcode is always +0x80 for the sake of it (yet another obfuscation)
 #define XZDASM_OPC(op) (op - 0x80)
 
+enum X86_OPCODE {
+	X86_OPCODE_LEA = 0x8D
+};
+
 typedef int BOOL;
 
 #define TRUE 1
 #define FALSE 0
 
 typedef enum {
 	// has lock or rep prefix
-	DF_LOCK_REP = 1,
-	// has segment override
-	DF_SEG = 2,
-	// has operand size override
-	DF_OSIZE = 4,
-	// has address size override
-	DF_ASIZE = 8,
-	// vex instruction
-	DF_VEX = 0x10,
-	// has rex
-	DF_REX = 0x20,
-	// has modrm
-	DF_MODRM = 0x40,
-	// has sib
-	DF_SIB = 0x80
+	DF1_LOCK_REP = 1,
+	//1 has segment override
+	DF1_SEG = 2,
+	//1 has operand size override
+	DF1_OSIZE = 4,
+	//1 has address size override
+	DF1_ASIZE = 8,
+	//1 vex instruction
+	DF1_VEX = 0x10,
+	//1 has rex
+	DF1_REX = 0x20,
+	//1 has modrm
+	DF1_MODRM = 0x40,
+	//1 has sib
+	DF1_SIB = 0x80
 } InstructionFlags;
 
 typedef enum {
 	// memory with displacement
-	DF_MEM_DISP = 0x1,
-	// 8-bit displacement
-	DF_MEM_DISP8 = 0x2,
-	// memory seg+offs (0xa0-0xa3)
-	DF_MEM_SEG_OFFS = 0x4,
-	// has immediate
-	DF_IMM = 0x8,
-	// 64-bit immediate (movabs)
-	DF_IMM64 = 0x10
+	DF2_MEM_DISP = 0x1,
+	//2 8-bit displacement
+	DF2_MEM_DISP8 = 0x2,
+	//2 memory seg+offs (0xa0-0xa3)
+	DF2_MEM_SEG_OFFS = 0x4,
+
+	// mask to check for memory flags
+	DF2_FLAGS_MEM = DF2_MEM_DISP | DF2_MEM_DISP8 | DF2_MEM_SEG_OFFS,
+
+	//2 has immediate
+	DF2_IMM = 0x8,
+	//2 64-bit immediate (movabs)
+	DF2_IMM64 = 0x10
 } InstructionFlags2;
 
 typedef enum {

diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt
@@ -6,6 +6,7 @@ add_library(xzre_code
 	elf_parse.c
 	elf_symbol_get_addr.c
 	get_lzma_allocator.c
+	find_lea_instruction.c
 	find_string_reference.c
 	is_endbr64_instruction.c
 	init_elf_entry_ctx.c

diff --git a/xzre_code/find_lea_instruction.c b/xzre_code/find_lea_instruction.c
@@ -0,0 +1,25 @@
+/**
+ * Copyright (C) 2024 Stefano Moioli <[email protected]>
+ **/
+#include "xzre.h"
+
+BOOL find_lea_instruction(u8 *code_start, u8 *code_end, u64 displacement){
+
+	if(!secret_data_append_from_call_site(
+		(secret_data_shift_cursor_t){ 0x7C }, 
+		5, 6, 0)
+	){
+		return FALSE;
+	}
+	dasm_ctx_t dctx = {0};
+	for(;code_start < code_end; ++code_start){
+		if(x86_dasm(&dctx, code_start, code_end)
+			&& XZDASM_OPC(dctx.opcode) == X86_OPCODE_LEA
+			&& (dctx.flags2 & DF2_FLAGS_MEM) == DF2_MEM_DISP
+			&& (dctx.mem_disp == displacement || dctx.mem_disp == -displacement)
+		){
+			return TRUE;
+		}
+	}
+	return FALSE;
+}