diff --git a/src/dbg/TraceRecord.cpp b/src/dbg/TraceRecord.cpp index 5e48bed9..ef22daff 100644 --- a/src/dbg/TraceRecord.cpp +++ b/src/dbg/TraceRecord.cpp @@ -205,14 +205,14 @@ void TraceRecordManager::TraceExecute(duint address, duint size) //See https://www.felixcloutier.com/x86/FXSAVE.html, max 512 bytes #define memoryContentSize 512 -static void HandleZydisOperand(const Zydis & cp, int opindex, DISASM_ARGTYPE* argType, duint* value, unsigned char memoryContent[memoryContentSize], unsigned char* memorySize) +static void HandleZydisOperand(const Zydis & zydis, int opindex, DISASM_ARGTYPE* argType, duint* value, unsigned char memoryContent[memoryContentSize], unsigned char* memorySize) { - *value = cp.ResolveOpValue(opindex, [&cp](ZydisRegister reg) + *value = (duint)zydis.ResolveOpValue(opindex, [&zydis](ZydisRegister reg) -> uint64_t { - auto regName = cp.RegName(reg); + auto regName = zydis.RegName(reg); return regName ? getregister(nullptr, regName) : 0; //TODO: temporary needs enums + caching }); - const auto & op = cp[opindex]; + const auto & op = zydis[opindex]; switch(op.type) { case ZYDIS_OPERAND_TYPE_REGISTER: @@ -269,7 +269,7 @@ void TraceRecordManager::TraceExecuteRecord(const Zydis & newInstruction) if(newInstruction.Success() && !newInstruction.IsNop() && newInstruction.GetId() != ZYDIS_MNEMONIC_LEA) { // This can happen when trace execute instruction is used, we need to fix that or something would go wrong with the GUI. - newContext.registers.regcontext.cip = newInstruction.Address(); + newContext.registers.regcontext.cip = (duint)newInstruction.Address(); DISASM_ARGTYPE argType; duint value; unsigned char memoryContent[memoryContentSize]; @@ -553,13 +553,13 @@ bool TraceRecordManager::enableTraceRecording(bool enabled, const char* fileName for(size_t i = 0; i < _countof(rtOldContextChanged); i++) rtOldContextChanged[i] = true; dprintf(QT_TRANSLATE_NOOP("DBG", "Started trace recording to file: %s\r\n"), fileName); - Zydis cp; + Zydis zydis; unsigned char instr[MAX_DISASM_BUFFER]; auto cip = GetContextDataEx(hActiveThread, UE_CIP); if(MemRead(cip, instr, MAX_DISASM_BUFFER)) { - cp.DisassembleSafe(cip, instr, MAX_DISASM_BUFFER); - TraceExecuteRecord(cp); + zydis.DisassembleSafe(cip, instr, MAX_DISASM_BUFFER); + TraceExecuteRecord(zydis); } GuiOpenTraceFile(fileName); return true; diff --git a/src/dbg/_exports.cpp b/src/dbg/_exports.cpp index af886300..3f456efb 100644 --- a/src/dbg/_exports.cpp +++ b/src/dbg/_exports.cpp @@ -102,8 +102,8 @@ extern "C" DLL_EXPORT bool _dbg_isjumpgoingtoexecute(duint addr) unsigned char data[16]; if(MemRead(addr, data, sizeof(data), nullptr, true)) { - Zydis cp; - if(cp.Disassemble(addr, data)) + Zydis zydis; + if(zydis.Disassemble(addr, data)) { CONTEXT ctx; memset(&ctx, 0, sizeof(ctx)); @@ -116,7 +116,7 @@ extern "C" DLL_EXPORT bool _dbg_isjumpgoingtoexecute(duint addr) auto cflags = ctx.EFlags; auto ccx = ctx.Ecx; #endif //_WIN64 - return cp.IsBranchGoingToExecute(cflags, ccx); + return zydis.IsBranchGoingToExecute(cflags, ccx); } } return false; @@ -329,11 +329,11 @@ static bool getAutoComment(duint addr, String & comment) BRIDGE_ADDRINFO newinfo; char string_text[MAX_STRING_SIZE] = ""; - Zydis cp; + Zydis zydis; auto getregs = !bOnlyCipAutoComments || addr == lastContext.cip; - disasmget(cp, addr, &instr, getregs); + disasmget(zydis, addr, &instr, getregs); // Some nop variants have 'operands' that should be ignored - if(cp.Success() && !cp.IsNop()) + if(zydis.Success() && !zydis.IsNop()) { //Ignore register values when not on CIP and OnlyCipAutoComments is enabled: https://github.com/x64dbg/x64dbg/issues/1383 if(!getregs) @@ -342,7 +342,7 @@ static bool getAutoComment(duint addr, String & comment) instr.arg[i].value = instr.arg[i].constant; } - if(addr == lastContext.cip && (cp.GetId() == ZYDIS_MNEMONIC_SYSCALL || (cp.GetId() == ZYDIS_MNEMONIC_INT && cp[0].imm.value.u == 0x2e))) + if(addr == lastContext.cip && (zydis.GetId() == ZYDIS_MNEMONIC_SYSCALL || (zydis.GetId() == ZYDIS_MNEMONIC_INT && zydis[0].imm.value.u == 0x2e))) { auto syscallName = SyscallToName((unsigned int)lastContext.cax); if(!syscallName.empty()) @@ -367,9 +367,9 @@ static bool getAutoComment(duint addr, String & comment) if(instr.arg[i].constant == instr.arg[i].value) //avoid: call ; addr:label { auto constant = instr.arg[i].constant; - if(instr.arg[i].type == arg_normal && instr.arg[i].value == addr + instr.instr_size && cp.IsCall()) + if(instr.arg[i].type == arg_normal && instr.arg[i].value == addr + instr.instr_size && zydis.IsCall()) temp_string.assign("call $0"); - else if(instr.arg[i].type == arg_normal && instr.arg[i].value == addr + instr.instr_size && cp.IsJump()) + else if(instr.arg[i].type == arg_normal && instr.arg[i].value == addr + instr.instr_size && zydis.IsJump()) temp_string.assign("jmp $0"); else if(instr.type == instr_branch) continue; @@ -881,12 +881,12 @@ extern "C" DLL_EXPORT duint _dbg_getbranchdestination(duint addr) unsigned char data[MAX_DISASM_BUFFER]; if(!MemIsValidReadPtr(addr, true) || !MemRead(addr, data, sizeof(data))) return 0; - Zydis cp; - if(!cp.Disassemble(addr, data)) + Zydis zydis; + if(!zydis.Disassemble(addr, data)) return 0; - if(cp.IsBranchType(Zydis::BTJmp | Zydis::BTCall | Zydis::BTLoop | Zydis::BTXbegin)) + if(zydis.IsBranchType(Zydis::BTJmp | Zydis::BTCall | Zydis::BTLoop | Zydis::BTXbegin)) { - auto opValue = cp.ResolveOpValue(0, [](ZydisRegister reg) -> size_t + auto opValue = (duint)zydis.ResolveOpValue(0, [](ZydisRegister reg) -> uint64_t { switch(reg) { @@ -949,10 +949,10 @@ extern "C" DLL_EXPORT duint _dbg_getbranchdestination(duint addr) return 0; } }); - if(cp.OpCount() && cp[0].type == ZYDIS_OPERAND_TYPE_MEMORY) + if(zydis.OpCount() && zydis[0].type == ZYDIS_OPERAND_TYPE_MEMORY) { auto const tebseg = ArchValue(ZYDIS_REGISTER_FS, ZYDIS_REGISTER_GS); - if(cp[0].mem.segment == tebseg) + if(zydis[0].mem.segment == tebseg) opValue += duint(GetTEBLocation(hActiveThread)); if(MemRead(opValue, &opValue, sizeof(opValue))) return opValue; @@ -960,7 +960,7 @@ extern "C" DLL_EXPORT duint _dbg_getbranchdestination(duint addr) else return opValue; } - if(cp.IsRet()) + if(zydis.IsRet()) { auto csp = lastContext.csp; duint dest = 0; diff --git a/src/dbg/analysis/CodeFollowPass.cpp b/src/dbg/analysis/CodeFollowPass.cpp index 5c78e3db..f6d821eb 100644 --- a/src/dbg/analysis/CodeFollowPass.cpp +++ b/src/dbg/analysis/CodeFollowPass.cpp @@ -31,9 +31,9 @@ bool CodeFollowPass::Analyse() return false; } -duint CodeFollowPass::GetReferenceOperand(const ZydisDecodedInstruction & Context) +duint CodeFollowPass::GetReferenceOperand(const ZydisDisassembledInstruction & Context) { - for(int i = 0; i < Context.operandCount; i++) + for(int i = 0; i < Context.info.operand_count; i++) { auto operand = Context.operands[i]; @@ -50,9 +50,9 @@ duint CodeFollowPass::GetReferenceOperand(const ZydisDecodedInstruction & Contex return 0; } -duint CodeFollowPass::GetMemoryOperand(Zydis & Disasm, const ZydisDecodedInstruction & Context, bool* Indirect) +duint CodeFollowPass::GetMemoryOperand(Zydis & Disasm, const ZydisDisassembledInstruction & Context, bool* Indirect) { - if(Context.operandCount <= 0) + if(Context.info.operand_count <= 0) return 0; // Only the first operand matters diff --git a/src/dbg/analysis/CodeFollowPass.h b/src/dbg/analysis/CodeFollowPass.h index b25d00d5..83e8b5a0 100644 --- a/src/dbg/analysis/CodeFollowPass.h +++ b/src/dbg/analysis/CodeFollowPass.h @@ -14,6 +14,6 @@ public: virtual bool Analyse() override; private: - duint GetReferenceOperand(const ZydisDecodedInstruction & Context); - duint GetMemoryOperand(Zydis & Disasm, const ZydisDecodedInstruction & Context, bool* Indirect); + duint GetReferenceOperand(const ZydisDisassembledInstruction & Context); + duint GetMemoryOperand(Zydis & Disasm, const ZydisDisassembledInstruction & Context, bool* Indirect); }; \ No newline at end of file diff --git a/src/dbg/analysis/advancedanalysis.cpp b/src/dbg/analysis/advancedanalysis.cpp index 56ca9176..228d8f79 100644 --- a/src/dbg/analysis/advancedanalysis.cpp +++ b/src/dbg/analysis/advancedanalysis.cpp @@ -94,7 +94,7 @@ void AdvancedAnalysis::analyzeFunction(duint entryPoint, bool writedata) while(true) { node.icount++; - if(!mCp.Disassemble(node.end, translateAddr(node.end))) + if(!mZydis.Disassemble(node.end, translateAddr(node.end))) { if(writedata) mEncMap[node.end - mBase] = (byte)enc_byte; @@ -109,7 +109,7 @@ void AdvancedAnalysis::analyzeFunction(duint entryPoint, bool writedata) } // If the memory range doesn't fit the entire instruction // mark it as bytes and finish this node - if(!inRange(node.end + mCp.Size() - 1)) + if(!inRange(node.end + mZydis.Size() - 1)) { duint remainingSize = mBase + mSize - node.end; memset(&mEncMap[node.end - mBase], (byte)enc_byte, remainingSize); @@ -119,15 +119,15 @@ void AdvancedAnalysis::analyzeFunction(duint entryPoint, bool writedata) if(writedata) { mEncMap[node.end - mBase] = (byte)enc_code; - for(int i = 1; i < mCp.Size(); i++) + for(size_t i = 1; i < mZydis.Size(); i++) mEncMap[node.end - mBase + i] = (byte)enc_middle; } - if(mCp.IsJump() || mCp.IsLoop()) //jump + if(mZydis.IsJump() || mZydis.IsLoop()) //jump { //set the branch destinations - node.brtrue = mCp.BranchDestination(); - if(mCp.GetId() != ZYDIS_MNEMONIC_JMP) //unconditional jumps dont have a brfalse - node.brfalse = node.end + mCp.Size(); + node.brtrue = (duint)mZydis.BranchDestination(); + if(mZydis.GetId() != ZYDIS_MNEMONIC_JMP) //unconditional jumps dont have a brfalse + node.brfalse = node.end + mZydis.Size(); //add node to the function graph graph.AddNode(node); @@ -140,26 +140,26 @@ void AdvancedAnalysis::analyzeFunction(duint entryPoint, bool writedata) break; } - if(mCp.IsCall()) //call + if(mZydis.IsCall()) //call { //TODO: handle no return - duint target = mCp.BranchDestination(); + auto target = (duint)mZydis.BranchDestination(); if(inRange(target) && mEntryPoints.find(target) == mEntryPoints.end()) mCandidateEPs.insert(target); } - if(mCp.IsRet()) //return + if(mZydis.IsRet()) //return { node.terminal = true; graph.AddNode(node); break; } // If this instruction finishes the memory range, end the loop for this entry point - if(!inRange(node.end + mCp.Size())) + if(!inRange(node.end + mZydis.Size())) { graph.AddNode(node); break; } - node.end += mCp.Size(); + node.end += mZydis.Size(); } } mFunctions.push_back(graph); @@ -173,20 +173,20 @@ void AdvancedAnalysis::linearXrefPass() for(auto addr = mBase; addr < mBase + mSize;) { - if(!mCp.Disassemble(addr, translateAddr(addr))) + if(!mZydis.Disassemble(addr, translateAddr(addr))) { addr++; continue; } - addr += mCp.Size(); + addr += mZydis.Size(); XREF xref; xref.valid = true; xref.addr = 0; - xref.from = mCp.Address(); - for(auto i = 0; i < mCp.OpCount(); i++) + xref.from = (duint)mZydis.Address(); + for(auto i = 0; i < mZydis.OpCount(); i++) { - duint dest = mCp.ResolveOpValue(i, [](ZydisRegister)->size_t + auto dest = (duint)mZydis.ResolveOpValue(i, [](ZydisRegister) -> uint64_t { return 0; }); @@ -198,9 +198,9 @@ void AdvancedAnalysis::linearXrefPass() } if(xref.addr) { - if(mCp.IsCall()) + if(mZydis.IsCall()) xref.type = XREF_CALL; - else if(mCp.IsJump()) + else if(mZydis.IsJump()) xref.type = XREF_JMP; else xref.type = XREF_DATA; @@ -270,16 +270,16 @@ void AdvancedAnalysis::writeDataXrefs() { if(xref.type == XREF_DATA && xref.valid) { - if(!mCp.Disassemble(xref.from, translateAddr(xref.from))) + if(!mZydis.Disassemble(xref.from, translateAddr(xref.from))) { xref.valid = false; continue; } - auto opcode = mCp.GetId(); + auto opcode = mZydis.GetId(); bool isfloat = isFloatInstruction(opcode); - for(auto i = 0; i < mCp.OpCount(); i++) + for(auto i = 0; i < mZydis.OpCount(); i++) { - auto & op = mCp[i]; + auto & op = mZydis[i]; ENCODETYPE type = enc_unknown; //Todo: Analyze op type and set correct type diff --git a/src/dbg/analysis/analysis.h b/src/dbg/analysis/analysis.h index da79e23e..e775a708 100644 --- a/src/dbg/analysis/analysis.h +++ b/src/dbg/analysis/analysis.h @@ -17,7 +17,7 @@ protected: duint mBase; duint mSize; unsigned char* mData; - Zydis mCp; + Zydis mZydis; bool inRange(duint addr) const { diff --git a/src/dbg/analysis/controlflowanalysis.cpp b/src/dbg/analysis/controlflowanalysis.cpp index 85265737..b5755784 100644 --- a/src/dbg/analysis/controlflowanalysis.cpp +++ b/src/dbg/analysis/controlflowanalysis.cpp @@ -140,26 +140,26 @@ void ControlFlowAnalysis::BasicBlockStarts() for(duint i = 0; i < mSize;) { auto addr = mBase + i; - if(mCp.Disassemble(addr, translateAddr(addr), MAX_DISASM_BUFFER)) + if(mZydis.Disassemble(addr, translateAddr(addr), MAX_DISASM_BUFFER)) { if(bSkipFilling) //handle filling skip mode { - if(!mCp.IsFilling()) //do nothing until the filling stopped + if(!mZydis.IsFilling()) //do nothing until the filling stopped { bSkipFilling = false; mBlockStarts.insert(addr); } } - else if(mCp.IsRet()) //RET breaks control flow + else if(mZydis.IsRet()) //RET breaks control flow { bSkipFilling = true; //skip INT3/NOP/whatever filling bytes (those are not part of the control flow) } - else if(mCp.IsJump() || mCp.IsLoop()) //branches + else if(mZydis.IsJump() || mZydis.IsLoop()) //branches { auto dest1 = getReferenceOperand(); duint dest2 = 0; - if(mCp.GetId() != ZYDIS_MNEMONIC_JMP) //conditional jump - dest2 = addr + mCp.Size(); + if(mZydis.GetId() != ZYDIS_MNEMONIC_JMP) //conditional jump + dest2 = addr + mZydis.Size(); if(!dest1 && !dest2) //TODO: better code for this (make sure absolutely no filling is inserted) bSkipFilling = true; @@ -168,7 +168,7 @@ void ControlFlowAnalysis::BasicBlockStarts() if(dest2) mBlockStarts.insert(dest2); } - else if(mCp.IsCall()) + else if(mZydis.IsCall()) { auto dest1 = getReferenceOperand(); if(dest1) @@ -183,7 +183,7 @@ void ControlFlowAnalysis::BasicBlockStarts() if(dest1) mBlockStarts.insert(dest1); } - i += mCp.Size(); + i += mZydis.Size(); } else i++; @@ -204,23 +204,23 @@ void ControlFlowAnalysis::BasicBlocks() for(duint addr = start, prevaddr; addr < mBase + mSize;) { prevaddr = addr; - if(mCp.Disassemble(addr, translateAddr(addr), MAX_DISASM_BUFFER)) + if(mZydis.Disassemble(addr, translateAddr(addr), MAX_DISASM_BUFFER)) { - if(mCp.IsRet()) + if(mZydis.IsRet()) { insertBlock(BasicBlock(start, addr, 0, 0)); //leaf block break; } - else if(mCp.IsJump() || mCp.IsLoop()) + else if(mZydis.IsJump() || mZydis.IsLoop()) { auto dest1 = getReferenceOperand(); - auto dest2 = mCp.GetId() != ZYDIS_MNEMONIC_JMP ? addr + mCp.Size() : 0; + auto dest2 = mZydis.GetId() != ZYDIS_MNEMONIC_JMP ? addr + mZydis.Size() : 0; insertBlock(BasicBlock(start, addr, dest1, dest2)); insertParent(dest1, start); insertParent(dest2, start); break; } - addr += mCp.Size(); + addr += mZydis.Size(); } else addr++; @@ -413,9 +413,9 @@ String ControlFlowAnalysis::blockToString(const BasicBlock* block) duint ControlFlowAnalysis::getReferenceOperand() const { - for(auto i = 0; i < mCp.OpCount(); i++) + for(auto i = 0; i < mZydis.OpCount(); i++) { - const auto & op = mCp[i]; + const auto & op = mZydis[i]; if(op.type == ZYDIS_OPERAND_TYPE_IMMEDIATE) { auto dest = duint(op.imm.value.u); @@ -426,7 +426,7 @@ duint ControlFlowAnalysis::getReferenceOperand() const { auto dest = duint(op.mem.disp.value); if(op.mem.base == ZYDIS_REGISTER_RIP) //rip-relative - dest += mCp.Address() + mCp.Size(); + dest += (duint)mZydis.Address() + mZydis.Size(); if(inRange(dest)) return dest; } diff --git a/src/dbg/analysis/linearanalysis.cpp b/src/dbg/analysis/linearanalysis.cpp index 85ef8872..ea0c0074 100644 --- a/src/dbg/analysis/linearanalysis.cpp +++ b/src/dbg/analysis/linearanalysis.cpp @@ -45,12 +45,12 @@ void LinearAnalysis::populateReferences() for(duint i = 0; i < mSize;) { auto addr = mBase + i; - if(mCp.Disassemble(addr, translateAddr(addr), MAX_DISASM_BUFFER)) + if(mZydis.Disassemble(addr, translateAddr(addr), MAX_DISASM_BUFFER)) { auto ref = getReferenceOperand(); if(ref) mFunctions.push_back({ ref, 0 }); - i += mCp.Size(); + i += mZydis.Size(); } else i++; @@ -72,8 +72,8 @@ void LinearAnalysis::analyseFunctions() auto end = findFunctionEnd(function.start, maxaddr); if(end) { - if(mCp.Disassemble(end, translateAddr(end), MAX_DISASM_BUFFER)) - function.end = end + mCp.Size() - 1; + if(mZydis.Disassemble(end, translateAddr(end), MAX_DISASM_BUFFER)) + function.end = end + mZydis.Size() - 1; else function.end = end; } @@ -83,10 +83,10 @@ void LinearAnalysis::analyseFunctions() duint LinearAnalysis::findFunctionEnd(duint start, duint maxaddr) { //disassemble first instruction for some heuristics - if(mCp.Disassemble(start, translateAddr(start), MAX_DISASM_BUFFER)) + if(mZydis.Disassemble(start, translateAddr(start), MAX_DISASM_BUFFER)) { //JMP [123456] ; import - if(mCp.IsJump() && mCp.OpCount() && mCp[0].type == ZYDIS_OPERAND_TYPE_MEMORY) + if(mZydis.IsJump() && mZydis.OpCount() && mZydis[0].type == ZYDIS_OPERAND_TYPE_MEMORY) return 0; } @@ -95,14 +95,14 @@ duint LinearAnalysis::findFunctionEnd(duint start, duint maxaddr) duint jumpback = 0; for(duint addr = start, fardest = 0; addr < maxaddr;) { - if(mCp.Disassemble(addr, translateAddr(addr), MAX_DISASM_BUFFER)) + if(mZydis.Disassemble(addr, translateAddr(addr), MAX_DISASM_BUFFER)) { - if(addr + mCp.Size() > maxaddr) //we went past the maximum allowed address + if(addr + mZydis.Size() > maxaddr) //we went past the maximum allowed address break; - if((mCp.IsJump() || mCp.IsLoop()) && mCp.OpCount() && mCp[0].type == ZYDIS_OPERAND_TYPE_IMMEDIATE) //jump + if((mZydis.IsJump() || mZydis.IsLoop()) && mZydis.OpCount() && mZydis[0].type == ZYDIS_OPERAND_TYPE_IMMEDIATE) //jump { - auto dest = duint(mCp[0].imm.value.u); + auto dest = duint(mZydis[0].imm.value.u); if(dest >= maxaddr) //jump across function boundaries { @@ -112,19 +112,19 @@ duint LinearAnalysis::findFunctionEnd(duint start, duint maxaddr) { fardest = dest; } - else if(end && dest < end && (mCp.GetId() == ZYDIS_MNEMONIC_JMP || mCp.GetId() == ZYDIS_MNEMONIC_LOOP)) //save the last JMP backwards + else if(end && dest < end && (mZydis.GetId() == ZYDIS_MNEMONIC_JMP || mZydis.GetId() == ZYDIS_MNEMONIC_LOOP)) //save the last JMP backwards { jumpback = addr; } } - else if(mCp.IsRet()) //possible function end? + else if(mZydis.IsRet()) //possible function end? { end = addr; if(fardest < addr) //we stop if the farthest JXX destination forward is before this RET break; } - addr += mCp.Size(); + addr += mZydis.Size(); } else addr++; @@ -134,10 +134,10 @@ duint LinearAnalysis::findFunctionEnd(duint start, duint maxaddr) duint LinearAnalysis::getReferenceOperand() const { - for(auto i = 0; i < mCp.OpCount(); i++) + for(auto i = 0; i < mZydis.OpCount(); i++) { - const auto & op = mCp[i]; - if(mCp.IsJump() || mCp.IsLoop()) //skip jumps/loops + const auto & op = mZydis[i]; + if(mZydis.IsJump() || mZydis.IsLoop()) //skip jumps/loops continue; if(op.type == ZYDIS_OPERAND_TYPE_IMMEDIATE) //we are looking for immediate references { diff --git a/src/dbg/analysis/recursiveanalysis.cpp b/src/dbg/analysis/recursiveanalysis.cpp index 507e4b0f..d161ce68 100644 --- a/src/dbg/analysis/recursiveanalysis.cpp +++ b/src/dbg/analysis/recursiveanalysis.cpp @@ -59,11 +59,11 @@ void RecursiveAnalysis::SetMarkers() duint rangeStart = 0, rangeEnd = 0, rangeInstructionCount = 0; for(auto rangeItr = blockRanges.begin(); rangeItr != blockRanges.end(); ++rangeItr) { - auto disasmLen = [this](duint addr) + auto disasmLen = [this](duint addr) -> size_t { - if(!mCp.Disassemble(addr, translateAddr(addr))) + if(!mZydis.Disassemble(addr, translateAddr(addr))) return 1; - return mCp.Size(); + return mZydis.Size(); }; const auto & node = *rangeItr->second; if(!rangeStart) @@ -171,14 +171,14 @@ void RecursiveAnalysis::analyzeFunction(duint entryPoint) { if(!inRange(node.end)) { - node.end = mCp.Address(); + node.end = (duint)mZydis.Address(); node.terminal = true; graph.AddNode(node); break; } node.icount++; - if(!mCp.Disassemble(node.end, translateAddr(node.end))) + if(!mZydis.Disassemble(node.end, translateAddr(node.end))) { node.end++; continue; @@ -187,10 +187,10 @@ void RecursiveAnalysis::analyzeFunction(duint entryPoint) //do xref analysis on the instruction XREF xref; xref.addr = 0; - xref.from = mCp.Address(); - for(auto i = 0; i < mCp.OpCount(); i++) + xref.from = (duint)mZydis.Address(); + for(auto i = 0; i < mZydis.OpCount(); i++) { - duint dest = mCp.ResolveOpValue(i, [](ZydisRegister)->size_t + auto dest = (duint)mZydis.ResolveOpValue(i, [](ZydisRegister) -> uint64_t { return 0; }); @@ -203,23 +203,23 @@ void RecursiveAnalysis::analyzeFunction(duint entryPoint) if(xref.addr) mXrefs.push_back(xref); - if(!mCp.IsNop() && (mCp.IsJump() || mCp.IsLoop())) //non-nop jump + if(!mZydis.IsNop() && (mZydis.IsJump() || mZydis.IsLoop())) //non-nop jump { //set the branch destinations - node.brtrue = mCp.BranchDestination(); - if(mCp.GetId() != ZYDIS_MNEMONIC_JMP) //unconditional jumps dont have a brfalse - node.brfalse = node.end + mCp.Size(); + node.brtrue = (duint)mZydis.BranchDestination(); + if(mZydis.GetId() != ZYDIS_MNEMONIC_JMP) //unconditional jumps dont have a brfalse + node.brfalse = node.end + mZydis.Size(); //consider register/memory branches as terminal nodes - if(mCp.OpCount() && mCp[0].type != ZYDIS_OPERAND_TYPE_IMMEDIATE) + if(mZydis.OpCount() && mZydis[0].type != ZYDIS_OPERAND_TYPE_IMMEDIATE) { //jmp ptr [index * sizeof(duint) + switchTable] - if(mCp[0].type == ZYDIS_OPERAND_TYPE_MEMORY && mCp[0].mem.base == ZYDIS_REGISTER_NONE && mCp[0].mem.index != ZYDIS_REGISTER_NONE - && mCp[0].mem.scale == sizeof(duint) && MemIsValidReadPtr(duint(mCp[0].mem.disp.value))) + if(mZydis[0].type == ZYDIS_OPERAND_TYPE_MEMORY && mZydis[0].mem.base == ZYDIS_REGISTER_NONE && mZydis[0].mem.index != ZYDIS_REGISTER_NONE + && mZydis[0].mem.scale == sizeof(duint) && MemIsValidReadPtr(duint(mZydis[0].mem.disp.value))) { Memory switchTable(512 * sizeof(duint)); duint actualSize, index; - MemRead(duint(mCp[0].mem.disp.value), switchTable(), 512 * sizeof(duint), &actualSize); + MemRead(duint(mZydis[0].mem.disp.value), switchTable(), 512 * sizeof(duint), &actualSize); actualSize /= sizeof(duint); for(index = 0; index < actualSize; index++) if(MemIsCodePage(switchTable()[index], false) == false) @@ -257,17 +257,17 @@ void RecursiveAnalysis::analyzeFunction(duint entryPoint) break; } - if(mCp.IsCall()) + if(mZydis.IsCall()) { //TODO: add this to a queue to be analyzed later } - if(mCp.IsRet()) + if(mZydis.IsRet()) { node.terminal = true; graph.AddNode(node); break; } - node.end += mCp.Size(); + node.end += mZydis.Size(); } } //second pass: split overlapping blocks introduced by backedges @@ -279,7 +279,7 @@ void RecursiveAnalysis::analyzeFunction(duint entryPoint) while(addr < node.end) { icount++; - auto size = mCp.Disassemble(addr, translateAddr(addr)) ? mCp.Size() : 1; + auto size = mZydis.Disassemble(addr, translateAddr(addr)) ? mZydis.Size() : 1; if(graph.nodes.count(addr + size)) { node.end = addr; @@ -312,10 +312,10 @@ void RecursiveAnalysis::analyzeFunction(duint entryPoint) auto addr = node.start; while(addr <= node.end) //disassemble all instructions { - auto size = mCp.Disassemble(addr, translateAddr(addr)) ? mCp.Size() : 1; - if(mCp.IsCall() && mCp.OpCount()) //call reg / call [reg+X] + auto size = mZydis.Disassemble(addr, translateAddr(addr)) ? mZydis.Size() : 1; + if(mZydis.IsCall() && mZydis.OpCount()) //call reg / call [reg+X] { - auto & op = mCp[0]; + auto & op = mZydis[0]; switch(op.type) { case ZYDIS_OPERAND_TYPE_REGISTER: diff --git a/src/dbg/analysis/xrefsanalysis.cpp b/src/dbg/analysis/xrefsanalysis.cpp index f27751fd..f8e74086 100644 --- a/src/dbg/analysis/xrefsanalysis.cpp +++ b/src/dbg/analysis/xrefsanalysis.cpp @@ -17,19 +17,19 @@ void XrefsAnalysis::Analyse() for(auto addr = mBase; addr < mBase + mSize;) { - if(!mCp.Disassemble(addr, translateAddr(addr))) + if(!mZydis.Disassemble(addr, translateAddr(addr))) { addr++; continue; } - addr += mCp.Size(); + addr += mZydis.Size(); XREF xref; xref.addr = 0; - xref.from = mCp.Address(); - for(auto i = 0; i < mCp.OpCount(); i++) + xref.from = (duint)mZydis.Address(); + for(auto i = 0; i < mZydis.OpCount(); i++) { - duint dest = mCp.ResolveOpValue(i, [](ZydisRegister)->size_t + auto dest = (duint)mZydis.ResolveOpValue(i, [](ZydisRegister) -> uint64_t { return 0; }); diff --git a/src/dbg/commands/cmd-debug-control.cpp b/src/dbg/commands/cmd-debug-control.cpp index de137d63..afce0653 100644 --- a/src/dbg/commands/cmd-debug-control.cpp +++ b/src/dbg/commands/cmd-debug-control.cpp @@ -504,7 +504,7 @@ static bool IsRepeated(const Zydis & zydis) case ZYDIS_MNEMONIC_SCASW: case ZYDIS_MNEMONIC_SCASD: case ZYDIS_MNEMONIC_SCASQ: - return (zydis.GetInstr()->attributes & (ZYDIS_ATTRIB_HAS_REP | ZYDIS_ATTRIB_HAS_REPZ | ZYDIS_ATTRIB_HAS_REPNZ)) != 0; + return (zydis.GetInstr()->info.attributes & (ZYDIS_ATTRIB_HAS_REP | ZYDIS_ATTRIB_HAS_REPZ | ZYDIS_ATTRIB_HAS_REPNZ)) != 0; } return false; } diff --git a/src/dbg/commands/cmd-searching.cpp b/src/dbg/commands/cmd-searching.cpp index 82a4fcdf..6863a69d 100644 --- a/src/dbg/commands/cmd-searching.cpp +++ b/src/dbg/commands/cmd-searching.cpp @@ -710,9 +710,9 @@ static bool cbModCallFind(Zydis* disasm, BASIC_INSTRUCTION_INFO* basicinfo, REFI duint foundaddr = 0; char label[MAX_LABEL_SIZE] = ""; char module[MAX_MODULE_SIZE] = ""; - duint base = ModBaseFromAddr(disasm->Address()), size = 0; + duint base = ModBaseFromAddr((duint)disasm->Address()), size = 0; if(!base) - base = MemFindBaseAddr(disasm->Address(), &size); + base = MemFindBaseAddr((duint)disasm->Address(), &size); else size = ModSizeFromAddr(base); if(!base || !size) diff --git a/src/dbg/commands/cmd-undocumented.cpp b/src/dbg/commands/cmd-undocumented.cpp index 1b148bbb..a9655d06 100644 --- a/src/dbg/commands/cmd-undocumented.cpp +++ b/src/dbg/commands/cmd-undocumented.cpp @@ -243,23 +243,26 @@ bool cbInstrZydis(int argc, char* argv[]) if(!valfromstring(argv[2], &addr, false)) return false; - Zydis cp; - if(!cp.Disassemble(addr, data)) + Zydis zydis; + if(!zydis.Disassemble(addr, data)) { dputs_untranslated("Failed to disassemble!\n"); return false; } - auto instr = cp.GetInstr(); - int argcount = instr->operandCount; - dputs_untranslated(cp.InstructionText(true).c_str()); - dprintf_untranslated("prefix size: %d\n", instr->raw.prefixes.count); - if(instr->attributes & ZYDIS_ATTRIB_HAS_REX) - dprintf_untranslated("rex.W: %d, rex.R: %d, rex.X: %d, rex.B: %d, rex.data: %02x\n", instr->raw.rex.W, instr->raw.rex.R, instr->raw.rex.X, instr->raw.rex.B, instr->raw.rex.data[0]); - dprintf_untranslated("disp.offset: %d, disp.size: %d\n", instr->raw.disp.offset, instr->raw.disp.size); - dprintf_untranslated("imm[0].offset: %d, imm[0].size: %d\n", instr->raw.imm[0].offset, instr->raw.imm[0].size); - dprintf_untranslated("imm[1].offset: %d, imm[1].size: %d\n", instr->raw.imm[1].offset, instr->raw.imm[1].size); - dprintf_untranslated("size: %d, id: %d, opcount: %d\n", cp.Size(), cp.GetId(), instr->operandCount); + auto instr = zydis.GetInstr(); + int argcount = zydis.OpCount(); + dputs_untranslated(zydis.InstructionText(true).c_str()); + dprintf_untranslated("prefix size: %d\n", instr->info.raw.prefix_count); + if(instr->info.attributes & ZYDIS_ATTRIB_HAS_REX) + { + auto rexdata = data[instr->info.raw.rex.offset]; + dprintf_untranslated("rex.W: %d, rex.R: %d, rex.X: %d, rex.B: %d, rex.data: %02x\n", instr->info.raw.rex.W, instr->info.raw.rex.R, instr->info.raw.rex.X, instr->info.raw.rex.B, rexdata); + } + dprintf_untranslated("disp.offset: %d, disp.size: %d\n", instr->info.raw.disp.offset, instr->info.raw.disp.size); + dprintf_untranslated("imm[0].offset: %d, imm[0].size: %d\n", instr->info.raw.imm[0].offset, instr->info.raw.imm[0].size); + dprintf_untranslated("imm[1].offset: %d, imm[1].size: %d\n", instr->info.raw.imm[1].offset, instr->info.raw.imm[1].size); + dprintf_untranslated("size: %d, id: %d, opcount: %d\n", zydis.Size(), zydis.GetId(), instr->info.operand_count); auto rwstr = [](uint8_t action) { switch(action) @@ -297,11 +300,11 @@ bool cbInstrZydis(int argc, char* argv[]) for(int i = 0; i < argcount; i++) { const auto & op = instr->operands[i]; - dprintf("operand %d (size: %d, access: %s, visibility: %s) \"%s\", ", i + 1, op.size, rwstr(op.action), vis(op.visibility), cp.OperandText(i).c_str()); + dprintf("operand %d (size: %d, access: %s, visibility: %s) \"%s\", ", i + 1, op.size, rwstr(op.actions), vis(op.visibility), zydis.OperandText(i).c_str()); switch(op.type) { case ZYDIS_OPERAND_TYPE_REGISTER: - dprintf_untranslated("register: %s\n", cp.RegName(op.reg.value)); + dprintf_untranslated("register: %s\n", zydis.RegName(op.reg.value)); break; case ZYDIS_OPERAND_TYPE_IMMEDIATE: dprintf_untranslated("immediate: 0x%p\n", op.imm.value.u); @@ -311,9 +314,9 @@ bool cbInstrZydis(int argc, char* argv[]) //[base + index * scale +/- disp] const auto & mem = op.mem; dprintf_untranslated("memory segment: %s, base: %s, index: %s, scale: %d, displacement: 0x%p\n", - cp.RegName(mem.segment), - cp.RegName(mem.base), - cp.RegName(mem.index), + zydis.RegName(mem.segment), + zydis.RegName(mem.base), + zydis.RegName(mem.index), mem.scale, mem.disp.value); } @@ -348,7 +351,7 @@ bool cbInstrVisualize(int argc, char* argv[]) //DisassemblyBreakpointColor = #000000 { //initialize - Zydis _cp; + Zydis zydis; duint _base = start; duint _size = maxaddr - start; Memory _data(_size); @@ -376,14 +379,14 @@ bool cbInstrVisualize(int argc, char* argv[]) //continue algorithm const unsigned char* curData = (addr >= _base && addr < _base + _size) ? _data() + (addr - _base) : nullptr; - if(_cp.Disassemble(addr, curData, MAX_DISASM_BUFFER)) + if(zydis.Disassemble(addr, curData, MAX_DISASM_BUFFER)) { - if(addr + _cp.Size() > maxaddr) //we went past the maximum allowed address + if(addr + zydis.Size() > maxaddr) //we went past the maximum allowed address break; - if((_cp.IsJump() || _cp.IsLoop()) && _cp.OpCount() && _cp[0].type == ZYDIS_OPERAND_TYPE_IMMEDIATE) //jump + if((zydis.IsJump() || zydis.IsLoop()) && zydis.OpCount() && zydis[0].type == ZYDIS_OPERAND_TYPE_IMMEDIATE) //jump { - duint dest = (duint)_cp[0].imm.value.u; + duint dest = (duint)zydis[0].imm.value.u; if(dest >= maxaddr) //jump across function boundaries { @@ -393,19 +396,19 @@ bool cbInstrVisualize(int argc, char* argv[]) { fardest = dest; } - else if(end && dest < end && _cp.GetId() == ZYDIS_MNEMONIC_JMP) //save the last JMP backwards + else if(end && dest < end && zydis.GetId() == ZYDIS_MNEMONIC_JMP) //save the last JMP backwards { jumpback = addr; } } - else if(_cp.IsRet()) //possible function end? + else if(zydis.IsRet()) //possible function end? { end = addr; if(fardest < addr) //we stop if the farthest JXX destination forward is before this RET break; } - addr += _cp.Size(); + addr += zydis.Size(); } else addr++; @@ -471,22 +474,22 @@ bool cbInstrBriefcheck(int argc, char* argv[]) return false; Memory buffer(size + 16); DbgMemRead(base, buffer(), size); - Zydis cp; + Zydis zydis; std::unordered_set reported; for(duint i = 0; i < size;) { - if(!cp.Disassemble(base + i, buffer() + i, 16)) + if(!zydis.Disassemble(base + i, buffer() + i, 16)) { i++; continue; } - i += cp.Size(); - auto mnem = StringUtils::ToLower(cp.Mnemonic()); + i += zydis.Size(); + auto mnem = StringUtils::ToLower(zydis.Mnemonic()); auto brief = MnemonicHelp::getBriefDescription(mnem.c_str()); if(brief.length() || reported.count(mnem)) continue; reported.insert(mnem); - dprintf_untranslated("%p: %s\n", cp.Address(), mnem.c_str()); + dprintf_untranslated("%p: %s\n", zydis.Address(), mnem.c_str()); } return true; } diff --git a/src/dbg/debugger.cpp b/src/dbg/debugger.cpp index 7d4b816f..09ee8bd2 100644 --- a/src/dbg/debugger.cpp +++ b/src/dbg/debugger.cpp @@ -1263,8 +1263,8 @@ void cbRtrStep() #endif //_WIN64 ) { - Zydis cp; - if(cp.Disassemble(cip, data) && cp.IsRet()) + Zydis zydis; + if(zydis.Disassemble(cip, data) && zydis.IsRet()) reachedReturn = true; } } diff --git a/src/dbg/disasm_fast.cpp b/src/dbg/disasm_fast.cpp index 9231bc39..55868557 100644 --- a/src/dbg/disasm_fast.cpp +++ b/src/dbg/disasm_fast.cpp @@ -83,17 +83,17 @@ bool disasmfast(const unsigned char* data, duint addr, BASIC_INSTRUCTION_INFO* b { if(!data || !basicinfo) return false; - Zydis cp; - cp.Disassemble(addr, data, MAX_DISASM_BUFFER); - if(trydisasmfast(data, addr, basicinfo, cp.Success() ? cp.Size() : 1)) + Zydis zydis; + zydis.Disassemble(addr, data, MAX_DISASM_BUFFER); + if(trydisasmfast(data, addr, basicinfo, zydis.Success() ? zydis.Size() : 1)) return true; - if(!cp.Success()) + if(!zydis.Success()) { strcpy_s(basicinfo->instruction, "???"); basicinfo->size = 1; return false; } - fillbasicinfo(&cp, basicinfo); + fillbasicinfo(&zydis, basicinfo); return true; } diff --git a/src/dbg/disasm_helper.cpp b/src/dbg/disasm_helper.cpp index a5b37dbd..a0a7eab5 100644 --- a/src/dbg/disasm_helper.cpp +++ b/src/dbg/disasm_helper.cpp @@ -22,7 +22,7 @@ duint disasmback(unsigned char* data, duint base, duint size, duint ip, int n) unsigned char* pdata; // Reset Disasm Structure - Zydis cp; + Zydis zydis; // Check if the pointer is not null if(data == NULL) @@ -58,10 +58,10 @@ duint disasmback(unsigned char* data, duint base, duint size, duint ip, int n) { abuf[i % 128] = addr; - if(!cp.Disassemble(0, pdata, (int)size)) + if(!zydis.Disassemble(0, pdata, (int)size)) cmdsize = 1; else - cmdsize = cp.Size(); + cmdsize = zydis.Size(); pdata += cmdsize; addr += cmdsize; @@ -82,7 +82,7 @@ duint disasmnext(unsigned char* data, duint base, duint size, duint ip, int n) unsigned char* pdata; // Reset Disasm Structure - Zydis cp; + Zydis zydis; if(data == NULL) return 0; @@ -98,10 +98,10 @@ duint disasmnext(unsigned char* data, duint base, duint size, duint ip, int n) for(i = 0; i < n && size > 0; i++) { - if(!cp.Disassemble(0, pdata, (int)size)) + if(!zydis.Disassemble(0, pdata, (int)size)) cmdsize = 1; else - cmdsize = cp.Size(); + cmdsize = zydis.Size(); pdata += cmdsize; ip += cmdsize; @@ -111,16 +111,16 @@ duint disasmnext(unsigned char* data, duint base, duint size, duint ip, int n) return ip; } -static void HandleZydisOperand(Zydis & cp, int opindex, DISASM_ARG* arg, bool getregs) +static void HandleZydisOperand(Zydis & zydis, int opindex, DISASM_ARG* arg, bool getregs) { - auto value = cp.ResolveOpValue(opindex, [&cp, getregs](ZydisRegister reg) + auto value = (duint)zydis.ResolveOpValue(opindex, [&zydis, getregs](ZydisRegister reg) { - auto regName = getregs ? cp.RegName(reg) : nullptr; + auto regName = getregs ? zydis.RegName(reg) : nullptr; return regName ? getregister(nullptr, regName) : 0; //TODO: temporary needs enums + caching }); - const auto & op = cp[opindex]; + const auto & op = zydis[opindex]; arg->segment = SEG_DEFAULT; - auto opText = cp.OperandText(opindex); + auto opText = zydis.OperandText(opindex); StringUtils::ReplaceAll(opText, "0x", ""); strcpy_s(arg->mnemonic, opText.c_str()); switch(op.type) @@ -144,7 +144,7 @@ static void HandleZydisOperand(Zydis & cp, int opindex, DISASM_ARG* arg, bool ge arg->type = arg_memory; const auto & mem = op.mem; if(mem.base == ZYDIS_REGISTER_RIP) //rip-relative - arg->constant = cp.Address() + duint(mem.disp.value) + cp.Size(); + arg->constant = (duint)zydis.Address() + duint(mem.disp.value) + zydis.Size(); else arg->constant = duint(mem.disp.value); if(mem.segment == ArchValue(ZYDIS_REGISTER_FS, ZYDIS_REGISTER_GS)) @@ -216,13 +216,13 @@ static void HandleZydisOperand(Zydis & cp, int opindex, DISASM_ARG* arg, bool ge } } -void disasmget(Zydis & cp, unsigned char* buffer, duint addr, DISASM_INSTR* instr, bool getregs) +void disasmget(Zydis & zydis, unsigned char* buffer, duint addr, DISASM_INSTR* instr, bool getregs) { memset(instr, 0, sizeof(DISASM_INSTR)); - cp.Disassemble(addr, buffer, MAX_DISASM_BUFFER); - if(trydisasm(buffer, addr, instr, cp.Success() ? cp.Size() : 1)) + zydis.Disassemble(addr, buffer, MAX_DISASM_BUFFER); + if(trydisasm(buffer, addr, instr, zydis.Success() ? zydis.Size() : 1)) return; - if(!cp.Success()) + if(!zydis.Success()) { strcpy_s(instr->instruction, "???"); instr->instr_size = 1; @@ -230,21 +230,21 @@ void disasmget(Zydis & cp, unsigned char* buffer, duint addr, DISASM_INSTR* inst instr->argcount = 0; return; } - auto cpInstr = cp.GetInstr(); - strncpy_s(instr->instruction, cp.InstructionText().c_str(), _TRUNCATE); - instr->instr_size = cpInstr->length; - if(cp.IsBranchType(Zydis::BTJmp | Zydis::BTLoop | Zydis::BTRet | Zydis::BTCall)) + auto zyInstr = zydis.GetInstr(); + strncpy_s(instr->instruction, zydis.InstructionText().c_str(), _TRUNCATE); + instr->instr_size = zyInstr->info.length; + if(zydis.IsBranchType(Zydis::BTJmp | Zydis::BTLoop | Zydis::BTRet | Zydis::BTCall)) instr->type = instr_branch; else if(strstr(instr->instruction, "sp") || strstr(instr->instruction, "bp")) instr->type = instr_stack; else instr->type = instr_normal; - instr->argcount = cp.OpCount() <= 3 ? cp.OpCount() : 3; + instr->argcount = zydis.OpCount() <= 3 ? zydis.OpCount() : 3; for(int i = 0; i < instr->argcount; i++) - HandleZydisOperand(cp, i, &instr->arg[i], getregs); + HandleZydisOperand(zydis, i, &instr->arg[i], getregs); } -void disasmget(Zydis & cp, duint addr, DISASM_INSTR* instr, bool getregs) +void disasmget(Zydis & zydis, duint addr, DISASM_INSTR* instr, bool getregs) { if(!DbgIsDebugging()) { @@ -254,15 +254,15 @@ void disasmget(Zydis & cp, duint addr, DISASM_INSTR* instr, bool getregs) } unsigned char buffer[MAX_DISASM_BUFFER] = ""; if(MemRead(addr, buffer, sizeof(buffer))) - disasmget(cp, buffer, addr, instr, getregs); + disasmget(zydis, buffer, addr, instr, getregs); else memset(instr, 0, sizeof(DISASM_INSTR)); // Buffer overflow } void disasmget(unsigned char* buffer, duint addr, DISASM_INSTR* instr, bool getregs) { - Zydis cp; - disasmget(cp, buffer, addr, instr, getregs); + Zydis zydis; + disasmget(zydis, buffer, addr, instr, getregs); } void disasmget(duint addr, DISASM_INSTR* instr, bool getregs) @@ -518,10 +518,10 @@ bool disasmgetstringatwrapper(duint addr, char* dest, bool cache) int disasmgetsize(duint addr, unsigned char* data) { - Zydis cp; - if(!cp.Disassemble(addr, data, MAX_DISASM_BUFFER)) + Zydis zydis; + if(!zydis.Disassemble(addr, data, MAX_DISASM_BUFFER)) return 1; - return int(EncodeMapGetSize(addr, cp.Size())); + return int(EncodeMapGetSize(addr, zydis.Size())); } int disasmgetsize(duint addr) diff --git a/src/dbg/disasm_helper.h b/src/dbg/disasm_helper.h index e8d7fd8e..5d80024d 100644 --- a/src/dbg/disasm_helper.h +++ b/src/dbg/disasm_helper.h @@ -7,8 +7,8 @@ //functions duint disasmback(unsigned char* data, duint base, duint size, duint ip, int n); duint disasmnext(unsigned char* data, duint base, duint size, duint ip, int n); -void disasmget(Zydis & cp, unsigned char* buffer, duint addr, DISASM_INSTR* instr, bool getregs = true); -void disasmget(Zydis & cp, duint addr, DISASM_INSTR* instr, bool getregs = true); +void disasmget(Zydis & zydis, unsigned char* buffer, duint addr, DISASM_INSTR* instr, bool getregs = true); +void disasmget(Zydis & zydis, duint addr, DISASM_INSTR* instr, bool getregs = true); void disasmget(unsigned char* buffer, duint addr, DISASM_INSTR* instr, bool getregs = true); void disasmget(duint addr, DISASM_INSTR* instr, bool getregs = true); bool disasmispossiblestring(duint addr, STRING_TYPE* type = nullptr); diff --git a/src/dbg/encodemap.cpp b/src/dbg/encodemap.cpp index 34b58f85..f33e6ef6 100644 --- a/src/dbg/encodemap.cpp +++ b/src/dbg/encodemap.cpp @@ -287,7 +287,7 @@ bool EncodeMapSetType(duint addr, duint size, ENCODETYPE type, bool* created) memset(map.data + offset, (byte)enc_middle, size); if(IsCodeType(type) && size > 1) { - Zydis cp; + Zydis zydis; Memory buffer(size); if(!MemRead(addr, buffer(), size)) return false; @@ -296,8 +296,8 @@ bool EncodeMapSetType(duint addr, duint size, ENCODETYPE type, bool* created) for(auto i = offset; i < offset + size;) { map.data[i] = (byte)type; - cp.Disassemble(base + i, buffer() + bufferoffset, int(buffersize - bufferoffset)); - cmdsize = cp.Success() ? cp.Size() : 1; + zydis.Disassemble(base + i, buffer() + bufferoffset, int(buffersize - bufferoffset)); + cmdsize = zydis.Success() ? zydis.Size() : 1; i += cmdsize; bufferoffset += cmdsize; buffersize -= cmdsize; diff --git a/src/dbg/exprfunc.cpp b/src/dbg/exprfunc.cpp index ea2a1a52..7819fa66 100644 --- a/src/dbg/exprfunc.cpp +++ b/src/dbg/exprfunc.cpp @@ -282,9 +282,9 @@ namespace Exprfunc unsigned char data[16]; if(MemRead(addr, data, sizeof(data), nullptr, true)) { - Zydis cp; - if(cp.Disassemble(addr, data)) - return cp.IsNop(); + Zydis zydis; + if(zydis.Disassemble(addr, data)) + return zydis.IsNop(); } return false; } @@ -294,9 +294,9 @@ namespace Exprfunc unsigned char data[16]; if(MemRead(addr, data, sizeof(data), nullptr, true)) { - Zydis cp; - if(cp.Disassemble(addr, data)) - return cp.IsUnusual(); + Zydis zydis; + if(zydis.Disassemble(addr, data)) + return zydis.IsUnusual(); } return false; } @@ -455,7 +455,7 @@ namespace Exprfunc duint rdtsc() { - return __rdtsc(); + return (duint)__rdtsc(); } static duint readMem(duint addr, duint size) diff --git a/src/dbg/reference.cpp b/src/dbg/reference.cpp index 0f57f00b..24ec14cd 100644 --- a/src/dbg/reference.cpp +++ b/src/dbg/reference.cpp @@ -63,14 +63,14 @@ int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Sile sprintf_s(fullName, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "%s (Region %p)")), Name, scanStart); // Initialize disassembler - Zydis cp; + Zydis zydis; // Allow an "initialization" notice refInfo.refcount = 0; refInfo.userinfo = UserData; refInfo.name = fullName; - RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, cp, true, [](int percent) + RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, zydis, true, [](int percent) { GuiReferenceSetCurrentTaskProgress(percent, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Region Search"))); GuiReferenceSetProgress(percent); @@ -104,14 +104,14 @@ int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Sile sprintf_s(fullName, "%s (%p)", Name, scanStart); // Initialize disassembler - Zydis cp; + Zydis zydis; // Allow an "initialization" notice refInfo.refcount = 0; refInfo.userinfo = UserData; refInfo.name = fullName; - RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, cp, true, [](int percent) + RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, zydis, true, [](int percent) { GuiReferenceSetCurrentTaskProgress(percent, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "Module Search"))); GuiReferenceSetProgress(percent); @@ -147,7 +147,7 @@ int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Sile } // Initialize disassembler - Zydis cp; + Zydis zydis; // Determine the full module sprintf_s(fullName, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "User Modules (%s)")), Name); @@ -165,7 +165,7 @@ int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Sile scanStart = modList[i].base; scanSize = modList[i].size; - RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, cp, initCallBack, [&i, &modList](int percent) + RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, zydis, initCallBack, [&i, &modList](int percent) { float fPercent = (float)percent / 100.f; float fTotalPercent = ((float)i + fPercent) / (float)modList.size(); @@ -209,7 +209,7 @@ int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Sile } // Initialize disassembler - Zydis cp; + Zydis zydis; // Determine the full module sprintf_s(fullName, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "System Modules (%s)")), Name); @@ -228,7 +228,7 @@ int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Sile scanSize = modList[i].size; - RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, cp, initCallBack, [&i, &modList](int percent) + RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, zydis, initCallBack, [&i, &modList](int percent) { float fPercent = (float)percent / 100.f; float fTotalPercent = ((float)i + fPercent) / (float)modList.size(); @@ -271,7 +271,7 @@ int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Sile } // Initialize disassembler - Zydis cp; + Zydis zydis; // Determine the full module sprintf_s(fullName, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "All Modules (%s)")), Name); @@ -289,7 +289,7 @@ int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Sile if(i != 0) initCallBack = false; - RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, cp, initCallBack, [&i, &modList](int percent) + RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, zydis, initCallBack, [&i, &modList](int percent) { float fPercent = (float)percent / 100.f; float fTotalPercent = ((float)i + fPercent) / (float)modList.size(); @@ -309,7 +309,7 @@ int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Sile return refInfo.refcount; } -int RefFindInRange(duint scanStart, duint scanSize, CBREF Callback, void* UserData, bool Silent, REFINFO & refInfo, Zydis & cp, bool initCallBack, const CBPROGRESS & cbUpdateProgress, bool disasmText) +int RefFindInRange(duint scanStart, duint scanSize, CBREF Callback, void* UserData, bool Silent, REFINFO & refInfo, Zydis & zydis, bool initCallBack, const CBPROGRESS & cbUpdateProgress, bool disasmText) { // Allocate and read a buffer from the remote process Memory data(scanSize, "reffind:data"); @@ -339,15 +339,15 @@ int RefFindInRange(duint scanStart, duint scanSize, CBREF Callback, void* UserDa int disasmMaxSize = min(MAX_DISASM_BUFFER, (int)(scanSize - i)); // Prevent going past the boundary int disasmLen = 1; - if(cp.Disassemble(scanStart, data() + i, disasmMaxSize)) + if(zydis.Disassemble(scanStart, data() + i, disasmMaxSize)) { BASIC_INSTRUCTION_INFO basicinfo; - fillbasicinfo(&cp, &basicinfo, disasmText); + fillbasicinfo(&zydis, &basicinfo, disasmText); - if(Callback(&cp, &basicinfo, &refInfo)) + if(Callback(&zydis, &basicinfo, &refInfo)) refInfo.refcount++; - disasmLen = cp.Size(); + disasmLen = zydis.Size(); } else { diff --git a/src/dbg/reference.h b/src/dbg/reference.h index b1f09665..6c920b47 100644 --- a/src/dbg/reference.h +++ b/src/dbg/reference.h @@ -26,6 +26,6 @@ typedef bool (*CBREF)(Zydis* disasm, BASIC_INSTRUCTION_INFO* basicinfo, REFINFO* typedef std::function CBPROGRESS; int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Silent, const char* Name, REFFINDTYPE type, bool disasmText); -int RefFindInRange(duint scanStart, duint scanSize, CBREF Callback, void* UserData, bool Silent, REFINFO & refInfo, Zydis & cp, bool initCallBack, const CBPROGRESS & cbUpdateProgress, bool disasmText); +int RefFindInRange(duint scanStart, duint scanSize, CBREF Callback, void* UserData, bool Silent, REFINFO & refInfo, Zydis & zydis, bool initCallBack, const CBPROGRESS & cbUpdateProgress, bool disasmText); #endif // _REFERENCE_H diff --git a/src/dbg/x64dbg.cpp b/src/dbg/x64dbg.cpp index 8c32bd63..290d60b8 100644 --- a/src/dbg/x64dbg.cpp +++ b/src/dbg/x64dbg.cpp @@ -699,8 +699,6 @@ extern "C" DLL_EXPORT const char* _dbg_dbginit() dputs(QT_TRANSLATE_NOOP("DBG", "Setting JSON memory management functions...")); json_set_alloc_funcs(json_malloc, json_free); //#endif //ENABLE_MEM_TRACE - dputs(QT_TRANSLATE_NOOP("DBG", "Initializing Zydis...")); - Zydis::GlobalInitialize(); dputs(QT_TRANSLATE_NOOP("DBG", "Getting directory information...")); strcpy_s(scriptDllDir, szUserDir); @@ -833,7 +831,6 @@ extern "C" DLL_EXPORT void _dbg_dbgexitsignal() dputs(QT_TRANSLATE_NOOP("DBG", "Cleaning up allocated data...")); cmdfree(); varfree(); - Zydis::GlobalFinalize(); dputs(QT_TRANSLATE_NOOP("DBG", "Cleaning up wait objects...")); waitdeinitialize(); SafeDbghelpDeinitialize(); diff --git a/src/zydis_wrapper/zydis_wrapper.cpp b/src/zydis_wrapper/zydis_wrapper.cpp index 07808544..46613909 100644 --- a/src/zydis_wrapper/zydis_wrapper.cpp +++ b/src/zydis_wrapper/zydis_wrapper.cpp @@ -72,29 +72,29 @@ void Zydis::Reset(bool disasm64) ZydisDecoderInit(&mDecoder, ZYDIS_MACHINE_MODE_LEGACY_32, ZYDIS_STACK_WIDTH_32); } -bool Zydis::Disassemble(size_t addr, const unsigned char data[MAX_DISASM_BUFFER]) +bool Zydis::Disassemble(uint64_t addr, const unsigned char data[MAX_DISASM_BUFFER]) { return Disassemble(addr, data, MAX_DISASM_BUFFER); } -bool Zydis::Disassemble(size_t addr, const unsigned char* data, int size) +bool Zydis::Disassemble(uint64_t addr, const unsigned char* data, size_t size) { - if(!data || !size) + if(data == nullptr || size == 0) return false; mAddr = addr; mSuccess = false; // Decode instruction. - if(!ZYAN_SUCCESS(ZydisDecoderDecodeFull(&mDecoder, data, size, &mInstr, mOperands))) + if(!ZYAN_SUCCESS(ZydisDecoderDecodeFull(&mDecoder, data, size, &mInstr.info, mInstr.operands))) return false; // Format it to human readable representation. if(!ZYAN_SUCCESS(ZydisFormatterFormatInstruction( &mFormatter, - &mInstr, - mOperands, - mInstr.operand_count, + &mInstr.info, + mInstr.operands, + mInstr.info.operand_count, mInstrText, sizeof(mInstrText), mAddr, @@ -103,9 +103,9 @@ bool Zydis::Disassemble(size_t addr, const unsigned char* data, int size) // Count explicit operands. mVisibleOpCount = 0; - for(size_t i = 0; i < mInstr.operand_count; ++i) + for(ZyanU8 i = 0; i < mInstr.info.operand_count; ++i) { - auto & op = mOperands[i]; + auto & op = mInstr.operands[i]; // Rebase IMM if relative and DISP if absolute (codebase expects it this way). // Once, at some point in time, the disassembler is abstracted away more and more, @@ -113,7 +113,7 @@ bool Zydis::Disassemble(size_t addr, const unsigned char* data, int size) // such transformations in the getters instead. if(op.type == ZYDIS_OPERAND_TYPE_IMMEDIATE && op.imm.is_relative) { - ZydisCalcAbsoluteAddress(&mInstr, &op, mAddr, &op.imm.value.u); + ZydisCalcAbsoluteAddress(&mInstr.info, &op, mAddr, &op.imm.value.u); op.imm.is_relative = false; //hack to prevent OperandText from returning bogus values } else if(op.type == ZYDIS_OPERAND_TYPE_MEMORY && @@ -122,7 +122,7 @@ bool Zydis::Disassemble(size_t addr, const unsigned char* data, int size) op.mem.disp.value != 0) { //TODO: what is this used for? - ZydisCalcAbsoluteAddress(&mInstr, &op, mAddr, (uint64_t*)&op.mem.disp.value); + ZydisCalcAbsoluteAddress(&mInstr.info, &op, mAddr, (uint64_t*)&op.mem.disp.value); } if(op.visibility == ZYDIS_OPERAND_VISIBILITY_HIDDEN) @@ -135,15 +135,15 @@ bool Zydis::Disassemble(size_t addr, const unsigned char* data, int size) return true; } -bool Zydis::DisassembleSafe(size_t addr, const unsigned char* data, int size) +bool Zydis::DisassembleSafe(uint64_t addr, const unsigned char* data, size_t size) { unsigned char dataSafe[MAX_DISASM_BUFFER]; memset(dataSafe, 0, sizeof(dataSafe)); - memcpy(dataSafe, data, std::min(sizeof(dataSafe), size_t(size))); + memcpy(dataSafe, data, std::min(sizeof(dataSafe), size)); return Disassemble(addr, dataSafe); } -const ZydisDecodedInstruction* Zydis::GetInstr() const +const ZydisDisassembledInstruction* Zydis::GetInstr() const { if(!Success()) return nullptr; @@ -180,27 +180,27 @@ const char* Zydis::RegName(ZydisRegister reg) const } } -std::string Zydis::OperandText(int opindex) const +std::string Zydis::OperandText(uint8_t opindex) const { - if(!Success() || opindex >= mInstr.operand_count) + if(!Success() || opindex >= mInstr.info.operand_count) return std::string(); - auto & op = mOperands[opindex]; + auto & op = mInstr.operands[opindex]; char buf[200]; - if(ZYAN_SUCCESS(ZydisFormatterFormatOperand(&this->mFormatter, &mInstr, &mOperands[opindex], buf, sizeof(buf), mAddr, nullptr))) + if(ZYAN_SUCCESS(ZydisFormatterFormatOperand(&this->mFormatter, &mInstr.info, &mInstr.operands[opindex], buf, sizeof(buf), mAddr, nullptr))) return std::string(buf); else return std::string(); } -int Zydis::Size() const +uint8_t Zydis::Size() const { if(!Success()) return 1; - return GetInstr()->length; + return GetInstr()->info.length; } -size_t Zydis::Address() const +uint64_t Zydis::Address() const { if(!Success()) return 0; @@ -212,7 +212,7 @@ bool Zydis::IsFilling() const if(!Success()) return false; - switch(mInstr.mnemonic) + switch(mInstr.info.mnemonic) { case ZYDIS_MNEMONIC_NOP: case ZYDIS_MNEMONIC_INT3: @@ -228,18 +228,18 @@ bool Zydis::IsBranchType(std::underlying_type::type bt) const return false; std::underlying_type::type ref = 0; - const auto & op0 = mOperands[0]; + const auto & op0 = mInstr.operands[0]; - switch(mInstr.mnemonic) + switch(mInstr.info.mnemonic) { case ZYDIS_MNEMONIC_RET: - ref = (mInstr.meta.branch_type == ZYDIS_BRANCH_TYPE_FAR) ? BTFarRet : BTRet; + ref = (mInstr.info.meta.branch_type == ZYDIS_BRANCH_TYPE_FAR) ? BTFarRet : BTRet; break; case ZYDIS_MNEMONIC_CALL: - ref = (mInstr.meta.branch_type == ZYDIS_BRANCH_TYPE_FAR) ? BTFarCall : BTCall; + ref = (mInstr.info.meta.branch_type == ZYDIS_BRANCH_TYPE_FAR) ? BTFarCall : BTCall; break; case ZYDIS_MNEMONIC_JMP: - ref = (mInstr.meta.branch_type == ZYDIS_BRANCH_TYPE_FAR) ? BTFarJmp : BTUncondJmp; + ref = (mInstr.info.meta.branch_type == ZYDIS_BRANCH_TYPE_FAR) ? BTFarJmp : BTUncondJmp; break; case ZYDIS_MNEMONIC_JB: case ZYDIS_MNEMONIC_JBE: @@ -310,7 +310,7 @@ ZydisMnemonic Zydis::GetId() const { if(!Success()) return ZYDIS_MNEMONIC_INVALID; - return mInstr.mnemonic; + return mInstr.info.mnemonic; } std::string Zydis::InstructionText(bool replaceRipRelative) const @@ -337,10 +337,18 @@ std::string Zydis::InstructionText(bool replaceRipRelative) const auto end = result.find("]", found); auto ripStr = result.substr(found + 1, end - found - 1); uint64_t offset; +#ifdef _MSC_VER + sscanf_s(ripStr.substr(ripStr.rfind(' ') + 1).c_str(), "%llX", &offset); +#else sscanf(ripStr.substr(ripStr.rfind(' ') + 1).c_str(), "%llX", &offset); +#endif // _MSC_VER auto dest = ripPlus ? (wVA + offset + Size()) : (wVA - offset + Size()); char buf[20]; +#ifdef _MSC_VER + sprintf_s(buf, "0x%llx", dest); +#else snprintf(buf, sizeof(buf), "0x%llx", dest); +#endif // _MSC_VER result.replace(found + 1, ripStr.length(), buf); } } @@ -348,18 +356,18 @@ std::string Zydis::InstructionText(bool replaceRipRelative) const return result; } -int Zydis::OpCount() const +uint8_t Zydis::OpCount() const { if(!Success()) return 0; return mVisibleOpCount; } -const ZydisDecodedOperand & Zydis::operator[](int index) const +const ZydisDecodedOperand & Zydis::operator[](uint8_t index) const { - if(!Success() || index < 0 || index >= OpCount()) + if(!Success() || index >= OpCount()) throw std::out_of_range("Operand out of range"); - return mOperands[index]; + return mInstr.operands[index]; } bool Zydis::IsSafeNopRegOp(const ZydisDecodedOperand & op) const @@ -398,9 +406,9 @@ bool Zydis::IsNop() const if(!Success()) return false; - const auto & ops = mOperands; + const auto & ops = mInstr.operands; - switch(mInstr.mnemonic) + switch(mInstr.info.mnemonic) { case ZYDIS_MNEMONIC_NOP: case ZYDIS_MNEMONIC_PAUSE: @@ -497,7 +505,7 @@ bool Zydis::IsPushPop() const if(!Success()) return false; - switch(mInstr.meta.category) + switch(mInstr.info.meta.category) { case ZYDIS_CATEGORY_PUSH: case ZYDIS_CATEGORY_POP: @@ -513,13 +521,13 @@ bool Zydis::IsUnusual() const if(!Success()) return false; - auto id = mInstr.mnemonic; - return mInstr.attributes & ZYDIS_ATTRIB_IS_PRIVILEGED - || mInstr.meta.category == ZYDIS_CATEGORY_IO - || mInstr.meta.category == ZYDIS_CATEGORY_IOSTRINGOP - || mInstr.meta.category == ZYDIS_CATEGORY_RDWRFSGS - || mInstr.meta.category == ZYDIS_CATEGORY_SGX - || mInstr.meta.category == ZYDIS_CATEGORY_INTERRUPT + auto id = mInstr.info.mnemonic; + return mInstr.info.attributes & ZYDIS_ATTRIB_IS_PRIVILEGED + || mInstr.info.meta.category == ZYDIS_CATEGORY_IO + || mInstr.info.meta.category == ZYDIS_CATEGORY_IOSTRINGOP + || mInstr.info.meta.category == ZYDIS_CATEGORY_RDWRFSGS + || mInstr.info.meta.category == ZYDIS_CATEGORY_SGX + || mInstr.info.meta.category == ZYDIS_CATEGORY_INTERRUPT || id == ZYDIS_MNEMONIC_SYSCALL || id == ZYDIS_MNEMONIC_SYSENTER || id == ZYDIS_MNEMONIC_CPUID @@ -544,10 +552,10 @@ std::string Zydis::Mnemonic() const { if(!Success()) return "???"; - return ZydisMnemonicGetStringHook(mInstr.mnemonic); + return ZydisMnemonicGetStringHook(mInstr.info.mnemonic); } -const char* Zydis::MemSizeName(int size) const +const char* Zydis::MemSizeName(size_t size) const { switch(size) { @@ -578,30 +586,30 @@ const char* Zydis::MemSizeName(int size) const } } -size_t Zydis::BranchDestination() const +uint64_t Zydis::BranchDestination() const { if(!Success() - || mOperands[0].type != ZYDIS_OPERAND_TYPE_IMMEDIATE + || mInstr.operands[0].type != ZYDIS_OPERAND_TYPE_IMMEDIATE /*|| !mInstr.operands[0].imm.isRelative HACKED*/) return 0; - return size_t(mOperands[0].imm.value.u); + return uint64_t(mInstr.operands[0].imm.value.u); } -size_t Zydis::ResolveOpValue(int opindex, const std::function & resolveReg) const +uint64_t Zydis::ResolveOpValue(uint8_t opindex, const std::function & resolveReg) const { - size_t dest = 0; - const auto & op = mOperands[opindex]; + uint64_t dest = 0; + const auto & op = mInstr.operands[opindex]; switch(op.type) { case ZYDIS_OPERAND_TYPE_IMMEDIATE: - dest = size_t(op.imm.value.u); + dest = uint64_t(op.imm.value.u); break; case ZYDIS_OPERAND_TYPE_REGISTER: dest = resolveReg(op.reg.value); break; case ZYDIS_OPERAND_TYPE_MEMORY: - dest = size_t(op.mem.disp.value); + dest = uint64_t(op.mem.disp.value); if(op.mem.base == ZYDIS_REGISTER_RIP) //rip-relative dest += Address() + Size(); else @@ -613,13 +621,13 @@ size_t Zydis::ResolveOpValue(int opindex, const std::function= mInstr.operand_count) + if(opindex >= mInstr.info.operand_count) return Zydis::VETDefault; - const auto & op = mOperands[opindex]; + const auto & op = mInstr.operands[opindex]; switch(op.element_type) { case ZYDIS_ELEMENT_TYPE_FLOAT32: @@ -631,20 +639,20 @@ Zydis::VectorElementType Zydis::getVectorElementType(int opindex) const } } -bool Zydis::IsBranchGoingToExecute(size_t cflags, size_t ccx) const +bool Zydis::IsBranchGoingToExecute(uint32_t eflags, uint64_t ccx) const { if(!Success()) return false; - return IsBranchGoingToExecute(mInstr.mnemonic, cflags, ccx); + return IsBranchGoingToExecute(mInstr.info.mnemonic, eflags, ccx); } -bool Zydis::IsBranchGoingToExecute(ZydisMnemonic id, size_t cflags, size_t ccx) +bool Zydis::IsBranchGoingToExecute(ZydisMnemonic id, uint32_t eflags, uint64_t ccx) { - auto bCF = (cflags & (1 << 0)) != 0; - auto bPF = (cflags & (1 << 2)) != 0; - auto bZF = (cflags & (1 << 6)) != 0; - auto bSF = (cflags & (1 << 7)) != 0; - auto bOF = (cflags & (1 << 11)) != 0; + auto bCF = (eflags & (1 << 0)) != 0; + auto bPF = (eflags & (1 << 2)) != 0; + auto bZF = (eflags & (1 << 6)) != 0; + auto bSF = (eflags & (1 << 7)) != 0; + auto bOF = (eflags & (1 << 11)) != 0; switch(id) { case ZYDIS_MNEMONIC_CALL: @@ -698,20 +706,20 @@ bool Zydis::IsBranchGoingToExecute(ZydisMnemonic id, size_t cflags, size_t ccx) } } -bool Zydis::IsConditionalGoingToExecute(size_t cflags, size_t ccx) const +bool Zydis::IsConditionalGoingToExecute(uint32_t eflags, uint64_t ccx) const { if(!Success()) return false; - return IsConditionalGoingToExecute(mInstr.mnemonic, cflags, ccx); + return IsConditionalGoingToExecute(mInstr.info.mnemonic, eflags, ccx); } -bool Zydis::IsConditionalGoingToExecute(ZydisMnemonic id, size_t cflags, size_t ccx) +bool Zydis::IsConditionalGoingToExecute(ZydisMnemonic id, uint32_t eflags, uint64_t ccx) { - auto bCF = (cflags & (1 << 0)) != 0; - auto bPF = (cflags & (1 << 2)) != 0; - auto bZF = (cflags & (1 << 6)) != 0; - auto bSF = (cflags & (1 << 7)) != 0; - auto bOF = (cflags & (1 << 11)) != 0; + auto bCF = (eflags & (1 << 0)) != 0; + auto bPF = (eflags & (1 << 2)) != 0; + auto bZF = (eflags & (1 << 6)) != 0; + auto bSF = (eflags & (1 << 7)) != 0; + auto bOF = (eflags & (1 << 11)) != 0; switch(id) { case ZYDIS_MNEMONIC_CMOVNBE: //conditional move - above/not below nor equal @@ -805,9 +813,9 @@ void Zydis::RegInfo(uint8_t regs[ZYDIS_REGISTER_MAX_VALUE + 1]) const if(!Success() || IsNop()) return; - for(int i = 0; i < mInstr.operand_count; ++i) + for(int i = 0; i < mInstr.info.operand_count; ++i) { - const auto & op = mOperands[i]; + const auto & op = mInstr.operands[i]; switch(op.type) { @@ -897,16 +905,16 @@ void Zydis::BytesGroup(uint8_t* prefixSize, uint8_t* opcodeSize, uint8_t* group1 { if(Success()) { - *prefixSize = mInstr.raw.prefix_count; - *group1Size = mInstr.raw.disp.size / 8; - *group2Size = mInstr.raw.imm[0].size / 8; - *group3Size = mInstr.raw.imm[1].size / 8; - *opcodeSize = mInstr.length - *prefixSize - *group1Size - *group2Size - *group3Size; + *prefixSize = mInstr.info.raw.prefix_count; + *group1Size = mInstr.info.raw.disp.size / 8; + *group2Size = mInstr.info.raw.imm[0].size / 8; + *group3Size = mInstr.info.raw.imm[1].size / 8; + *opcodeSize = mInstr.info.length - *prefixSize - *group1Size - *group2Size - *group3Size; } else { *prefixSize = 0; - *opcodeSize = mInstr.length; + *opcodeSize = mInstr.info.length; *group1Size = 0; *group2Size = 0; *group3Size = 0; diff --git a/src/zydis_wrapper/zydis_wrapper.h b/src/zydis_wrapper/zydis_wrapper.h index 4e9a62c0..8105f26b 100644 --- a/src/zydis_wrapper/zydis_wrapper.h +++ b/src/zydis_wrapper/zydis_wrapper.h @@ -1,5 +1,7 @@ #pragma once +#define ZYCORE_STATIC_BUILD +#define ZYDIS_STATIC_BUILD #include "Zydis/Zydis.h" #include #include @@ -10,35 +12,41 @@ class Zydis { public: +#ifdef _WIN64 + Zydis() : Zydis(true) {} +#elif _WIN32 + Zydis() : Zydis(false) {} +#endif // _WIN64 + explicit Zydis(bool disasm64); Zydis(const Zydis & zydis) = delete; ~Zydis() = default; void Reset(bool disasm64); - bool Disassemble(size_t addr, const unsigned char data[MAX_DISASM_BUFFER]); - bool Disassemble(size_t addr, const unsigned char* data, int size); - bool DisassembleSafe(size_t addr, const unsigned char* data, int size); - const ZydisDecodedInstruction* GetInstr() const; + bool Disassemble(uint64_t addr, const unsigned char data[MAX_DISASM_BUFFER]); + bool Disassemble(uint64_t addr, const unsigned char* data, size_t size); + bool DisassembleSafe(uint64_t addr, const unsigned char* data, size_t size); + const ZydisDisassembledInstruction* GetInstr() const; bool Success() const; const char* RegName(ZydisRegister reg) const; - std::string OperandText(int opindex) const; - int Size() const; - size_t Address() const; + std::string OperandText(uint8_t opindex) const; + uint8_t Size() const; + uint64_t Address() const; bool IsFilling() const; bool IsUnusual() const; bool IsNop() const; bool IsPushPop() const; ZydisMnemonic GetId() const; std::string InstructionText(bool replaceRipRelative = true) const; - int OpCount() const; - const ZydisDecodedOperand & operator[](int index) const; + uint8_t OpCount() const; + const ZydisDecodedOperand & operator[](uint8_t index) const; std::string Mnemonic() const; - const char* MemSizeName(int size) const; - size_t BranchDestination() const; - size_t ResolveOpValue(int opindex, const std::function & resolveReg) const; - bool IsBranchGoingToExecute(size_t cflags, size_t ccx) const; - static bool IsBranchGoingToExecute(ZydisMnemonic id, size_t cflags, size_t ccx); - bool IsConditionalGoingToExecute(size_t cflags, size_t ccx) const; - static bool IsConditionalGoingToExecute(ZydisMnemonic id, size_t cflags, size_t ccx); + const char* MemSizeName(size_t size) const; + uint64_t BranchDestination() const; + uint64_t ResolveOpValue(uint8_t opindex, const std::function & resolveReg) const; + bool IsBranchGoingToExecute(uint32_t eflags, uint64_t ccx) const; + static bool IsBranchGoingToExecute(ZydisMnemonic id, uint32_t eflags, uint64_t ccx); + bool IsConditionalGoingToExecute(uint32_t eflags, uint64_t ccx) const; + static bool IsConditionalGoingToExecute(ZydisMnemonic id, uint32_t eflags, uint64_t ccx); void BytesGroup(uint8_t* prefixSize, uint8_t* opcodeSize, uint8_t* group1Size, uint8_t* group2Size, uint8_t* group3Size) const; enum RegAccessInfo : uint8_t @@ -98,7 +106,7 @@ public: VETInt32, VETInt64 }; - VectorElementType getVectorElementType(int opindex) const; + VectorElementType getVectorElementType(uint8_t opindex) const; // Shortcuts. bool IsRet() const { return IsBranchType(BTRet); } @@ -113,8 +121,7 @@ private: ZydisFormatter mFormatter; bool mDisasm64; uint64_t mAddr = 0; - ZydisDecodedInstruction mInstr; - ZydisDecodedOperand mOperands[ZYDIS_MAX_OPERAND_COUNT]; + ZydisDisassembledInstruction mInstr; char mInstrText[200]; bool mSuccess = false; uint8_t mVisibleOpCount = 0; diff --git a/src/zydis_wrapper/zydis_wrapper.vcxproj b/src/zydis_wrapper/zydis_wrapper.vcxproj index a8e8d439..0097668e 100644 --- a/src/zydis_wrapper/zydis_wrapper.vcxproj +++ b/src/zydis_wrapper/zydis_wrapper.vcxproj @@ -69,23 +69,23 @@ .lib $(ProjectDir)bin\x32\ $(Platform)\$(Configuration)\ - $(ProjectDir);$(ProjectDir)\zydis\include;$(ProjectDir)\zydis\src;$(IncludePath) + $(ProjectDir)\Zydis;$(ProjectDir)\zydis\include;$(ProjectDir)\zydis\src;$(IncludePath) .lib $(ProjectDir)bin\x64\ - $(ProjectDir);$(IncludePath);$(ProjectDir)\zydis\include;$(ProjectDir)\zydis\src + $(ProjectDir)\Zydis;$(IncludePath);$(ProjectDir)\zydis\include;$(ProjectDir)\zydis\src .lib $(ProjectDir)bin\x32d\ $(Platform)\$(Configuration)\ - $(ProjectDir);$(ProjectDir)\zydis\include;$(ProjectDir)\zydis\src;$(IncludePath) + $(ProjectDir)\Zydis;$(ProjectDir)\zydis\include;$(ProjectDir)\zydis\src;$(IncludePath) .lib $(ProjectDir)bin\x64d\ - $(ProjectDir);$(IncludePath);$(ProjectDir)\zydis\include;$(ProjectDir)\zydis\src + $(ProjectDir)\Zydis;$(IncludePath);$(ProjectDir)\zydis\include;$(ProjectDir)\zydis\src @@ -138,32 +138,20 @@ - - - - - - - - - - + + ZYCORE_STATIC_BUILD +;ZYDIS_STATIC_BUILD;_USING_V110_SDK71_;%(PreprocessorDefinitions) + ZYCORE_STATIC_BUILD +;ZYDIS_STATIC_BUILD;_USING_V110_SDK71_;%(PreprocessorDefinitions) + ZYCORE_STATIC_BUILD +;ZYDIS_STATIC_BUILD;_USING_V110_SDK71_;%(PreprocessorDefinitions) + ZYCORE_STATIC_BUILD +;ZYDIS_STATIC_BUILD;_USING_V110_SDK71_;%(PreprocessorDefinitions) + - - - - - - - - - - - - - + diff --git a/src/zydis_wrapper/zydis_wrapper.vcxproj.filters b/src/zydis_wrapper/zydis_wrapper.vcxproj.filters index c4f3c2b0..bb9bc087 100644 --- a/src/zydis_wrapper/zydis_wrapper.vcxproj.filters +++ b/src/zydis_wrapper/zydis_wrapper.vcxproj.filters @@ -10,44 +10,17 @@ h;hh;hpp;hxx;hm;inl;inc;xsd - {0f43347f-70ba-4bf2-b8bc-ae1df066b27a} + {d1e8e1c5-c3ed-4cbc-9c1b-3bfd92076ef9} - {9b6d6e4c-4e1e-48b2-b8ba-1b926c7c7302} + {73179162-d6f3-49e8-af4f-73b5a24dbbcf} Source Files - - Source Files\Zydis - - - Source Files\Zydis - - - Source Files\Zydis - - - Source Files\Zydis - - - Source Files\Zydis - - - Source Files\Zydis - - - Source Files\Zydis - - - Source Files\Zydis - - - Source Files\Zydis - - + Source Files\Zydis @@ -55,43 +28,7 @@ Header Files - - Header Files\Zydis - - - Header Files\Zydis - - - Header Files\Zydis - - - Header Files\Zydis - - - Header Files\Zydis - - - Header Files\Zydis - - - Header Files\Zydis - - - Header Files\Zydis - - - Header Files\Zydis - - - Header Files\Zydis - - - Header Files\Zydis - - - Header Files\Zydis - - + Header Files\Zydis