diff --git a/crates/vestal/src/main.rs b/crates/vestal/src/main.rs
index 3794bff..1bbf072 100644
--- a/crates/vestal/src/main.rs
+++ b/crates/vestal/src/main.rs
@@ -55,34 +55,43 @@ impl Vestal {
 ep_rva, ep_off);
 if dll_path.as_ref() == path {
- let buf = dll.get_buffer();
- //println!("{:?}\n", &buf[0..128]);
- //println!("{:?}\n", &buf[0x000c8900..0x000c8900+128].hex_dump());
- //println!("{:?}", &buf[0x000c9500..0x000c9500+128].hex_dump());
- let section = dll.get_section_by_name(".text")?;
- let section_ptr = section.pointer_to_raw_data.0 as usize;
- let section_len = section.size_of_raw_data as usize;
- //println!("{section:?}");
- //println!("{:?}\n", &buf[section_ptr..section_ptr+128].hex_dump());
- //println!("{:?}", &buf[ep_off.0 as usize..ep_off.0 as usize+128].hex_dump());
+ let buf = dll.get_buffer();
+ let section = dll.get_section_by_name(".text")?;
+ let section_ptr = section.pointer_to_raw_data.0 as usize;
+ let section_len = section.size_of_raw_data as usize;
 let section_data = &buf[section_ptr..section_ptr+section_len];
- println!("0x{:x}", section_data.len());
- let mut decoder = iced_x86::Decoder::with_ip(64, section_data, 0, 0);
+ let mut decoder = iced_x86::Decoder::with_ip(64, section_data, 0, 0);
 while decoder.can_decode() {
 let position = decoder.position();
 let instruction = decoder.decode();
- let opcodes = §ion_data[position..position+instruction.len()].iter().map(|x|format!("{x:>02x}")).collect::>().join(" ");
+ let opcodes = §ion_data[position..position+instruction.len()];
 //println!("0x{position:08x} {opcodes:32} {instruction}");
- if instruction.is_call_far() {
+ if (instruction.flow_control() == iced_x86::FlowControl::IndirectBranch
+ || instruction.flow_control() == iced_x86::FlowControl::IndirectCall)
+ && instruction.op0_kind() == iced_x86::OpKind::Memory {
+ match opcodes[0] {
+ 0xff => match opcodes[1] {
+ 0x10 | 0x12 | 0x13 | 0x50 | 0x52 | 0x53 | 0x55 | 0x56 | 0x57 |
+ 0x60 | 0x90 | 0x92 | 0x93 | 0x94 | 0x97 => continue,
+ _ => {},
+ },
+ 0x41 | 0x42 | 0x43 | 0x49 => match opcodes[1] {
+ 0xff => continue,
+ _ => {},
+ },
+ 0x48 => match opcodes[2] {
+ 0x20 | 0x60 | 0x62 | 0xa0 | 0xa2 
=> continue,
+ _ => {},
+ },
+ _ => {}
+ }
+ let offset = (position + section_ptr) as u32;
+ println!("0x{:08x} (0x{:08x}) {:32} {instruction}",
+ position + section_ptr,
+ dll.offset_to_rva(Offset(offset))?.0,
+ opcodes.iter().map(|x|format!("{x:>02x}")).collect::>().join(" "));
 //println!("0x{:08x} {}", decoder.position(), instruction);
- } else if instruction.is_call_far_indirect() {
- //println!("0x{:08x} {}", decoder.position(), instruction);
- } else if instruction.is_call_near() {
- //println!("0x{:08x} {}", decoder.position(), instruction);
- } else if instruction.is_call_near_indirect() {
- println!("0x{:08x} {opcodes:32} {instruction}", position+section_ptr);
- //println!("0x{:08x} {}", decoder.position(), instruction);
- return Ok(())
+ //return Ok(())
 }
 }
 }
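Review bot: The hand-written byte tables in the new `match opcodes[0]` block encode the filter as raw ModRM values and are not complete — `ff 10`/`ff 50`/`ff 90` and friends skip `call [rax]`-style forms with rax/rdx/rbx/rbp/rsi/rdi bases, but `ff 11` (`call [rcx]`), `ff 16`, `ff 17`, `ff 14 24` (`call [rsp]`) and the `4c`/`4d` REX.R/REX.RB variants are not listed, so those register-indirect sites still get printed, and the `0x48` arm reads `opcodes[2]` without ever checking that `opcodes[1]` is `0xff`. If the intent is to keep only RIP-relative (import-slot style, `ff 15`/`ff 25`) targets and drop register-based ones, iced already exposes that decision and the whole table can become `if !instruction.is_ip_rel_memory_operand() { continue; }` (or a comparison of `instruction.memory_base()` against `iced_x86::Register::RIP`) right after the `op0_kind() == OpKind::Memory` test. Whatever rule is kept, it needs a comment above the `match`, e.g. `// keep only indirect calls/jumps through a RIP-relative slot; register-based ones are skipped`, because the hex literals do not explain themselves. Separately, `(position + section_ptr) as u32` truncates silently for offsets past 4 GiB; `u32::try_from(position + section_ptr)?` would surface that instead of printing a wrong RVA. The enclosing function starts before this hunk and its end is not visible here.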