diff --git a/popnhax/omnimix_patch.cc b/popnhax/omnimix_patch.cc index d9bb771..8eab33d 100644 --- a/popnhax/omnimix_patch.cc +++ b/popnhax/omnimix_patch.cc @@ -24,6 +24,7 @@ #define NUM_IDX 5 bst_t *g_xref_bst = NULL; +bst_t *g_data_xref_bst = NULL; typedef struct table_s { char *name; @@ -76,41 +77,44 @@ uint32_t *find_binary_xref(char *data, DWORD dllSize, const char *search_pattern uint32_t get_table_size_by_xref(char *data, DWORD data_size, uint32_t *ea, uint32_t entry_size) { - fprintf(stderr, "get table size by xref\n"); + //fprintf(stderr, "get table size by xref\n"); uint32_t *orig_ea = ea; // Skip 10 entries because why not. We're looking for the end anyway ea = (uint32_t*)((uint32_t)ea+(entry_size*10)); - fprintf(stderr, "orig ea %p, entry size %u, ea %p\n", orig_ea, entry_size, ea); + //fprintf(stderr, "orig ea %p, entry size %u, ea %p\n", orig_ea, entry_size, ea); bool found = false; while (!found) { - uint32_t curr_limit = (((uint32_t)ea)-((uint32_t)orig_ea))/entry_size; - uint32_t *as_int = (uint32_t*)&ea; + //uint32_t curr_limit = (((uint32_t)ea)-((uint32_t)orig_ea))/entry_size; //fprintf(stderr, "limit candidate %u, looking for xref to %0X\n", curr_limit, *as_int); if ( bst_search(g_xref_bst, *as_int) != NULL ) { //fprintf(stderr, "found .text XREF in BST\n"); - found=true; - } else { - //look for Xref in data section - char *as_hex = (char*)&ea; - uint32_t *xref = find_binary(data, data_size, as_hex, 4, 0, 0); - if ( xref != NULL ) - { - //fprintf(stderr, "found .data XREF at addr %p\n", xref); - found = true; - } - } + found = true; + } else if ( bst_search(g_data_xref_bst, *as_int) != NULL ) + { + //fprintf(stderr, "found .data XREF at addr %p\n", xref); + found = true; + } /* else { + //look for Xref in data section + char *as_hex = (char*)&ea; + uint32_t *xref = find_binary(data, data_size, as_hex, 4, 0, 0); + if ( xref != NULL ) + { + fprintf(stderr, "found .data XREF at addr %p\n", xref); + found = true; + } + }*/ if (!found) ea = (uint32_t*)((uint32_t)ea+entry_size); } - fprintf(stderr, "found value %u (ea = %p, orig_ea = %p, entry size = %u)\n", ((((uint32_t)ea)-((uint32_t)orig_ea))/entry_size), ea, orig_ea, entry_size); + //fprintf(stderr, "found value %u (ea = %p, orig_ea = %p, entry size = %u)\n", ((((uint32_t)ea)-((uint32_t)orig_ea))/entry_size), ea, orig_ea, entry_size); return (((uint32_t)ea)-((uint32_t)orig_ea))/entry_size; } @@ -121,26 +125,21 @@ void print_cb(x86_insn_t *insn, void *arg) fprintf(stderr,"%s\n", line); } -static void add_xref_to_bst(uint32_t addr) +static void add_xref_to_bst(bst_t **bst, uint32_t addr) { - if ( bst_search(g_xref_bst, addr) == NULL ) + if ( bst_search(*bst, addr) == NULL ) { //LOG("added addr %0X to BST\n", addr); - g_xref_bst = bst_insert(g_xref_bst, addr); + *bst = bst_insert(*bst, addr); } } void add_xref(x86_insn_t *insn, void *arg) { - //char line[LINE_SIZE]; /* buffer of line to print */ - //x86_format_insn(insn, line, LINE_SIZE, intel_syntax); - //LOG("%s\n", line); - //LOG("it has %u operands\n", insn->operand_count); - uint32_t addr = x86_get_address(insn); if ( addr != 0 ) { - add_xref_to_bst(addr); + add_xref_to_bst(&g_xref_bst, addr); //LOG("found ref to %0X at ea %0X\n", addr, insn->addr); //fprintf(stderr, "\n"); return; @@ -152,7 +151,7 @@ void add_xref(x86_insn_t *insn, void *arg) { x86_ea_t exp = op->data.expression; // LOG("(expression) disp is %0X\n", exp.disp); - add_xref_to_bst(exp.disp); + add_xref_to_bst(&g_xref_bst, exp.disp); } op = x86_operand_2nd(insn); @@ -160,7 +159,7 @@ void add_xref(x86_insn_t *insn, void *arg) { x86_ea_t exp = op->data.expression; // LOG("(expression) disp is %0X\n", exp.disp); - add_xref_to_bst(exp.disp); + add_xref_to_bst(&g_xref_bst, exp.disp); } op = x86_operand_3rd(insn); @@ -168,11 +167,8 @@ void add_xref(x86_insn_t *insn, void *arg) { x86_ea_t exp = op->data.expression; // LOG("(expression) disp is %0X\n", exp.disp); - add_xref_to_bst(exp.disp); + add_xref_to_bst(&g_xref_bst, exp.disp); } - - - /* bst_search(g_xref_bst, idx) == NULL */ } @@ -218,13 +214,33 @@ for (WORD SectionIndex = 0; SectionIndex < headers->FileHeader.NumberOfSections; LOG("data section size %lX, addr %p, beginning %02X %02X %02X %02X\n", data_size, data, data[0], data[1], data[2], data[3]); LOG("rdata section size %lX, addr %p, beginning %02X %02X %02X %02X\n", rdata_size, rdata, rdata[0], rdata[1], rdata[2], rdata[3]); - // disassemble .text section and add all xrefs to our BST - LOG("START DISASSEMBLY\n"); + //add all data xrefs to BST (take anything which looks like 0x10****** in .data section) + { + LOG("Parsing .data section... "); + uint32_t *data_ea = 0; + while (true) + { + int64_t pattern_offset = search(data, data_size -((uint32_t) data_ea)-1, "\x10", 1, ((uint32_t) data_ea)+1); + if (pattern_offset == -1) + break; + + data_ea = (uint32_t *) ((uint32_t)data + pattern_offset - 3); + uint32_t *as_int = (uint32_t*)data_ea; + + //LOG("found %X at offset %p\n", *as_int, data_ea); + //LOG("adding %X to data bst\n", *as_int); + add_xref_to_bst(&g_data_xref_bst, *as_int); + data_ea = (uint32_t *) (pattern_offset); + } + LOG("done\n"); + } + + // disassemble .text section and add all xrefs to BST + LOG("Disassemble .text section... "); x86_init(opt_none, NULL, NULL); unsigned int num_insn = x86_disasm_range( (unsigned char *)text, (uint32_t) buf, 0, text_size, &add_xref, NULL); - LOG("parsed %u instructions\n", num_insn); - LOG("END DISASSEMBLY\n"); + LOG("done (%u instructions)\n", num_insn); x86_cleanup(); /* instruction table is done */