4.1 packed data decoding mechanism ripper
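// Scans the instruction stream starting at `addr` (legacy IDA SDK API: decode_insn()
// fills the global `cmd`) and recovers the layout used by a packed-data decoder:
//   - every `cmp [reg+disp], 0` contributes one entry to `mask` (the bit-test offsets),
//   - every following `mov x, [reg+disp]` on the same base register contributes one
//     entry to `bytes` (the byte-load offsets).
// Both sequences are printed via msg() as C# array initialisers, relative to the
// lowest mask displacement seen, so they can be pasted into a client-side decoder.
//
// addr: address at which to start decoding.
// Stops with a diagnostic when an int3 or an undecodable byte is reached before
// enough loads were collected.
void decodePackedData(ea_t addr)
{
    int insn_size = 0;
    ea_t regbase = 65536;   // smallest displacement seen; 65536 is a sentinel above any real offset
    uint16 reg = 0;         // base register of the cmp displacements; meaningful once mask is non-empty
    qvector<int> mask;
    mask.reserve(16);
    qvector<int> bytes;
    bytes.reserve(16);

    while ((insn_size = decode_insn(addr)) != 0)
    {
        if (cmd.itype == NN_int3)
        {
            // Inter-function padding: the decoder body ended without yielding
            // a complete byte sequence.
            insn_size = 0;
            break;
        }
        else if (cmd.itype == NN_cmp)
        {
            const op_t src = cmd.Op1;
            const op_t op = cmd.Op2;
            // `cmp [reg+disp], 0` -> one mask offset.
            if (op.type == o_imm && op.value == 0 && src.type == o_displ)
            {
                reg = src.phrase;
                regbase = min(src.addr, regbase);
                mask.push_back(src.addr);
            }
        }
        else if (cmd.itype == NN_mov)
        {
            const op_t op = cmd.Op2;
            // `mov x, [reg+disp]` -> one byte offset. `reg` is only valid after the
            // first cmp has been seen; before that its initial value 0 would also
            // match a displacement on register index 0, collecting spurious loads.
            if (!mask.empty() && op.type == o_displ && op.phrase == reg)
            {
                bytes.push_back(op.addr);
                if (bytes.size() == mask.size())
                    break;
            }
        }
        //msg("Insn at %a (size=%d) is %d\n", addr, insn_size, cmd.itype);
        addr += insn_size;
    }

    if (insn_size == 0)
    {
        msg("Stepped into non-instruction\n");
        return;
    }

    const int32 mask_count = int32(mask.size());
    const int32 byte_count = int32(bytes.size());
    // Explicit int casts: msg() is printf-like, and size_t / ea_t do not match %d.
    msg("mask=%d, bytes=%d\n", int(mask_count), int(byte_count));
    if (mask_count % 8 != 0)
        msg("Warning: mask length %d is not a multiple of 8; last group is partial\n", int(mask_count));

    // Mask entries are emitted in groups of 8, each group in reverse order.
    msg("protected override int[] MaskSequence { get { return new int[] { ");
    for (int32 i = 0; i < mask_count; i += 8)
    {
        // Clamp the group end so a partial trailing group never reads past the vector.
        const int32 last = min(i + 8, mask_count) - 1;
        for (int32 j = last; j >= i; --j)
            msg("%d, ", int(mask[j] - regbase));
    }
    msg("}; } }\n");

    msg("protected override int[] ByteSequence { get { return new int[] { ");
    for (int32 i = 0; i < byte_count; ++i)
        msg("%d, ", int(bytes[i] - regbase));
    msg("}; } }\n");
}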