def jmp_parser(instruction_data, opcode_id, capstone_instance, d, pc): if not u_li32(instruction_data[5:9]): handler = idaapi.get_imagebase() + u_li32(instruction_data[9:13]) jmp_id = Instruction64.parse_handler(handler, capstone_instance) vm_offset = d.find_instruction_by_id(jmp_id) if jmp_id and not (vm_offset is None): mnemonic = "vcall" operand1 = InsOperand(vm_offset, is_vm_offset=True, mode=64) operand2 = None i = Instruction64(opcode_id, instruction_data, operand1, operand2, mnemonic, is_call=True, is_virtual_call=True, call_handler=handler, virtual_call_id=jmp_id) return i mnemonic = "jmp" offset = (pc + u_li32(instruction_data[5:9])) & 0xFFFFFFFF operand1 = InsOperand(offset, is_vm_offset=True, mode=64) operand2 = None i = Instruction64(opcode_id, instruction_data, operand1, operand2, mnemonic, is_branch=True, branch_target=offset) return i
def shlr0imm8(instruction_data, opcode_id, capstone_instance, d, pc): imm8 = u_li32(instruction_data[4:8]) & 0xff mnem = "shl" operand1 = InsOperand(0, is_tmp_reg=True) operand2 = InsOperand(imm8, is_const=True) i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem) return i
def addr0imm32_parser(instruction_data, opcode_id, capstone_instance, d, pc): mnem = "add" operand1 = InsOperand(0, is_tmp_reg=True) operand2 = InsOperand(u_li32(instruction_data[4:8]), is_const=True) i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem, is_data_transfer=True) return i
def movr0reg_parser(instruction_data, opcode_id, capstone_instance, d, pc): mnem = "mov" operand1 = InsOperand(0, is_tmp_reg=True) r_index = u_li32(instruction_data[4:8]) operand2 = InsOperand(r_index, is_reg=True) i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem, is_data_transfer=True) return i
def movregrefr0_parser(instruction_data, opcode_id, capstone_instance, d, pc): mnem = "mov" r_index = u_li32(instruction_data[4:8]) / 8 operand1 = InsOperand(r_index, is_reg=True, mode=64) operand2 = InsOperand(0, is_ref_tmp_reg=True, mode=64) i = Instruction64(opcode_id, instruction_data, operand1, operand2, mnem, is_data_transfer=True) return i
def jge_parser(instruction_data, opcode_id, capstone_instance, d, pc): mnem = "rmf.jge" offset = (pc + u_li32(instruction_data[5:9])) & 0xFFFFFFFF operand1 = InsOperand(offset, is_vm_offset=True) operand2 = None i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem, is_branch=True, branch_target=offset) return i
def jmp_parser(instruction_data, opcode_id, capstone_instance, d, pc): offset = u_li32(instruction_data[5:9]) if offset: mnem = "jmp" operand1 = InsOperand((offset + pc) & 0xFFFFFFFF, is_vm_offset=True) operand2 = None i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem, is_branch=True, branch_target=(offset + pc) & 0xFFFFFFFF) return i else: imm32 = u_li32(instruction_data[9:13]) mnem = "cmovnae" operand2 = InsOperand(0, is_reg=True) operand1 = InsOperand(imm32, is_const=True) i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem) return i
def call_parser(instruction_data, opcode_id, capstone_instance, d, pc): handler = idaapi.get_imagebase() + u_li32(instruction_data[8:12]) handler_name = idc.Name(handler) if handler_name: mnem = "mcall" operand1 = InsOperand(handler_name, is_mf_name=True) operand2 = None i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem, is_call=True, call_handler=handler) return i if idc.GetMnem(handler) in Instruction32.branching_mnemonics and idc.GetOpType(handler, 0) == idc.o_mem \ and idc.Name(idc.GetOperandValue(handler, 0)): handler_name = idc.Name(idc.GetOperandValue(handler, 0)) mnem = "mcall" operand1 = InsOperand(handler_name, is_mf_name=True) operand2 = None i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem, is_call=True, call_handler=handler) return i jmp_id = Instruction32.parse_handler(handler, capstone_instance) vm_offset = d.find_instruction_by_id(jmp_id) if jmp_id and not (vm_offset is None): mnem = "vcall" operand1 = InsOperand(vm_offset, is_vm_offset=True) operand2 = None i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem, is_call=True, call_handler=handler, is_virtual_call=True, virtual_call_id=jmp_id) return i mnem = "(d|ic; Handler: %s)jmp" % (hex(handler)) operand1 = InsOperand("<unparesd>", is_clean_str=True) operand2 = None i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem, is_bad_instruction=True) return i