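/// <summary>
/// Classifies a Capstone x86 instruction id as one the scanner inspects: CALL, the
/// conditional/unconditional jumps listed in the switch, the PUSH family (PUSH,
/// PUSHA/PUSHAW, PUSHF/PUSHFD/PUSHFQ) and MOV.
/// </summary>
/// <param name="id">Capstone instruction id to classify.</param>
/// <returns>True when <paramref name="id"/> is in the fixed set above; false otherwise.</returns>
/// <remarks>
/// The original allocated a 26-element List and linearly searched it on every call; since
/// this is invoked once per disassembled instruction, the set is expressed as a switch so
/// the call is allocation-free. The membership is unchanged.
/// NOTE(review): the set contains JE but not JNE, and JG/JGE/JL but not JLE. The original
/// had the same gaps and they are preserved here; confirm whether they are intentional.
/// </remarks>
public static bool ShouldCheckInstruction(X86InstructionId id)
{
    switch (id)
    {
        case X86InstructionId.X86_INS_CALL:
        case X86InstructionId.X86_INS_JAE:
        case X86InstructionId.X86_INS_JA:
        case X86InstructionId.X86_INS_JBE:
        case X86InstructionId.X86_INS_JB:
        case X86InstructionId.X86_INS_JCXZ:
        case X86InstructionId.X86_INS_JECXZ:
        case X86InstructionId.X86_INS_JE:
        case X86InstructionId.X86_INS_JGE:
        case X86InstructionId.X86_INS_JG:
        case X86InstructionId.X86_INS_JL:
        case X86InstructionId.X86_INS_JMP:
        case X86InstructionId.X86_INS_JNO:
        case X86InstructionId.X86_INS_JNP:
        case X86InstructionId.X86_INS_JNS:
        case X86InstructionId.X86_INS_JO:
        case X86InstructionId.X86_INS_JP:
        case X86InstructionId.X86_INS_JRCXZ:
        case X86InstructionId.X86_INS_JS:
        case X86InstructionId.X86_INS_PUSH:
        case X86InstructionId.X86_INS_PUSHAL:
        case X86InstructionId.X86_INS_PUSHAW:
        case X86InstructionId.X86_INS_PUSHF:
        case X86InstructionId.X86_INS_PUSHFD:
        case X86InstructionId.X86_INS_PUSHFQ:
        case X86InstructionId.X86_INS_MOV:
            return true;
        default:
            return false;
    }
}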
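private void ps4KernelDlSymRetrieveSymbols(Byte[] buffer)
{
    // Disassembles `buffer` as 64-bit x86 and records symbol names resolved through
    // ps4KernelDlSym into `sympool`, keyed by the address of the instruction that
    // loads the symbol string.
    //
    // Pattern matched (each condition is visible in the checks below):
    //   instructions[idx - 1] : MOVABS that ParseSymbolReference turns into a symbol name
    //   instructions[idx]     : MOVABS whose operand text contains the ps4KernelDlSym address
    //   instructions[idx + 1] : the "target" (its operand/bytes are presumably the CALL
    //                           through the register just loaded — TODO confirm)
    // After a match the scan continues forward for further CALLs with the same operand
    // and encoding, each preceded by another parsable symbol reference, and stops at a
    // RET, at skipped data, or at a MOVABS that reloads the target register.
    //
    // `buffer` is untrusted binary input (a memory/kernel dump). The original indexed
    // instructions[i - 2] and instructions[i + 1] unconditionally and so threw
    // (NullReferenceException / IndexOutOfRangeException) when the match sat at the
    // start or within the last two instructions; those cases now simply do not match.
    if (buffer == null)
    {
        throw new ArgumentNullException("buffer");
    }

    using (CapstoneX86Disassembler disassembler = CapstoneDisassembler.CreateX86Disassembler(X86DisassembleMode.Bit64))
    {
        disassembler.EnableInstructionDetails = true;
        disassembler.DisassembleSyntax = DisassembleSyntax.Intel;
        // Skip-data mode is deliberately left off (the original had it commented out),
        // so IsSkippedData is only set if the disassembler enables it by default.

        X86Instruction[] instructions = disassembler.Disassemble(buffer);

        // Hoisted out of the loop: the ps4KernelDlSym address is fixed for the whole scan,
        // while the original re-formatted it for every instruction.
        String ps4KernelDlSym = GetMemoryAddress((UInt64)ps4KernelDlSym_offset).ToString("x");

        for (int idx = 0; idx < instructions.Length; idx++)
        {
            X86Instruction instruction = instructions[idx];
            if (instruction.IsSkippedData)
            {
                continue;
            }

            // NOTE(review): this is a substring test on the hex text, so an operand whose
            // immediate merely ends with the same digits also matches; confirm an exact
            // operand comparison is not wanted here.
            if (instruction.Id != X86InstructionId.X86_INS_MOVABS || !instruction.Operand.Contains(ps4KernelDlSym))
            {
                continue;
            }

            // Both neighbours are required: the symbol MOVABS before, the target after.
            if (idx == 0 || idx + 1 >= instructions.Length)
            {
                continue;
            }

            X86Instruction lastInsn = instructions[idx - 1];
            if (lastInsn.Id != X86InstructionId.X86_INS_MOVABS)
            {
                continue;
            }

            String symbolReg = "";
            var symbolName = ParseSymbolReference(lastInsn, out symbolReg);
            if (symbolName != "")
            {
                // NOTE(review): if sympool is a Dictionary, a second hit at the same address
                // throws ArgumentException here — confirm addresses are unique or use the indexer.
                sympool.Add(lastInsn.Address, symbolName);
            }

            // after we have got a symbol, find for near ps4KernelDlSym references
            X86Instruction target = instructions[idx + 1];
            var targetReg = target.Operand;
            var targetBytes = target.Bytes;

            // Starts two past the target, matching the original's `i + 2` with its 1-based `i`.
            // NOTE(review): the instruction directly after the target is therefore never
            // examined as a CALL or as a reload of targetReg — confirm that is intended.
            for (int x = idx + 3; x < instructions.Length; x++)
            {
                var instruct = instructions[x];
                // Stop at end of function, at undecodable data, or when the target register
                // is reloaded (MOVABS whose destination operand equals targetReg).
                if (instruct == null
                    || instruct.IsSkippedData
                    || instruct.Id == X86InstructionId.X86_INS_RET
                    || (instruct.Id == X86InstructionId.X86_INS_MOVABS && instruct.Operand.Split(',')[0] == targetReg))
                {
                    break;
                }
                if (instruct.Id != X86InstructionId.X86_INS_CALL)
                {
                    continue;
                }

                var reg = instruct.Operand;
                var prev_sym_reg = symbolReg;
                // Non-short-circuit `&` is kept from the original on purpose: ParseSymbolReference
                // runs, and overwrites symbolName/symbolReg, for EVERY call in range, not only
                // calls through targetReg, and prev_sym_reg on the next call sees that value.
                // NOTE(review): this looks like it was meant to be `&&`; changing it alters which
                // calls get attributed, so it is left as-is pending confirmation.
                if (reg == targetReg & (symbolName = ParseSymbolReference(instructions[x - 1], out symbolReg)) != "")
                {
                    // Same encoding as the target CALL and the symbol string travels in the
                    // same register as in the first match.
                    if (targetBytes.SequenceEqual(instruct.Bytes) && symbolReg == prev_sym_reg)
                    {
                        sympool.Add(instructions[x - 1].Address, symbolName);
                    }
                }
            }
        }
    }
}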