diff --git a/pages/reversing_guardianrs1.html b/pages/reversing_guardianrs1.html index 523bf0c..50eb149 100644 --- a/pages/reversing_guardianrs1.html +++ b/pages/reversing_guardianrs1.html @@ -47,7 +47,7 @@
At this stage, we'd have to reverse engineer the VMDispatcher to understand how the bytecode is encoded but I instead decided to cheat and look at the source code of the virtualizer (lol).
The bytecode follows this simple format :
| Mnemonic (1 byte) | Size of the data (1 byte) | Argument (1 byte or more) |
|---|---|---|
| 0x16 (Vmctx) | 0x08 (Qword) | None |
| 0x00 (Const) | 0x08 (Qword) | 0x20 (Rdx) |
Following this example, we can retrieve the first instructions of our function !
Using this simple logic and by looking at the existing code of Guardian-rs I could write a disassembler (code here ).
It gave me the following code :
+At this stage, we'd have to reverse engineer the VMDispatcher to understand how the bytecode is encoded but I instead decided to cheat and look at the source code of the virtualizer (lol).
The bytecode follows this simple format :
| Mnemonic (1 byte) | Size of the data (1 byte) | Argument (1 byte or more) |
|---|---|---|
| 0x16 (Vmctx) | 0x08 (Qword) | None |
| 0x00 (Const) | 0x08 (Qword) | 0x20 (Rdx) |
Following this example, we can retrieve the first instructions of our function !
Using this simple logic and by looking at the existing code of Guardian-rs I could write a disassembler (code here ).
It gave me the following code (only showing a sample because it's long) :
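Review bot: the only substantive change in this hunk is the new parenthetical on its last line ("only showing a sample because it's long"), and since the "(code here )" link points at the disassembler rather than its output, the sentence should also tell the reader where the full disassembly can be found (or that it is omitted on purpose), otherwise a reader following the link will expect the complete listing. While touching that line, the stray space inside "(code here )" and the French-style spaces before the colons ("format :", "code :") could be fixed in the same edit, as they survive unchanged on both sides. Separately, the hunk body shows a `+` marker on only one of the new lines and no `-` markers on the old ones, so the 7/7 counts in the `@@ -47,7 +47,7 @@` header do not match the lines shown; that looks like a copy or extraction artifact, but it is worth confirming the patch still applies cleanly before merging.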