From 36b16d987a914078d967d918a9edbaede9479674 Mon Sep 17 00:00:00 2001
From: ergrelet
Date: Tue, 9 Jul 2024 00:31:17 +0200
Subject: [PATCH] Scan all basic blocks for potential obfuscated code entries

---
 src/themida.rs | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/themida.rs b/src/themida.rs
index b218916..1c2229f 100644
--- a/src/themida.rs
+++ b/src/themida.rs
@@ -56,12 +56,12 @@ fn search_for_themida_code_entries(
 }
 let llil_func = func.low_level_il().ok()?;
-// TODO(ergrelet): search any basic block, not just the first one, as
-// functions might be only partially obfuscated
-if let Some(first_block) = llil_func.basic_blocks().iter().next() {
-if let Some(first_inst) = first_block.iter().next() {
+// Iterate over all basic blocks
+for llil_bb in llil_func.basic_blocks().iter() {
+// Check only the last instruction as we're looking for a JMP
+if let Some(llil_inst) = llil_bb.iter().last() {
 // Match `jmp imm` instruction
-if let llil::InstrInfo::TailCall(op) = first_inst.info() {
+if let llil::InstrInfo::TailCall(op) = llil_inst.info() {
 if let llil::ExprInfo::ConstPtr(const_operation) = op.target().info() {
 let jmp_destination = const_operation.value();
 // Check if jmp destination is inside of Themida's section
@@ -86,7 +86,7 @@ fn search_for_themida_code_entries(
 op.address(),
 func.symbol().full_name(),
 );
-return Some(CodeEntryDescription::MUTEnter(first_inst.address()));
+return Some(CodeEntryDescription::MUTEnter(llil_inst.address()));
 }
 }
 }
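Review bot: The new `for llil_bb in llil_func.basic_blocks().iter()` loop still leaves the function on the first hit (`return Some(CodeEntryDescription::MUTEnter(llil_inst.address()))` in the second hunk), so a partially obfuscated function that enters Themida's section from more than one basic block still reports a single entry, which is narrower than the commit title suggests; if that is intended, a comment on the `for` line such as `// Only the first matching block is reported; a function with several entries into the protected section yields one result` would stop the next reader from assuming every entry is collected. Which block wins then depends on the order `basic_blocks()` yields them, which I do not believe is guaranteed to be by address, so the reported entry may not be the lowest-address one — worth confirming against the Binary Ninja API and, if needed, sorting on `llil_inst.address()` before returning. The section check that follows `jmp_destination` lies outside the first hunk, and `search_for_themida_code_entries` itself starts before the first hunk and ends after the second.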