sample1-virt-anti-branch-analysis-branchFuns.py
#!/usr/bin/env python2
## -*- coding: utf-8 -*-
import sys
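def sx(bits, value):
    """Sign-extend the low *bits* bits of *value* to a Python integer.

    Bit ``bits - 1`` is treated as the sign bit: the bits below it are kept
    as a non-negative magnitude and the sign bit's weight is subtracted.
    Any bits of *value* above position ``bits - 1`` are ignored.

    Args:
        bits: Width of the two's-complement field; must be at least 1.
        value: Integer whose low *bits* bits hold the field.

    Returns:
        The signed value, in the range ``-(2**(bits-1)) .. 2**(bits-1) - 1``.

    Raises:
        ValueError: If *bits* is less than 1.
    """
    # A width below 1 would reach the shift as a negative count; reject it
    # up front with a message that names the actual problem.
    if bits < 1:
        raise ValueError("bits must be a positive integer")
    sign_bit = 1 << (bits - 1)
    return (value & (sign_bit - 1)) - (value & sign_bit)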
# Straight-line evaluation of a single 64-bit expression over one integer
# input. Every line assigns a fresh ref_N name; most are plain copies, and
# the trailing comments name the machine operation each line stands for.
# NOTE(review): the shape suggests tool-generated output; confirm the
# producing tool before editing by hand, since the ref_N ids presumably map
# back to its expression ids.
#
# Input handling: int() raises ValueError on a non-integer argument, and a
# missing argument raises IndexError. The value is NOT reduced to 64 bits, so
# the SHR lines below act on Python's unbounded integers. The "rotate"
# readings in the comments that follow hold only for 0 <= SymVar_0 < 2**64.
# NOTE(review): confirm the input width of the program this was derived from.
SymVar_0 = int(sys.argv[1])
ref_264 = SymVar_0
ref_279 = ref_264 # MOV operation
# --- ref_33297: (input >> 7) | (input << 57, masked to 64 bits).
# 7 + 0x39 (57) = 64, so for a 64-bit input this is a rotate right by 7.
ref_21098 = ref_279 # MOV operation
ref_22230 = ref_21098 # MOV operation
ref_22238 = (ref_22230 >> (0x7 & 0x3F)) # SHR operation
ref_22245 = ref_22238 # MOV operation
ref_27573 = ref_279 # MOV operation
ref_28146 = ref_27573 # MOV operation
ref_28160 = ((ref_28146 << (0x39 & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_28687 = ref_22245 # MOV operation
ref_28691 = ref_28160 # MOV operation
ref_28693 = (ref_28691 | ref_28687) # OR operation
ref_33297 = ref_28693 # MOV operation
# --- ref_40202: ((ref_33297 + 0x2D4AF89B) mod 2**64) & 0x1D5ABF66.
ref_38483 = ref_33297 # MOV operation
ref_39037 = ref_38483 # MOV operation
ref_39039 = ((ref_39037 + 0x2D4AF89B) & 0xFFFFFFFFFFFFFFFF) # ADD operation
ref_40200 = ref_39039 # MOV operation
ref_40202 = (ref_40200 & 0x1D5ABF66) # AND operation
# --- ref_57681: same shift/OR shape with counts 0xB (11) and 0x35 (53),
# i.e. a rotate right by 11 of a 64-bit input, minus ref_40202 mod 2**64.
ref_44948 = ref_279 # MOV operation
ref_46080 = ref_44948 # MOV operation
ref_46088 = (ref_46080 >> (0xB & 0x3F)) # SHR operation
ref_46095 = ref_46088 # MOV operation
ref_51423 = ref_279 # MOV operation
ref_51996 = ref_51423 # MOV operation
ref_52010 = ((ref_51996 << (0x35 & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_52537 = ref_46095 # MOV operation
ref_52541 = ref_52010 # MOV operation
ref_52543 = (ref_52541 | ref_52537) # OR operation
ref_53101 = ref_52543 # MOV operation
ref_53113 = ref_40202 # MOV operation
ref_53115 = ((ref_53101 - ref_53113) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_53123 = ref_53115 # MOV operation
ref_57681 = ref_53123 # MOV operation
# --- ref_68125: (input - 0xE8D4346) mod 2**64.
ref_63009 = ref_279 # MOV operation
ref_63545 = ref_63009 # MOV operation
ref_63559 = ((ref_63545 - 0xE8D4346) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_63567 = ref_63559 # MOV operation
ref_68125 = ref_63567 # MOV operation
# --- ref_83761: (input - ((0x20453EE3 + ref_33297) mod 2**64)) mod 2**64.
ref_72722 = ref_33297 # MOV operation
ref_73861 = ref_72722 # MOV operation
ref_73867 = ((0x20453EE3 + ref_73861) & 0xFFFFFFFFFFFFFFFF) # ADD operation
ref_78645 = ref_279 # MOV operation
ref_79181 = ref_78645 # MOV operation
ref_79193 = ref_73867 # MOV operation
ref_79195 = ((ref_79181 - ref_79193) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_79203 = ref_79195 # MOV operation
ref_83761 = ref_79203 # MOV operation
# --- ref_114528: (((ref_33297 | ref_68125) & 0x3F) << 4) | ref_33297.
ref_94354 = ref_33297 # MOV operation
ref_101905 = ref_68125 # MOV operation
ref_107107 = ref_33297 # MOV operation
ref_107642 = ref_101905 # MOV operation
ref_107646 = ref_107107 # MOV operation
ref_107648 = (ref_107646 | ref_107642) # OR operation
ref_108204 = ref_107648 # MOV operation
ref_108218 = (0x3F & ref_108204) # AND operation
ref_108785 = ref_108218 # MOV operation
ref_108799 = ((ref_108785 << (0x4 & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_109326 = ref_94354 # MOV operation
ref_109330 = ref_108799 # MOV operation
ref_109332 = (ref_109330 | ref_109326) # OR operation
ref_114528 = ref_109332 # MOV operation
# --- First data-dependent shift pair, applied to ref_57681.
# count = ((ref_114528 >> 1) & 0xF) | 1, an odd value from 1 to 15.
# The count is narrowed to its low byte and then to 6 bits (& 0x3F) before
# the shift is applied.
ref_119125 = ref_57681 # MOV operation
ref_124916 = ref_114528 # MOV operation
ref_126048 = ref_124916 # MOV operation
ref_126056 = (ref_126048 >> (0x1 & 0x3F)) # SHR operation
ref_126063 = ref_126056 # MOV operation
ref_126584 = ref_126063 # MOV operation
ref_126598 = (0xF & ref_126584) # AND operation
ref_127716 = ref_126598 # MOV operation
ref_127722 = (0x1 | ref_127716) # OR operation
ref_128287 = ref_119125 # MOV operation
ref_128291 = ref_127722 # MOV operation
ref_128293 = (ref_128291 & 0xFFFFFFFF) # MOV operation
ref_128295 = (ref_128287 >> ((ref_128293 & 0xFF) & 0x3F)) # SHR operation
ref_128302 = ref_128295 # MOV operation
# The same count is recomputed from ref_114528 and subtracted from 0x40 to
# get the complementary left-shift amount (49 to 63).
ref_134080 = ref_114528 # MOV operation
ref_135212 = ref_134080 # MOV operation
ref_135220 = (ref_135212 >> (0x1 & 0x3F)) # SHR operation
ref_135227 = ref_135220 # MOV operation
ref_135748 = ref_135227 # MOV operation
ref_135762 = (0xF & ref_135748) # AND operation
ref_136880 = ref_135762 # MOV operation
ref_136886 = (0x1 | ref_136880) # OR operation
ref_138045 = ref_136886 # MOV operation
ref_138047 = ((0x40 - ref_138045) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_138055 = ref_138047 # MOV operation
# --- ref_150128: (ref_57681 >> count) | (ref_57681 << (0x40 - count)),
# masked to 64 bits. ref_57681 was masked when it was computed, so this is
# a rotate right of ref_57681 by count.
ref_142641 = ref_57681 # MOV operation
ref_143214 = ref_142641 # MOV operation
ref_143226 = ref_138055 # MOV operation
ref_143228 = ((ref_143214 << ((ref_143226 & 0xFF) & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_143755 = ref_128302 # MOV operation
ref_143759 = ref_143228 # MOV operation
ref_143761 = (ref_143759 | ref_143755) # OR operation
ref_150128 = ref_143761 # MOV operation
# --- ref_166214: (ref_150128 - ref_83761) mod 2**64.
ref_154725 = ref_83761 # MOV operation
ref_161098 = ref_150128 # MOV operation
ref_161634 = ref_161098 # MOV operation
ref_161646 = ref_154725 # MOV operation
ref_161648 = ((ref_161634 - ref_161646) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_161656 = ref_161648 # MOV operation
ref_166214 = ref_161656 # MOV operation
# --- ref_187548: final left-shift count,
# (((ref_83761 | ref_166214) >> 1) & 0x7) | 1, an odd value from 1 to 7.
ref_179569 = ref_166214 # MOV operation
ref_184179 = ref_83761 # MOV operation
ref_184714 = ref_179569 # MOV operation
ref_184718 = ref_184179 # MOV operation
ref_184720 = (ref_184718 | ref_184714) # OR operation
ref_185874 = ref_184720 # MOV operation
ref_185882 = (ref_185874 >> (0x1 & 0x3F)) # SHR operation
ref_185889 = ref_185882 # MOV operation
ref_186410 = ref_185889 # MOV operation
ref_186424 = (0x7 & ref_186410) # AND operation
ref_187542 = ref_186424 # MOV operation
ref_187548 = (0x1 | ref_187542) # OR operation
# --- Second data-dependent shift pair, applied to ref_114528.
# count = (ref_57681 & 0xF) | 1, an odd value from 1 to 15.
ref_192180 = ref_114528 # MOV operation
ref_197379 = ref_57681 # MOV operation
ref_197913 = ref_197379 # MOV operation
ref_197927 = (0xF & ref_197913) # AND operation
ref_199045 = ref_197927 # MOV operation
ref_199051 = (0x1 | ref_199045) # OR operation
ref_199616 = ref_192180 # MOV operation
ref_199620 = ref_199051 # MOV operation
ref_199622 = (ref_199620 & 0xFFFFFFFF) # MOV operation
ref_199624 = (ref_199616 >> ((ref_199622 & 0xFF) & 0x3F)) # SHR operation
ref_199631 = ref_199624 # MOV operation
# Complementary left-shift amount: 0x40 - count, recomputed from ref_57681.
ref_204817 = ref_57681 # MOV operation
ref_205351 = ref_204817 # MOV operation
ref_205365 = (0xF & ref_205351) # AND operation
ref_206483 = ref_205365 # MOV operation
ref_206489 = (0x1 | ref_206483) # OR operation
ref_207648 = ref_206489 # MOV operation
ref_207650 = ((0x40 - ref_207648) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_207658 = ref_207650 # MOV operation
# --- ref_213364: (ref_114528 >> count) | (ref_114528 << (0x40 - count)),
# masked to 64 bits; a rotate right by count when ref_114528 fits in
# 64 bits, which it does for a 64-bit input.
ref_212244 = ref_114528 # MOV operation
ref_212817 = ref_212244 # MOV operation
ref_212829 = ref_207658 # MOV operation
ref_212831 = ((ref_212817 << ((ref_212829 & 0xFF) & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_213358 = ref_199631 # MOV operation
ref_213362 = ref_212831 # MOV operation
ref_213364 = (ref_213362 | ref_213358) # OR operation
# --- Result: ref_213364 shifted left by ref_187548, truncated to 64 bits.
ref_213959 = ref_213364 # MOV operation
ref_213971 = ref_187548 # MOV operation
ref_213973 = ((ref_213959 << ((ref_213971 & 0xFF) & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_218656 = ref_213973 # MOV operation
ref_219770 = ref_218656 # MOV operation
ref_219772 = ref_219770 # MOV operation
# Python 2 print statement: this line is a SyntaxError under Python 3.
# The final mask changes nothing, because ref_213973 is already masked to
# 64 bits. The result is printed in decimal.
print ref_219772 & 0xffffffffffffffff