#!/usr/bin/env python2
## -*- coding: utf-8 -*-
import sys
def sx(bits, value):
    """Sign-extend the low *bits* bits of *value* to a Python integer.

    The top bit of the *bits*-wide field is treated as the two's-complement
    sign: the result is the field's magnitude bits minus the weight of the
    sign bit when that bit is set.  Bits of *value* above the field are
    ignored.  The statements visible in this listing do not call this helper.
    """
    top = 1 << (bits - 1)        # weight of the sign bit within the field
    magnitude = value & (top - 1)
    sign_part = value & top      # either 0 or `top`
    return magnitude - sign_part
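# Straight-line, single-assignment replay of a 64-bit computation: each ref_N
# is assigned exactly once and the trailing comment names the machine
# operation the line stands for.  Most lines are plain copies (MOV); the
# section comments below give the arithmetic each run of lines reduces to.
#
# Notation used in the section comments:
#   x            the input, as an unsigned 64-bit value
#   M            0xFFFFFFFFFFFFFFFF
#   ror64(v, k)  (v >> k) | ((v << (64 - k)) & M)
#
# Reduced form of the whole listing:
#   A = ror64(x, 7)
#   B = ror64(x, 11)
#   C = (B - ((A + 0x2D4AF89B) & 0x1D5ABF66)) & M
#   D = (x - 0xE8D4346) & M
#   E = (x - (A + 0x20453EE3)) & M
#   F = A | (((A | D) & 0x3F) << 4)
#   G = ror64(C, ((F >> 1) & 0xF) | 1)
#   H = (G - E) & M
#   I = ror64(F, (C & 0xF) | 1)
#   result = (I << ((((E | H) >> 1) & 0x7) | 1)) & M

# The SHR lines below do not mask their operand, so they only model a 64-bit
# logical shift when the input already fits in 64 bits.  Truncate here so that
# negative or oversized arguments cannot leak sign/high bits into the result.
# Inputs already in [0, 2**64) are unaffected.
SymVar_0 = int(sys.argv[1]) & 0xFFFFFFFFFFFFFFFF
ref_264 = SymVar_0
ref_279 = ref_264 # MOV operation

# --- A = ror64(x, 7): (x >> 7) | (x << 57) -> ref_287413 ---
ref_95704 = ref_279 # MOV operation
ref_95772 = ref_95704 # MOV operation
ref_104013 = ref_95772 # MOV operation
ref_104073 = ref_104013 # MOV operation
ref_104087 = (ref_104073 >> (0x7 & 0x3F)) # SHR operation
ref_104180 = ref_104087 # MOV operation
ref_187339 = ref_279 # MOV operation
ref_187407 = ref_187339 # MOV operation
ref_193966 = ref_187407 # MOV operation
ref_195716 = ref_193966 # MOV operation
ref_195724 = ((ref_195716 << (0x39 & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_195731 = ref_195724 # MOV operation
ref_195819 = ref_195731 # MOV operation
ref_204398 = ref_104180 # MOV operation
ref_206080 = ref_195819 # MOV operation
ref_206148 = ref_204398 # MOV operation
ref_206152 = ref_206080 # MOV operation
ref_206154 = (ref_206152 | ref_206148) # OR operation
ref_206247 = ref_206154 # MOV operation
ref_287345 = ref_206247 # MOV operation
ref_287413 = ref_287345 # MOV operation

# --- B = ror64(x, 11): (x >> 11) | (x << 53) -> ref_481115 ---
ref_370572 = ref_279 # MOV operation
ref_370640 = ref_370572 # MOV operation
ref_378881 = ref_370640 # MOV operation
ref_378941 = ref_378881 # MOV operation
ref_378955 = (ref_378941 >> (0xB & 0x3F)) # SHR operation
ref_379048 = ref_378955 # MOV operation
ref_462207 = ref_279 # MOV operation
ref_462275 = ref_462207 # MOV operation
ref_468834 = ref_462275 # MOV operation
ref_470584 = ref_468834 # MOV operation
ref_470592 = ((ref_470584 << (0x35 & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_470599 = ref_470592 # MOV operation
ref_470687 = ref_470599 # MOV operation
ref_479266 = ref_379048 # MOV operation
ref_480948 = ref_470687 # MOV operation
ref_481016 = ref_479266 # MOV operation
ref_481020 = ref_480948 # MOV operation
ref_481022 = (ref_481020 | ref_481016) # OR operation
ref_481115 = ref_481022 # MOV operation

# --- C = (B - ((A + 0x2D4AF89B) & 0x1D5ABF66)) & M -> ref_692461 ---
ref_581959 = ref_287413 # MOV operation
ref_582027 = ref_581959 # MOV operation
ref_590268 = ref_582027 # MOV operation
ref_590340 = ref_590268 # MOV operation
ref_590342 = ((ref_590340 + 0x2D4AF89B) & 0xFFFFFFFFFFFFFFFF) # ADD operation
ref_590436 = ref_590342 # MOV operation
ref_600697 = ref_590436 # MOV operation
ref_600769 = ref_600697 # MOV operation
ref_600771 = (ref_600769 & 0x1D5ABF66) # AND operation
ref_600864 = ref_600771 # MOV operation
ref_609443 = ref_481115 # MOV operation
ref_611125 = ref_600864 # MOV operation
ref_611193 = ref_609443 # MOV operation
ref_611197 = ref_611125 # MOV operation
ref_611199 = ((ref_611193 - ref_611197) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_611207 = ref_611199 # MOV operation
ref_611295 = ref_611207 # MOV operation
ref_692393 = ref_611295 # MOV operation
ref_692461 = ref_692393 # MOV operation

# --- D = (x - 0xE8D4346) & M -> ref_865265 ---
ref_765747 = ref_279 # MOV operation
ref_765815 = ref_765747 # MOV operation
ref_782247 = ref_765815 # MOV operation
ref_783997 = ref_782247 # MOV operation
ref_784003 = ((ref_783997 - 0xE8D4346) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_784011 = ref_784003 # MOV operation
ref_784099 = ref_784011 # MOV operation
ref_865197 = ref_784099 # MOV operation
ref_865265 = ref_865197 # MOV operation

# --- E = (x - (A + 0x20453EE3)) & M -> ref_1127644 ---
ref_938551 = ref_279 # MOV operation
ref_938619 = ref_938551 # MOV operation
ref_1017697 = ref_287413 # MOV operation
ref_1017765 = ref_1017697 # MOV operation
ref_1034197 = ref_1017765 # MOV operation
ref_1035947 = ref_1034197 # MOV operation
ref_1035953 = ((0x20453EE3 + ref_1035947) & 0xFFFFFFFFFFFFFFFF) # ADD operation
ref_1036047 = ref_1035953 # MOV operation
ref_1044626 = ref_938619 # MOV operation
ref_1046308 = ref_1036047 # MOV operation
ref_1046376 = ref_1044626 # MOV operation
ref_1046380 = ref_1046308 # MOV operation
ref_1046382 = ((ref_1046376 - ref_1046380) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_1046390 = ref_1046382 # MOV operation
ref_1046478 = ref_1046390 # MOV operation
ref_1127576 = ref_1046478 # MOV operation
ref_1127644 = ref_1127576 # MOV operation

# --- F = A | (((A | D) & 0x3F) << 4) -> ref_1643092 ---
ref_1300227 = ref_287413 # MOV operation
ref_1300295 = ref_1300227 # MOV operation
ref_1417413 = ref_865265 # MOV operation
ref_1417481 = ref_1417413 # MOV operation
ref_1504424 = ref_287413 # MOV operation
ref_1504492 = ref_1504424 # MOV operation
ref_1511051 = ref_1417481 # MOV operation
ref_1512733 = ref_1504492 # MOV operation
ref_1512801 = ref_1511051 # MOV operation
ref_1512805 = ref_1512733 # MOV operation
ref_1512807 = (ref_1512805 | ref_1512801) # OR operation
ref_1512900 = ref_1512807 # MOV operation
ref_1531352 = ref_1512900 # MOV operation
ref_1533102 = ref_1531352 # MOV operation
ref_1533108 = (0x3F & ref_1533102) # AND operation
ref_1533201 = ref_1533108 # MOV operation
ref_1541780 = ref_1533201 # MOV operation
ref_1543530 = ref_1541780 # MOV operation
ref_1543538 = ((ref_1543530 << (0x4 & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_1543545 = ref_1543538 # MOV operation
ref_1543633 = ref_1543545 # MOV operation
ref_1552212 = ref_1300295 # MOV operation
ref_1553894 = ref_1543633 # MOV operation
ref_1553962 = ref_1552212 # MOV operation
ref_1553966 = ref_1553894 # MOV operation
ref_1553968 = (ref_1553966 | ref_1553962) # OR operation
ref_1554061 = ref_1553968 # MOV operation
ref_1643024 = ref_1554061 # MOV operation
ref_1643092 = ref_1643024 # MOV operation

# --- G = ror64(C, k1) with k1 = ((F >> 1) & 0xF) | 1 -> ref_2367470 ---
# k1 is computed twice (once per half of the rotate).  It is odd and in
# 1..15, so 0x40 - k1 stays in 49..63 and the "& 0x3F" on the left-shift
# count never wraps.
ref_1741928 = ref_1643092 # MOV operation
ref_1741996 = ref_1741928 # MOV operation
ref_1750237 = ref_1741996 # MOV operation
ref_1750297 = ref_1750237 # MOV operation
ref_1750311 = (ref_1750297 >> (0x1 & 0x3F)) # SHR operation
ref_1750404 = ref_1750311 # MOV operation
ref_1768856 = ref_1750404 # MOV operation
ref_1770606 = ref_1768856 # MOV operation
ref_1770612 = (0xF & ref_1770606) # AND operation
ref_1770705 = ref_1770612 # MOV operation
ref_1789157 = ref_1770705 # MOV operation
ref_1790907 = ref_1789157 # MOV operation
ref_1790913 = (0x1 | ref_1790907) # OR operation
ref_1791006 = ref_1790913 # MOV operation
ref_1872104 = ref_692461 # MOV operation
ref_1872172 = ref_1872104 # MOV operation
ref_1878731 = ref_1791006 # MOV operation
ref_1880413 = ref_1872172 # MOV operation
ref_1880473 = ref_1880413 # MOV operation
ref_1880485 = ref_1878731 # MOV operation
ref_1880487 = (ref_1880473 >> ((ref_1880485 & 0xFF) & 0x3F)) # SHR operation
ref_1880580 = ref_1880487 # MOV operation
ref_1989289 = ref_1643092 # MOV operation
ref_1989357 = ref_1989289 # MOV operation
ref_1997598 = ref_1989357 # MOV operation
ref_1997658 = ref_1997598 # MOV operation
ref_1997672 = (ref_1997658 >> (0x1 & 0x3F)) # SHR operation
ref_1997765 = ref_1997672 # MOV operation
ref_2016217 = ref_1997765 # MOV operation
ref_2017967 = ref_2016217 # MOV operation
ref_2017973 = (0xF & ref_2017967) # AND operation
ref_2018066 = ref_2017973 # MOV operation
ref_2036518 = ref_2018066 # MOV operation
ref_2038268 = ref_2036518 # MOV operation
ref_2038274 = (0x1 | ref_2038268) # OR operation
ref_2038367 = ref_2038274 # MOV operation
ref_2048628 = ref_2038367 # MOV operation
ref_2048700 = ref_2048628 # MOV operation
ref_2048702 = ((0x40 - ref_2048700) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_2048710 = ref_2048702 # MOV operation
ref_2048798 = ref_2048710 # MOV operation
ref_2129896 = ref_692461 # MOV operation
ref_2129964 = ref_2129896 # MOV operation
ref_2136523 = ref_2129964 # MOV operation
ref_2138205 = ref_2048798 # MOV operation
ref_2138273 = ref_2136523 # MOV operation
ref_2138277 = ref_2138205 # MOV operation
ref_2138279 = (ref_2138277 & 0xFFFFFFFF) # MOV operation
ref_2138281 = ((ref_2138273 << ((ref_2138279 & 0xFF) & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_2138288 = ref_2138281 # MOV operation
ref_2138376 = ref_2138288 # MOV operation
ref_2146955 = ref_1880580 # MOV operation
ref_2148637 = ref_2138376 # MOV operation
ref_2148705 = ref_2146955 # MOV operation
ref_2148709 = ref_2148637 # MOV operation
ref_2148711 = (ref_2148709 | ref_2148705) # OR operation
ref_2148804 = ref_2148711 # MOV operation
ref_2258069 = ref_2148804 # MOV operation
ref_2258137 = ref_2258069 # MOV operation
ref_2367402 = ref_2258137 # MOV operation
ref_2367470 = ref_2367402 # MOV operation

# --- H = (G - E) & M -> ref_2750378 (only feeds the final shift count) ---
ref_2446548 = ref_1127644 # MOV operation
ref_2446616 = ref_2446548 # MOV operation
ref_2453175 = ref_2367470 # MOV operation
ref_2454857 = ref_2446616 # MOV operation
ref_2454925 = ref_2453175 # MOV operation
ref_2454929 = ref_2454857 # MOV operation
ref_2454931 = ((ref_2454925 - ref_2454929) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_2454939 = ref_2454931 # MOV operation
ref_2455027 = ref_2454939 # MOV operation
ref_2536125 = ref_2455027 # MOV operation
ref_2536193 = ref_2536125 # MOV operation
ref_2750310 = ref_2536193 # MOV operation
ref_2750378 = ref_2750310 # MOV operation

# --- k3 = (((E | H) >> 1) & 0x7) | 1 -> ref_2888962 (odd, 1..7) ---
ref_2829456 = ref_1127644 # MOV operation
ref_2829524 = ref_2829456 # MOV operation
ref_2836083 = ref_2750378 # MOV operation
ref_2837765 = ref_2829524 # MOV operation
ref_2837833 = ref_2836083 # MOV operation
ref_2837837 = ref_2837765 # MOV operation
ref_2837839 = (ref_2837837 | ref_2837833) # OR operation
ref_2837932 = ref_2837839 # MOV operation
ref_2848193 = ref_2837932 # MOV operation
ref_2848253 = ref_2848193 # MOV operation
ref_2848267 = (ref_2848253 >> (0x1 & 0x3F)) # SHR operation
ref_2848360 = ref_2848267 # MOV operation
ref_2866812 = ref_2848360 # MOV operation
ref_2868562 = ref_2866812 # MOV operation
ref_2868568 = (0x7 & ref_2868562) # AND operation
ref_2868661 = ref_2868568 # MOV operation
ref_2887113 = ref_2868661 # MOV operation
ref_2888863 = ref_2887113 # MOV operation
ref_2888869 = (0x1 | ref_2888863) # OR operation
ref_2888962 = ref_2888869 # MOV operation

# --- I = ror64(F, k2) with k2 = (C & 0xF) | 1 -> ref_3338342 ---
# Same two-halves rotate shape as G: k2 is computed twice, is odd and in
# 1..15, so the 0x40 - k2 left-shift count stays below 64.
ref_2970060 = ref_692461 # MOV operation
ref_2970128 = ref_2970060 # MOV operation
ref_2986560 = ref_2970128 # MOV operation
ref_2988310 = ref_2986560 # MOV operation
ref_2988316 = (0xF & ref_2988310) # AND operation
ref_2988409 = ref_2988316 # MOV operation
ref_3006861 = ref_2988409 # MOV operation
ref_3008611 = ref_3006861 # MOV operation
ref_3008617 = (0x1 | ref_3008611) # OR operation
ref_3008710 = ref_3008617 # MOV operation
ref_3089808 = ref_1643092 # MOV operation
ref_3089876 = ref_3089808 # MOV operation
ref_3096435 = ref_3008710 # MOV operation
ref_3098117 = ref_3089876 # MOV operation
ref_3098177 = ref_3098117 # MOV operation
ref_3098189 = ref_3096435 # MOV operation
ref_3098191 = (ref_3098177 >> ((ref_3098189 & 0xFF) & 0x3F)) # SHR operation
ref_3098284 = ref_3098191 # MOV operation
ref_3189255 = ref_692461 # MOV operation
ref_3189323 = ref_3189255 # MOV operation
ref_3205755 = ref_3189323 # MOV operation
ref_3207505 = ref_3205755 # MOV operation
ref_3207511 = (0xF & ref_3207505) # AND operation
ref_3207604 = ref_3207511 # MOV operation
ref_3226056 = ref_3207604 # MOV operation
ref_3227806 = ref_3226056 # MOV operation
ref_3227812 = (0x1 | ref_3227806) # OR operation
ref_3227905 = ref_3227812 # MOV operation
ref_3238166 = ref_3227905 # MOV operation
ref_3238238 = ref_3238166 # MOV operation
ref_3238240 = ((0x40 - ref_3238238) & 0xFFFFFFFFFFFFFFFF) # SUB operation
ref_3238248 = ref_3238240 # MOV operation
ref_3238336 = ref_3238248 # MOV operation
ref_3319434 = ref_1643092 # MOV operation
ref_3319502 = ref_3319434 # MOV operation
ref_3326061 = ref_3319502 # MOV operation
ref_3327743 = ref_3238336 # MOV operation
ref_3327811 = ref_3326061 # MOV operation
ref_3327815 = ref_3327743 # MOV operation
ref_3327817 = (ref_3327815 & 0xFFFFFFFF) # MOV operation
ref_3327819 = ((ref_3327811 << ((ref_3327817 & 0xFF) & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_3327826 = ref_3327819 # MOV operation
ref_3327914 = ref_3327826 # MOV operation
ref_3336493 = ref_3098284 # MOV operation
ref_3338175 = ref_3327914 # MOV operation
ref_3338243 = ref_3336493 # MOV operation
ref_3338247 = ref_3338175 # MOV operation
ref_3338249 = (ref_3338247 | ref_3338243) # OR operation
ref_3338342 = ref_3338249 # MOV operation

# --- result = (I << k3) & M -> ref_3433684 ---
ref_3346921 = ref_3338342 # MOV operation
ref_3348603 = ref_2888962 # MOV operation
ref_3348671 = ref_3346921 # MOV operation
ref_3348675 = ref_3348603 # MOV operation
ref_3348677 = (ref_3348675 & 0xFFFFFFFF) # MOV operation
ref_3348679 = ((ref_3348671 << ((ref_3348677 & 0xFF) & 0x3F)) & 0xFFFFFFFFFFFFFFFF) # SHL operation
ref_3348686 = ref_3348679 # MOV operation
ref_3348774 = ref_3348686 # MOV operation
ref_3422069 = ref_3348774 # MOV operation
ref_3422137 = ref_3422069 # MOV operation
ref_3433682 = ref_3422137 # MOV operation
ref_3433684 = ref_3433682 # MOV operation

# Parenthesised form prints the same text under the python2 interpreter named
# in the shebang and also parses under Python 3.
print(ref_3433684 & 0xffffffffffffffff)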