├── .DS_Store ├── README.md ├── example_app ├── llvm_fla_cracker_simple.py ├── testcode1.txt ├── testcode2.txt ├── testcode3.txt ├── testcode4.txt └── testcode5.txt /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/moliam/llvm-fla-cracker/b0f619cd843e03f9e067338d1b6fe2dc6c877d00/.DS_Store -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # llvm-fla-cracker 2 | ## Introduction 3 | The goal of llvm-fla-cracker is to recover a program's normal execution flow from the disordered form produced by the llvm obfuscator when compiling with the option "-fla" (https://github.com/obfuscator-llvm/obfuscator ). The llvm obfuscator also offers two other kinds of obfuscation, enabled with the compiling options "-sub" and "-bcf", but for now these two are outside my interest. 4 | 5 | ## How to use 6 | <1> Use IDA to get the pseudocode and save it in a file (note: please use ctrl + A to copy the pseudocode, and don't modify it. `All the numbers appearing in the comparisons should be in decimal.` This is because, for now, the python script depends heavily on the exact text format of the code.). The pseudocode may look like the 5 given testcodes.
7 | <2> Run "python llvm_fla_cracker_simple.py inputfile outputfile", where inputfile and outputfile can be any file names you choose. For example, running "python llvm_fla_cracker_simple.py testcode3.txt 3.txt" writes the "neat" code for testcode3.txt to the file "3.txt". 8 | 9 | 10 | -------------------------------------------------------------------------------- /example_app: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/moliam/llvm-fla-cracker/b0f619cd843e03f9e067338d1b6fe2dc6c877d00/example_app -------------------------------------------------------------------------------- /llvm_fla_cracker_simple.py: -------------------------------------------------------------------------------- 1 | import os 2 | import copy 3 | import sys 4 | 5 | # the input file's format must be exactly the form of the pseudocode generated by IDA. What's more, all the numbers appearing in the comparisons must be in decimal. 6 | # For example, "if ( v1 > 0x20 )" won't work and it should be "if ( v1 > 32 )" 7 | 8 | 9 | 10 | #-------------------------Some named constants that help remember the positions within the arrays. 11 | 12 | 13 | #general 14 | LINE_IDX = 1 15 | VAR_VAL = 0 16 | CTRL_VAL = 0 17 | 18 | #used to parse the result from WordScan() 19 | LEFT_ALL = 2 20 | LEFT_RELATION = 2 21 | LEFT_RELVALUE = 3 22 | LEFT_VARNAME = 1 23 | 24 | 25 | #used during build relation 26 | VALUE_IN = 0 27 | VALUE_OUT = 1 28 | USE = 2 29 | 30 | 31 | #----trace property. The cracker records a property for every line it simulates. 
# Labels stored in TraceProp, one per entry appended to Trace.
TP_SIMOUT = "SimOut"  # the line was also appended to the simulated output
# NOTE(review): the four labels below are all the empty string, so they
# cannot be told apart once they are stored in TraceProp.
TP_CTRLVAR_DECL = ""  # declaration of a simulated variable (skipped)
TP_CTRLVAR_SET = ""  # assignment to a simulated variable
TP_LB_L = ""
TP_LB_R = ""
TP_CTRL = "Ctrl"  # control statement (if / else / switch / while / do / break)
TP_LBL_OUT = "LOut"  # "{"
TP_LBR_OUT = "ROut"  # "}"
TP_NEW_BR = "NEW_Br"  # marks where a simulated branch starts and completes

# Kinds of line reported by WordScan(); the kind is element 0 of its result.
SCANTYPE_CTRL = "ctrl"
SCANTYPE_NORMAL = "Normal"
SCANTYPE_DECL = "decl"
SCANTYPE_VALUESET = "valueset"
SCANTYPE_NONE = "None"

# Control keywords WordScan() reports for a SCANTYPE_CTRL line.
SCAN_WHILE = "while"
SCAN_IF = "if"
SCAN_ELSE = "else"
SCAN_ELSEIF = "else if"
SCAN_SWITCH = "switch"
SCAN_CASE = "case"
SCAN_DO = "do"
SCAN_BREAK = "break"
SCAN_GOTO = "goto"

# Control stack: the stack the simulation keeps while walking the code.
# Each item is a [type, line index] pair; CONTROL_NAME indexes the type.
CONTROL_NAME = 0
# Item types that can sit on the control stack.
CSTK_DO = "do"
CSTK_WHILE = "while"
CSTK_GOTO = "goto"
CSTK_IF = "if"
CSTK_SWITCH = "switch"
CSTK_LBL = "{"
CSTK_LBR = "}"


# *****************************************

# ------------------------- some global variables
GlobalBranchId = 0  # id used to label the if/else branches being simulated
77 | GlobalLoopId = 0 #for labeling the found loop 78 | 79 | #enable logging 80 | log = 1 81 | 82 | 83 | class PROG_STAT: 84 | CtrlStack = [] 85 | VarSet = [] 86 | VarVal = [] 87 | Trace = [] 88 | TraceProp = [] 89 | LIdx = 0 90 | SimOut = [] 91 | def __init__(self, argCtrlStack, argVarSet, argVarVal, argSimOut, argTrace, argTraceProp, argLIdx): 92 | self.CtrlStack = copy.deepcopy(argCtrlStack) 93 | self.VarSet = copy.deepcopy(argVarSet) 94 | self.VarVal = copy.deepcopy(argVarVal) 95 | self.Trace = copy.deepcopy(argTrace) 96 | self.TraceProp = copy.deepcopy(argTraceProp) 97 | self.SimOut = argSimOut 98 | self.LIdx = argLIdx 99 | 100 | def Logging(warning): 101 | if log == 1: 102 | print "Log: %s" % warning 103 | 104 | 105 | def ShortenLine(line): # skip space and tab before a line 106 | RetStr = "" 107 | SpaceStarted = 0 108 | LineStarted = 0 109 | for i in range(len(line)): 110 | if LineStarted == 1: 111 | if line[i] == " ": 112 | if SpaceStarted == 1: 113 | continue 114 | else: 115 | RetStr += " " 116 | SpaceStarted = 1 117 | continue 118 | else: 119 | SpaceStarted = 0 120 | if line[i] == "\n" or line[i] == "\r": 121 | continue 122 | RetStr += line[i] 123 | else: 124 | if line[i] == " " or line[i] == "\t": 125 | continue 126 | else: 127 | LineStarted = 1 128 | RetStr += line[i] 129 | return RetStr 130 | 131 | def ChopLine(line): # chop a line into elements, for example: "a = 12;" --> ["a", "=", "12"] 132 | line = ShortenLine(line) 133 | words = [] 134 | tmp = "" 135 | StringCtrl = 0 136 | start = 0 137 | for c in line: 138 | if c == '"': 139 | StringCtrl = 1 - StringCtrl 140 | tmp += '"' 141 | continue 142 | elif StringCtrl == 1: 143 | tmp += c 144 | elif (c == " " or c == "\t") and tmp != "": 145 | words.append(tmp) 146 | tmp = "" 147 | else: 148 | if c != ";" and c != "\r" and c != "\n": 149 | tmp += c 150 | else: 151 | break 152 | if tmp != "": 153 | words.append(tmp) 154 | return words 155 | 156 | def StrToValue(word): 157 | validnum = "-0123456789" 158 | for 
c in word: 159 | if c not in validnum: 160 | return "" 161 | return int(word) 162 | 163 | def WordScan(Arg_Str): # scan a line 164 | if not isinstance(Arg_Str, str): 165 | print "too many lines for WordScan" 166 | exit() 167 | 168 | DeclKeyWords = ["unsigned int", "signed int", "unsigned char", "signed char", "byte", "DWORD", "int", "char"] 169 | CtrlKeyWords = [SCAN_DO, SCAN_WHILE, SCAN_ELSEIF, SCAN_SWITCH, SCAN_ELSE, SCAN_IF, SCAN_GOTO, SCAN_CASE, SCAN_BREAK] 170 | 171 | words = ChopLine(Arg_Str) 172 | ScanInfo = [] 173 | if words != []: 174 | if words[0] in DeclKeyWords or (len(words) > 1 and (words[0] + " " + words[1]) in DeclKeyWords): 175 | ScanInfo.append(SCANTYPE_DECL) 176 | ScanInfo.append(words[-1]) 177 | elif words[0] in CtrlKeyWords: 178 | ctrlidx = 1 179 | ctrl_name = words[0] 180 | if len(words) > 1: 181 | if (words[0] +" "+ words[1]) in CtrlKeyWords: 182 | ctrl_name = words[0] + " " + words[1] 183 | ctrlidx = 2 184 | ScanInfo.append(SCANTYPE_CTRL) 185 | ScanInfo.append(ctrl_name) 186 | ScanInfo.append(words[ctrlidx:]) 187 | elif len(words) > 1 and words[1] == "=": 188 | ScanInfo.append(SCANTYPE_VALUESET) 189 | ScanInfo.append(words[0]) #dst 190 | ScanInfo.append(words[2:]) # src 191 | else: 192 | ScanInfo.append(SCANTYPE_NORMAL) 193 | ScanInfo.append(words) 194 | if ScanInfo == []: 195 | ScanInfo.append(SCANTYPE_NONE) 196 | return ScanInfo 197 | 198 | def IsNameLett(str): 199 | ValidSet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_1234567890" 200 | for c in str: 201 | if c not in ValidSet: 202 | return False 203 | if ValidSet.find(str[0]) < ValidSet.find("1"): 204 | return True 205 | else: 206 | return False 207 | 208 | def BuildRelation(LineBuf): #scan the whole codetext, find the relations between the variables in the text. 
209 | VarNameSet = [] 210 | VarRelation = [] 211 | for line in LineBuf: 212 | line = ShortenLine(line) 213 | if line == "": 214 | continue 215 | ScanInfo = WordScan(line) 216 | 217 | if ScanInfo == []: 218 | continue 219 | 220 | HeadType = ScanInfo[0] 221 | if HeadType == SCANTYPE_DECL: 222 | 223 | VarNameSet.append(ScanInfo[1]) 224 | VarRelation.append([[],[],0]) 225 | if HeadType == SCANTYPE_VALUESET: 226 | src = ScanInfo[2] 227 | dst = ScanInfo[1] 228 | if IsNameLett(dst) and dst not in VarNameSet: 229 | VarNameSet.append(dst) 230 | VarRelation.append([[], [], 0]) 231 | if len(src) == 1: 232 | src = src[0] 233 | if IsNameLett(src) and src not in VarNameSet: 234 | VarNameSet.append(src) 235 | VarRelation.append([[], [], 0]) 236 | 237 | if dst in VarNameSet: 238 | IdxDst = VarNameSet.index(dst) 239 | if src in VarNameSet: 240 | if src not in VarRelation[IdxDst][VALUE_IN]: 241 | IdxSrc = VarNameSet.index(src) 242 | VarRelation[IdxSrc][VALUE_OUT].append(dst) 243 | VarRelation[IdxDst][VALUE_IN].append(src) 244 | elif StrToValue(src) != "": 245 | VarRelation[IdxDst][VALUE_IN].append(0) #zero represents imm value 246 | if HeadType == SCANTYPE_CTRL: 247 | if "(" in ScanInfo[2]: 248 | idx = ScanInfo[2].index("(") 249 | if idx != -1: 250 | var = ScanInfo[2][idx + 1] 251 | if var in VarNameSet: 252 | VarRelation[VarNameSet.index(var)][USE] += 1 253 | CtrlVar = [] 254 | 255 | for i in range(len(VarNameSet)): 256 | if VarRelation[i][VALUE_OUT] == []: 257 | if VarRelation[i][VALUE_IN] != [] and 0 in VarRelation[i][VALUE_IN] and VarRelation[i][USE] > 0: 258 | CtrlVar.append(VarNameSet[i]) 259 | 260 | Logging("build relation completed...") 261 | 262 | return VarNameSet, VarRelation, CtrlVar 263 | 264 | def GetSimulationVarSet(RelationResult): # get the variable that controls the flow and related vars to it. 
265 | SensitiveVars = [] 266 | VarNameSet = RelationResult[0] 267 | VarRelation = RelationResult[1] 268 | CtrlVar = RelationResult[2] 269 | 270 | if len(CtrlVar) == 0: 271 | Logging("no control variable found... exit") 272 | exit() 273 | 274 | tmpCtrlVar = CtrlVar[0] 275 | if len(CtrlVar) > 1: 276 | print "more than one control variable: %s exit" % CtrlVar 277 | user_define = raw_input("manually input the ctrl var( or just enter to try your luck ) >>> ") 278 | if user_define == "": 279 | max_ref = 0 280 | RefIdx = 0 281 | for c in CtrlVar: 282 | t = VarRelation[VarNameSet.index(c)][USE] 283 | if t > max_ref: 284 | max_ref = t 285 | RefIdx = CtrlVar.index(c) 286 | tmpCtrlVar = CtrlVar[RefIdx] 287 | else: 288 | if user_define in CtrlVar: 289 | tmpCtrlVar = user_define 290 | else: 291 | Logging("wrong input...") 292 | exit() 293 | 294 | CtrlVar = tmpCtrlVar 295 | 296 | SensitiveVars.append(CtrlVar) 297 | CtrlVarRelation = VarRelation[VarNameSet.index(CtrlVar)] 298 | for item in CtrlVarRelation[VALUE_IN]: 299 | if item != 0: 300 | SensitiveVars.append(item) 301 | Logging("control var is: %s" % CtrlVar) 302 | Logging("get simulation varset completed...") 303 | Logging("sensitive vars : %s" % SensitiveVars) 304 | return SensitiveVars 305 | 306 | def ReadByLineAndFormat(arg_str): #read the file line by line 307 | f = open(arg_str, "r") 308 | LineBuf = [] 309 | while 1: 310 | line = f.readline() 311 | if not line: 312 | break 313 | if line != "": 314 | LineBuf.append(line) 315 | f.close() 316 | return LineBuf 317 | 318 | def VarMatchCondition(value, relation, relvalue): 319 | relvalue = StrToValue(relvalue) 320 | if "" == relvalue: 321 | Logging("wrong relation format, in VarMatchCondition...") 322 | return "" 323 | if relation == "==": 324 | if value == relvalue: 325 | return 1 326 | if relation == "!=": 327 | if value != relvalue: 328 | return 1 329 | if relation == ">=": 330 | if value >= relvalue: 331 | return 1 332 | if relation == ">": 333 | if value > relvalue: 334 
| return 1 335 | if relation == "<": 336 | if value < relvalue: 337 | return 1 338 | if relation == "<=": 339 | if value <= relvalue: 340 | return 1 341 | return 0 342 | 343 | def FindNextBlock(LineBuf, lineidx): #find next code BBL 344 | tmplineidx = lineidx + 1 345 | largeB = 0 346 | while 1: 347 | words = ChopLine(LineBuf[tmplineidx]) 348 | tmplineidx += 1 349 | if words != []: 350 | if len(words) == 1: 351 | if words[0] == "{": 352 | largeB += 1 353 | elif words[0] == "}": 354 | largeB -= 1 355 | if largeB == 0: 356 | break 357 | while 1: 358 | words = ChopLine(LineBuf[tmplineidx]) 359 | if words != []: 360 | break 361 | tmplineidx += 1 362 | 363 | return tmplineidx 364 | 365 | def FindMatchingCase(LineBuf, lineidx, CmpVal): #find the matching case of a switch 366 | largeB = 0 367 | endlineidx = FindNextBlock(LineBuf, lineidx) 368 | for idx in range(lineidx + 1, endlineidx): 369 | ScanInfo = WordScan(LineBuf[idx]) 370 | if ScanInfo[0] == SCANTYPE_CTRL and ScanInfo[1] == SCAN_CASE: 371 | valuestr = ScanInfo[2][0][:-1] 372 | 373 | v = StrToValue(valuestr) 374 | if CmpVal == v and largeB < 2: 375 | return idx 376 | if ScanInfo[0] == SCANTYPE_NORMAL: 377 | if len(ScanInfo[1]) == 1: 378 | if ScanInfo[1][0] == "{": 379 | largeB += 1 380 | elif ScanInfo[1][0] == "}": 381 | largeB -= 1 382 | return "" 383 | 384 | def SkipIf(LineBuf, lineidx): #skip the if structure 385 | tmplineidx = lineidx 386 | while 1: 387 | tmplineidx = FindNextBlock(LineBuf, tmplineidx) 388 | words = ChopLine(LineBuf[tmplineidx]) 389 | #Logging("tmp skip %d " % (tmplineidx)) 390 | if words == [] or words[0] != "else": 391 | Logging("skipif to line @ %d" % (tmplineidx)) 392 | return tmplineidx 393 | 394 | def SensVarRelatedinIf(LineBuf, lineidx, VarSet): # whether the sensitive variables are involved in the "if" structure. 
395 | startidx = lineidx 396 | endidx = SkipIf(LineBuf, lineidx) 397 | sensi = False 398 | for i in range(startidx, endidx): 399 | words = ChopLine(LineBuf[i]) 400 | for var in VarSet: 401 | if var in words: 402 | sensi = True 403 | break 404 | return sensi 405 | 406 | 407 | def CplxSimulation(LineBuf, ProgInitStat): 408 | global GlobalLoopId, GlobalBranchId 409 | 410 | #CtrlStack = copy.deepcopy(ProgInitStat.CtrlStack) # ["do", XXX], ["while", XXX], ["if", XXX], ["switch", XXX], ["{", xxx] 411 | #VarSet = copy.deepcopy(ProgInitStat.VarSet) 412 | VarVal = copy.deepcopy(ProgInitStat.VarVal) 413 | #Trace = copy.deepcopy(ProgInitStat.Trace) # [ val, lineidx], [ xxx, xxx] 414 | #TraceProp = copy.deepcopy(ProgInitStat.TraceProp) # ["SimOut", ""] 415 | 416 | VarSet = ProgInitStat.VarSet 417 | CtrlStack = ProgInitStat.CtrlStack 418 | Trace = ProgInitStat.Trace 419 | TraceProp = ProgInitStat.TraceProp 420 | CtrlVar = VarSet[CTRL_VAL] 421 | 422 | Loop = [] 423 | #BranchStack = [] # [[varvalstat, ctrlstack, xxx], [varvalstat, controlstack, xxx], ] when branch, 0 first 1 next 424 | #SimOut = [] #[line, lineidx] 425 | SimOut = ProgInitStat.SimOut 426 | lineidx = ProgInitStat.LIdx 427 | 428 | MaxIdx = len(LineBuf) 429 | preidx = -1 430 | 431 | ThisBranchId = GlobalBranchId 432 | 433 | Trace.append("Br %d started..." 
% ThisBranchId) 434 | TraceProp.append(TP_NEW_BR) 435 | 436 | while lineidx < MaxIdx: 437 | if preidx == lineidx: 438 | Logging("processing stuck...") 439 | return SimOut, Loop 440 | 441 | preidx = lineidx 442 | Logging("------------------") 443 | Logging("line:" + str(lineidx)) 444 | line = ShortenLine(LineBuf[lineidx]) 445 | Stat = [VarVal[CTRL_VAL], lineidx] 446 | # Logging("trace before: " + str(Trace[-1])) 447 | Logging("ctrl stack:" + str(CtrlStack)) 448 | #-----------------------------------------------check loop 449 | if Stat in Trace: # a loop found 450 | Logging("loop found, stat:" + str(Stat)) 451 | TmpTraceProp = copy.deepcopy(TraceProp) 452 | fromLineIdx = 0 453 | toLineIdx = 0 454 | while 1: # the idx loop goes from 455 | if TmpTraceProp != []: 456 | label = TmpTraceProp.pop() 457 | else: 458 | Logging("wrong identified loop...") 459 | exit() 460 | if label == TP_SIMOUT: 461 | fromLineIdx = Trace[len(TmpTraceProp)][LINE_IDX] 462 | break 463 | 464 | loopidx = Trace.index(Stat) 465 | for i in range(loopidx, len(TraceProp)): # the idx loop goes to 466 | if TraceProp[i] == TP_SIMOUT: 467 | toLineIdx = Trace[i][LINE_IDX] 468 | break 469 | 470 | LoopId = "Loop_" + str(GlobalLoopId) 471 | GlobalLoopId += 1 472 | 473 | for j in range(len(SimOut), 0, -1): 474 | i = j - 1 475 | if SimOut[i][LINE_IDX] == toLineIdx and SimOut[i][2] == VarVal[CTRL_VAL]: 476 | SimOut.insert(i, [LoopId + ":", -1, VarVal[CTRL_VAL]]) 477 | Logging("insert: %s" % str(SimOut[i])) 478 | break 479 | 480 | SimOut.append(["goto " + LoopId + ";", -1, VarVal[CTRL_VAL]]) 481 | 482 | Loop.append(["Loop_" + LoopId, fromLineIdx, toLineIdx]) 483 | 484 | Logging("loop found: line %d ---> line %d" %(fromLineIdx, toLineIdx)) 485 | break #loop found, quit simulating... 
486 | #******************* 487 | ScanInfo = WordScan(line) 488 | 489 | if ScanInfo[0] == SCANTYPE_NONE: 490 | lineidx += 1 491 | continue 492 | 493 | HeadType = ScanInfo[0] 494 | Logging(HeadType +", " + line) 495 | if SCANTYPE_DECL == HeadType: 496 | if ScanInfo[1] in VarSet: 497 | Logging("skip declaration... %s " % ScanInfo[1]) 498 | Trace.append([VarVal[CTRL_VAL], lineidx]) 499 | TraceProp.append(TP_CTRLVAR_DECL) 500 | else: 501 | Trace.append([VarVal[CTRL_VAL], lineidx]) 502 | TraceProp.append(TP_SIMOUT) 503 | SimOut.append([line, lineidx, VarVal[CTRL_VAL]]) 504 | lineidx += 1 505 | 506 | if SCANTYPE_VALUESET == HeadType: #if var is in sensitive var set then simulate, if not, output it. 507 | dst = ScanInfo[1] 508 | if dst in VarSet: 509 | Trace.append([VarVal[CTRL_VAL], lineidx]) 510 | TraceProp.append(TP_CTRLVAR_SET) 511 | src = ScanInfo[2] 512 | if len(src) == 1: 513 | val = StrToValue(src[0]) 514 | if val != "": 515 | VarVal[VarSet.index(dst)] = val #imm set 516 | elif src[0] in VarSet: 517 | VarVal[VarSet.index(dst)] = VarVal[VarSet.index(src[0])] #var set 518 | else: 519 | print "var not resolved: %s" % line 520 | else: 521 | Trace.append([VarVal[CTRL_VAL], lineidx]) 522 | TraceProp.append(TP_SIMOUT) 523 | SimOut.append([line, lineidx, VarVal[CTRL_VAL]]) 524 | lineidx += 1 525 | 526 | if SCANTYPE_CTRL == HeadType: 527 | if ScanInfo[1] == SCAN_IF or ScanInfo[1] == SCAN_ELSEIF: 528 | var = ScanInfo[LEFT_ALL][LEFT_VARNAME] 529 | if var in VarSet: # condition can be resolved. 
530 | Trace.append([VarVal[CTRL_VAL], lineidx]) 531 | TraceProp.append(TP_CTRL) 532 | vv = VarVal[VarSet.index(var)] 533 | if vv != "": 534 | if VarMatchCondition(vv, ScanInfo[LEFT_ALL][LEFT_RELATION], ScanInfo[LEFT_ALL][LEFT_RELVALUE]) == 1: 535 | Logging("if matched : %d %s %s" % (vv, ScanInfo[LEFT_ALL][LEFT_RELATION], ScanInfo[LEFT_ALL][LEFT_RELVALUE])) 536 | CtrlStack.append([CSTK_IF, lineidx]) 537 | lineidx += 1 538 | else: 539 | lineidx = FindNextBlock(LineBuf, lineidx) 540 | Logging("try next if branch.. @ %d" % (lineidx) ) 541 | else: 542 | print "use %s before initialization. " % var 543 | exit() 544 | else: # cannot be resolved. ASSUME: all if is related with sensitive vars 545 | if ScanInfo[1] == SCAN_IF and not SensVarRelatedinIf(LineBuf, lineidx, VarSet): 546 | Logging("if branch not sensitive... @ line %d" % lineidx) 547 | if_endidx = SkipIf(LineBuf, lineidx) 548 | for i in range(lineidx, if_endidx): 549 | Trace.append([VarVal[CTRL_VAL], i]) 550 | TraceProp.append(TP_SIMOUT) 551 | SimOut.append([ShortenLine(LineBuf[i]), i, VarVal[CTRL_VAL]]) 552 | lineidx = if_endidx 553 | else: 554 | Logging("UNRESOLVED BRANCH!!!!!! @line %d" % (lineidx)) 555 | 556 | Trace.append([VarVal[CTRL_VAL], lineidx]) 557 | TraceProp.append(TP_SIMOUT) 558 | SimOut.append([line[ line.find("if"): ], lineidx, VarVal[CTRL_VAL]]) 559 | SimOut.append(["{", -1, VarVal[CTRL_VAL]]) 560 | 561 | 562 | # @@@@@@@@@@@@@@@@@ RECURSIVELY simulate the rest of the code. 
563 | 564 | GlobalBranchId += 1 565 | TmpProgStat = PROG_STAT(CtrlStack, VarSet, VarVal, SimOut, Trace, TraceProp, lineidx + 1)#argCtrlStack, argVarSet, argVarVal, argTrace, argTraceProp, argLayerId 566 | SubSimOut, SubLoop = CplxSimulation(LineBuf, TmpProgStat) 567 | #SimOut += SubSimOut 568 | Loop += SubLoop 569 | 570 | SimOut.append(["}", -1, VarVal[CTRL_VAL]]) 571 | SimOut.append(["else", -1, VarVal[CTRL_VAL]]) 572 | SimOut.append(["{", -1, VarVal[CTRL_VAL]]) 573 | 574 | lineidx = FindNextBlock(LineBuf, lineidx) 575 | 576 | GlobalBranchId += 1 577 | TmpProgStat = PROG_STAT(CtrlStack, VarSet, VarVal, SimOut, Trace, TraceProp, lineidx)#argCtrlStack, argVarSet, argVarVal, argTrace, argTraceProp, argLayerId 578 | SubSimOut, SubLoop = CplxSimulation(LineBuf, TmpProgStat) 579 | #SimOut += SubSimOut 580 | Loop += SubLoop 581 | 582 | SimOut.append(["}", -1, VarVal[CTRL_VAL]]) 583 | 584 | Logging("UNRESOLVED BRANCH COMPLETED") 585 | break 586 | #lineidx = SkipCtrl(lineidx) 587 | if ScanInfo[1] == SCAN_ELSE: 588 | Trace.append([VarVal[0], lineidx]) 589 | TraceProp.append(TP_CTRL) 590 | lineidx += 1 591 | 592 | if ScanInfo[1] == SCAN_SWITCH: 593 | Trace.append([VarVal[CTRL_VAL], lineidx]) 594 | TraceProp.append(TP_CTRL) 595 | 596 | 597 | var = ScanInfo[LEFT_ALL][LEFT_VARNAME] 598 | if var in VarSet: # ASSUME: var is in VarSet 599 | CmpVal = VarVal[VarSet.index(var)] 600 | tmplineidx = FindMatchingCase(LineBuf, lineidx, CmpVal) 601 | if tmplineidx == "": 602 | Logging("no matching %d @ line %d" % (CmpVal, lineidx)) 603 | lineidx = FindNextBlock(LineBuf, lineidx) 604 | else: 605 | CtrlStack.append([CSTK_SWITCH, lineidx]) 606 | CtrlStack.append([CSTK_LBL, lineidx + 1]) 607 | lineidx = tmplineidx 608 | Logging("switch matched %d @ line %d" % (CmpVal, lineidx)) 609 | 610 | else: 611 | Logging("*****************switch unkown var encountered... 
@line %d" % lineidx) 612 | exit() 613 | if ScanInfo[1] == SCAN_CASE: 614 | lineidx += 1 615 | if ScanInfo[1] == SCAN_WHILE: 616 | var = ScanInfo[LEFT_ALL][LEFT_VARNAME] 617 | Trace.append([ VarVal[CTRL_VAL], lineidx ]) 618 | TraceProp.append(TP_CTRL) 619 | if var in VarSet: 620 | vv = VarVal[VarSet.index(var)] 621 | if VarMatchCondition(vv, ScanInfo[LEFT_ALL][LEFT_RELATION], ScanInfo[LEFT_ALL][LEFT_RELVALUE]) == 1: 622 | CtrlStack.append([CSTK_WHILE, lineidx]) 623 | lineidx += 1 624 | else: 625 | lineidx = FindNextBlock(LineBuf, lineidx) 626 | elif var == "1": 627 | CtrlStack.append([CSTK_WHILE, lineidx]) 628 | lineidx += 1 629 | 630 | if ScanInfo[1] == SCAN_DO: 631 | Trace.append([VarVal[CTRL_VAL], lineidx]) 632 | TraceProp.append(TP_CTRL) 633 | CtrlStack.append([CSTK_DO, lineidx]) 634 | lineidx += 1 635 | if ScanInfo[1] == SCAN_GOTO: 636 | Logging("*********************goto encountered. %d" % lineidx) 637 | exit() 638 | if ScanInfo[1] == SCAN_BREAK: 639 | Trace.append([VarVal[CTRL_VAL], lineidx]) 640 | TraceProp.append(TP_CTRL) 641 | while 1: 642 | if CtrlStack == []: 643 | Logging("wrong 'break'... 
@ %d" % lineidx) 644 | exit() 645 | CtrlLabel = CtrlStack.pop() 646 | if CtrlLabel[CONTROL_NAME] == CSTK_WHILE or CtrlLabel[CONTROL_NAME] == CSTK_SWITCH or CtrlLabel[CONTROL_NAME] == CSTK_DO: 647 | lineidx = FindNextBlock(LineBuf, CtrlLabel[LINE_IDX]) 648 | if CtrlLabel[CONTROL_NAME] == CSTK_DO: 649 | lineidx += 1 650 | break 651 | elif SCANTYPE_NORMAL == HeadType: 652 | #------------ check "{" and "}" 653 | if "{" == ScanInfo[1][0]: 654 | CtrlStack.append([CSTK_LBL, lineidx]) 655 | elif "}" == ScanInfo[1][0]: 656 | if CtrlStack == [] or CtrlStack[-1][0] != CSTK_LBL: 657 | Logging("bracelet not matached...") 658 | exit() 659 | else: 660 | CtrlStack.pop() 661 | #******************* 662 | else: 663 | SimOut.append([line, lineidx, VarVal[CTRL_VAL]]) 664 | Trace.append([VarVal[CTRL_VAL], lineidx]) 665 | TraceProp.append(TP_SIMOUT) 666 | lineidx += 1 667 | 668 | if HeadType != SCANTYPE_CTRL and CtrlStack != []: 669 | if CtrlStack[-1][CONTROL_NAME] == CSTK_IF: 670 | lineidx = SkipIf(LineBuf, CtrlStack[-1][LINE_IDX]) 671 | CtrlStack.pop() 672 | elif CtrlStack[-1][CONTROL_NAME] == CSTK_WHILE: 673 | lineidx = CtrlStack[-1][LINE_IDX] # repeat 674 | CtrlStack.pop() 675 | elif CtrlStack[-1][CONTROL_NAME] == CSTK_SWITCH: 676 | lineidx = FindNextBlock(LineBuf, CtrlStack[-1][LINE_IDX]) 677 | CtrlStack.pop() 678 | elif CtrlStack[-1][CONTROL_NAME] == CSTK_DO: 679 | do_lineidx = CtrlStack[-1][LINE_IDX] 680 | CtrlStack.pop() 681 | lineidx = FindNextBlock(LineBuf, do_lineidx) 682 | ScanInfo = WordScan(ShortenLine(LineBuf[lineidx])) 683 | if ScanInfo[0] == SCANTYPE_CTRL and ScanInfo[1] == SCAN_WHILE: 684 | var = ScanInfo[LEFT_ALL][LEFT_VARNAME] 685 | if var in VarSet: 686 | Trace.append([VarVal[CTRL_VAL], lineidx]) 687 | TraceProp.append("") 688 | vv = VarVal[VarSet.index(var)] 689 | if VarMatchCondition(vv, ScanInfo[LEFT_ALL][LEFT_RELATION], ScanInfo[LEFT_ALL][LEFT_RELVALUE]) == 1: 690 | lineidx = do_lineidx + 1 691 | else: 692 | lineidx += 1 693 | elif var == "1": 694 | lineidx = 
do_lineidx + 1 695 | else: 696 | print "unknown while type...@ line %d" % lineidx 697 | return SimOut, Loop 698 | else: 699 | Logging( "no 'while' to match 'do' on line %d..." % do_lineidx) 700 | exit() 701 | Logging("trace: " + str(Trace[-1])) 702 | Logging("next: " + str(lineidx)) 703 | Trace.append("Br %d completed..." % ThisBranchId) 704 | TraceProp.append(TP_NEW_BR) 705 | return SimOut, Loop 706 | 707 | def FormatOutput(SimOut): 708 | Logging("formatting code...") 709 | tabnum = 0 710 | Output = [] 711 | AddTab = 0 712 | for item in SimOut: 713 | if item[0] == "}": 714 | tabnum -= 1 715 | Output.append(tabnum * "\t" + item[0] + "\n") 716 | 717 | if item[0] == "{": 718 | tabnum += 1 719 | 720 | for i in range(len(Output)): 721 | item = Output[i] 722 | ScanInfo = WordScan(item) 723 | if ScanInfo[0] == SCANTYPE_CTRL and ScanInfo[1] != SCAN_GOTO and ShortenLine(Output[i + 1]) != "{": 724 | Output[i + 1] = "\t" + Output[i + 1] 725 | 726 | Logging("formatting completed.") 727 | return Output 728 | 729 | def NormCode(lines): 730 | pass 731 | 732 | def CodeSimulation(FileName): #simulate the code, extract the original flow 733 | lines = ReadByLineAndFormat(FileName) #Normalized code 734 | 735 | SimRet = BuildRelation(lines) 736 | SimVars = GetSimulationVarSet(SimRet) 737 | InitVarVals = [] 738 | for i in range(len(SimVars)): 739 | InitVarVals.append("") 740 | 741 | InitStat = PROG_STAT([],SimVars, InitVarVals,[],[],[], 0) 742 | 743 | SimOut, Loop = CplxSimulation(lines, InitStat) 744 | Logging("Loop: %s" % str(Loop)) 745 | return FormatOutput(SimOut) 746 | 747 | #--------------------------------***************************************** 748 | 749 | output = CodeSimulation(sys.argv[1]) 750 | 751 | Logging("-----------------------*************************") 752 | 753 | outputfile = sys.argv[2] 754 | fileout = open(outputfile, "w") 755 | 756 | for c in output: 757 | fileout.write(c) 758 | 759 | fileout.close() 760 | Logging("output to %s finished. 
\n\n" % outputfile) 761 | 762 | 763 | -------------------------------------------------------------------------------- /testcode1.txt: -------------------------------------------------------------------------------- 1 | int __cdecl main(int argc, const char **argv, const char **envp) 2 | { 3 | signed int v3; // eax@9 4 | signed int v5; // [sp+2Ch] [bp-24h]@1 5 | signed int v6; // [sp+30h] [bp-20h]@1 6 | char v7; // [sp+35h] [bp-1Bh]@1 7 | char v8[10]; // [sp+36h] [bp-1Ah]@1 8 | int v9; // [sp+40h] [bp-10h]@1 9 | int v10; // [sp+44h] [bp-Ch]@1 10 | __int64 v11; // [sp+48h] [bp-8h]@1 11 | 12 | v11 = *(_QWORD *)__stack_chk_guard_ptr; 13 | v10 = 0; 14 | v9 = 0; 15 | v7 = 0; 16 | v6 = 0; 17 | v5 = 1750278172; 18 | scanf("%s", v8, envp); 19 | do 20 | { 21 | while ( 1 ) 22 | { 23 | while ( 1 ) 24 | { 25 | while ( v5 <= -1249842835 ) 26 | { 27 | if ( v5 == -1777239285 ) 28 | { 29 | ++v6; 30 | v5 = 1750278172; 31 | } 32 | } 33 | if ( v5 != -1249842834 ) 34 | break; 35 | v7 += v8[v6]; 36 | v5 = -1777239285; 37 | } 38 | if ( v5 != 1750278172 ) 39 | break; 40 | v3 = -1249842834; 41 | if ( v6 >= 10 ) 42 | v3 = 1798774915; 43 | v5 = v3; 44 | } 45 | } 46 | while ( v5 != 1798774915 ); 47 | printf("%c\n", (unsigned int)v7); 48 | if ( *(_QWORD *)__stack_chk_guard_ptr != v11 ) 49 | JUMPOUT(__stack_chk_fail); 50 | return 1; 51 | } -------------------------------------------------------------------------------- /testcode2.txt: -------------------------------------------------------------------------------- 1 | int __cdecl main(int argc, const char **argv, const char **envp) 2 | { 3 | signed int v3; // eax@24 4 | signed int v4; // eax@28 5 | bool v5; // zf@31 6 | signed int v6; // eax@31 7 | __int64 v7; // rax@38 8 | signed int v9; // [sp+6Ch] [bp-24h]@1 9 | char v10; // [sp+72h] [bp-1Eh]@1 10 | char v11; // [sp+73h] [bp-1Dh]@28 11 | int v12; // [sp+74h] [bp-1Ch]@31 12 | int v13; // [sp+7Ch] [bp-14h]@1 13 | int v14; // [sp+80h] [bp-10h]@1 14 | int v15; // [sp+84h] [bp-Ch]@1 15 | __int64 
v16; // [sp+88h] [bp-8h]@1 16 | 17 | v16 = *(_QWORD *)__stack_chk_guard_ptr; 18 | v14 = 0; 19 | v13 = 0; 20 | scanf("%s", &v10, envp); 21 | v15 = v10; 22 | v9 = -1356555336; 23 | do 24 | { 25 | while ( 1 ) 26 | { 27 | while ( 1 ) 28 | { 29 | while ( 1 ) 30 | { 31 | while ( v9 <= -1383250769 ) 32 | { 33 | if ( v9 == -1607633251 ) 34 | { 35 | printf("fail 2"); 36 | v14 = 1; 37 | v9 = 1388580787; 38 | } 39 | } 40 | if ( v9 <= 2053611315 ) 41 | break; 42 | if ( v9 == 2053611316 ) 43 | { 44 | printf("succeed!"); 45 | v14 = 1; 46 | v9 = 1388580787; 47 | } 48 | } 49 | if ( v9 <= 1866034826 ) 50 | break; 51 | if ( v9 == 1866034827 ) 52 | { 53 | v5 = strcmp((const char *)&v12, "RIGHT") == 0; 54 | v6 = 1021668429; 55 | if ( v5 ) 56 | v6 = -179927636; 57 | v9 = v6; 58 | } 59 | } 60 | if ( v9 > 1388580786 ) 61 | break; 62 | if ( v9 > 1021668428 ) 63 | { 64 | if ( v9 == 1021668429 ) 65 | { 66 | v9 = -179927636; 67 | printf("pass 2"); 68 | } 69 | } 70 | else if ( v9 > -179927637 ) 71 | { 72 | if ( v9 == -179927636 ) 73 | v9 = 2053611316; 74 | } 75 | else 76 | { 77 | switch ( v9 ) 78 | { 79 | case -1383250768: 80 | v9 = -1161188143; 81 | printf("fail at 1"); 82 | break; 83 | case -1356555336: 84 | printf("hello") 85 | v3 = -1383250768; 86 | 87 | if ( v15 == 120 ) 88 | v3 = -1161188143; 89 | v9 = v3; 90 | break; 91 | case -1161188143: 92 | v4 = 1866034827; 93 | if ( v11 != 100 ) 94 | v4 = -1607633251; 95 | v9 = v4; 96 | break; 97 | } 98 | } 99 | } 100 | } 101 | while ( v9 != 1388580787 ); 102 | v7 = *(_QWORD *)__stack_chk_guard_ptr; 103 | if ( *(_QWORD *)__stack_chk_guard_ptr == v16 ) 104 | LODWORD(v7) = v14; 105 | return v7; 106 | } -------------------------------------------------------------------------------- /testcode3.txt: -------------------------------------------------------------------------------- 1 | int __cdecl main(int argc, const char **argv, const char **envp) 2 | { 3 | signed int v3; // eax@27 4 | signed int v4; // ecx@32 5 | signed int v5; // eax@35 6 | signed 
int v7; // [sp+6Ch] [bp-24h]@1 7 | char v8; // [sp+72h] [bp-1Eh]@1 8 | char v9; // [sp+73h] [bp-1Dh]@32 9 | int v10; // [sp+7Ch] [bp-14h]@1 10 | int v11; // [sp+80h] [bp-10h]@1 11 | int v12; // [sp+84h] [bp-Ch]@1 12 | __int64 v13; // [sp+88h] [bp-8h]@1 13 | 14 | v13 = *(_QWORD *)__stack_chk_guard_ptr; 15 | v11 = 0; 16 | v10 = 0; 17 | scanf("%s", &v8, envp); 18 | v12 = v8; 19 | v7 = 541363751; 20 | do 21 | { 22 | while ( v7 <= 1670821026 ) 23 | { 24 | if ( v7 > -1389122065 ) 25 | { 26 | if ( v7 > -1118978952 ) 27 | { 28 | if ( v7 > -960398201 ) 29 | { 30 | if ( v7 > -874827660 ) 31 | { 32 | if ( v7 > 319377743 ) 33 | { 34 | if ( v7 > 541363750 ) 35 | { 36 | switch ( v7 ) 37 | { 38 | case 541363751: 39 | v3 = 869007499; 40 | if ( v12 == 120 ) 41 | v3 = 811542728; 42 | v7 = v3; 43 | break; 44 | case 811542728: 45 | v7 = 319377744; 46 | printf("branch2"); 47 | break; 48 | case 869007499: 49 | v7 = 319377744; 50 | printf("branch1"); 51 | break; 52 | } 53 | } 54 | else if ( v7 == 319377744 ) 55 | { 56 | printf("common branch 1"); 57 | v4 = -1118978951; 58 | if ( v9 == 120 ) 59 | v4 = -874827659; 60 | v7 = v4; 61 | } 62 | } 63 | else if ( v7 == -874827659 ) 64 | { 65 | v7 = 1670821027; 66 | printf("branch4"); 67 | } 68 | } 69 | else if ( v7 == -960398200 ) 70 | { 71 | v7 = -1389122064; 72 | printf("branch31"); 73 | } 74 | } 75 | else if ( v7 == -1118978951 ) 76 | { 77 | v5 = -960398200; 78 | if ( v8 != 120 ) 79 | v5 = -1763383388; 80 | v7 = v5; 81 | } 82 | } 83 | else if ( v7 == -1389122064 ) 84 | { 85 | v7 = 1670821027; 86 | } 87 | } 88 | else if ( v7 == -1763383388 ) 89 | { 90 | v7 = -1389122064; 91 | printf("branch32"); 92 | } 93 | } 94 | } 95 | while ( v7 != 1670821027 ); 96 | printf("common branch 2"); 97 | if ( *(_QWORD *)__stack_chk_guard_ptr != v13 ) 98 | JUMPOUT(__stack_chk_fail); 99 | return 1; 100 | } -------------------------------------------------------------------------------- /testcode4.txt: 
--------------------------------------------------------------------------------
// Control-flow-flattened string comparison (sample input for the cracker).
// v7 is the dispatcher state: it starts at 2121906003 and the outer do/while
// exits once it reaches 1101622353. The nested while/if/switch ladder only
// routes v7 to the matching state body; the real work is in those bodies:
//   2121906003   v10[v9] == aAbcde[v9] ?   next 932135874, else 1481278115
//   932135874    aAbcde[v9] != 0 ?         next -1118148654, else -373421366
//   -1118148654  ++v9, back to 2121906003
//   1481278115   v8 = 0 (a mismatch was seen), next 1799243695
//   -373421366   next 1799243695
//   1799243695   v8 != 0 ?                 next -1087168299, else 1282886374
//   -1087168299  prints "same", next 1101622353 (exit)
//   1282886374   prints "different", next 1101622353 (exit)
// Read without the dispatcher, this is a byte-wise compare of v10 against
// aAbcde that stops at the first mismatch or at a zero byte in aAbcde.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  signed int v3; // eax@24
  signed int v4; // eax@28
  signed int v5; // eax@33
  signed int v7; // [sp+54h] [bp-2Ch]@1
  signed int v8; // [sp+58h] [bp-28h]@1
  int v9; // [sp+5Ch] [bp-24h]@1
  char v10[10]; // [sp+6Ah] [bp-16h]@1
  int v11; // [sp+74h] [bp-Ch]@1
  __int64 v12; // [sp+78h] [bp-8h]@1

  // Stack-protector value saved here and compared again before the return.
  v12 = *(_QWORD *)__stack_chk_guard_ptr;
  v11 = 0;
  v9 = 0;
  v8 = 1;
  // Initial dispatcher state.
  v7 = 2121906003;
  // NOTE(review): "%s" carries no field width while v10 is char[10], so input
  // of ten or more characters is written past the end of v10.
  scanf("%s", v10, envp);
  do
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( 1 )
        {
          while ( 1 )
          {
            while ( v7 > 2121906002 )
            {
              if ( v7 == 2121906003 )
              {
                // Compare the current input byte with the reference byte.
                v3 = 1481278115;
                if ( v10[v9] == aAbcde[(signed __int64)v9] )
                  v3 = 932135874;
                v7 = v3;
              }
            }
            if ( v7 <= 1799243694 )
              break;
            if ( v7 == 1799243695 )
            {
              // v8 still holds 1 unless the mismatch state cleared it.
              v5 = -1087168299;
              if ( !v8 )
                v5 = 1282886374;
              v7 = v5;
            }
          }
          if ( v7 <= 1481278114 )
            break;
          if ( v7 == 1481278115 )
          {
            v8 = 0;
            v7 = 1799243695;
          }
        }
        if ( v7 <= 1282886373 )
          break;
        if ( v7 == 1282886374 )
        {
          v7 = 1101622353;
          printf("different");
        }
      }
      if ( v7 > 1101622352 )
        break;
      if ( v7 > 932135873 )
      {
        if ( v7 == 932135874 )
        {
          // Keep looping only while the reference string has more bytes.
          v4 = -373421366;
          if ( aAbcde[(signed __int64)v9] )
            v4 = -1118148654;
          v7 = v4;
        }
      }
      else
      {
        switch ( v7 )
        {
          case -1118148654:
            ++v9;
            v7 = 2121906003;
            break;
          case -1087168299:
            v7 = 1101622353;
            printf("same");
            break;
          case -373421366:
            v7 = 1799243695;
            break;
        }
      }
    }
  }
  while ( v7 != 1101622353 ); // exit state
  if ( *(_QWORD *)__stack_chk_guard_ptr != v12 )
    JUMPOUT(__stack_chk_fail);
  return 1;
}
--------------------------------------------------------------------------------
/testcode5.txt:
--------------------------------------------------------------------------------
// Control-flow-flattened input checker (sample input for the cracker).
// v43 is the dispatcher state: it starts at -2041854395 and the do/while exits
// once it reaches -784309006. The nested while ( 1 ) loops and the else-if
// ladder only route v43 to the matching state body.
// The state bodies come in three shapes:
//   - compare: test one byte of s against a constant (s[0] through v47 in the
//     entry state, s[v44] afterwards, with v44 advanced by one), then select
//     the next compare state (or the success state) on a match and a report
//     state on a mismatch;
//   - report: printf("%s", ...) the entry at index v44 of the table at
//     off_602CF0, store a per-state constant in v46, and go to the exit state;
//   - success (1504977452): print "Wooooohoooo!", set v46 to 0, and exit.
// "v44 + 1" is spelled several ways: v44++, -(-v44 - 1), and
// v44 - K + (K + 1) with a different constant K per state.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  signed __int64 v3; // rsi@1
  signed int v4; // eax@147
  signed int v5; // eax@151
  signed int v6; // eax@155
  signed int v7; // eax@159
  int v8; // edx@159
  signed int v9; // eax@163
  int v10; // edx@163
  signed int v11; // eax@167
  signed int v12; // eax@171
  int v13; // edx@171
  signed int v14; // eax@175
  int v15; // edx@175
  signed int v16; // eax@179
  signed int v17; // eax@183
  signed int v18; // eax@187
  int v19; // edx@187
  signed int v20; // eax@191
  int v21; // edx@191
  signed int v22; // eax@195
  int v23; // edx@195
  signed int v24; // eax@199
  int v25; // edx@199
  signed int v26; // eax@203
  int v27; // edx@203
  signed int v28; // eax@207
  int v29; // edx@207
  signed int v30; // eax@211
  signed int v31; // eax@215
  int v32; // edx@215
  signed int v33; // eax@219
  int v34; // edx@219
  signed int v35; // eax@223
  signed int v36; // eax@227
  signed int v37; // eax@231
  int v38; // edx@231
  signed int v39; // eax@235
  signed int v40; // eax@239
  int v41; // edx@239
  signed int v43; // [sp+1F8h] [bp-98h]@1
  int v44; // [sp+1FCh] [bp-94h]@1
  char s[136]; // [sp+200h] [bp-90h]@1
  unsigned int v46; // [sp+288h] [bp-8h]@1
  int v47; // [sp+28Ch] [bp-4h]@1

  v46 = 0;
  // Bounded read: the size argument (128) is below the size of s (136).
  fgets(s, 128, stdin);
  v3 = 0xFFFFFFFFLL;
  // v44 starts at 1 because s[0] is checked separately through v47.
  v44 = 1;
  v47 = s[0];
  // Initial dispatcher state.
  v43 = -2041854395;
  do
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( 1 )
        {
          while ( 1 )
          {
            while ( 1 )
            {
              while ( 1 )
              {
                while ( 1 )
                {
                  while ( 1 )
                  {
                    while ( 1 )
                    {
                      while ( 1 )
                      {
                        while ( 1 )
                        {
                          while ( 1 )
                          {
                            while ( 1 )
                            {
                              while ( 1 )
                              {
                                while ( 1 )
                                {
                                  while ( 1 )
                                  {
                                    while ( 1 )
                                    {
                                      while ( 1 )
                                      {
                                        while ( 1 )
                                        {
                                          while ( 1 )
                                          {
                                            while ( 1 )
                                            {
                                              while ( 1 )
                                              {
                                                while ( 1 )
                                                {
                                                  while ( 1 )
                                                  {
                                                    while ( 1 )
                                                    {
                                                      while ( 1 )
                                                      {
                                                        while ( 1 )
                                                        {
                                                          while ( 1 )
                                                          {
                                                            while ( 1 )
                                                            {
                                                              while ( 1 )
                                                              {
                                                                while ( v43 <= -2041854396 )
                                                                {
                                                                  if ( v43 == -2132436122 )
                                                                  {
                                                                    // Report state: print a table entry, set v46, exit.
                                                                    v3 = (signed __int64)*(&off_602CF0 + v44);
                                                                    printf("%s", v3);
                                                                    v46 = 101;
                                                                    v43 = -784309006;
                                                                  }
                                                                }
                                                                if ( v43 <= 2085583475 )
                                                                  break;
                                                                if ( v43 == 2085583476 )
                                                                {
                                                                  v3 = (signed __int64)*(&off_602CF0 + v44);
                                                                  printf("%s", v3);
                                                                  v46 = 119;
                                                                  v43 = -784309006;
                                                                }
                                                              }
                                                              if ( v43 <= 2079428296 )
                                                                break;
                                                              if ( v43 == 2079428297 )
                                                              {
                                                                v3 = (signed __int64)*(&off_602CF0 + v44);
                                                                printf("%s", v3);
                                                                v46 = 121;
                                                                v43 = -784309006;
                                                              }
                                                            }
                                                            if ( v43 <= 1931512544 )
                                                              break;
                                                            if ( v43 == 1931512545 )
                                                            {
                                                              // Compare state: v29 keeps the index used for the test,
                                                              // the two additions below leave v44 one higher.
                                                              v28 = -1026118068;
                                                              v29 = v44;
                                                              v3 = (unsigned int)(v44 - 37966238 + 37966239);
                                                              v44 = v44 - 37966238 + 37966239;
                                                              if ( s[v29] != 97 )
                                                                v28 = -165628765;
                                                              v43 = v28;
                                                            }
                                                          }
                                                          if ( v43 <= 1798849643 )
                                                            break;
                                                          if ( v43 == 1798849644 )
                                                          {
                                                            v3 = (signed __int64)*(&off_602CF0 + v44);
                                                            printf("%s", v3);
                                                            v46 = 97;
                                                            v43 = -784309006;
                                                          }
                                                        }
                                                        if ( v43 <= 1592511622 )
                                                          break;
                                                        if ( v43 == 1592511623 )
                                                        {
                                                          v9 = -190208306;
                                                          v10 = v44;
                                                          v3 = (unsigned int)(v44 - 1959366910 + 1959366911);
                                                          v44 = v44 - 1959366910 + 1959366911;
                                                          if ( s[v10] != 84 )
                                                            v9 = 835038511;
                                                          v43 = v9;
                                                        }
                                                      }
                                                      if ( v43 <= 1504977451 )
                                                        break;
                                                      if ( v43 == 1504977452 )
                                                      {
                                                        // Success state: the only body that prints this message.
                                                        printf("Wooooohoooo!\n", v3, 1734437990LL);
                                                        v46 = 0;
                                                        v43 = -784309006;
                                                      }
                                                    }
                                                    if ( v43 <= 1434525136 )
                                                      break;
                                                    if ( v43 == 1434525137 )
                                                    {
                                                      v3 = (signed __int64)*(&off_602CF0 + v44);
                                                      printf("%s", v3);
                                                      v46 = 103;
                                                      v43 = -784309006;
                                                    }
                                                  }
                                                  if ( v43 <= 1250442350 )
                                                    break;
                                                  if ( v43 == 1250442351 )
                                                  {
                                                    v3 = (signed __int64)*(&off_602CF0 + v44);
                                                    printf("%s", v3);
                                                    v46 = 111;
                                                    v43 = -784309006;
                                                  }
                                                }
                                                if ( v43 <= 1152580445 )
                                                  break;
                                                if ( v43 == 1152580446 )
                                                {
                                                  v5 = -263150253;
                                                  v3 = (unsigned int)v44++;
                                                  if ( s[(signed int)v3] != 99 )
                                                    v5 = 692885154;
                                                  v43 = v5;
                                                }
                                              }
                                              if ( v43 <= 1117225811 )
                                                break;
                                              if ( v43 == 1117225812 )
                                              {
                                                v3 = (signed __int64)*(&off_602CF0 + v44);
                                                printf("%s", v3);
                                                v46 = 78;
                                                v43 = -784309006;
                                              }
                                            }
                                            if ( v43 <= 994119881 )
                                              break;
                                            if ( v43 == 994119882 )
                                            {
                                              v18 = 17246759;
                                              v19 = v44;
                                              v3 = (unsigned int)(v44++ + 1);
                                              if ( s[v19] != 95 )
                                                v18 = 1798849644;
                                              v43 = v18;
                                            }
                                          }
                                          if ( v43 <= 872947977 )
                                            break;
                                          if ( v43 == 872947978 )
                                          {
                                            v3 = (signed __int64)*(&off_602CF0 + v44);
                                            printf("%s", v3);
                                            v46 = 119;
                                            v43 = -784309006;
                                          }
                                        }
                                        if ( v43 <= 867882972 )
                                          break;
                                        if ( v43 == 867882973 )
                                        {
                                          v22 = -2040282790;
                                          v23 = v44;
                                          v3 = (unsigned int)(v44 - 1836227694 + 1836227695);
                                          v44 = v44 - 1836227694 + 1836227695;
                                          if ( s[v23] != 110 )
                                            v22 = -742236439;
                                          v43 = v22;
                                        }
                                      }
                                      if ( v43 <= 835038510 )
                                        break;
                                      if ( v43 == 835038511 )
                                      {
                                        v3 = (signed __int64)*(&off_602CF0 + v44);
                                        printf("%s", v3);
                                        v46 = 116;
                                        v43 = -784309006;
                                      }
                                    }
                                    if ( v43 <= 692885153 )
                                      break;
                                    if ( v43 == 692885154 )
                                    {
                                      v3 = (signed __int64)*(&off_602CF0 + v44);
                                      printf("%s", v3);
                                      v46 = 111;
                                      v43 = -784309006;
                                    }
                                  }
                                  if ( v43 <= 248652361 )
                                    break;
                                  if ( v43 == 248652362 )
                                  {
                                    v33 = -569978687;
                                    v34 = v44;
                                    v3 = (unsigned int)(v44++ + 1);
                                    if ( s[v34] != 95 )
                                      v33 = -1702876116;
                                    v43 = v33;
                                  }
                                }
                                if ( v43 <= 208393407 )
                                  break;
                                if ( v43 == 208393408 )
                                {
                                  v3 = (signed __int64)*(&off_602CF0 + v44);
                                  printf("%s", v3);
                                  v46 = 119;
                                  v43 = -784309006;
                                }
                              }
                              if ( v43 <= 17246758 )
                                break;
                              if ( v43 == 17246759 )
                              {
                                v20 = 867882973;
                                v21 = v44;
                                v3 = (unsigned int)(v44 - 1920345590 + 1920345591);
                                v44 = v44 - 1920345590 + 1920345591;
                                if ( s[v21] != 105 )
                                  v20 = 1434525137;
                                v43 = v20;
                              }
                            }
                            if ( v43 <= -165628766 )
                              break;
                            if ( v43 == -165628765 )
                            {
                              v3 = (signed __int64)*(&off_602CF0 + v44);
                              printf("%s", v3);
                              v46 = 119;
                              v43 = -784309006;
                            }
                          }
                          if ( v43 <= -175831435 )
                            break;
                          if ( v43 == -175831434 )
                          {
                            v37 = -1286457186;
                            v38 = v44;
                            v3 = (unsigned int)(v44 - 586298664 + 586298665);
                            v44 = v44 - 586298664 + 586298665;
                            if ( s[v38] != 103 )
                              v37 = 208393408;
                            v43 = v37;
                          }
                        }
                        if ( v43 <= -190208307 )
                          break;
                        if ( v43 == -190208306 )
                        {
                          v11 = -603386866;
                          v3 = (unsigned int)v44++;
                          if ( s[(signed int)v3] != 70 )
                            v11 = -1081271751;
                          v43 = v11;
                        }
                      }
                      if ( v43 <= -238934456 )
                        break;
                      if ( v43 == -238934455 )
                      {
                        v3 = (signed __int64)*(&off_602CF0 + v44);
                        printf("%s", v3);
                        v46 = 95;
                        v43 = -784309006;
                      }
                    }
                    if ( v43 <= -263150254 )
                      break;
                    if ( v43 == -263150253 )
                    {
                      v6 = -1853302667;
                      v3 = (unsigned int)v44;
                      v44 = -(-v44 - 1);
                      if ( s[(signed int)v3] != 101 )
                        v6 = -1050118208;
                      v43 = v6;
                    }
                  }
                  if ( v43 <= -396100309 )
                    break;
                  if ( v43 == -396100308 )
                  {
                    v3 = (signed __int64)*(&off_602CF0 + v44);
                    printf("%s", v3);
                    v46 = 115;
                    v43 = -784309006;
                  }
                }
                if ( v43 <= -455647466 )
                  break;
                if ( v43 == -455647465 )
                {
                  v3 = (signed __int64)*(&off_602CF0 + v44);
                  printf("%s", v3);
                  v46 = 102;
                  v43 = -784309006;
                }
              }
              if ( v43 <= -500243642 )
                break;
              if ( v43 == -500243641 )
              {
                v3 = (signed __int64)*(&off_602CF0 + v44);
                printf("%s", v3);
                v46 = 108;
                v43 = -784309006;
              }
            }
            if ( v43 <= -569978688 )
              break;
            if ( v43 == -569978687 )
            {
              v35 = -1428761711;
              v3 = (unsigned int)v44++;
              if ( s[(signed int)v3] != 97 )
                v35 = -1458131018;
              v43 = v35;
            }
          }
          if ( v43 <= -603386867 )
            break;
          if ( v43 == -603386866 )
          {
            v12 = -1853536523;
            v13 = v44;
            v3 = (unsigned int)(v44++ + 1);
            if ( s[v13] != 123 )
              v12 = -2132436122;
            v43 = v12;
          }
        }
        if ( v43 <= -742236440 )
          break;
        if ( v43 == -742236439 )
        {
          v3 = (signed __int64)*(&off_602CF0 + v44);
          printf("%s", v3);
          v46 = 95;
          v43 = -784309006;
        }
      }
      // The exit state (-784309006) and anything above it leave this loop;
      // the ladder below handles the remaining, lower state values.
      if ( v43 > -784309007 )
        break;
      if ( v43 > -928456967 )
      {
        if ( v43 == -928456966 )
        {
          v16 = -1874496460;
          v3 = (unsigned int)v44++;
          if ( s[(signed int)v3] != 105 )
            v16 = -455647465;
          v43 = v16;
        }
      }
      else if ( v43 > -1026118069 )
      {
        if ( v43 == -1026118068 )
        {
          v30 = -1754102698;
          v3 = (unsigned int)v44;
          v44 = -(-v44 - 1);
          if ( s[(signed int)v3] != 108 )
            v30 = 872947978;
          v43 = v30;
        }
      }
      else if ( v43 > -1050118209 )
      {
        if ( v43 == -1050118208 )
        {
          v3 = (signed __int64)*(&off_602CF0 + v44);
          printf("%s", v3);
          v46 = 116;
          v43 = -784309006;
        }
      }
      else if ( v43 > -1081271752 )
      {
        if ( v43 == -1081271751 )
        {
          v3 = (signed __int64)*(&off_602CF0 + v44);
          printf("%s", v3);
          v46 = 104;
          v43 = -784309006;
        }
      }
      else if ( v43 > -1216289449 )
      {
        if ( v43 == -1216289448 )
        {
          v3 = (signed __int64)*(&off_602CF0 + v44);
          printf("%s", v3);
          v46 = 33;
          v43 = -784309006;
        }
      }
      else if ( v43 > -1286457187 )
      {
        if ( v43 == -1286457186 )
        {
          v39 = -1936044279;
          v3 = (unsigned int)v44++;
          if ( s[(signed int)v3] != 114 )
            v39 = 2079428297;
          v43 = v39;
        }
      }
      else if ( v43 > -1368516165 )
      {
        if ( v43 == -1368516164 )
        {
          v26 = 1931512545;
          v27 = v44;
          v3 = (unsigned int)(v44 - 1875687347 + 1875687348);
          v44 = v44 - 1875687347 + 1875687348;
          if ( s[v27] != 116 )
            v26 = 1250442351;
          v43 = v26;
        }
      }
      else if ( v43 > -1428761712 )
      {
        if ( v43 == -1428761711 )
        {
          v36 = -175831434;
          v3 = (unsigned int)v44;
          v44 = -(-v44 - 1);
          if ( s[(signed int)v3] != 110 )
            v36 = -1729313284;
          v43 = v36;
        }
      }
      else if ( v43 > -1458131019 )
      {
        if ( v43 == -1458131018 )
        {
          v3 = (signed __int64)*(&off_602CF0 + v44);
          printf("%s", v3);
          v46 = 119;
          v43 = -784309006;
        }
      }
      else if ( v43 > -1702876117 )
      {
        if ( v43 == -1702876116 )
        {
          v3 = (signed __int64)*(&off_602CF0 + v44);
          printf("%s", v3);
          v46 = 119;
          v43 = -784309006;
        }
      }
      else if ( v43 > -1729313285 )
      {
        if ( v43 == -1729313284 )
        {
          v3 = (signed __int64)*(&off_602CF0 + v44);
          printf("%s", v3);
          v46 = 119;
          v43 = -784309006;
        }
      }
      else if ( v43 > -1754102699 )
      {
        if ( v43 == -1754102698 )
        {
          v31 = 248652362;
          v32 = v44;
          v3 = (unsigned int)(v44++ + 1);
          if ( s[v32] != 108 )
            v31 = 2085583476;
          v43 = v31;
        }
      }
      else if ( v43 > -2040282791 )
      {
        if ( v43 > -1936044280 )
        {
          if ( v43 > -1891272129 )
          {
            if ( v43 > -1874496461 )
            {
              switch ( v43 )
              {
                case -1874496460:
                  v17 = 994119882;
                  v3 = (unsigned int)v44++;
                  if ( s[(signed int)v3] != 112 )
                    v17 = -500243641;
                  v43 = v17;
                  break;
                case -1853536523:
                  v14 = -928456966;
                  v15 = v44;
                  v3 = (unsigned int)(v44++ + 1);
                  if ( s[v15] != 112 )
                    v14 = -1891272128;
                  v43 = v14;
                  break;
                case -1853302667:
                  v7 = 1592511623;
                  v8 = v44;
                  v3 = (unsigned int)(v44++ + 1);
                  if ( s[v8] != 67 )
                    v7 = -238934455;
                  v43 = v7;
                  break;
              }
            }
            else if ( v43 == -1891272128 )
            {
              v3 = (signed __int64)*(&off_602CF0 + v44);
              printf("%s", v3);
              v46 = 95;
              v43 = -784309006;
            }
          }
          else if ( v43 == -1936044279 )
          {
            // Last compare state: a match leads to the success state.
            v40 = 1504977452;
            v41 = v44;
            v3 = (unsigned int)(v44++ + 1);
            if ( s[v41] != 125 )
              v40 = -1216289448;
            v43 = v40;
          }
        }
        else if ( v43 == -2040282790 )
        {
          v24 = -1368516164;
          v25 = v44;
          v3 = (unsigned int)(v44++ + 1);
          if ( s[v25] != 115 )
            v24 = -396100308;
          v43 = v24;
        }
      }
      else if ( v43 == -2041854395 )
      {
        // Entry state: checks s[0] (copied into v47 before the loop).
        v4 = 1152580446;
        if ( v47 != 73 )
          v4 = 1117225812;
        v43 = v4;
      }
    }
  }
  while ( v43 != -784309006 ); // exit state
  // v46 is 0 after the success state and a per-state constant after a report state.
  return v46;
}
--------------------------------------------------------------------------------