Lets say I got this for example (from java obfuscation) with a highly overflowed shift value
x = buffer[count + -3] << 0x8f553768 & 0xff00
From trying I figured this out..
8 = 0x ff 00
16 = 0x ff 00 00
24 = 0x ff 00 00 00
pretty much I am deobfuscatating to look like this.
x = ((buffer[coint - 3] << 8) & 0xff)
I got most of it working like flipping the [+ -]
to [- +]
all this is easy to fix..
But these shifts are really giving me a hard time.
I found a technique of using AND on the value like
0x8f553768 & 31
which gives the proper answer of 8
etc..
Then I would convert 0xff00
to the equivalent of unsigned byte.. which is 0xff
My question is how do I lower the bitmasks to it's proper values.. say this example
i1 << 0xf7c13d2a & 0xfc00 /开发者_运维知识库/Aka 0xf7c13d2a & 31 == 10
which I got down to..
i1 << 10 & 0xfc00
how do I lower the 0xfc00
to it's proper value?
I took a guess
should look like this
i1 << 10 & 0x3f
but whats the formula to lower AND
values?
Haha solved my brain did the calculation in its head..
damn why do answers come so hard for me..
i1 << 10 & 0xfc00
then you do
0xfc00 >> 10
which gives you 0x3f
精彩评论