Kenan Sulayman 19h

This gist became waaaaaay too big... we'll continue at https://github.com/19h/eac-analysis

TRex: Practical Type Reconstruction for Binary Code

Jay Bosamiya^1*, Maverick Woo², and Bryan Parno²

¹Microsoft Research
²Carnegie Mellon University
^*Work done while at Carnegie Mellon University

	╭──────────────────────────────────────────────────────────────────────────╮
	│ FUNCTION NAME CHARACTER DISTRIBUTION │
	╰──────────────────────────────────────────────────────────────────────────╯

	Source : function_binary_versions.csv
	Rows scanned : 8,527,690
	Unique names : 6,623,203
	Duplicates : 1,904,487
	Total chars : 607,840,400
	Quoted names : 401

	[Intro]
	Started with a pencil and a page of arithmetic (arithmetic)
	Carry the one, sum the column, every answer deterministic (deterministic)
	Then a whisper in the static said the world is probabilistic (probabilistic)
	Now the skyline in my notebook starts to shimmer and to lift (and to lift)

	[Verse 1]
	I was running through the digits with a slide rule in my hands (in my hands)
	Every sum and every product, simple loops and simple plans (simple plans)
	Then the Markov came and rolled me like a die across the felt (across the felt)

	/*
	* Binary_ActionDLL - Reconstructed C++ Source
	*
	* Reconstructed from Hex-Rays decompiler v9.4 pseudocode output.
	* Original binary: x86-64 Windows DLL compiled with Mingw-w64 (GCC/MSVC ABI).
	*
	* IOC Summary:
	* - DLL with sandbox/AV evasion, anti-analysis, and reflective PE loading
	* - Extracts encrypted payload from PE resource, decrypts, decompresses (LZNT1),
	* drops to %TEMP%\svc<hex>.exe, then reflectively maps into memory

	/*
	* Cyberpunk 2077 — Frida instrumentation script (current build)
	*
	* Subsystems:
	* Weapon — zero ammo cost, configurable projectile fan, recoil nullification, CoF freeze
	* Survival — player-specific health freeze at request-builder and executor levels
	* Economy — money quantity multiplier on inventory-add path, XP replay on proficiency grants
	* Teleport — physics-proxy scan, camera-relative movement, GPS target warp, sticky tracking
	* Input — game input manager/backend key interception for hotkey-driven teleport
	*

	// =============================================================================
	// RECONSTRUCTED SOURCE: obfuscator_test.cpp
	// Reverse-engineered from IDA decompilation dump (67 functions, entry 0x115F0)
	// Target: x86_64 Linux, C++20 (std::format), libstdc++, pthreads
	// Compiler: GCC (inferred from libstdc++ ABI, __cxx11::basic_string layout,
	// magic-number divisibility optimizations, fsqrt intrinsic usage)
	// =============================================================================
	//
	// ASSUMPTION REGISTER:
	// [A1] String literals (rodata pointers 25309, 25517, 25957, 27406, etc.)

	#!/usr/bin/env python3
	"""
	Unicorn-based unpacker for test_packer ELF binary.

	Strategy:
	1. Parse the ELF, map all LOAD segments into Unicorn at a chosen base.
	2. Apply R_X86_64_RELATIVE relocations (simulate ld-linux.so).
	3. Set up a stack, stub out PLT imports (mprotect, open, read, etc.).
	4. Execute starting at the init_array unpacker stub.
	5. Track memory writes to the encrypted .text region.

	cat module/nec850/tools/extract_v850_reloc_masks.py
	#!/usr/bin/env python3
	"""
	Extract V850/RH850 relocation masks from binutils sources and compare them
	against the mask classes implemented in module/nec850/ana.cpp.

	The extraction prefers the relocation write logic in
	`bfd/elf32-v850.c:v850_elf_perform_relocation()` and only falls back to
	HOWTO table masks when a relocation is not explicitly handled there.
	"""

	#!/usr/bin/env python3
	"""
	Analyze v850/RH850 relocations across all compiled object files.

	For each relocation in .text* sections:
	- Read the instruction bytes at the relocation offset
	- Determine the relocation type and its bit mask
	- Report per-relocation-type statistics and the exact mask to apply

	This directly tells us which instruction bits are position-dependent