api_deobfuscator.lua
--- Disassemble the single instruction at addr.
-- Thin wrapper over Cheat Engine's disassemble/splitDisassembledString that
-- keeps only the two fields the rest of this script uses.
-- @param addr number  address of the instruction
-- @return address  the address field of the split disassembly
-- @return opcode   the mnemonic+operand field of the split disassembly
function disas(addr)
  local text = disassemble(addr)
  -- splitDisassembledString yields (extra, opcode, bytes, address);
  -- fields 2 and 4 are the ones returned here.
  local _, opcode, _, address = splitDisassembledString(text)
  return address, opcode
end
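--- Resolve the static target of the control-transfer instruction at addr.
-- Accepted forms: "call <hex>" (memory-indirect "call ... ptr [...]" is
-- excluded) and, when jmp is true, any "j*" mnemonic including
-- memory-indirect jumps, whose operand slot is dereferenced with readPointer.
-- @param addr number   address of the instruction to examine
-- @param jmp boolean   also accept j* mnemonics (unconditional and conditional)
-- @return number|nil   target address, or nil when the instruction is not an
--   accepted call/jump or its operand is not a trailing hex literal
function getDestAddr(addr, jmp)
  local _, opcode = disas(addr)
  local isJump = jmp and string.match(opcode, '^j%a+%s+')
  local isDirectCall = string.find(opcode, "call") and not string.find(opcode, " ptr")
  if not (isJump or isDirectCall) then
    return nil
  end
  -- Operand is the trailing hex literal, optionally wrapped in brackets.
  -- Named separately from the parameter so addr is not shadowed.
  local hexOperand = string.match(opcode, '%s+%[?(%x+)%]?$')
  if not hexOperand then
    return nil
  end
  local destAddr = tonumber(hexOperand, 16)
  if string.find(opcode, 'word ptr') then
    -- Memory operand: the literal is the slot holding the real target.
    -- Pass the parsed number rather than the hex string so the read does not
    -- go through CE's symbol/expression handling, matching how readInteger
    -- is called elsewhere in this script.
    destAddr = readPointer(destAddr)
  end
  return destAddr
end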
--- Walk a chain of calls/jumps starting at addr until it lands in a system
-- module. Each step takes the instruction's static target when getDestAddr
-- resolves one (conditional jumps are followed as if taken), otherwise it
-- falls through to the next instruction.
-- @param addr number  start address of the chain
-- @return number|nil  first address inside a system module, or nil if none is
--   reached within the step budget
function follows(addr)
  local MAX_STEPS = 0x300
  local pc = addr
  for _ = 0, MAX_STEPS do
    local target = getDestAddr(pc, true)
    -- target is a number when present, so `or` is a safe fallback here.
    pc = target or (pc + getInstructionSize(pc))
    if inSystemModule(pc) then
      return pc
    end
  end
  return nil
end
--- Map the start of a jump chain to the address of the symbol it reaches.
-- The landing address is turned into a name, any trailing "+<hex>" offset is
-- stripped, and the bare symbol is resolved again with getAddress.
-- @param addr number  start of the chain (passed to follows)
-- @return number|nil  resolved symbol address, or nil when the chain never
--   reaches a system module
function getApiAddr(addr)
  local landing = follows(addr)
  if not landing then
    return nil
  end
  local name = getNameFromAddress(landing)
  -- Drop a "+offset" suffix so the symbol itself is resolved.
  -- NOTE(review): if getNameFromAddress yields only "module+offset" (no
  -- symbol), the stripped name resolves to the module base rather than an
  -- API — confirm against CE output before trusting the result.
  local symbol = string.gsub(name, '%+(%x+)$', "")
  return (getAddress(symbol))
end
--- Patch the call/jump at addr so it targets the resolved API directly.
-- The mnemonic of the existing instruction is kept and only its operand is
-- replaced, via a one-instruction auto-assembler script.
-- @param addr number  address of the instruction to patch
-- @return number|nil  the API address assembled in, or nil when the chain
--   could not be resolved (nothing is written in that case)
function fix_api(addr)
  local apiAddr = getApiAddr(getDestAddr(addr, true))
  if apiAddr then
    local _, opcode = disas(addr)
    -- Mnemonic including its trailing whitespace (e.g. "call ").
    local mnemonic = string.match(opcode, '^%a+%s+')
    local newIns = string.format("%s %x", mnemonic, apiAddr)
    -- Script layout is "<addr>:\n<instruction>\n".
    -- NOTE(review): the new encoding is assumed to fit the original
    -- instruction's length; autoAssemble does not pad — TODO confirm for
    -- memory-indirect jump sites.
    autoAssemble(string.format("%x:\n%s\n", addr, newIns))
  end
  return apiAddr
end
--- Scan [from, to) instruction by instruction and patch every call/jump whose
-- target is readable and lies outside every loaded module.
-- Prints one line per patched site and a "failed" line for each site whose
-- chain could not be resolved.
-- @param from number  first address to scan
-- @param to number    end of the range (exclusive)
-- @return fixed  number of sites successfully patched
-- @return total  number of sites attempted
function fixs(from, to)
  local fixed, total = 0, 0
  local pc = from
  while pc < to do
    local target = getDestAddr(pc, true)
    local isCandidate = target and getAddressSafe(target) and not inModule(target)
    if isCandidate then
      total = total + 1
      local apiAddr = fix_api(pc)
      if apiAddr then
        fixed = fixed + 1
        print(string.format("(%d) %x[%s] - %s", fixed, pc, getNameFromAddress(pc), getNameFromAddress(apiAddr)))
      else
        print(string.format("(%d) failed %x[%s]", total, pc, getNameFromAddress(pc)))
      end
    end
    -- Advance by the (possibly just-rewritten) instruction's size.
    pc = pc + getInstructionSize(pc)
  end
  print("Finished")
  return fixed, total
end
-- Entry point: locate the module's code section from its PE headers and run
-- the scan over it. "PROCESS NAME" is a placeholder for the module to scan.
local base = getAddress("PROCESS NAME")
-- e_lfanew (DOS header +0x3C) locates the PE header; SizeOfCode and
-- BaseOfCode live at +0x1c and +0x2c of it.
local peHeader = base + readInteger(base + 0x3C)
local sizeOfCode = readInteger(peHeader + 0x1c)
local baseOfCode = readInteger(peHeader + 0x2c)
local from = base + baseOfCode -- modify base of your module code
local size = sizeOfCode -- modify size of code
local to = from + size
local fixed, attempted = fixs(from, to)
print(string.format("Success %d Fail %d All %d", fixed, attempted - fixed, attempted))
print(string.format("From %x To %x", from, to))