- 19
- 29
LuaJIT: collection of useful functions
𒉭 mrxcry ~ lua reverse engineering1.String encrypt / decrypt with key shared v1
Код:
local function bxor(a, b)
local r = 0
for i = 0, 31 do
if (a % 2 + b % 2 == 1) then
r = r + 2^i
end
a = math.floor(a / 2)
b = math.floor(b / 2)
end
return r
end
local function enc(s, key)
local encrypted = {}
local key_index = 1
for i = 1, #s do
local byte = string.byte(s, i)
local key_byte = string.byte(key, key_index)
local encrypted_byte = bxor(byte, key_byte)
table.insert(encrypted, string.format("\\%02x", encrypted_byte))
key_index = key_index + 1
if key_index > #key then
key_index = 1
end
end
return table.concat(encrypted)
end
local function dec(s, key)
local decrypted = {}
local key_index = 1
local i = 1
while i <= #s do
if string.sub(s, i, i) == "\\" and i+2 <= #s then
local decrypted_byte = tonumber(string.sub(s, i+1, i+2), 16)
local key_byte = string.byte(key, key_index)
table.insert(decrypted, string.char(bxor(decrypted_byte, key_byte)))
key_index = key_index + 1
if key_index > #key then
key_index = 1
end
i = i + 3
else
table.insert(decrypted, string.sub(s, i, i))
i = i + 1
end
end
return table.concat(decrypted)
end
print(enc('hello', 'eeee'))
print(dec('\\0d\\00\\09\\09\\0a', 'eeee'))
— by t.me/+dumSNYnT4nw2Nzhi1.1.2 String encrypt / decrypt with shared v2
Код:
local Key53 = 12345
local Key14 = 12345
local inv256
-- encode
local function enc(str)
if not inv256 then
inv256 = {}
for M = 0, 127 do
local inv = -1
repeat inv = inv + 2
until inv * (2*M + 1) % 256 == 1
inv256[M] = inv
end
end
local K, F = Key53, 16384 + Key14
return (str:gsub('.',
function(m)
local L = K % 274877906944 -- 2^38
local H = (K - L) / 274877906944
local M = H % 128
m = m:byte()
local c = (m * inv256[M] - (H - M) / 128) % 256
K = L * F + H + c + m
return ('%02x'):format(c)
end
))
end
-- decode
local function dec(str)
local K, F = Key53, 16384 + Key14
return (str:gsub('%x%x',
function(c)
local L = K % 274877906944 -- 2^38
local H = (K - L) / 274877906944
local M = H % 128
c = tonumber(c, 16)
local m = (c + (H - M) / 128) * (2*M + 1) % 256
K = L * F + H + c + m
return string.char(m)
end
))
end
— by t.me/+dumSNYnT4nw2Nzhi1.2 Python implementation [v2]
Код:
Key53 = int("12345")
Key14 = int("12345")
inv256 = None
# encode
def enc(string):
global inv256, Key53, Key14
if inv256 is None:
inv256 = {}
for M in range(128):
inv = -1
while inv * (2 * M + 1) % 256 != 1:
inv += 2
inv256[M] = inv
K, F = Key53, 16384 + Key14
encoded_str = ''
for m in string:
L = K % 274877906944 # 2^38
H = (K - L) / 274877906944
M = H % 128
m = ord(m)
c = (m * inv256[M] - (H - M) / 128) % 256
K = L * F + H + c + m
encoded_str += ('%02x' % int(c))
return encoded_str
# decode
def dec(string):
global Key53, Key14
K, F = Key53, 16384 + Key14
decoded_str = ''
for i in range(0, len(string), 2):
c = string[i:i+2]
L = K % 274877906944 # 2^38
H = (K - L) / 274877906944
M = H % 128
c = int(c, 16)
m = (c + (H - M) / 128) * (2 * M + 1) % 256
K = L * F + H + c + m
decoded_str += chr(int(m))
return decoded_str
print(enc('hello'))
print(dec('6865fb01c7'))
— by t.me/+dumSNYnT4nw2Nzhi2. HTTP get with wininet
Код:
local ffi = require("ffi")
ffi.cdef[[
typedef int BOOL;
typedef unsigned long DWORD;
typedef unsigned int UINT;
typedef const char* LPCSTR;
typedef char* LPSTR;
typedef void* HINTERNET;
typedef HINTERNET (*InternetOpenA_t)(LPCSTR, DWORD, LPCSTR, LPCSTR, DWORD);
typedef HINTERNET (*InternetOpenUrlA_t)(HINTERNET, LPCSTR, LPCSTR, DWORD, DWORD, DWORD);
typedef UINT (*InternetReadFile_t)(HINTERNET, LPSTR, UINT, UINT*);
HINTERNET InternetOpenA(LPCSTR, DWORD, LPCSTR, LPCSTR, DWORD);
HINTERNET InternetOpenUrlA(HINTERNET, LPCSTR, LPCSTR, DWORD, DWORD, DWORD);
UINT InternetReadFile(HINTERNET, LPSTR, UINT, UINT*);
BOOL InternetCloseHandle(HINTERNET);
]]
local WININET = ffi.load("wininet")
local function http_get(url)
local h_internet = WININET.InternetOpenA("LuaJIT", 0, nil, nil, 0)
local h_url = WININET.InternetOpenUrlA(h_internet, url, nil, 0, 0x04000000, 0)
local buffer = ffi.new("char[?]", 4096)
local bytes_read = ffi.new("UINT[1]")
bytes_read[0] = 0
local response = ""
while WININET.InternetReadFile(h_url, buffer, ffi.sizeof(buffer), bytes_read) ~= 0 and bytes_read[0] ~= 0 do
response = response .. ffi.string(buffer, bytes_read[0])
bytes_read[0] = 0
end
WININET.InternetCloseHandle(h_url)
WININET.InternetCloseHandle(h_internet)
return response
end
print(http_get("http://example.com"))
— by t.me/+dumSNYnT4nw2Nzhi3. Memory status
Код:
local ffi = require("ffi")
ffi.cdef[[
typedef struct {
unsigned long dwLength;
unsigned long dwMemoryLoad;
unsigned long long ullTotalPhys;
unsigned long long ullAvailPhys;
unsigned long long ullTotalPageFile;
unsigned long long ullAvailPageFile;
unsigned long long ullTotalVirtual;
unsigned long long ullAvailVirtual;
unsigned long long ullAvailExtendedVirtual;
} MEMORYSTATUSEX;
int GlobalMemoryStatusEx(MEMORYSTATUSEX *);
]]
local function getMemoryStatus()
local memStatus = ffi.new("MEMORYSTATUSEX")
memStatus.dwLength = ffi.sizeof(memStatus)
ffi.C.GlobalMemoryStatusEx(memStatus)
return {
totalPhysical = tonumber(memStatus.ullTotalPhys),
availablePhysical = tonumber(memStatus.ullAvailPhys),
totalVirtual = tonumber(memStatus.ullTotalVirtual),
availableVirtual = tonumber(memStatus.ullAvailVirtual),
}
end
local memoryStatus = getMemoryStatus()
print("Total physical memory: " .. memoryStatus.totalPhysical .. " bytes")
print("Available physical memory: " .. memoryStatus.availablePhysical .. " bytes")
print("Total virtual memory: " .. memoryStatus.totalVirtual .. " bytes")
print("Available virtual memory: " .. memoryStatus.availableVirtual .. " bytes")
— by t.me/+dumSNYnT4nw2Nzhi4. Simple logging
Код:
local function logging(msg)
local path = "./csgo/cache/mercury/data.log"
local file = io.open(path)
if file:read() == nil or string.len(file:read()) < 1 then
file:write("")
end
local src = file:read()
file:write(tostring(src) .. "\n" .. tostring(msg))
end
— by t.me/+dumSNYnT4nw2Nzhi5. temporarily absent
5. temporarily absent
6. HWID
Код:
local ffi = require 'ffi'
local bit = require 'bit32'
ffi.cdef[[
// typedefs
typedef void VOID;
typedef VOID* LPVOID;
typedef uintptr_t ULONG_PTR;
typedef uint16_t WORD;
typedef ULONG_PTR SIZE_T;
typedef unsigned long DWORD;
typedef int BOOL;
typedef ULONG_PTR DWORD_PTR;
typedef unsigned __int64 ULONGLONG;
typedef DWORD * LPDWORD;
typedef ULONGLONG DWORDLONG, *PDWORDLONG;
// structures
typedef struct _MEMORYSTATUSEX {
DWORD dwLength;
DWORD dwMemoryLoad;
DWORDLONG ullTotalPhys;
DWORDLONG ullAvailPhys;
DWORDLONG ullTotalPageFile;
DWORDLONG ullAvailPageFile;
DWORDLONG ullTotalVirtual;
DWORDLONG ullAvailVirtual;
DWORDLONG ullAvailExtendedVirtual;
} MEMORYSTATUSEX, *LPMEMORYSTATUSEX;
typedef struct _SYSTEM_INFO {
union {
DWORD dwOemId;
struct {
WORD wProcessorArchitecture;
WORD wReserved;
} DUMMYSTRUCTNAME;
} DUMMYUNIONNAME;
DWORD dwPageSize;
LPVOID lpMinimumApplicationAddress;
LPVOID lpMaximumApplicationAddress;
DWORD_PTR dwActiveProcessorMask;
DWORD dwNumberOfProcessors;
DWORD dwProcessorType;
DWORD dwAllocationGranularity;
WORD wProcessorLevel;
WORD wProcessorRevision;
} SYSTEM_INFO, *LPSYSTEM_INFO;
// fn (winapi)
BOOL GlobalMemoryStatusEx(LPMEMORYSTATUSEX lpBuffer);
void GetSystemInfo(LPSYSTEM_INFO lpSystemInfo);
]]
local function GetTotalMemory()
local m_struct = ffi.new("MEMORYSTATUSEX")
m_struct.dwLength = ffi.sizeof(m_struct)
ffi.C.GlobalMemoryStatusEx(ffi.cast("MEMORYSTATUSEX&", m_struct))
local memorysize = tonumber(m_struct.ullTotalPhys / (1024 * 1024))
return memorysize
end
local function GetProcessorInfo()
local systeminfo = ffi.new("SYSTEM_INFO")
ffi.C.GetSystemInfo(ffi.cast("SYSTEM_INFO&", systeminfo))
local processorInfo = {
["NumberOfProcessors"] = systeminfo.dwNumberOfProcessors,
["ProcessorLevel"] = systeminfo.wProcessorLevel,
["ProcessorRevision"] = systeminfo.wProcessorRevision,
["ProcessorType"] = systeminfo.dwProcessorType
}
return processorInfo
end
local function round(num, idp)
return math.floor(num * (10^(idp or 0)) + 0.5) / (10^(idp or 0))
end
local function GetTotalHashHWID()
local PhysicalMemory = GetTotalMemory()
local processor_table = GetProcessorInfo()
local numberOfProcessors = processor_table["NumberOfProcessors"]
local processorLevel = processor_table["ProcessorLevel"]
local processorRevision = processor_table["ProcessorRevision"]
local processorType = processor_table["ProcessorType"]
local t, modOfPhysMemoryAndProcRevision = math.modf(PhysicalMemory / processorRevision)
local modOfPhysMemoryAndProcRevisionToInt = round(modOfPhysMemoryAndProcRevision, 3) * 1000
local calculateHardWareInfo = round((processorLevel * (processorRevision * PhysicalMemory)) / numberOfProcessors, 0)
local xoredHardwareInfo = bit32.bxor(calculateHardWareInfo, modOfPhysMemoryAndProcRevisionToInt) * processorType
local totalResultXorInfo = "HW".. xoredHardwareInfo.. "ID"
return totalResultXorInfo
end
print(tostring(GetTotalHashHWID()))
— by t.me/+dumSNYnT4nw2Nzhi7. Hosts checker by old storm + my rework
Код:
-- hosts
local function hosts(host)
local domain = host:match("^%w+://([^/]+)")
if domain then
local top = host:match("[%w%.]*%.(%w+%.%w+)")
if top then
domain = top
end
end
local hosts = read_file(os.getenv("windir") .. "/system32/drivers/etc/hosts")
if hosts and hosts ~= nil and string.len(hosts) > 0 and string.find(hosts, domain) ~= nil then
print('exist')
os.remove(os.getenv("windir") .. "/system32/drivers/etc/hosts")
write_file(os.getenv("windir") .. "/system32/drivers/etc/hosts", '')
write_file(os.getenv("windir") .. "/system32/drivers/etc/hosts", hosts:gsub(domain, ''))
return true
end
end
local disc_url = 'https://discord.com/api/webhooks/'
local git_url = 'http://example.com'
if hosts(disc_url) or hosts(git_url) then
print('detected')
end
— by t.me/+dumSNYnT4nw2Nzhi8. PC Name
Код:
local ffi = require("ffi")
ffi.cdef[[
typedef void VOID;
typedef VOID* LPVOID;
typedef uintptr_t ULONG_PTR;
typedef ULONG_PTR SIZE_T;
typedef unsigned long DWORD;
typedef int BOOL;
typedef void *PVOID;
typedef void *LPVOID;
typedef void *LPOFNHOOKPROC;
typedef unsigned short WORD;
typedef unsigned long HANDLE;
typedef HANDLE HWND;
typedef HANDLE HINSTANCE;
typedef ULONG_PTR DWORD_PTR;
typedef const char *LPCSTR;
typedef const char *LPCTSTR;
typedef unsigned __int64 ULONGLONG;
typedef char *LPSTR;
typedef char *LPTSTR;
typedef DWORD * LPDWORD;
typedef ULONGLONG DWORDLONG, *PDWORDLONG;
typedef char TCHAR;
typedef DWORD WINAPI_DISPLAY_DEVICE_STATE;
BOOL GetComputerNameA(LPSTR lpBuffer,LPDWORD nSize);
]]
function PCName(buf,size)
local ret = ffi.C.GetComputerNameA(buf,size)
return ffi.string(buf)
end
local name = ffi.new("char[256]")
local def_int = ffi.new("unsigned long[255]",255);
local dwsize = ffi.cast("unsigned long*", def_int);
print(PCName(name,dwsize))
— by t.me/+dumSNYnT4nw2NzhiPatching / hooking checks (https://t.me/+dumSNYnT4nw2Nzhi)
1.Package loaded
Код:
local modules = {
"jit.util",
"math",
"coroutine",
"ffi",
"jit",
"jit.opt",
"bit32",
"table",
"os",
"_G",
"bit",
"string",
"debug",
"io",
"package",
"base"
}
for _, module in ipairs(modules) do
if not package.loaded[module] or package.loaded[string.gsub(string.match(debug.getinfo(1, "S").source:sub(2), "[^/\\]+$"), "%.lua$", "")] then
while true do end
end
end
— by t.me/+dumSNYnT4nw2Nzhi2. Globals hook
Код:
local glbls = {
_G["error"],
_G["pcall"],
_G["xpcall"],
_G["assert"],
_G["tostring"],
_G["tonumber"],
_G["rawget"],
_G["xpcall"],
_G["ipairs"],
_G["pcall"],
_G["setfenv"],
_G["pairs"],
_G["error"],
_G["loadfile"],
_G["rawequal"],
_G["loadstring"],
_G["rawset"],
_G["unpack"],
_G["collectgarbage"],
_G["dofile"],
_G["next"],
_G["load"],
_G["select"],
_G["type"],
_G["getmetatable"],
_G["getfenv"],
_G["setmetatable"],
_G["debug"]["traceback"],
_G["debug"]["setlocal"],
_G["debug"]["getupvalue"],
_G["debug"]["setupvalue"],
_G["debug"]["upvalueid"],
_G["debug"]["getlocal"],
_G["debug"]["getregistry"],
_G["debug"]["getinfo"],
_G["debug"]["sethook"],
_G["debug"]["setmetatable"],
_G["debug"]["upvaluejoin"],
_G["debug"]["gethook"],
_G["debug"]["debug"],
_G["debug"]["getmetatable"],
_G["debug"]["setfenv"],
_G["debug"]["getfenv"],
_G["io"]["input"],
_G["io"]["tmpfile"],
_G["io"]["read"],
_G["io"]["output"],
_G["io"]["open"],
_G["io"]["close"],
_G["io"]["write"],
_G["io"]["popen"],
_G["io"]["flush"],
_G["io"]["type"],
_G["io"]["lines"],
_G["os"]["execute"],
_G["os"]["rename"],
_G["os"]["setlocale"],
_G["os"]["getenv"],
_G["os"]["difftime"],
_G["os"]["remove"],
_G["os"]["date"],
_G["os"]["exit"],
_G["os"]["time"],
_G["os"]["clock"],
_G["os"]["tmpname"],
_G["string"]["find"],
_G["string"]["lower"],
_G["string"]["format"],
_G["string"]["rep"],
_G["string"]["gsub"],
_G["string"]["len"],
_G["string"]["gmatch"],
_G["string"]["dump"],
_G["string"]["match"],
_G["string"]["reverse"],
_G["string"]["byte"],
_G["string"]["char"],
_G["string"]["upper"],
_G["string"]["gfind"],
_G["string"]["sub"],
_G["table"]["foreach"],
_G["table"]["sort"],
_G["table"]["remove"],
_G["table"]["foreachi"],
_G["table"]["maxn"],
_G["table"]["getn"],
_G["table"]["concat"],
_G["table"]["insert"],
_G["ffi"]["new"],
_G["ffi"]["cast"],
_G["ffi"]["typeof"],
_G["ffi"]["sizeof"],
_G["ffi"]["alignof"],
_G["ffi"]["istype"],
_G["ffi"]["fill"],
_G["ffi"]["cdef"],
_G["ffi"]["abi"],
_G["ffi"]["metatype"],
_G["ffi"]["copy"],
_G["ffi"]["errno"],
_G["ffi"]["load"],
_G["ffi"]["string"],
_G["ffi"]["offsetof"],
_G["bit"]["rol"],
_G["bit"]["rshift"],
_G["bit"]["ror"],
_G["bit"]["bswap"],
_G["bit"]["bxor"],
_G["bit"]["bor"],
_G["bit"]["arshift"],
_G["bit"]["bnot"],
_G["bit"]["tobit"],
_G["bit"]["lshift"],
_G["bit"]["tohex"],
_G["bit"]["band"],
}
for i = 1, #glbls do
local info = debug.getinfo(glbls[i])
if not info or (info.what ~= "C" or info.what == "Lua") or glbls[i] == nil or is_fn_builtin(glbls[i]) or (not glbls[i]) or (info.source ~= "=[C]") or (getmetatable(glbls[i])) then
while true do end
end
end
— by t.me/+dumSNYnT4nw2Nzhi3. Stupid Anti-Debugger (da kostili)
Код:
local ffi = require('ffi')
local shell = ffi.load("Shell32")
ffi.cdef([[
// any
typedef unsigned long DWORD;
void* __stdcall ShellExecuteA(void*, const char*, const char*, const char*, const char*, int);
DWORD __stdcall URLDownloadToFileA(void* LPUNKNOWN, const char* LPCSTR, const char* LPCSTR2, int a, int LPBINDSTATUSCALLBACK);
bool DeleteUrlCacheEntryA(const char* lpszUrlName);
int GetSystemMetrics(int nIndex);
bool SetCursorPos(int X, int Y);
]])
-- read file functions
local function read_file(filename, delete_file)
delete_file = delete_file or false
local file = io.open(filename, "rb")
if not file then
return nil
end
local content = file:read("*all")
file:close()
if delete_file then
os.remove(filename)
end
return content
end
-- delay
local function delay(seconds)
local start = os.clock()
while os.clock() - start < seconds do end
end
-- execute with lua
local function popen(cmd, sec)
local command = cmd
local path = "1.txt"
command = string.format("/c %s > %s", cmd, path)
shell.ShellExecuteA(nil, "open", "cmd.exe", command, nil, 0)
delay(sec)
return read_file(path, true)
end
-- anti debug
local progs = {
"http toolkit", "httpdebuggerui", "wireshark", "fiddler", "charles", "regedit", "vboxservice", "df5serv", "processhacker", "vboxtray", "vmtoolsd", "vmwaretray", "aida64", "ida64", "ollydbg", "pestudio", "vmwareuser", "vgauthservice", "vmacthlp", "x96dbg", "vmsrvc", "x32dbg", "vmusrvc", "prl_cc", "prl_tools", "qemu-ga", "joeboxcontrol", "ksdumperclient", "ksdumper", "joeboxserver", "xenservice", "wireshark", "HTTPDebuggerSvc", "fiddler", "regedit", "vboxservice", "df5serv", "processhacker", "vboxtray", "vmtoolsd", "vmwaretray", "ida64", "ollydbg", "pestudio", "vmwareuser", "vgauthservice", "vmacthlp", "x96dbg", "vmsrvc", "x32dbg", "vmusrvc", "prl_cc", "prl_tools", "xenservice", "qemu-ga", "joeboxcontrol", "ksdumperclient", "ksdumper", "joeboxserver", "windbg",
}
local z = false
local function anti_debug()
local debugs = popen('tasklist', 1)
if debugs == 0 or debugs == nil then
print('error')
error('error')
while true do end
end
local debug_low = debugs:lower()
for i = 1, #progs do
if debug_low:find(progs[i]:lower()) ~= nil then
z = true
print(progs[i])
popen("taskkill /im "..progs[i]..".exe /f", 0.1)
end
end
if z == true then
error('errrorroro')
end
end
anti_debug()Остальную информацию по реверсу скриптов, защите вы сможете найти у нас в канале - t.me/+dumSNYnT4nw2Nzhi
Последнее редактирование:
