├── .gitignore ├── README.md ├── api_deobfuscator.lua └── images ├── jmptable_after.png ├── jmptable_before.png ├── result.png ├── startup_after.png └── startup_before.png /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled Lua sources 2 | luac.out 3 | 4 | # luarocks build files 5 | *.src.rock 6 | *.zip 7 | *.tar.gz 8 | 9 | # Object files 10 | *.o 11 | *.os 12 | *.ko 13 | *.obj 14 | *.elf 15 | 16 | # Precompiled Headers 17 | *.gch 18 | *.pch 19 | 20 | # Libraries 21 | *.lib 22 | *.a 23 | *.la 24 | *.lo 25 | *.def 26 | *.exp 27 | 28 | # Shared objects (inc. Windows DLLs) 29 | *.dll 30 | *.so 31 | *.so.* 32 | *.dylib 33 | 34 | # Executables 35 | *.exe 36 | *.out 37 | *.app 38 | *.i*86 39 | *.x86_64 40 | *.hex 41 | 42 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # api-deobfuscator 2 | Fix API against Themida `API Redirection/Jump Trick` with Cheat Engine Lua Script 3 | 4 | 5 | ## Usage 6 | `Cheat Engine` - `Attach Process` - `Memory View` - `Lua Engine (Ctrl+L)` - `Paste` - `Execute` 7 | 8 | Then, Use your `API/IAT Fixer tool`. 9 | 10 | This tool is just API Jump Tricked deobfuscator. 11 | 12 | Enjoy. 
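##### TODO
`call dword ptr fs:[000000C0]`

## Features
### before


### after


### before


### after



## Result

--------------------------------------------------------------------------------
/api_deobfuscator.lua:
--------------------------------------------------------------------------------
-- api_deobfuscator.lua
-- Cheat Engine Lua script that rewrites jmp/call sites which Themida redirected
-- through out-of-module stubs so that they target the real API address again.
-- Every function relies on Cheat Engine's Lua globals (disassemble, readPointer,
-- autoAssemble, inModule, ...), so it only runs inside CE's Lua engine with a
-- process attached.

-- Disassemble the single instruction at `addr`.
-- Returns (address, opcode) as the strings CE's splitDisassembledString yields.
function disas(addr)
  local disassStr = disassemble(addr)
  local _, opcode, _, address = splitDisassembledString(disassStr)
  return address, opcode
end

-- Decode the branch target of the instruction at `addr`.
-- When `jmp` is true, any j* mnemonic (conditional or not) is accepted; a direct
-- `call xxx` is always accepted, a `call ... ptr [...]` never is.
-- Returns the numeric target -- dereferenced once when the operand is a
-- `... ptr [xxx]` memory indirection -- or nil when the instruction is not a
-- branch with a literal hex operand (register/displacement operands do not match).
function getDestAddr(addr, jmp)
  local _, opcode = disas(addr)
  if not opcode then
    return nil
  end
  local isJump = jmp and string.match(opcode, '^j%a+%s+')
  local isDirectCall = string.find(opcode, "call") and not string.find(opcode, " ptr")
  if not (isJump or isDirectCall) then
    return nil
  end
  -- Literal hex operand, optionally bracketed, at the end of the text.
  local hexTarget = string.match(opcode, '%s+%[?(%x+)%]?$')
  if not hexTarget then
    return nil
  end
  local destAddr = tonumber(hexTarget, 16)
  if string.find(opcode, 'word ptr') then
    -- `jmp dword ptr [xxx]` branches through a pointer slot: read the slot.
    destAddr = readPointer(destAddr)
  end
  return destAddr
end

-- Follow the instruction stream from `addr` -- taking every decodable branch,
-- conditional ones included -- for at most MAX_STEPS instructions, until the
-- program counter lands inside a system module (the real API).
-- Returns that address, or nil when the step budget runs out or an instruction
-- cannot be sized. Following conditional jumps as if taken is a heuristic for
-- the stub chains this script targets, not general emulation.
function follows(addr)
  local MAX_STEPS = 0x300
  local pc = addr
  for _ = 0, MAX_STEPS do
    local destAddr = getDestAddr(pc, true)
    if destAddr then
      pc = destAddr
    else
      local size = getInstructionSize(pc)
      if not size or size < 1 then
        return nil  -- undecodable byte: give up instead of re-reading the same address
      end
      pc = pc + size
    end
    if inSystemModule(pc) then
      return pc
    end
  end
  return nil
end

-- Resolve the API that the stub chain starting at `addr` finally reaches.
-- `follows` may land a few bytes into the export (a name such as
-- "MODULE.Export+3"), so the "+offset" suffix is stripped and the symbol is
-- re-resolved to the function start. Returns the numeric address or nil.
function getApiAddr(addr)
  local landing = follows(addr)
  if not landing then
    return nil
  end
  local name = getNameFromAddress(landing)
  if not name then
    return nil
  end
  local symbol = string.gsub(name, '%+(%x+)$', "")
  -- getAddressSafe returns nil instead of raising, so one unresolvable symbol
  -- does not abort a whole fixs() pass (fixs already relies on getAddressSafe).
  -- NOTE(review): if the landing address has no export name, `name` is
  -- presumably "module+offset" and this resolves to the module base rather than
  -- an API; confirm against getNameFromAddress output before trusting the patch.
  return getAddressSafe(symbol)
end

-- Patch the redirected branch at `addr` so it targets the real API directly.
-- The original mnemonic (jmp/jne/call/...) is kept; only the operand changes.
-- Returns the API address on success, nil when no API could be resolved or the
-- assembler rejected the patch (the caller counts nil as a failure).
function fix_api(addr)
  local funcAddr = getDestAddr(addr, true)
  if not funcAddr then
    return nil
  end
  local apiAddr = getApiAddr(funcAddr)
  if not apiAddr then
    return nil
  end
  local _, opcode = disas(addr)
  local mnemonic = opcode and string.match(opcode, '^%a+')
  if not mnemonic then
    return nil
  end
  local origSize = getInstructionSize(addr)
  local scriptStr = string.format("%x:\n%s %x\n", addr, mnemonic, apiAddr)
  if not autoAssemble(scriptStr) then
    return nil
  end
  -- A 6-byte `jmp dword ptr [x]` becomes a 5-byte direct jump; pad the leftover
  -- byte(s) with NOP so the instruction stream stays decodable for the scan in
  -- fixs(), which sizes the instruction again after this patch.
  -- NOTE(review): if the new encoding is longer than the original the following
  -- instruction has already been clobbered; this script appears to assume a
  -- 32-bit target (see the dword-sized PE header walk below) -- confirm.
  local newSize = getInstructionSize(addr)
  if origSize and newSize and newSize < origSize then
    for i = newSize, origSize - 1 do
      writeBytes(addr + i, 0x90)
    end
  end
  return apiAddr
end

-- Scan [from, to) instruction by instruction and repair every jmp/call whose
-- target is a readable address outside any module (a redirection stub).
-- Prints one line per candidate and returns (fixed, candidates).
function fixs(from, to)
  local pc = from
  local allCnt = 0
  local cnt = 0
  while pc < to do
    local destAddr = getDestAddr(pc, true)
    if destAddr and getAddressSafe(destAddr) and not inModule(destAddr) then
      allCnt = allCnt + 1
      local apiAddr = fix_api(pc)
      if apiAddr then
        cnt = cnt + 1
        print(string.format("(%d) %x[%s] - %s", cnt, pc, getNameFromAddress(pc), getNameFromAddress(apiAddr)))
      else
        print(string.format("(%d) failed %x[%s]", allCnt, pc, getNameFromAddress(pc)))
      end
    end
    -- Sized after the patch so a rewritten instruction is stepped over correctly.
    local step = getInstructionSize(pc)
    if not step or step < 1 then
      step = 1  -- never stall on an undecodable byte
    end
    pc = pc + step
  end
  print("Finished")
  return cnt, allCnt
end

-- Entry point: locate the code section of the target module through its PE
-- header, then fix every redirected branch inside it.
local base = getAddressSafe("PROCESS NAME") -- replace with the module name before running
if not base then
  error("module not found: set the module name in getAddressSafe(...) before running")
end

local lfanew = readInteger(base + 0x3C)          -- e_lfanew: file offset of the PE signature
local peHeader = base + lfanew
-- Refuse to trust the offsets below unless the MZ ("MZ" = 0x5A4D) and PE
-- ("PE\0\0" = 0x00004550) signatures are where they should be.
if readInteger(base) % 0x10000 ~= 0x5A4D or readInteger(peHeader) ~= 0x4550 then
  error(string.format("no valid MZ/PE header at %x", base))
end
local sizeOfCode = readInteger(peHeader + 0x1c)  -- OptionalHeader.SizeOfCode
local baseOfCode = readInteger(peHeader + 0x2c)  -- OptionalHeader.BaseOfCode (RVA)
local from = base + baseOfCode -- modify base of your module code
local size = sizeOfCode -- modify size of code
local to = from + size
local cnt, allCnt = fixs(from, to)
print(string.format("Success %d Fail %d All %d", cnt, allCnt - cnt, allCnt))
print(string.format("From %x To %x", from, to))

--------------------------------------------------------------------------------
/images/jmptable_after.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/push0ebp/api-deobfuscator/d26012cf84bdce112565bed6450017b302d65e97/images/jmptable_after.png
--------------------------------------------------------------------------------
/images/jmptable_before.png:
--------------------------------------------------------------------------------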
https://raw.githubusercontent.com/push0ebp/api-deobfuscator/d26012cf84bdce112565bed6450017b302d65e97/images/jmptable_before.png -------------------------------------------------------------------------------- /images/result.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/push0ebp/api-deobfuscator/d26012cf84bdce112565bed6450017b302d65e97/images/result.png -------------------------------------------------------------------------------- /images/startup_after.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/push0ebp/api-deobfuscator/d26012cf84bdce112565bed6450017b302d65e97/images/startup_after.png -------------------------------------------------------------------------------- /images/startup_before.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/push0ebp/api-deobfuscator/d26012cf84bdce112565bed6450017b302d65e97/images/startup_before.png --------------------------------------------------------------------------------