Накалякал тут скрипт для переименования lua функций в x64 клиенте, может кому-то пригодится:
Код:
# Accumulator filled by DumpFunctionArray(): one ["Script_<name>", addr]
# pair per Lua API entry found, consumed by the naming loop at the bottom.
luaFuncs = []
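def DumpFunctionArray(ref, arrPtr, size, nameSpace):
    """Collect the entries of one Lua registration table into ``luaFuncs``.

    The table at ``arrPtr`` is read as ``size`` 16-byte records, each a
    pointer to a C string (the Lua-visible function name) followed by the
    address of the native handler.  Every readable entry is appended to the
    module-level ``luaFuncs`` list as ``["Script_" + name, addr]``; when
    ``nameSpace`` is not None the name is stored as ``"<nameSpace>.<name>"``.

    Args:
        ref: Address of the call site the table was found from; only used in
            diagnostics so a bad table can be traced back to its caller.
        arrPtr: Address of the first record of the table.
        size: Number of records to read.
        nameSpace: Optional namespace prefix, or None for global functions.

    Returns:
        None.  Problems are reported with ``print`` rather than raised so one
        bad table does not abort the whole dump.
    """
    # Crude sanity check before anything is dereferenced: the size comes from
    # an immediate operand and the pointer from a lea, so a mis-parsed call
    # site typically produces 0 or a tiny value here.
    if size <= 0 or arrPtr <= 1000:
        print("# >> Bad parse at ref: 0x%X (Ptr: 0x%X, Size %i)" % (ref, arrPtr, size))
        return
    for i in xrange(0, size):
        ptr = arrPtr + (i * 16)
        # Record layout: [+0] char* name, [+8] handler address.
        name = GetString(Qword(ptr), -1, ASCSTR_C)
        addr = Qword(ptr + 8)
        if name is None:
            # Unreadable name pointer: report and skip this record only.
            print("# Bad str ref at 0x%X and addr 0x%X" % (ref, ptr))
            continue
        if nameSpace is not None:
            name = nameSpace + "." + name
        luaFuncs.append(["Script_" + name, addr])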
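def DumpGlobalFuncs():
    """Locate FrameScript::RegisterFunction and dump every table passed to it.

    The function is found by byte pattern, then each code reference to it is
    walked.  The instruction just before the call decides how the table was
    described (operand type values are IDA's ``o_*`` constants):

    * type 2 (memory reference): a single entry whose table address is the
      memory operand itself;
    * type 3 (base + index): the caller iterates a table, so the nearest
      preceding ``lea`` gives the table base and the instruction after it is
      expected to load the element count.

    Entries are recorded through ``DumpFunctionArray``; unhandled shapes are
    reported with ``print`` and skipped.  Returns None.
    """
    searchPatern = "48 89 5C 24 08 57 48 83 EC 20 48 8B ? ? ? ? ? 48 8B D9 45 33 C0"
    regFunc = FindBinary(0, SEARCH_DOWN, searchPatern)
    if regFunc == BADADDR:
        # The pattern is build-specific; without a match there is nothing to walk.
        print("# !!! FrameScript::RegisterFunction pattern not found")
        return
    print("# !!! FrameScript::RegisterFunction = 0x%016X" % regFunc)
    reference = RnextB(regFunc, 0)
    while reference != BADADDR:
        prev = PrevHead(reference)
        opType = GetOpType(prev, 1)
        if opType == 2:  # memory reference: table of exactly one entry
            arrPtr = GetOperandValue(prev, 1)
            DumpFunctionArray(reference, arrPtr, 1, None)
        elif opType == 3:  # base + index: walk back to the table load
            # Bounded scan: PrevHead() reports BADADDR once it runs out of
            # heads, and an unbounded loop would never terminate there.
            while prev != BADADDR and GetMnem(prev) != "lea":
                prev = PrevHead(prev)
            if prev == BADADDR:
                print("# >> ERR: No lea before call at 0x%X" % reference)
            else:
                arrPtr = GetOperandValue(prev, 1)  # lea rbx, arr_adr
                # Assumes the count load directly follows the lea (mov rdi,
                # arr_size); a different codegen would mis-size the table and
                # be caught by DumpFunctionArray's sanity check at best.
                size = GetOperandValue(NextHead(prev), 1)
                DumpFunctionArray(reference, arrPtr, size, None)
        else:
            print("# >> ERR: Unhandled operand type at 0x%X: %u" % (reference, opType))
        reference = RnextB(regFunc, reference)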
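def _find_prev_insn(start, mnem, reg):
    """Scan backwards from ``start`` for the nearest ``mnem`` whose first
    operand is a register (IDA operand type 1) numbered ``reg``.

    Returns the matching instruction address, or BADADDR when the scan runs
    out of heads without a match; the unbounded loops this replaces would
    spin forever in that case.
    """
    ea = PrevHead(start)
    while ea != BADADDR:
        if (GetMnem(ea) == mnem and GetOpType(ea, 0) == 1
                and GetOperandValue(ea, 0) == reg):
            return ea
        ea = PrevHead(ea)
    return BADADDR


def DumpNamespaceFunc():
    """Locate FrameScript::RegisterFunctionNamespaceWithCount and dump its tables.

    The function is found by byte pattern, then each code reference to it is
    walked.  Per the register usage at the call sites the table pointer is
    loaded into rcx, the record count into edx and the namespace string into
    r8; each is recovered by scanning backwards for the nearest matching
    ``lea``/``mov``.  Entries are recorded through ``DumpFunctionArray`` with
    the namespace as prefix.  Call sites whose argument setup cannot be found
    are reported with ``print`` and skipped.  Returns None.
    """
    searchPatern = "48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 48 8B 1D ? ? ? ? 8B F2"
    regFunc = FindBinary(0, SEARCH_DOWN, searchPatern)
    if regFunc == BADADDR:
        # The pattern is build-specific; without a match there is nothing to walk.
        print("# !!! FrameScript::RegisterFunctionNamespaceWithCount pattern not found")
        return
    print("# !!! FrameScript::RegisterFunctionNamespaceWithCount = 0x%016X" % regFunc)
    reference = RnextB(regFunc, 0)
    while reference != BADADDR:
        lea_rcx = _find_prev_insn(reference, "lea", 1)  # lea rcx, table_ptr
        mov_edx = _find_prev_insn(reference, "mov", 2)  # mov edx, rec_count
        lea_r8 = _find_prev_insn(reference, "lea", 8)   # lea r8, namespace_ptr
        if BADADDR in (lea_rcx, mov_edx, lea_r8):
            print("# >> ERR: Argument setup not found before call at 0x%X" % reference)
        else:
            size = GetOperandValue(mov_edx, 1)
            table = GetOperandValue(lea_rcx, 1)
            ns = GetOperandValue(lea_r8, 1)
            # GetString() yields None for an unreadable pointer; the entries
            # are then recorded without a namespace prefix rather than dropped.
            namesp = GetString(ns, -1, ASCSTR_C)
            DumpFunctionArray(reference, table, size, namesp)
        reference = RnextB(regFunc, reference)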
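DumpNamespaceFunc()
DumpGlobalFuncs()
# Sort the [name, addr] pairs so the emitted listing is stable between runs
# and easy to diff against an earlier dump of another build.
luaFuncs.sort()
for funcName, funcAddr in luaFuncs:
    # Echo the equivalent IDC call so the output can be saved and replayed.
    # The name is taken verbatim from the analysed binary; one containing a
    # quote or backslash would need escaping before the echoed line is usable.
    print("MakeNameEx(0x%X, \"%s\", SN_NOWARN)" % (funcAddr, funcName))
    # SN_NOWARN suppresses the dialog when a name is rejected (invalid
    # characters, clash with an existing name); such entries are skipped silently.
    MakeNameEx(funcAddr, funcName, SN_NOWARN)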