/*
 * UnhookFunc -- decompiler pseudocode (32-bit x86, Win32) for a routine that
 * undoes an inline hook inside the current process.
 *
 * pHookFunctionAddr  Lookup key into the global hook table. The log strings
 *                    call the same value "pRealFunctionAddr", so it is
 *                    presumably the address of the hooked function; the
 *                    parameter and global names are the analyst's -- confirm.
 * enableLogging      Non-zero enables the fancyPrintf diagnostics. The
 *                    "System page size" line is printed regardless of it.
 *
 * Returns nothing; every failure path only logs (when enabled) and falls out.
 *
 * Order of operations as written below:
 *   1. Under critical section stru_100F1060, search the table for the key,
 *      copy 0x40 bytes of the matching entry to the stack and pass the entry
 *      to sub_1005F0E0 (presumably erasing it -- helper not shown).
 *   2. After the lock is released, write a 2-byte short JMP at the record's
 *      lpBaseAddress.
 *   3. Check that lpAddress is committed memory that still starts with a
 *      JMP rel32 whose target is lpBaseAddress.
 *   4. Make the page(s) PAGE_EXECUTE_READWRITE, copy the saved bytes back,
 *      flush the instruction cache, restore the previous protection.
 *
 * NOTE(review): steps 2-4 run outside the critical section and no thread
 * suspension is visible here, so another thread could be executing the bytes
 * while they are rewritten -- confirm how callers serialise this.
 */
- void __cdecl UnhookFunc(char *pHookFunctionAddr, char enableLogging)
- {
- char *v3; // esi
- char *v4; // ecx
- int *v5; // eax
- SIZE_T v6; // edi
- HANDLE v7; // eax
- _BYTE *v8; // esi
- SIZE_T v9; // ebx
- LPCVOID v10; // ST408_4
- char v11; // bl
- struct _SYSTEM_INFO SystemInfo; // [esp+4h] [ebp-A4h]
- struct _MEMORY_BASIC_INFORMATION Buffer; // [esp+28h] [ebp-80h]
// The five locals from lpAddress through v18 occupy [ebp-64h]..[ebp-24h],
// exactly the 0x40 bytes filled by the qmemcpy below, so together they are
// one copied hook record rather than independent variables.
- LPCVOID lpAddress; // [esp+44h] [ebp-64h]  record +0x00: start of the patched code
- char v15; // [esp+48h] [ebp-60h]  record +0x04: only its low byte is used, as the short-JMP destination
- LPCVOID lpBaseAddress; // [esp+4Ch] [ebp-5Ch]  record +0x08: expected target of the JMP rel32 at lpAddress
- SIZE_T dwSize; // [esp+50h] [ebp-58h]  record +0x0C: number of bytes to restore (shadows global ::dwSize)
- char v18; // [esp+54h] [ebp-54h]  record +0x10: first byte of the saved original bytes (0x30 bytes up to hProcess)
- HANDLE hProcess; // [esp+84h] [ebp-24h]
- DWORD flNewProtect; // [esp+88h] [ebp-20h]  receives the OLD protection of the second page, despite the name
- LPVOID v21; // [esp+8Ch] [ebp-1Ch]  stack slot reused: lock pointer first, later address of the last patched byte
- DWORD v22; // [esp+90h] [ebp-18h]  scratch old-protect output for the restoring VirtualProtect calls
- DWORD flOldProtect; // [esp+94h] [ebp-14h]
- __int16 v24; // [esp+98h] [ebp-10h]  the 2-byte short JMP instruction being assembled
- int v25; // [esp+A4h] [ebp-4h]  presumably compiler-generated EH state for the lock scope -- confirm
- v3 = pHookFunctionAddr;
- if ( pHookFunctionAddr )
- {
- v21 = &stru_100F1060;
- EnterCriticalSection(&stru_100F1060);
// Lower-bound search of a binary tree whose head node is the global
// pRealFunctionAddr: the link at +4 of the head is the start node, the byte at
// +13 marks a sentinel, the key sits at +16, links at +0 and +8. This layout
// resembles an MSVC std::map node -- presumably, confirm against the binary.
- v4 = (char *)pRealFunctionAddr;
- v25 = 0;
- v5 = (int *)*((_DWORD *)pRealFunctionAddr + 1);
- if ( *((_BYTE *)v5 + 13) ) // start node is already the sentinel: table is empty
- goto LABEL_48;
- do
- {
- if ( v5[4] >= (unsigned int)v3 ) // node key >= wanted key: remember node, follow link at +0
- {
- v4 = (char *)v5;
- v5 = (int *)*v5;
- }
- else
- {
- v5 = (int *)v5[2]; // node key < wanted key: follow link at +8
- }
- }
- while ( !*((_BYTE *)v5 + 13) );
// No candidate, or the candidate's key is greater than the wanted key: treat
// as "not found" by falling back to the head node.
- if ( v4 == pRealFunctionAddr || (pHookFunctionAddr = v4, (unsigned int)v3 < *((_DWORD *)v4 + 4)) )
- LABEL_48:
- pHookFunctionAddr = (char *)pRealFunctionAddr;
- if ( pHookFunctionAddr == pRealFunctionAddr )
- {
- if ( enableLogging )
- fancyPrintf("Aborting UnhookFunc because pRealFunctionAddr is not hooked\n");
- LeaveCriticalSection(&stru_100F1060);
- }
- else
- {
- qmemcpy(&lpAddress, pHookFunctionAddr + 20, 0x40u); // snapshot the 0x40-byte record at node+20 before the node is handed off
- sub_1005F0E0(&pHookFunctionAddr, pHookFunctionAddr); // opaque helper; presumably erases the node from the table -- confirm
- v25 = -1;
- LeaveCriticalSection(&stru_100F1060); // everything below works on the stack copy, outside the lock
- v6 = ::dwSize; // global ::dwSize caches the system page size (0 = not fetched yet)
- if ( !::dwSize )
- {
- GetSystemInfo(&SystemInfo);
- ::dwSize = SystemInfo.dwPageSize;
- fancyPrintf("System page size: %u\n", SystemInfo.dwPageSize); // not gated by enableLogging
- v6 = ::dwSize;
- }
- v7 = GetCurrentProcess(); // all patching targets the calling process itself
- v8 = lpAddress;
- v9 = dwSize;
- hProcess = v7;
- LOBYTE(v24) = -21; // 0xEB shown as a signed byte: x86 short JMP (rel8) opcode
- v21 = (char *)lpAddress + dwSize - 1; // address of the last byte of the patched range
// High byte of the parameter's stack slot is reused as a flag: non-zero when
// the first and last patched bytes fall on different pages.
- HIBYTE(pHookFunctionAddr) = (unsigned int)lpAddress / v6 != ((unsigned int)lpAddress + dwSize - 1) / v6;
- HIBYTE(v24) = v15 - (_BYTE)lpBaseAddress - 2; // rel8 = destination low byte - lpBaseAddress low byte - 2 (length of this JMP)
- v10 = lpBaseAddress;
// Writes "EB rel8" over the first two bytes at lpBaseAddress. This happens
// before any of the validation below and with no VirtualProtect call, so the
// memory is presumably owned by the hooking code and already writable -- confirm.
- *(_WORD *)lpBaseAddress = v24;
- FlushInstructionCache(v7, v10, 2u);
- if ( VirtualQuery(v8, &Buffer, 0x1Cu) && Buffer.State == 4096 ) // 4096 == MEM_COMMIT: the target must still be mapped
- {
- if ( *v8 == -23 ) // -23 is 0xE9 shown as a signed byte: JMP rel32 must still be the first opcode
- {
- if ( &v8[*(_DWORD *)(v8 + 1) + 5] == lpBaseAddress ) // JMP target (next instruction + disp32) must still be lpBaseAddress
- {
- flOldProtect = 0;
- flNewProtect = 0;
- if ( VirtualProtect(v8, v9, 0x40u, &flOldProtect) ) // 0x40 == PAGE_EXECUTE_READWRITE
- {
- if ( !HIBYTE(pHookFunctionAddr) || VirtualProtect(&v8[v9 - 1], 1u, 0x40u, &flNewProtect) ) // second page only when the range straddles
- {
// NOTE(review): v9 comes from the record and is not compared here with the
// 0x30 bytes available from v18 up to hProcess; a larger value would copy
// unrelated stack contents into code -- confirm the recording side bounds it.
- memmove(v8, &v18, v9);
- FlushInstructionCache(hProcess, v8, v9);
- v11 = enableLogging;
// Protection is put back only when the previous value was neither 64
// (PAGE_EXECUTE_READWRITE) nor 128 (PAGE_EXECUTE_WRITECOPY). v11 is tested
// last, so the VirtualProtect call is made whether or not logging is on.
- if ( HIBYTE(pHookFunctionAddr)
- && flNewProtect != 64
- && flNewProtect != 128
- && !VirtualProtect(v21, 1u, flNewProtect, &v22)
- && v11 )
- {
- fancyPrintf("Warning: VirtualProtect (2) call failed to restore protection flags during unhook\n");
- }
- if ( flOldProtect != 64 && flOldProtect != 128 && !VirtualProtect(v8, 1u, flOldProtect, &v22) && v11 )
- fancyPrintf("Warning: VirtualProtect call failed to restore protection flags during unhook\n");
- }
- else
- {
- VirtualProtect(v8, 1u, flOldProtect, &v22); // second page could not be unlocked: undo the first change, result unchecked
- if ( enableLogging )
- fancyPrintf("Warning: VirtualProtect (2) call failed during unhook\n");
- }
- }
- else if ( enableLogging )
- {
- fancyPrintf("Warning: VirtualProtect call failed during unhook\n");
- }
- }
- else if ( enableLogging )
- {
- fancyPrintf("UnhookFunc not restoring original bytes - jump target has changed\n");
- }
- }
- else if ( enableLogging )
- {
- fancyPrintf("UnhookFunc not restoring original bytes - jump instruction not found\n");
- }
- }
- else if ( enableLogging )
- {
- fancyPrintf("UnhookFunc not restoring original bytes - function is unmapped\n");
- }
- }
- }
- else if ( enableLogging )
- {
- fancyPrintf("Aborting UnhookFunc because pRealFunctionAddr is null\n");
- }
- }