
Untitled

a guest
Jan 24th, 2018
  // UnhookFunc (decompiler output): looks up one hook record, removes it from the
  // table, and writes the saved original bytes back over the patched function, but
  // only if the function still starts with the jump the hook installed.
  //
  // Parameters:
  //   pHookFunctionAddr - lookup key into the hook table. The log strings refer to
  //                       this value as "pRealFunctionAddr", so it is presumably the
  //                       address of the hooked (real) function rather than of the
  //                       hook handler - TODO confirm against the install routine.
  //   enableLogging     - non-zero to report aborts and warnings through fancyPrintf.
  //
  // Returns nothing; failures are reported only through fancyPrintf.
  //
  // NOTE(review): all names and types are analyst/decompiler guesses. The global
  // called `pRealFunctionAddr` is used below as the sentinel/head node of a tree,
  // not as a function address. The negative byte constants are signed renderings of
  // opcode bytes: -21 is 0xEB (short JMP rel8), -23 is 0xE9 (near JMP rel32).
  1. void __cdecl UnhookFunc(char *pHookFunctionAddr, char enableLogging)
  2. {
  3.   char *v3; // esi
  4.   char *v4; // ecx
  5.   int *v5; // eax
  6.   SIZE_T v6; // edi
  7.   HANDLE v7; // eax
  8.   _BYTE *v8; // esi
  9.   SIZE_T v9; // ebx
  10.   LPCVOID v10; // ST408_4
  11.   char v11; // bl
  12.   struct _SYSTEM_INFO SystemInfo; // [esp+4h] [ebp-A4h]
  13.   struct _MEMORY_BASIC_INFORMATION Buffer; // [esp+28h] [ebp-80h]
        // lpAddress .. v18 occupy [ebp-64h, ebp-24h): exactly the 0x40 bytes that the
        // qmemcpy below copies out of the tree node. v18 is therefore the first byte
        // of a 0x30-byte buffer (the saved original bytes), not a single char.
  14.   LPCVOID lpAddress; // [esp+44h] [ebp-64h]
  15.   char v15; // [esp+48h] [ebp-60h]
  16.   LPCVOID lpBaseAddress; // [esp+4Ch] [ebp-5Ch]
  17.   SIZE_T dwSize; // [esp+50h] [ebp-58h]
  18.   char v18; // [esp+54h] [ebp-54h]
  19.   HANDLE hProcess; // [esp+84h] [ebp-24h]
  20.   DWORD flNewProtect; // [esp+88h] [ebp-20h]
  21.   LPVOID v21; // [esp+8Ch] [ebp-1Ch]
  22.   DWORD v22; // [esp+90h] [ebp-18h]
  23.   DWORD flOldProtect; // [esp+94h] [ebp-14h]
  24.   __int16 v24; // [esp+98h] [ebp-10h]
  25.   int v25; // [esp+A4h] [ebp-4h]
  26.  
  27.   v3 = pHookFunctionAddr;
  28.   if ( pHookFunctionAddr )
  29.   {
          // The hook table is only read and modified while holding this lock.
  30.     v21 = &stru_100F1060;
  31.     EnterCriticalSection(&stru_100F1060);
          // Binary-tree search for key v3. As used here a node has child links at
          // [0] and [2], an end/nil flag byte at offset 13, the key at [4]
          // (offset 16) and the payload from offset 20. This is the usual shape of
          // an MSVC std::map lower_bound/find - presumably what the source used.
  32.     v4 = (char *)pRealFunctionAddr;
          // v25 (0 here, -1 before unlocking) looks like compiler-generated
          // exception-state bookkeeping; no logic in this function reads it.
  33.     v25 = 0;
  34.     v5 = (int *)*((_DWORD *)pRealFunctionAddr + 1);
  35.     if ( *((_BYTE *)v5 + 13) )
  36.       goto LABEL_48;
  37.     do
  38.     {
  39.       if ( v5[4] >= (unsigned int)v3 )
  40.       {
              // Candidate: remember it and keep looking for a smaller key.
  41.         v4 = (char *)v5;
  42.         v5 = (int *)*v5;
  43.       }
  44.       else
  45.       {
  46.         v5 = (int *)v5[2];
  47.       }
  48.     }
  49.     while ( !*((_BYTE *)v5 + 13) );
          // The parameter's stack slot is reused from here on: pHookFunctionAddr
          // holds the matching node, or the sentinel when there is no exact match.
  50.     if ( v4 == pRealFunctionAddr || (pHookFunctionAddr = v4, (unsigned int)v3 < *((_DWORD *)v4 + 4)) )
  51. LABEL_48:
  52.       pHookFunctionAddr = (char *)pRealFunctionAddr;
  53.     if ( pHookFunctionAddr == pRealFunctionAddr )
  54.     {
            // No record for this address: nothing to undo.
  55.       if ( enableLogging )
  56.         fancyPrintf("Aborting UnhookFunc because pRealFunctionAddr is not hooked\n");
  57.       LeaveCriticalSection(&stru_100F1060);
  58.     }
  59.     else
  60.     {
            // Snapshot the 64-byte record (lpAddress, v15, lpBaseAddress, dwSize,
            // 0x30 saved bytes) into locals so the patching below can run without
            // the lock.
  61.       qmemcpy(&lpAddress, pHookFunctionAddr + 20, 0x40u);
            // Presumably erases the node from the table - sub_1005F0E0 is not shown.
            // If so, the record is dropped before any of the checks below, i.e.
            // even on the paths that decline to restore the original bytes.
  62.       sub_1005F0E0(&pHookFunctionAddr, pHookFunctionAddr);
  63.       v25 = -1;
  64.       LeaveCriticalSection(&stru_100F1060);
            // Lazily cache the system page size in the global ::dwSize (distinct
            // from the local dwSize, which is the patch length from the record).
  65.       v6 = ::dwSize;
  66.       if ( !::dwSize )
  67.       {
  68.         GetSystemInfo(&SystemInfo);
  69.         ::dwSize = SystemInfo.dwPageSize;
  70.         fancyPrintf("System page size: %u\n", SystemInfo.dwPageSize);
  71.         v6 = ::dwSize;
  72.       }
  73.       v7 = GetCurrentProcess();
  74.       v8 = lpAddress;
  75.       v9 = dwSize;
  76.       hProcess = v7;
            // Build a 2-byte short jump: opcode 0xEB followed by a rel8 displacement.
  77.       LOBYTE(v24) = -21;
            // Address of the last patched byte, used to restore the second page.
  78.       v21 = (char *)lpAddress + dwSize - 1;
            // Top byte of the parameter slot is reused as a flag: set when the first
            // and last patched bytes lie on different pages.
  79.       HIBYTE(pHookFunctionAddr) = (unsigned int)lpAddress / v6 != ((unsigned int)lpAddress + dwSize - 1) / v6;
            // rel8 = low byte of v15 minus low byte of lpBaseAddress, minus the
            // 2-byte instruction length. Presumably v15 is the low byte of a
            // location near lpBaseAddress that bypasses the hook handler - confirm.
  80.       HIBYTE(v24) = v15 - (_BYTE)lpBaseAddress - 2;
  81.       v10 = lpBaseAddress;
            // Written without any protection change, so the code at lpBaseAddress
            // is presumably already in writable memory (a stub owned by the hooking
            // code - confirm).
  82.       *(_WORD *)lpBaseAddress = v24;
  83.       FlushInstructionCache(v7, v10, 2u);
            // Restore only if the target is still committed (State 4096 is
            // MEM_COMMIT, 0x1000), i.e. its module has not been unloaded.
  84.       if ( VirtualQuery(v8, &Buffer, 0x1Cu) && Buffer.State == 4096 )
  85.       {
              // First byte must still be 0xE9 (near JMP rel32) ...
  86.         if ( *v8 == -23 )
  87.         {
                // ... and its target (address + rel32 + 5) must still be
                // lpBaseAddress. If someone else re-patched the function, leave it.
  88.           if ( &v8[*(_DWORD *)(v8 + 1) + 5] == lpBaseAddress )
  89.           {
  90.             flOldProtect = 0;
  91.             flNewProtect = 0;
                  // 0x40 is PAGE_EXECUTE_READWRITE.
                  // NOTE(review): this call already spans v9 bytes, and
                  // VirtualProtect applies to every page the range touches, so a
                  // patch that straddles a page boundary has its second page
                  // switched to 0x40 here. The follow-up call on the last byte then
                  // reports 0x40 as the "old" value in flNewProtect, the
                  // `flNewProtect != 64` test below skips the restore, and the first
                  // page is restored with a 1-byte range only. The second page
                  // therefore appears to stay PAGE_EXECUTE_READWRITE after the
                  // unhook - confirm in a debugger.
  92.             if ( VirtualProtect(v8, v9, 0x40u, &flOldProtect) )
  93.             {
                    // flNewProtect is misnamed: it receives the previous protection
                    // of the page holding the last patched byte.
  94.               if ( !HIBYTE(pHookFunctionAddr) || VirtualProtect(&v8[v9 - 1], 1u, 0x40u, &flNewProtect) )
  95.               {
                      // Copy the saved original bytes back over the hook jump.
                      // NOTE(review): v9 comes from the stored record and is not
                      // compared here against the 0x30 bytes of saved data in this
                      // frame; the bound is presumably enforced at install time.
  96.                 memmove(v8, &v18, v9);
  97.                 FlushInstructionCache(hProcess, v8, v9);
  98.                 v11 = enableLogging;
                      // Put the previous protections back, skipping pages that
                      // were already 64 (PAGE_EXECUTE_READWRITE) or 128
                      // (PAGE_EXECUTE_WRITECOPY). Failures are logged only.
  99.                 if ( HIBYTE(pHookFunctionAddr)
  100.                   && flNewProtect != 64
  101.                   && flNewProtect != 128
  102.                   && !VirtualProtect(v21, 1u, flNewProtect, &v22)
  103.                   && v11 )
  104.                 {
  105.                   fancyPrintf("Warning: VirtualProtect (2) call failed to restore protection flags during unhook\n");
  106.                 }
  107.                 if ( flOldProtect != 64 && flOldProtect != 128 && !VirtualProtect(v8, 1u, flOldProtect, &v22) && v11 )
  108.                   fancyPrintf("Warning: VirtualProtect call failed to restore protection flags during unhook\n");
  109.               }
  110.               else
  111.               {
                      // Second page could not be made writable: undo the first
                      // protection change and leave the hook bytes in place.
  112.                 VirtualProtect(v8, 1u, flOldProtect, &v22);
  113.                 if ( enableLogging )
  114.                   fancyPrintf("Warning: VirtualProtect (2) call failed during unhook\n");
  115.               }
  116.             }
  117.             else if ( enableLogging )
  118.             {
  119.               fancyPrintf("Warning: VirtualProtect call failed during unhook\n");
  120.             }
  121.           }
  122.           else if ( enableLogging )
  123.           {
  124.             fancyPrintf("UnhookFunc not restoring original bytes - jump target has changed\n");
  125.           }
  126.         }
  127.         else if ( enableLogging )
  128.         {
  129.           fancyPrintf("UnhookFunc not restoring original bytes - jump instruction not found\n");
  130.         }
  131.       }
  132.       else if ( enableLogging )
  133.       {
  134.         fancyPrintf("UnhookFunc not restoring original bytes - function is unmapped\n");
  135.       }
  136.     }
  137.   }
  138.   else if ( enableLogging )
  139.   {
         // Null key: nothing is looked up and the lock is never taken.
  140.     fancyPrintf("Aborting UnhookFunc because pRealFunctionAddr is null\n");
  141.   }
  142. }