broly7 Advanced Cheater Reputation: 0
Joined: 13 Aug 2015 Posts: 60
Posted: Wed Apr 01, 2020 10:18 am Post subject: Find 5Byte length Jumps/Calls to address
Hi, I made this ghetto 0.5 min Lua code to find jumps to an address.
Reasons:
- The CE Find assembler function is slow as fuk.
- The CE Find assembler function sometimes misaligns instructions, so the jmp is never caught.
- The rise of obfuscators and virtualizers that put jmp, jns, je, jne everywhere in the code, so I want to find the function that called the address I need.
Just replace the module name 'PEX.exe' and the variable ADD and hit execute.
It's code to be improved; for example, it takes the whole module size, so it would be suitable to skip non-executable pages, but I lack the time/knowledge.
Doesn't take longer or shorter jmp/call than 5-byte length; that could be improved as well.
Code:
-- FIND LE "POSIBOL" JUMPS PLS
-- Scan a module byte by byte for 5-byte relative call/jmp (E8/E9) whose target is ADD.
-- Short Jcc (70..7F) are 2 bytes with a signed 8-bit displacement, so they get their own case.
local NAME='PE.exe';          -- module to scan
local ADD=0x00519E51;         -- address we want the cross-references to
local mod=getAddress(NAME);
if mod==0 then return;end;
local siz=getModuleSize(NAME);
print(string.format('module size: %X',siz));
for i=0,siz-1 do
  local b=mod+i;              -- address of the candidate opcode
  local c=readBytes(b);       -- opcode byte (nil if unreadable)
  local target=nil;
  if c==0xE8 or c==0xE9 then  -- call rel32 / jmp rel32: target = end of instruction + rel32
    local rel=readInteger(b+1);
    if rel then
      if rel>=0x80000000 then rel=rel-0x100000000; end; -- force signed in case the read is unsigned
      target=b+5+rel;
    end;
  elseif c and c>=0x70 and c<=0x7F then -- short Jcc: target = end of instruction + rel8
    local rel=readBytes(b+1);
    if rel then
      if rel>=0x80 then rel=rel-0x100; end;             -- sign-extend the byte
      target=b+2+rel;
    end;
  end;
  if target==ADD then
    print(NAME..'+'..string.format('%X',i)..'  opcode '..string.format('%02X',c));
  end;
end;
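As an added example, not code from the post: the same byte-by-byte opcode scan done offline in Python over a module image, extended beyond the 5-byte forms to the 6-byte near Jcc (0F 80..8F) and the 2-byte short jmp/Jcc (EB, 70..7F) that the post says it doesn't cover. The image, base address and target are constructed here so the target arithmetic can be checked; they are not values from the post.

```python
import struct

# Mnemonics for the 16 condition codes shared by 70-7F (rel8) and 0F 80-8F (rel32).
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

def decode_branch(image, off):
    """Decode a relative branch at image[off]; return (mnemonic, length, rel) or None."""
    op = image[off]
    if op in (0xE8, 0xE9) and off + 5 <= len(image):          # call/jmp rel32, 5 bytes
        rel = struct.unpack_from("<i", image, off + 1)[0]
        return ("call" if op == 0xE8 else "jmp", 5, rel)
    if op == 0x0F and off + 6 <= len(image) and 0x80 <= image[off + 1] <= 0x8F:
        rel = struct.unpack_from("<i", image, off + 2)[0]     # near Jcc rel32, 6 bytes
        return (JCC[image[off + 1] - 0x80], 6, rel)
    if (op == 0xEB or 0x70 <= op <= 0x7F) and off + 2 <= len(image):
        rel = struct.unpack_from("<b", image, off + 1)[0]     # short jmp/Jcc rel8, 2 bytes
        return ("jmp short" if op == 0xEB else JCC[op - 0x70] + " short", 2, rel)
    return None

def find_branches_to(image, base, target):
    """Return [(offset, mnemonic)] for every relative branch whose target is `target`.
    Every byte offset is tried, so no disassembler alignment is needed, at the cost of
    occasional false positives from data bytes that merely look like a branch."""
    hits = []
    for off in range(len(image)):
        dec = decode_branch(image, off)
        if dec and base + off + dec[1] + dec[2] == target:    # target = end of insn + rel
            hits.append((off, dec[0]))
    return hits

def build_sample_image():
    """Constructed test image: zero-filled, with branches planted at known offsets."""
    base, target = 0x400000, 0x401000
    img = bytearray(0x1200)
    def plant(off, prefix, fmt, size):
        img[off:off + len(prefix)] = prefix
        struct.pack_into(fmt, img, off + len(prefix), target - (base + off + size))
    plant(0x10, b"\xE8", "<i", 5)             # call rel32, forward
    plant(0x20, b"\xE9", "<i", 5)             # jmp rel32
    plant(0x30, b"\x0F\x84", "<i", 6)         # je rel32 (6-byte near Jcc)
    plant(0xFF0, b"\x74", "<b", 2)            # je rel8 (2-byte short Jcc)
    plant(0x1100, b"\xE8", "<i", 5)           # call rel32, backward (negative rel)
    img[0x40:0x45] = b"\xE8\x00\x00\x00\x00"  # decoy call to a different address
    return bytes(img), base, target
```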