Decoder for SaintStealer strings (sha1=19cac454edb76d7e879598d8c7e8e032f9d006d2) - libPeConv-based
#include <Windows.h>
#include <iostream>
#include <sstream>
#include <peconv.h> // include libPeConv header
// Function-pointer types of the two string decoders located inside the
// analysed sample (calling convention as the original author resolved them: __cdecl).
using decode_wstring_with_shift_fn = wchar_t* (__cdecl *)(wchar_t *enc_str, int shift_pos);
using decode_string_fn = char* (__cdecl *)(wchar_t *enc_str);

// Both pointers are nullptr until load_pe() has mapped the sample and
// resolved them at these RVAs (valid only for this build of the sample):
//   4c0c,decode_string
//   4e2c,decode_wstring_with_shift
decode_wstring_with_shift_fn decode_wstring_with_shift = nullptr;
decode_string_fn decode_string = nullptr;

// Base address of the mapped image and the size libPeConv reports for it;
// both are filled in by load_pe().
size_t g_PESize = 0;
BYTE *g_PE = nullptr;
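// RVAs of the two string-decoding routines inside the analysed sample
// (sha1=19cac454edb76d7e879598d8c7e8e032f9d006d2). They are specific to this
// build of the sample and must be re-resolved for any other file.
static const ULONG_PTR kDecodeStringRva = 0x4c0c;
static const ULONG_PTR kDecodeWstringWithShiftRva = 0x4e2c;

/**
 * Maps the sample's PE image into this process with libPeConv and resolves the
 * decoder function pointers (decode_string, decode_wstring_with_shift) at their
 * known RVAs inside the mapped image.
 *
 * The mapped image is the sample itself and its code is executed in-process
 * by the callers, so this tool is meant to run inside an isolated analysis VM.
 *
 * @param pe_path path of the sample on disk.
 * @return base of the mapped image (also stored in g_PE), or nullptr when the
 *         file could not be read/mapped or the hard-coded RVAs do not fit in it.
 */
BYTE* load_pe(LPCSTR pe_path)
{
#ifdef LOAD_FROM_PATH
    // Let libPeConv read and map the file in one step.
    g_PE = peconv::load_pe_executable(pe_path, g_PESize);
#else
    // Read the raw file first and map it from memory; the raw buffer is only
    // needed for the mapping step and is released right after it.
    size_t bufsize = 0;
    BYTE *buffer = peconv::load_file(pe_path, bufsize);
    if (!buffer) {
        return nullptr;
    }
    g_PE = peconv::load_pe_executable(buffer, bufsize, g_PESize);
    peconv::free_file(buffer);
#endif
    if (!g_PE) {
        return nullptr;
    }
    // The hard-coded RVAs must lie inside the image; otherwise this is almost
    // certainly a different file than the one the offsets were taken from, and
    // the pointers below would point at arbitrary memory.
    if (kDecodeStringRva >= g_PESize || kDecodeWstringWithShiftRva >= g_PESize) {
        peconv::free_pe_buffer(g_PE, g_PESize);
        g_PE = nullptr;
        return nullptr;
    }
    // The sample may look up its resources through the PEB's main-module entry.
    peconv::set_main_module_in_peb((HMODULE)g_PE);

    const ULONG_PTR base = (ULONG_PTR)g_PE;
    decode_wstring_with_shift = (wchar_t* (__cdecl *)(wchar_t *enc_str, int shift_pos))(kDecodeWstringWithShiftRva + base);
    decode_string = (char* (__cdecl *)(wchar_t *enc_str))(kDecodeStringRva + base);
    return g_PE;
}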
/// Parses `str` as a hexadecimal integer (e.g. "4e2c").
/// Returns the parsed value, or 0 when the text does not start with a hex
/// number; the extraction failure itself is not reported to the caller.
int loadInt(const std::string &str)
{
    std::istringstream parser(str);
    int value = 0;
    parser >> std::hex >> value;
    return value;
}
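/**
 * Usage: <prog> <string RVA in hex>
 *
 * Maps the sample (payl1.exe, sha1=19cac454edb76d7e879598d8c7e8e032f9d006d2),
 * hands the encoded string found at the given RVA to the sample's own
 * decode_string routine and prints "<rva>,'<decoded>'" on stdout.
 * Error messages go to stderr so the decoded output stays pipeable.
 *
 * @return 0 on success (or after printing usage), -1 if the sample could not
 *         be mapped, 1 if the RVA does not lie inside the mapped image.
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        std::cout << "Args: <string RVA>" << std::endl;
        return 0;
    }
    const int offset = loadInt(argv[1]);
    const LPCSTR pe_path = "payl1.exe"; //sha1=19cac454edb76d7e879598d8c7e8e032f9d006d2
    if (!load_pe(pe_path)) {
        std::cerr << "[ERROR] Loading failed!\n";
        return -1;
    }
    // The RVA comes straight from the command line: reject anything outside the
    // mapped image before it becomes a pointer, otherwise a negative, unparsable
    // (loadInt yields 0) or oversized value would read arbitrary process memory.
    // Only the start is checked; the decoder itself determines the string's end.
    if (offset <= 0 || static_cast<size_t>(offset) >= g_PESize) {
        std::cerr << "[ERROR] RVA " << std::hex << offset << " is outside the mapped image\n";
        peconv::free_pe_buffer(g_PE, g_PESize);
        return 1;
    }
    wchar_t* str = (wchar_t*)(offset + (ULONG_PTR)g_PE);
    // decode_string is the sample's own code; ownership of the buffer it returns
    // is not known from here, so it is deliberately not freed.
    char *dec = decode_string(str);
    if (dec) {
        std::cout << std::hex << offset << ",\'" << dec << "\'\n";
    }
    peconv::free_pe_buffer(g_PE, g_PESize);
    return 0;
}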