Decoder for SaintStealer strings (sha1=19cac454edb76d7e879598d8c7e8e032f9d006d2) - libPeConv-based

main.cpp

#include <Windows.h>
#include <iostream>
#include <sstream>

#include <peconv.h> // include libPeConv header

wchar_t* (__cdecl *decode_wstring_with_shift)(wchar_t *enc_str, int shift_pos) = nullptr;
char* (__cdecl *decode_string)(wchar_t *enc_str) = nullptr;
/*
4c0c,decode_string
4e2c,decode_wstring_with_shift
*/

size_t g_PESize = 0;
BYTE *g_PE = nullptr;

BYTE* load_pe(LPCSTR pe_path)
{
	// manually load the PE file using libPeConv:

#ifdef LOAD_FROM_PATH
	//if the PE is dropped on the disk, you can load it from the file:
	BYTE* my_pe = peconv::load_pe_executable(pe_path, v_size);
#else
	size_t bufsize = 0;
	BYTE *buffer = peconv::load_file(pe_path, bufsize);

	// if the file is NOT dropped on the disk, you can load it directly from a memory buffer:
	g_PE = peconv::load_pe_executable(buffer, bufsize, g_PESize);
#endif
	if (!g_PE) {
		return NULL;
	}

	// if the loaded PE needs to access resources, you may need to connect it to the PEB:
	peconv::set_main_module_in_peb((HMODULE)g_PE);

	decode_wstring_with_shift = (wchar_t* (__cdecl *)(wchar_t *enc_str, int shift_pos))(0x4e2c + (ULONG_PTR)g_PE);
	decode_string = (char* (__cdecl *)(wchar_t *enc_str))(0x4c0c + (ULONG_PTR)g_PE);

	return g_PE;
}

int loadInt(const std::string &str)
{
	int intVal = 0;

	std::stringstream ss;
	ss << std::hex << str;
	ss >> intVal;

	return intVal;
}

int main(int argc, char *argv[])
{
	if (argc < 2) {
		std::cout << "Args: <string RVA>" << std::endl;
		return 0;
	}
	int offset = loadInt(argv[1]);

	const LPCSTR pe_path = "payl1.exe"; //sha1=19cac454edb76d7e879598d8c7e8e032f9d006d2
	if (!load_pe(pe_path)) {
		std::cout << "[ERROR] Loading failed!\n";
		return -1;
	}
	wchar_t* str = (wchar_t*)(offset + (ULONG_PTR)g_PE);
	char *dec = decode_string(str);
	if (dec) {
		std::cout << std::hex << offset << ",\'" << dec << "\'\n";
	}
	return 0;
}