In win-capture, I came across the code below:
/* Nibble helpers: the low and the high four bits of a byte-sized value. */
#define LOWER_HALFBYTE(x) ((x) & 0x0F)
#define UPPER_HALFBYTE(x) (((x) >> 4) & 0x0F)
/*
 * Returns the module handle of kernel32, resolved on first use and cached
 * in a function-local static for every later call.
 */
static inline HMODULE kernel32(void)
{
	static HMODULE cached = NULL;

	if (cached == NULL) {
		cached = GetModuleHandleW(L"kernel32");
	}
	return cached;
}
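/*
 * XOR-decodes `str` in place with the 16 nibbles of `val` used as a
 * repeating key.
 *
 * Key nibble i (0..15) is bits [4*i, 4*i+4) of `val`: the low nibble of the
 * least-significant byte first, then its high nibble, and so on.  On a
 * little-endian host that is exactly the order the original `(uint8_t *)&val`
 * walk produced; expressing it with shifts removes the pointer cast and the
 * host-endianness dependence.  Because the step is a plain XOR, the same call
 * both obfuscates and deobfuscates a string.
 *
 * str: NUL-terminated buffer, modified in place.  NULL is a no-op.
 * val: 64-bit key.  This is obfuscation, not secrecy: the key sits at the
 *      call site right next to the string it decodes.
 */
void deobfuscate_str(char *str, uint64_t val)
{
	const unsigned key_nibbles = 2u * sizeof(uint64_t); /* 16 */
	unsigned nibble = 0;                                /* position in the key stream */

	if (str == NULL) {
		return;
	}
	for (char *p = str; *p != '\0'; p++) {
		/* nibble <= 15, so the shift is at most 60 bits: well-defined. */
		uint8_t key = (uint8_t)((val >> (4u * nibble)) & 0xFu);
		uint8_t *byte = (uint8_t *)p; /* char aliasing: byte-exact XOR */

		*byte ^= key;
		nibble = (nibble + 1u) % key_nibbles;
	}
}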
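/*
 * Looks up an export whose name is stored obfuscated.
 *
 * `str` is copied into a stack buffer, XOR-decoded with `val` (see
 * deobfuscate_str) and handed to GetProcAddress.  The decoded name lives
 * only in this frame; the buffer is not cleared before returning.
 *
 * Returns NULL when `str` is NULL or does not fit in the 128-byte buffer
 * (a truncated name would not resolve to the intended export), otherwise
 * whatever GetProcAddress returns.
 */
void *get_obfuscated_func(HMODULE module, const char *str, uint64_t val)
{
	char new_name[128];

	if (str == NULL) {
		return NULL;
	}
	size_t len = strlen(str);
	if (len >= sizeof new_name) {
		return NULL; /* no room for the terminator: refuse rather than truncate */
	}
	/* Bounded copy including the NUL; replaces the two-argument strcpy_s
	 * form, which is not the C signature (that one takes a size). */
	memcpy(new_name, str, len + 1);
	deobfuscate_str(new_name, val);
	return GetProcAddress(module, new_name);
}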
/* Resolve kernel32!OpenProcess without the plain name in the binary:
 * XOR-ing "NuagUykjcxr" with the nibbles of 0x1B694B59451ULL yields
 * "OpenProcess", which is then passed to GetProcAddress. */
get_obfuscated_func(kernel32(), "NuagUykjcxr", 0x1B694B59451ULL);
In the code above, deobfuscate_str simply turns new_name into "openprocess"; why go through 'NuagUykjcxr' and 0x1B694B59451ULL to produce it?
/* Nibble helpers: the low and the high four bits of a byte-sized value. */
#define LOWER_HALFBYTE(x) ((x) & 0x0F)
#define UPPER_HALFBYTE(x) (((x) >> 4) & 0x0F)
/*
 * Returns the module handle of kernel32, resolved on first use and cached
 * in a function-local static for every later call.
 */
static inline HMODULE kernel32(void)
{
	static HMODULE cached = NULL;

	if (cached == NULL) {
		cached = GetModuleHandleW(L"kernel32");
	}
	return cached;
}
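/*
 * XOR-decodes `str` in place with the 16 nibbles of `val` used as a
 * repeating key.
 *
 * Key nibble i (0..15) is bits [4*i, 4*i+4) of `val`: the low nibble of the
 * least-significant byte first, then its high nibble, and so on.  On a
 * little-endian host that is exactly the order the original `(uint8_t *)&val`
 * walk produced; expressing it with shifts removes the pointer cast and the
 * host-endianness dependence.  Because the step is a plain XOR, the same call
 * both obfuscates and deobfuscates a string.
 *
 * str: NUL-terminated buffer, modified in place.  NULL is a no-op.
 * val: 64-bit key.  This is obfuscation, not secrecy: the key sits at the
 *      call site right next to the string it decodes.
 */
void deobfuscate_str(char *str, uint64_t val)
{
	const unsigned key_nibbles = 2u * sizeof(uint64_t); /* 16 */
	unsigned nibble = 0;                                /* position in the key stream */

	if (str == NULL) {
		return;
	}
	for (char *p = str; *p != '\0'; p++) {
		/* nibble <= 15, so the shift is at most 60 bits: well-defined. */
		uint8_t key = (uint8_t)((val >> (4u * nibble)) & 0xFu);
		uint8_t *byte = (uint8_t *)p; /* char aliasing: byte-exact XOR */

		*byte ^= key;
		nibble = (nibble + 1u) % key_nibbles;
	}
}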
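/*
 * Looks up an export whose name is stored obfuscated.
 *
 * `str` is copied into a stack buffer, XOR-decoded with `val` (see
 * deobfuscate_str) and handed to GetProcAddress.  The decoded name lives
 * only in this frame; the buffer is not cleared before returning.
 *
 * Returns NULL when `str` is NULL or does not fit in the 128-byte buffer
 * (a truncated name would not resolve to the intended export), otherwise
 * whatever GetProcAddress returns.
 */
void *get_obfuscated_func(HMODULE module, const char *str, uint64_t val)
{
	char new_name[128];

	if (str == NULL) {
		return NULL;
	}
	size_t len = strlen(str);
	if (len >= sizeof new_name) {
		return NULL; /* no room for the terminator: refuse rather than truncate */
	}
	/* Bounded copy including the NUL; replaces the two-argument strcpy_s
	 * form, which is not the C signature (that one takes a size). */
	memcpy(new_name, str, len + 1);
	deobfuscate_str(new_name, val);
	return GetProcAddress(module, new_name);
}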
/* Resolve kernel32!OpenProcess without the plain name in the binary:
 * XOR-ing "NuagUykjcxr" with the nibbles of 0x1B694B59451ULL yields
 * "OpenProcess", which is then passed to GetProcAddress. */
get_obfuscated_func(kernel32(), "NuagUykjcxr", 0x1B694B59451ULL);
In the code above, deobfuscate_str simply turns new_name into "openprocess"; why go through 'NuagUykjcxr' and 0x1B694B59451ULL to produce it?