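{$lua}
-- Callback executed by Cheat Engine's Lua server each time the hook at
-- "liblark.dll"+761B9A0 fires (reached through CELUA_ExecuteFunction in the
-- asm section below). `param` is the hooked thread's ebp, which the hook set
-- to its stack pointer at entry, so param+N indexes the hooked stack frame.
--
-- Every memory read is checked: CE's readInteger/readBytes return nil when
-- the address is not readable, and the original code raised on the first
-- nil instead of reporting it.
function myfunction(param)
  print("called")
  local keypointer = readInteger(param + 16)   -- [ebp+10]: pointer to the key bytes
  local len        = readInteger(param + 20)   -- [ebp+14]: key length in bytes
  if keypointer == nil or len == nil then
    print("key : <stack not readable>")
    return
  end

  local key = ''
  if len > 0 then
    -- third argument true: return the bytes as a 1-based table of values
    local bytes = readBytes(keypointer, len, true)
    if bytes == nil then
      print("key : <key buffer not readable>")
      return
    end
    -- Collect characters once and join them; repeated `..` re-copies the
    -- partial string on every iteration.
    local chars = {}
    for i = 1, len do
      chars[i] = string.char(bytes[i])
    end
    key = table.concat(chars)
  end

  print("key :" .. key)
  print(string.format("len:%d", len))
end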
{$asm}
// Bridge from the injected code to Cheat Engine's Lua: luaclient-i386.dll is
// loaded into the target and CE starts the matching server ('CELUASERVER').
// The DLL exports CELUA_Initialize and CELUA_ExecuteFunction, used below.
loadlibrary(luaclient-i386.dll)
luacall(openLuaServer('CELUASERVER'))
globalalloc(luainit, 128)
globalalloc(LuaFunctionCall, 128)
label(luainit_exit)
// luaserverinitialized: 0 until CELUA_Initialize has been called once;
// afterwards it holds that call's return value (eax).
globalalloc(luaserverinitialized, 4)
// luaservername: 'CELUASERVER' plus NUL terminator = 12 bytes.
globalalloc(luaservername, 12)

luaservername:
db 'CELUASERVER',0

// luainit: one-time initialisation.
//   First call: CELUA_Initialize(luaservername), result cached in
//   luaserverinitialized. Later calls: fall straight through to ret.
// Clobbers: eax and flags (plus whatever CELUA_Initialize clobbers).
// The argument is not cleaned up after the call: the script relies on the
// callee popping it (stdcall).
luainit:
cmp [luaserverinitialized],0
jne luainit_exit
push luaservername          // first call: load the Lua DLL side / connect to the server
call CELUA_Initialize //this function is defined in the luaclient dll
mov [luaserverinitialized],eax
luainit_exit:
ret

// LuaFunctionCall(script, param): stdcall, two dword args, callee pops (ret 8).
//   [ebp+8]  = script: pointer to a NUL-terminated Lua snippet
//   [ebp+c]  = param:  integer the snippet sees as `parameter`
// Ensures initialisation, then forwards to CELUA_ExecuteFunction(script, param).
// No esp adjustment follows that call: it is relied on to pop its own args,
// so esp == ebp when `pop ebp` runs.
LuaFunctionCall:
push ebp
mov ebp,esp
call luainit
push [ebp+c]                // param
push [ebp+8]                // script
call CELUA_ExecuteFunction
pop ebp
ret 8
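// Injection at "liblark.dll"+761B9A0. The 5-byte `jmp newmem` overwrites
// `push esi` (1 byte) and `push [esp+0C]` (4 bytes); both are replayed at
// originalcode before jumping back to returnhere.
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(myluascript)

newmem:
// ebp = stack pointer as it was at the hook. It is passed to the Lua side,
// which reads [ebp+10] and [ebp+14] from the hooked frame through it.
push ebp
mov ebp,esp
// Preserve every general register and the flags, not only eax: the call
// below ends in an ordinary stdcall callee (CELUA_ExecuteFunction) that may
// clobber eax, ecx, edx and flags, and the hooked code may still depend on
// them (ecx/edx are argument registers under fastcall/thiscall).
pushad
pushfd
push ebp                    // param  -> `parameter` in the Lua snippet
push myluascript            // script -> "myfunction(parameter)"
call LuaFunctionCall        // stdcall (ret 8): pops both arguments
popfd
popad
mov esp,ebp                 // defensive: esp already equals ebp here
pop ebp

originalcode:
push esi
push [esp+0C]

exit:
jmp returnhere

// Snippet text kept inside the newmem allocation, after the code, so it has
// a definite address within the allocated block.
myluascript:
db 'myfunction(parameter)',0

"liblark.dll"+761B9A0:
jmp newmem
returnhere: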