Good script for IAT resolving for HASP envelope (cracklab.ru)
/*
/////////////////////////////////////////////////////////////////////////////////
HASP_HL Envelop 1.2x/1.3x import resolver script v0.1a
Author: s0cpy
Email : [email protected]
OS    : WinXP SP2, Ollydbg 1.1, ODbgScript 1.65.4
Date  : 2008-01-12
Action: Fix IAT, but not fix emulated functions.
Config: Ignore all exceptions, start from OEP.
/////////////////////////////////////////////////////////////////////////////////
*/

// Purpose: walk a user-supplied IAT range in the debugged process and, for each
// non-zero cell that does not already hold a value above `sysmod`, execute the
// code the cell points to until a hardware breakpoint fires, then overwrite the
// cell with the EIP reached. All addresses are entered by hand through `ask`
// prompts; the script does not validate them beyond rejecting 0.
//
// The script really executes debuggee code (`run` / `sti`) and writes into
// debuggee memory (`mov [iat_cell], eip`), so whatever the executed stubs do
// happens in the debugged process.

// Script variables. None is given an initial value here.
var prtc_sec
var iat_cell
var ss
var es
var gtc
var endp
var iatstart
var iatend
var gtc_c
var sysmod

// gtc = address of kernel32!GetTickCount, used below as a marker value for EIP.
gpa "GetTickCount", "kernel32.dll"
mov gtc, $RESULT

// Each prompt jumps to @halt when $RESULT is 0.
// NOTE(review): ss and es are assigned here and never read again in this listing.
ask "Enter start code section address"
cmp $RESULT, 0
je @halt
mov ss, $RESULT
mov es, $RESULT

ask "Enter start address of IAT"
cmp $RESULT, 0
je @halt
mov iatstart, $RESULT

ask "Enter end address of IAT"
cmp $RESULT, 0
je @halt
mov iatend, $RESULT

ask "Enter start address of `.protect` section"
cmp $RESULT, 0
je @halt
mov prtc_sec, $RESULT

ask "Enter start address of system modules memory"
cmp $RESULT, 0
je @halt
mov sysmod, $RESULT

// Locate a byte pattern starting from prtc_sec and place a hardware execute
// breakpoint 4 bytes into the match. The last four pattern bytes, 8B E5 5D C3,
// decode as mov esp,ebp / pop ebp / ret, so endp points at a function epilogue.
// NOTE(review): the result of `find` is not checked; if nothing matches and
// $RESULT is 0, endp becomes 4 and the breakpoint is set there.
@end_point:
find prtc_sec, #FFFF82D18BE55DC3#
mov endp, $RESULT
add endp, 4
bphws endp, "x"

// Main loop: pick the next IAT cell.
// NOTE(review): iat_cell has no value the first time it is compared here.
// NOTE(review): termination is an equality test only, and iatstart advances in
// steps of 4; presumably iatend must be reachable from iatstart in 4-byte
// steps, otherwise the walk continues past the range. Confirm.
@search:
cmp iat_cell, iatend
je @halt
mov iat_cell, iatstart
cmp [iatstart], 00000000
// The `je` below acts on the `cmp` above; this assumes `add` leaves the
// script's comparison result untouched. Confirm for the ODbgScript version used.
add iatstart, 4
// Empty (zero) cell: skip it.
je @search
// Cell value above sysmod: skip it (presumably it already holds a direct
// system-module address).
cmp [iat_cell], sysmod
ja @search

// Redirect execution to whatever the cell currently points at.
@scan:
mov eip, [iat_cell]
jmp @run

// Reached when a stop landed on GetTickCount: count it. On the second
// consecutive hit the cell is patched with that address; otherwise execution
// falls through to @run and continues.
@count:
inc gtc_c
cmp gtc_c, 2
je @fix

// Run until the debugger stops (presumably at the endp breakpoint), then
// single-step three times; if the stop was at endp these steps execute the
// mov esp,ebp / pop ebp / ret sequence.
@run:
run
sti
sti
sti
cmp eip, gtc
je @count
// EIP is not GetTickCount and no GetTickCount hit has been counted: the cell
// is left unmodified and the walk moves on.
cmp gtc_c, 0
je @search

// A GetTickCount hit was counted earlier: reset the counter, then patch.
@zero_c:
mov gtc_c, 0

// Overwrite the IAT cell with the address execution ended up at.
@fix:
mov [iat_cell], eip
cmp iat_cell, iatend
je @halt
jmp @search

// Cleanup: remove the hardware breakpoint, move EIP to `oep`, re-analyse the
// code at EIP, pause the script and exit.
// NOTE(review): `oep` is neither declared with `var` nor assigned anywhere in
// this listing; unless the ODbgScript runtime supplies it, this line cannot
// resolve. Confirm.
// NOTE(review): when @halt is reached from one of the `ask` checks above, endp
// has not been set yet when `bphwc endp` runs.
@halt:
bphwc endp
mov eip, oep
an eip
pause
ret