HASP HL Envelope IAT Fixer
/*************************************************
HASP HL Envelope IAT Fixer
Author: mfeng
Email: [email protected]
Homepage: hvaonline.net
History:
+ v0.0.1: November 08, 2008.
Tools: WinXP SP2, OllyICE, OllyDbg Script 1.64.3
Notes:
- Use this script after stop at OEP.
- Some emulated functions need to be resolved manually:
  GetCommandLineA
  GetProcAddress
  GetCurrentProcess
  GetStartupInfoA
  GetCurrentProcessId
  GetCurrentThreadId
**************************************************/

/*
 OllyScript (OllyDbg Script 1.64.3) flat script, no functions.
 Inputs  : three "ask" prompts (IAT RVA, IAT size, start address of the
           .protect section); an answer of 0 to any of them ends the script.
 Output  : resolved target addresses are written back into IAT slots and
           logged as "[slot] <- target"; nothing is logged for slots the
           script leaves unchanged.
 Effects : sets/clears a hardware execute breakpoint (bphws/bphwc), moves eip
           around while searching, then restores eip to its starting value,
           runs "an" on it and pauses. All numeric literals are hex, as is
           usual for this interpreter.
*/

var saveEIP
var modulebase
var addrGetTickCount
var numCallGTC
var iatStart
var iatSize
var iatEnd
var iatEntry
var addrBP
var addrAPIEntry
var protectSectionBase
var addr
var opcode
// NOTE(review): "offset" is assigned below but has no "var offset" line here;
// confirm the interpreter version in use accepts an undeclared variable.

mov saveEIP, eip                        // remembered so @exit can put eip back
gpa "GetTickCount", "kernel32.dll"
mov addrGetTickCount, $RESULT
gmi eip, MODULEBASE
mov modulebase, $RESULT

ask "Enter RVA of IAT"
cmp $RESULT, 0
je @exit
mov iatStart, $RESULT
add iatStart, modulebase                // RVA -> VA
ask "IAT Size"
cmp $RESULT, 0
je @exit
mov iatSize, $RESULT
ask "Start address of `.protect` section"
cmp $RESULT, 0
je @exit
mov protectSectionBase, $RESULT

// Locate the byte pattern in the section; addrAPIEntry is its first match.
find protectSectionBase, #668BC087D387DA558BEC#
cmp $RESULT, 0
je @signature_not_found
mov addrAPIEntry, $RESULT
mov addrBP, addrAPIEntry
sub addrBP, 20                          // 0x20 bytes before the match
mov opcode, [addrBP]
and opcode, FFFF                        // keep the low word (two bytes, little-endian)
cmp opcode, C35D // POP EBP, RETN opcodes
jne @signature_not_found                // expected 5D C3 not present: same bail-out as no match
inc addrBP // point to retn opcode
log addrBP
log addrAPIEntry

mov iatEnd, iatStart
add iatEnd, iatSize
mov iatEntry, iatStart

// Walk the IAT one dword at a time: iatEntry = current slot, [iatEntry] = its value.
@search:
cmp iatEntry, iatEnd
jae @exit                               // unsigned compare: end of table
cmp [iatEntry], 00000000
je @next                                // empty slot
mov addr, [iatEntry]
mov opcode, [addr]
and opcode, 0FF
cmp opcode, E8                          // only slots pointing at a CALL rel32 are examined
jne @next
inc addr                                // addr -> rel32 operand
mov offset, [addr]
add offset, addr
add offset, 4                           // offset = call target (next insn + rel32)
cmp offset, addrAPIEntry
jne @next                               // call does not go to the located entry: skip
bphws addrBP, "x"                       // execute breakpoint on the retn
mov eip, [iatEntry]
mov numCallGTC, 0
// Run to the retn and step over it; eip then holds the return target.
// A first return into GetTickCount is counted and the loop runs again;
// the hit after that one (or a first hit counted already) is taken as the fix.
// A first hit that is not GetTickCount leaves the slot untouched (no log).
@run:
run
sti
cmp numCallGTC, 1
je @fix
cmp eip, addrGetTickCount
jne @next
inc numCallGTC
jmp @run
@fix:
mov numCallGTC, 0
eval "[{iatEntry}] <- {eip}"
log $RESULT
mov [iatEntry], eip                     // overwrite the slot with the resolved address
@next:
bphwc addrBP                            // also executed on paths where no breakpoint was set
add iatEntry, 4
jmp @search

@signature_not_found:
msg "Signature's not found!"
jmp @exit

@exit:
bphwc                                   // clear any remaining hardware breakpoints
mov eip, saveEIP
an eip
pause
ret