OpenRCE: Blog http://www.openrce.org/rss/feeds/blog OpenRCE: The Open Reverse Code Engineering Community HASP HL Envelope IAT Fixer Sun, 09 Nov 2008 22:36:56 -0600 https://www.openrce.org/blog/view/1304/HASP_HL_Envelope_IAT_Fixer mfeng <email-suppressed@example.com> /*************************************************<br /> HASP HL Envelope IAT Fixer<br /> &nbsp;&nbsp; <br /> Author: mfeng<br /> Email: mfengol@gmail.com<br /> Homepage: hvaonline.net<br /> <br /> History:<br /> &nbsp;&nbsp;&nbsp;&nbsp;+ v0.0.1: November 08, 2008.<br /> &nbsp;&nbsp; <br /> Tools: WinXP SP2, OllyICE, OllyDbg Script 1.64.3<br /> Notes:<br /> - Use this script after stop at OEP.<br /> - Some emulated functions need to be resolved manually:<br /> &nbsp;&nbsp;&nbsp;&nbsp;GetCommandLineA<br /> &nbsp;&nbsp;&nbsp;&nbsp;GetProcAddress<br /> &nbsp;&nbsp;&nbsp;&nbsp;GetCurrentProcess<br /> &nbsp;&nbsp;&nbsp;&nbsp;GetStartupInfoA<br /> &nbsp;&nbsp;&nbsp;&nbsp;GetCurrentProcessId<br /> &nbsp;&nbsp;&nbsp;&nbsp;GetCurrentThreadId<br /> **************************************************/<br /> <br /> var saveEIP<br /> var modulebase<br /> var addrGetTickCount<br /> var numCallGTC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br /> var iatStart<br /> var iatSize<br /> var iatEnd<br /> var iatEntry<br /> var addrBP<br /> var addrAPIEntry<br /> var protectSectionBase<br /> var addr<br /> var opcode<br /> <br /> mov saveEIP, eip<br /> <br /> gpa &quot;GetTickCount&quot;, &quot;kernel32.dll&quot;<br /> mov addrGetTickCount, $RESULT<br /> <br /> gmi eip, MODULEBASE<br /> mov modulebase, $RESULT<br /> <br /> ask &quot;Enter RVA of IAT&quot;<br /> cmp $RESULT, 0<br /> je @exit<br /> mov iatStart, $RESULT<br /> add iatStart, modulebase<br /> <br /> ask &quot;IAT Size&quot;<br /> cmp $RESULT, 0<br /> je @exit<br /> mov iatSize, $RESULT<br /> <br /> ask &quot;Start address of `.protect` section&quot;<br /> cmp $RESULT, 0<br /> je @exit<br /> mov protectSectionBase, $RESULT<br /> <br /> find protectSectionBase, #668BC087D387DA558BEC#<br /> cmp&nbsp;&nbsp;$RESULT, 0<br /> je @signature_not_found<br /> mov addrAPIEntry, $RESULT<br /> mov addrBP, addrAPIEntry<br /> sub addrBP, 20<br /> mov opcode, [addrBP]<br /> and opcode, FFFF<br /> cmp opcode, C35D&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// POP EBP, RETN opcodes<br /> jne @signature_not_found<br /> inc addrBP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // point to retn opcode<br /> <br /> log addrBP<br /> log addrAPIEntry<br /> <br /> mov iatEnd, iatStart<br /> add iatEnd, iatSize<br /> <br /> mov iatEntry, iatStart<br /> <br /> @search:<br /> cmp iatEntry, iatEnd<br /> jae @exit<br /> cmp [iatEntry], 00000000<br /> je @next<br /> <br /> mov addr, [iatEntry]<br /> mov opcode, [addr]<br /> and opcode, 0FF<br /> cmp opcode, E8<br /> jne @next<br /> <br /> inc addr<br /> mov offset, [addr]<br /> add offset, addr<br /> add offset, 4<br /> cmp offset, addrAPIEntry<br /> jne @next<br /> <br /> bphws addrBP, &quot;x&quot;<br /> mov eip, [iatEntry]<br /> <br /> mov numCallGTC, 0<br /> @run:<br /> run<br /> sti<br /> cmp numCallGTC, 1<br /> je @fix<br /> cmp eip, addrGetTickCount<br /> jne @next<br /> inc numCallGTC<br /> jmp @run<br /> <br /> @fix:<br /> mov numCallGTC, 0<br /> eval &quot;[{iatEntry}] &lt;- {eip}&quot;<br /> log $RESULT<br /> mov [iatEntry], eip<br /> <br /> @next:<br /> bphwc addrBP<br /> add iatEntry, 4<br /> jmp @search<br /> <br /> @signature_not_found:<br /> msg &quot;Signature's not found!&quot;<br /> jmp @exit<br /> <br /> @exit:<br /> bphwc<br /> mov eip, saveEIP<br /> an eip<br /> pause<br /> ret<br />