// OllyScript (ODbgScript) helper that repairs protector-redirected API calls
// ("stolen calls") in an already-unpacked process. After the protector has
// run, an import call in the code section looks like (example from the
// original header):
//
//      call 0BA0000            ; call into the protector stub (here: CreateFileA)
//
// and this script rewrites each such site back to its original form:
//
//      call [Real_addr_in_IAT]
//
// Target: AlterWind Log Analyzer Professional 3.0.0.1. Every address set below
// is specific to that build and was found by hand; nothing is derived from the
// PE headers, so the script is not reusable on another image without rework.
//
// by BiT-H@ck, 26.08.2005 3:42:)  -- the original (non-Latin) comments were
// lost in extraction; the comments in this file are reconstructed from the
// code itself and the surviving header fragments.
//
// Flow:
//   1. @Oep_find_by_sanniassin: drive the debuggee to the OEP with a mix of
//      hardware/software breakpoints and byte-pattern searches, remember it.
//   2. @continue: scan the code section for E8 (call rel32) opcodes whose
//      target lies beyond the image's sections (i.e. in protector code).
//   3. @reconstruct: for each such call, let the stub run up to VirtualAllocEx,
//      read the real API address off the stack, find the IAT cell holding it,
//      and patch the site to FF15 <cell> (call [cell]).
//   4. @endscript: restore eip = OEP.

var calladdr            // rel32 operand of the E8 call being examined
var aftercalladdr       // address right after the 5-byte call; later the call's absolute target
var filesecend          // name suggests end of the image's sections; call targets >= this are treated as stub code
var startscan           // scan cursor through the code section; also the current call site
var endscan             // scanning stops once startscan reaches this address
var VirtualAllocExAddr  // kernel32!VirtualAllocEx, used as a breakpoint inside the protector stub
var realfunction        // real API address read from the stack when the stub reaches VirtualAllocEx
var iatcell             // dword read from the IAT during the linear search
var iatstart            // first dword of the IAT region that is searched
var iatstarttemp        // IAT search cursor; on match it holds the cell address written into the patch
var temp                // scratch: esp+5C
var endmemoryspice      // rel32 values >= this are rejected as "not a stolen call" (name kept from the original)
var OEP                 // original entry point, restored at the end
var x                   // scratch address
var y                   // scratch value (bytes/dwords read from memory)
var is_DLL              // 1 when the first byte at the entry is 0x60 (pushad); selects the DLL variant of the OEP search

gpa "VirtualAllocEx", "kernel32.dll"	// $RESULT = address of VirtualAllocEx in the debuggee
mov VirtualAllocExAddr, $RESULT

// Hard-coded, target-specific layout (see header).
mov endmemoryspice, 2CF1000	// upper bound for a plausible rel32 operand
mov iatstart, 00513000	// start of the IAT region to search
mov startscan, 00401000	// start of the code section (scan start)
mov endscan, 005047E9	// end of the scanned range
mov filesecend, 6DA000	// call targets at/above this are outside the image

//-----------------------------------------------------------------------
// OEP search. Credited in the original label to "sanniassin". The stops are
// identified by byte patterns at eip, so they only hold for this build.
//-----------------------------------------------------------------------
@Oep_find_by_sanniassin:
mov x,esp
sub x,48
bphws x,"r"	// hardware read breakpoint on the stack slot esp-48
mov y,[eip]
and y,000000FF
cmp y,60	// 0x60 = pushad as the first opcode at the entry
jne zzz
mov is_DLL,1	// the script treats that as the DLL case

// Keep running (the hardware bp above is what stops us) until the dword at
// eip is 01B80875, i.e. the bytes 75 08 B8 01: "jne +8" then "mov eax, imm32"
// whose low byte is 01.
zzz:
run
mov y,[eip]
cmp y,01B80875
jne zzz
bphwc x

// Locate "add esp,4 / add [esp],eax / ret" near edi; +6 is the ret byte.
// Break there, run, then step over the ret so eip is at the caller.
find edi,#83C404010424C3#
mov x,$RESULT
add x,6
bp x
run
bc x
sto
mov x,eip

// Walk backwards from eip until the dword at x reads 5B5E5F5D, i.e. the
// bytes 5D 5F 5E 5B: pop ebp / pop edi / pop esi / pop ebx.
findcall:
dec x
mov y,[x]
cmp y,5B5E5F5D
jne findcall
sub x,8	// 8 bytes before that epilogue
go x	// run to it
sti	// step into
rtr	// run until return
sto	// step over the return
mov x,eip
and x,0000FFFF	// NOTE(review): the result of this and/cmp is never tested --
cmp x,0	// the next conditional jump follows "cmp is_DLL,1" below; looks like a leftover

// Watch a stack slot 8 (exe) or 0x10 (DLL) above esp until the last executed
// one-byte instruction was 0x5C (pop esp); the breakpoint is re-armed on
// every iteration.
mov x,esp
cmp is_DLL,1
jne is_exe
add x,10
jmp label_9
is_exe:
add x,8
label_9:
bphws x,"r"
run
mov y,eip
dec y
mov y,[y]	// opcode byte just before eip
and y,000000FF
cmp y,5C
jne label_9
bphwc x

cmp is_DLL,1
jne is_exe2
// DLL: find "mov [esp+1C],eax / popad / jmp eax"; +5 is the jmp eax.
// Break on it, run, step over it -> eip is at the OEP.
find eip,#8944241C61FFE0#
add $RESULT,5
bp $RESULT
run
bc $RESULT
sto
jmp msg

is_exe2:
// EXE: eax holds the address to run to at this point (assumed from the code).
mov x,eax
go x

msg:
msg "OEP found! OEP not stolen."
mov OEP, eip	// remembered; eip is restored to it at @endscript

//-----------------------------------------------------------------------
// Scan loop over the code section.
// NOTE(review): the skip path ("jae @continue") re-enters with startscan still
// pointing at the E8 it just examined; it relies on findop not matching at the
// start address itself, otherwise it would spin. Patched sites are no longer
// E8, so the reconstruct path has no such dependency.
//-----------------------------------------------------------------------
@continue:
findop startscan, #E8#	// next instruction starting with E8 (call rel32)
mov startscan, $RESULT	// candidate call site
inc $RESULT	// $RESULT -> rel32 operand
mov calladdr, [$RESULT]	// rel32
add $RESULT, 4	// $RESULT -> first byte after the 5-byte call
mov aftercalladdr, $RESULT
add aftercalladdr, calladdr	// absolute target = next_instruction + rel32
cmp startscan, endscan
jae @endscript	// scanned past the code section: done
cmp calladdr, endmemoryspice
jae @continue	// implausible rel32 (e.g. a backward call / stray E8 byte): skip
cmp aftercalladdr, filesecend
jae @reconstruct	// target is outside the image: a stub call, fix it
jmp @continue	// ordinary in-image call: skip

//-----------------------------------------------------------------------
// Repair one stub call. This executes protected code in the debuggee: eip is
// moved to the call site and the stub is run until it reaches VirtualAllocEx.
//-----------------------------------------------------------------------
@reconstruct:
mov eip, startscan	// resume at the call into the stub
bp VirtualAllocExAddr
run	// stub runs until it calls VirtualAllocEx
bc VirtualAllocExAddr
mov temp, esp
add temp, 5C	// [esp+5C] holds the real API address at this point (empirical for this build)
mov realfunction, [temp]
bphws startscan, "x"	// hardware execute bp on the call site
run	// continue until execution is back at the call site (so eip == startscan below)
bphwc startscan

// Linear search of the IAT for a cell equal to realfunction. The loop has no
// upper bound: if the address is absent it reads past the IAT until a
// matching dword or an access error.
mov iatstarttemp, iatstart	// start 4 below so the first iteration lands on iatstart
sub iatstarttemp, 4
@manual_find:
add iatstarttemp, 4	// next dword
mov iatcell, [iatstarttemp]
cmp iatcell, realfunction
jne @manual_find

// Patch the site: FF15 disp32 = call [disp32]. This writes 6 bytes (2 + a
// dword) over a 5-byte E8 call, so the byte following the call is overwritten;
// the script assumes the protector left a spare byte there (it replaced a
// 6-byte call [IAT]) -- TODO confirm per site.
mov [eip], #FF15#
add eip,2
mov [eip], iatstarttemp	// dword: address of the IAT cell
jmp @continue	// look for the next one

@endscript:
mov eip, OEP	// put eip back where the OEP search left it
ret	// end of script



