// Converts:

// call 0BA0000 ;Call CreateFileA

// into:

// call [Real_addr_in_IAT]

//  AlterWind Log Analyzer Professional 3.0.0.1

//  , . by BiT-H@ck in 26.08.2005 3:42:)

// OllyScript (OllyDbg script engine). One flat pass with no subroutines:
// control flow is @label / jmp only, so read it as a small state machine:
//   @finder/@manual_find  byte-scan for the next "E8 xx xx xx 00" pattern
//   @continue2            decode the call, filter by target address
//   @reconstruct          run the debuggee to recover the real API address
//   @IAT_write            store it in the next IAT cell, rewrite the call
//   @endscript            restore eip and stop
//
// Every address constant below (endmemoryspice, IATend, startscan, endscan,
// filesecend) is specific to the build this was written for; nothing in the
// script validates them.
//
// Assumptions the script relies on but never checks (confirm before use):
//  - the debuggee is paused at its original entry point when the script
//    starts (eip is saved as OEP and restored at the end);
//  - a redirected call is E8 rel32 followed by one spare byte, so that a
//    6-byte "FF 25 disp32" can be written over it without clobbering code;
//  - the stub reached from the call invokes VirtualAllocEx, and at that
//    breakpoint [esp+5C] holds the real API address;
//  - execution comes back to the call address afterwards (hw bp below);
//  - IATend starts a free run of IAT cells; the script never bounds it.
#log			// presumably echoes each script command to the Log window as it runs

var calladdr		// rel32 of the candidate call; later the call target masked to its top byte

var aftercalladdr	// address of the instruction after the call; later the absolute call target

var filesecend		// targets at/above this (and below endmemoryspice) are treated as stub code

var startscan		// start of the scan range; later the address of the current E8 match

var endscan		// end of the scan range (only tested after a match, see @continue2)

var VirtualAllocExAddr	// kernel32!VirtualAllocEx; software bp target while the stub runs

var realfunction	// resolved API address read from the stack at that breakpoint

var iatcell		// scratch dword used by the byte scan (historical name; it is not an IAT cell)

var temp		// scratch: esp+5C

var endmemoryspice	// exclusive upper bound for acceptable call targets

var OEP			// eip at script start; restored before ret

var x			// declared but never used

var y			// declared but never used

var IATend		// next IAT cell to fill; advanced by 4 per reconstructed call



gpa "VirtualAllocEx", "kernel32.dll"	// resolve kernel32!VirtualAllocEx into $RESULT

mov VirtualAllocExAddr, $RESULT



mov endmemoryspice, 0F21000 // targets at/above this are rejected (bound of the stub's memory - TODO confirm)

mov IATend, 005321BC	// first IAT cell the script will write; no upper bound is enforced anywhere

mov startscan, 00401000 // scan from here (presumably the start of the code section)

mov endscan, 00448BB1 // scan until here

mov filesecend, 5E0000	// targets in [filesecend, endmemoryspice) are reconstructed



mov OEP, eip		// remember where the debuggee is paused; restored at @endscript



		

jmp @finder

@continue2:	// entered with $RESULT = address of an E8 byte whose rel32 has a zero top byte

mov startscan, $RESULT	// remember the call address; the next scan resumes one byte past it

inc $RESULT		// -> E8+1, start of the rel32 displacement

mov calladdr, [$RESULT]	// calladdr = rel32

add $RESULT, 4		// -> E8+5, the instruction following the call

mov aftercalladdr, $RESULT	// keep the return address ...

add aftercalladdr, calladdr	// ... and turn it into the absolute target (return address + rel32)

mov calladdr, aftercalladdr

and calladdr, FF000000	// calladdr = top byte of the target

cmp calladdr, 0

jne @finder		// target >= 01000000: not a plausible address for this image, skip



cmp startscan, endscan	

ja @endscript		// past the scan range: done (note this test runs only after a candidate matched)

cmp calladdr, endmemoryspice 

jae @finder		// never taken: calladdr is 0 here (checked above) and endmemoryspice is non-zero

cmp aftercalladdr, endmemoryspice

jae @finder		// target beyond the stub region: skip



cmp aftercalladdr, filesecend

jae @reconstruct		// target inside [filesecend, endmemoryspice): treat as a redirected API call

jmp @finder		// target inside the image: ordinary call, skip



@reconstruct:		// recover the real API behind the redirected call at startscan

mov eip, startscan		// resume the debuggee from the call itself

bp VirtualAllocExAddr	// software bp; the stub is expected to call VirtualAllocEx

run			// no timeout or fallback: if the bp is never hit the script does not regain control

bc VirtualAllocExAddr	// clear it so later runs are not interrupted here

mov temp, esp

add temp, 5C		// [esp+5C] at this breakpoint: slot holding the real API address (offset is specific to this stub build)

mov realfunction, [temp]	// realfunction = dword read from that slot

bphws startscan, "x"	// hardware execute bp on the call address

run			// expects execution to come back to startscan; the path that brings it there is not visible here (TODO confirm)

bphwc startscan		// clear it; from here eip is assumed to equal startscan, which is not verified



@IAT_write:

mov [IATend], realfunction	// store the resolved address in the next IAT cell

			// rewrite the 5-byte E8 rel32 (+1 spare byte) as a 6-byte indirect through that cell

mov [eip], #FF25#		// FF 25 = jmp dword ptr [disp32]; NOTE: the original comment said FF15 (call [disp32]) - confirm which form the caller expects

add eip,2			// skip opcode + modrm; eip now points at the disp32 field

mov [eip], IATend		// disp32 = address of the IAT cell written above

add IATend, 4		// next call gets the next cell; nothing stops this from running past the IAT

jmp @finder		// continue scanning from startscan+1

@endscript:

mov eip, OEP		// put the debuggee back where it was when the script started

ret			// end of script





@finder:		// find the next "E8 xx xx xx 00" pattern, starting one byte after startscan

mov $RESULT, startscan

@manual_find:		// byte-wise scan; unbounded here, the endscan test lives in @continue2

add $RESULT, 1

mov iatcell, [$RESULT]

and iatcell, 000000FF

cmp iatcell, 000000E8

jne @manual_find	// low byte is not E8: advance one byte

add $RESULT, 1

mov iatcell, [$RESULT]

and iatcell, FF000000

cmp iatcell, 00000000

jne @manual_find	// top byte of the rel32 is non-zero: not a candidate; resume scanning at E8+2

sub $RESULT, 1		// back to the E8 byte

log $RESULT		// record the candidate address in the Log window

jmp @continue2



