//copyright by Pnluck 20005 pnluck@virgilio.it

//if you use this script to write a tutorial, you can put me in the thanks :D

//I must thank MaRKuS-DJM and KaGra for their info at http://forum.exetools.com/showthread.php?t=7545



//--- script variables (OllyScript numeric literals below are hexadecimal) ---

var x_addr     //address of the call currently being analysed (the original instruction to patch)

var x_LoadLib  //breakpoint address inside LoadLibraryA (resolved entry + b)

var x_AddrApi  //declared but never used in this script

var data_sect  //scan cursor into the .data section while searching for the API pointer

var end_data   //end of the .data section (start + size entered by the user)

var x_eax      //pointer to the string currently being rebuilt (first eax, then edi)

var go         //pass counter: 1 = string from eax, 2 = string from edi

var xvar       //scratch: dword read from memory, reduced to its lowest byte

var str        //accumulator for the string being rebuilt one character at a time

var x          //scratch: current one-character string; later reused for the resolved API address

var str_eax    //rebuilt string from eax (used as the module name in GPA)

var str_edi    //rebuilt string from edi (used as the procedure name in GPA)

var save_data  //start of the .data section, restored into data_sect before each new call

var end_addr   //address of the last call to analyse

//NOTE(review): start_addr is assigned later (mov start_addr,x_addr) but never declared with var — confirm the interpreter tolerates undeclared variables

//register snapshot slots; the code that would use them is commented out below

var sav_eax

var sav_ecx

var sav_edx

var sav_ebx

var sav_esp

var sav_ebp

var sav_esi

var sav_edi





//save the registers (disabled: the script currently does not snapshot them)

//mov sav_eax,eax

//mov sav_ecx,ecx

//mov sav_edx,edx

//mov sav_ebx,ebx

//mov sav_esp,esp

//mov sav_ebp,ebp

//mov sav_esi,esi

//mov sav_edi,edi



//ask for the .data section address; ask leaves the value in $RESULT, 0 when cancelled or empty

ask "Enter the address of data section."

cmp $RESULT,0

je exit                  //0 is treated as cancelled/invalid input throughout

mov data_sect,$RESULT    //scan cursor

mov save_data,$RESULT    //kept so the cursor can be rewound for each call

mov end_data,$RESULT

ask "Enter the size of data section."

cmp $RESULT,0

je exit

add end_data,$RESULT     //end_data = section start + size

//ask which range of calls has to be analysed

ask "Enter the start address of calls to analize:"

cmp $RESULT,0

je exit

mov x_addr,$RESULT 

mov start_addr,x_addr    //NOTE(review): start_addr has no var declaration above — confirm the interpreter accepts this

ask "Enter the end address of calls to analize:"

cmp $RESULT,0

je exit

mov end_addr,$RESULT 

start_proc:

//per-call loop entry: execute the call at x_addr until it reaches LoadLibraryA

mov eip,x_addr           //redirect execution to the call being analysed

GPA "LoadLibraryA","kernel32.dll"   //resolve LoadLibraryA; $RESULT = 0 if the lookup fails

cmp $RESULT,0

je exit

mov x_LoadLib,$RESULT

add x_LoadLib,b          //+0xB: hard-coded offset to the je inside LoadLibraryA
//NOTE(review): this offset depends on the exact kernel32 build — verify it on the target system before relying on it

bp x_LoadLib  //set the breakpoint at the je of LoadLibraryA

run                      //resume the debuggee; if the call never reaches LoadLibraryA the script blocks here

bc x_LoadLib             //remove the breakpoint again

//at the breakpoint: the script reads the string at eax as the module name and the string at edi
//as the procedure name (see GPA str_edi,str_eax below); that register usage is assumed from the
//packer's stub and is not checked here

mov x_eax,eax            //start rebuilding the string pointed to by eax

mov str,""               //empty the accumulator

mov go,1                 //pass 1 = eax string



//start of the hex->ascii routine: rebuild a NUL-terminated string one byte at a time

analize:

mov xvar,[x_eax]         //read a dword at the current string pointer

shl xvar,8

shl xvar,8

shl xvar,8

shr xvar,8

shr xvar,8

shr xvar,8//keep only the lowest byte (shift out the upper 24 bits; assumes 32-bit variable arithmetic)





cmp xvar,0               //NUL terminator: the string is complete

je fin_an



//character table: compare the byte against each supported character (hex literals) and set x to the
//matching one-character string; each failed compare falls through to the next label.
//Only '.', '0'-'9', 'A'-'Z' and 'a'-'z' are handled — any other byte ends at the last case below.

cmp xvar,2e

jne prox_0

mov x,"."

jmp add



prox_0:

cmp xvar,30

jne prox_1

mov x,"0"

jmp add



prox_1:

cmp xvar,31

jne prox_2

mov x,"1"

jmp add



prox_2:

cmp xvar,32

jne prox_3

mov x,"2"

jmp add



prox_3:

cmp xvar,33

jne prox_4

mov x,"3"

jmp add



prox_4:

cmp xvar,34

jne prox_5

mov x,"4"

jmp add



prox_5:

cmp xvar,35

jne prox_6

mov x,"5"

jmp add



prox_6:

cmp xvar,36

jne prox_7

mov x,"6"

jmp add



prox_7:

cmp xvar,37

jne prox_8

mov x,"7"

jmp add



prox_8:

cmp xvar,38

jne prox_9

mov x,"8"

jmp add



prox_9:

cmp xvar,39

jne prox_A

mov x,"9"

jmp add



prox_A:

cmp xvar,41

jne prox_B

mov x,"A"

jmp add



prox_B:

cmp xvar,42

jne prox_C

mov x,"B"

jmp add



prox_C:

cmp xvar,43

jne prox_D

mov x,"C"

jmp add



prox_D:

cmp xvar,44

jne prox_E

mov x,"D"

jmp add



prox_E:

cmp xvar,45

jne prox_F

mov x,"E"

jmp add



prox_F:

cmp xvar,46

jne prox_G

mov x,"F"

jmp add



prox_G:

cmp xvar,47

jne prox_H

mov x,"G"

jmp add



prox_H:

cmp xvar,48

jne prox_I

mov x,"H"

jmp add



prox_I:

cmp xvar,49

jne prox_J

mov x,"I"

jmp add



prox_J:

cmp xvar,4A

jne prox_K

mov x,"J"

jmp add



prox_K:

cmp xvar,4B

jne prox_L

mov x,"K"

jmp add



prox_L:

cmp xvar,4C

jne prox_M

mov x,"L"

jmp add



prox_M:

cmp xvar,4D

jne prox_N

mov x,"M"

jmp add



prox_N:

cmp xvar,4E

jne prox_O

mov x,"N"

jmp add



prox_O:

cmp xvar,4F

jne prox_P

mov x,"O"

jmp add



prox_P:

cmp xvar,50

jne prox_Q

mov x,"P"

jmp add



prox_Q:

cmp xvar,51

jne prox_R

mov x,"Q"

jmp add



prox_R:

cmp xvar,52

jne prox_S

mov x,"R"

jmp add



prox_S:

cmp xvar,53

jne prox_T

mov x,"S"

jmp add



prox_T:

cmp xvar,54

jne prox_U

mov x,"T"

jmp add



prox_U:

cmp xvar,55

jne prox_V

mov x,"U"

jmp add



prox_V:

cmp xvar,56

jne prox_W

mov x,"V"

jmp add



prox_W:

cmp xvar,57

jne prox_X

mov x,"W"

jmp add



prox_X:

cmp xvar,58

jne prox_Y

mov x,"X"

jmp add



prox_Y:

cmp xvar,59

jne prox_Z

mov x,"Y"

jmp add



prox_Z:

cmp xvar,5A

jne prox_a

mov x,"Z"

jmp add



prox_a:

cmp xvar,61

jne prox_b

mov x,"a"

jmp add



prox_b:

cmp xvar,62

jne prox_c

mov x,"b"

jmp add



prox_c:

cmp xvar,63

jne prox_d

mov x,"c"

jmp add



prox_d:

cmp xvar,64

jne prox_e

mov x,"d"

jmp add



prox_e:

cmp xvar,65

jne prox_f

mov x,"e"

jmp add



prox_f:

cmp xvar,66

jne prox_g

mov x,"f"

jmp add



prox_g:

cmp xvar,67

jne prox_h

mov x,"g"

jmp add



prox_h:

cmp xvar,68

jne prox_i

mov x,"h"

jmp add



prox_i:

cmp xvar,69

jne prox_j

mov x,"i"

jmp add



prox_j:

cmp xvar,6A

jne prox_k

mov x,"j"

jmp add



prox_k:

cmp xvar,6B

jne prox_l

mov x,"k"

jmp add



prox_l:

cmp xvar,6C

jne prox_m

mov x,"l"

jmp add



prox_m:

cmp xvar,6D

jne prox_n

mov x,"m"

jmp add



prox_n:

cmp xvar,6E

jne prox_o

mov x,"n"

jmp add



prox_o:

cmp xvar,6F

jne prox_p

mov x,"o"

jmp add



prox_p:

cmp xvar,70

jne prox_q

mov x,"p"

jmp add



prox_q:

cmp xvar,71

jne prox_r

mov x,"q"

jmp add



prox_r:

cmp xvar,72

jne prox_s

mov x,"r"

jmp add



prox_s:

cmp xvar,73

jne prox_t

mov x,"s"

jmp add



prox_t:

cmp xvar,74

jne prox_u

mov x,"t"

jmp add



prox_u:

cmp xvar,75

jne prox_v

mov x,"u"

jmp add



prox_v:

cmp xvar,76

jne prox_w

mov x,"v"

jmp add



prox_w:

cmp xvar,77

jne prox_x

mov x,"w"

jmp add



prox_x:

cmp xvar,78

jne prox_y

mov x,"x"

jmp add



prox_y:

cmp xvar,79

jne prox_z

mov x,"y"

jmp add



prox_z:

cmp xvar,7A

jne exit                 //any byte outside the table (for example '_' 5F, which occurs in some exported names) aborts the whole script with "Error"

mov x,"z"

jmp add



add:

//append the decoded character and move to the next byte

eval "{str}{x}"          //$RESULT = str followed by x

mov str,$RESULT

inc x_eax                //advance the string pointer by one byte

jmp analize



fin_an:

//string finished: after pass 1 (go=1) switch to the edi string, after pass 2 go on to the lookup

cmp go,1

je ana_edi

jne fin_str_cov





ana_edi:

mov str_eax,str          //keep the first string (from eax); used below as the module name

mov str,""               //reset the accumulator for the second string

mov x_eax,edi            //now rebuild the string pointed to by edi

inc go                   //go = 2

jmp analize

//end of the hex->ascii routine



fin_str_cov:

//resolve the API: GPA proc,lib with the edi string as procedure name and the eax string as module name

mov str_edi,str

GPA str_edi,str_eax      //$RESULT = address of the export, 0 if not found

cmp $RESULT,0

je exit

mov x,$RESULT            //x now holds the real API address to look for in .data



//scan the .data section dword by dword for a slot equal to the API address (the import slot)

start_trovo:

mov xvar,[data_sect]

cmp x,xvar

je trovato               //match: data_sect is the slot address

add data_sect,4          //next dword

cmp data_sect,end_data

je exit                  //reached the end of the section without a match
//NOTE(review): the end test is an equality, so a section size that is not a multiple of 4 would never hit it and the scan would run past end_data

jmp start_trovo



trovato:

//patch the analysed call into an indirect jump through the slot that was found

eval "jmp dword ptr [{data_sect}]"   //{data_sect} is substituted with the slot address

asm x_addr,$RESULT       //assemble the jmp over the original instruction at x_addr (FF 25 form, 6 bytes)

//register restore (disabled, matches the disabled save above)

//mov eax,sav_eax

//mov ecx,sav_ecx

//mov edx,sav_edx,

//mov ebx,sav_ebx

//mov esp,sav_esp

//mov ebp,sav_ebp

//mov esi,sav_esi

//mov edi,sav_edi



mov eip,x_addr           //point EIP back at the patched instruction

cmp end_addr,start_addr

je fine                  //last call of the range processed

add start_addr,8         //hard-coded stride of 8 bytes between consecutive calls to analyse
//NOTE(review): the loop only stops on exact equality, so an end address not reachable from the start in steps of 8 never reaches fine

mov x_addr,start_addr

mov data_sect,save_data  //rewind the .data scan cursor for the next call

jmp start_proc

fine:

ret                      //normal end of the script



exit:

//common error exit: cancelled prompt, failed GPA lookup, unsupported character or no matching slot

MSG "Error" 

ret