/////////////////////////////////////////////////////////////

// this script does a crucial job: it finds all the correct APIs corresponding 

// to the HIGHMEM calls. like i said before, the log-HIGHMEM-calls-BIN.txt 

// file will contain all the highmem call addresses, ready to be BINARY-PASTED 

// in olly (just a little fix needed as mentioned above) 

//

// to use this script, what you need to know is: 

//

// 1. where to binary paste all the values from log-HIGHMEM-calls-BIN.txt 

// 2. the address where the script should put hardware bp and log the eax values 

//

// the first job is easy; normally, with the targets I worked on, the ADATA section 

// contained all the places you need, filled with zeros. but you can choose any 

// non-destructive place to put them, as you want. just set the address in 

// the variable binary_paste in the script 

//

// the second job is a little tougher: you have to find the right address where to set the 

// hardware bp ... okay, follow the instructions 

//

// load the app 

// F9 once ... now you are in ASPR code 

//

// binary search for : 8945FCA1??????008B008B15??????008B1233028B15??????002B02 

// you will land in a place like this : 

//

// D73409 MOV DWORD PTR SS:[EBP-4],EAX 

// D7340C MOV EAX,DWORD PTR DS:[D77824] 

// D73411 MOV EAX,DWORD PTR DS:[EAX] 

// D73413 MOV EDX,DWORD PTR DS:[D77824] 

// D73419 MOV EDX,DWORD PTR DS:[EDX] 

// D7341B XOR EAX,DWORD PTR DS:[EDX] 

// D7341D MOV EDX,DWORD PTR DS:[D77680] 

// D73423 SUB EAX,DWORD PTR DS:[EDX] 

//

// so, D73409 will be addr_hwbp in the script 

/////////////////////////////////////////////////////////////

/*

********************

     nick_name

 TEAM RESSURRECTiON

********************

*/





/**/

/**/



// ODbgScript (OllyDbg script). Flow: DEFINE_BEFORE_EXECUTION holds the two
// addresses that change per target, SCRIPT_START opens the output files and
// asks for manual or automatic mode, then LOOP -> COMMON -> LOG redirect the
// debuggee to one call address at a time, run to the hardware breakpoint and
// record the value that is in eax there.
// Numeric literals in this script are hexadecimal (e.g. "add tmp,20" adds 32 bytes).
// NOTE(review): the header above names log-HIGHMEM-calls-BIN.txt, but the files
// actually written below are "log-RESOLVE calls.txt" and "log-RESOLVE calls-BIN.txt".
DEFINE_BEFORE_EXECUTION:



// Earlier values of addr_hwbp, apparently kept from other targets.
//mov addr_hwbp,00D950A7

//mov addr_hwbp,00EF4376

// binary_paste: start of the table of call addresses to process, one dword
// per entry. The automatic mode below stops at the first zero dword, so the
// table must be terminated by one.
mov binary_paste,491000

// addr_hwbp: address of the execution hardware breakpoint; eax is logged
// each time execution stops there.
mov addr_hwbp,00A850A7

												

/**/

/**/



SCRIPT_START:



// path1: readable log, one "<dword> :: <eax>=<symbol name>" line per call.
// path2: the same two dwords byte-reversed as hex text, for binary pasting.
mov path1,".\log-RESOLVE calls.txt"

mov path2,".\log-RESOLVE calls-BIN.txt"





// manual = 1: the user types each EIP in LBL.
// manual = 0: the script walks the table at binary_paste.
mov manual,0



msgyn "MANUAL process ??"

cmp $RESULT,1

jne ANALYZE_CALLS

mov manual,1



ANALYZE_CALLS:

	
		// clear the log window
		lc

		// execution ("x") hardware breakpoint at the address found per the header
		bphws addr_hwbp,"x"





LOOP:



		// Save the debuggee's registers and flags on the debuggee's own stack
		// (pushad/pushfd are executed inside the debuggee, not by the script),
		// and keep ebp/esp in script variables so the redirected run can be undone.
		exec

			pushad

			pushfd

		ende

		
		mov save_ebp,ebp

		mov save_esp,esp



		cmp manual,1

		je LBL

		// Automatic mode: redirect execution to the address stored in the current table slot.
		mov eip,[binary_paste]	

		// call_addr is set here and in LBL but not read anywhere else in this script.
		mov call_addr,[binary_paste]

		jmp COMMON





//.......................................[MANUAL PROCESS]		



LBL:

		// Ask for an EIP (hexadecimal). A single backtick ends the script;
		// a result of 0 asks again (presumably also the cancel case -- confirm).
		ask "set EIP :-"

		cmp $RESULT,"`"

		je END

		cmp $RESULT,0

		jbe LBL



		mov eip, $RESULT

		mov call_addr,$RESULT



//.......................................



COMMON:

		// Resume the debuggee; it is expected to stop at the hardware breakpoint.
		run

		// Any other stop (exception, another breakpoint) is treated as an error.
		cmp eip,addr_hwbp

		je LOG

		jmp ERR



LOG:

		// tmp2 = dword at [esp+20h] at the moment the breakpoint hits.
		// NOTE(review): which stack slot this is (return address, original call
		// site, ...) depends on what the target executes between the call and
		// addr_hwbp -- confirm per target; the header only shows the breakpoint.
		mov tmp, esp

		add tmp,20

		mov tmp2,[tmp]

		// $RESULT = symbol name for the address in eax, if OllyDbg knows one
		gn eax

		eval "{tmp2} :: {eax}={$RESULT}"

		log $RESULT, ""

		wrta path1, $RESULT

		wrta path1, "\r\n"



		// Second file: tmp2 and eax with byte order reversed (little-endian
		// layout as it would appear in memory), separated by a space.
		rev tmp2

		
		wrta path2, $RESULT

		wrta path2, " "



		mov tmp_eax, eax

		rev tmp_eax

		
		wrta path2, $RESULT

		wrta path2, "\r\n"

		
		// Advance to the next table slot (also happens in manual mode, where it is unused).
		add binary_paste,4

		
		// Undo the redirected run: restore ebp/esp, then pop the flags and
		// registers saved at LOOP.
		mov ebp,save_ebp

		mov esp,save_esp

		
		exec

			popfd

			popad

		ende



		cmp manual,1

		je LOOP	//................................jump back for another input [MANUAL]

				
		// Automatic mode: continue while the current table slot is non-zero.
		// Nothing else bounds this walk, so the table must end with a zero dword.
		cmp [binary_paste],00000000

		jne LOOP //...............................jump while the binary_paste table still has inputs [AUTOMATIC]

		
		jmp END



ERR:

		// Execution did not stop at addr_hwbp. Report the current table slot,
		// restore the saved state and fall through to END; no further entries
		// are processed. In manual mode tempo is the table slot, not the EIP
		// the user typed.
		mov tempo,[binary_paste]

		log tempo

		// (runtime string left as written, including the "does'nt" typo)
		eval "{tempo} : EIP does'nt match with HWBP-EIP"

		msg $RESULT

		
		mov ebp, save_ebp

		mov esp, save_esp

		exec

			popfd

			popad

		ende



END:

		// Remove the hardware breakpoint before the script ends.
		bphwc addr_hwbp

		// End of script.
		ret



