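// Unpacking helper (OllyScript / ODbgScript): runs the packed target straight
// to its OEP while (1) redirecting the packer's IAT rebuild to an address we
// choose and neutralising its "magicjump", and (2) redirecting the packer's
// anti-dump ("split code") VirtualAlloc to a low, pre-committed address so
// that region lands inside the range we later dump.
//
// Assumptions the script does NOT check - confirm before running:
//  * Every address below is build- and run-specific. The 00DCxxxx/00DExxxx
//    ones live inside memory the packer VirtualAllocs at startup, so they are
//    only stable if that allocation is deterministic on your machine; re-derive
//    them for every new build (the listings in the block comments are what
//    these values were taken from).
//  * NewIatHead and NewSplitCodeHead must already be committed, writable
//    memory inside the image range you intend to dump; nothing here allocates
//    or validates them, and a wrong value silently corrupts the debuggee.
//  * x86 provides four hardware breakpoints. The script uses exactly four
//    during the IAT/anti-dump phase and releases them all before arming the
//    OEP breakpoint; do not enable a fifth (e.g. the commented-out one) without
//    clearing another first, or the bphws will fail.
//  * The target executes up to OEP under the debugger. Treat unknown packed
//    samples as hostile and run this inside an isolated VM.
//
// Notes on fixes relative to the original listing: the `mov !ZF, 1` and one
// `//` comment had lost their separator (both would be "unknown command"),
// and bphws/msg string operands are now quoted consistently with the
// VirtualAlloc breakpoint, which is the documented form.

var NewIatHead          // address the packer will use as the base of the rebuilt IAT (user supplied)
var NewSplitCodeHead    // address handed to the packer instead of its anti-dump VirtualAlloc result (user supplied)
var SetIatHead          // packer code: the MOV ECX,[EBP-1910] that loads the IAT base
var SetSplitCodeHead    // packer code: instruction right after the anti-dump VirtualAlloc call
var IatOver             // packer code reached once every DLL's imports have been processed
var MagicJmp            // the conditional jump whose ZF decides how an import entry is written
var OEP                 // original entry point
var bSplitCodeOver      // 1 once _SetSplitCodeHead has run
var bIatOver            // 1 once _IATOver has run
var pTempAddr           // scratch: address of the stack slot we overwrite
var VirtualAlloc        // resolved kernel32!VirtualAlloc

// ---- Target-specific values: fill these in for every new build ----
mov NewIatHead, 5CA000
mov NewSplitCodeHead, 674000
mov MagicJmp, 00DC973B
mov SetIatHead, 00DE453B
mov IatOver, 00DE498E
mov SetSplitCodeHead, 00DE2653
mov OEP, 004E8850

// ---- State ----
mov bIatOver, 0
mov bSplitCodeOver, 0

// ---- Phase 1: let the packer allocate its working memory ----
// Break on the first VirtualAlloc call, then free the slot again; the packer
// code addressed above only exists in memory after this point.
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
bphws VirtualAlloc, "x"
run
bphwc VirtualAlloc

// ---- Phase 2: arm the four hardware breakpoints inside the packer ----
bphws MagicJmp, "x"              // the "magicjump"
//bphws 00994704, "x"            // (disabled) breakpoint where memory is read in - would be a 5th HW slot
bphws SetIatHead, "x"            // where the packer stores the IAT base
bphws IatOver, "x"               // all DLLs processed
bphws SetSplitCodeHead, "x"      // just after the anti-dump VirtualAlloc; eax is patched here

eoe _Exception
eob _Break
run

// Exceptions are the packer's own: hand them to its handler.
_Exception:
esto

// Dispatch on which of our breakpoints fired. Execution also falls through
// here from _Exception if the debuggee stopped for some other reason; then no
// compare matches and _InvalidBreak reports it.
_Break:
cmp eip, SetIatHead
je _SetIatHead
cmp eip, MagicJmp
je _MagicJmp
cmp eip, IatOver
je _IATOver
cmp eip, SetSplitCodeHead
je _SetSplitCodeHead
jmp _InvalidBreak

/*
  Packer code at SetIatHead (bytes decoded from the listing this script was
  written against):
  00DE453B  8B8D F0E6FFFF     MOV ECX, DWORD PTR SS:[EBP-1910]   ; IAT base
  00DE4541  8D0481            LEA EAX, DWORD PTR DS:[ECX+EAX*4]
  00DE4544  8985 1CE8FFFF     MOV DWORD PTR SS:[EBP-17E4], EAX   ; current IAT slot pointer
*/
// Overwrite the IAT base the packer is about to load with our own address.
_SetIatHead:
mov pTempAddr, ebp
sub pTempAddr, 1910              // the [EBP-1910] slot shown in the listing above
mov [pTempAddr], NewIatHead      // from here on the packer builds its IAT at NewIatHead
log NewIatHead
bphwc SetIatHead                 // one-shot; frees the slot
run

// The magicjump fires once per import. Forcing ZF=1 makes the packer take the
// branch that leaves the original API address in the table (per the original
// author's note). The breakpoint is deliberately left armed until _IATOver.
_MagicJmp:
mov !ZF, 1
run

// Every DLL processed: release both IAT-phase breakpoints.
_IATOver:
bphwc MagicJmp
bphwc IatOver
mov bIatOver, 1
cmp bSplitCodeOver, 1
je _FixOver
run

/*
  Packer code around SetSplitCodeHead:
  00DE263A  6A 40             PUSH 40                            ; flProtect = PAGE_EXECUTE_READWRITE
  00DE263C  68 00100000       PUSH 1000                          ; flAllocationType = MEM_COMMIT
  00DE2641  FFB5 70E6FFFF     PUSH DWORD PTR SS:[EBP-1990]       ; dwSize
  00DE2647  FF35 3092DF00     PUSH DWORD PTR DS:[DF9230]         ; lpAddress
  00DE264D  FF15 A0B1DE00     CALL DWORD PTR DS:[DEB1A0]         ; kernel32.VirtualAlloc
  00DE2653  8985 78E6FFFF     MOV DWORD PTR SS:[EBP-1988], EAX   ; anti-dump region base
  00DE2659  83BD 78E6FFFF 00  CMP DWORD PTR SS:[EBP-1988], 0
  00DE2660  74 0B             JE SHORT 00DE266D
*/
// The packer has just returned from VirtualAlloc with its anti-dump region in
// eax. Substitute our own low, already-committed address so the region the
// packer fills ends up inside the dump; the real allocation is simply left
// unused. The packer's null check right after still passes.
_SetSplitCodeHead:
mov eax, NewSplitCodeHead
mov bSplitCodeOver, 1
bphwc SetSplitCodeHead
cmp bIatOver, 1
je _FixOver
run

// A stop we did not arm: log where we are and stop the script.
_InvalidBreak:
log eip
msg "Invalid Break"
ret

// Both patches applied and all four hardware slots free again: run to OEP.
_FixOver:
eoe _Continue
eob _End
bphws OEP, "x"
run

_Continue:
esto

// Only claim success if eip really is OEP: a user pause or a foreign
// breakpoint also arrives here (via eob or by falling through _Continue).
_End:
bphwc OEP
cmp eip, OEP
jne _InvalidBreak
msg "Success!"
ret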

 

