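// ODbgScript (OllyDbg) unpacker for a pushad/popad-style packer.
//
// Flow:
//   1. Single-step to the packer's PUSHAD, arm a hardware read breakpoint on the
//      saved-register frame (fires at the matching POPAD) and break on the
//      address it returns to: that is the OEP.
//   2. While running to the OEP, record every VirtualAlloc that directly follows
//      a CreateFileA: the packer maps private copies of DLLs there and resolves
//      imports through stubs inside those copies.
//   3. At the OEP, optionally rebuild the IAT: E8/E9 (call/jmp rel32) stubs in
//      the code section are rewritten to FF15/FF25 (call/jmp dword ptr [IAT]),
//      and stub addresses inside DLL copies are translated back to the real
//      module bases recorded in step 2.
//
// Conventions: every numeric literal is hexadecimal (ODbgScript default); the
// target is 32-bit. The hand-written patterns assume the IAT lives below
// 01000000 (high byte 00) and that the packer's stubs start with PUSHAD.
//
// SAFETY: this script *executes the packed sample* under the debugger (run, rtu,
// and it jumps eip into packer stubs). Use it only inside an isolated malware
// analysis VM, never on a host you care about.

var bp1               // scratch breakpoint address
var ip1               // opcode byte at eip while single-stepping
var mem               // base of the script-owned DLL-copy table (alloc 1000)
var memend            // highest table cursor at which a 0c-byte record plus a 0 sentinel still fits
var flag              // 1 = CreateFileA seen, so the next VirtualAlloc is a DLL copy
var pcreatefile       // kernel32!CreateFileA
var pvirtualalloc     // kernel32!VirtualAlloc
var pgetmodulehandle  // kernel32!GetModuleHandleA
var mempt             // cursor into the DLL-copy table
var tmp               // scratch
var cbase             // code section base (gmi CODEBASE)
var csize             // code section size (gmi CODESIZE)
var cend              // cbase + csize
var iats              // IAT start, user supplied
var iate              // IAT end (exclusive), user supplied
var oep               // recovered original entry point
var ptcode            // scan cursor over the code section
var ptiat             // scan cursor over the IAT
var dire              // address of a call in the code, then its computed target
var aux               // address of that call's displacement operand
var parche_15ff       // FF 15 : call dword ptr [imm32]
var parche_25ff       // FF 25 : jmp  dword ptr [imm32]
var one               // IAT value referenced by a direct FF15/FF25 in the code; repaired by hand in fixone
var dlls              // start of a recorded DLL copy
var dlle              // end of that copy (dlls + len)
var len               // size of the copy
var dllb              // base of the real module the copy mirrors
var vartmp            // address a stub leaves at [esp] after its POPAD
var section           // base of the packer's first VirtualAlloc; searched for its loop counter
var first             // 1 once the first VirtualAlloc has been captured

// ---- 1. locate the PUSHAD/POPAD frame and the OEP --------------------------

bphwcall
bpmc

gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
mov cend, cbase
add cend, csize

mov flag, 0
mov first, 0
mov one, 0            // explicit: loop3 compares IAT entries against it

alloc 1000
mov mem, $RESULT
mov mempt, mem
mov memend, mem
add memend, 0ff0      // 1000 - 0c (record) - 4 (terminating zero dword)

start:
sti
mov ip1, eip
mov ip1, [ip1]
and ip1, 0ff
cmp ip1, 60           // PUSHAD
jnz start

sto                   // step over the PUSHAD
mov bp1, esp          // esp now points at the saved-register frame
bphws bp1, "r"        // fires when POPAD reads it back

gpa "CreateFileA", "kernel32.dll"
mov pcreatefile, $RESULT
bphws pcreatefile, "x"
gpa "VirtualAlloc", "kernel32.dll"
mov pvirtualalloc, $RESULT
bphws pvirtualalloc, "x"
gpa "GetModuleHandleA", "kernel32.dll"
mov pgetmodulehandle, $RESULT

eob stop
run

stop:
cmp eip, pcreatefile
je createfile
cmp eip, pvirtualalloc
je virtualalloc
// Neither API: the POPAD read breakpoint fired. [esp] is where the packer
// transfers control next, i.e. the OEP.
bphwcall
bpmc
mov bp1, [esp]
bphws bp1, "x"
eob oep
run

createfile:
mov flag, 1           // the VirtualAlloc that follows receives a DLL copy
eob stop
run

virtualalloc:
cmp flag, 0
je goon
// Record (size, module base, allocation base) for the DLL copy being created.
cmp mempt, memend
ja tablefull
mov tmp, esp
add tmp, 8
mov tmp, [tmp]        // dwSize argument
mov [mempt], tmp
add mempt, 4
mov tmp, esp
add tmp, 0e0
mov tmp, [tmp]        // NOTE(review): author reads the real module base from [esp+0E0]; packer specific, confirm for your target
mov [mempt], tmp
add mempt, 4
rtu                   // return to the caller: eax = allocation base
mov tmp, eax
mov [mempt], tmp
add mempt, 4
mov flag, 0
eob stop
run

tablefull:
msg "DLL-copy table is full (alloc 1000); enlarge it and rerun the script"
bphwcall
bpmc
free mem
ret

goon:
// A VirtualAlloc not preceded by CreateFileA: only the first one matters, it
// is where the packer's own code (with its loop counter) is unpacked.
cmp first, 0
jnz aaa
rtu
mov section, eax
mov first, 1
aaa:
eob stop
run

// ---- 2. OEP reached --------------------------------------------------------

oep:
bphwcall
bpmc
cmt eip,"<---OEP"
MSGYN "OEP has been found, fix the IAT?"
cmp $RESULT, 0
jnz fix
free mem
ret

fix:
ask "put in the start of iat"
cmp $RESULT, 0
je badiat             // cancelled or zero
mov iats, $RESULT
ask "put in the end of iat"
cmp $RESULT, 0
je badiat
mov iate, $RESULT
cmp iats, iate
jae badiat            // the IAT walks below terminate only on ptiat == iate, so require iats < iate
mov oep, eip
mov parche_15ff, 15ff
mov parche_25ff, 25ff

mov ptcode, cbase
mov ptiat, iats

// ---- 3a. find one IAT slot already used by a direct FF15/FF25 in the code --
// Its current value is remembered in 'one' and that slot is not run as a stub
// later (fixone rewrites it by hand).

ff15:
cmp ptcode, cend
jz find2
find ptcode, #FF15??????00#
cmp $RESULT,0
jz find2
mov dire, $RESULT     // address of the call dword ptr [..]
mov aux, dire
add aux,2
mov dire, [aux]       // absolute IAT address it reads
cmp iats, dire
ja next15
cmp iate, dire
jb next15
mov one, [dire]
jmp step1

next15:
mov ptcode, aux
jmp ff15

find2:
mov ptcode, cbase
ff25:
cmp ptcode, cend
jz step1
find ptcode, #FF25??????00#
cmp $RESULT,0
jz step1
mov dire, $RESULT     // address of the jmp dword ptr [..]
mov aux, dire
add aux,2
mov dire, [aux]
cmp iats, dire
ja next25
cmp iate, dire
jb next25
mov one, [dire]
jmp step1

next25:
mov ptcode, aux
jmp ff25

// ---- 3b. E8 calls whose target is already an IAT value -> FF15 [slot] -------

step1:
mov ptcode, cbase
mov ptiat, iats

loop1:
cmp ptcode, cend
jz step2
find ptcode, #E8????0?0090#
cmp $RESULT,0
jz step2

mov dire, $RESULT     // address of the E8
mov aux, dire
add aux,1             // rel32 operand
add dire,[aux]
add dire,5            // target = call address + 5 + rel32

busco:
cmp ptiat, iate
je finiat
cmp [ptiat],dire
je parcheo
add ptiat,4
jmp busco

parcheo:
// E8 rel32 90 (6 bytes) becomes FF 15 <slot> (6 bytes).
sub aux,1
mov [aux], parche_15ff
add aux, 2
mov [aux], ptiat
mov ptiat, iats
mov ptcode, aux
jmp loop1

finiat:
log dire              // target not in the IAT; left for the stub passes below
mov ptiat, iats
inc aux
mov ptcode, aux
jmp loop1

// ---- 3c. E9 jmps whose target is already an IAT value -> FF25 [slot] --------

step2:
mov eip, oep
mov ptcode, cbase
mov ptiat, iats

loop2:
cmp ptcode, cend
jz step3
find ptcode, #E9????0?0090#
cmp $RESULT,0
jz step3

mov dire, $RESULT
mov aux, dire
add aux,1
add dire,[aux]
add dire,5

busco2:
cmp ptiat, iate
je finiat2
cmp [ptiat],dire
je parcheo2
add ptiat,4
jmp busco2

parcheo2:
sub aux,1
mov [aux], parche_25ff
add aux, 2
mov [aux], ptiat
mov ptiat, iats
mov ptcode, aux
jmp loop2

finiat2:
log dire
mov ptiat, iats
inc aux
mov ptcode, aux
jmp loop2

// ---- 3d. resolve IAT slots that point into packer stubs --------------------

step3:
mov eip, oep
mov ptcode, cbase
mov ptiat, iats
// Neutralise the packer's loop counter: cmp ecx, 1388 -> cmp ecx, 7fffffff.
// Guarded: without the check a failed find would write to address 2.
find section, #81f988130000#
cmp $RESULT, 0
je loop3
mov section, $RESULT
add section, 2
mov [section], 7fffffff

loop3:
cmp ptiat, iate
je fin
cmp [ptiat],0
je pasamos            // null separator/terminator; tested before 'one', which may itself be 0
cmp [ptiat], one
je fixone             // slot used directly by the code; repaired by hand
// Run the stub this slot points to until its PUSHAD. CAVEAT: if the slot
// already holds a real API address this single-steps into the API itself.
mov eip, [ptiat]
find60:
sti
mov ip1, eip
mov ip1, [ip1]
and ip1, 0ff
cmp ip1, 60
jnz find60
sti
mov tmp, esp
bphws tmp, "r"        // fires at the stub's POPAD
eob corre
run

corre:
bphwc tmp
mov vartmp, [esp]     // address the stub resolved, inside one of the DLL copies
mov mempt, mem

loop4:
cmp [mempt], 0
jz nomatch3           // end of table: no copy contains it (the original looped forever here)
mov tmp, mempt
add tmp, 4
mov dllb, [tmp]
add tmp, 4
mov len, [mempt]
mov dlls, [tmp]
mov dlle, dlls
add dlle, len
cmp dlls, vartmp
ja out
cmp dlle, vartmp
jb out
sub vartmp, dlls
add vartmp, dllb      // same offset inside the real module
mov [ptiat], vartmp
add esp, 4            // drop the value the stub left on the stack
add ptiat,4
jmp loop3

out:
add mempt, 0c
jmp loop4

nomatch3:
log ptiat
log vartmp            // unresolved slot: fix manually
add esp, 4
add ptiat,4
jmp loop3

pasamos:
add ptiat,4
jmp loop3

fixone:
mov [ptiat], pgetmodulehandle   // NOTE(review): author hard-codes GetModuleHandleA for this slot; confirm for your target
add ptiat,4
jmp loop3

// ---- 3e. remaining E8 calls into stubs -> FF15 [slot] -----------------------

fin:
mov eip,oep
mov ptcode, cbase
mov ptiat, iats

step4:
cmp ptcode, cend
je fin2

find ptcode, #E8????0?0090#
cmp $RESULT,0
je fin2

mov dire, $RESULT
mov aux, dire
mov eip, aux          // execute the call and its stub up to PUSHAD
find60_2:
sti
mov ip1, eip
mov ip1, [ip1]
and ip1, 0ff
cmp ip1, 60
jnz find60_2
sti
mov tmp, esp
bphws tmp, "r"
eob corre22
run

corre22:
bphwc tmp
mov vartmp, [esp]
mov mempt, mem

loop5:
cmp [mempt], 0
jz finiat22
mov tmp, mempt
add tmp, 4
mov dllb, [tmp]
add tmp, 4
mov len, [mempt]
mov dlls, [tmp]
mov dlle, dlls
add dlle, len
cmp dlls, vartmp
ja out2
cmp dlle, vartmp
jb out2
sub vartmp, dlls
add vartmp, dllb
mov ptiat, iats
jmp busco22

out2:
add mempt, 0c
jmp loop5

busco22:
cmp ptiat, iate
je finiat22
cmp [ptiat], vartmp
je parcheo22
add ptiat,4
jmp busco22

parcheo22:
mov [aux], parche_15ff
add aux, 2
mov [aux], ptiat
mov ptiat, iats
add aux,1

finiat22:             // was a second 'finiat2' label, colliding with the one in step2
mov ptcode, aux
add esp, 4
add ptcode, 1
jmp step4

// ---- 3f. remaining E9 jmps into stubs -> FF25 [slot] ------------------------

fin2:
mov eip,oep
mov ptcode, cbase
mov ptiat, iats

step5:
cmp ptcode, cend
je nomascall22

find ptcode, #E9????0?0090#
cmp $RESULT,0
je nomascall22

mov dire, $RESULT
mov aux, dire
mov eip, aux
find60_22:
sti
mov ip1, eip
mov ip1, [ip1]
and ip1, 0ff
cmp ip1, 60
jnz find60_22
sti
mov tmp, esp
bphws tmp, "r"
eob corre222
run

corre222:
bphwc tmp
mov vartmp, [esp]
mov mempt, mem

loop6:
cmp [mempt], 0
jz finiat3
mov tmp, mempt
add tmp, 4
mov dllb, [tmp]
add tmp, 4
mov len, [mempt]
mov dlls, [tmp]
mov dlle, dlls
add dlle, len
cmp dlls, vartmp
ja out3
cmp dlle, vartmp
jb out3
sub vartmp, dlls
add vartmp, dllb
mov ptiat, iats
jmp busco222

out3:
add mempt, 0c
jmp loop6

busco222:
cmp ptiat, iate
je finiat3            // was 'finiat2', which jumped back into the step4 loop
cmp [ptiat], vartmp
je parcheo222
add ptiat,4
jmp busco222

parcheo222:
mov [aux], parche_25ff
add aux, 2
mov [aux], ptiat
mov ptiat, iats
add aux,1

finiat3:
mov ptcode, aux
add esp, 4
add ptcode, 1
jmp step5

nomascall22:
mov eip,oep
free mem
ret

badiat:
msg "Invalid IAT range (cancelled, zero, or start >= end); nothing was patched"
free mem
ret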

