[求助]求Ricostruire_IAT_utilizzo_IAT脚本-付费问答-看雪-安全社区|安全招聘|kanxue.com

最新回复 (2)
linhanshi 雪币： 107455 活跃值： (202504) 能力值： (RANK：10 ) 在线值：发帖 9316 回帖 28046 粉丝 488 关注私信	linhanshi 2 楼 Ricostruire_IAT_utilizzo_IAT // ----------- ExeCryptor 2.2.50 - for VC++ IAT ------------------ var oep var thunk var pointer var ref_esp var temp mov oep,eip mov thunk,0040A000 // INDIRIZZO IAT RICERCARE CON FF 25 VEDI JUMP [00406A00] ETC. LABEL_01: //Examne thunks label. cmp thunk,0040B000 //Is it end of IAT? Then finish. je END_01 cmp [thunk],0 //Is thunk empty? Then go to next. add thunk,4 je LABEL_01 sub thunk,4 cmp [thunk],10000000 //Does thunk holds API? Go to next again. add thunk,4 ja LABEL_01 sub thunk,4 //Thunk holds redirected import. mov pointer,[thunk] mov eip,pointer mov ref_esp,esp //Stack reference (start ESP value). mov temp,0 LABEL_02: //Trace untill return ESP value is decrypted. sti add temp,1 cmp temp,30 //Trace first 30 opcodes. jne LABEL_02 mov temp,esp LABEL_03: //Find referenced stack value. add temp,4 cmp temp,ref_esp jne LABEL_03 sub temp,4 mov temp,[temp] //Get "Magic return address". bp temp esto bc eip cmp eax,10000000 //Is EAX<10000000 (EAX<IMPORT) ? add thunk,4 jb LABEL_01 //Then it is self-fixed import. sub thunk,4 //If not self-fix, fix it! mov [thunk],eax add thunk,4 jmp LABEL_01 END_01: mov eip,oep //Restore OEP. ret //------------------------ End of script ------------------------------ 2008-8-24 07:25 0
聆听海声雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 23 粉丝 0 关注私信	聆听海声 3 楼谢谢老大,你辛苦啦! 2008-8-24 08:52 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (2)

linhanshi

雪币： 107455

活跃值： (202504)

能力值：

(RANK：10 )

在线值：

发帖

9316

回帖

28046

粉丝

488

关注

私信

linhanshi: 2 楼

Ricostruire_IAT_utilizzo_IAT

// ----------- ExeCryptor 2.2.50 - for VC++ IAT ------------------
var oep
var thunk
var pointer
var ref_esp
var temp

mov oep,eip
mov thunk,0040A000      // INDIRIZZO IAT RICERCARE CON FF 25 VEDI JUMP [00406A00] ETC.

LABEL_01:                //Examne thunks label.
 cmp thunk,0040B000      //Is it end of IAT? Then finish.
je END_01
 cmp [thunk],0           //Is thunk empty? Then go to next.
 add thunk,4
je LABEL_01
 sub thunk,4
 cmp [thunk],10000000    //Does thunk holds API? Go to next again.
 add thunk,4
ja LABEL_01
 sub thunk,4             //Thunk holds redirected import.
 mov pointer,[thunk]
 
 mov eip,pointer
 mov ref_esp,esp         //Stack reference (start ESP value).
 mov temp,0
 LABEL_02:               //Trace untill return ESP value is decrypted.
  sti
  add temp,1
  cmp temp,30            //Trace first 30 opcodes.
 jne LABEL_02

 mov temp,esp
 LABEL_03:              //Find referenced stack value.
  add temp,4
  cmp temp,ref_esp
 jne LABEL_03
  sub temp,4

 mov temp,[temp]        //Get "Magic return address".
 bp temp
 esto
 bc eip

 cmp eax,10000000       //Is EAX<10000000 (EAX<IMPORT) ?
 add thunk,4
jb LABEL_01             //Then it is self-fixed import.

 sub thunk,4            //If not self-fix, fix it!
 mov [thunk],eax
 add thunk,4

jmp LABEL_01

END_01:
mov eip,oep        //Restore OEP.
ret
//------------------------ End of script ------------------------------

2008-8-24 07:25