//copyright by Pnluck 20005 pnluck@virgilio.it
//if u use this script for write a tutorial, u can put me in thankses :D
//i must to thanks MaRKuS-DJM and KaGra for their info at http://forum.exetools.com/showthread.php?t=7545
//
// OllyScript (OllyDbg script plugin) helper for IAT repair. What the
// visible part does:
//   1. asks for the address and size of the section that holds the IAT,
//   2. scans that section forward and backward for the first / last
//      dword that `gn` can resolve to a name, zeroing every non-zero
//      dword it cannot name on the way,
//   3. zeroes every unnamed dword between those two bounds,
//   4. asks for the address of a call to analyze, moves EIP there and
//      breaks at a fixed offset inside kernel32!LoadLibraryA.
// The script continues past this chunk: the `exit` label and the
// register checks announced by the last comment are not visible here.
//
// NOTE(review): every `mov [addr],0` below writes into the debuggee's
// memory; run this against a copy of the target, never a live process.
var x_addr //original addr (the call the user asked to analyze)
var x_LoadLib //addr of LoadLibraryA, plus a fixed offset after the add below
var x_AddrApi //not used in the visible part
var data_sect //first dword past the IAT end
var x_eax //not used in the visible part
var go //not used in the visible part
var xvar //section start, as entered by the user
var str //section size, as entered by the user
var x //dword read from the section during the scans
var str_eax //not used in the visible part
var str_edi //not used in the visible part
var confronta //not used in the visible part
var iat_section //scan cursor
var save_dll //not used in the visible part
var save_iats //IAT start (first dword gn could name)
var save_iate //IAT end (last dword gn could name)
//ask for the addr of the section holding the IAT; 0 / cancel -> exit
ask "Enter the address of section where is the IAT:"
cmp $RESULT,0
je exit
mov iat_section,$RESULT
mov xvar,$RESULT
ask "Enter the size of same section: "
cmp $RESULT,0
je exit
mov str,$RESULT
//find the start of iat: walk forward from the section start until a
//dword resolves to a name; non-zero dwords that do not resolve are zeroed.
//NOTE(review): iat_section is never compared against xvar+str, so if no
//dword in the section resolves the loop keeps reading (and zeroing) past
//the section end. A `cmp iat_section,<start+size>` / `jae exit` after
//the `add` would bound it.
inizio:
mov x,[iat_section]
cmp x,0
je do_jmp
gn x //a non-empty $RESULT_1 is taken to mean "x points at a named API"
cmp $RESULT_1,0
jne trovato1
mov [iat_section],0 //unresolvable non-zero dword: wiped in debuggee memory
do_jmp:
add iat_section,4
jmp inizio
trovato1:
mov save_iats,iat_section
eval "The iat start at {iat_section}"
MSG $RESULT
//find the end of iat: walk backward from section start + size.
//NOTE(review): same unbounded scan in the other direction — the cursor
//is never compared against xvar and can walk below the section start.
mov iat_section,str
add iat_section,xvar
inizio1:
mov x,[iat_section]
cmp x,0
je do_jmp1
gn x
cmp $RESULT_1,0
jne pre_start
mov [iat_section],0
do_jmp1:
sub iat_section,4
jmp inizio1
pre_start:
mov save_iate,iat_section
add iat_section,4
mov data_sect,iat_section //first dword past the IAT
//now erase the wrong addrs from the IAT: zero every dword between
//save_iats and save_iate (inclusive) that gn cannot name.
//NOTE(review): save_iats is advanced in place, so after this loop it
//equals save_iate rather than the start found above.
erase_garbage:
mov x,[save_iats]
gn x
cmp $RESULT_1,0
jne add_addr
mov [save_iats],0
add_addr:
cmp save_iats,save_iate
je start_proc
add save_iats,4
jmp erase_garbage
start_proc:
//ask which call to analyze; EIP is moved to the entered address with no
//check beyond "not 0" (e.g. that it lies inside the module's code).
ask "Enter the address of call to analize:"
cmp $RESULT,0
je exit
mov x_addr,$RESULT
mov eip,$RESULT
GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je exit
mov x_LoadLib,$RESULT
add x_LoadLib,b //hard-coded offset b (hex) into LoadLibraryA
bp x_LoadLib
//set bp at the je inside LoadLibraryA
//NOTE(review): the offset b depends on the exact kernel32.dll build the
//author used; on another Windows version it may not land on the intended
//instruction (or on an instruction boundary at all). Verify the
//disassembly of LoadLibraryA before relying on it.
run
bc x_LoadLib
//at the bp
//check according to the registers (continues past this chunk)