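//copyright by Pnluck 20005 pnluck@virgilio.it
//if u use this script for write a tutorial, u can put me in thankses :D
//i must to thanks MaRKuS-DJM and KaGra for their info at http://forum.exetools.com/showthread.php?t=7545
//
// OllyScript.  Walks a range of redirected call sites (one every 8 bytes, as
// the loop at the bottom assumes) and, for each one:
//   1. sets eip to the call site and runs until a breakpoint placed at a fixed
//      offset inside LoadLibraryA is hit;
//   2. at that breakpoint, converts the NUL-terminated strings pointed to by
//      eax (library name) and edi (API name) from raw bytes to text;
//   3. resolves the API with GPA, searches the .data section for a dword slot
//      holding that address, and patches the call site into
//      "jmp dword ptr [slot]".
// Inputs are asked interactively; any "0" answer or lookup failure jumps to
// the shared "exit" label, which shows "Error" and stops.
// Fix vs. the original: "start_addr" was used without a "var" declaration, and
// the per-site loop only stopped on an exact end address (an end address that
// is not start + 8*n ran forever); it now stops as soon as start >= end.

var x_addr          // current call site being rebuilt
var x_LoadLib       // address of the breakpoint inside LoadLibraryA
var x_AddrApi
var data_sect       // cursor while scanning the .data section
var end_data        // one past the last dword of the .data section
var x_eax           // pointer into the string currently being converted
var go              // 1 = converting [eax] (library), 2 = converting [edi] (API)
var xvar            // scratch: current byte / current .data dword
var str             // string being built, one character per pass
var x               // scratch: current character / resolved API address
var str_eax         // converted library name
var str_edi         // converted API name
var save_data       // start of the .data section (reset for each call site)
var end_addr        // last call site to process
var start_addr      // call-site cursor (was never declared in the original)
var sav_eax
var sav_ecx
var sav_edx
var sav_ebx
var sav_esp
var sav_ebp
var sav_esi
var sav_edi

// Register save/restore was left disabled by the author; kept for reference.
//mov sav_eax,eax
//mov sav_ecx,ecx
//mov sav_edx,edx
//mov sav_ebx,ebx
//mov sav_esp,esp
//mov sav_ebp,ebp
//mov sav_esi,esi
//mov sav_edi,edi

// Ask for the .data section (address + size); 0 aborts.
ask "Enter the address of data section."
cmp $RESULT,0
je exit
mov data_sect,$RESULT
mov save_data,$RESULT
mov end_data,$RESULT
ask "Enter the size of data section."
cmp $RESULT,0
je exit
add end_data,$RESULT

// Ask for the range of call sites to analyze; 0 aborts.
ask "Enter the start address of calls to analize:"
cmp $RESULT,0
je exit
mov x_addr,$RESULT
mov start_addr,x_addr
ask "Enter the end address of calls to analize:"
cmp $RESULT,0
je exit
mov end_addr,$RESULT

// ---- per call site -------------------------------------------------------
start_proc:
        mov     eip,x_addr
        GPA     "LoadLibraryA","kernel32.dll"
        cmp     $RESULT,0
        je      exit
        mov     x_LoadLib,$RESULT
        // NOTE(review): hard-coded +0xb offset into LoadLibraryA (the author's
        // comment says it lands on a "je" there). This is specific to the
        // kernel32 build the script was written against - confirm on the
        // target before relying on it.
        add     x_LoadLib,b
        bp      x_LoadLib               // breakpoint on the je in LoadLibraryA
        run
        bc      x_LoadLib
        // At the breakpoint: convert [eax] first, then [edi] (see ana_edi).
        mov     x_eax,eax
        mov     str,""
        mov     go,1

// ---- raw bytes -> text ----------------------------------------------------
// Reads one byte at a time from [x_eax] and appends the matching character to
// "str". Stops at a NUL byte. Accepted bytes: '.', '0'-'9', 'A'-'Z', 'a'-'z';
// any other byte (e.g. '_') jumps to exit with the error message.
analize:
        mov     xvar,[x_eax]
        // isolate the low byte of the dword: shift the upper 24 bits out,
        // then shift back down
        shl     xvar,8
        shl     xvar,8
        shl     xvar,8
        shr     xvar,8
        shr     xvar,8
        shr     xvar,8
        cmp     xvar,0
        je      fin_an
        cmp     xvar,2e
        jne     prox_0
        mov     x,"."
        jmp     add
prox_0:
        cmp     xvar,30
        jne     prox_1
        mov     x,"0"
        jmp     add
prox_1:
        cmp     xvar,31
        jne     prox_2
        mov     x,"1"
        jmp     add
prox_2:
        cmp     xvar,32
        jne     prox_3
        mov     x,"2"
        jmp     add
prox_3:
        cmp     xvar,33
        jne     prox_4
        mov     x,"3"
        jmp     add
prox_4:
        cmp     xvar,34
        jne     prox_5
        mov     x,"4"
        jmp     add
prox_5:
        cmp     xvar,35
        jne     prox_6
        mov     x,"5"
        jmp     add
prox_6:
        cmp     xvar,36
        jne     prox_7
        mov     x,"6"
        jmp     add
prox_7:
        cmp     xvar,37
        jne     prox_8
        mov     x,"7"
        jmp     add
prox_8:
        cmp     xvar,38
        jne     prox_9
        mov     x,"8"
        jmp     add
prox_9:
        cmp     xvar,39
        jne     prox_A
        mov     x,"9"
        jmp     add
prox_A:
        cmp     xvar,41
        jne     prox_B
        mov     x,"A"
        jmp     add
prox_B:
        cmp     xvar,42
        jne     prox_C
        mov     x,"B"
        jmp     add
prox_C:
        cmp     xvar,43
        jne     prox_D
        mov     x,"C"
        jmp     add
prox_D:
        cmp     xvar,44
        jne     prox_E
        mov     x,"D"
        jmp     add
prox_E:
        cmp     xvar,45
        jne     prox_F
        mov     x,"E"
        jmp     add
prox_F:
        cmp     xvar,46
        jne     prox_G
        mov     x,"F"
        jmp     add
prox_G:
        cmp     xvar,47
        jne     prox_H
        mov     x,"G"
        jmp     add
prox_H:
        cmp     xvar,48
        jne     prox_I
        mov     x,"H"
        jmp     add
prox_I:
        cmp     xvar,49
        jne     prox_J
        mov     x,"I"
        jmp     add
prox_J:
        cmp     xvar,4A
        jne     prox_K
        mov     x,"J"
        jmp     add
prox_K:
        cmp     xvar,4B
        jne     prox_L
        mov     x,"K"
        jmp     add
prox_L:
        cmp     xvar,4C
        jne     prox_M
        mov     x,"L"
        jmp     add
prox_M:
        cmp     xvar,4D
        jne     prox_N
        mov     x,"M"
        jmp     add
prox_N:
        cmp     xvar,4E
        jne     prox_O
        mov     x,"N"
        jmp     add
prox_O:
        cmp     xvar,4F
        jne     prox_P
        mov     x,"O"
        jmp     add
prox_P:
        cmp     xvar,50
        jne     prox_Q
        mov     x,"P"
        jmp     add
prox_Q:
        cmp     xvar,51
        jne     prox_R
        mov     x,"Q"
        jmp     add
prox_R:
        cmp     xvar,52
        jne     prox_S
        mov     x,"R"
        jmp     add
prox_S:
        cmp     xvar,53
        jne     prox_T
        mov     x,"S"
        jmp     add
prox_T:
        cmp     xvar,54
        jne     prox_U
        mov     x,"T"
        jmp     add
prox_U:
        cmp     xvar,55
        jne     prox_V
        mov     x,"U"
        jmp     add
prox_V:
        cmp     xvar,56
        jne     prox_W
        mov     x,"V"
        jmp     add
prox_W:
        cmp     xvar,57
        jne     prox_X
        mov     x,"W"
        jmp     add
prox_X:
        cmp     xvar,58
        jne     prox_Y
        mov     x,"X"
        jmp     add
prox_Y:
        cmp     xvar,59
        jne     prox_Z
        mov     x,"Y"
        jmp     add
prox_Z:
        cmp     xvar,5A
        jne     prox_a
        mov     x,"Z"
        jmp     add
prox_a:
        cmp     xvar,61
        jne     prox_b
        mov     x,"a"
        jmp     add
prox_b:
        cmp     xvar,62
        jne     prox_c
        mov     x,"b"
        jmp     add
prox_c:
        cmp     xvar,63
        jne     prox_d
        mov     x,"c"
        jmp     add
prox_d:
        cmp     xvar,64
        jne     prox_e
        mov     x,"d"
        jmp     add
prox_e:
        cmp     xvar,65
        jne     prox_f
        mov     x,"e"
        jmp     add
prox_f:
        cmp     xvar,66
        jne     prox_g
        mov     x,"f"
        jmp     add
prox_g:
        cmp     xvar,67
        jne     prox_h
        mov     x,"g"
        jmp     add
prox_h:
        cmp     xvar,68
        jne     prox_i
        mov     x,"h"
        jmp     add
prox_i:
        cmp     xvar,69
        jne     prox_j
        mov     x,"i"
        jmp     add
prox_j:
        cmp     xvar,6A
        jne     prox_k
        mov     x,"j"
        jmp     add
prox_k:
        cmp     xvar,6B
        jne     prox_l
        mov     x,"k"
        jmp     add
prox_l:
        cmp     xvar,6C
        jne     prox_m
        mov     x,"l"
        jmp     add
prox_m:
        cmp     xvar,6D
        jne     prox_n
        mov     x,"m"
        jmp     add
prox_n:
        cmp     xvar,6E
        jne     prox_o
        mov     x,"n"
        jmp     add
prox_o:
        cmp     xvar,6F
        jne     prox_p
        mov     x,"o"
        jmp     add
prox_p:
        cmp     xvar,70
        jne     prox_q
        mov     x,"p"
        jmp     add
prox_q:
        cmp     xvar,71
        jne     prox_r
        mov     x,"q"
        jmp     add
prox_r:
        cmp     xvar,72
        jne     prox_s
        mov     x,"r"
        jmp     add
prox_s:
        cmp     xvar,73
        jne     prox_t
        mov     x,"s"
        jmp     add
prox_t:
        cmp     xvar,74
        jne     prox_u
        mov     x,"t"
        jmp     add
prox_u:
        cmp     xvar,75
        jne     prox_v
        mov     x,"u"
        jmp     add
prox_v:
        cmp     xvar,76
        jne     prox_w
        mov     x,"v"
        jmp     add
prox_w:
        cmp     xvar,77
        jne     prox_x
        mov     x,"w"
        jmp     add
prox_x:
        cmp     xvar,78
        jne     prox_y
        mov     x,"x"
        jmp     add
prox_y:
        cmp     xvar,79
        jne     prox_z
        mov     x,"y"
        jmp     add
prox_z:
        cmp     xvar,7A
        jne     exit                    // unsupported byte -> "Error"
        mov     x,"z"
        jmp     add

// Append the decoded character and advance to the next byte.
add:
        eval    "{str}{x}"
        mov     str,$RESULT
        inc     x_eax
        jmp     analize

// NUL reached: first pass (go=1) saves the library name and restarts on edi;
// second pass falls through to the lookup.
fin_an:
        cmp     go,1
        je      ana_edi
        jne     fin_str_cov
ana_edi:
        mov     str_eax,str
        mov     str,""
        mov     x_eax,edi
        inc     go
        jmp     analize
// ---- end raw bytes -> text -----------------------------------------------

// Resolve the API: GPA takes (procedure, library), so edi held the API name
// and eax the library name. Failure (0) aborts.
fin_str_cov:
        mov     str_edi,str
        GPA     str_edi,str_eax
        cmp     $RESULT,0
        je      exit
        mov     x,$RESULT

// Scan the .data section dword by dword for a slot equal to the API address.
// Reaching end_data without a match aborts.
start_trovo:
        mov     xvar,[data_sect]
        cmp     x,xvar
        je      trovato
        add     data_sect,4
        cmp     data_sect,end_data
        je      exit
        jmp     start_trovo

// Slot found: patch the call site to jump through it, then move to the next
// call site (8 bytes further) or finish.
trovato:
        eval    "jmp dword ptr [{data_sect}]"
        asm     x_addr,$RESULT
        //mov eax,sav_eax
        //mov ecx,sav_ecx
        //mov edx,sav_edx
        //mov ebx,sav_ebx
        //mov esp,sav_esp
        //mov ebp,sav_ebp
        //mov esi,sav_esi
        //mov edi,sav_edi
        mov     eip,x_addr
        // stop once the cursor reaches or passes the end address (the original
        // only tested for equality and could run past end_addr forever)
        cmp     start_addr,end_addr
        jae     fine
        add     start_addr,8
        mov     x_addr,start_addr
        mov     data_sect,save_data     // rescan .data from its start
        jmp     start_proc

fine:
        ret

exit:
        MSG     "Error"
        ret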