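//copyright by Pnluck 2005 pnluck@virgilio.it
//if u use this script for write a tutorial, u can put me in thankses :D
//i must to thanks MaRKuS-DJM and KaGra for their info at http://forum.exetools.com/showthread.php?t=7545
//modified and optimized by D3XT3R for the recursive capabilities
//
//This script will ONLY run on ODBGScript v1.41 or higher. If you try to use this with any other plugin or a lower version DO NOT
//expect me to give you any support what so ever.
//
//Purpose: repair import calls that a protector redirected to one stub (the
//"AIP call destination"). Every E8 call in the code section whose target is
//that stub is executed once up to a breakpoint placed inside LoadLibraryA;
//at that breakpoint the stub is expected to hold a DLL-name pointer in eax
//and an API-name pointer in edi (assumption inherited from the original
//script - verify it against the protector at hand). The address returned by
//GetProcAddress is stored in an IAT slot and the call is rewritten as
//"jmp/call dword ptr [slot]".
//
//Two modes:
//  - IAT corrupt:  the IAT is rebuilt in place - unresolvable dwords are
//                  zeroed and new slots are appended after the last valid one.
//  - IAT intact:   the resolved address is looked up in the existing data
//                  section and the call is pointed at that slot.
//
//CAVEATS (read before running on anything you care about):
//  - The script WRITES into the debuggee: it zeroes dwords in the IAT window
//    and patches code. Work on a copy of the target.
//  - The patched instruction (FF 25 / FF 15 + addr) is 6 bytes; the E8 call is
//    5 bytes, so the byte following each call is overwritten. This is only
//    safe when that byte is padding left by the protector.
//  - The breakpoint is placed at LoadLibraryA+0B ("the je inside
//    LoadLibraryA" in the original). That offset depends on the kernel32
//    build; on another build it may land mid-instruction - confirm first.
//  - If a stub never reaches LoadLibraryA, "run" does not return to the
//    script until something else stops the debuggee.
//  - All numeric literals are hex (ODbgScript default), e.g. 1500 = 0x1500.
//
//Changes in this revision:
//  - "fin_an"/"fin_an_std" were jumped to but never defined (script error);
//    they now exist and report the empty-name case.
//  - GPA result in the corrupt-IAT path was unchecked: a failed lookup wrote
//    0 into the IAT and patched the call to it. It is now reported.
//  - The corrupt-IAT path ignored the "CALL to CALL" answer and always
//    emitted jmp; it now honours Call_Jump like the intact-IAT path.
//  - The IAT start/end scans are bounded to the scan window so a wrong
//    section address cannot zero memory indefinitely.
//  - The data-section scan in the intact-IAT path used an equality test on
//    the end address; it now uses >= so a misaligned size cannot run past it.
//  - Calls found beyond the "last call" address are no longer processed.
//  - LoadLibraryA is resolved once instead of once per call.
//  - Call_Jump is cleared on every reset so a changed answer is respected.
//  - Unused variables (sav_*, go, str_eax, str_edi, confronta, x_AddrApi,
//    $STD) were removed.

var x_addr           //address of the call currently being repaired
var x_LoadLib        //LoadLibraryA + 0B, where the breakpoint is placed
var data_sect        //slot pointer inside the IAT / data section
var end_data         //end of the data section (intact-IAT mode)
var x_eax            //eax at the breakpoint (DLL-name pointer, see header)
var xvar             //scratch; in corrupt-IAT mode also the IAT section start
var str              //size of the window scanned for IAT entries (hex)
var scan_end         //xvar + str, last address of the scan window
var x                //scratch; resolved API address
var save_data        //start of the data section (intact-IAT mode)
var iat_section      //cursor while scanning the IAT window
var save_dll         //first dword of the previous DLL name (change detection)
var OEP              //eip at script start, restored on normal exit
var save_iats        //first valid IAT entry found
var save_iate        //last valid IAT entry found
var prevcall         //search cursor for E8 calls (corrupt-IAT mode)
var calldest         //absolute target of the E8 call under examination
var checkadd         //address of the rel32 of that call
var endadd           //stub address all redirected calls point to
var fincall          //address of the last call to repair
var Call_Jump        //0 -> patch as "jmp dword ptr", 1 -> "call dword ptr"

reset:
    mov OEP,eip
    mov Call_Jump,0                         //cleared so a repeated reset cannot keep a stale answer
    msgyn "Is the IAT of this PE corrupt?"
    cmp $RESULT,0
    je start_std
    gmi eip,CODEBASE
    mov prevcall,$RESULT
    ask "Enter the address of section where is the IAT:"
    mov iat_section,$RESULT
    mov xvar,$RESULT
    mov str,1500                            //scan window size; the IAT must lie within [xvar, xvar+1500]
    mov scan_end,xvar
    add scan_end,str
    eval "IAT Corrupt: Yes, Code section: {prevcall}, IAT section: {iat_section}, Is this correct?"
    msgyn $RESULT
    cmp $RESULT,0
    je reset
    msgyn "Is it CALL to CALL?"
    cmp $RESULT,0
    je inizio
    mov Call_Jump,1

//Find the start of the IAT: the first dword in the window that resolves to a
//name. Dwords before it are zeroed (original behaviour). The loop is bounded
//by scan_end so a wrong section address reports an error instead of zeroing
//memory until the read faults.
inizio:
    cmp iat_section,scan_end
    ja no_iat
    mov x,[iat_section]
    cmp x,0
    je do_jmp
    gn x
    cmp $RESULT_1,0
    jne trovato1
    mov [iat_section],0
do_jmp:
    add iat_section,4
    jmp inizio
trovato1:
    mov save_iats,iat_section
    eval "The iat start at {iat_section}"
    MSG $RESULT

//Find the end of the IAT: walk back from the end of the window to the first
//dword that resolves to a name. Cannot pass save_iats (that entry is valid),
//the check only keeps the loop bounded.
    mov iat_section,scan_end
inizio1:
    cmp iat_section,save_iats
    jb no_iat
    mov x,[iat_section]
    cmp x,0
    je do_jmp1
    gn x
    cmp $RESULT_1,0
    jne pre_start
    mov [iat_section],0
do_jmp1:
    sub iat_section,4
    jmp inizio1
pre_start:
    mov save_iate,iat_section
    add iat_section,4
    mov data_sect,iat_section               //new slots are appended after the last valid entry

//Zero every dword between start and end that does not resolve to a name.
erase_garbage:
    mov x,[save_iats]
    gn x
    cmp $RESULT_1,0
    jne add_addr
    mov [save_iats],0
add_addr:
    cmp save_iats,save_iate
    jae getcall
    add save_iats,4
    jmp erase_garbage

getcall:
    ask "Enter the AIP Call destination address:"
    mov endadd,$RESULT
    ask "Enter the address of the last call to repair:"
    mov fincall,$RESULT
    eval "AIP call destination: {endadd}, Final call: {fincall}. Is this correct?"
    msgyn $RESULT
    cmp $RESULT,1
    jne getcall
    GPA "LoadLibraryA","kernel32.dll"       //resolved once for the whole run
    cmp $RESULT,0
    je exit
    mov x_LoadLib,$RESULT
    add x_LoadLib,b                         //the je inside LoadLibraryA - build specific, see header

//Main loop (corrupt-IAT mode): locate the next E8 call whose target is the stub.
start_proc:
    add prevcall,1
    cmp prevcall,fincall
    ja fine
    find prevcall,#e8????????#
    cmp $RESULT,0
    je fine
    cmp $RESULT,fincall
    ja fine                                 //next call lies beyond the last one to repair
    mov prevcall,$RESULT
    mov x_addr,$RESULT
    mov eip,$RESULT
    mov checkadd,eip
    add checkadd,1
    mov calldest,[checkadd]
    add calldest,eip
    add calldest,5                          //calldest = rel32 + address of the next instruction
    cmp calldest,endadd
    jne start_proc
    bp x_LoadLib
    run                                     //does not return until the breakpoint (or something else) stops the target
    bc x_LoadLib
    cmp eax,0
    je vuoi_usci
    cmp edi,0
    je vuoi_usci
    mov x_eax,eax
    mov xvar,[x_eax]
    and xvar,0ff
    cmp xvar,0
    je fin_an                               //empty DLL-name string at [eax]
    GPA [edi],[eax]
    cmp $RESULT,0
    je gpa_fail                             //was unchecked: 0 ended up in the IAT
    mov x,$RESULT

//Pick the slot: when the DLL name changes, skip one dword so each DLL's
//thunks stay separated by a zero entry.
start_trovo:
    cmp save_dll,[eax]
    je trovato
    add data_sect,4
    mov save_dll,[eax]
trovato:
    mov [data_sect],x
    cmp Call_Jump,0
    jne trov_call
    eval "jmp dword ptr [{data_sect}]"
    jmp trov_asm
trov_call:
    eval "Call dword ptr [{data_sect}]"     //honours the "CALL to CALL" answer (previously ignored here)
trov_asm:
    asm x_addr,$RESULT
    mov eip,x_addr
    add data_sect,4
    jmp start_proc

fine:
    mov eip,OEP
    ret
exit:
    MSG "Error"
    ret
no_iat:
    msg "Error: no IAT entry found inside the scanned window"
    mov eip,OEP
    ret

//Per-call error handling (corrupt-IAT mode): report, then let the user choose
//between skipping this call and stopping.
fin_an:
    msgyn "Error: empty DLL name at [eax], do you want continue with analising?"
    jmp continua
gpa_fail:
    msgyn "Error: GetProcAddress lookup failed, do you want continue with analising?"
    jmp continua
vuoi_usci:
    MSGYN "Error: eax or edi value is 0, do you want continue with analising?"
continua:
    cmp $RESULT,1
    jne fine
    mov eip,x_addr
    jmp start_proc

//Intact-IAT mode: the resolved address must already exist in the data section.
start_std:
    mov OEP,eip
reset_std:
    mov Call_Jump,0
    msgyn "Is it CALL to CALL?"
    cmp $RESULT,0
    je IAT_INFO
    mov Call_Jump,1
IAT_INFO:
    ask "Enter the address of the data section:"
    mov data_sect,$RESULT
    mov save_data,$RESULT
    mov end_data,$RESULT
    ask "Enter the size of the data section:"
    add end_data,$RESULT
    gmi eip,CODEBASE
    mov x_addr,$RESULT
    ask "Enter the AIP Call destination address:"
    mov endadd,$RESULT
    ask "Enter the address of the last call to repair:"
    mov fincall,$RESULT
    eval "IAT Corrupt: No, Code section: {x_addr}, Data section: {data_sect}, End of data section: {end_data}, AIP Calls: {endadd}, Last call: {fincall}. Is this correct?"
    msgyn $RESULT
    cmp $RESULT,0
    je reset_std
    GPA "LoadLibraryA","kernel32.dll"       //resolved once for the whole run
    cmp $RESULT,0
    je exit_std
    mov x_LoadLib,$RESULT
    add x_LoadLib,b                         //see header caveat on this offset

//Main loop (intact-IAT mode): same call discovery as above.
start_proc_std:
    add x_addr,1
    cmp x_addr,fincall
    ja fine_std
    find x_addr,#e8????????#
    cmp $RESULT,0
    je fine_std
    cmp $RESULT,fincall
    ja fine_std
    mov x_addr,$RESULT
    mov eip,$RESULT
    mov checkadd,eip
    add checkadd,1
    mov calldest,[checkadd]
    add calldest,eip
    add calldest,5
    cmp calldest,endadd
    jne start_proc_std
    bp x_LoadLib
    run
    bc x_LoadLib
    cmp eax,0
    je reg_zero_std
    cmp edi,0
    je reg_zero_std
    mov x_eax,eax
    mov xvar,[x_eax]
    and xvar,0ff
    cmp xvar,0
    je fin_an_std
    GPA [edi],[eax]
    cmp $RESULT,0
    je exit_std
    mov x,$RESULT

//Look the resolved address up in [save_data, end_data); the bound is checked
//before each read so a size that is not a multiple of 4 cannot run past it.
start_fix:
    cmp data_sect,end_data
    jae not_in_iat_std
    mov xvar,[data_sect]
    cmp x,xvar
    je fix
    add data_sect,4
    jmp start_fix
fix:
    cmp Call_Jump,0
    jne fix2
    eval "jmp dword ptr [{data_sect}]"
    jmp fix_asm
fix2:
    eval "Call dword ptr [{data_sect}]"
fix_asm:
    asm x_addr,$RESULT
    mov eip,x_addr
    mov data_sect,save_data
    jmp start_proc_std

fine_std:
    mov eip,OEP
    ret
exit_std:
    msg "Error"
    ret
reg_zero_std:
    msg "Error: eax or edi value is 0"
    ret
fin_an_std:
    msg "Error: empty DLL name at [eax]"
    ret
not_in_iat_std:
    eval "Error: API {x} not found in the IAT between {save_data} and {end_data}"
    msg $RESULT
    ret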