/*
Is modified from PESpin for ASProtect so don't be confused with notes. It works!
=======================================================================
Quick script for rebuilding thunks at VC++ apps protected with PESpin
=======================================================================
*/

var addr
var pointer
var thunk
var new
mov new,4040C0  //Points to start of PESpin section.

//This algo will find all calls that point in table with imports:
mov addr,401000
LABEL1:
find addr,#FF15????????#    //Find CALL DWORD PTR:[constant].
cmp $RESULT,0
je END1

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]       //Check is DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL1

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL1
END1:

//This algo will find all jumps that point in table with imports:
mov addr,401000
LABEL2:
find addr,#FF25????????#    //Find JMP DWORD PTR:[constant].
cmp $RESULT,0
je END2

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]       //Check is DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL2

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL2
END2:

// ================================================================================
==
//Fixing MOV EBP,API:
mov addr,401000
LABEL3:
find addr,#8B2D????????#
cmp $RESULT,0
je END3

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]       //Check is DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL3

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL3
END3:

//Fixing MOV EDI,API:
mov addr,401000
LABEL4:
find addr,#8B3D????????#
cmp $RESULT,0
je END4

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]       //Check is DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL4

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL4
END4:

//Fixing MOV EBX,API:
mov addr,401000
LABEL5:
find addr,#8B1D????????#
cmp $RESULT,0
je END5

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]       //Check is DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL5

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL5
END5:

//Fixing MOV ECX,API:
mov addr,401000
LABEL6:
find addr,#8B0D????????#
cmp $RESULT,0
je END6

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]       //Check is DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL6

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL6
END6:

//Fixing MOV EDX,API:
mov addr,401000
LABEL7:
find addr,#8B15????????#
cmp $RESULT,0
je END7

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]       //Check is DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL7

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL7
END7:

//Fixing MOV ESI,API:
mov addr,401000
LABEL8:
find addr,#8B35????????#
cmp $RESULT,0
je END8

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]       //Check is DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL8

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL8
END8:

ret