// Script 2: reorganizes the ARM "chaotic" (scattered) IAT.
// Taken from Ricardo Narvaja's course, lesson 207, with slight revisions.

var it
var it2
var x
var y
var pit
var pit2
var dll
var dll1
var pitt
var it1_end
var base
var savecode

// These values must be set before running the script
mov it, 00F32B38            // start of the scattered IAT
mov it1_end, 00F338C0       // end of the scattered IAT
mov it2, 00F32B38           // start of the area where the reorganized IAT will be written

mov savecode, [eip]         // save the original bytes at EIP
mov [eip], #EBFE#           // write "jmp eip" (EB FE) at EIP: rebuilding the IAT is slow, so the
                            // process spins in place while the OllyDbg window keeps refreshing
                            // and does not appear hung
gmi eip, MODULEBASE         // base address of the main module
log $RESULT
mov base, $RESULT

INICIO:                     // initialization
mov pitt, it                // pitt is the address of the API entry being processed; every entry before
                            // it has already been handled. pitt advances 4 bytes per pass; when it
                            // reaches the end of the scattered IAT the script is finished

COMIENZO:
add pit, it
add pit2, it2

SEGUIMOS:                   // a new pass over the IAT starts here
add pit, x
add pit2, y
cmp pit, it1_end
log pit
log x
log y
je FIN
cmp pit, it1_end
ja FIN
gmi [pit], MODULEBASE       // base address of the module that owns the API at [pit]
log $RESULT
log dll1
cmp pit, pitt
jne NOPRIMERA
cmp $RESULT, base           // has this entry already been processed? If so, it now points into the
                            // main image, so its module base is base
je PIRULO                   // already processed: skip it and start the next pass
cmp $RESULT, dll1           // these two lines look redundant: if the first DLL has already been
                            // processed, this jump is simply never taken
je IGUALES
mov dll, $RESULT
log dll
jmp NOPRIMERA

NOPRIMERA:                  // not the first entry of the pass
cmp $RESULT, dll
jne NOGUARDO
// Has this entry already been processed? If so, its module base is the main image's base.
// For example, once processed, [005CA000] holds 005CADD0, and the module base of that
// address is the main image's base.
cmp $RESULT, base
je NOGUARDO                 // already processed: skip it
mov [pit2], [pit]           // copy the API address from the scattered IAT into its new slot
mov [pit], pit2             // and make the old slot point at the new slot
mov x, 4
mov y, 4
jmp FINLOOP

NOGUARDO:                   // entry not saved
mov x, 4
mov y, 0
jmp FINLOOP

FINLOOP:                    // end of one iteration of the inner loop
log pit
log pit2
jmp SEGUIMOS

IGUALES:                    // equal: apparently never used
mov x, 4
mov y, 0
jmp FINLOOP

FIN:                        // one DLL fully processed
mov [pit2], 0               // null entry terminates this DLL's group
mov dll1, dll
sto                         // single-step once so the OllyDbg window refreshes and does not look hung
xor x, x
xor y, y
add pitt, 4
cmp dll, base
je SALTO
add pit2, 4

SALTO:                      // jump
mov pit, pitt
cmp pitt, it1_end
je FINISH
cmp pitt, it1_end
ja FINISH
log pit
log pit2
log pitt
jmp SEGUIMOS

FINISH:                     // all DLLs processed
mov [eip], savecode         // restore the original bytes at EIP
MSG "TERMINAMOS"
log pitt
ret

PIRULO:                     // this entry was already handled under a previous DLL: skip it and start a new pass
add pitt, 4
jmp NOPRIMERA
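The rebuild the script performs, modeled in Python as an added example (it is not part of the original OllyScript or of Narvaja's course): one pass per DLL over the scattered IAT, each matching entry copied to the next free slot of a contiguous IAT, a null entry after each DLL's group, and every old slot overwritten with the address of its new slot. The module layout, the addresses and the eight-entry sample IAT are constructed for illustration; `Module`/`module_of` stand in for OllyDbg's `gmi ... MODULEBASE`, and `it2` is placed inside the main image so that the script's "already processed" test (module base equals `base`) behaves as on the page.

```python
# Added example, not from the original script: Python model of the scattered-IAT rebuild.
# All addresses and module names below are hypothetical.
from typing import Dict, List, Optional, Tuple

SLOT = 4  # size of one 32-bit IAT entry


class Module:
    """A loaded module; anything in [base, base+size) belongs to it (stand-in for gmi MODULEBASE)."""

    def __init__(self, name: str, base: int, size: int) -> None:
        self.name, self.base, self.size = name, base, size

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def module_of(addr: int, modules: List[Module]) -> Optional[Module]:
    return next((m for m in modules if m.contains(addr)), None)


def compact_iat(scattered: Dict[int, int], it: int, it1_end: int, it2: int,
                modules: List[Module], main_base: int) -> Tuple[Dict[int, int], Dict[int, int]]:
    """Rebuild a scattered IAT into per-module groups.

    scattered: old slot address -> API address (0 for an empty slot), covering [it, it1_end).
    it2: where the contiguous IAT is written. It lies inside the main module, which is what
    makes the script's "already processed" check work: a redirected slot holds an address
    inside the main image, so its module base is main_base.
    Returns (new_iat, patched_old): the rebuilt table and the old table with every moved
    slot pointing at its new location.
    """
    old = dict(scattered)
    new_iat: Dict[int, int] = {}
    pit2 = it2
    pitt = it                                    # first slot not yet handled (script: pitt)
    while pitt < it1_end:
        dll = module_of(old.get(pitt, 0), modules)
        if dll is None or dll.base == main_base:
            pitt += SLOT                         # empty slot, or already moved (script: PIRULO)
            continue
        # One pass over the remaining slots collects every entry of this DLL (script: SEGUIMOS).
        for pit in range(pitt, it1_end, SLOT):
            m = module_of(old.get(pit, 0), modules)
            if m is None or m.base != dll.base:  # other DLL, empty, or already moved (NOGUARDO)
                continue
            new_iat[pit2] = old[pit]             # mov [pit2], [pit]
            old[pit] = pit2                      # mov [pit], pit2
            pit2 += SLOT
        new_iat[pit2] = 0                        # null entry closes this DLL's group (FIN)
        pit2 += SLOT
        pitt += SLOT
    return new_iat, old


def groups(new_iat: Dict[int, int]) -> List[List[int]]:
    """Split the rebuilt IAT at its null terminators, in address order."""
    out: List[List[int]] = [[]]
    for addr in sorted(new_iat):
        if new_iat[addr] == 0:
            out.append([])
        else:
            out[-1].append(new_iat[addr])
    return [g for g in out if g]


def check_redirects(scattered: Dict[int, int], patched: Dict[int, int],
                    new_iat: Dict[int, int]) -> bool:
    """Every non-empty old slot must now point at a new slot that holds its original API address."""
    return all(new_iat.get(patched[a]) == v for a, v in scattered.items() if v)


# Constructed sample: a main image at 0x400000 plus two DLLs, and an 8-slot IAT whose
# entries alternate between the DLLs, with one empty slot in the middle.
MODULES = [Module("main", 0x400000, 0x100000),
           Module("kernel32", 0x7C800000, 0x100000),
           Module("user32", 0x7E410000, 0x90000)]
SCATTERED = {0x432000: 0x7C801234, 0x432004: 0x7E41AAAA,
             0x432008: 0x7C805678, 0x43200C: 0,
             0x432010: 0x7E41BBBB, 0x432014: 0x7C809ABC,
             0x432018: 0x7E41CCCC, 0x43201C: 0}


def demo() -> Tuple[Dict[int, int], Dict[int, int]]:
    return compact_iat(SCATTERED, it=0x432000, it1_end=0x432020, it2=0x433000,
                       modules=MODULES, main_base=0x400000)


if __name__ == "__main__":
    new_iat, patched = demo()
    for addr in sorted(new_iat):
        print(f"{addr:08X}: {new_iat[addr]:08X}")
    print("groups:", [[hex(v) for v in g] for g in groups(new_iat)])
    print("redirects consistent:", check_redirects(SCATTERED, patched, new_iat))
```

Running it shows the two kernel32 and user32 groups laid out back to back at 0x433000, each closed by a zero entry, and `check_redirects` confirms that every old slot now resolves through the new table, which is the property an import reconstructor such as ImpREC needs once the dump is taken.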