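// INT3 Call Table Writer by quosego/snd
//
// Purpose: walks a run of 7-byte stubs of the form  CC FB E9 xx xx xx xx
// (int3 / sti / jmp rel32) in the debugged module and rewrites each one as
// nop / nop / jmp <real target>, with the target taken from a call table the
// analyst has already copied out of the kernel driver into the process.
//
// Usage: start at oep/ep of unpacked exe.
//
// NOTE(review): the script overwrites EAX, ECX and EDX in the debuggee and
// does not restore them, and it patches process memory in place. Work on a
// snapshot or a copy of the sample.

// Script variables must be declared before their first use.
var base
var addr
var table
var temp

gmi eip, MODULEBASE
mov base, $RESULT
add base, 1000                          // start the search 0x1000 past the module base (presumably the first section)

// Find the first two consecutive stubs; a failed find leaves $RESULT at 0.
find base, #CCFBE9????????CCFBE9????????#
cmp $RESULT, 0
je NO_STUBS
mov addr, $RESULT

// Table location retrieved from the kernel. Copy it yourself to some location
// in the program. A cancelled dialog leaves $RESULT at 0.
ask "Please input the location of the correct call table here, copied from the kernel to the program."
cmp $RESULT, 0
je NO_TABLE
mov table, $RESULT

PATCH_NEXT:
// NOTE(review): entries are walked with a fixed 7-byte stride and the loop
// stops only on a zero word; the CC FB E9 signature is not re-checked per
// entry, so anything non-zero that follows the stub run would also be patched.
cmp [addr], 0000, 2
je DONE

// Load the divisor from table+8 and reject a zero value before touching the
// stub, so a bad table address cannot fault the debuggee on DIV or leave a
// half-patched entry behind.
mov temp, table
add temp, 8
mov ecx, [temp]
cmp ecx, 0
je BAD_TABLE

mov [addr], #9090#, 2                   // Nop int3 and sti.
mov temp, [addr+4], 2                   // 16-bit value stored at stub offset 4
mov eax, temp

// Lookup as done by the driver (author's note: "ripped from the driver"):
//   index  = value % [table+8]
//   target = [table + index*4 + 0x14]
// The exec/ende block runs inside the debuggee.
xor edx,edx
exec
div ecx
mov eax, edx
mov ecx, {table}
mov eax, [ecx+eax*4+14]
ende

eval "jmp {eax}"                        // Assemble jump to correct call address.
mov temp, addr
add temp,2                              // the jmp opcode sits after the two patched bytes
asm temp, $RESULT
add addr,7                              // advance to the next 7-byte stub
jmp PATCH_NEXT

DONE:
ret

NO_STUBS:
msg "No INT3/STI/JMP stub pattern found; nothing was patched."
ret

NO_TABLE:
msg "No call table address entered; nothing was patched."
ret

BAD_TABLE:
msg "Divisor at table+8 is zero; check the call table address."
ret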