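// ROR Packer 0.3 - API call repair script (OllyScript/ODbgScript), by absolutzero.
//
// Walks the packer's redirection table and writes a direct IAT-referencing
// instruction back at every redirected site, then logs how many sites were
// patched.
//
// Table entry layout, as read by the code below (0C bytes per entry):
//   +0  site address + 5 (the script subtracts 5 to get the patch address)
//   +4  address of the API's slot in the IAT
//   +8  case code selecting which instruction form to restore
// A zero dword at +0 terminates the table.
//
// NOTE(review): 441e3b and the 3560 offset are hard-coded, so they are
// presumably valid for one specific target only. Confirm both in the dump
// before running; nothing validates adr or api, and a wrong table pointer
// makes the script overwrite unrelated debuggee memory.

var adr
var table
var api
var case
var c
var d
var e
var x
var y
var count
var z
var cnt                 // fix: scratch variable used by hex2dec, never declared in the original

log "/////////////////////////////////////////////////////////////////////////"
log " ROR PACKER 0.3 API CALLS SCRIPT BY absolutzero"
log "/////////////////////////////////////////////////////////////////////////"

mov count,0
log "Repairing api calls..."
call apicalls
call hex2dec            // repack count so that it reads as a decimal number
eval "Resolved {count} api calls."
log $RESULT
ret

// ---------------------------------------------------------------------------
// apicalls: patch every site listed in the redirection table.
// Leaves the number of patched sites in count.
// ---------------------------------------------------------------------------
apicalls:
mov table,[441e3b]      // per the author: base of the 2nd TLS callback function memory area + 4
add table,3560          // pointer to the API calls table address
mov table,[table]       // address of the API calls table

apicalls1:
mov adr,[table]
cmp adr,0               // zero entry = end of table
je endapi
sub adr,5               // address of the API call site to patch
mov api,[table+4]       // address of the API in the IAT

finding:
mov case,[table+8]
cmp case,3
je thruret
cmp case,1C
je thruebx
cmp case,3C
je thruedi
cmp case,34
je thruesi
cmp case,2
je thruret1
cmp case,2C
je thruebp
cmp case,14
je thruedx
cmp case,0C
je thruecx
// any other case value falls through to the EAX form

// NOTE(review): the byte stores below carry no size argument, so each one
// presumably writes a whole dword and relies on the following overlapping
// store to overwrite the padding - confirm for the ODbgScript version in use.

thrueax:                // A1 imm32 = mov eax,[api]
mov [adr],A1
mov [adr+1],api
jmp nexttable

thruret:                // FF 15 imm32 = call dword ptr [api]
mov [adr],0FF
mov [adr+1],15
mov [adr+2],api
jmp nexttable

thruret1:               // FF 25 imm32 = jmp dword ptr [api]
mov [adr],0FF
mov [adr+1],25
mov [adr+2],api
jmp nexttable

thruebx:                // 8B 1D imm32 = mov ebx,[api]
mov [adr],8B
mov [adr+1],1D
mov [adr+2],api
jmp nexttable

thruedi:                // 8B 3D imm32 = mov edi,[api]
mov [adr],8B
mov [adr+1],3D
mov [adr+2],api
jmp nexttable

thruesi:                // 8B 35 imm32 = mov esi,[api]
mov [adr],8B
mov [adr+1],35
mov [adr+2],api
jmp nexttable

thruebp:                // 8B 2D imm32 = mov ebp,[api]
mov [adr],8B
mov [adr+1],2D
mov [adr+2],api
jmp nexttable

thruedx:                // 8B 15 imm32 = mov edx,[api]
mov [adr],8B
mov [adr+1],15
mov [adr+2],api
jmp nexttable

thruecx:                // 8B 0D imm32 = mov ecx,[api]
mov [adr],8B
mov [adr+1],0D
mov [adr+2],api

nexttable:
inc count               // count of API calls repaired
add table,0c            // advance to the next table entry
jmp apicalls1

endapi:
ret

// ---------------------------------------------------------------------------
// hex2dec: repack count as one decimal digit per nibble (lowest digit in the
// lowest nibble), so that a hexadecimal rendering of the value reads as the
// decimal number. Values below 0a are returned unchanged.
// Uses cnt, e, z, y, c and d as scratch.
// ---------------------------------------------------------------------------
hex2dec:
mov c,0                 // digit position; reset so the routine can be called again
mov cnt,count
mov e,0a
div count,e
cmp count,0
je endhex2dec           // single digit: nothing to repack
mov z,count
mul z,e
sub cnt,z               // cnt = lowest decimal digit
mov y,cnt
inc c

nextdigit:
mov cnt,count
div count,e
mov z,count
mul z,e
sub cnt,z               // cnt = next decimal digit
mov d,c
mul d,4                 // one nibble per digit
shl cnt,d
or y,cnt
inc c
cmp count,0
jne nextdigit
mov count,y
ret

endhex2dec:
mov count,cnt
ret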