/*

==================================================================

    SafeCast 2.xx-3.xx - Script for finding correct imports

==================================================================

Instructions:



This is second script for finding imports. This one will find and

decrypt all CALL references to IAT and decrypt imports. Then it

will redirect them to new IAT in new section. For jumps you need

to change script a little bit, but in VC++ files you can fix jumps

manually.



haggar

===================================================================

*/







var oep       //Just to take OEP (current EIP) for restore it after.

var addr 

var pointer

var import    //Found import.

var stack     //For placing harware bp.

var iat       //Pointer to new IAT.





//================ Finding and decrypting all calls =================

mov oep,eip

mov addr,12ec1000

LABEL_01:

 find addr,#ff15????ef12#   //Find all calls that point to IAT.

 cmp $RESULT,0

je END_01

 mov addr,$RESULT

 add addr,2

 mov pointer,[addr]

 mov pointer,[pointer]

 and pointer,0ff000000

 cmp pointer, 13000000       //Check pointer.

jne NEXT_01                  //If it is not redirected.

 sub addr,2                  //If it is, then find import.

 mov eip,addr

 sti

 sti

 sti

 mov stack,esp

 bphws stack,"r"

 esto

 bphwc stack

 sti

 mov import,eip

 add addr,2

 add esp,4                 //Ignore this if you search for JMP.



     NEXT_02:

     //==================    //Now, find that import in new IAT.

     mov iat,12f1f000        //Hardcoded pointer to new IAT.

     LABEL_02:

      cmp iat,12f1f2c8       //End of new IAT.

     je MISSING:

      cmp [iat],import

      add iat,4

     jne LABEL_02

      sub iat,4

     //==================

 mov [addr],iat              //Redirect pointer.

jmp LABEL_01

END_01:



mov eip,oep



ret



NEXT_01:

 mov import,[addr]

 mov import,[import]

jmp NEXT_02







MISSING:

msg "It seams that one import is missing ?!?"

ret