/*

===============================================================

   SafeCast/Disc 2.xx-3.xx - IAT decryptor script (by haggar)

===============================================================

Instructions:



This script WILL NOT FIX IMPORTS!!! This script will decrypt

import table, but pointers will be incorrect! But, table will

hold ALL IMPORTS that are used in protected file. As described

in my tutorial, then you binary copy-paste that tablle to new

section (that you have added to protected file), undo changes

done by this script, and use script for redirecting pointers

to that new table. Read my tutorial for more information.



Script is tested on VC++ program. All values are hardcoded

and you must modify it for your file.



haggar

===============================================================

*/





var iat      //Variable that points to thunks.

var pointer  //Variable to take DWORD that is in thunk.

var stack    //Variable just used to place hardware breakpoint.

var oep      //To return EIP to initial value.



mov iat,12ef6000        //Start address of thunks in IAT.

mov oep,eip



LABEL_01:

 cmp iat,12ef62c8       //Check is it end of thunks.

je END_01

 mov pointer,[iat]

 and pointer,0ff000000

 cmp pointer, 13000000  //Check destination in thunk to redirected one.

 add iat,4

jne LABEL_01

 sub iat,4              //If thunk holds some 13xxxxxx (in my case)

 mov pointer,[iat]      //then find import.

 mov eip,pointer

 sti

 sti

 mov stack,esp

 bphws stack,"r"

 esto

 sti

 bphwc stack

 mov [iat],eip          //Place import in thunk.

jmp LABEL_01

END_01:



mov eip,oep

ret