var espv var iat_st var pf var xloc var oep var img_base gmi eip,MODULEBASE mov img_base,$RESULT mov espv,esp-4 GMEMI eip,MEMORYBASE mov xloc,$RESULT gpa "VirtualAlloc", "kernel32.Dll" bphws $RESULT,"x" erun bphwc eip rtu cmt eip,"if Show Nag push try:)" find eip,#83C6048BFE8BD033C0AD85C0740B3385????????33C2ABEBF0# cmp $RESULT,0 je quit mov pf,$RESULT bphws pf,"x" erun bphwc pf mov iat_st,esi add pf,14 fill pf,2,90 bphws espv,"r" cmt pf,"Go to OEP Waiting :)" erun bphwc espv sti sti sti cmt eip, "<---OEP" msgyn " Fix Import?" cmp $RESULT,0 je quit var srh var vz var if var fn var nc var pntf var code_st var oep find xloc,#9C50538B5C24??5383EB0668????????68????????C3# cmp $RESULT,0 je quit mov pntf,$RESULT+11 mov pntf,[pntf] find pntf,#35????????50# mov pntf,$RESULT mov oep,eip gmi eip,CODEBASE mov srh,$RESULT mov code_st,$RESULT bp pntf var FF25_t find xloc,#9C50538B5C240C53# cmp $RESULT,0 je quit mov FF25_t,$RESULT buf FF25_t find xloc,FF25_t cmp $RESULT,0 je quit mov FF25_t,$RESULT buf FF25_t mov srh,code_st loop: find srh,FF25_t cmp $RESULT,0 je call_to_Call mov addr,$RESULT-2 mov vz,$RESULT+4 mov nc,$RESULT mov eip,addr erun mov if,eax buf if find iat_st,if mov fn,$RESULT mov [addr],#FF25# mov [nc],fn mov srh,vz jmp loop call_to_Call: mov srh,code_st var FF15_t find xloc,#6A009C50538B5C241053# cmp $RESULT,0 je quit mov FF15_t,$RESULT buf FF15_t find xloc,FF15_t cmp $RESULT,0 je quit mov FF15_t,$RESULT buf FF15_t loop2: find srh,FF15_t cmp $RESULT,0 je call_to_R32 mov addr,$RESULT-2 mov vz,$RESULT+4 mov nc,$RESULT mov eip,addr erun mov if,eax buf if find iat_st,if mov fn,$RESULT mov [addr],#FF15# mov [nc],fn mov srh,vz jmp loop2 call_to_R32: var chek_r32 //pause var fE8 var ch_fE8 var df find xloc,#E9????0000E9????0000E9????0000E9????0000# cmp $RESULT,0 je quit mov fE8,$RESULT+5 mov srh,code_st loop3: find srh,#E8??????????# cmp $RESULT,0 je end next: mov ch_fE8,$RESULT+5 mov df,$RESULT+1 mov addr,$RESULT mov vz,$RESULT+6 mov nc,$RESULT+2 mov chek_r32,$RESULT+5 mov df,[df] add df,ch_fE8 cmp fE8,df //pause je r32_t mov srh,chek_r32 jmp loop3 r32_t: var mem_call var s_call //pause mov s_call,vz mov eip,addr last_call: findop s_call,#FFD?# cmp mem_call,$RESULT je nexts mov chek_r32,$RESULT+1 mov mem_call,$RESULT mov chek_r32,[chek_r32] and chek_r32,0000000F erun mov if,eax buf if find iat_st,if mov fn,$RESULT cmp chek_r32,1 je m_ecx cmp chek_r32,2 je m_edx cmp chek_r32,3 je m_ebx cmp chek_r32,5 je m_ebp cmp chek_r32,6 je m_esi m_edi: mov [addr],#8B3D# jmp Wr_r m_edx: mov [addr],#8B15# jmp Wr_r m_ebx: mov [addr],#8B1D# jmp Wr_r m_ecx: mov [addr],#8B0D# jmp Wr_r m_esi: mov [addr],#8B35# jmp Wr_r m_ebp: mov [addr],#8B2D# jmp Wr_r Wr_r: mov [nc],fn mov srh,vz jmp loop3 end: bc pntf mov eip,oep sub iat_st,img_base eval "import is already restored!, IAT Start: {iat_st}" msg $RESULT ret nexts: mov s_call,mem_call add s_call,2 jmp last_call quit: msg "No SoftWrap file :)" ret