//      :
// call 0BA0000 ;Call CreateFileA
//  :
// call [Real_addr_in_IAT]
//  AlterWind Log Analyzer Professional 3.0.0.1
//  , . by BiT-H@ck in 26.08.2005 3:42:)
#log				// echo every executed script command to the debugger log

// Script state. All values are debugger variables; addresses are in the debuggee's space.
var calladdr			// rel32 of the candidate CALL, later (masked) the top byte of its target
var aftercalladdr		// address just past the candidate CALL, later its absolute target
var filesecend			// targets at/above this address are treated as protector stubs to resolve
var startscan			// current scan position: address of the candidate E8 byte
var endscan			// last address of the code range to scan
var VirtualAllocExAddr		// kernel32!VirtualAllocEx, used as a breakpoint while running a stub
var realfunction		// resolved API address, read from the stack at esp+5C
var iatcell			// scratch dword for the byte-pattern search
var temp			// scratch pointer (esp+5C)
var endmemoryspice		// upper bound on accepted call targets
var OEP				// eip at script start; restored before the script returns
var x				// unused
var y				// unused
var IATend			// address of the next IAT cell to fill (advanced by 4 per resolved call)

gpa "VirtualAllocEx", "kernel32.dll"	// resolve VirtualAllocEx; gpa leaves the address in $RESULT
mov VirtualAllocExAddr, $RESULT

// Target-specific constants, taken from the script as written (no derivation shown here).
mov endmemoryspice, 0F21000 // call targets at or above this are rejected
mov IATend, 005321BC        // first IAT cell that will be filled
mov startscan, 00401000     // start of the code range to scan
mov endscan, 00448BB1       // end of the code range to scan
mov filesecend, 5E0000	// targets at/above this (and below endmemoryspice) are resolved

mov OEP, eip			// remember where the debuggee is stopped; restored at @endscript


jmp @finder
@continue2:	// a candidate "E8 ?? ?? ?? 00" was found; $RESULT = address of the E8 byte
mov startscan, $RESULT	// the next search resumes from here
inc $RESULT		// $RESULT -> rel32 operand of the CALL
mov calladdr, [$RESULT]	// calladdr = rel32
add $RESULT, 4		// $RESULT -> first byte after the 5-byte CALL
mov aftercalladdr, $RESULT
add aftercalladdr, calladdr	// aftercalladdr = absolute target (next_ip + rel32)
mov calladdr, aftercalladdr
and calladdr, FF000000	// keep only the top byte of the target
cmp calladdr, 0
jne @finder		// reject targets with a nonzero top byte (at or above 01000000)

cmp startscan, endscan	
ja @endscript		// the candidate lies past the scan range: finished
cmp calladdr, endmemoryspice 
jae @finder		// NOTE(review): calladdr is 0 here (masked above, and the jne was not taken), so this branch can never be taken
cmp aftercalladdr, endmemoryspice
jae @finder		// reject targets at or above endmemoryspice

cmp aftercalladdr, filesecend
jae @reconstruct		// target is above the image range: presumably a protector stub, resolve it
jmp @finder		// otherwise an ordinary in-image call; keep scanning. by Factor 2

@reconstruct:		// run the stub once and capture the real API address it resolves
mov eip, startscan		// point eip at the CALL itself
bp VirtualAllocExAddr	// software bp on VirtualAllocEx; the stub is expected to reach it
run			// execute the CALL; stops inside VirtualAllocEx
bc VirtualAllocExAddr	// remove the bp again
mov temp, esp
add temp, 5C		// esp+5C: stack slot holding the real API address at this point (stub-specific; taken from the original)
mov realfunction, [temp]
bphws startscan, "x"	// hardware execute bp back at the CALL site
run			// presumably the stub transfers control back to the CALL address — confirm
bphwc startscan		// eip is expected to equal startscan here

@IAT_write:
mov [IATend], realfunction	// store the resolved address in the next IAT cell
			// rewrite the CALL at eip as an indirect call through that IAT cell
mov [eip], #FF25#		// NOTE(review): the original comment names FF15 (call [mem32]); FF 25 encodes jmp [mem32] — confirm which is intended
add eip,2			// skip the 2 opcode bytes
mov [eip], IATend		// disp32 = IAT cell address; 6 bytes in total, one more than the 5-byte E8 form
add IATend, 4		// advance to the next IAT cell
jmp @finder		// look for the next candidate
@endscript:
mov eip, OEP		// restore the debuggee's eip
ret			// end of script


@finder:
mov $RESULT, startscan
@manual_find:		// byte-wise search for "E8 ?? ?? ?? 00", starting one byte past $RESULT
add $RESULT, 1
mov iatcell, [$RESULT]
and iatcell, 000000FF	// low byte = opcode
cmp iatcell, 000000E8	// E8 = CALL rel32
jne @manual_find
add $RESULT, 1
mov iatcell, [$RESULT]	// dword = rel32 operand
and iatcell, FF000000	// its top byte must be 00 (a forward displacement below 01000000)
cmp iatcell, 00000000
jne @manual_find		// no upper bound here: the endscan test lives in @continue2
sub $RESULT, 1		// back to the E8 byte
log $RESULT
jmp @continue2

