//      :
// call 0BA0000 ;Call CreateFileA
//  :
// call [Real_addr_in_IAT]
//  AlterWind Log Analyzer Professional 3.0.0.1
//  , . by BiT-H@ck in 26.08.2005 3:42:)
var calladdr
var aftercalladdr
var filesecend
var startscan
var endscan
var VirtualAllocExAddr
var realfunction
var iatcell
var iatstart
var iatstarttemp
var temp
var endmemoryspice
var OEP
var x
var y
var is_DLL

gpa "VirtualAllocEx", "kernel32.dll"	//  VirtualAllocEx,        
mov VirtualAllocExAddr, $RESULT

mov endmemoryspice, 2CF1000 //      
mov iatstart, 00513000	//  
mov startscan, 00401000	//   ( ,   )
mov endscan, 005047E9	//   ( )
mov filesecend, 6DA000	//    

@Oep_find_by_sanniassin:	//      sanniassin,    
mov x,esp 
sub x,48
bphws x,"r"
mov y,[eip]
and y,000000FF
cmp y,60
jne zzz
mov is_DLL,1

zzz:
run
mov y,[eip]
cmp y,01B80875
jne zzz
bphwc x
find edi,#83C404010424C3#
mov x,$RESULT
add x,6
bp x
run
bc x
sto
mov x,eip

findcall:
dec x
mov y,[x]
cmp y,5B5E5F5D
jne findcall
sub x,8
go x
sti
rtr
sto
mov x,eip
and x,0000FFFF
cmp x,0
mov x,esp
cmp is_DLL,1
jne is_exe
add x,10
jmp label_9
is_exe:
add x,8
label_9:
bphws x,"r"
run
mov y,eip
dec y
mov y,[y]
and y,000000FF
cmp y,5C
jne label_9
bphwc x
cmp is_DLL,1
jne is_exe2
find eip,#8944241C61FFE0#
add $RESULT,5
bp $RESULT
run
bc $RESULT
sto
jmp msg
is_exe2:
mov x,eax
go x
msg:
msg "OEP found! OEP not stolen."

mov OEP, eip

@continue:		//   ( call`,     )
findop startscan, #E8#	// - call`
mov startscan, $RESULT	//   
inc $RESULT		//  call aspr_code,   call aspr_code+1  dword -     
mov calladdr, [$RESULT]	// -      
add $RESULT, 4		//,     (    call aspr_code).
mov aftercalladdr, $RESULT	//   
add aftercalladdr, calladdr	//  aspr_code (,    call)
cmp startscan, endscan	
jae @endscript		//     (     call`  )
cmp calladdr, endmemoryspice 
jae @continue		//,            E8
cmp aftercalladdr, filesecend
jae @reconstruct		//call      ?  -   
jmp @continue		// ,      :) by Factor 2

@reconstruct:		//       -  call aspr
mov eip, startscan		// eip  call aspr_code
bp VirtualAllocExAddr	//       ,   ,   VirtualAllocEx
run			// eip  call aspr_code,    VirtualAllocEx,  
bc VirtualAllocExAddr	//,  
mov temp, esp
add temp, 5C		// esp+5C    
mov realfunction, [temp]	//   
bphws startscan, "x"	//   call aspr_code
run
bphwc startscan		//  call aspr_code     -,       

			//..  OllyScript   ,   
mov iatstarttemp, iatstart	//      	
sub iatstarttemp, 4		//   4, ..       4,   dword    
@manual_find:		// 
add iatstarttemp, 4		//   DWORD
mov iatcell, [iatstarttemp]	// 
cmp iatcell, realfunction	//,          IAT
jne @manual_find		//?  

			//   call aspr_code,   call [IAT_cell]
mov [eip], #FF15#		//FF15 -  call [XXXXXXXX]
add eip,2			//   2,     ,      
mov [eip], iatstarttemp	//     (call [Iat_cell])
jmp @continue		// ,   ..
@endscript:
mov eip, OEP		// eip  ,   eip    ,         
ret			//  

