//copyright by Pnluck 20005 pnluck@virgilio.it
//if u use this script for write a tutorial, u can put  me in thankses :D
//i must to thanks MaRKuS-DJM and KaGra for their info at http://forum.exetools.com/showthread.php?t=7545
//modified and optimized by D3XT3R for the recursive capabilities
//
//This script will ONLY run on ODBGScript v1.41 or higher. If you try to use this with any other plugin or a lower version DO NOT
//expect me to give you any support what so ever.

var $STD
var x_addr     //addr originale
var x_LoadLib  //addr LoadLibraryA
var x_AddrApi
var data_sect
var end_data
var x_eax
var go
var xvar
var str
var x
var str_eax
var str_edi
var sav_eax
var sav_ecx
var sav_edx
var sav_ebx
var sav_esp
var sav_ebp
var sav_esi
var sav_edi
var save_data
var confronta
var iat_section
var save_dll
var OEP

var save_iats
var save_iate

var prevcall
var calldest
var checkadd
var endadd
var fincall

//chiedo l'addr della .data section

reset:
mov OEP,eip
msgyn "Is the IAT of this PE corrupt?"
cmp $RESULT,0
je start_std
gmi eip,CODEBASE
mov prevcall, $RESULT
ask "Enter the address of section where is the IAT:"
mov iat_section,$RESULT
mov xvar,$RESULT
mov str,1500
eval "IAT Corrupt: Yes, Code section: {prevcall}, IAT section: {iat_section}, Is this correct?"
msgyn $RESULT
cmp $RESULT,0
je reset

//find the start of iat
inizio:
mov x,[iat_section]
cmp x,0
je do_jmp
gn x
cmp $RESULT_1,0
jne trovato1
mov [iat_section],0

do_jmp:
add iat_section,4
jmp inizio

trovato1:
mov save_iats,iat_section
eval "The iat start at {iat_section}"
MSG $RESULT


//find the end of iat
mov iat_section,str
add iat_section,xvar
inizio1:
mov x,[iat_section]
cmp x,0
je do_jmp1
gn x
cmp $RESULT_1,0
jne pre_start
mov [iat_section],0

do_jmp1:
sub iat_section,4
jmp inizio1

pre_start:
mov save_iate,iat_section
add iat_section,4
mov data_sect,iat_section

//ora cancello dall'iat gli addr errati
erase_garbage:
mov x,[save_iats]
gn x
cmp $RESULT_1,0
jne add_addr
mov [save_iats],0
add_addr:
cmp save_iats,save_iate
je getcall
add save_iats,4
jmp erase_garbage

getcall:
ask "Enter the AIP Call destination address:"
mov endadd,$RESULT
ask "Enter the address of the last call to repair:"
mov fincall,$RESULT
jmp start_procs

start_procs:
eval "AIP call destination: {endadd}, Final call: {fincall}. Is this correct?"
msgyn $RESULT
cmp $RESULT,1
jne getcall

start_proc:
//domando che call devo analizzare
add prevcall,1
cmp prevcall, fincall
ja fine
find prevcall, #e8????????#
cmp $RESULT,0
je fine
mov prevcall,$RESULT
mov x_addr,$RESULT 
mov eip,$RESULT
mov checkadd,eip
add checkadd,1
mov calldest, [checkadd]
add calldest, eip
add calldest,5
cmp calldest,endadd
jne start_proc
GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je exit
mov x_LoadLib,$RESULT
add x_LoadLib,b
bp x_LoadLib  //setto bp al je di LoadLibraryA
run
bc x_LoadLib
//al bp
//verifico secon i egistri  tutto a posto
cmp eax,0
je vuoi_usci
cmp edi,0
je vuoi_usci
mov x_eax,eax
mov str,""
mov go,1

//inizio della proc hex->ascii
analize:
mov xvar,[x_eax]
and xvar,0ff


cmp xvar,0
je fin_an

GPA [edi],[eax]

mov x,$RESULT

//inizio la ricerca di un dword usabile
start_trovo:
cmp save_dll,[eax]
je trovato
add data_sect,4
mov save_dll,[eax]
jmp trovato

trovato:
mov [data_sect],x
trov:
eval "jmp dword ptr [{data_sect}]"
asm x_addr,$RESULT

mov eip,x_addr
add data_sect,4
jmp start_proc

fine:
mov eip,OEP
ret

exit:
MSG "Error" 
ret

vuoi_usci:
MSGYN "Error: eax or edi value is 0, do you want continue with analising?"
cmp $RESULT,1
jne fine
mov eip,x_addr
jmp start_proc

start_std:
mov OEP,eip
mov sav_eax,eax
mov sav_ecx,ecx
mov sav_edx,edx
mov sav_ebx,ebx
mov sav_esp,esp
mov sav_ebp,ebp
mov sav_esi,esi
mov sav_edi,edi

reset_std:
ask "Enter the address of the data section:"
mov data_sect,$RESULT
mov save_data,$RESULT
mov end_data,$RESULT
ask "Enter the size of the data section:"
add end_data,$RESULT

gmi eip,CODEBASE
mov x_addr,$RESULT
ask "Enter the AIP Call destination address:"
mov endadd,$RESULT
ask "Enter the address of the last call to repair:"
mov fincall,$RESULT
eval "IAT Corrupt: No, Code section: {x_addr}, Data section: {data_sect}, End of data section: {end_data}, AIP Calls: {endadd}, Last call: {fincall}.  Is this correct?"
msgyn $RESULT
cmp $RESULT,0
je reset_std
jmp start_proc_std

start_proc_std:
add x_addr,1
cmp x_addr, fincall
ja fine_std
find x_addr, #e8????????#
cmp $RESULT,0
je fine_std
mov x_addr,$RESULT 
mov eip,$RESULT
mov checkadd,eip
add checkadd,1
mov calldest, [checkadd]
add calldest, eip
add calldest,5
cmp calldest,endadd
jne start_proc_std
mov eip,x_addr
GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je exit_std
mov x_LoadLib,$RESULT
add x_LoadLib,b
bp x_LoadLib
run
bc x_LoadLib
mov x_eax,eax
mov str,""
mov go,1

analyze:
mov xvar,[x_eax]
and xvar,0ff

cmp xvar,0
je fin_an_std

GPA [edi],[eax]
cmp $RESULT,0
je exit_std
mov x,$RESULT

start_fix:
mov xvar,[data_sect]
cmp x,xvar
je fix
add data_sect,4
cmp data_sect,end_data
je exit
jmp start_fix

fix:
eval "jmp dword ptr [{data_sect}]"
asm x_addr,$RESULT
mov eip,x_addr
mov data_sect,save_data
jmp start_proc_std

fine_std:
mov eip,OEP
ret

exit_std:
msg "Error"
ret