/////////////////////////////////////////////////////////////
// this script does a cruicial job, it finds all the correct API's corresponding 
// to the HIGHMEM calls. like i said before, the log-HIGHMEM-calls-BIN.txt 
// file will contain all the highmem call address ready to be BINARY-PASTED 
// in olly (just a little fix needed as mentioned above) 
//
// to use this script what you need to do is to know 
//
// 1. where to binary paste all the values from log-HIGHMEM-calls-BIN.txt 
// 2. the address where the script should put hardware bp and log the eax values 
//
// the first job is easy, normaly with the targets i worked ADATA section 
// contained all places you need , filled up all with zero. but u can chose any 
// non-destructive place to put them, as u want. just set the address to 
// the variable binary_paste in the script 
//
// the second job is a little tough, u gotta find the right addr where to set the 
// hardware bp ... okey, follow the instructions 
//
// load the app 
// F9 once ... now you r in ASPR code 
//
// binary search for binary search of : 8945FCA1??????008B008B15??????008B1233028B15??????002B02 
// you will land in some place like this : 
//
// D73409 MOV DWORD PTR SS:[EBP-4],EAX 
// D7340C MOV EAX,DWORD PTR DS:[D77824] 
// D73411 MOV EAX,DWORD PTR DS:[EAX] 
// D73413 MOV EDX,DWORD PTR DS:[D77824] 
// D73419 MOV EDX,DWORD PTR DS:[EDX] 
// D7341B XOR EAX,DWORD PTR DS:[EDX] 
// D7341D MOV EDX,DWORD PTR DS:[D77680] 
// D73423 SUB EAX,DWORD PTR DS:[EDX] 
//
// so, D73409 will be addr_hwbp in the script 
/////////////////////////////////////////////////////////////
/*
********************
     nick_name
 TEAM RESSURRECTiON
********************
*/


/**/
/**/

DEFINE_BEFORE_EXECUTION:

//mov addr_hwbp,00D950A7
//mov addr_hwbp,00EF4376
mov binary_paste,491000
mov addr_hwbp,00A850A7
												
/**/
/**/

SCRIPT_START:

mov path1,".\log-RESOLVE calls.txt"
mov path2,".\log-RESOLVE calls-BIN.txt"


mov manual,0

msgyn "MANUAL process ??"
cmp $RESULT,1
jne ANALYZE_CALLS
mov manual,1

ANALYZE_CALLS:
	
		lc
		bphws addr_hwbp,"x"


LOOP:

		exec
			pushad
			pushfd
		ende
		
		mov save_ebp,ebp
		mov save_esp,esp

		cmp manual,1
		je LBL
		mov eip,[binary_paste]	
		mov call_addr,[binary_paste]
		jmp COMMON


//.......................................[MANUAL PROCESS]		

LBL:
		ask "set EIP :-"
		cmp $RESULT,"`"
		je END
		cmp $RESULT,0
		jbe LBL

		mov eip, $RESULT
		mov call_addr,$RESULT

//.......................................

COMMON:
		run
		cmp eip,addr_hwbp
		je LOG
		jmp ERR

LOG:
		mov tmp, esp
		add tmp,20
		mov tmp2,[tmp]
		gn eax
		eval "{tmp2} :: {eax}={$RESULT}"
		log $RESULT, ""
		wrta path1, $RESULT
		wrta path1, "\r\n"

		rev tmp2
		
		wrta path2, $RESULT
		wrta path2, " "

		mov tmp_eax, eax
		rev tmp_eax
		
		wrta path2, $RESULT
		wrta path2, "\r\n"
		
		add binary_paste,4
		
		mov ebp,save_ebp
		mov esp,save_esp
		
		exec
			popfd
			popad
		ende

		cmp manual,1
		je LOOP	//................................jump back for another input [MANUAL]
				
		cmp [binary_paste],00000000
		jne LOOP //...............................jump when 481000 place dont have anymore inputs [AUTOMATIC]
		
		jmp END

ERR:
		mov tempo,[binary_paste]
		log tempo
		eval "{tempo} : EIP does'nt match with HWBP-EIP"
		msg $RESULT
		
		mov ebp, save_ebp
		mov esp, save_esp
		exec
			popfd
			popad
		ende

END:
		bphwc addr_hwbp
		ret

