//copyright by Pnluck 20005 pnluck@virgilio.it
//if u use this script for write a tutorial, u can put  me in thankses :D
//i must to thanks MaRKuS-DJM and KaGra for their info at http://forum.exetools.com/showthread.php?t=7545

var x_addr     //addr originale
var x_LoadLib  //addr LoadLibraryA
var x_AddrApi
var data_sect
var x_eax
var go
var xvar
var str
var x
var str_eax
var str_edi
var confronta
var iat_section
var save_dll

var save_iats
var save_iate

//chiedo l'addr della .data section
ask "Enter the address of section where is the IAT:"
cmp $RESULT,0
je exit
mov iat_section,$RESULT
mov xvar,$RESULT
ask "Enter the size of same section: "
cmp $RESULT,0
je exit
mov str,$RESULT


//find the start of iat
inizio:
mov x,[iat_section]
cmp x,0
je do_jmp
gn x
cmp $RESULT_1,0
jne trovato1
mov [iat_section],0
do_jmp:
add iat_section,4
jmp inizio

trovato1:
mov save_iats,iat_section
eval "The iat start at {iat_section}"
MSG $RESULT


//find the end of iat
mov iat_section,str
add iat_section,xvar
inizio1:
mov x,[iat_section]
cmp x,0
je do_jmp1
gn x
cmp $RESULT_1,0
jne pre_start
mov [iat_section],0
do_jmp1:
sub iat_section,4
jmp inizio1

pre_start:
mov save_iate,iat_section
add iat_section,4
mov data_sect,iat_section

//ora cancello dall'iat gli addr errati
erase_garbage:
mov x,[save_iats]
gn x
cmp $RESULT_1,0
jne add_addr
mov [save_iats],0
add_addr:
cmp save_iats,save_iate
je start_proc
add save_iats,4
jmp erase_garbage


start_proc:
//domando che call devo analizzare
ask "Enter the address of call to analize:"
cmp $RESULT,0
je exit
mov x_addr,$RESULT 
mov eip,$RESULT
GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je exit
mov x_LoadLib,$RESULT
add x_LoadLib,b
bp x_LoadLib  //setto bp al je di LoadLibraryA
run
bc x_LoadLib
//al bp
//verifico secon i egistri  tutto a posto
cmp eax,0
je vuoi_usci
cmp edi,0
je vuoi_usci
mov x_eax,eax
mov str,""
mov go,1

//inizio della proc hex->ascii
analize:
mov xvar,[x_eax]
shl xvar,8
shl xvar,8
shl xvar,8
shr xvar,8
shr xvar,8
shr xvar,8//prelevo il primo byte


cmp xvar,0
je fin_an

cmp xvar,2e
jne prox_0
mov x,"."
jmp add

prox_0:
cmp xvar,30
jne prox_1
mov x,"0"
jmp add

prox_1:
cmp xvar,31
jne prox_2
mov x,"1"
jmp add

prox_2:
cmp xvar,32
jne prox_3
mov x,"2"
jmp add

prox_3:
cmp xvar,33
jne prox_4
mov x,"3"
jmp add

prox_4:
cmp xvar,34
jne prox_5
mov x,"4"
jmp add

prox_5:
cmp xvar,35
jne prox_6
mov x,"5"
jmp add

prox_6:
cmp xvar,36
jne prox_7
mov x,"6"
jmp add

prox_7:
cmp xvar,37
jne prox_8
mov x,"7"
jmp add

prox_8:
cmp xvar,38
jne prox_9
mov x,"8"
jmp add

prox_9:
cmp xvar,39
jne prox_A
mov x,"9"
jmp add

prox_A:
cmp xvar,41
jne prox_B
mov x,"A"
jmp add

prox_B:
cmp xvar,42
jne prox_C
mov x,"B"
jmp add

prox_C:
cmp xvar,43
jne prox_D
mov x,"C"
jmp add

prox_D:
cmp xvar,44
jne prox_E
mov x,"D"
jmp add

prox_E:
cmp xvar,45
jne prox_F
mov x,"E"
jmp add

prox_F:
cmp xvar,46
jne prox_G
mov x,"F"
jmp add

prox_G:
cmp xvar,47
jne prox_H
mov x,"G"
jmp add

prox_H:
cmp xvar,48
jne prox_I
mov x,"H"
jmp add

prox_I:
cmp xvar,49
jne prox_J
mov x,"I"
jmp add

prox_J:
cmp xvar,4A
jne prox_K
mov x,"J"
jmp add

prox_K:
cmp xvar,4B
jne prox_L
mov x,"K"
jmp add

prox_L:
cmp xvar,4C
jne prox_M
mov x,"L"
jmp add

prox_M:
cmp xvar,4D
jne prox_N
mov x,"M"
jmp add

prox_N:
cmp xvar,4E
jne prox_O
mov x,"N"
jmp add

prox_O:
cmp xvar,4F
jne prox_P
mov x,"O"
jmp add

prox_P:
cmp xvar,50
jne prox_Q
mov x,"P"
jmp add

prox_Q:
cmp xvar,51
jne prox_R
mov x,"Q"
jmp add

prox_R:
cmp xvar,52
jne prox_S
mov x,"R"
jmp add

prox_S:
cmp xvar,53
jne prox_T
mov x,"S"
jmp add

prox_T:
cmp xvar,54
jne prox_U
mov x,"T"
jmp add

prox_U:
cmp xvar,55
jne prox_V
mov x,"U"
jmp add

prox_V:
cmp xvar,56
jne prox_W
mov x,"V"
jmp add

prox_W:
cmp xvar,57
jne prox_X
mov x,"W"
jmp add

prox_X:
cmp xvar,58
jne prox_Y
mov x,"X"
jmp add

prox_Y:
cmp xvar,59
jne prox_Z
mov x,"Y"
jmp add

prox_Z:
cmp xvar,5A
jne prox_a
mov x,"Z"
jmp add

prox_a:
cmp xvar,61
jne prox_b
mov x,"a"
jmp add

prox_b:
cmp xvar,62
jne prox_c
mov x,"b"
jmp add

prox_c:
cmp xvar,63
jne prox_d
mov x,"c"
jmp add

prox_d:
cmp xvar,64
jne prox_e
mov x,"d"
jmp add

prox_e:
cmp xvar,65
jne prox_f
mov x,"e"
jmp add

prox_f:
cmp xvar,66
jne prox_g
mov x,"f"
jmp add

prox_g:
cmp xvar,67
jne prox_h
mov x,"g"
jmp add

prox_h:
cmp xvar,68
jne prox_i
mov x,"h"
jmp add

prox_i:
cmp xvar,69
jne prox_j
mov x,"i"
jmp add

prox_j:
cmp xvar,6A
jne prox_k
mov x,"j"
jmp add

prox_k:
cmp xvar,6B
jne prox_l
mov x,"k"
jmp add

prox_l:
cmp xvar,6C
jne prox_m
mov x,"l"
jmp add

prox_m:
cmp xvar,6D
jne prox_n
mov x,"m"
jmp add

prox_n:
cmp xvar,6E
jne prox_o
mov x,"n"
jmp add

prox_o:
cmp xvar,6F
jne prox_p
mov x,"o"
jmp add

prox_p:
cmp xvar,70
jne prox_q
mov x,"p"
jmp add

prox_q:
cmp xvar,71
jne prox_r
mov x,"q"
jmp add

prox_r:
cmp xvar,72
jne prox_s
mov x,"r"
jmp add

prox_s:
cmp xvar,73
jne prox_t
mov x,"s"
jmp add

prox_t:
cmp xvar,74
jne prox_u
mov x,"t"
jmp add

prox_u:
cmp xvar,75
jne prox_v
mov x,"u"
jmp add

prox_v:
cmp xvar,76
jne prox_w
mov x,"v"
jmp add

prox_w:
cmp xvar,77
jne prox_x
mov x,"w"
jmp add

prox_x:
cmp xvar,78
jne prox_y
mov x,"x"
jmp add

prox_y:
cmp xvar,79
jne prox_z
mov x,"y"
jmp add

prox_z:
cmp xvar,7A
jne exit
mov x,"z"
jmp add

add:
eval "{str}{x}"
mov str,$RESULT
inc x_eax
jmp analize

fin_an:
cmp go,1
je ana_edi
jne fin_str_cov


ana_edi:
mov str_eax,str
mov str,""
mov x_eax,edi
inc go
jmp analize
//fine proc hex->ascii

fin_str_cov:
//trovo l'addr
mov str_edi,str
GPA str_edi,str_eax
cmp $RESULT,0
je exit
mov x,$RESULT

//inizio la ricerca di un dword usabile
start_trovo:
cmp save_dll,str_eax
je trovato
add data_sect,4
mov save_dll,str_eax

trovato:
mov [data_sect],x
trov:
eval "jmp dword ptr [{data_sect}]"
asm x_addr,$RESULT


mov eip,x_addr
MSGYN "Rebuild another call?"
cmp $RESULT,1
jne fine
add data_sect,4
jmp start_proc

fine:
ret

exit:
MSG "Error" 
ret

vuoi_usci:
MSGYN "Error: eax or edi value is 0, do you want continue with analising?"
cmp $RESULT,1
jne fine
mov eip,x_addr
jmp start_proc