/*
=============================================================================
 Obsidium 1.2.5.0 - script for collecting imports, "code 2"
=============================================================================

This script helps to collect 90% imports in Obsidium 1.2.5.0 protector.
Script works for basic import protection (CRC32 hash decrypting) for
type of imports "code 2". More info find in tutorial.

haggar, BIW reversing
=============================================================================
*/


var addr
var pointer
var thunk
var temp

mov addr,404000

LABEL_01:
find addr,#FF15????4000#     //Signature for call/jump, needs to be changed.
cmp $RESULT,0
je END_01

mov addr,$RESULT
mov eip,addr
mov pointer,$RESULT
add pointer,2
mov pointer,[pointer]
mov thunk,[pointer]
mov temp,thunk
and temp,0FFFF0000
cmp temp, 00B00000       //Address - pointer check, needs to be changed.
    je OK_01
       add addr,6
       jmp LABEL_01
    OK_01:

sti
mov temp,[eip]
and temp,0FFFFFF
cmp temp,0BE6660         //Obsidium jump type check, maybe needs to be changed too.
    je OK_02
       add addr,6
       add esp,4
       jmp LABEL_01
    OK_02:

log addr
log pointer
log thunk
esto

mov temp,edi
add temp,4
mov temp,[temp]
cmp temp,0FFFFFFFF
    je OK_03
       add esp,24
       add addr,6
       jmp LABEL_01
    OK_03:

esto
cmp eax,2
    je OK_04
       add esp,24
       add addr,6
       jmp LABEL_01
    OK_04:

esto
mov [pointer],eax
log eax
log " "
add addr,6
add esp,24



jmp LABEL_01



END_01:




ret
ERROR:
msg "Some error occured in this script."
ret












