﻿// execriptor v1+iat
//  by Apuromafo        
//  iat solutions exist as 3 form
//  this change simply whit jump most easy--
//  other form is in change..0046B669   8947 04          MOV DWORD PTR DS:[EDI+4],EAX
//  other is 0046B669   8947 04          MOV DWORD PTR DS:[EDI+4],EAX
//  0046B66C   8902             MOV DWORD PTR DS:[EDX],EAX
//  but all need
//  this line (see in script)
//  find eip, #7408#
//  fill $RESULT,1,eb
//  for the crc? or pseudo crc that have this program
//  well enjoy
//  
var addr
var error
var temp
msg "Alert"
msg "clear all hadware breackpoint"
find eip, #e2c5??#
mov temp, $RESULT
bphws temp, "x"
run
//  0046B0DF   . F8             CLC
//  0046B0E0   . 2C 39          SUB AL,39
//  0046B0E2   . AA             STOS BYTE PTR ES:[EDI]
//  0046B0E3 --->  .^E2 C5          LOOPD SHORT UnPackMe.0046B0AA
//  0046B0E5   . 39F0           CMP EAX,ESI
//  0046B0E7   . 46             INC ESI
//  0046B0E8   . 40             INC EAX
//  0046B0E9   . 3168 3E        XOR DWORD PTR DS:[EAX+3E],EBP
//  0046B0EC   . 38A1 CC188BEE  CMP BYTE PTR DS:[ECX+EE8B18CC],AH
//  0046B0F2   . 128D C804876A  ADC CL,BYTE PTR SS:[EBP+6A8704C8]
//  
//msg temp
bphwc temp
add temp,2
//  
//  0046B0E3   .^E2 C5          LOOPD SHORT UnPackMe.0046B0AA
//  0046B0E5--->   . 8BF0           MOV ESI,EAX
//  
bphws temp, "x"
run
//  
//  0046B0E3   .^E2 C5          LOOPD SHORT UnPackMe.0046B0AA
//  0046B0E5->>   . 8B4424 20      MOV EAX,DWORD PTR SS:[ESP+20]           ;  kernel32.7C816D4F
//  now is decoded
//  
//msg temp
bphwc temp
//  start iat change n*º1----------------------
//  0046B643   . 81FB 00000070  CMP EBX,70000000
//  0046B649     72 08          JB SHORT UnPackMe.0046B653
//  to
//  0046B643   . 81FB 00000070  CMP EBX,70000000
//  0046B649     ->eb 08        Jmp SHORT UnPackMe.0046B653
//  
var iat1
find eip, #7208#
fill $RESULT,1,eb
find eip, #83f801#
mov iat1, $RESULT
bp iat1
//now go to other way
find eip, #e841??#
//
//  
//  0046B119   > 8D85 C9274000  LEA EAX,DWORD PTR SS:[EBP+4027C9]
//  0046B11F   . B9 AC060000    MOV ECX,6AC
//  0046B124--->   . E8 41020000    CALL UnPackMe.0046B36A
//  0046B129   . 8985 D22F4000  MOV DWORD PTR SS:[EBP+402FD2],EAX
//  now bp
//  
mov temp, $RESULT
bphws temp, "x"
//msg temp
run
bphwc temp
mov addr,esp
//  
//  now in esp
//  EAX 0046B060 UnPackMe.<ModuleEntryPoint>
//  ECX 000006AC
//  EDX 7C91EB94 ntdll.KiFastSystemCallRet
//  EBX 7FFD6000
//  ESP -->0012FFA4
//  EBP 00068897
//  ESI 0046BD7B UnPackMe.0046BD7B
//  EDI 0046BD7B UnPackMe.0046BD7B
//  EIP 0046B124 UnPackMe.0046B124
//  folow in dump esp..bp access dword
//  
bphws addr,"r"
//msg addr
run
//  
//  0046B7DF-->   50               PUSH EAX                                ; UnPackMe.0046B78E
//  0046B7E0   33C0             XOR EAX,EAX
//  0046B7E2   64:FF30          PUSH DWORD PTR FS:[EAX]
//  0046B7E5   64:8920          MOV DWORD PTR FS:[EAX],ESP
//  0046B7E8   EB 01            JMP SHORT UnPackMe.0046B7EB
//  
//  push eax..
//  
//  
//  now in iat. remember
//  
bc iat1
find eip, #7408#
fill $RESULT,1,eb
run
bphwc addr
mov addr,eax
//  
//  EAX --> 0046B78E UnPackMe.0046B78E
//  ECX 0012FFB0
//  EDX 7C91EB94 ntdll.KiFastSystemCallRet
//  EBX 600084E3
//  ESP 0012FFC4
//  EBP 0012FFF0
//  ESI FFFFFFFF
//  EDI 7C920738 ntdll.7C920738
//  EIP 0046B7DF UnPackMe.0046B7DF
//  
bphws addr,"x"
run
bphwc addr
//  
//  0046B78E   55               PUSH EBP
//  0046B78F   8BEC             MOV EBP,ESP
//  0046B791   57               PUSH EDI
//  0046B792   8B45 10          MOV EAX,DWORD PTR SS:[EBP+10]
//  0046B795   8BB8 C4000000    MOV EDI,DWORD PTR DS:[EAX+C4]
//  0046B79B   FF37             PUSH DWORD PTR DS:[EDI]
//  0046B79D   33FF             XOR EDI,EDI
//  0046B79F   64:8F07          POP DWORD PTR FS:[EDI]
//  0046B7A2   8380 C4000000 08 ADD DWORD PTR DS:[EAX+C4],8
//  0046B7A9   8BB8 A4000000    MOV EDI,DWORD PTR DS:[EAX+A4]
//  0046B7AF   C1C7 07          ROL EDI,7
//  0046B7B2  >edi have mi oep here is 0 and change to oep-> 89B8 B8000000    MOV DWORD PTR DS:[EAX+B8],EDI
//  0046B7B8  >edi have oep now is ok> B8 00000000      MOV EAX,0
//  0046B7BD   5F               POP EDI
//  0046B7BE   C9               LEAVE
//  0046B7BF   C3               RETN
//  
sti
sti
sti
sti
sti
sti
sti
sti
sti
sti
sti
sti
//
mov addr,edi
//  
//  0046B7B8 edi reach my oep
//  
bp addr
//msg "the oep is"
//msg addr
run
bc addr
an eip
cmt eip,"<- this is the OEP, dump and fix the iat(iat is resolved..)"
ret