﻿/*
调试环境 : OllyDbg 1.1(修改版), ODBGScript 1.52, HideOD V0.17, WINXP
调试选项 : 设置 OllyDbg 除了 INT 3 异常选项, 忽略所有异常选项 .

*/

var codeseg
var tmp1
var tmp2
var tmp3
var tmp4
var tmp5
var tmp6
var tmp7
var tmp8
var tmp9
var imgbase
var signVA
var 1stsecsize
var 1stsecbase
var lastsecbase
var lastsecsize
var rangeaddr
var range
var SizeofImage
var fs30
var LoaderData
var ESP_EP
var EPAddr
var codeloc
var hOEP
var Delphi10
var RTaddr
var CTpatch
var kfreeloc
var RPMpatch
var ZCpatch
var newZCaddr
var config1
var noncrypted
var caller

//IAT fix
var _esp
var iat_start
var iat_end
var iat_cur
var addr
var iatsecsize
var iend
var mbase
var msize
var iatcrypted
var v22x

//VM
var dataloc
var vpcount

cmp $VERSION, "1.52"
jb odbgver
BPHWCALL
mov tmp1, eax
mov tmp2, eip
gpa "IsDebuggerPresent", "kernel32.dll"
mov tmp3, $RESULT
cmp tmp3, 0
je @error
mov eip, tmp3
sti
sti
mov fs30, eax        //PEB
sti
mov eip, tmp2
mov eax, tmp1
mov LoaderData, [fs30+0c]
mov tmp2, [fs30+8]     //PEB+8 ImageBaseAddress
mov imgbase, tmp2
log imgbase
mov tmp1, [imgbase+3C]    //40003C
add tmp1, imgbase         //tmp1=signature VA
mov signVA, tmp1
mov tmp2, [signVA+28]
add tmp2, imgbase
mov EPAddr, tmp2
log EPAddr                  //EP
gmemi EPAddr,MEMORYBASE
mov codeseg,$RESULT
mov SizeofImage, [signVA+50]
log SizeofImage
mov 1stsecsize, [signVA+100]
log 1stsecsize
mov 1stsecbase, [signVA+104]
mov [signVA+2c], 1stsecbase
add 1stsecbase, imgbase
log 1stsecbase
mov tmp1, signVA
add tmp1, f8             //1st section
mov tmp2, [signVA+6], 2

last:
cmp tmp2, 1
je lastfound
add tmp1, 28
sub tmp2, 1
jmp last

lastfound:
add tmp1, 8
mov lastsecsize, [tmp1]
add tmp1, 4
mov tmp3, [tmp1]
add tmp3, imgbase
mov lastsecbase, tmp3

mov tmp2, [signVA+C0]     //TLS table
add tmp2, imgbase
mov tmp1, [tmp2+0C]
mov tmp3, [tmp1]
log tmp3                  //CallBackTableVA
mov tmp1, tmp3
sub tmp1, EPAddr
cmp tmp1, 10
jb lab1
mov config1, 1
   
lab1:
log config1
BPHWS tmp3, "x"
run
BPHWC tmp3
gpa "CreateThread", "kernel32.dll"
mov tmp1, $RESULT
GMEMI tmp1, MEMORYBASE
mov tmp2, $RESULT
GMEMI tmp1, MEMORYSIZE
mov tmp3, $RESULT
mov tmp4, tmp3
sub tmp4, 1000
add tmp4, tmp2
find tmp4, #00000000000000000000000000000000#
mov tmp2, $RESULT
cmp tmp2, 0
je @error
and tmp2, 0FFFFFFF0
add tmp2, 30
mov kfreeloc, tmp2
find tmp1, #FF751C#
mov CTpatch, $RESULT
cmp CTpatch, 0
je @error
eval "push {kfreeloc}"
asm CTpatch, $RESULT
mov tmp1, CTpatch
add tmp1, 5
mov [tmp1], #C3#
mov [tmp2], #FF751CC7451804000000FF7518#
add tmp2, 0D
add tmp1, 1
eval "push {tmp1}"
asm tmp2, $RESULT
add tmp2, 5
mov [tmp2], #C3#
gpa "ReadProcessMemory", "kernel32.dll"
mov tmp1, $RESULT
cmp tmp1, 0
je @error
find tmp1, #FF7510FF750C#
mov RPMpatch, $RESULT
cmp RPMpatch, 0
je @error
mov tmp4, kfreeloc
add tmp4, 30
eval "push {tmp4}"
asm RPMpatch, $RESULT
mov tmp2, RPMpatch
add tmp2, 5
mov [tmp2], #C3#
mov [tmp4], #C7450C00004000FF7510FF750C#
mov tmp1, tmp4
add tmp1, 3
mov [tmp1], imgbase
add tmp1, 0A
add tmp2, 1
eval "push {tmp2}"
asm tmp1, $RESULT
add tmp1, 5
mov [tmp1], #C3#
gpa "ResumeThread", "kernel32.dll"
mov RTaddr, $RESULT
cmp RTaddr, 0
je @error
mov [RTaddr], #C20400#
gpa "ZwClose", "ntdll.dll"
mov ZCpatch, $RESULT
GMEMI ZCpatch, MEMORYBASE
mov tmp2, $RESULT
GMEMI ZCpatch, MEMORYSIZE
mov tmp3, $RESULT
mov tmp4, tmp3
sub tmp4, 1000
add tmp4, tmp2
find tmp4, #00000000000000000000000000000000#
mov tmp1, $RESULT
cmp tmp1, 0
je @error
and tmp1, 0FFFFFFF0
add tmp1, 30
mov newZCaddr, tmp1
log newZCaddr
mov [newZCaddr], #817C2404001000007203C20400#
find ZCpatch, #C20400#
mov tmp3, $RESULT
cmp tmp3, 0
je @error
sub tmp3, ZCpatch      //bytes to copy
mov tmp1, newZCaddr
add tmp1, 0D
mov tmp2, ZCpatch

loop2:
cmp tmp3, 0
je lab2
mov tmp4, [tmp2], 1
mov [tmp1], tmp4
add tmp1, 1
add tmp2, 1
sub tmp3, 1
jmp loop2

lab2:
eval "push {newZCaddr}"
asm ZCpatch, $RESULT
mov tmp2, ZCpatch
add tmp2, 5
mov [tmp2], #C3#
log tmp1
mov [tmp1], #C20400#
gpa "LdrLoadDll", "ntdll.dll"
mov tmp5, $RESULT
log tmp5
bc EPAddr
cmp config1, 1
jne lab3
find 1stsecbase, #558BEC#
mov tmp1, $RESULT
cmp tmp1, 0
jne lab2_1
find 1stsecbase, #33C0#
mov tmp1, $RESULT
cmp tmp1, 0
je lab3

lab2_1:
mov noncrypted, 1
jmp lab7

lab3:
bp tmp5
eoe lab4
eob lab4
esto

lab4:
cmp eip, tmp5
je lab5
mov tmp1, eip
sub tmp1, 1
mov tmp1, [tmp1]
and tmp1, FF
cmp tmp1, CC
je lab4_1
esto

lab4_1:
BPHWCALL
esto

lab5:
bc tmp5
BPHWCALL
gpa "ZwTerminateProcess", "ntdll.dll"
mov tmp1, $RESULT
cmp tmp1, 0
je @error
mov tmp2, esp
add tmp2, 2C
mov tmp3, 4

loop3:
cmp tmp3, 0
je lab7
mov tmp4, [tmp2]
cmp tmp1, tmp4
je lab6
add tmp2, 4
sub tmp3, 1
jmp loop3

lab6:
msg "OD 被发现了!"
pause
jmp end

lab7:
cmp eip, EPAddr
je lab9
bp EPAddr
eoe lab8
eob lab8
esto

lab8:
cmp eip, EPAddr
je lab9
esto

lab9:
mov ESP_EP, esp
log ESP_EP
BPHWCALL
bc EPAddr
GMEMI eip, MEMORYBASE
mov codeseg, $RESULT
mov tmp1, 1stsecsize
add tmp1, 1stsecbase
add tmp1, 1
find tmp1, #558bec#
mov tmp2, $RESULT
cmp tmp2, 0
je lab9_1
mov Delphi10, 1

lab9_1:
cmp noncrypted, 1
je lab16
mov tmp1, codeseg
sub tmp1, 1
GMEMI tmp1, MEMORYBASE
mov rangeaddr, $RESULT
GMEMI tmp1, MEMORYSIZE
mov range, $RESULT
bprm rangeaddr, range
eob lab10
eoe lab11
esto

lab10:
mov tmp1, eip
sub tmp1, 1
mov tmp2, [tmp1], 1
cmp tmp2, CC
je lab11
mov tmp1, rangeaddr
add tmp1, range
cmp eip, tmp1
ja lab11
cmp eip, rangeaddr
jb lab11
jmp lab12

lab11:
find eip, #8B12F62A3CA4#   //search "mov edx,[edx],"imul byte [edx]", "cmp al, A4"
mov tmp1, $RESULT
esto

lab12:
cmp ecx, edx
jne lab12_5
cmp ecx, eip
je lab12_3
mov tmp1, ecx
mov tmp3, [tmp1], 1
cmp tmp3, 0E8
jne lab12_2
mov tmp2, ecx
add tmp2, 5
mov tmp3, [esp]
cmp tmp2, tmp3
je lab12_1
mov tmp3, [esp+4] 
cmp tmp2, tmp3
jne lab12_5
add esp, 8
mov eip, ecx
jmp lab12_3

lab12_1:
add esp, 4
mov eip, ecx
jmp lab12_3

lab12_2:
cmp tmp3, 0E9
jne lab12_4
mov tmp2, [tmp1+1]
add tmp1, tmp2
add tmp1, 5
cmp tmp1, eip
jne lab12_5
cmp ESP_EP, esp
jne lab12_5
cmp ecx, 1stsecbase
jb lab12_5
mov tmp2, 1stsecbase 
add tmp2, 1stsecsize
cmp ecx, tmp2
ja lab12_5
mov hOEP, eip
jmp lab17

lab12_3:
mov hOEP, ecx
jmp lab17

lab12_4:
findop ecx, #E9#
mov tmp1, $RESULT
cmp tmp1, 0
je lab12_5
mov tmp2, [tmp1+1]
add tmp2, tmp1
add tmp2, 5
cmp tmp2, eip
jne lab12_5
mov eip, ecx
mov esp, ESP_EP
mov hOEP, ecx
jmp lab17

lab12_5:
eob lab10
eoe lab11
esto

lab16:
mov hOEP, EPAddr

lab17:
mov tmp1, LoaderData
add tmp1, 60
mov [tmp1], SizeofImage     //correct Size of image
bpmc
mov range, 1stsecsize
cmp Delphi10, 1
jne lab17_1
mov tmp1, 1stsecsize
add tmp1, 1stsecbase
add tmp1, 1
GMEMI tmp1, MEMORYSIZE
add range, $RESULT

lab17_1:
mov tmp6, eip
alloc 10000
mov codeloc, $RESULT
mov tmp1, codeloc
mov [tmp1], #609C33C0B0E9B900600000BF00104000F2AE8B1703D783C20481FAE5FB4000740F83F90075EA9D61686E614E00C30000#
add tmp1, 30
mov [tmp1], #C70550003F0001000000893D54003F00EBE40000000000000000000000000000#
mov tmp1, codeloc
add tmp1, 7     //7
mov [tmp1], range
add tmp1, 5     //C
mov [tmp1], 1stsecbase
add tmp1, 0F    //1B
mov [tmp1], hOEP
add tmp1, 0E    //29
mov [tmp1], tmp6
mov tmp2, codeloc 
add tmp2, 50    //50
mov tmp3, tmp2
add tmp3, 4     //54
add tmp1, 09    //32
mov [tmp1], tmp2
add tmp1, 0A    //3C
mov [tmp1], tmp3
mov eip, codeloc
bp tmp6
eob lab17_2
eoe lab17_2
run

lab17_2:
cmp eip, tmp6
je lab18
esto

lab18:
bc tmp6
mov tmp1, [tmp2]
cmp tmp1, 1
je lab22
mov tmp4, 0
bprm 1stsecbase, range
eob lab19
eoe lab19
esto

lab19:
mov tmp1, esp
cmp ESP_EP, tmp1
je lab21
cmp tmp4, 8
je lab19_1
add tmp4, 1
esto

lab19_1:
bpmc
mov tmp3, ESP_EP
sub tmp3, 4
bphws tmp3, "r"
eob lab20
eoe lab20
esto

lab20:
cmp ESP_EP, esp
je lab20_1
esto

lab20_1:
mov tmp1, eip
cmp tmp1, 1stsecbase
jb lab20_2
mov tmp2, 1stsecbase
add tmp2, range
cmp tmp1, tmp2
jb lab21

lab20_2:
bphwc tmp3
bprm 1stsecbase, range
mov tmp4, 0
eob lab19
eoe lab19
esto

lab21:
bpmc
BPHWCALL
mov hOEP, eip
cmp noncrypted, 1
je lab21_1
msg "这儿是 OEP ?"
jmp lab21_3

lab21_1:
MSGYN "这儿是 OEP ? 程序代码没加密, 按 YES 将继续进行修复 IAT."
cmp $RESULT, 1
jne end
cmp lastsecsize, 1000
je lab21_2
mov codeseg, lastsecbase
jmp lab21_3

lab21_2:
mov tmp1, lastsecbase
sub tmp1, 1
gmemi tmp1,MEMORYBASE
mov codeseg,$RESULT

lab21_3:
mov tmp6, eip
jmp start

lab22:
mov tmp1, [tmp3]
sub tmp1, 1
mov hOEP, tmp1
eval "OEP == {tmp1}"
cmt eip, $RESULT
cmp noncrypted, 1
je lab22_1
eval "这儿是伪 OEP, OEP == {hOEP}."
msg $RESULT
jmp lab22_3

lab22_1:
eval "这儿是伪 OEP, OEP == {hOEP}, 程序代码没加密, 按 YES 将继续进行修复 IAT."
MSGYN $RESULT
cmp $RESULT, 1
jne end
cmp lastsecsize, 1000
je lab22_2
mov codeseg, lastsecbase
jmp lab22_3

lab22_2:
mov tmp1, lastsecbase
sub tmp1, 1
gmemi tmp1,MEMORYBASE
mov codeseg,$RESULT

lab22_3:
mov tmp6, eip

start:
cob
coe
mov iend, SizeofImage
add iend, imgbase
mov count,0
mov iatbase,0

lab25:
mov tmp1, codeloc
mov [tmp1], #609CBD0003B000B8FF000000B9FC5F0000BF0010400033F6F2AE803F157421803F25741C83F90075EF90909D61000000#
add tmp1, 30
mov [tmp1], #000000000000000000000000000000908B5F0181FB0010400072CD81FB00B0420077C5895D0083FE10740683C5044675#
add tmp1, 30    //60
mov [tmp1], #B733DB8B45002500F0FFFF83FB0075048BD8EB043BD875184E83FE0074AB83ED04EBE00000000000000000000000009090909D61#
mov tmp1, codeloc
mov tmp2, tmp1
add tmp1, 3    //3
add tmp2, 300   //codeloc+300
mov [tmp1], tmp2
add tmp1, 0A   //0D
mov tmp2, SizeofImage
sub tmp2, 1004
mov [tmp1], tmp2
add tmp1, 5   //12
mov [tmp1], 1stsecbase
add tmp1, 33  //45
mov [tmp1], 1stsecbase
add tmp1, 8   //4D
mov tmp2, SizeofImage
add tmp2, imgbase
mov [tmp1], tmp2
mov tmp3, codeloc
mov tmp4, tmp3
add tmp3, 29    //end point
bp tmp3
add tmp4, 90    //error point
bp tmp4
mov tmp6, eip
mov eip, codeloc
eob lab26
eoe lab26
run

lab26:
cmp eip, tmp3
je lab27
cmp eip, tmp4
je lab28
jmp @error

lab27:
cob
coe
bc tmp3
bc tmp4
mov iatbase, ebx
sti
sti
sti
sti
mov eip, tmp6
fill codeloc, 400, 00
jmp lab29

lab28:
msg "无法找到输入表区段!"
jmp @error

//chk IAT start, IAT end
lab29:
gmemi iatbase,MEMORYSIZE
mov iatsecsize,$RESULT
mov tmp1, codeloc
mov [tmp1], #609CBD0003D100BF00B05A00B9FC3F00008B0783F800752883E90483C70483F90077EE9090909D619000000000000000#
add tmp1, 30
mov [tmp1], #00000000000000000000000000000090609C8BC78BDFBF00104000B9FC9F380066F2AF83F90074483947FE75F366817F#
add tmp1, 30    //60
mov [tmp1], #FCFF15740866817FFCFF2575E3837D04007503894504894508C7450C000000008B003D00104000720E3D003045007707#
add tmp1, 30    //90
mov [tmp1], #C74500010000009D61E97AFFFFFF0000837D0400740D837D0C080F8473FFFFFFFF450C9D61E95EFFFFFF000000000000#
mov tmp1, codeloc
mov tmp2, tmp1
add tmp1, 3    //3
add tmp2, 300   //codeloc+300
mov [tmp1], tmp2
add tmp1, 5    //8
mov [tmp1], iatbase
add tmp1, 05   //0D
mov tmp2, iatsecsize
sub tmp2, 4
mov [tmp1], tmp2
add tmp1, 3A   //47
mov [tmp1], 1stsecbase
add tmp1, 5    //4C
mov tmp2, SizeofImage
sub tmp2, 1004
shr tmp2, 1
mov [tmp1], tmp2
add tmp1, 37   //83
mov [tmp1], 1stsecbase
add tmp1, 7    //8A
mov tmp2, SizeofImage
add tmp2, imgbase
mov [tmp1], tmp2
mov tmp6, eip
mov eip, codeloc
mov tmp4, codeloc
add tmp4, 23    //endpoint
bp tmp4
eob lab30
eoe lab30
run

lab30:
cmp eip, tmp4
je lab31
jmp @error

lab31:
cob
coe
bc tmp4
mov tmp1, codeloc
add tmp1, 300
mov iatcrypted, [tmp1]
mov iat_start, [tmp1+4]
mov iat_end, [tmp1+8]
sti
sti
sti
sti
sti
mov eip, tmp6
fill codeloc, 400, 00
mov tmp1, iat_end
mov tmp4, 2

lab32:
cmp tmp4, 0
je lab34
mov tmp2, [tmp1]
cmp tmp2, 0
je lab33
gn tmp2
mov tmp3, $RESULT_2
cmp tmp3, 0
je lab34
mov iat_end, tmp1
add tmp1, 4
mov tmp4, 2
jmp lab32

lab33:
add tmp1, 4
sub tmp4, 1
jmp lab32

lab34:
cmp iatcrypted, 1
je lab50
jmp iatskip

lab50:
log iat_start
log iat_end
mov tmp6, eip
mov tmp1, codeloc
mov [tmp1], #60B889000000BD000FE200B9FCFF3000BF00104000BE000EE200F2AE83F90074178B1781E2FFFF000081FA45F4000074#
add tmp1, 30       //30
mov [tmp1], #0FEBE790909090909061909090909090508BD783C202895504895508C74514000000008B5D088B0325FFFFFF003D8B45#
add tmp1, 30       //60
mov [tmp1], #F400741CE897010000837D10007402EBE258EBA6909090909090909090909090C7451000000000C74514000000008B45#
add tmp1, 30       //90
mov [tmp1], #0883C303895D088B5D088B0325FFFFFF003D3B45EC007428E853010000837D10007402EBE258E95FFFFFFF0000000000#
add tmp1, 30       //C0
mov [tmp1], #000000000000000000000000000000908BC783E80189065883C604E93AFFFFFF#
add tmp1, 140      //200
mov [tmp1], #608B5D088B0325FF00FFF03D87002450743E3D8900245074373CE874633C680F84AB0000003CE90F84F30000008B0325#
add tmp1, 30       //230
mov [tmp1], #FFF000003D0F8000000F842101000090C745100000000061C3000000000000908BCB83C104C7451001000000C7451400#
add tmp1, 30       //260
mov [tmp1], #000000894D0861C3000000000000000000000000000000000000000000000000837D1401742A8B4B0103CB83C105E81D#
add tmp1, 30       //290
mov [tmp1], #01000085C07419C7451001000000C7451401000000894D0861C3000000009090C745100000000061C300000000000000#
add tmp1, 30       //2C0
mov [tmp1], #00000000000000000000000000000090837D1401742A807B05E975248B4B01E8CC00000085C07418894D08C745100100#
add tmp1, 30       //2F0
mov [tmp1], #000061C3000000000000000000000000C745100000000061C300000000000000# 
add tmp1, 30       //320
mov [tmp1], #837D1401742A8B4B0103CB83C105E87D00000085C07419894D08C745100100000061C300000000000000000000000090#
add tmp1, 30       //350
mov [tmp1], #C745100000000061C300000000000090837D1401742A8B4B0203CB83C106E83D00000085C07419894D08C74510010000#
add tmp1, 30       //380
mov [tmp1], #0061C300000000000000000000000090C745100000000061C300000000000000#
add tmp1, 30       //3B0
mov [tmp1], #33C081F900104000720981F9FF1F7100770140C3000000000000000000000000#
mov tmp1, codeloc
mov tmp2, tmp1
mov tmp3, tmp1
add tmp2, 0f00     //codeloc+0f00
add tmp3, 0e00     //codeloc+0e00
add tmp1, 7        //7
mov [tmp1], tmp2
add tmp1, 5        //0c
mov tmp2, SizeofImage
sub tmp2, 1004
mov [tmp1], tmp2
add tmp1, 5        //11
mov [tmp1], 1stsecbase
add tmp1, 5        //16
mov [tmp1], tmp3
add tmp1, 39E      //3B4
mov [tmp1], 1stsecbase
add tmp1, 8        //3BC
mov tmp2, lastsecbase
add tmp2, lastsecsize
mov [tmp1], tmp2
mov tmp5, codeloc
add tmp5, 38       //end point
bp tmp5
mov eip, codeloc
eob lab50_2
eoe lab50_2
run

lab50_2:
cmp eip, tmp5
je lab51
jmp @error

lab51:
cob
coe
bc tmp5
mov tmp4, esi
sti
sti
mov eip, tmp6
log tmp4
mov tmp1, codeloc
add tmp1, 0e00

setbk:
cmp tmp1, tmp4
je @iatinit
mov tmp2, [tmp1]
bp tmp2
inc count
add tmp1, 4
jmp setbk

@iatinit:
    cmp iatbase,0
    je @error
    cmp count,0
    je wrongver 
    
@contiat:
    mov iat_cur, iat_start
    mov _esp,esp
    mov count,0    
    jmp @imprec_1

@imprec:
    add iat_cur,4

@imprec_1:
    cmp iat_cur,iat_end
    ja @iatend
    mov addr,[iat_cur]
    cmp addr,0
    je @imprec
    cmp addr,imgbase
    jb @imprec
  
@next: 
    cmp addr,iend
    inc count
    mov tmp2,iat_cur
    ja @imprec
    cmp addr,iatbase
    jae next1
    jmp next2

next1: 
    cmp addr,iat_end
    jbe @iatend

next2:  
    mov esp,_esp
    mov eip,addr
    mov [esp],eip
    bpwm iat_cur, 4
    esto

next3:
    BPHWC iat_cur
    mov tmp1, eip
    mov tmp1, [tmp1+2]
    cmp tmp1, iat_cur
    jne next4
    sti
    jmp @imprec

next4:
    mov tmp4, count
    mov tmp1, codeloc
    add tmp1, 0e00

next5:
    cmp tmp4, 0
    je @iaterror
    mov tmp3, [tmp1]
    cmp tmp3, 0
    je @iaterror
    cmp eip, tmp3
    je next6
    add tmp1, 4
    dec tmp4
    jmp next5

next6:
    mov [iat_cur],eax    
    jmp @imprec

@iatend:
bphwcall
mov iat_end,tmp2
mov esp,_esp
mov eip,tmp6
mov tmp1, codeloc
add tmp1, 0e00

rlsbk:
mov tmp2, [tmp1]
cmp tmp2, 0
je iatfixok
bc tmp2
add tmp1, 4
jmp rlsbk

iatfixok:
log hOEP, "OEP= "
log iat_start
log iat_end
//log iatbase
eval "OEP : {hOEP} , IAT 起始地址: {iat_start} ,  IAT 结束地址: {iat_end}"
msg $RESULT
pause
jmp end    

iatskip:
log hOEP, "OEP= "
log iat_start
log iat_end
//log iatbase
eval "OEP : {hOEP} , IAT 没加密!  IAT 起始地址: {iat_start} ,  IAT 结束地址: {iat_end}."
msg $RESULT
pause
jmp end

odbgver:
msg "本脚本须配合 ODbgscript 1.52 或以上的版本"
jmp end

wrongver:
msg "本脚本不支持这版的 execryptor."
jmp end

@error:
bphwcall
msg "ERROR!"
pause
jmp end

@iaterror:
msg "修复 IAT 时出错!"
pause

end:
ret