Hi everybody, I made an OllyScript that allows rebuilding calls to APIs protected with this type of import-table (IT) protection.
You only have to enter the in-memory address of the original data section (the 2nd section, the one without a name) and the address of the call to analyse [img]http://woodmann.com/forum/images/smilies/biggrin.gif[/img]
Only for executables protected with Advanced Import! Note that the script sets EIP to the call you enter and then runs the target until a breakpoint inside LoadLibraryA is hit, so the protected code really executes in the debugger — analyse untrusted samples in an isolated VM. The breakpoint is placed at a fixed offset (+0xB) inside LoadLibraryA that matches the author's kernel32.dll; check that offset against your own kernel32 before using the script.
hxxp://pnluck.altervista.org/source.html
I hope this is useful [img]http://woodmann.com/forum/images/smilies/biggrin.gif[/img]
// copyright by Pnluck 2005 pnluck@virgilio.it
// if you use this script to write a tutorial, you can put me in the thanks :D
// I must thank MaRKuS-DJM and KaGra for their info at http://forum.exetools.com/showthread.php?t=7545
// Script state. All addresses refer to the debuggee's address space.
// --- user input / target addresses ---
var x_addr        // address of the call being analysed (entered by the user)
var x_LoadLib     // breakpoint address inside LoadLibraryA (GPA result + fixed offset)
var x_AddrApi
// --- original data section bounds ---
var data_sect     // start of the original data section
var save_data     // copy of the data-section start
var end_data      // end of the data section (start + user-supplied size)
// --- scratch used by the name-extraction loop ---
var x_eax         // EAX captured when the LoadLibraryA breakpoint is hit
var xvar          // dword read from [x_eax], reduced to one byte
var go            // presumably a loop flag; set to 1 before the loop starts
var x
var str           // string being assembled
var str_eax
var str_edi
// --- register copies (presumably save slots used later in the script) ---
var sav_eax
var sav_ecx
var sav_edx
var sav_ebx
var sav_esp
var sav_ebp
var sav_esi
var sav_edi
// Prompt for the original .data section: start address, then size.
// A cancelled prompt (or a literal 0) aborts the script via `exit`.
ask "Enter the address of data section."
cmp $RESULT,0
je exit
mov data_sect,$RESULT
mov save_data,data_sect   // keep an untouched copy of the start address
mov end_data,data_sect
ask "Enter the size of data section."
cmp $RESULT,0
je exit
add end_data,$RESULT      // end_data = data_sect + size
start_proc:
// Ask which call has to be analysed (cancel / 0 aborts via `exit`).
ask "Enter the address of call to analize:"
cmp $RESULT,0
je exit
mov x_addr,$RESULT
// Execution of the debuggee restarts at the user-supplied call site,
// i.e. the protected program's own code runs from here on.
mov eip,$RESULT
// Resolve LoadLibraryA in kernel32.dll; 0 means it was not found.
GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je exit
mov x_LoadLib,$RESULT
// NOTE(review): +0xB is a hard-coded offset into LoadLibraryA chosen to land
// on the `je` of the author's kernel32.dll build. On another Windows build the
// breakpoint can land on a different instruction (or mid-instruction) and EAX
// will not hold the expected value — verify the offset against your kernel32.
add x_LoadLib,b
bp x_LoadLib // bp on the je inside LoadLibraryA
// The script resumes only when this breakpoint is hit; if the code at x_addr
// never reaches LoadLibraryA the script does not regain control.
run
bc x_LoadLib
// At the breakpoint: capture EAX (read from below as a pointer into debuggee memory).
mov x_eax,eax
mov str,""
mov go,1 // presumably a loop flag for the procedure that follows
// start of the hex->ascii procedure
analize:
mov xvar,[x_eax]
shl xvar,8
shl xvar,8
shl xvar,8
shr xvar,8
shr xvar,8
shr xvar,8//prelevo il primo byte