[Dongle] HASP HL Envelope IAT Fixer

Hmily 发表于 2009-7-21 16:05
/*************************************************
HASP HL Envelope IAT Fixer

Author: light.phoenix
Homepage: reaonline.net

History:
+ v0.0.1: November 08, 2008.

Tools: WinXP SP2, OllyICE, OllyDbg Script 1.64.3
Notes:
- Use this script after stopping at the OEP.
- Some emulated functions need to be resolved manually:
GetCommandLineA
GetProcAddress
GetCurrentProcess
GetStartupInfoA
GetCurrentProcessId
**************************************************/

 /*************************************************
HASP HL Envelope IAT Fixer
  
Author: light.phoenix
Homepage: reaonline.net

History:
    + v0.0.1: November 08, 2008.
  
Tools: WinXP SP2, OllyICE, OllyDbg Script 1.64.3
Notes:
- Use this script after stopping at the OEP.
- Some emulated functions need to be resolved manually:
    GetCommandLineA
    GetProcAddress
    GetCurrentProcess
    GetStartupInfoA
    GetCurrentProcessId
**************************************************/

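//-------------------------------------------------------------------------
// Script flow
//   1. Locate the envelope's API-entry routine inside the protected section
//      by byte signature, and derive the address of the POP EBP / RETN that
//      closes it (the hardware-breakpoint site).
//   2. Walk every IAT slot.  A slot whose target starts with E8 (CALL rel32)
//      aimed at the API-entry routine is a redirected import: run the stub
//      with a breakpoint on that RETN and read the landing address from EIP.
//   3. Write the recovered address back into the slot and continue.
// All user input is hexadecimal (ODbgScript default); EIP is restored on exit.
//-------------------------------------------------------------------------

// Every variable is declared before first use; ODbgScript builds that
// require `var` otherwise abort with a bad-operand error on the assignment.
var saveEIP              // EIP when the script starts (the OEP); restored at @exit
var modulebase           // image base of the module that contains EIP
var addrGetTickCount     // kernel32!GetTickCount: the stub's first return target
var numCallGTC           // times the current stub has returned into GetTickCount
var iatStart             // VA of the first IAT slot (RVA + modulebase)
var iatSize              // IAT size in bytes
var iatEnd               // iatStart + iatSize (exclusive upper bound)
var iatEntry             // IAT slot currently being examined
var addrBP               // address of the RETN in the API-entry routine
var addrAPIEntry         // start of the API-entry routine found by signature
var protectSectionBase   // where the signature search begins
var addr                 // scratch: code address read out of an IAT slot
var opcode               // scratch: bytes read at addr / addrBP
var offset               // rel32 operand of the CALL found at addr

mov saveEIP, eip

gpa "GetTickCount", "kernel32.dll"
mov addrGetTickCount, $RESULT

gmi eip, MODULEBASE
mov modulebase, $RESULT

// Three interactive inputs; a cancelled or zero answer ends the script.
ask "Enter RVA of IAT"
cmp $RESULT, 0
je @exit
mov iatStart, $RESULT
add iatStart, modulebase                  // RVA -> VA

ask "IAT Size"
cmp $RESULT, 0
je @exit
mov iatSize, $RESULT

ask "Start address of `.protect` section"
cmp $RESULT, 0
je @exit
mov protectSectionBase, $RESULT

// Signature of the envelope's API-entry routine (author-supplied pattern).
find protectSectionBase, #668BC087D387DA558BEC#
cmp  $RESULT, 0
je @signature_not_found
mov addrAPIEntry, $RESULT

// The routine is expected to end 0x20 bytes before the signature with
// 5D C3 = POP EBP / RETN (read as a little-endian word: C35D).
mov addrBP, addrAPIEntry
sub addrBP, 20
mov opcode, [addrBP]
and opcode, FFFF
cmp opcode, C35D                          // POP EBP, RETN opcodes
jne @signature_not_found
inc addrBP                                // point to the RETN opcode itself

log addrBP
log addrAPIEntry

mov iatEnd, iatStart
add iatEnd, iatSize

mov iatEntry, iatStart

// Invariant: iatStart <= iatEntry < iatEnd inside the loop.
@search:
cmp iatEntry, iatEnd
jae @exit
cmp [iatEntry], 00000000
je @next                                  // empty slot

// Only slots pointing at `CALL addrAPIEntry` (E8 rel32) are redirected.
mov addr, [iatEntry]
mov opcode, [addr]
and opcode, 0FF
cmp opcode, E8
jne @next

inc addr                                  // addr -> rel32 operand
mov offset, [addr]
add offset, addr
add offset, 4                             // target = end of CALL + rel32
cmp offset, addrAPIEntry
jne @next

// Execute the stub from the slot's target with a hw breakpoint on the RETN.
bphws addrBP, "x"
mov eip, [iatEntry]

mov numCallGTC, 0
@run:
run                                       // stops at the RETN breakpoint
sti                                       // execute RETN; eip = return target
cmp numCallGTC, 1
je @fix                                   // second RETN: take eip as the import
cmp eip, addrGetTickCount
jne @unresolved                           // first RETN did not go via GetTickCount
inc numCallGTC
jmp @run

// Stub did not follow the GetTickCount pattern; leave the slot untouched and
// tell the user so it can be resolved by hand (see header notes).
@unresolved:
eval "[{iatEntry}] not resolved, fix manually"
log $RESULT
jmp @next

@fix:
mov numCallGTC, 0
eval "[{iatEntry}] <- {eip}"
log $RESULT
mov [iatEntry], eip

@next:
bphwc addrBP                              // harmless if no breakpoint is set
add iatEntry, 4
jmp @search

@signature_not_found:
msg "Signature's not found!"
jmp @exit

@exit:
bphwc                                     // clear every hardware breakpoint
mov eip, saveEIP                          // back to the OEP
an eip
pause
ret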


server@qq.com 发表于 2010-7-7 12:14
老大搞点中文说明出来看不明白
wuqing1501 发表于 2010-7-7 12:48
回复 1# Hmily


    是1.x版本的吗? 用FLY的方法好像可以不用修复的 不知道你这个是否和那个版本一样