arm iat elimination.txt

来自「700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.」· 文本 代码 · 共 37 行

//The script 2, rereorganizes ARM chaotic IAT
//comes from the Ricardo Narvaja 207 courses, makes the revision slightly

var it
var it2
var x
var y
var pit
var pit2
var dll
var dll1
var pitt
var it1_end
var base
var savecode

//Needs to establish content
mov it, 00F32B38 //chaotic IAT first site
mov it1_end, 00F338C0//chaotic at the end of IAT site
mov it2,00F32B38//waits depositing to reorganize after the IAT first site

//
mov savecode, [eip]//preserved current eip directional content
mov [eip], # EBFE #//jmp eip, because reorganizes IAT quite to be slow, uses in treating can renovate the contact surface, guards against the contact surface to play dead 

gmi eip, MODULEBASE//takes the master file base address
log $RESULT
mov base, $RESULT

INICIO:              //Initialization
mov pitt, it// the pitt direction is processing the api address presently, its front all api is processed finished
                     //pitt each turn to increase 4, after it is equal to the chaotic at the end of IAT site, then this script movement finished
COMIENZO:
add pit, it
add pit2, it2

SEGUIMOS: //WE FOLLOWED new?