/*
=======================================================================
Script for repairing Armadillo's IAT Elimination feature
=======================================================================
This script helps you rebuild the IAT on targets protected with
Armadillo's IAT Eliminator feature. You will need to modify some
parts of the script to work on your file. First unpack your file and
prevent the common import redirection, then run this script after
you have found the OEP. Read my comments below.
=======================================================================
*/
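// Walks the code from a user-supplied base address, finds every indirect call
// of the form "call dword ptr [00A9xxxx]" and redirects it through a fresh
// thunk slot in a user-supplied section, copying the API address the call
// originally dereferenced into that slot.
//
// Both addresses are used exactly as entered: nothing below checks that they
// are mapped, writable, or that the thunk section is large enough for every
// call that gets patched. Check them against the memory map before running;
// the script patches the debuggee's memory in place and has no undo.
var code //Search cursor; starts at the base of the section that holds your code.
var NewPointer //Next free thunk slot in the section where thunks will be placed (use one of Armadillo's).
var OldPointer //Address the matched call currently reads its target from.
var Import //API address stored at OldPointer.

ask "Enter base address of code section:" //Ask user to enter base of code section:
cmp $RESULT,0 //0 means the dialog was cancelled or left empty.
je exit
mov code,$RESULT

ask "Enter address of new section for imports:" //Ask user to enter base of new IAT section:
cmp $RESULT,0
je exit
mov NewPointer,$RESULT

searching:
//FF 15 = call dword ptr [imm32]; the operand is little-endian, so the bytes
//?? ?? A9 00 match any pointer in 00A90000-00A9FFFF. You need to change the
//A900 part to the high word of the redirection section in your own target.
findop code,#FF15????A900#
cmp $RESULT,0 //No further match: every call has been processed.
je exit

mov code,$RESULT //Remember where the matched call starts.
add $RESULT,2 //Skip the FF 15 opcode bytes; $RESULT now points at the imm32 operand.
mov OldPointer,[$RESULT] //Pointer the call currently goes through.
mov Import,[OldPointer] //Resolved API address behind that pointer (stops with an error if OldPointer is unreadable).
mov [NewPointer],Import //Store the API address in the new thunk slot.
mov [$RESULT],NewPointer //Re-point the call at the new slot.

//Slots are spaced 8 bytes apart although only one DWORD is written, so each
//thunk is followed by an untouched DWORD -- presumably a zero separator for
//the import rebuilder; this relies on the section being zero-filled (confirm).
add NewPointer,8

//Step over the 6-byte call (FF 15 + imm32) before searching again. Without
//this the next findop restarts on the instruction that was just patched and
//the loop only moves on because the new operand no longer matches the
//pattern; if the thunk section itself lies in 00A9xxxx the same call would be
//re-patched forever while NewPointer runs past the end of the section.
add code,6
jmp searching

exit:
ret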