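// Post-unpacking repair script (ODbgScript syntax), run against the live debuggee.
// It does three things, in order:
//   1. writes two saved function bodies back with `fill`;
//   2. builds a singly linked list over a table of 0xC9C records of 0xB bytes each
//      (dword hash, dword code, byte index, byte regpair, byte eip-delta) so that
//      each record can be consumed at most once;
//   3. walks the bytes of the first section and rewrites
//        - E8/E9 whose target lies in 4001E0..40041C (a region whose original
//          bytes were saved at 6589D0, see the comment at SkipCallJump),
//        - FF 25 / FF 15 whose pointer lies in ImportStart..ImportEnd,
//        - 8D C0 markers, replaced by the instruction described by the table
//          record whose hash matches a CRC-32 of the marker's address string.
// Every absolute address below is specific to the image this script was written for.
// Fixed: the scratch variable was declared as `DelatVA` while every use is `DeltaVA`.
var SectionCount
var SectionVA
var SectionSize
var pSection
var SectionEnd
var ByteCode
var Iterator
var DeltaVA
var DestVA
var EIPString
var BitCount
var EIPHashCode
var HashTableIndex
var HashTableEntry
var DestHashCode
var NopCount
var dwCode
var byIndex
var byRegPair
var byEIPBaseDelta
var RegMode
var ImportStart
var ImportEnd
var pList
var pHead
var Index
var pPrev
var pNode
var pNext

// Step 1: restore two function bodies from the byte sequence kept in the script.
fill 00401B89, #C745FC00000000EB098B45FC83C0018945FC8B4D08034DFC0FBE1185D274208B45080345FC0FBE08894DF88B55F883C2368955F88B45F80345F48945F4EBCA8B45F45F5E5B83C44C3BECE8DBB801008BE55DC39090909090909090909090909090909090909090#
fill 00401CA6, #C745FC00000000EB098B45FC83C0018945FC8B4D08034DFC0FBE1185D274208B45080345FC0FBE08894DF88B55F883C2368955F88B45F80345F48945F4EBCA8B45F45F5E5B83C44C3BECE8DBB801008BE55DC39090909090909090909090909090909090909090#

// Step 2: list nodes are 8 bytes: +0 pointer to a table record, +4 pointer to the next node.
// 0xC9C nodes * 8 = 0x64E0 bytes, which fits in the 0x7000 allocation.
alloc 7000
mov pList, $RESULT
mov HashTableEntry, 00658C89
mov pHead, pList
mov Index, 0
mov pNode, pList
mov pNext, pNode
add pNode, 4
add pNext, 8
InitializeListLoop:
    cmp Index, C9C
    je FinishInitLoop
    mov [pNode], pNext, 4
    add pNext, 8
    add pNode, 8
    inc Index
    jmp InitializeListLoop
FinishInitLoop:
    // Terminate the list: the last node's next pointer becomes 0.
    sub pNode, 8
    mov [pNode], 0, 4
    mov Index, 0
    mov pNode, pList
FillListLoop:
    cmp Index, C9C
    je FillListFinish
    mov [pNode], HashTableEntry, 4
    add pNode, 8
    add HashTableEntry, B
    inc Index
    jmp FillListLoop
FillListFinish:

// Step 3: import-thunk range, taken from the disassembly noted below.
//0065404D BF 1E7E6500 mov edi, 00657E1E
//00654055 B9 B20B0000 mov ecx, 0BB2
mov ImportStart, 00657E1E
mov ImportEnd, ImportStart
add ImportEnd, BB2

// Section table at 4001E0 and NumberOfSections at 4000EE are image-specific offsets.
mov pSection, 4001E0
mov SectionCount, [4000EE], 2
nextOuterLoop:
    cmp SectionCount, 0
    je exitOuterLoop
    // IMAGE_SECTION_HEADER: +8 VirtualSize, +C VirtualAddress.
    mov Iterator, pSection
    add Iterator, 8
    mov SectionSize, [Iterator], 4
    add Iterator, 4
    mov SectionVA, [Iterator], 4
    add SectionVA, 400000
    mov SectionEnd, SectionVA
    add SectionEnd, SectionSize
    // Stop 4 bytes early so a 4-byte operand read at Iterator stays inside the section.
    sub SectionEnd, 4
    // E8 xxxxxxxx
    mov Iterator, SectionVA
nextIteratorLoop:
    mov ByteCode, [Iterator], 1
    cmp ByteCode, E8
    je SkipCallJump
    cmp ByteCode, E9
    je SkipCallJump
    cmp ByteCode, 8D        // 8D C0 marker
    je InvalidInstructionFirst
    cmp ByteCode, FF
    jne nextIterator
    inc Iterator
    mov ByteCode, [Iterator], 1
    dec Iterator
    cmp ByteCode, 25        // jmp [mem]
    je IAT_JumpCall_Thunk
    cmp ByteCode, 15        // call [mem]
    je IAT_JumpCall_Thunk
    jmp nextIterator

InvalidInstructionFirst:
    inc Iterator
    mov ByteCode, [Iterator], 1
    dec Iterator
    cmp ByteCode, C0
    je InvalidInstruction
    jmp nextIterator

SkipCallJump:
    // DeltaVA = absolute target of the E8/E9 at Iterator (Iterator + 5 + rel32).
    inc Iterator
    mov DeltaVA, [Iterator], 4
    add DeltaVA, Iterator
    add DeltaVA, 4
    dec Iterator
    // Only targets inside 4001E0..40041C are handled.
    cmp DeltaVA, 4001E0
    jb nextIterator
    cmp DeltaVA, 40041C
    ja nextIterator
    //copy 006589D0 to 004001E0
    // Translate the target into the saved copy of that region.
    sub DeltaVA, 4001E0
    add DeltaVA, 6589D0
    mov ByteCode, [DeltaVA], 1
    cmp ByteCode, E9
    jne MoveSectionStolenCode
    // Saved byte is a jmp: retarget our E8/E9 at the jmp's final destination.
    inc Iterator
    inc DeltaVA
    mov DestVA, [DeltaVA], 4
    add DeltaVA, 4001E0
    sub DeltaVA, 6589D0
    add DestVA, DeltaVA
    add DestVA, 4
    sub DestVA, Iterator
    sub DestVA, 4
    mov [Iterator], DestVA, 4
    add Iterator, 3        // skip call xxxxxxxx
    jmp nextIterator

MoveSectionStolenCode:
    // Copy saved bytes over the E8/E9 until the saved stream reaches an E9 that
    // jumps back exactly to the current write position.
    mov [Iterator], ByteCode, 1
    inc Iterator
    inc DeltaVA
    mov ByteCode, [DeltaVA], 1
    cmp ByteCode, E9
    jne MoveSectionStolenCode
    mov EIPString, DeltaVA
    inc EIPString
    mov EIPString, [EIPString], 4
    add EIPString, DeltaVA
    add EIPString, 5
    sub EIPString, 6589D0
    add EIPString, 4001E0
    cmp EIPString, Iterator
    jne MoveSectionStolenCode
    dec Iterator
    jmp nextIterator

InvalidInstruction:
    //itoa Iterator
    //mov EIPString, $RESULT
    // Hash of the marker address: each of its 8 hex digits is converted to its
    // upper-case ASCII code and folded into a CRC-32 (polynomial EDB88320,
    // initial value FFFFFFFF, no final inversion).
    mov BitCount, 0
    mov EIPHashCode, 0FFFFFFFF
CalcHashOuterLoop:
    mov EIPString, Iterator
    shl EIPString, BitCount
    shr EIPString, 1C
    or EIPString, 30
    cmp EIPString, 39
    jbe SkipReValue
    add EIPString, 7        // '9'+1 .. -> 'A'..'F'
SkipReValue:
    xor EIPHashCode, EIPString
    mov EIPString, 8
CalcHashInnerLoop:
    mov DestVA, EIPHashCode
    shr EIPHashCode, 1
    and DestVA, 1
    cmp DestVA, 0
    je SkipCalcXOR
    xor EIPHashCode, EDB88320
SkipCalcXOR:
    dec EIPString
    cmp EIPString, 0
    jne CalcHashInnerLoop
    add BitCount, 4
    cmp BitCount, 20
    jne CalcHashOuterLoop
    mov EIPString, EIPHashCode
    //mov HashTableIndex, 0
    //mov HashTableEntry, 00658C89
    // Look the hash up in the list of unused records.
    mov pPrev, 0
    mov pNode, pHead
    // Guard added: once every record has been consumed pHead is 0 and the
    // do-while loop below would dereference address 0.
    cmp pNode, 0
    je SkipInvalidInstruction
FindHashTableEntryLoop:
    mov HashTableEntry, [pNode], 4
    mov DestHashCode, [HashTableEntry], 4
    cmp DestHashCode, EIPHashCode
    je FoundHashTableEntry
    mov pPrev, pNode
    add pNode, 4
    mov pNext, [pNode], 4
    mov pNode, pNext
    //add HashTableEntry, B
    //inc HashTableIndex
    //cmp HashTableIndex, C9C
    cmp pNode, 0
    jne FindHashTableEntryLoop
    jmp SkipInvalidInstruction

FoundHashTableEntry:
    // Modify List: unlink the matched node so the record is not reused.
    add pNode, 4
    mov pNext, [pNode], 4
    cmp pPrev, 0
    je ModifyListHead
    add pPrev, 4
    mov [pPrev], pNext, 4
    jmp ModifyListFinish
ModifyListHead:
    mov pHead, pNext
    cmp pHead, 0
    jne ModifyListFinish
    log "Last IAT"
ModifyListFinish:
    // Record fields after the dword hash: +4 dwCode, +8 byIndex, +9 byRegPair, +A byEIPBaseDelta.
    add HashTableEntry, 4
    mov dwCode, [HashTableEntry], 4
    add HashTableEntry, 4
    mov byIndex, [HashTableEntry], 1
    add HashTableEntry, 1
    mov byRegPair, [HashTableEntry], 1
    add HashTableEntry, 1
    mov byEIPBaseDelta, [HashTableEntry], 1
    // When the rebuilt instruction is longer than the 2-byte marker, the extra
    // bytes after it must currently be NOPs, otherwise the record is rejected.
    cmp byEIPBaseDelta, 2
    jbe SkipCheckNopCount
    mov NopCount, byEIPBaseDelta
    sub NopCount, 2
    mov EIPString, Iterator
    add EIPString, 2
CheckNopCountLoop:
    cmp NopCount, 0
    je SkipCheckNopCount
    mov ByteCode, [EIPString], 1
    cmp ByteCode, 90
    jne SkipInvalidInstruction
    inc EIPString
    dec NopCount
    jmp CheckNopCountLoop
SkipCheckNopCount:
    //match: dispatch on the record's instruction class
    cmp byIndex, 0
    je MoveMemReg_Label
    cmp byIndex, 1
    je RegisterOperate_Label
    cmp byIndex, 2
    je MoveImm32_Label
    cmp byIndex, 3
    je JumpEqual_Label
    cmp byIndex, 4
    je JumpBelow_Label
    cmp byIndex, 5
    je JumpMemory_Label
    cmp byIndex, 6
    je JumpBelowOrEqual_Label
    jmp SkipInvalidInstruction

// Each rebuild below leaves Iterator so that the following inc(s) land on the
// byte after the rebuilt instruction.
MoveMemReg_Label:
    // 8B /r with a disp8 (delta 3) or disp32 (delta 6) taken from dwCode.
    mov EIPString, Iterator
    mov RegMode, byRegPair
    and RegMode, 3F
    cmp byEIPBaseDelta, 3
    je MoveMemReg_Label_Case3
    cmp byEIPBaseDelta, 6
    je MoveMemReg_Label_Case6
    cmp byEIPBaseDelta, 2
    jne SkipInvalidInstruction
    // MoveMemReg_Label_Default
    // default 2
MoveMemReg_Label_Case2:
    mov [EIPString], 8B, 1
    inc EIPString
    //or RegMode, 00
    mov [EIPString], RegMode, 1
    jmp SkipInvalidInstruction
MoveMemReg_Label_Case3:
    mov [EIPString], 8B, 1
    inc EIPString
    or RegMode, 40
    mov [EIPString], RegMode, 1
    inc EIPString
    mov [EIPString], dwCode, 1
    inc Iterator
    jmp SkipInvalidInstruction
MoveMemReg_Label_Case6:
    mov [EIPString], 8B, 1
    inc EIPString
    or RegMode, 80
    mov [EIPString], RegMode, 1
    inc EIPString
    mov [EIPString], dwCode, 4
    add Iterator, 4
    jmp SkipInvalidInstruction
//MoveMemReg_Label_Default:

RegisterOperate_Label:
    // Register-register ALU op; dwCode selects the opcode, byRegPair the mod=11 modrm.
    mov RegMode, byRegPair
    mov DeltaVA, byRegPair
    and DeltaVA, 70
    shr DeltaVA, 1
    and RegMode, 7
    or RegMode, C0
    or RegMode, DeltaVA
    //RegMode = ((info->byRegPair & 0x70) >> 1) | (info->byRegPair & 7) | 0xC0;
    mov EIPString, Iterator
    inc EIPString
    mov [EIPString], RegMode, 1
    cmp dwCode, 0
    je RegisterOperate_Label_OR
    cmp dwCode, 1
    je RegisterOperate_Label_AND
    cmp dwCode, 2
    je RegisterOperate_Label_XOR
    cmp dwCode, 3
    je RegisterOperate_Label_ADD
    cmp dwCode, 4
    je RegisterOperate_Label_SUB
    // MOV
    mov [Iterator], 8B, 1
    jmp SkipInvalidInstruction
RegisterOperate_Label_OR:
    mov [Iterator], 0B, 1
    jmp SkipInvalidInstruction
RegisterOperate_Label_AND:
    mov [Iterator], 23, 1
    jmp SkipInvalidInstruction
RegisterOperate_Label_XOR:
    mov [Iterator], 33, 1
    jmp SkipInvalidInstruction
RegisterOperate_Label_ADD:
    mov [Iterator], 03, 1
    jmp SkipInvalidInstruction
RegisterOperate_Label_SUB:
    mov [Iterator], 2B, 1
    jmp SkipInvalidInstruction

MoveImm32_Label:
    // C7 /0 imm32 to [reg]; ESP needs a SIB byte and EBP a zero disp8.
    mov [Iterator], C7, 1
    inc Iterator
    cmp byRegPair, 4
    je MoveImm32_Label_ESP
    cmp byRegPair, 5
    je MoveImm32_Label_EBP
    mov [Iterator], byRegPair, 1
    inc Iterator
    jmp MoveImm32_Label_Final
MoveImm32_Label_ESP:
    mov [Iterator], 04, 1
    inc Iterator
    mov [Iterator], 24, 1
    inc Iterator
    jmp MoveImm32_Label_Final
MoveImm32_Label_EBP:
    mov [Iterator], 45, 1
    inc Iterator
    mov [Iterator], 00, 1
    inc Iterator
MoveImm32_Label_Final:
    mov [Iterator], dwCode, 4
    add Iterator, 3
    jmp nextIterator

JumpEqual_Label:
    // JE/JNE: short form (74/75 rel8) unless delta is 6, then 0F 84/85 rel32.
    mov DeltaVA, 1
    cmp byRegPair, 0
    jne JumpEqual_Label_NZ
    mov DeltaVA, 0
JumpEqual_Label_NZ:
    cmp byEIPBaseDelta, 6
    je JumpEqual_Label_LongAddress
    or DeltaVA, 74
    mov [Iterator], DeltaVA, 1
    inc Iterator
    and dwCode, FF
    mov [Iterator], dwCode, 1
    jmp nextIterator
JumpEqual_Label_LongAddress:
    or DeltaVA, 84
    mov [Iterator], 0F, 1
    inc Iterator
    mov [Iterator], DeltaVA, 1
    inc Iterator
    mov [Iterator], dwCode, 4
    add Iterator, 3
    jmp nextIterator

JumpBelow_Label:
    // JB/JAE: 72/73 rel8, or 0F 82/83 rel32 when delta is 6.
    mov DeltaVA, 1
    cmp byRegPair, 5
    jne JumpBelow_Label_NZ
    mov DeltaVA, 0
JumpBelow_Label_NZ:
    cmp byEIPBaseDelta, 6
    je JumpBelow_Label_LongAddress
    or DeltaVA, 72
    mov [Iterator], DeltaVA, 1
    inc Iterator
    and dwCode, FF
    mov [Iterator], dwCode, 1
    jmp nextIterator
JumpBelow_Label_LongAddress:
    or DeltaVA, 82
    mov [Iterator], 0F, 1
    inc Iterator
    mov [Iterator], DeltaVA, 1
    inc Iterator
    mov [Iterator], dwCode, 4
    add Iterator, 3
    jmp nextIterator

JumpMemory_Label:
    // FF 24 <SIB> disp32: scale from byRegPair's high nibble, index from its
    // low 3 bits, base = none (disp32 in dwCode).
    mov DeltaVA, byRegPair
    shr DeltaVA, 4
    shl DeltaVA, 6
    and byRegPair, 7
    shl byRegPair, 3
    or byRegPair, DeltaVA
    or byRegPair, 5
    mov [Iterator], FF, 1
    inc Iterator
    mov [Iterator], 24, 1
    inc Iterator
    mov [Iterator], byRegPair, 1
    inc Iterator
    mov [Iterator], dwCode, 4
    add Iterator, 3
    jmp nextIterator

JumpBelowOrEqual_Label:
    // JBE/JA: 76/77 rel8, or 0F 86/87 rel32 when delta is 6.
    mov DeltaVA, 1
    cmp byRegPair, 7
    jne JumpBelowOrEqual_Label_NZ
    mov DeltaVA, 0
JumpBelowOrEqual_Label_NZ:
    cmp byEIPBaseDelta, 6
    je JumpBelowOrEqual_Label_LongAddress
    or DeltaVA, 76
    mov [Iterator], DeltaVA, 1
    inc Iterator
    and dwCode, FF
    mov [Iterator], dwCode, 1
    jmp nextIterator
JumpBelowOrEqual_Label_LongAddress:
    or DeltaVA, 86
    mov [Iterator], 0F, 1
    inc Iterator
    mov [Iterator], DeltaVA, 1
    inc Iterator
    mov [Iterator], dwCode, 4
    add Iterator, 3
    jmp nextIterator

SkipInvalidInstruction:
    inc Iterator
    jmp nextIterator

IAT_JumpCall_Thunk:
    // FF 25/15 disp32: if disp32 points into the thunk range, replace it with
    // the pointer stored there so the instruction references the IAT directly.
    add Iterator, 2
    mov dwCode, [Iterator], 4
    cmp dwCode, ImportStart
    jb Skip_IAT_JumpCall_Thunk
    cmp dwCode, ImportEnd
    jae Skip_IAT_JumpCall_Thunk
    mov DeltaVA, [dwCode], 4
    mov [Iterator], DeltaVA, 4
    add Iterator, 3
    jmp nextIterator
Skip_IAT_JumpCall_Thunk:
    dec Iterator

nextIterator:
    inc Iterator
    cmp Iterator, SectionEnd
    jb nextIteratorLoop
    dec SectionCount
    add pSection, 28
    // NOTE(review): the back-edge below is commented out, so only the first
    // section is scanned even though SectionCount/pSection are advanced — confirm intended.
    //jmp nextOuterLoop
    //
exitOuterLoop:
    free pList, 7000
    ret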