lucian
January 7th, 2005, 02:42
Hy
Dose somebody have this script?
Dose somebody have this script?
View Full Version : ollyscript gathering iat info script.
garryw
January 7th, 2005, 19:19
// For Gathering IAT infomation
// Start This at App.OEP
// Made By OrionOnion
//
// OllyDBG LogData Window Open
// Set LogToFile and Run Script
// 0x401000 is Code Image Base
//
// In my case, Virtual IAT address started at 0x003D????
var mem0
var mem1
var mem2
var mem3
var s_addr
var s_par
dbh
log "CALL ds:[0x003d????]"
mov s_addr,401000
l_call_begin:
findop s_addr, #FF15????3D00#
mov mem0,$RESULT
cmp mem0,0
jE l_call_end
mov s_addr,mem0
inc s_addr
mov mem1,mem0
ADD mem1,2
log mem1
mov mem2,[mem1]
log mem2
log [mem2]
jmp l_call_begin
l_call_end:
log "JMP [0x003d????]"
mov s_addr,401000
l_jmp:
findop s_addr, #FF25????3D00#
mov mem0,$RESULT
cmp mem0,0
je l_jmp_end
mov s_addr,mem0
inc s_addr
log mem0
mov mem1,mem0
ADD mem1,2
log mem1
log [mem1]
jmp l_jmp
l_jmp_end:
log " MOV R32,[0x003D????]"
mov s_par,0
l_mov_begin:
mov s_addr,401000
cmp s_par,0
JNE l_mov_ebx
//log "MOV EAX,[0x003D????]"
l_mov_eax_begin:
findop s_addr,#A1????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_ebx:
cmp s_par,1
jne l_mov_ecx
//log "MOV EBX,[0x003D????]"
l_mov_ebx_begin:
findop s_addr,#8B1D????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_ecx:
cmp s_par,2
jne l_mov_edx
//log "MOV ECX,[0x003D????]"
l_mov_ecx_begin:
findop s_addr,#8B0D????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_edx:
cmp s_par,3
jne l_mov_esi
//log "MOV EDX,[0x003D????]"
l_mov_edx_begin:
findop s_addr,#8B15????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_esi:
cmp s_par,4
jne l_mov_edi
//log "MOV ESI,[0x003D????]"
l_mov_esi_begin:
findop s_addr,#8B35????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_edi:
cmp s_par,5
jne l_mov_ebp
//log "MOV EDI,[0x003D????]"
l_mov_edi_begin:
findop s_addr,#8B3D????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_ebp:
cmp s_par,6
jne l_mov_end
//log "MOV EBP,[0x003D????]"
l_mov_ebp_begin:
findop s_addr,#8B2D????3D00#
mov mem0,$RESULT
jmp find_main
find_main:
cmp mem0,0
je l_find_end
mov s_addr,mem0
inc s_addr
mov mem1,mem0
cmp s_par,0
je l_main2
INC mem1
l_main2:
INC mem1
log mem1
mov mem2,[mem1]
log mem2
log [mem2]
cmp s_par,0
JE l_mov_eax_begin
cmp s_par,1
JE l_mov_ebx_begin
cmp s_par,2
JE l_mov_ecx_begin
cmp s_par,3
JE l_mov_edx_begin
cmp s_par,4
JE l_mov_esi_begin
cmp s_par,5
JE l_mov_edi_begin
cmp s_par,6
JE l_mov_ebp_begin
l_find_end:
inc s_par
jmp l_mov_begin
l_mov_end:
MSG "Gathering Done!"
ret
// Start This at App.OEP
// Made By OrionOnion
//
// OllyDBG LogData Window Open
// Set LogToFile and Run Script
// 0x401000 is Code Image Base
//
// In my case, Virtual IAT address started at 0x003D????
var mem0
var mem1
var mem2
var mem3
var s_addr
var s_par
dbh
log "CALL ds:[0x003d????]"
mov s_addr,401000
l_call_begin:
findop s_addr, #FF15????3D00#
mov mem0,$RESULT
cmp mem0,0
jE l_call_end
mov s_addr,mem0
inc s_addr
mov mem1,mem0
ADD mem1,2
log mem1
mov mem2,[mem1]
log mem2
log [mem2]
jmp l_call_begin
l_call_end:
log "JMP [0x003d????]"
mov s_addr,401000
l_jmp:
findop s_addr, #FF25????3D00#
mov mem0,$RESULT
cmp mem0,0
je l_jmp_end
mov s_addr,mem0
inc s_addr
log mem0
mov mem1,mem0
ADD mem1,2
log mem1
log [mem1]
jmp l_jmp
l_jmp_end:
log " MOV R32,[0x003D????]"
mov s_par,0
l_mov_begin:
mov s_addr,401000
cmp s_par,0
JNE l_mov_ebx
//log "MOV EAX,[0x003D????]"
l_mov_eax_begin:
findop s_addr,#A1????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_ebx:
cmp s_par,1
jne l_mov_ecx
//log "MOV EBX,[0x003D????]"
l_mov_ebx_begin:
findop s_addr,#8B1D????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_ecx:
cmp s_par,2
jne l_mov_edx
//log "MOV ECX,[0x003D????]"
l_mov_ecx_begin:
findop s_addr,#8B0D????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_edx:
cmp s_par,3
jne l_mov_esi
//log "MOV EDX,[0x003D????]"
l_mov_edx_begin:
findop s_addr,#8B15????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_esi:
cmp s_par,4
jne l_mov_edi
//log "MOV ESI,[0x003D????]"
l_mov_esi_begin:
findop s_addr,#8B35????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_edi:
cmp s_par,5
jne l_mov_ebp
//log "MOV EDI,[0x003D????]"
l_mov_edi_begin:
findop s_addr,#8B3D????3D00#
mov mem0,$RESULT
jmp find_main
l_mov_ebp:
cmp s_par,6
jne l_mov_end
//log "MOV EBP,[0x003D????]"
l_mov_ebp_begin:
findop s_addr,#8B2D????3D00#
mov mem0,$RESULT
jmp find_main
find_main:
cmp mem0,0
je l_find_end
mov s_addr,mem0
inc s_addr
mov mem1,mem0
cmp s_par,0
je l_main2
INC mem1
l_main2:
INC mem1
log mem1
mov mem2,[mem1]
log mem2
log [mem2]
cmp s_par,0
JE l_mov_eax_begin
cmp s_par,1
JE l_mov_ebx_begin
cmp s_par,2
JE l_mov_ecx_begin
cmp s_par,3
JE l_mov_edx_begin
cmp s_par,4
JE l_mov_esi_begin
cmp s_par,5
JE l_mov_edi_begin
cmp s_par,6
JE l_mov_ebp_begin
l_find_end:
inc s_par
jmp l_mov_begin
l_mov_end:
MSG "Gathering Done!"
ret
lucian
January 10th, 2005, 00:08
thanks very mutch m8.
Powered by vBulletin® Version 4.2.2 Copyright © 2019 vBulletin Solutions, Inc. All rights reserved.