; #########################################################################
; tELock.asm : Plugin for ImpREC to find tELock0.92x real API in its wrapped code
;
; Very quick and simple example to get all values in "push [API]; ... garbage ... ;ret"
; Note that this example is not a tracer but just an opcode checker.
; #########################################################################

.386                    ; 80386 instruction set is enough for this plugin (no newer opcodes used)
.model flat, stdcall    ; flat 32-bit memory model; procs default to stdcall (matches the Win32 APIs invoked below)
option casemap :none    ; identifiers are case-sensitive, so API names must match the include files exactly

include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib

.code

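;-----------------------------------------------------------------------
; BOOL LibMain(HINSTANCE hInstDLL, DWORD reason, LPVOID unused)
; DLL entry point. No per-process or per-thread setup is needed, but the
; loader reads eax on DLL_PROCESS_ATTACH: a stale zero there makes
; LoadLibrary fail, so the success value is returned explicitly.
;-----------------------------------------------------------------------
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
    mov eax,TRUE                    ; always accept attach/detach
    ret
LibMain Endp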

; ##########################################################################
; Parameters for Exported function:
; 
; <hFileMap>    : HANDLE of the mapped file
; <dwSizeMap>   : Size of that mapped file
; <dwTimeOut>   : TimeOut of ImpREC in Options
; <dwToTrace>   : Pointer to trace (in VA)
; <dwExactCall> : EIP of the exact call (in VA)
;
; Returned value (in eax):
;
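; Use a value greater or equal to 200. It will be shown by ImpREC if no output were created
; ##########################################################################

; Return codes handed back to ImpREC (all >= 200 so ImpREC can display them)
ERR_SUCCESS         equ 200         ; finished cleanly (API written, or pattern not present)
ERR_MAP_FAILED      equ 201         ; MapViewOfFile failed
ERR_MAP_TOO_SMALL   equ 203         ; mapped view smaller than one DWORD of output
ERR_BAD_POINTER     equ 205         ; dwToTrace, or the API slot it names, is unreadable

; Opcode pattern the wrapper starts with: FF 35 xx xx xx xx = push dword ptr [xxxxxxxx]
OP_PUSH_MEM_1       equ 0FFh
OP_PUSH_MEM_2       equ 035h
PUSH_MEM_LEN        equ 6           ; 2 opcode bytes + 4-byte absolute address

;-----------------------------------------------------------------------
; DWORD Trace(HANDLE hFileMap, DWORD dwSizeMap, DWORD dwTimeOut,
;             DWORD dwToTrace, DWORD dwExactCall)
; ABI:   stdcall (ImpREC plugin export)
; Does:  if the code at dwToTrace begins with "push [addr]", reads the
;        DWORD stored at addr (the real API) and writes it into the first
;        DWORD of the mapped file; otherwise the mapping is left untouched.
; Out:   eax = one of the ERR_* codes above
; Regs:  ebx = work pointer (callee-saved, preserved via USES);
;        eax/ecx/edx are clobbered by the invoked APIs
; Note:  dwTimeOut and dwExactCall are not used by this opcode checker.
;        IsBadReadPtr is only an advisory probe: it cannot stop the page
;        from going away between the check and the read, and probing
;        through a guard page consumes it, so treat its answer as a hint.
;-----------------------------------------------------------------------
Trace proc USES ebx hFileMap:DWORD, dwSizeMap:DWORD, dwTimeOut:DWORD, dwToTrace:DWORD, dwExactCall:DWORD
    LOCAL dwPtrOutput : DWORD           ; base of the mapped view (output buffer)
    LOCAL dwErrorCode : DWORD           ; code returned to ImpREC in eax

    invoke MapViewOfFile,hFileMap,FILE_MAP_READ + FILE_MAP_WRITE,0,0,0
    test eax,eax
    jnz map_ok
    mov dwErrorCode,ERR_MAP_FAILED      ; nothing was mapped, so there is no view to unmap...
    jmp close_handle                    ; ...but hFileMap is still released like on every other exit

map_ok:
    mov dwPtrOutput,eax
    cmp dwSizeMap,4                     ; need room for one DWORD of output (unsigned compare)
    jae size_ok
    mov dwErrorCode,ERR_MAP_TOO_SMALL
    jmp end2

size_ok:
    mov ebx,dwToTrace
    ; The pattern check below touches bytes [ebx..ebx+5] (two opcode bytes plus
    ; the DWORD operand), so probe the whole 6-byte window, not just 4 bytes.
    invoke IsBadReadPtr,ebx,PUSH_MEM_LEN
    test eax,eax                        ; zero = readable
    jz trace_ptr_ok
    mov dwErrorCode,ERR_BAD_POINTER
    jmp end2

trace_ptr_ok:
    cmp byte ptr [ebx],OP_PUSH_MEM_1    ; is it "push dword ptr [imm32]"?
    jne end_ok                          ; no match: nothing written, success reported as before
    cmp byte ptr [ebx+1],OP_PUSH_MEM_2
    jne end_ok
    mov ebx,[ebx+2]                     ; ebx = address of the slot holding the real API
    invoke IsBadReadPtr,ebx,4           ; the slot itself must be readable
    test eax,eax
    jz api_ptr_ok
    mov dwErrorCode,ERR_BAD_POINTER
    jmp end2

api_ptr_ok:
    mov ebx,[ebx]                       ; ebx = real API address
    mov eax,dwPtrOutput
    mov [eax],ebx                       ; first DWORD of the mapped file = API address

end_ok:
    mov dwErrorCode,ERR_SUCCESS

end2:
    invoke UnmapViewOfFile,dwPtrOutput  ; unmap the view
close_handle:
    invoke CloseHandle,hFileMap         ; close the handle of the mapped file
    mov eax,dwErrorCode                 ; return code; USES ebx restores ebx before ret
    ret
Trace endp

End LibMain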