; Make sure to be at the OEP
$iat_start = 0x008A4000
$iat_size = 0x2D0
$iat_end = $iat_start + $iat_size
$txt_base = mem.base(eip)
$txt_size = mem.size($txt_base)
$txt_end = $txt_base + $txt_size

$eip_org = eip
$esp_org = esp

; Find first relative call, this is used as the SecuROM stub
find $eip_org, FF15????????
$stub_addr = dword:[$RESULT + 2]
log "Stub: {p:$stub_addr}"
$stub_addr = bswap($stub_addr)

; Find all Calls
findmemall 0, "FF15{p:$stub_addr}", -1, module
$num_calls = $RESULT

; Find CALL-ID that is closest to the OEP
$call_id = 0
find_next_call:
    $call_at = ref.addr($call_id)
    cmp $call_at, $eip_org
    ja first_call_found
    $call_id += 1
    jmp find_next_call

first_call_found:
    $call_id_offset = 0
    $offset_positive = 1

loop:
    cmp $call_id_offset, $num_calls
    jae end

    cmp $offset_positive, 1
    je add_offset

subtract_offset:
    cmp $call_id_offset, $call_id
    ja next_call
    $call_id_adjusted = $call_id - $call_id_offset
    jmp get_call

add_offset:
    $call_id_adjusted = $call_id + $call_id_offset
    cmp $call_id_adjusted, $num_calls
    jae next_call

get_call:
    $call_at = ref.addr($call_id_adjusted)

    cmp $call_at, $txt_base
    jb next_call
    cmp $call_at, $txt_end
    jae next_call

    $call_to = dword:[dword:[$call_at + 2]]

    esp = $esp_org
    eip = $call_at
    call sti_safe
    call sti_safe
    $stack_top = esp
    bphws $stack_top, r, 4
    SetHardwareBreakpointSilent $stack_top
    erun
    bphwc $stack_top
    $func_addr = eax

    ; Check if we know that address already
    $thunk_check = $iat_start
find_used_thunk:
    cmp $thunk_check, $iat_end
    je find_empty_thunk_init
    cmp dword:[$thunk_check], $func_addr
    je thunk_found
    $thunk_check += 4
    jmp find_used_thunk

find_empty_thunk_init:
    $thunk_check = $iat_start
find_empty_thunk:
    cmp dword:[$thunk_check], 0
    je empty_thunk_found
    $thunk_check += 4
    jmp find_empty_thunk

empty_thunk_found:
    dword:[$thunk_check] = $func_addr
thunk_found:
    dword:[$call_at + 2] = $thunk_check
    ;log "Call at {p:$call_at} -> {p:$func_addr}"

next_call:
    ; flip
    $offset_positive = 1 - $offset_positive
    cmp $offset_positive, 0
    jne loop
    $call_id_offset += 1
    jmp loop

sti_safe:
    $eip_old = eip
perform_sti:
    sti
    cmp eip, $eip_old
    je perform_sti
    ret

end:
    eip = $eip_org
    esp = $esp_org
    log "Done ;)"