... aspr IAT redirection code is all here... of course the memory address will be diff but i am sure you can figure out how to get there based on relative offset
Code:
0041555B next: ; CODE XREF: RedirectIATptr+C8�j
0041555B ; RedirectIATptr+14A�j
0041555B ; RedirectIATptr+254�j
0041555B ; RedirectIATptr+25F�j
0041555B ; RedirectIATptr+319�j
0041555B ; RedirectIATptr+38B�j
0041555B ; RedirectIATptr+3FE�j
0041555B ; RedirectIATptr+41E�j
0041555B ; RedirectIATptr+453�j
0041555B ; RedirectIATptr+49A�j
0041555B ; RedirectIATptr+4AC�j
0041555B mov eax, [ebx+8]
0041555E mov esi, [eax]
00415560 add dword ptr [ebx+8], 4
00415564 mov eax, [ebx+8]
00415567 mov al, [eax]
00415569 mov [esp+struct.RedirectionType], al
0041556D inc dword ptr [ebx+8]
00415570 test esi, esi
00415572 jnz short loc_415592 ; get RVA of IAT_ptr
00415574 jmp short loc_415577
00415577 loc_415577: ; CODE XREF: RedirectIATptr+E4�j
00415577 mov eax, edi
00415579 call @System@@FreeMem$qqrv ; System::__linkproc__ FreeMem(void)
0041557E mov byte ptr [ebx+38h], 0
00415582 mov al, 1
00415584 jmp end
00415592
00415592 loc_415592: ; CODE XREF: RedirectIATptr+E2�j
00415592 xor esi, [esp+struct.XOR_key] ; get RVA of IAT_ptr
00415596 add esi, [ebx+40h] ; add Image Base
00415599 mov eax, [ebx+8]
0041559C mov al, [eax]
0041559E inc dword ptr [ebx+8] ; get Dll Number
004155A1 xor edx, edx
004155A3 mov dl, al
004155A5 mov eax, edi ; edi => dll base table
004155A7 call GetDwordInTable ; Get Imported DLL base
004155AC mov [esp+struct.DLL_base], eax
004155B0 mov eax, [ebx+8]
004155B3 mov al, [eax]
004155B5 inc dword ptr [ebx+8]
004155B8 test al, al
004155BA jnz short loc_4155DF
004155BC
004155BC type_0:
004155BC push offset sub_414FF0
004155C1 push offset ????pGetProcAddress ; GetProcAddress
004155C6 push offset MemAlloc ; Decrypt
004155CB push esi ; IAT_ptr
004155CC lea eax, [ebx+8]
004155CF push eax ; API_ptr
004155D0 mov eax, [esp+(struct.DLL_base+14h)]
004155D4 push eax ; Dll_handle
004155D5 call sub_415018
004155DA jmp next
004155DF
004155DF loc_4155DF: ; CODE XREF: RedirectIATptr+12A�j
004155DF cmp al, 2
004155E1 jnz loc_4156F4
004155E7
004155E7 type_2: ; RIP API code into Aspr shell
004155E7 xor eax, eax
004155E9 mov [esp+struct.field_20], eax
004155ED mov eax, [ebx+8]
004155F0 mov al, [eax]
004155F2 inc dword ptr [ebx+8]
004155F5 jmp short loc_4155F8
004155F8
004155F8 loc_4155F8: ; CODE XREF: RedirectIATptr+165�j
004155F8 sub al, 1
004155FA jnb short type_2_1
004155FC
004155FC type_2_0:
004155FC mov eax, [ebx+8]
004155FF movzx eax, byte ptr [eax]
00415602 inc dword ptr [ebx+8]
00415605 mov edx, [ebx+8]
00415608 mov edx, [edx]
0041560A add dword ptr [ebx+8], 4
0041560E lea ecx, [esp+struct.field_24]
00415612 push ecx
00415613 mov cl, [esp+(struct.RedirectionType+4)]
00415617 push ecx
00415618 mov ecx, edx
0041561A mov edx, ebx
0041561C xchg eax, edx
0041561D call sub_414E20
00415622 mov [esp+struct.field_20], eax
00415626 jmp short type_2_1
00415626
00415629 type_2_1: ; CODE XREF: RedirectIATptr+16A�j
00415629 ; RedirectIATptr+196�j
00415629 mov eax, [ebx+8]
0041562C mov ebp, [eax]
0041562E add dword ptr [ebx+8], 4
00415632 mov eax, [esp+struct.field_10]
00415636 call @System@@GetMem$qqrv ; System::__linkproc__ GetMem(void)
0041563B mov [esp+struct.RippedAPIcodePtr], eax
0041563F mov edx, ebp
00415641 mov eax, [esp+struct.DLL_base]
00415645 call GetProcAddress_ ; eax == DLL_base
00415645 ; edx == API_hash
0041564A mov ebp, eax
0041564C test ebp, ebp
0041564E jnz short loc_41565A
00415650 push offset _str_10__.Text
00415655 call ErrMsg???
0041565A
0041565A loc_41565A: ; CODE XREF: RedirectIATptr+1BE�j
0041565A cmp [esp+struct.field_20], 0
0041565F jz short loc_4156A5
00415661 mov eax, [esp+struct.RippedAPIcodePtr]
00415665 mov edx, [esp+struct.field_20]
00415669 mov [eax], edx
0041566B mov eax, [esp+struct.field_20]
0041566F add eax, [esp+struct.field_24]
00415673 mov byte ptr [eax], 68h ; set up a Push
00415676 push 0
00415678 push offset pCheckBPX
0041567D lea ecx, [esp+(struct.field_18+8)]
00415681 mov edx, ebp
00415683 mov eax, ebx
00415685 call RipCodeFromAPI ; edx== original address of API
0041568A mov edx, [esp+struct.field_20]
0041568E add edx, [esp+struct.field_24]
00415692 inc edx
00415693 mov [edx], eax
00415695 mov eax, [esp+struct.field_20]
00415699 add eax, [esp+struct.field_24]
0041569D add eax, 5
004156A0 mov byte ptr [eax], 0C3h
004156A3 jmp short loc_4156CE
004156A5
004156A5 loc_4156A5: ; CODE XREF: RedirectIATptr+1CF�j
004156A5 push 0
004156A7 push offset pCheckBPX
004156AC lea ecx, [esp+(struct.field_18+8)]
004156B0 mov edx, ebp
004156B2 mov eax, ebx
004156B4 call RipCodeFromAPI ; edx== original address of API
004156B9 mov edx, [esp+struct.RippedAPIcodePtr]
004156BD mov [edx], eax
004156BF lea ecx, [esp+struct.RippedAPIcodePtr]
004156C3 mov dl, [esp+struct.RedirectionType]
004156C7 mov eax, ebx
004156C9 call ???GenerateRandomRetCode
004156CE
004156CE loc_4156CE: ; CODE XREF: RedirectIATptr+213�j
004156CE mov eax, esi
004156D0 sub eax, 2
004156D3 cmp word ptr [eax], 0
004156D7 jnz short loc_4156E9
004156D9 mov edx, [esp+struct.RippedAPIcodePtr]
004156DD mov edx, [edx]
004156DF call Patch_IAT_Call_ptr
004156E4 jmp next
004156E9
004156E9 loc_4156E9: ; CODE XREF: RedirectIATptr+247�j
004156E9 mov eax, [esp+struct.RippedAPIcodePtr]
004156ED mov [esi], eax
004156EF jmp next
004156F4
004156F4 loc_4156F4: ; CODE XREF: RedirectIATptr+151�j
004156F4 cmp al, 1
004156F6 jnz loc_4157AE
004156FC jmp short type_1
004156FF
004156FF type_1: ; CODE XREF: RedirectIATptr+26C�j
004156FF mov eax, [ebx+8]
00415702 mov eax, [eax]
00415704 mov [esp+struct.field_0], eax
00415707 add dword ptr [ebx+8], 4
0041570B cmp dword ptr [ebx+44h], 0
0041570F jz short loc_41571A
00415711 mov eax, [esp+struct.field_0]
00415714 call dword ptr [ebx+44h]
00415717 mov [esp+struct.field_0], eax
0041571A
0041571A loc_41571A: ; CODE XREF: RedirectIATptr+27F�j
0041571A mov eax, [ebx+8]
0041571D mov ax, [eax]
00415720 mov word ptr [esp+struct.API_name_length], ax
00415725 add dword ptr [ebx+8], 2
00415729 cmp [esp+struct.field_1C], 0
0041572E jz short loc_41573B
00415730 mov eax, [esp+struct.XOR_key]
00415734 mov [esp+struct.field_1C], 0
00415739 jmp short loc_415741
0041573B
0041573B loc_41573B: ; CODE XREF: RedirectIATptr+29E�j
0041573B mov eax, [esp+struct.field_18]
0041573F mov eax, [eax]
00415741
00415741 loc_415741: ; CODE XREF: RedirectIATptr+2A9�j
00415741 mov ecx, eax
00415743 mov dx, word ptr [esp+struct.API_name_length]
00415748 mov eax, [ebx+8]
0041574B call DecryptBuffer ; eax == Buffer Address
0041574B ; dx == Buffer Size
0041574B ; ecx == Key
00415750 mov eax, [esp+struct.field_10]
00415754 call @System@@GetMem$qqrv ; System::__linkproc__ GetMem(void)
00415759 mov [esp+struct.RippedAPIcodePtr], eax
0041575D mov eax, [ebx+8]
00415760 push eax
00415761 mov eax, [esp+(struct.DLL_base+4)]
00415765 push eax
00415766 mov eax, ds:oGetProcAddress???
0041576B mov eax, [eax]
0041576D call eax
0041576F mov ebp, eax
00415771 test ebp, ebp
00415773 jnz short loc_41577F
00415775 push offset _str_11__.Text
0041577A call ErrMsg???
0041577F
0041577F loc_41577F: ; CODE XREF: RedirectIATptr+2E3�j
0041577F mov eax, [esp+struct.field_0]
00415782 push eax
00415783 push offset pCheckBPX
00415788 lea ecx, [esp+(struct.field_18+8)]
0041578C mov edx, ebp
0041578E mov eax, ebx
00415790 call RipCodeFromAPI ; edx== original address of API
00415795 mov edx, [esp+struct.RippedAPIcodePtr]
00415799 mov [edx], eax
0041579B mov eax, [esp+struct.RippedAPIcodePtr]
0041579F mov [esi], eax
004157A1 movzx eax, word ptr [esp+struct.API_name_length]
004157A6 add [ebx+8], eax
004157A9 jmp next
004157AE
004157AE loc_4157AE: ; CODE XREF: RedirectIATptr+266�j
004157AE cmp al, 4
004157B0 jnz loc_415893
004157B6 jmp short type_4