maybe it's gonna be goated?

iat.py

@@ -0,0 +1,30 @@
+import json
+
+import lief
+
+# wave to parse
+with open("rsc/wave-0001.dump", "rb") as f:
+    pe = lief.parse(f)
+    assert isinstance(pe, lief.PE.Binary)
+
+with open("rsc/upx-hostname.exe.bin_iat_wave1.json", "r") as iat_json_input:
+    iat_data = json.load(iat_json_input)
+calls:list[dict[str,str]] = iat_data["calls"]
+wave_entry = int(iat_data["entry"],16)
+
+# print(pe.rich_header)
+
+# for section in pe.sections:
+#     print(section.name, len(section.content))
+
+# patch entrypoint
+entrypoint_format = int(hex(wave_entry)[-4:],16)
+pe.optional_header.addressof_entrypoint = entrypoint_format
+
+# create new iat section
+section = lief.PE.Section(".patchiat")
+section.content = [0xCC] * 0x100
+pe.add_section(section)
+
+# write result
+pe.write("patched.exe")

rsc/upx-hostname.exe.bin_iat_wave1.json

@@ -0,0 +1 @@
+{"entry": "0x10011d7", "calls": [{"adress": "0x10011e6", "name": "KERNEL32.DLL!GetModuleHandleA"}, {"adress": "0x1001243", "name": "MSVCRT.DLL!__set_app_type"}, {"adress": "0x1001258", "name": "MSVCRT.DLL!__p__fmode"}, {"adress": "0x1001266", "name": "MSVCRT.DLL!__p__commode"}, {"adress": "0x10013be", "name": "MSVCRT.DLL!_controlfp"}, {"adress": "0x1001358", "name": "MSVCRT.DLL!_initterm"}, {"adress": "0x10012cb", "name": "MSVCRT.DLL!__getmainargs"}, {"adress": "0x10010f2", "name": "WS2_32.DLL!WSAStartup"}, {"adress": "0x1001160", "name": "WS2_32.DLL!gethostname"}, {"adress": "0x10011ba", "name": "USER32.DLL!CharToOemBuffA"}, {"adress": "0x10011c7", "name": "MSVCRT.DLL!puts"}, {"adress": "0x10011d0", "name": "MSVCRT.DLL!exit"}]}