
📄 pespin 1.3 oep finder + stolen code finder + fix iat + junk code v0.1.txt

📁 700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.
/*
////////////////////////////////////////////////////////////////////

PESpin v1.3 Unpacker script v0.1
Author: KuNgBiM
Email : kungbim@163.com
OS    : WinXP sp1,Ollydbg 1.1,OllyScript v0.92
Date  : 2006-1-3
Action: Auto-fix IAT, remove junk code, find stolen code
Config: Ignore ALL exceptions
Note  : If you have any questions, please email me. Thank you!

////////////////////////////////////////////////////////////////////
*/

// OllyScript (OllyDbg 1.1 / OllyScript v0.92) — flat script, executed top to bottom.
// Variable roles in the first half:
//   A, B      scratch addresses (search base, NOP-fill range)
//   x, C      declared but never used below
//   $RESULT   implicit result register of gpa / find / findop
var x
var A
var B
var C

msg "Script runs on Win XP only. Ignore ALL exceptions!"

//Break on GetTickCount: resolve its address, locate the first RET (C3) from
//there, break on it, run the debuggee until that bp fires (esto), clear the
//bp, then run until user code is reached again (rtu) — presumably the
//packer code right after its GetTickCount call.
gpa "GetTickCount","kernel32.dll"
findop $RESULT,#C3#
bp $RESULT
esto
bc eip
rtu

//Find that code around timer call and just place bp.
//Search forward from eip-0xF80 for a fixed byte pattern and break one byte
//past the match. The 0xF80 distance and the pattern are specific to this
//packer build.
//NOTE(review): $RESULT is not checked for 0 here (contrast the `cmp $RESULT,0`
//guard in the search loop below); a failed find would place the bp at address 1.
mov A,eip
sub A,0F80
find A,#F?723F8D850F6E271E2D8417E71DFFD0EB02#
add $RESULT,1
bp $RESULT

//Now find place where is IAT redirection jump.
//FF 64 24 FC encodes `jmp dword ptr [esp-4]`; search for it from eip-0x1058,
//break on it, run there, clear the bp and keep its address in A.
mov A,eip
sub A,1058
findop A,#FF6424FC#
bp $RESULT
esto
bc eip
mov A,$RESULT
//Find good call and NOP all bytes between.
//Pattern = CALL rel32 whose top displacement byte is FF (a backward call)
//followed by E8 03 00 00 00 (CALL +3). B = its address; every byte in
//[A, B) is then overwritten with 0x90 (NOP), one byte per iteration, and
//execution resumes.
//NOTE(review): if this find fails, B is 0 and the loop never reaches A == B.
find eip,#E8??????FFE803000000#
mov B,$RESULT
noping:
fill A,1,90                     //fill addr,len,value: one NOP at A
inc A
cmp A,B
jne noping
esto

//Timer place noping:
//eip is now at the bp placed near the timer call; clear it and replace
//0x0F bytes at eip with NOPs.
bc eip
fill eip,0F,90

//Go to byte before POPAD and NOP it.
//Hard-coded offsets for this packer build: NOP the byte at eip+0x221, then
//break at eip+0x223 (presumably just past the 1-byte POPAD), run there, and
//tag that address as the start of the stolen OEP bytes.

mov A,eip
add A,221
fill A,1,90
add A,2
bp A
esto
bc eip
cmt eip,"Here starts stolen OEP.Find by KuNgBiM[DFCG][BCG][SLT][NCPH]"

//Code fixing:
//Scan the code section from 0x401000 for CALL/JMP instructions whose target
//lies in the PE header page (0x400000-0x400FFF), where the packer placed
//redirection stubs, and rewrite each one back into the original
//PUSH imm32 / CALL rel32 / JMP rel32.
//Variable roles:
//   addr    scan position; inside the loop, address of the rel32 field
//   buffer  address of the matched opcode byte (restart point after a fix)
//   Redir   absolute address of the redirection stub
//   Value   scratch dword (stub's first dword, immediate, or new rel32)
//   temp    dword read back at the opcode when deciding CALL vs JMP

var addr
var Redir
var buffer
var temp
var Value
mov addr,401000                 //assumes image base 0x400000 with code at RVA 0x1000 — confirm for the target

search:
findop addr,#E???????FF#        //Find possible CALL/JMP to PEheader: opcode E0-EF, top displacement byte FF (backward).
cmp $RESULT,0
je exit                         //no further match: done
mov addr,$RESULT
mov buffer,addr
add addr,1                      //addr -> rel32 field

mov Redir,[addr]                //Check does it really jump to PEheader.
add Redir,addr                  //rel32 + address of the field (the +4 to the instruction end is only added in the recomputation below; the mask is page-granular, so that slack is presumably harmless)
and Redir,4FF000                //keep bit 22 and bits 12-19 of the target...
cmp Redir,400000                //...equal to 0x400000 only when the target is in the 0x400000 page; bits 20-21 and 23+ are not checked
jne search                      //not a header-page target: continue scanning from addr (one past the match)

mov Redir,[addr]                //Find that redirected address.
add Redir,addr
add Redir,4                     //Redir = absolute target = rel32 + address of the next instruction
mov Value,[Redir]               //Check is there JMP (E9) opcode.
and Value,0FF                   //reads are dword-wide; keep the first byte only
cmp Value,0E9
je JumpsCalls                   //If not, just copy all bytes. If yes, goto Jumps fixing.

add Redir,1                     //Copy bytes, PUSH opcodes.
mov Value,[Redir]               //the dword at stub+1 is treated as the original PUSH immediate
sub addr,1                      //back to the opcode byte
//cmt addr,"Fixed PUSH opcode."
fill addr,1,68                  //68 = PUSH imm32
add addr,1
mov [addr],Value                //write the immediate over the old rel32
mov addr,buffer                 //rescan from the patched instruction (presumably no longer matches, so the scan moves on)
jmp search

JumpsCalls:                         //Fix jumps/calls.
sub addr,1                      //back to the opcode byte
//cmt addr,"Fixed JMP or CALL opcode."
mov temp,[addr]
//NOTE(review): unlike the E9 test above, temp is not masked with `and temp,0FF`,
//so this compares the opcode byte together with the three low displacement
//bytes; the Jump branch is only taken when those three bytes are all zero.
//Verify whether redirected JMPs are ever recognised here.
cmp temp,0E9
je Jump
fill addr,1,0E8                 //E8 = CALL rel32
jmp Call
Jump:
fill addr,1,0E9                 //E9 = JMP rel32
Call:
add Redir,1                     //skip the stub's E9; Redir -> the stub's rel32
add addr,1                      //addr -> our rel32 field
mov Value,[Redir]
add Value,Redir
add Value,4                     //Value = absolute target of the stub's JMP
sub Value,addr
sub Value,4                     //re-express it relative to the end of the patched instruction
mov [addr],Value
mov addr,buffer                 //rescan from the patched instruction
jmp search


exit:
ret

// END
