pespin 0.7 oep finder #2.txt

来自「700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.」· 文本 代码 · 共 98 行

// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/*
PESpin v0.7 OEP finder
Finds OEP for PESpinned file with maximum checked boxes in settings tab for sure
Didn't check for others :)

Author: Reverend^HTB+RAG
Contact: rev15@wp.pl
http://www.reverend.piwko.pl
*/
msgyn "Make sure no exceptions are passed to program. Uncheck all marks on exceptions tab. Ready to start ?"
cmp $RESULT,0
je cancel

var cbase
gmi eip,CODEBASE
mov cbase,$RESULT
log cbase

var csize
gmi eip,CODESIZE
mov csize,$RESULT
log csize

var count
mov count,0B
eob @1
eoe @1
var isoep
run
@1:
cob
coe
cmp count,0
je @2
esto
dec count
jmp @1
@2:
esti
bprm cbase, csize
eob @3
eoe @3
run
@3:
cob
coe
bpmc
mov isoep,[eip]
and isoep,000000FF
cmp isoep,000000E9
je oep_detected

var finder
mov finder,eip
and finder,FFFFF000
@4:
find finder,#817E10#
sub finder,1000
cmp $RESULT,0
je @4

eob @5
eoe @5
@5:
cmp eip,$RESULT
je @6
go $RESULT
@6:
cob
coe

find $RESULT,#3DFF0F00#
go $RESULT
mov eax,20
rtr
@7:
sti
mov isoep,[eip]
and isoep,000000FF
cmp isoep,000000E9
jne @7

oep_detected:
sti
cmt eip, "OEP"

msgyn "Do you want to analyze now ?"
cmp $RESULT,0
je cancel

an eip
cancel:
ret


// [BACK]