pespin 0.3 - 1.0 stolen bytes & oep finder.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

/*
10h24 PM Tuesday 11 January 2005
PESpin 0.3 - 1.0 Stolen Bytes and OEP Finder
Tested with PESpin 0.3 & PESpin 1.0
with a some program , you must know use this script for fix IAT
Author : dqtln
Email : dqtlncrk@gmail.com
OS : WinXP Pro SP1 , OllyDbg 1.10 , OllyScript 0.92
Website : www.phudu.com
For opinions & bugreport send me a email
Thank you very much
*/

msgyn "Please check Options/Exceptions/INT3 breaks"
cmp $RESULT,0
je dqtln3
var x
sto
sto
bphws esp,"r"
mov x,esp
run

dqtln1:
esto
cmp eax,FF
jne dqtln1
je dqtln2

dqtln2:
esto
bphwc x
cmt eip,"Stolen Bytes start here - Found by dqtln"
msg "See EB?? code - Jump to Stolen Bytes"

ask "See E9???????? code - Jump to OEP - Enter new EIP"
cmp $RESULT,0
je dqtln3
mov eip,$RESULT
sto
msg "Please press No if have a question"
an eip
cmt eip,"This is the OEP - Found by dqtln"
msg "Dump and fix IAT now - Good day"
ret

dqtln3:
msg "Script Abort"
ret