
📄 pespin 1.0 unpacker.txt

📁 700个脱壳脚本, 可以放在OD的ollyscript Plugin中.
/*
=====================================================================
   PESpin v1.0 unpacker script for OllyScript plugin (by SHaG)
=====================================================================

    Script requires Windows XP.
    Script works good only with ASM and BC++ programs. Delphi
    and VC++ will not be properly fixed using OllyDump plugin.
    For those programs check my other scripts and read tutorial.
    Script will fix IAT redirection, code redirection and find
    stolen OEP code. Before use, ignore ALL exceptions!

    [ haggar ]
=====================================================================
*/


// Working variables. A and B hold addresses derived from eip/$RESULT below;
// x and C are declared but never referenced in the visible script.
var x
var A
var B
var C

msg "Script runs on Win XP only. Ignore ALL exceptions!"

//Break on GetTickCount
// gpa leaves the address of kernel32!GetTickCount in $RESULT. findop then
// looks, from that address, for the first instruction starting with C3 (RET),
// so the breakpoint sits on the API's return rather than on its entry.
// NOTE(review): $RESULT is not checked after gpa/findop; if either fails the
// breakpoint address is meaningless.
gpa "GetTickCount","kernel32.dll"
findop $RESULT,#C3#
bp $RESULT
esto                            // Resume the target (exceptions passed to it) until the breakpoint hits; the packed code really executes here.
bc eip                          // Remove the breakpoint we just stopped on.
rtu                             // Run to user code, i.e. back into whatever called GetTickCount (presumably the packer stub).


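//Find killer timer - last thing in packer
// eip is in the code that called GetTickCount; the signature search starts
// 0D00 bytes below it. The distances 0D00 and 127 used in this block are
// fixed values from the original script - presumably tied to the PESpin 1.0
// stub layout, so another packer version is expected to miss.
mov A,eip
sub A,0D00

find A,#F?720D8D850660271E2D8417E71DFFD0EB01#
// find/findop leave 0 in $RESULT when nothing matches. Stop instead of
// deriving breakpoint and patch addresses from 0.
cmp $RESULT,0
jne TimerFound
msg "PESpin 1.0 timer signature not found. Script stopped before patching."
ret
TimerFound:
add $RESULT,1                   // Breakpoint goes one byte past the start of the match.
bp $RESULT

//Find IAT redirection jump
mov B,$RESULT
sub B,127
findop B,#FF6424FC#             // FF 64 24 FC = jmp dword ptr [esp-4]
cmp $RESULT,0
jne IatJmpFound
msg "IAT redirection jump not found. Script stopped before patching."
ret
IatJmpFound:
bp $RESULT
esto                            // Run the target until that jump is reached.
bc eip
findop eip,#E8?????FFF#         // Next E8 call whose rel32 has FF as its top byte.
cmp $RESULT,0
jne CallFound
// Without this guard the NOP loop that follows would get an end address
// of 0-1 and have no usable upper bound.
msg "Call after IAT redirection jump not found. Script stopped before patching."
ret
CallFound:
mov B,eip                       // B = first byte to overwrite (current eip).
sub $RESULT,1                   // $RESULT = last byte to overwrite (byte before the call).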

// Overwrite with NOPs every byte from B up to and including $RESULT, one
// byte per pass. B and $RESULT come from the statements just above: B is eip
// at the stop on the IAT redirection jump, $RESULT is the byte before the
// E8 call found from there.
// NOTE(review): there is no bound check in the loop itself; it assumes
// $RESULT is a valid address at or above B.
noping:
fill B,1,90                     // 90 = NOP
cmp B,$RESULT                   // Was that the last byte?
inc B                           // NOTE(review): relies on inc leaving the cmp result untouched - confirm for your plugin version.
jne noping

// Resume the target until the next breakpoint - presumably the one placed
// one byte into the "killer timer" signature earlier in the script.
esto

bc eip
mov A,eip
add A,2
fill A,0D,90                    // NOP out 0D (13) bytes starting at eip+2.


// 16D is a fixed distance from the patched spot (eip+2) to the next stop;
// presumably specific to the PESpin 1.0 stub layout - confirm on the sample.
add A,16D
bp A
esto
bc eip
sto                             // One step over from the breakpoint.
cmt eip,"Start of stolen OEP mixed with junk."



//Finding and fixing redirected code
// addr   - scan cursor, later the address being patched
// Redir  - address computed from a branch displacement (the redirection stub)
// buffer - saved start address of the instruction being examined
// temp   - opcode read back from the instruction being fixed
// Value  - data read from the stub, then the value written back
var addr
var Redir
var buffer
var temp
var Value
// Scan starts at 401000. Assumes an image base of 400000 with code starting
// at +1000 - TODO confirm against the target's PE header before running.
mov addr,401000


// One pass per candidate: find the next matching branch, check that it
// targets the page at 400000 (where the redirection stubs are expected),
// then rebuild the original instruction in place.
search:
findop addr,#E???????FF#        //Find possible CALL/JMP to PE header: opcode E?, rel32 with FF as top byte.
cmp $RESULT,0
je exit                         // 0 = nothing more found: done.
mov addr,$RESULT
mov buffer,addr                 // Remember where the instruction starts.
add addr,1                      // addr -> rel32 field of the instruction.

mov Redir,[addr]                //Check whether it really jumps to the PE header.
add Redir,addr                  // rel32 + address of the rel32 field (+4 is skipped; only the page is tested).
and Redir,4FF000
cmp Redir,400000                // Assumes image base 400000 - TODO confirm for the target.
jne search                      // Not a redirection: keep scanning from instruction start + 1.

mov Redir,[addr]                //Find that redirected address.
add Redir,addr
add Redir,4                     // Redir = absolute branch target (the stub).
mov Value,[Redir]               //Check whether the stub starts with a JMP (E9) opcode.
and Value,0FF                   // [Redir] yields more than one byte; keep only the first (opcode) byte.
cmp Value,0E9
je JumpsCalls                   //If not, just copy all bytes. If yes, goto Jumps fixing.

// Non-JMP stub: the site is rebuilt as 68 (PUSH imm32) followed by the dword
// that sits one byte into the stub.
// NOTE(review): the stub's first byte is not checked to be 68 - presumably
// PESpin 1.0 only emits PUSH stubs here; verify on the sample.
add Redir,1                     //Copy bytes, PUSH opcodes.
mov Value,[Redir]
sub addr,1                      // Back to the opcode byte of the site.
fill addr,1,68
add addr,1
mov [addr],Value                // Write the copied dword as the PUSH operand.
mov addr,buffer                 // Resume scanning at the instruction just rewritten.
jmp search

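JumpsCalls:                         //Fix jumps/calls.
// Reached when the stub at Redir starts with E9 (JMP rel32). The redirected
// site keeps its own kind (JMP or CALL) and receives a new rel32 that points
// straight at the stub's final target, bypassing the stub.
sub addr,1                      // Back to the opcode byte of the redirected instruction.
mov temp,[addr]                 // Reads a dword: opcode in the low byte, rel32 bytes above it.
// Keep only the opcode byte, as the search loop does for Value. Without the
// mask the compare below matches only when the next three bytes are zero, so
// a redirected JMP would be rewritten as a CALL.
and temp,0FF
cmp temp,0E9
je Jump
// NOTE(review): every opcode other than E9 is forced to E8 here, although the
// search pattern E? can also match other E-range opcodes.
fill addr,1,0E8
jmp Call
Jump:
fill addr,1,0E9
Call:
add Redir,1                     // Redir -> rel32 field of the stub's JMP.
add addr,1                      // addr -> rel32 field of the instruction being fixed.
mov Value,[Redir]
add Value,Redir
add Value,4                     // Value = absolute target of the stub's JMP.
sub Value,addr
sub Value,4                     // Value = rel32 from the fixed instruction to that target.
mov [addr],Value
mov addr,buffer                 // Resume scanning at the instruction just rewritten.
jmp search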


// Reached when the scan finds no further candidate. The script ends with the
// target still paused and the patches only in the debuggee's memory; dumping
// is a separate, manual step (the header mentions the OllyDump plugin).
exit:
ret













