activemark 5.xx level 2 ep finder.txt

来自「700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.」· 文本 代码 · 共 38 行

/*
ActiveMark 5.xx 2nd layer EP finder
Made by: GaBoR {RES}
Thanks to:
	-CondZero for the great tuts on Activemark!
	-Lunar_Dust for the overlay method!
Instructions:
	-hide Olly with OllyAdvanced plugin;
*/

var x
gpa "GetModuleHandleA","kernel32.dll"
mov x,$RESULT
add x,9
bpcnd x, "[ESP+08]==0"
run
run
run
run
run
run
run
run
bc x
mov x,esp
add x,4
bp [x]
run
bc [x]
sto
sto
sto
sto
sto
cmt eip,"2nd layer EP found by GaBoR {RES}"
msg "Dump, fix IAT & add overlay!"
ret