/*Acprotect unpacker 

To find the oep and fix the IAT

  by zpunpack

*/



var eipaddr1 

var esiadd   

var ebxadd   

var cbase

var csize

var imgbase 

var iatrva

var add1



GMI eip, MODULEBASE 

cmp $RESULT,0

je lblabort

mov imgbase,$RESULT



gmi eip,CODEBASE     //Get code base

cmp $RESULT,0

je lblabort

mov cbase,$RESULT

gmemi cbase,MEMORYsize

cmp $RESULT,0 

je lblabort

mov csize,$RESULT



gpa "GetModuleHandleA","kernel32.dll"

cmp $RESULT,0

je lblabort

mov add1,$RESULT

bprm add1,ff 

esto 

bpmc

rtu 

findop eip,#F3AA# //rep stos byte ptr es:[edi]

cmp $RESULT,0

je lblabort   

repl $RESULT,#F3AA#,#9090#,2 

bp $RESULT

run

bc $RESULT

sto 

sto 

sto



bprm add1,ff

esto

bpmc

rtu

mov eipaddr1,eip

mov eipaddr1,eipaddr1-30

mov esiadd,esi+0c 

mov ebxadd,ebx-imgbase

mov [esiadd],ebxadd

mov iatrva,esi-imgbase

findop eipaddr1,#83660c00# //and dword ptr ds:[esi+C],0

cmp $RESULT,0

je lblabort

repl $RESULT,#83660C00#,#90909090#,4

find eipaddr1,#880343# //find:mov byte ptr ds:[ebx],al and inc ebx

cmp $RESULT,0

je lblabort

repl $RESULT,#8803#,#9090#,2

find eipaddr1,#880343#

cmp $RESULT,0

je lblabort

repl $RESULT,#8803#,#9090#,2

find eipaddr1,#80BD16564100007457# //Magic Jump

je lblabort

repl $RESULT,#80BD16564100007457#,#80BD1656410000eb57#,9 //jmp

find eipaddr1,#89078385#      //mov dword ptr ds:[edi],eax

cmp $RESULT,0

je lblabort

repl $RESULT,#8907#,#9090#,2

find eipaddr1,#8DBDEBEC400033c0#

cmp $RESULT,0

je lblabort

bp $RESULT

esto

bc $RESULT

bpmc

bprm cbase,csize

esto

cmt eip,"OEP found!please dumped it!"

eval "OEP found!please dump it and fix IAT RVA:{iatrva}!"

msg $RESULT

ret



lblabort:

msg "Script abort !"

ret