/*

OllyDbg & Fantom

*/



var psf

var OEP





gpa "GetModuleHandleA","kernel32.dll"

mov psf,$RESULT

find psf,#C20400#

cmp $RESULT,0

je quit

mov psf,$RESULT

bp psf

erun

bc psf

rtu

find eip,#8A1401#

cmp $RESULT,0

je quit

mov [$RESULT+2],#19#

gpa "GetFileSize","kernel32.dll"

mov psf,$RESULT



bp psf

erun

bc psf

rtu

find eip,#33BD2F564000#

cmp $RESULT,0

je quit

mov psf,$RESULT

mov [psf ],#33FF#

add psf,2

fill psf,4,90

find eip,#33C98A1401#

cmp $RESULT,0

je quit

mov [$RESULT+4],#19#



find eip,#8B9D07564000039D0B564000C1CB07#

cmp $RESULT,0

je quit

mov psf,$RESULT+C

bp psf

erun

bc psf

mov OEP,ebx

find eip,#618902EB19#

cmp $RESULT,0

je quit

bp $RESULT



erun

bc eip

find eip,#F7850F564000200000007445#

cmp $RESULT,0

je quit

mov [$RESULT+A],#EB#

find eip,#4083F8017402#

cmp $RESULT,0

je quit

mov psf,$RESULT+4

bp psf

erun

mov eip,OEP

bc psf

cmt eip, "OEP Faund!"



eval "file unpacked! Import fixed! Dump it & use ImpREC,OEP: {OEP}"

msg $RESULT

ret





quit:

MSG "Not CoolCryptor"

ret