/*

 OllyDbg & Phantom 

*/



var j

var nt

var fn

var srh

var seax

var jw

var ftn

var pbase

var oep

var gmh

var iatrva

var iatb

var iatsz

var iallocib

var espval

var counter

var ImageBase



mov counter,0

gmi eip,MODULEBASE

mov ImageBase,$RESULT



gpa "GetModuleHandleA","kernel32.dll"

mov  gmh,$RESULT

bphws gmh,"x"

sti

mov espval,esp+8

erun

erun

mov iatrva,esi

GMEMI iatrva,MEMORYBASE

mov iatb,$RESULT

GMEMI iatb,MEMORYSIZE

mov iatsz,$RESULT

alloc iatsz

mov iallocib,$RESULT

MEMCPY iallocib,iatb,iatsz

bphwc gmh

bphws espval,"r"

erun

bphwc espval

find eip,#FFE0#

cmp $RESULT,0

je quit

bp $RESULT

erun

bc eip

sti

mov oep,eip

GMI eip,ENTRY

mov pbase,$RESULT

GMEMI pbase, MEMORYBASE

mov pbase,$RESULT

find pbase,#53515256E8000000005B81EB??????0081C3??????008BC833D283C8FFBE0400#

cmp $RESULT,0

je quit

mov fn,$RESULT

find pbase,#????????????4?80????????????4?80????????????4?80????????????4?80#

cmp $RESULT,0

je quit

mov nt,$RESULT



mov srh,401000



loop:

find srh,#CC90??600C45# //#FF2556FE4700#

cmp $RESULT,0

je goep

mov srh,$RESULT

mov j,$RESULT

mov jw,$RESULT+2

mov eip,fn



mov eax,j-400000



rtr

mov seax,eax

buf seax

find nt,seax

mov ftn,$RESULT+4

mov ftn,[ftn]

and ftn,0FFFFFF 

mov [j],#FF25#

mov [jw],ftn

jmp loop

goep:

mov eip,oep

MEMCPY iatb,iallocib,iatsz

sub oep,ImageBase

sub iatrva,ImageBase

mov counter,ImageBase

add counter,3C

mov counter,[counter]

add counter,ImageBase

add counter,28

mov [counter],oep

add counter,58

mov [counter],iatrva

dpe "dump.exe", eip

eval "The file is completely unpacked!"

msg $RESULT

ret



quit:

ret