/*
Script written by Joker_Italy
Script   : NTkrnl Secure Suite OEP + IAT Repair
version  : v1.00
Date     : 23-Aug-2008
Test Environment : OllyDbg 1.1, ODBGScript 1.64, WINXP, WIN2000 
*/


var br
var namefile
var dump
var jok
var ita
var oep
var rva
run

cmp $VERSION, "1.64"
jb odbgver
mov [eip],#CC#
mov br,[esp+8]
bp br
run
bc br
gpa "LoadLibraryA","kernel32.dll"
bp $RESULT
run
bc $RESULT
rtr
mov br,eip
gpa "VirtualAlloc","kernel32.dll"
eval "EDI=={$RESULT}"
bpcnd br, $RESULT
run
sti
sti
find eip,#8B46048B400474#
cmp $RESULT,0
je quit
mov jok,$RESULT
repl jok,#8B46048B400474#, #8B46048B4004EB#, 10
GMEMI eip, MEMORYOWNER
cmp $RESULT,0
je quit
mov ita, $RESULT
find ita,#FFE05F5E5B5DC3#
cmp $RESULT,0
je quit
mov oep,$RESULT
bphws oep, "x"
run
sti
GPI PROCESSNAME
mov namefile, $RESULT
eval "Joker_{namefile}.exe" 
dpe $RESULT, eip
cmt eip, "This is OEP by Joker_Italy"
GPI PROCESSNAME
mov namefile, $RESULT
mov rva, eip
sub rva, 400000
eval "Now Run ImpREc and Fix Joker_dump_{namefile}.exe , RVA OEP: --> {rva} " 
MSG $RESULT
MSG "Script by Joker_Italy,Thank you for using my script!"
ret
odbgver:
msg "This script work with ODbgscript 1.64 or above"
jmp quit
quit:
ret