/*

==================================================================

    PESpin v0.3 unpacking script for SHaG's OllyScript plugin

==================================================================



    Script works only on Windows XP systems.

    Script will prevent IAT redirecting and it will stop at

    place where stolen OEP's bytes are. You can dump file from

    that place and use ImpREC if needed. If you know how, you

    can search for stolen bytes and restore them. Script is

    tested on VB, VC++, Delphi, BC++ and ASM programs. Before

    use, ignore ALL exceptions!



    haggar

==================================================================

*/



var x

var A

var B

var C



msg "Script runs on Win XP only. Ignore ALL exceptions!"



//Break on GetTickCount

gpa "GetTickCount","kernel32.dll"

cmp $RESULT,0

je er1

bp $RESULT

esto

esto

bc eip

rtu



//Fix IAT redirection.

mov $RESULT,eip

sub $RESULT,401

findop $RESULT,#60#

cmp $RESULT,0

je er2

mov A,$RESULT

add A,1



findop $RESULT,#61#

cmp $RESULT,0

je er2

mov B,$RESULT

sub B,1



nop:

fill A,1,90

cmp A,B

inc A

jne nop











cont1:

//Find instruction after redirectin IAT - first type.

find eip,#F97205E8??????00EB01#

cmp $RESULT,0

je SecondOption

add $RESULT,1

bp $RESULT

esto

bc eip

jmp continue



//Second type - also kill thread.

SecondOption:

find eip,#F87205E8??????00EB01#

cmp $RESULT,0

je er2

mov x,$RESULT

bphws x,"x"

esto

bphwc x

add $RESULT,2

fill $RESULT,5,90





continue:





find eip,#61#

cmp $RESULT,0

je er2

bp $RESULT

esto

bc eip

sto



msg "Here starts stolen OEP code. If there is no stolen OEP, after this POPAD opcode is jump to real OEP. In any case you can dump file now."

ret













er1:

msg "ERROR! Couldn't find GetTickCount in kernel32.dll. Exiting."

ret

er2:

msg "ERROR! Couldn't find needed opcode."

ret