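/*
////////////////////////////////////////////////////////////////////
PESpin v1.3 Unpacker script v0.1
Author: KuNgBiM
Email : kungbim@163.com
OS    : WinXP sp1, Ollydbg 1.1, OllyScript v0.92
Date  : 2006-1-3
Action: Auto fix IAT, remove junk code, find stolen code
Config: Ignore ALL exceptions
Note  : If you have one or more questions, email me please, thank you!
////////////////////////////////////////////////////////////////////
*/

// Scratch variables used by the unpacking stages:
//   A - working address (cursor of the NOP loop, later the bp address)
//   B - upper bound of the NOP loop (exclusive)
var A
var B

msg "Script runs on Win XP only. Ignore ALL exceptions!"

// ---- Stage 1: break on GetTickCount ----------------------------------
// Break on the RET of kernel32!GetTickCount, run until the packer's timer
// check calls it, then return to the packer's own code.
gpa "GetTickCount","kernel32.dll"
findop $RESULT,#C3#
cmp $RESULT,0
je fail
bp $RESULT
esto
bc eip
rtu

// ---- Stage 2: breakpoints around the timer call and the IAT redirection
// The code around the timer call lies 0F80 bytes below eip; break one byte
// past the start of the matched pattern.
mov A,eip
sub A,0F80
find A,#F?723F8D850F6E271E2D8417E71DFFD0EB02#
cmp $RESULT,0
je fail
add $RESULT,1
bp $RESULT

// The IAT redirection jump (FF6424FC) lies 1058 bytes below eip.
mov A,eip
sub A,1058
findop A,#FF6424FC#
cmp $RESULT,0
je fail
bp $RESULT
esto
bc eip
mov A,$RESULT

// ---- Stage 3: NOP every byte between the redirection jump and the good call
find eip,#E8??????FFE803000000#
cmp $RESULT,0
je fail
mov B,$RESULT
cmp B,A
jbe fail                           // empty or reversed range would never terminate
noping:
fill A,1,90
inc A
cmp A,B
jne noping
esto

// ---- Stage 4: timer place -------------------------------------------
// (The original listing carried a duplicate "noping:" marker here; it is
// not a jump target and is left out.)
bc eip
fill eip,0F,90

// NOP the byte before POPAD, then break two bytes further on and run to it.
mov A,eip
add A,221
fill A,1,90
add A,2
bp A
esto
bc eip
cmt eip,"Here starts stolen OEP.Find by KuNgBiM[DFCG][BCG][SLT][NCPH]"

// ---- Stage 5: restore redirected CALL / JMP / PUSH instructions --------
// Walk the code section from 401000 looking for E8/E9 rel32 whose high byte
// is FF, keep only those that land in the PE header page, then either copy
// back the PUSH imm32 found there or retarget the CALL/JMP to its real target.
//   addr   - cursor: address being examined / patched
//   Redir  - address the redirected CALL/JMP points to
//   buffer - start of the matched instruction (restart point for the search)
//   temp   - opcode byte of the matched instruction
//   Value  - byte/dword read from the redirection target
var addr
var Redir
var buffer
var temp
var Value
mov addr,401000
search:
findop addr,#E???????FF#           // possible CALL/JMP into the PE header
cmp $RESULT,0
je exit
mov addr,$RESULT
mov buffer,addr
add addr,1
mov Redir,[addr]                   // rel32 operand
// Does it really jump into the PE header page? (operand address + rel32,
// masked, must land in the 400000 page)
add Redir,addr
and Redir,4FF000
cmp Redir,400000
jne search
// Resolve the redirected target: operand address + 4 + rel32.
mov Redir,[addr]
add Redir,addr
add Redir,4
mov Value,[Redir]
and Value,0FF                      // first opcode byte at the target
cmp Value,0E9
je JumpsCalls                      // target is a JMP: fix the transfer
// Otherwise the target holds a PUSH imm32: copy its immediate back.
add Redir,1
mov Value,[Redir]
sub addr,1
//cmt addr,"Fixed PUSH opcode."
fill addr,1,68                     // PUSH imm32 opcode
add addr,1
mov [addr],Value
mov addr,buffer
jmp search
JumpsCalls:
// Keep the original transfer kind (E8 CALL / E9 JMP) and retarget it.
sub addr,1
//cmt addr,"Fixed JMP or CALL opcode."
mov temp,[addr]
and temp,0FF                       // mov reads a dword; compare only the opcode byte (as done for Value above)
cmp temp,0E9
je Jump
fill addr,1,0E8
jmp Call
Jump:
fill addr,1,0E9
Call:
add Redir,1
add addr,1
mov Value,[Redir]                  // rel32 of the target's JMP
add Value,Redir
add Value,4                        // absolute real target
sub Value,addr
sub Value,4                        // rel32 relative to the end of our instruction
mov [addr],Value
mov addr,buffer
jmp search
exit:
ret
fail:
msg "Pattern not found - packer version or code layout differs. Script aborted."
ret
// END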