; Unpacking script for PESpin 1.32 ; This Script fix all but nanomites. To do this use the tool attached with this tutorial ; or get it from www.AT4RE.com ; ; ; Script done by Zool@nder of AT4RE ; Please for all remarks and suggestions, contact me at Zoolander@AT4RE.com or at ; WWW.AT4RE.COM ; Regards ; ; Tested on WINXP SP2 and VISTA ULTIMATE + OdbgScript 1.65.3mod by Zool@nder + OLLYDBG1.10 var var1 var var2 var var3 var var4 var cb_packer var 1shot var memal var oep var cb_target var cb_target2 var cs_packer var ibase mov var1,eip gmemi eip,MEMORYBASE mov cb_packer,$RESULT gmemi eip, MEMORYSIZE gmi eip, MODULEBASE mov ibase, $RESULT msgyn "Is DebugBlocker enabled" cmp $RESULT, 2 jne continuework_1 ret continuework_1: cmp $RESULT, 0 jne DB_Exist mov var1, cb_packer+296C bphws var1, "x" run bphwc var1 mov var1, cb_packer+29E7 mov var1, [var1] bp var1 esto bc var1 jmp no_DB DB_Exist: setoption ALL gpa "CreateMutexA","Kernel32.dll" cmp $RESULT,0 je errunknown find $RESULT, #C20C00# bp $RESULT esto bc $RESULT sti find eip,#3BC39C# add $RESULT,2 bp $RESULT esto mov !ZF,1 bc $RESULT bp $RESULT+47 esto bc $RESULT+47 mov eip,$RESULT+47+1F find eip,#F187DF57C3558BECC745FC00000000C745F800000000# cmp $RESULT,0 je errunknown bp $RESULT esto bc $RESULT mov eip,[esp] add esp,4 no_DB: find cb_packer,#FE4FFF83C7042BC78947FCEB02# cmp $RESULT,0 je errunknown cmp 1shot,0 je patchsinstall errCantalloc: msg "Can't alloc memory" ret continuework_2: mov var1,cb_packer+1974 fill var1,6,90 mov var1,cb_packer+118A fill var1,2,90 mov oep,cb_packer+1CB4 bp oep esto bc oep gmi oep,CODEBASE cmp $RESULT,0 je errcantcontinuefix mov cb_target,$RESULT mov cb_target2,$RESULT dec cb_target2 cleanjmpPE: find cb_target,#E9??????FF# cmp $RESULT,0 je continuework_3 mov cb_target,$RESULT+5 mov fpat,$RESULT mov var1,$RESULT+1 mov var1,[var1] add var1,$RESULT+5 cmp var1,cb_target2 ja cleanjmpPE cmp ibase, var1 ja cleanjmpPE opcode var1 add var1, $RESULT_2 gci var1, TYPE cmp $RESULT, 50 jne cleanjmpPE asm fpat,$RESULT_1 jmp cleanjmpPE continuework_3: gmi oep,CODEBASE cmp $RESULT,0 je errcantcontinuefix mov cb_target,$RESULT cleancallPE: find cb_target,#E8??????FF# cmp $RESULT,0 je continuework_4 mov cb_target,$RESULT+5 mov fpat,$RESULT gci fpat, DESTINATION mov var1, $RESULT mov var3, $RESULT cmp var1,cb_target2 ja cleancallPE cmp ibase, var1 ja cleancallPE gci var1, TYPE cmp $RESULT, 50 jne cleancallPE gci var3, DESTINATION eval "call {$RESULT}" asm fpat,$RESULT jmp cleancallPE continuework_4: mov var1,oep find oep,#6A00EB# mov var4,$RESULT find oep,#55EB01# mov var3,$RESULT find var1,#68????????812C24# mov var2,$RESULT eval "FAKE OEP AT : {$RESULT} or {var3} or {var4}" log $RESULT find var1,#EB????E9??????FF# cmp $RESULT,0 je cleanjmp1b mov var2,$RESULT+4 mov var2,[var2] add var2,$RESULT+8 eval "REAL OEP AT : {var2}" log $RESULT cleanjmp1b: find var1,#EB01# cmp $RESULT,0 je continuework_5 mov var1,$RESULT+3 fill $RESULT,3,90 jmp cleanjmp1b continuework_5: mov var1,oep cleancalllike: find var1,#68????????E9??????FF# cmp $RESULT,0 je continuework_6 mov var1,$RESULT mov var3,$RESULT+6 mov var3,[var3] add var3,$RESULT+A fill $RESULT,A,90 eval "call {var3}" asm var1,$RESULT add var1,A jmp cleancalllike continuework_6: mov var1,oep cleanmetapush1: find var1,#68????????812C24# cmp $RESULT,0 je continuework_7 mov var1,$RESULT mov var3,$RESULT+1 mov var3,[var3] mov var4,$RESULT+8 mov var4,[var4] sub var3,var4 fill $RESULT,C,90 eval "push {var3}" asm var1,$RESULT add var1,C jmp cleanmetapush1 continuework_7: mov var1,oep cleanmetapush2: find var1,#68????????810424# cmp $RESULT,0 je continuework_8 mov var1,$RESULT mov var3,$RESULT+1 mov var3,[var3] mov var4,$RESULT+8 mov var4,[var4] add var3,var4 fill $RESULT,C,90 eval "push {var3}" asm var1,$RESULT add var1,C jmp cleanmetapush2 continuework_8: gmi oep, CODEBASE mov cb_target2, $RESULT mov var1,cb_target2 gmemi oep, MEMORYBASE mov cb_packer, $RESULT gmemi oep, MEMORYSIZE mov cs_packer, $RESULT add cs_packer,cb_packer dec cs_packer cleanextracall: findop var1, #FF15??????00# cmp $RESULT,0 je continuework_9 mov var1, $RESULT+6 mov var3, $RESULT+2 mov var4, $RESULT+2 mov var3,[var3] cmp cb_packer, var3 ja cleanextracall cmp var3, cs_packer ja cleanextracall gci $RESULT, DESTINATION mov [var4], $RESULT jmp cleanextracall continuework_9: mov var1,cb_target2 cleanextrajmp: findop var1, #FF25??????00# cmp $RESULT,0 je continuework_10 mov var1, $RESULT+6 mov var3, $RESULT+2 mov var4, $RESULT+2 mov var3,[var3] cmp cb_packer, var3 ja cleanextrajmp cmp var3, cs_packer ja cleanextrajmp gci $RESULT, DESTINATION mov [var4], $RESULT jmp cleanextrajmp continuework_10: mov var1, cb_target2 cleanmovr32extramem: findop var1, #8B????????00# cmp $RESULT,0 je jackpot mov var1, $RESULT+6 mov var3, $RESULT+2 mov var4, $RESULT+2 mov var3,[var3] cmp cb_packer, var3 ja cleanmovr32extramem cmp var3, cs_packer ja cleanmovr32extramem gci $RESULT, SIZE cmp $RESULT, 6 jne cleanmovr32extramem mov var3, [var3] mov [var4], var3 jmp cleanmovr32extramem jackpot: free memal,1000 msg "The OEP is too near,see log window" msg "PARTIAL Unpacked done by Zool@nder of AT4RE {WWW.AT4RE.COM}" ret errcantcontinuefix: msg "The script can't continue fixing the target ... Please do it by hand or send me an Email" ret errunknown: msg "There was an error,sorry" ret patchsinstall: mov var1,$RESULT+8 inc 1shot alloc 1000 cmp $RESULT,0 je errCantalloc mov memal,$RESULT eval "jmp {memal}" asm var1,$RESULT asm memal,"mov word ptr ds:[edi-5],25FF" asm memal+6,"mov dword ptr ds:[edi-3],edx" add var1,7 eval "jmp {var1}" asm memal+9,$RESULT find cb_packer,#8BBD124240003BC77635# cmp $RESULT,0 je errunknown add $RESULT,8 mov [$RESULT],BD0335EB find $RESULT,#8944241C61FF0424EB02# cmp $RESULT,0 je errunknown mov [$RESULT],90900289 find $RESULT,#C38902E803000000EB04# cmp $RESULT,0 je errunknown mov [$RESULT],E89090C3 jmp continuework_2