////////////////////////////////////////////

// PEP2.x~3.x Resource Dumper.txt

// Kissy[UpK]

// www.unpack.cn

// info:reach to oep,run the script,then you'll get all the pieces of Resource which were encrypted by Pep 2.x~3.x.

////////////////////////////////////////////



var imgbase

var Loadrc

var Loadret

var Sizeofrc

var Sizeofret

var num

var dumpva

var dumpname

var dumpsize

var tmp



cmp $VERSION, "1.52"

jb odver



mov num,1

gmi eip,MODULEBASE

mov imgbase,$RESULT



gpa "LoadResource","Kernel32.dll"

mov Loadrc,$RESULT

find Loadrc,#E9#,1

cmp $RESULT,0

je error

gci Loadrc,DESTINATION

mov Loadret,$RESULT

find Loadret,#68????????C3#

mov tmp,$RESULT

mov Loadret,[tmp+1]

find Loadret,#C20800#

mov Loadret,$RESULT

bp Loadret

//hookLoadResource



gpa "SizeofResource","Kernel32.dll"

mov Sizeofrc,$RESULT

find Sizeofrc,#E9#,1

cmp $RESULT,0

je error

gci Sizeofrc,DESTINATION

mov Sizeofret,$RESULT

find Sizeofret,#68????????C3#

mov tmp,$RESULT

mov Sizeofret,[tmp+1]

find Sizeofret,#C20800#

mov Sizeofret,$RESULT

bp Sizeofret

//hookSizeofResource







loopdumprc:

mov [esp+4],imgbase

mov [esp+8],num

mov eip,Loadrc

esto

cmp eax,0

je exit

mov dumpva,eax

mov eip,Sizeofrc

esto

cmp eax,0

je error

mov dumpsize,eax

eval "{num}.bin"

mov dumpname,$RESULT

dm dumpva,dumpsize,dumpname

inc num

jmp loopdumprc





error:

msg "no resource needed to be dumped or you made some mistake."

pause



odver:

msg "plz update ODbgScript.dll to 1.65 or above."

ret



exit:

dec num

eval "All {num} pieces of resource were dumped! You can fix them to your target later."

msg $RESULT

msg "Kissy[UpK]"

ret