////////////////////////////////////////////////////////////////////////
// FileName    :  Thinstall V2.73X.oSc
// Comment     :  Thinstall.V2.71X/V2.73X.Single.Main.eXe.UnPacK
// Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author      :  fly
// Date        :  2007-02-18 24:00
// WebSite     :  http://www.unpack.cn
// WebSite     :  http://bbs.unpack.cn
////////////////////////////////////////////////////////////////////////
#log
dbh


var Map
var Temp
var CloseHandle
var MapViewOfFile
var GetEnvironmentVariableA
var MagicOccasion
var FindOEP
var ImageBase
var PE_Signature
var SizeOfImage
var NumberOfSections
var GetNumberOfSections

MSGYN "Plz Clear All BreakPoints  +  Set Debugging Option Ignore All Excepions Options  +  Set Events Make first pause at Entry Point !"
cmp $RESULT, 0
je TryAgain


//ImageBase______________________________________

mov Temp,eax
exec
		push 0
		call GetModuleHandleA
ende
mov ImageBase,eax
mov eax,Temp
mov Temp,ImageBase
add Temp,3C
mov Temp,[Temp]
add Temp,ImageBase
mov PE_Signature,Temp
log PE_Signature

mov Temp,PE_Signature
add Temp,50
mov SizeOfImage,[Temp]
log SizeOfImage


//CloseHandle______________________________________

gpa "CloseHandle", "KERNEL32.dll"
mov CloseHandle,$RESULT
bp CloseHandle

eob CloseHandle
esto
GoOn0:
esto

CloseHandle:
cmp eip,CloseHandle
jne GoOn0
bc CloseHandle


//MapViewOfFile______________________________________

gpa "MapViewOfFile", "KERNEL32.dll"
find $RESULT, #5DC21400#
cmp $RESULT, 0
je NoFind
add $RESULT,1
mov MapViewOfFile,$RESULT
bp MapViewOfFile

eob MapViewOfFile
esto
GoOn1:
esto

MapViewOfFile:
cmp eip,MapViewOfFile
jne GoOn1
cmp eax,0
je GoOn1
mov Map,eax
bc MapViewOfFile


//GetEnvironmentVariableA______________________________________

/*
0012FD3C    00D5243C  /CALL 到 GetEnvironmentVariableA 来自 00D52436
0012FD40    00DFB9B0  |VarName = "THNOCMDLN"
0012FD44    0012FD8C  |Buffer = 0012FD8C
0012FD48    00000002  \BufSize = 2
*/

gpa "GetEnvironmentVariableA", "KERNEL32.dll"
mov GetEnvironmentVariableA,$RESULT
bp GetEnvironmentVariableA

eob GetEnvironmentVariableA
esto
GoOn2:
esto

GetEnvironmentVariableA:
cmp eip,GetEnvironmentVariableA
jne GoOn2
mov Temp,esp
add Temp,4
mov Temp,[Temp]
log Temp
cmp [Temp],4F4E4854
jne GoOn2
bc GetEnvironmentVariableA


//CreateProcessA______________________________________

find Map,#A1????????250000000285C00F84#
cmp $RESULT,0
je NoFind
add $RESULT,0A
mov [$RESULT],#33C0#


//FixSizeOfImage______________________________________

/*
00D411A0     55                 push ebp
00D411A1     8BEC               mov ebp,esp
00D411A3     53                 push ebx
00D411A4     56                 push esi
00D411A5     57                 push edi
00D411A6     A1 1084E000        mov eax,dword ptr ds:[E08410]
00D411AB     25 00000001        and eax,1000000
00D411B0     85C0               test eax,eax
00D411B2     74 35              je short 00D411E9
00D411B4     64:A1 30000000     mov eax,dword ptr fs:[30]
00D411BA     85C0               test eax,eax
00D411BC     78 0F              js short 00D411CD
00D411BE     8B40 0C            mov eax,dword ptr ds:[eax+C]
00D411C1     8B40 0C            mov eax,dword ptr ds:[eax+C]
00D411C4     8140 20 00200000   add dword ptr ds:[eax+20],2000
//Modify SizeOfImage
00D411CB     EB 1C              jmp short 00D411E9
00D411CD     6A 00              push 0
00D411CF     FF15 B012DF00      call dword ptr ds:[DF12B0]; kernel32.GetModuleHandleA
*/

find Map,#250000000185C0743564A130000000#
cmp $RESULT,0
je NoFind
add $RESULT,05
mov [$RESULT],#85C0EB35#


//NumberOfSections______________________________________

/*
00D489A3     F3:A5              rep movs dword ptr es:[edi],dword ptr ds:[esi]
00D489A5     8BB5 8CFEFFFF      mov esi,dword ptr ss:[ebp-174]
00D489AB     B9 38000000        mov ecx,38
00D489B0     8B7D EC            mov edi,dword ptr ss:[ebp-14]
00D489B3     F3:A5              rep movs dword ptr es:[edi],dword ptr ds:[esi]
00D489B5     E9 A6010000        jmp 00D48B60
*/

find Map,#B9380000008B7DECF3A5E9#
cmp $RESULT,0
je NoFind
add $RESULT,0A
mov GetNumberOfSections,$RESULT
bp GetNumberOfSections

eob GetNumberOfSections
esto
GoOn3:
esto

GetNumberOfSections:
cmp eip,GetNumberOfSections
jne GoOn3
bc GetNumberOfSections
mov Temp,PE_Signature
add Temp,6
mov NumberOfSections,[Temp]


//MagicOccasion______________________________________

/*
00C074B4     6A 01              push 1
00C074B6     E8 A5CDFFFF        call 00C04260
00C074BB     83C4 04            add esp,4
00C074BE     5F                 pop edi
00C074BF     5E                 pop esi
00C074C0     8BE5               mov esp,ebp
00C074C2     5D                 pop ebp
00C074C3     C3                 retn
*/

find Map,#6A01E8????FFFF83C4045F5E8BE55DC3#
cmp $RESULT,0
je NoFind
add $RESULT,0F
mov MagicOccasion,$RESULT
bp MagicOccasion
log MagicOccasion

eob MagicOccasion
esto
GoOn4:
esto

MagicOccasion:
cmp eip,MagicOccasion
jne GoOn4
bc MagicOccasion


//FixPE______________________________________

mov Temp,PE_Signature
add Temp,6
mov [Temp],NumberOfSections

add Temp,0CA
mov [Temp],#00000000000000000000000000000000#
//Clear Bound Import Table and Import Address Table's Address And Size.


MSG "Plz Set  LordPE->Option->Task View ->Select  " Full Dump: force RAW mode "  Only  !    "
Dump:
MSGYN  "  OK ,  plz dump it now !  Dump file will be fixed !  Don't click " Y " before dump . "
cmp $RESULT, 0
je Dump


//FindOEP______________________________________

/*
00C01C3A     FF15 9C22CB00      call dword ptr ds:[CB229C]   ; kernel32.VirtualProtect
00C01C40     8B55 D4            mov edx,dword ptr ss:[ebp-2C]
00C01C43     C742 10 00000000   mov dword ptr ds:[edx+10],0
00C01C4A     A1 6094CC00        mov eax,dword ptr ds:[CC9460]
00C01C4F     25 00004000        and eax,400000
00C01C54     85C0               test eax,eax
00C01C56     74 14              je short 00C01C6C
00C01C58     8B8D 50FFFFFF      mov ecx,dword ptr ss:[ebp-B0]
00C01C5E     51                 push ecx
00C01C5F     68 80B2CB00        push 0CBB280  ; ASCII "APISPY: Calling EXE Entry Point %x",LF
00C01C64     E8 F7CF0100        call 00C1EC60
00C01C69     83C4 08            add esp,8
00C01C6C     E8 0FF8FFFF        call 00C01480
00C01C71     8985 4CFFFFFF      mov dword ptr ss:[ebp-B4],eax
00C01C77     8D05 8D1CC000      lea eax,dword ptr ds:[C01C8D]
00C01C7D     50                 push eax
00C01C7E     8B85 4CFFFFFF      mov eax,dword ptr ss:[ebp-B4]
00C01C84     50                 push eax
00C01C85     8B85 50FFFFFF      mov eax,dword ptr ss:[ebp-B0]
00C01C8B     FFE0               jmp eax
*/

find Map,#85??74148B??50FFFFFF??68????????E8????????83C408#
cmp $RESULT,0
je NoFind
add $RESULT,18
cmp [$RESULT],FF5095FF
je Thinstall271X
add $RESULT,1F
cmp [$RESULT],006AE0FF
jne NoFind


Thinstall271X:
mov FindOEP,$RESULT
bp FindOEP

eob FindOEP
esto
GoOn5:
esto

FindOEP:
cmp eip,FindOEP
jne GoOn5
bc FindOEP
esti


//GameOver______________________________________ 

log eip
cmt eip, "This is the OEP!  Found By: fly "                                                                           
MSG "Just : OEP !  Your dump file already fiXed .    Good Luck     "
ret                       

NoFind:
MSG "Error! Don't find.     "
ret

TryAgain:
MSG " Plz  Try  Again   !   "
ret