var oep

var gp

var iat_st

var fnm

var pfn

var namef

var wrname

var szname

var ImageBase

var counter

var buffer

var ordzer

mov counter,0

gmi eip,MODULEBASE

mov ImageBase,$RESULT





ask "Enter address code section vp.dll"

cmp $RESULT,0

je quit



mov bdl,$RESULT



find bdl,#E8????????FF65FC#

cmp $RESULT,0

je quit

mov oep,$RESULT+5



/*

003C5FED    E8 46BCFFFF     CALL VP.003C1C38

003C5FF2    FF65 FC         JMP DWORD PTR SS:[EBP-4]



*/

find bdl,#8945E88B06833800740955#

cmp $RESULT,0

je quit

mov iat_st,$RESULT+8

bp iat_st

erun

bc eip

mov iat_st,eax

sti

sti

sti



cmp [iat_st],0

jne c_table

mov pfn,eip+9E

fill pfn,2,90

jmp next

c_table: 

mov pfn,eip+B9

fill pfn,2,90

mov ordzer,eip+4D

mov [ordzer],#83280A8B1885DB7577EB229090# 

next:

find bdl,#8A1A428BF381E6FF0000008BCE8D45F8#

cmp $RESULT,0

je quit

mov fnm,$RESULT+29

mov gp,$RESULT+33

asm gp, "Call GetProcAddress"



bp oep

bp fnm

bp pfn

erun



find iat_st,#0000000000000000000000000000000000000000000000000000000000000000#

cmp $RESULT,0

je quit

mov buffer,$RESULT+8

impproc:



cmp eip,oep

jne nextpr

pause

sti

cmt eip,"<--oep"

bc oep

bc fnm

bc pfn

sub oep,ImageBase

sub iat_st,ImageBase

mov counter,ImageBase

add counter,3C

mov counter,[counter]

add counter,ImageBase

add counter,28

mov [counter],oep

add counter,58

mov [counter],iat_st

fill buffer,szname,00

dpe "dump.exe", eip



msg "File Unpacked!"

ret





quit:

msg "Not Visage"

ret

nextpr:

mov namef,eax

find namef,#00#

mov szname,$RESULT

sub szname,namef

MEMCPY buffer,namef,szname

erun

mov wrname,eax

mov wrname,[wrname]

add wrname,400002

MEMCPY wrname,buffer,szname

add wrname,szname

fill wrname,1,00

jmp impproc