/* ////////////////////////////////////////////////// eXePressor Unpacker 1.8.01 OS : XP SP2 Olly not use strong & fantom ///////////////////////////////////////////////// */ var fn var i_st var padr var pf var pend var isz var addr var ldrb var patch var imb var ipbase var mi var nm var counter var iatw GMI eip,NAME mov nm,$RESULT eval "{nm}_U.exe" mov nm,$RESULT GMI eip,IDATABASE mov ipbase,$RESULT GMI eip,MODULEBASE mov imb,$RESULT mov mi,imb rev mi mov mi,$RESULT eval " #0000{mi}#" mov mi,$RESULT GMI eip,CODEBASE mov cb,$RESULT GMI eip,CODESIZE mov csz,$RESULT GMI eip,ENTRY mov oep,$RESULT BC oep gpa "GetProcAddress","kernel32.dll" find $RESULT,#5F5BC9C2# bp $RESULT+3 erun erun bc eip rtu nxtf: find ipbase,mi cmp $RESULT,0 je quit mov ipbase,$RESULT+4 cmp [$RESULT+4],0 jne nxtf mov i_st,[$RESULT+c] mov oep,$RESULT-C mov iatw,[$RESULT+54] add iatw,imb GMEMI eip, MEMORYBASE mov ldrb,$RESULT find ldrb,#742481BD54FDFFFF3B1032E3741881BD54FDFFFFAB1CA7D7740C81BD54FDFFFF3C7C33B67533EB01# cmp $RESULT,0 je quit mov patch,$RESULT find ldrb,#8B4DF02BC88B45D08908EB01# cmp $RESULT,0 je quit mov padr,$RESULT+A mov pend,$RESULT+22 find ldrb,#8945E8837DE800750733C0# cmp $RESULT,0 je quit mov pf,$RESULT find ldrb,#405B5FC9C3558BEC81EC5001000053565733F68D511C8B028BF8C1CF0881E700FF00FF# mov pendoep,$RESULT+4 fill patch,24,90 mov [patch+24],#EB# bp padr bp pf bp pend erun mov [eip],#cc# mov mh,[esp+8] bp mh erun bc eip add eip,0D erun jmp wrimp proci: bp pend erun cmp eip,pend je end cmp eip,padr je mem_adr cmp eip,pf je wrimp mem_adr: mov addr,eax-1 mov [addr],#FF15# mov [addr+2],fn jmp proci wrimp: mov fn,eax find iatw,fn cmp $RESULT,0 je end mov fn,$RESULT jmp proci end: //pause bp pendoep cmt pendoep,"if Show Nag push try:)" l: erun cmp oep,[esp+4] jne l mov oep,[oep] add oep,imb mov eip,oep sub oep,imb mov counter,imb add counter,3C mov counter,[counter] add counter,imb add counter,28 mov [counter],oep add counter,58 mov [counter],i_st dpe nm, eip msg "File Unpacked" ret quit: ret