var oep

var nm

var counter

var iat_start

var imb

var iat_stall

var iat_end

var isz

var simb

var chtyp

var szth

var stcpy

var srhm

GMI eip,CODEBASE

mov srhm,$RESULT 



GMI eip,NAME

mov nm,$RESULT

eval "{nm}_U.exe"

mov nm,$RESULT

GMI eip,MODULEBASE

mov imb,$RESULT

mov simb,$RESULT

rev simb

mov simb,$RESULT

eval "#0000{simb}#"

mov simb,$RESULT



gpa "LoadLibraryA","kernel32.dll"

find $RESULT,#C20400#

bp $RESULT

erun

bc eip

rtu

mov iat_start,esi

mov iat_end,ebx

Alloc 10000

Cmp $RESULT,0 

Je abort 

mov iat_stall ,$RESULT

find iat_start,#00000000000000000000000000000000#

Cmp $RESULT,0 

Je abort 

mov isz,$RESULT+1

sub isz,iat_start

MEMCPY iat_stall,iat_start,isz



find eip,#DFBD??????00DFAD??????00#

cmp $RESULT,0

je abort

fill $RESULT,C,90

find eip,#DFBD??????00DFAD??????00#

cmp $RESULT,0

je abort

mov [$RESULT],#891F812F0200400090909090#



find eip,#68????????EB01??584050C3#

cmp $RESULT,0

je abort

fill $RESULT+C,3,90

mov oep,[$RESULT+1]

inc oep



bphws oep,"x"

erun

bphwc oep

cmt eip, "This is the OEP"

MEMCPY iat_start,iat_stall,isz

loop:

find iat_start,simb

cmp $RESULT,0

je quit

mov stofth,$RESULT

mov chtyp,$RESULT+4

cmp [chtyp],imb

je ctyp

cmp $RESULT,iat_end

jae quit

mov [$RESULT],0

jmp loop

quit:

find srhm,#E8??????FFFFFFFFFF#

cmp $RESULT,0

jne mrc

fnl:

mov eip,oep

sub oep,imb

sub iat_start,imb

mov counter,imb

add counter,3C

mov counter,[counter]

add counter,imb

add counter,28

mov [counter],oep

add counter,58

mov [counter],iat_start

dpe nm, eip



msg  "The file is completely unpacked!"

ret



abort:

ret 

ctyp:

add chtyp,4



l:

cmp [chtyp],imb

jne prct

add chtyp,4

jmp l

prct:

mov szth,chtyp

sub szth,stofth

mov stcpy,iat_start+10

mov stcpy,[stcpy]

add stcpy,imb

MEMCPY stofth,stcpy,szth

jmp quit



mrc:



mov srhm,$RESULT+5

mov eip,$RESULT

sti

bp eip+19

erun

bc eip

jmp quit