//////////////////////////////////////////////////////////////////////////////////////////

//

//  tElock 0.99 OEP Finder

//  Coded by: kNiGhT

//  Note: Ignore all exceptions

//  

//////////////////////////////////////////////////////////////////////////////////////////



var temp

var temp1

var ImgBase

var CodeEnd

var CodeStart

var CodeSize



gmi eip, MODULEBASE

mov ImgBase, $RESULT

mov temp, 3c

add temp, ImgBase

mov temp, [temp]

add temp, ImgBase

add temp, 100

mov CodeSize, [temp]

add temp, 4

mov CodeStart, [temp]

add CodeStart, ImgBase

mov CodeEnd, CodeStart

add CodeEnd, CodeSize



gpa "LoadLibraryA", "kernel32.dll"

add $RESULT, 2

bp $RESULT

run

bc $RESULT

rtu



String_Schleife:

sto

mov temp, [eip]

and temp, FFFF

cmp temp, 858D

jne String_Schleife

sto



mov temp, eax

DeleteString:

mov temp1, [temp]

and temp1, FF000000

cmp temp1, 0

je FindOEP

mov [temp], 0

inc temp

jmp DeleteString



FindOEP:

bprm CodeStart, CodeSize



OEP_Schleife:

run

cmp eip, CodeStart

jb OEP_Schleife



cmp eip, CodeEnd

ja OEP_Schleife



bpmc

cmt eip, "OEP found by kNiGhT"

msg "Dump and rebuild IAT!"

ret