/*
This script finds the OEP for programs packed with PEShield v0.25 (I haven't tested it on other versions).

IMPORTANT!
You have to hide OllyDbg from IsDebuggerPresent manually BEFORE you run this script (there are plugins that do that).
You have to let OllyDbg handle all exceptions (Options - Debugging Options - Exceptions - uncheck all except KERNEL32).
When the script is finished, dump and rebuild the IAT for the unpacked program.

If you find any bugs in my script, please let me know. You can reach me on EFnet (IRC) with the nickname Harding.
Have fun!
*/

msg "Have you read the IMPORTANT part in peshield.osc? If not, do so BEFORE you run peshield.osc. -Harding"

// Variables
var codeSize
var codeBase
var codeBaseAddCodeSize
var tempEIP
var i

// Execute on breakpoint (and exception)
eob breakHandler
eoe breakHandler

// GMI gets information about the module to which the specified address belongs.
// info can be MODULEBASE, MODULESIZE, CODEBASE or CODESIZE (if you want other info in future versions, please tell me).
// Sets the reserved $RESULT variable (0 if data not found).
GMI eip, CODEBASE
mov codeBase, $RESULT

GMI eip, CODESIZE
mov codeSize, $RESULT

// Fix codeBaseAddCodeSize (end of the code section)
mov codeBaseAddCodeSize, codeBase
add codeBaseAddCodeSize, codeSize

// Shift F9
esto

first:
// Shift F9
esto

second:
// Set memory breakpoint on write. Size is the size of memory in bytes.
bpwm codeBase, codeSize
// Shift F9
esto

third:
// Shift F9
esto

fourth:
// Clear memory breakpoint.
bpmc
// Save current EIP
mov tempEIP, eip
// Set breakpoint on address addr with condition cond.
bpcnd eip, ECX=1
// Shift F9
esto

fifth:
// Clear unconditional breakpoint at addr (and conditional).
bc tempEIP
// Set memory breakpoint on read. Size is the size of memory in bytes.
bprm codeBase, codeSize

lastBreakHandler:
// Are we in the CODE section? If yes, then we're at the OEP; if not, then Shift F9
cmp eip, codeBaseAddCodeSize
jb finish
esto

breakHandler:
add i, 1
cmp i, 1
je first
cmp i, 2
je second
cmp i, 3
je third
cmp i, 4
je fourth
cmp i, 5
je fifth
jmp lastBreakHandler

finish:
// Clear memory breakpoint.
bpmc
// Exit script
ret

// Written by Harding
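The script's OEP test rests on two numbers OllyDbg hands back through GMI: codeBase and codeBase + codeSize. The following is an added example, not part of Harding's script, that reproduces the same range check offline from the PE header so you can sanity-check a candidate OEP (or a dumped file's entry point) outside the debugger. It assumes that OllyDbg's CODEBASE and CODESIZE correspond to ImageBase + BaseOfCode and SizeOfCode from the PE32 optional header; the sample image, the helper names (parse_pe, code_range, looks_like_oep, section_of) and the section name ".pshield" are constructed here for illustration and are not taken from a real PEShield-packed binary.

```python
import struct

# PE32 optional header fields read below, and one section header (little-endian).
_OPT_HDR_FMT = "<HBB" + "I" * 6 + "I" * 3 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
_SECTION_FMT = "<8sIIIIIIHHI"


def make_sample_pe():
    """Constructed sample: a minimal PE32 header with a .text code section and a
    '.pshield' section holding the entry point (the packer stub). Test data only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(
        _OPT_HDR_FMT,
        0x10B, 6, 0,                          # PE32 magic, linker version
        0x1000, 0x1000, 0,                    # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x5000,                               # AddressOfEntryPoint: inside .pshield, not .text
        0x1000, 0x2000,                       # BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,              # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,                     # OS / image / subsystem versions
        0, 0x6000, 0x200, 0,                  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                                 # Subsystem (GUI), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,   # stack / heap reserve and commit
        0, 16,                                # LoaderFlags, NumberOfRvaAndSizes
    ) + b"\0" * (16 * 8)                      # 16 empty data directories
    text = struct.pack(_SECTION_FMT, b".text", 0x1000, 0x1000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    stub = struct.pack(_SECTION_FMT, b".pshield", 0x1000, 0x5000, 0x1000, 0x400, 0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\0\0" + coff + opt + text + stub


def parse_pe(data):
    """Extract the header fields the script's GMI queries are assumed to map to
    (ImageBase, BaseOfCode, SizeOfCode) plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    fields = struct.unpack_from(_OPT_HDR_FMT, data, opt_off)
    if fields[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    info = {
        "size_of_code": fields[3],
        "entry_point_rva": fields[6],
        "base_of_code": fields[7],
        "image_base": fields[9],
        "sections": [],
    }
    sec_off = opt_off + opt_size
    for n in range(num_sections):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            _SECTION_FMT, data, sec_off + 40 * n)
        info["sections"].append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": info["image_base"] + va,
            "size": max(vsize, rawsize),
            "characteristics": chars,
        })
    return info


def code_range(info):
    """codeBase and codeBaseAddCodeSize, as the script computes them (assumption:
    CODEBASE = ImageBase + BaseOfCode, CODESIZE = SizeOfCode)."""
    code_base = info["image_base"] + info["base_of_code"]
    return code_base, code_base + info["size_of_code"]


def looks_like_oep(eip, code_base, code_end):
    """The script only tests 'eip < codeBaseAddCodeSize' (jb finish); its bprm on
    [codeBase, codeBase+codeSize) is what keeps hits below codeBase unlikely.
    Done by hand, check both bounds."""
    return code_base <= eip < code_end


def section_of(info, va):
    """Name of the section containing a virtual address, or None (e.g. header)."""
    for sec in info["sections"]:
        if sec["va"] <= va < sec["va"] + sec["size"]:
            return sec["name"]
    return None


if __name__ == "__main__":
    pe = parse_pe(make_sample_pe())
    lo, hi = code_range(pe)
    ep = pe["image_base"] + pe["entry_point_rva"]
    print(f"codeBase=0x{lo:X} codeBaseAddCodeSize=0x{hi:X}")
    print(f"header entry point 0x{ep:X} lies in {section_of(pe, ep)}; OEP? {looks_like_oep(ep, lo, hi)}")
```

Point parse_pe at a real dump instead of make_sample_pe() to compare the entry point you wrote into the header after dumping against the code-section bounds; an entry point that still lands in the packer's own section means the dump was taken before the script reached the OEP.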