/*
=====================================================================
 PESpin v0.3 unpacking script for SHaG's OllyScript plugin
=====================================================================
 Script works only on Windows XP systems. Script will prevent IAT
 redirecting and it will stop at the place where the stolen OEP bytes
 are. You can dump the file from that place and use ImpREC if needed.
 If you know how, you can search for the stolen bytes and restore
 them. Script is tested on VB, VC++, Delphi, BC++ and ASM programs.
 Before use, ignore ALL exceptions!

 haggar
=====================================================================
*/

var x
var A
var B
var C

msg "Script runs on Win XP only. Ignore ALL exceptions!"

// Break on GetTickCount
gpa "GetTickCount", "kernel32.dll"
cmp $RESULT, 0
je er1
bp $RESULT
esto
esto
bc eip
rtu

// Fix IAT redirection: NOP everything between the PUSHAD and the POPAD.
mov $RESULT, eip
sub $RESULT, 401
findop $RESULT, #60#
cmp $RESULT, 0
je er2
mov A, $RESULT
add A, 1
findop $RESULT, #61#
cmp $RESULT, 0
je er2
mov B, $RESULT
sub B, 1
nop:
fill A, 1, 90
cmp A, B
inc A
jne nop
cont1:

// Find the instruction after redirecting IAT - first type (STC / JB +5 ...).
find eip, #F97205E8??00EB01#
cmp $RESULT, 0
je SecondOption
add $RESULT, 1
bp $RESULT
esto
bc eip
jmp continue

// Second type (CLC / JB +5 ...) - also kill the thread.
SecondOption:
find eip, #F87205E8??00EB01#
cmp $RESULT, 0
je er2
mov x, $RESULT
bphws x, "x"
esto
bphwc x
add $RESULT, 2
fill $RESULT, 5, 90

continue:
find eip, #61#
cmp $RESULT, 0
je er2
bp $RESULT
esto
bc eip
sto
msg "Here starts stolen OEP code. If there is no stolen OEP, after this POPAD opcode is a jump to the real OEP. In any case you can dump the file now."
ret

er1:
msg "ERROR! Couldn't find GetTickCount in kernel32.dll. Exiting."
ret

er2:
msg "ERROR! Couldn't find needed opcode."
ret
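The two search-and-patch steps the script performs inside OllyDbg (the wildcard byte search behind find, and the NOP fill between PUSHAD and POPAD) can be reproduced statically on a dump. The Python below is an added example, not part of haggar's script or the OllyScript plugin; the sample buffer is constructed here to exercise the logic and is not real PESpin code. Note that the debugger's findop disassembles to an instruction boundary, while this plain byte scan does not, so on a real dump it can hit a 0x60/0x61 inside an immediate or displacement.

```python
"""Static counterpart of the OllyScript find / fill steps (added example)."""

from typing import List, Optional, Tuple

NOP = 0x90


def parse_pattern(pattern: str) -> List[Optional[int]]:
    """Turn an OllyScript-style hex pattern such as '#F97205E8??00EB01#' into
    a list of byte values; each '??' becomes None and matches any byte."""
    pattern = pattern.strip("#").replace(" ", "")
    if len(pattern) % 2:
        raise ValueError("hex pattern must have an even number of digits")
    out: List[Optional[int]] = []
    for i in range(0, len(pattern), 2):
        pair = pattern[i:i + 2]
        out.append(None if pair == "??" else int(pair, 16))
    return out


def find(buf: bytes, pattern: str, start: int = 0) -> int:
    """Offset of the first match at or after `start`, or -1 (the script's
    `cmp $RESULT, 0` miss case)."""
    pat = parse_pattern(pattern)
    n = len(pat)
    for off in range(start, len(buf) - n + 1):
        if all(p is None or buf[off + k] == p for k, p in enumerate(pat)):
            return off
    return -1


def nop_between_pushad_popad(buf: bytearray, start: int) -> int:
    """The 'Fix IAT redirection' block: locate PUSHAD (60), then the next
    POPAD (61), and overwrite everything strictly between them with NOPs.
    Returns the number of bytes patched; raises where the script jumps to er2."""
    a = find(buf, "60", start)
    if a < 0:
        raise LookupError("PUSHAD not found")
    b = find(buf, "61", a + 1)
    if b < 0:
        raise LookupError("POPAD not found")
    for i in range(a + 1, b):
        buf[i] = NOP
    return b - a - 1


def classify_redirect(buf: bytes, start: int = 0) -> Optional[Tuple[str, int]]:
    """The two `find` calls after the fill: the first-type signature starts
    with STC (F9), the second-type with CLC (F8). Returns (kind, offset)."""
    for kind, sig in (("first", "F97205E8??00EB01"),
                      ("second", "F87205E8??00EB01")):
        off = find(buf, sig, start)
        if off >= 0:
            return kind, off
    return None


# Constructed sample (hypothetical, not PESpin code): filler, a PUSHAD/POPAD
# block with five bytes inside it, then a second-type signature and a RET.
SAMPLE = bytearray(bytes.fromhex(
    "5550"               # push ebp ; push eax
    "60"                 # PUSHAD
    "8B45FC33C0"         # mov eax,[ebp-4] ; xor eax,eax   (to be NOPed)
    "61"                 # POPAD
    "F87205E81200EB01"   # CLC ; JB +5 ; E8 12 00 ; EB 01 (second type)
    "C3"                 # ret
))

if __name__ == "__main__":
    work = bytearray(SAMPLE)
    print("PUSHAD at offset", find(work, "60"))
    print("patched", nop_between_pushad_popad(work, 0), "bytes")
    print("redirect variant:", classify_redirect(work))
    print(work.hex())
```

Running it prints the PUSHAD offset, the count of bytes replaced with 0x90, and which of the two signatures was found; the patched buffer keeps its PUSHAD/POPAD pair intact exactly as the script's fill loop does.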