PESPIN 0.3 AND 0.4 VB UNPACK SCRIPT.txt

/* ////////////////////////////////////////////////// PESpin 0.3x - 0.4x -> cyberbob Unpack Script v0.1(only for vb) Author: loveboom Email : bmd2chen@ OS : WinXP sp1,Ollydbg 1.1,OllyScript v0.85 Date : 02:06 2004-07-05 Config: Ignore other exceptions except 'Invalid or privileged instruction' Note : If you have one or more question, email me please,thank you! ////////////////////////////////////////////////// */ code: msgyn "Setting:Ignore other exceptions except 'Invalid or privileged instruction',Continue?" cmp $RESULT,0 je lblret var addr var espval //esp value var iatstart //iat start address var cbase var csize gmi eip,CODEBASE mov cbase,$RESULT gmi eip,CODESIZE mov csize,$RESULT start: dbh run esto esto lbl1: gpa "LoadLibraryA","kernel32.dll" bp $RESULT esto lbl2: bc $RESULT rtu cmp eip,70000000 jb lbl3 sto rtu lbl3: findop eip,#830A00# cmp $RESULT,0 je lblabort go $RESULT mov iatstart,edx rtr sto lbl4: mov espval,esp //esp value add espval,4 //esp+4 bphws espval,"r" run lbl5: bphwc espval bprm cbase,csize run lbl6: bpmc lblfixoep: mov addr,eip add addr,6 log "OEP is:" log addr mov [addr],68 add addr,1 mov espval,esp add espval,4 mov [addr],[espval] add addr,4 mov [addr],#E8F0FFFFFF# add addr,5 log "IAT start address is:" log iatstart cmt addr,"Please Open log window,you will see iat start address." lblend: msg "Script by loveboom[DFCG][FCG],Thank you for using my script!" lblret: ret lblabort: msg "Error,Script aborted!,Maybetaget is not protect by PESpin 0.3x - 0.4x -> cyberbob" ret