var va
var peps 
var ptype
var code
var sizec
GMI eip, CODEBASE
mov code,$RESULT
GMI eip, CODESIZE
mov sizec,$RESULT
gpa  "VirtualAlloc","kernel32.dll"
mov va, $RESULT
bp va
erun
rtr
mov peps,eax
erun
bc va
find peps,#8B45FC3B05??????007539#//#5356575583C4F48BF28BE88D542404B9040000008BC6# 
cmp $RESULT,0
je quit 
mov ptype,$RESULT+9
mov [ptype],#EB#
bp ptype
erun
bc eip
find ptype,#5DC208#
cmp $RESULT,0
je quit
bp $RESULT+1
erun 
bc eip
BPRM code,sizec
erun
BPMC
msg "OEP Faund Emulate Api Fix"
ret
/*
2E0881FE    892C24          MOV DWORD PTR SS:[ESP],EBP <---OEP Stolen
2E088201    8BEC            MOV EBP,ESP
2E088203    6A FF           PUSH -1
2E088205    68 600E4500     PUSH 450E60
2E08820A    57              PUSH EDI
2E08820B    C70424 C8924200 MOV DWORD PTR SS:[ESP],4292C8
2E088212    64:A1 00000000  MOV EAX,DWORD PTR FS:[0]
2E088218    81EC 04000000   SUB ESP,4
2E08821E    890424          MOV DWORD PTR SS:[ESP],EAX
2E088221    64:8925 0000000>MOV DWORD PTR FS:[0],ESP
2E088228    83C4 A8         ADD ESP,-58
2E08822B    53              PUSH EBX
2E08822C    56              PUSH ESI
2E08822D    81EC 04000000   SUB ESP,4
2E088233    893C24          MOV DWORD PTR SS:[ESP],EDI
2E088236    8965 E8         MOV DWORD PTR SS:[EBP-18],ESP
2E088239    FF15 DC0A4600   CALL DWORD PTR DS:[460ADC] <---Stop
2E08823F    33D2            XOR EDX,EDX
2E088241    8AD4            MOV DL,AH
..................
2E088285    898C24 04000000 MOV DWORD PTR SS:[ESP+4],ECX             ; UnPackMe.0042720E <--in code
2E08828C    59              POP ECX
2E08828D    C3              RETN
*/

quit:
ret










    