//by apuromafo
//need olly+OllyDump v3.00.110 by Gigapede+ollyscript optional:import rec+lord pe
//this script need start from entrypoint
//all checks and exceptions ticked
//don't set breakpoints..you may see too many exceptions..
//try a bp and remove it when it is ok..
//this script only finds the jump to OEP with your stolen byte (1 byte)
//but resources are encrypted..
//base of code and base of data are 0 and must be changed..
//after OEP you must dump with Olly..because it sees the IAT correctly..
//because the section is heavily encrypted-
//good luck
// temp: the ESP value snapshotted for the hardware read breakpoints (ESP trick)
var temp
// JmpAddress: address of the 75 24 C6 00 90 pattern (the JNE that gets patched)
var JmpAddress
// JmpOEP: address of the FF E0 (JMP EAX) found after it, which lands on the OEP
var JmpOEP
// moving: declared but not referenced anywhere in this script
var moving
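start:
// Entry: EIP must be the packed file's entry point (see header notes).
// Exit: EIP at the OEP after the JMP EAX, log/msg with the dump instructions.
// Error exits: bad1 (no RETN after EP), bad2 (stolen-OEP stub or JMP EAX not found).
//
// Stage 1: the entry stub ends in a RETN (C3); run to it and step over it.
// Author's sample of the stub:
//   0040009C  83EC 04           SUB ESP,4
//   0040009F  C70424 005C4700   MOV DWORD PTR SS:[ESP],UnPackMe.00475C00
//   004000A6  C3                RETN
findop eip,#c3#
cmp $RESULT,0
je bad1
bp $RESULT
run
bc $RESULT
sto
// Stage 2: hardware breakpoint on read of the current ESP slot, armed twice;
// each hit is stepped over before ESP is re-read and the bp re-armed.
// Author's register snapshot after the first sto: ESP 0012FFC4, EIP 00475C00.
mov temp,esp
bphws temp,"r"
run
bphwc temp
sto
// second round: same trick from the new ESP
// (the original also stored eax into temp here, immediately overwritten - dropped)
mov temp,esp
bphws temp,"r"
run
bphwc temp
sto
// Stage 3: locate the stolen-OEP stub. The pattern 75 24 C6 00 90 decodes as
// JNE +24 / MOV BYTE PTR [EAX],90; the FF E0 after it is the JMP EAX to the OEP.
good:
find eip,#7524C60090#
cmp $RESULT,0
je bad2
mov JmpAddress,$RESULT
find JmpAddress,#FFE0#
// without this check a missing JMP EAX would patch in "jmp 0" and run into it
cmp $RESULT,0
je bad2
mov JmpOEP,$RESULT
// replace the JNE with an unconditional jump to the JMP EAX, run to it,
// then single-step the JMP EAX so EIP lands on the OEP
eval "jmp {JmpOEP}"
asm JmpAddress,$RESULT
bphws JmpOEP,"x"
run
bphwc JmpOEP
sti
an eip
// dump instructions go to both the log (persistent) and message boxes
log "dump in oep with olly dump in method 1 (jmp api)..etc with rebuild import tilded from olly dumper example:d1.exe"
log "post can do if you want..lord pe-> rebuild PE and dump whit imagesize correct d1.exe->d2.exe"
log "and can dump other d3.exe and take the iat from dumped with method 1 d1.exe in import rec ->d1_.exe "
msg "dump in oep with olly dump in method 1 (jmp api)..etc with rebuild import tilded from olly dumper example:d1.exe"
msg "post can do if you want..lord pe-> rebuild PE and dump whit imagesize correct d1.exe->d2.exe"
msg "and can dump other d3.exe and take the iat from dumped with method 1 d1.exe in import rec ->d1_.exe "
msg "review the log again if you need see again this info"
ret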

// bad: generic "could not set a breakpoint" exit.
// No jump in this script targets it; kept for manual use.
bad:
msg "i cant bp??"
ret

// bad1: findop eip,#c3# found no RETN after the current EIP, which usually
// means the script was not started from the entry point.
bad1:
msg "i cant1 exeptions??"
ret

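// bad2: target of the "je bad2" checks in start - reached when the stolen-OEP
// stub (75 24 C6 00 90) or the JMP EAX (FF E0) after it cannot be found.
// This must be a label; a stray "je bad2" here leaves those jumps without a target.
bad2:
msg "are sure that this is the packer correct?"
msg "find the jump to stolen oep... and oep ->jmp eax more down.."
ret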