/*
//////////////////////////////////////////////////
  eXePressor Unpacker 1.5.01
     !
Author :  
OS : XP SP2    + , 
Note :  
/////////////////////////////////////////////////
*/
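var oep
var mh
var cb
var csz
var mbase
var em
var iat
var E8
var iat_start
// Address at which the rebuilt import table is written, one dword per
// resolved API (see the listing below). Hard-coded for the analysed
// sample -- adjust before running against another binary.
mov iat_start,0047F740
/*
//////////////////////////////////////////////////
IAT contents observed in the analysed sample.

Entries observed at 00480000:
00480000  77DC7883  ADVAPI32.RegQueryValueExA
00480004  77DC761B  ADVAPI32.RegOpenKeyExA
00480008  77DEC123  ADVAPI32.RegDeleteKeyA
0048000C  77DCEBE7  ADVAPI32.RegSetValueExA

Entries observed from 0047F740 (iat_start) onward:
0047F740  7C810C8F  kernel32.GetFileSize
0047F744  7C80180E  kernel32.ReadFile
0047F748  7C810DA6  kernel32.SetFilePointer
0047F74C  7C80180E  kernel32.ReadFile
0047F750  77D3E2AE  USER32.SendMessageA
0047F754  7C809B77  kernel32.CloseHandle
0047F758  7C80180E  kernel32.ReadFile
0047F75C  77D3A2DE  USER32.wsprintfA
0047F760  77D3A2DE  USER32.wsprintfA
0047F764  7C80B357  kernel32.GetModuleFileNameA
/////////////////////////////////////////////////
*/
// iat is the write cursor into the rebuilt table; start it at iat_start so the
// address is defined in exactly one place (it is also echoed in the final message).
mov iat,iat_start
// Code section geometry of the packed module, used for the final BPRM
// that catches the jump to the original entry point.
GMI eip,CODEBASE
mov cb,$RESULT
GMI eip,CODESIZE
mov csz,$RESULT
GMI eip,ENTRY
mov oep,$RESULT
BC oep                           // drop any breakpoint left on the packed entry point

// Locate kernel32!GetProcAddress and break on its return instruction.
// 5F 5B C9 C2 = pop edi / pop ebx / leave / retn imm16; +3 is the retn.
gpa "GetProcAddress","kernel32.dll"
find $RESULT,#5F5BC9C2#
bp $RESULT+3
erun                             // stops the first time GetProcAddress returns
bc eip
rtu                              // back into the packer's own code
// 59 59 85 C0 = pop ecx / pop ecx / test eax,eax in the packer's import loader.
find eip,#595985C0#
cmp $RESULT,0
je quit                          // pattern missing: not the expected packer version
// NOP out the two bytes that follow test eax,eax -- presumably a conditional
// short jump taken on a failed lookup (the original note here was lost; confirm
// against the sample before relying on it).
mov [$RESULT+4],#9090#
run
// Plant an int3 at the stop location. Purpose not recorded in the original
// script; presumably pins this spot so the packer's next pass breaks here -- TODO confirm.
mov [eip],#cc#
mov mh,[esp+8]                   // third dword on the stack at this stop (original note lost)
bp mh
run
bc eip
add mh,10
bp mh
run
bc eip
add eip,7
rtr                              // run until the current routine returns
sti
// 58 6A 01 58 5E 5B 5F C9 C3 = pop eax / push 1 / pop eax / pop esi / pop ebx /
// pop edi / leave / retn. $RESULT+8 is the retn opcode.
find eip,#586A01585E5B5FC9C3#
/*
//////////////////////////////////////////////////
Packer code the byte patterns below are matched against (addresses as
observed in one run; only the bytes are relied upon):
00B43EF1     8945 D8                  mov dword ptr ss:[ebp-28],eax
00B43EF4     837D D8 00               cmp dword ptr ss:[ebp-28],0
00B43EF8     75 07                    jnz short 00B43F01

00B440EC     C600 E8                  mov byte ptr ds:[eax],0E8
00B440EF     8B45 E4                  mov eax,dword ptr ss:[ebp-1C]
00B440F2     40                       inc eax

00B44118     8908                     mov dword ptr ds:[eax],ecx
00B4411A     EB 01                    jmp short 00B4411D
The packer emits  call 01xxxxxx  (E8 rel32); the loop below rewrites each one as
call dword ptr ds:[0047FXXX]   (FF 15 imm32) pointing into the rebuilt IAT.
/////////////////////////////////////////////////
*/
cmp $RESULT,0
je quit                          // pattern missing: not the expected packer version
mov oep,$RESULT+8                // break on that retn (leaving the import-fixup routine)
bp oep
GMEMI eip, MEMORYBASE
mov mbase,$RESULT                // base of the memory region holding the packer code
// em: "mov [ebp-28],eax / cmp [ebp-28],0 / jnz +7 / xor eax,eax" -- eax holds the
// freshly resolved API address when this breakpoint hits.
find mbase,#8945D8837DD800750733C0#
mov em,$RESULT
bp em
// E8: "mov byte [eax],0E8 / mov eax,[ebp-1C]" -- the packer is about to emit a call opcode.
find em,#C600E88B45E4#
mov E8,$RESULT
bp E8
// E8+2C is the "mov [eax],ecx" store of the call operand (00B44118 in the listing above).
// mbase is reused for this breakpoint address from here on.
mov mbase,E8+2C
bp mbase
loop:
erun
cmp eip,em
jne oepfind                      // any stop other than em means the import pass is over
mov [iat],eax                    // record the resolved API address in the rebuilt IAT slot
erun                             // -> E8: packer about to write the E8 opcode
sti                              // let it write E8, then ...
mov [eax],#FF15#                 // ... replace with call dword ptr [imm32]
erun                             // -> mbase: packer about to store the rel32 operand
inc eax                          // FF15's operand starts at +2, E8's at +1
add eip,2                        // skip the packer's 2-byte "mov [eax],ecx"
mov [eax],iat                    // operand = address of the IAT slot filled above
add iat,4
jmp loop

oepfind:
bc eip
sti
BPRM cb, csz                     // memory breakpoint over the code section: first access = OEP
run
BPMC
bc E8
bc em
bc mbase
CMT eip,"OEP"
eval "eXePressor Unpacked! Iat fixed, emul api remove!IAT Start: {iat_start}"
msg $RESULT
ret

// Reached when one of the byte patterns above is not found; the original script
// jumped here without defining the label, which aborts the script with an error.
quit:
msg "eXePressor Unpacker: expected byte pattern not found, aborting"
ret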




