/*
=====================================================================
   PESpin v0.7 unpacker script for OllyScript plugin (by SHaG)
=====================================================================

    Script requires Windows XP.
    Script works good only with ASM and BC++ programs. Delphi
    and VC++ will not be properly fixed using OllyDump plugin.
    For those programs check my other scripts and read tutorial.
    Script will fix IAT redirection, code redirection and find
    stolen OEP code. Before use, ignore ALL exceptions!

    [ haggar ]
=====================================================================
*/


var x
var A
var B
var C

msg "Script runs on Win XP only. Ignore ALL exceptions!"

//Break on GetTickCount
gpa "GetTickCount","kernel32.dll"
findop $RESULT,#C3#
bp $RESULT
esto
bc eip
rtu


//Find killer timer - last thing in packer
mov A,eip
sub A,0B77
find A,#F?720D8D853B56271E2D8417E71DFFD0EB01#
add $RESULT,1
bp $RESULT

//Find IAT redirection jump
mov B,$RESULT
sub B,79
findop B,#FF6424FC#
bp $RESULT
esto
bc eip



finding:
sti
mov C,[eip]
and C,0FF
cmp C,60
jne finding
sti
findop eip,#61#
mov C,eip

noping:
fill C,1,90
inc C
cmp C,$RESULT
jne noping

esto
bc eip
mov A,eip
add A,2
fill A,0D,90


add A,0DD
fill A,1,90
inc A
bp A
esto
bc eip
sto
cmt eip,"Start of stolen OEP mixed with junk."


exit:
ret














