/////////////////////////////////////////////////////////////
// FileName    :  Thinstall V2.5X.oSc
// Comment     :  Thinstall.V2.5X.Single.Main.eXe.UnPacK
// Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author      :  fly
// WebSite     :  http://www.unpack.cn
// Date        :  2006-05-29 12:40
/////////////////////////////////////////////////////////////
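#log
dbh

// Script state. Every address below is discovered at run time: the Thinstall
// loader is copied into a VirtualAlloc'd region (Map) whose base changes from
// run to run, so the patterns are searched rather than hard-coded.
//   Temp                 - scratch
//   ImageBase            - GetModuleHandleA(NULL) of the debuggee
//   PE_Signature         - ImageBase + [ImageBase+3C]  (the "PE\0\0" header)
//   SizeOfImage          - [PE_Signature+50]
//   NumberOfSections     - [PE_Signature+6], captured before the loader runs
//   VirtualAlloc         - address of the `ret 10` inside kernel32!VirtualAlloc
//   SetEnvironmentVariableA, GetNumberOfSections, MagicOccasion, FindOEP
//                        - breakpoint addresses for the four stop points below
//   Map                  - base of the block returned by the packer's VirtualAlloc
var Map
var Temp
var VirtualAlloc
var SetEnvironmentVariableA
var MagicOccasion
var FindOEP
var ImageBase
var PE_Signature
var SizeOfImage
var NumberOfSections
var GetNumberOfSections

// MSGYN leaves the user's answer in $RESULT (0 = No); bail out to TryAgain on No.
MSGYN "Plz Clear All BreakPoints + Set Debugging Option Ignore All Excepions Options + Set Events Make first pause at Entry Point !"
cmp $RESULT, 0
je TryAgain

//ImageBase______________________________________

// `exec ... ende` runs the enclosed instructions inside the debuggee, which
// clobbers eax; it is saved in Temp and restored afterwards.
mov Temp,eax
exec
		push 0
		call GetModuleHandleA
ende
mov ImageBase,eax
mov eax,Temp
// PE_Signature = ImageBase + e_lfanew (DOS header offset 3C).
mov Temp,ImageBase
add Temp,3C
mov Temp,[Temp]
add Temp,ImageBase
mov PE_Signature,Temp
log PE_Signature

// SizeOfImage sits at optional-header offset 38, i.e. 50 from the PE signature.
mov Temp,PE_Signature
add Temp,50
mov SizeOfImage,[Temp]
log SizeOfImage


//VirtualAlloc______________________________________

/*
004017C4     6A 40              push 40
004017C6     68 00101000        push 101000
004017CB     8B45 0C            mov eax,dword ptr ss:[ebp+C]
004017CE     6BC0 0C            imul eax,eax,0C
004017D1     FFB405 90FDFFFF    push dword ptr ss:[ebp+eax-270]
004017D8     6A 00              push 0
004017DA     FF15 F8534000      call dword ptr ds:[4053F8] ; kernel32.VirtualAlloc
004017E0     A3 845A4000        mov dword ptr ds:[405A84],eax
*/

// Find the `pop ebp` (5D) / `ret 10` (C2 10 00) epilogue inside VirtualAlloc and
// break one byte past the match, on the `ret 10`: at that point eax already holds
// the returned block and [esp] is the return address into the caller.
gpa "VirtualAlloc", "KERNEL32.dll"
find $RESULT,#5DC21000#
cmp $RESULT,0
je NoFind
add $RESULT,1
mov VirtualAlloc,$RESULT
bp VirtualAlloc

// Run until a break; the break handler (eob) lands on the VirtualAlloc label.
eob VirtualAlloc
esto
GoOn0:
esto

VirtualAlloc:
// Ignore stops that are not our breakpoint.
cmp eip,VirtualAlloc
jne GoOn0
// [esp] = return address. 12 bytes before it lie `6B C0 0C` (imul eax,eax,0C)
// followed by the first byte of the next push (FF), read as the dword FF0CC06B.
// That identifies the call site shown in the listing above; any other
// VirtualAlloc caller is resumed.
mov Temp,esp
mov Temp,[Temp]
sub Temp,12
cmp [Temp],FF0CC06B
jne GoOn0
bc VirtualAlloc
// eax = base of the allocation the loader code is copied into.
mov Map,eax
log Map


//SetEnvironmentVariableA______________________________________

/*
0012FB38    7FF42553  /CALL to SetEnvironmentVariableA from 7FF4254D
0012FB3C    7FF866C4  |VarName = "TS_EXECUTE_EXTERNAL"
0012FB40    00000000  \Value = NULL
*/

gpa "SetEnvironmentVariableA", "KERNEL32.dll"
mov SetEnvironmentVariableA,$RESULT
bp SetEnvironmentVariableA

eob SetEnvironmentVariableA
esto
GoOn1:
esto

SetEnvironmentVariableA:
cmp eip,SetEnvironmentVariableA
jne GoOn1
// [esp+4] = VarName. Its first four bytes "TS_E" (54 53 5F 45) read as the
// little-endian dword 455F5354; any other variable name is resumed.
mov Temp,esp
add Temp,4
mov Temp,[Temp]
cmp [Temp],455F5354
// Fix: the original jumped to the undefined label GoOn01 here, so a stop on a
// different variable name would have aborted the script instead of resuming.
jne GoOn1
bc SetEnvironmentVariableA


//CreateProcessA______________________________________

/*
7FF75E35     833D E85FF97F 00   cmp dword ptr ds:[7FF95FE8],0
7FF75E3C     75 1C              jnz short 7FF75E5A
7FF75E3E     68 F86BF87F        push 7FF86BF8                    ; ASCII "IsDebuggerPresent"
7FF75E43     68 EC6BF87F        push 7FF86BEC                    ; ASCII "kernel32"
7FF75E48     FF15 D862F87F      call dword ptr ds:[7FF862D8]     ; kernel32.GetModuleHandleA
7FF75E4E     50                 push eax
7FF75E4F     FF15 C862F87F      call dword ptr ds:[7FF862C8]     ; kernel32.GetProcAddress
7FF75E55     A3 E85FF97F        mov dword ptr ds:[7FF95FE8],eax
7FF75E5A     C705 F05FF97F 9400>mov dword ptr ds:[7FF95FF0],94
7FF75E64     68 F05FF97F        push 7FF95FF0
7FF75E69     FF15 9C60F87F      call dword ptr ds:[7FF8609C]     ; kernel32.GetVersionExA
7FF75E6F     A1 AC59F97F        mov eax,dword ptr ds:[7FF959AC]
7FF75E74     25 00000002        and eax,2000000
7FF75E79     85C0               test eax,eax
7FF75E7B     0F84 B3010000      je 7FF76034
7FF75E81     FF15 9860F87F      call dword ptr ds:[7FF86098]     ; kernel32.GetCurrentProcessId
*/

// The pattern starts at the `mov eax,[..]` (5 bytes) + `and eax,2000000` (5 bytes),
// so +0A is the `test eax,eax` (85C0). Overwriting it with `xor eax,eax` (33C0)
// makes the following `je` unconditional, so the block beginning at 7FF75E81 in
// the listing is never executed.
find Map,#A1????????250000000285C00F84B3010000FF15#
cmp $RESULT,0
je NoFind
add $RESULT,0A
mov [$RESULT],#33C0#


//FixSizeOfImage

/*
7FF41D41     25 00000001        and eax,1000000
7FF41D46     85C0               test eax,eax
7FF41D48     74 35              je short 7FF41D7F
7FF41D4A     64:A1 30000000     mov eax,dword ptr fs:[30]
7FF41D50     85C0               test eax,eax
7FF41D52     78 0F              js short 7FF41D63
7FF41D54     8B40 0C            mov eax,dword ptr ds:[eax+C]
7FF41D57     8B40 0C            mov eax,dword ptr ds:[eax+C]
7FF41D5A     8140 20 00200000   add dword ptr ds:[eax+20],2000
//Modify SizeOfImage
7FF41D61     EB 1C              jmp short 7FF41D7F
*/

// +05 from the match is `test eax,eax / je short +35` (85C0 7435). Rewriting the
// `je` as `jmp short` (85C0 EB35) always skips the `add dword ptr [eax+20],2000`
// that walks fs:[30] (PEB) to a loader entry and, per the author's note, inflates
// SizeOfImage - which would otherwise corrupt the dump.
find Map,#250000000185C0743564A130000000#
cmp $RESULT,0
je NoFind
add $RESULT,05
mov [$RESULT],#85C0EB35#


//NumberOfSections

/*
7FF614F3     F3:A5              rep movs dword ptr es:[edi],dword ptr ds:[esi]
7FF614F5     6A 38              push 38
7FF614F7     59                 pop ecx
7FF614F8     8DB5 BCFEFFFF      lea esi,dword ptr ss:[ebp-144]
7FF614FE     8B7D E8            mov edi,dword ptr ss:[ebp-18]
7FF61501     F3:A5              rep movs dword ptr es:[edi],dword ptr ds:[esi]
7FF61503     A1 A459F97F        mov eax,dword ptr ds:[7FF959A4]
7FF61508     25 00008000        and eax,800000
7FF6150D     85C0               test eax,eax
7FF6150F     0F84 8F000000      je 7FF615A4
*/

// +2 skips the leading `rep movs` (F3 A5); the breakpoint sits on `push 38`.
find Map,#F3A56A38598DB5????????8B7D??F3A5A1????????250000800085C00F848F000000#
cmp $RESULT,0
je NoFind
add $RESULT,2
mov GetNumberOfSections,$RESULT
bp GetNumberOfSections

eob GetNumberOfSections
esto
GoOn2:
esto

GetNumberOfSections:
cmp eip,GetNumberOfSections
jne GoOn2
bc GetNumberOfSections
// Capture NumberOfSections (PE signature + 6) as it stands at this point. It is
// written back in FixPE below - presumably the loader changes it afterwards;
// confirm against the loader if the dump's section table looks wrong.
mov Temp,PE_Signature
add Temp,6
mov NumberOfSections,[Temp]
log NumberOfSections


//MagicOccasion

/*
7FF61821     FF75 DC            push dword ptr ss:[ebp-24]
7FF61824     E8 FB2AFFFF        call 7FF54324
7FF61829     834D DC FF         or dword ptr ss:[ebp-24],FFFFFFFF
7FF6182D     8B45 0C            mov eax,dword ptr ss:[ebp+C]
7FF61830     8B00               mov eax,dword ptr ds:[eax]
7FF61832     83E0 02            and eax,2
7FF61835     85C0               test eax,eax
*/

// No patch here: the script only needs execution to reach this point before the
// header is fixed and the image is dumped.
find Map,#FF????E8????????83??????8B????8B0083E00285C0#
cmp $RESULT,0
je NoFind
mov MagicOccasion,$RESULT
bp MagicOccasion

eob MagicOccasion
esto
GoOn3:
esto

MagicOccasion:
cmp eip,MagicOccasion
jne GoOn3
bc MagicOccasion


//FixPE

// Restore NumberOfSections in the in-memory header.
mov Temp,PE_Signature
add Temp,6
mov [Temp],NumberOfSections

// +6 +0CA = PE signature + 0D0 = data directory entry 11 (Bound Import):
// zero both its VirtualAddress and Size so the dump does not reference
// bound-import data that only exists in the packed file.
add Temp,0CA
mov [Temp],#0000000000000000#
//Clear Bound Import Table Address And Size.


// NOTE(review): this MSG text contains embedded double quotes; confirm the
// script engine shows the whole sentence rather than truncating at the inner quote.
MSG "Plz Set  LordPE->Option->Task View ->Select  " Full Dump: force RAW mode "  Only  !    "
// Loop on the prompt until the user confirms the dump was taken.
Dump:
MSGYN  "  OK ,  plz dump it now !  Dump file will be fixed !  Don't click " Y " before dump . "
cmp $RESULT, 0
je Dump
esti


//FindOEP

/*
7FF4289C     FF95 48FCFFFF      call dword ptr ss:[ebp-3B8]
7FF428A2     6A 00              push 0
*/

// Break on the `call dword ptr [ebp-3B8]` that the author identifies as the
// transfer to the original entry point.
find Map,#FF95????FFFF6A00#
cmp $RESULT,0
je NoFind
mov FindOEP,$RESULT
bp FindOEP

eob FindOEP
esto
GoOn4:
esto

FindOEP:
cmp eip,FindOEP
jne GoOn4
bc FindOEP
// Step into the call: eip is now the OEP.
esti


//GameOver

log eip
cmt eip, "This is the OEP!  Found By: fly  "
MSG "Just : OEP !  Your dump file already fiXed .    Good Luck     "
ret

NoFind:
// A byte pattern was not found - most likely a different Thinstall build.
MSG "Error! Don't find.     "
ret

TryAgain:
// User declined the set-up prompt at the top of the script.
MSG " Plz  Try  Again   !   "
ret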