/*Autor: sEby
Date: 09.01.2006
Team: TEAM RESURRECTiON
Web: http://www.appznet.org
Mail: unpackme@gmail.com
Environment :  WinXP SP2,OllyDbg V1.10,ODbgScript V1.48
Ignore all exceptions
Erase all breakpoints
*/

var tmp
var temp
var temp1
var temp2
var temp3

find eip, #528D85F8FEFFFF508D8DE8FEFFFF51FF15????????83BDF8FEFFFF00740d#
cmp $RESULT,0
je error
mov temp, $RESULT
log temp
bphws temp, "x"
run
bphwc temp
sti
sti
sti
sti
sti
sti
find eip, #E8????????B201A1????????E8????????8945F88B45F8#
cmp $RESULT,0
je error
mov tmp, $RESULT
bphws tmp, "x"
run
bphwc tmp
sti

//first API redirect
find eip, #3B35????????74133B35????????740B5356E8????????8BD8#
cmp $RESULT,0
je error
mov temp1, $RESULT
log temp1
find temp1,#7413#
cmp $RESULT,0
je error
fill $RESULT,2,90
find temp1,#740B#
cmp $RESULT,0
je error
fill $RESULT,2,90
bphws temp1, "x"
run
bphwc temp1
sti
sti
sti
sti
sti
sti
sti
sti
sti
sti

//second api redirect
log eip
find eip, #6685C0751D8B4424083905????????75076681FE540174275650#
cmp $RESULT,0
je error
mov temp2, $RESULT
log temp2
find temp2,#751D#
cmp $RESULT,0
je error
fill $RESULT,2,90
find temp2,#7507#
cmp $RESULT,0
je error
fill $RESULT,2,90
find temp2,#7427#
cmp $RESULT,0
je error
fill $RESULT,2,90
rtr
sti

//find jmp to oep
find eip, #FF65FC6A00E8????????E9????????A1#
cmp $RESULT,0
je error
mov temp3, $RESULT
bphws temp3, "x"
run
bphwc temp3
sti
msg "OEP found, IAT redirection pached, one invalid function remaining: GetProcAddress!"

cmt eip, "<-- OEP found by sEby! one invalid function remaining: GetProcAddress"
ret


error:
MSGYN  " Script error... Aborting! "
ret

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)