/*
Script written by CCDebuger
Script            : PECompact 2.x Unpacker
Version           : v0.2
Date              : 15-03-2009
Debug environment : OllyDbg 1.1, ODBGScript 1.65, WINXP, WIN2000
Debug options     : Set OllyDbg to ignore all exceptions
Tools             : OllyDbg, ODBGScript 1.65
Thanks            : Oleh Yuschuk - author of OllyDbg
                    SHaG - author of OllyScript
                    hnhuqiong - author of ODbgScript
                    Epsylon3 - author of ODbgScript
*/
var tmp1
var tmp2
var tmp3
var OrgCode
var jumpflag
var ProcName
var ResetImageBase
var VirtualAlloc
var section
var SecName
var SecBase
var SecNum
var IATRVA
var IATSize
var RelocRVA
var RelocSize
var AllocVA
var AllocVATemp
var AllocVAReal
var VirtualFree
var imgbase
var signVA
var modsize
var dllreloc
var oep
var oeprva
var apiloc
var unpackname
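/*
Find the instruction sequence:
  JMP SHORT 00AB0BC9
  POP ESI
  POP EDI
  POP EBX
  LEAVE
  RETN 4
This sequence is the return part of the function that processes the relocation table.
*/
find eip, #EB??5E5F5BC9C2????#
// Skip the 2-byte JMP SHORT so the breakpoint lands on POP ESI
add $RESULT, 2
bp $RESULT
cmp jumpflag, 0
je MustJump
cmp tmp2, 0
jne RunToRelocRet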
MustJump:
// Patch one byte at dllreloc+2 to 0xEB (JMP SHORT) so the branch is always taken
mov [dllreloc + 2], 0EB, 1
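RunToRelocRet:
mov ResetImageBase, tmp2
// Run (passing exceptions to the program) until the breakpoint is hit, then clear it
esto
bc
// Re-assemble the saved original instruction text at tmp1
eval "{OrgCode}"
asm tmp1, $RESULT
// Restore the patched byte at dllreloc+2 to 0x74 (JE)
mov [dllreloc + 2], 074, 1
// Run to the function's return, then step over it
rtr
sto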