Posted March 8, 2008
eXPressor 1.6.0.1
I haven't patched the silly nag - if it pops up on you - but you get the idea...
http://www.tuts4you.com/download.php?view.2179
Ted.
March 8, 2008
old script edited
tested on UnPackMe_eXPressor 1.6.0.1.f.exe

var oep
var mh
var cb
var csz
var mbase
var em
var iat
var E8
var func
var iat_start
mov iat_start,00460818
// code section base/size and entry point of the module at eip
GMI eip,CODEBASE
mov cb,$RESULT
GMI eip,CODESIZE
mov csz,$RESULT
GMI eip,ENTRY
mov oep,$RESULT
BC oep
// break on the retn at the end of GetProcAddress, then run back to user code
gpa "GetProcAddress","kernel32.dll"
find $RESULT,#5F5BC9C2#
bp $RESULT+3
erun
erun
bc eip
rtu
find eip,#595985C0#
cmp $RESULT,0
je quit
// overwrite the two bytes after the matched pattern with NOPs
mov [$RESULT+4],#9090#
run
mov [eip],#cc#
mov mh,[esp+8]
bp mh
run
bc eip
add mh,10
bp mh
run
bc eip
add eip,7
rtr
sti
find eip,#586A01585E5B5FC9C3#
cmp $RESULT,0
je quit
mov oep,$RESULT+8
bp oep
GMEMI eip, MEMORYBASE
mov mbase,$RESULT
find mbase,#8945D4837DD400750733C0#
mov em,$RESULT
bp em
find em,#C600E88B45E?#
mov E8,$RESULT
bp E8
mov mbase,E8+2C
bp mbase
loop:
erun
cmp eip,em
jne oepfind
// search from iat_start for the address held in eax
mov iat,eax
find iat_start,iat
mov func,$RESULT
erun
sti
mov [eax],#FF15#
erun
inc eax
add eip,2
mov [eax],func
jmp loop
oepfind:
bc eip
sti
// memory-read breakpoint over the code section, then run
BPRM cb, csz
run
BPMC
bc E8
bc em
bc mbase
CMT eip,"OEP"
mov iat_start,40008C
mov [iat_start],60000
// dump the process with the current eip as entry point
dpe "dump.exe", eip
msg " File Unpacked"
ret
quit:
ret
March 8, 2008
I think their file sizes got slightly bigger, but their protection hasn't really upgraded, guess we will have to wait for 2.0 for major change. Anyways, it's always a good intermediate challenge. Thanks for the unpackmes.
March 8, 2008 Author
> I think their file sizes got slightly bigger
I didn't pack resources this time...
Ted.