
[unpackme] Expressor 1.6.0.1


Teddy Rogers


Old script, edited.

Tested on UnPackMe_eXPressor 1.6.0.1.f.exe.

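// ODbgScript (OllyDbg script) for the eXPressor 1.6.0.1 unpackme.
// The hard-coded addresses (iat_start, and the 40008C / 60000 header patch
// near the end) are specific to the tested sample and must be adjusted
// for any other target.
//
// Variables:
//   oep       - original entry point / OEP candidate
//   mh        - dword read from [esp+8] after the GetProcAddress patch;
//               used as a breakpoint address (name suggests a module
//               handle, but the script only ever breaks on it)
//   cb, csz   - code section base and size (CODEBASE / CODESIZE)
//   mbase     - memory block base; later reused as the E8+2C breakpoint
//   em        - address matched by the 89 45 D4 ... pattern
//   iat       - eax at the em breakpoint (the resolved import address)
//   E8        - address matched by the C6 00 E8 ... pattern
//   func      - IAT slot that holds iat, found by searching from iat_start
//   iat_start - start of the IAT search (sample-specific)
var oep
var mh
var cb
var csz
var mbase
var em
var iat
var E8
var func
var iat_start

mov iat_start,00460818

// Code section geometry and declared entry point of the loaded module.
GMI eip,CODEBASE
mov cb,$RESULT
GMI eip,CODESIZE
mov csz,$RESULT
GMI eip,ENTRY
mov oep,$RESULT
BC oep

// Locate the tail of GetProcAddress (5F 5B C9 C2 = pop edi / pop ebx /
// leave / retn imm16) and break three bytes in, i.e. on the retn.
// A failed find returns 0 here; without the check the breakpoint would
// land on address 3.
gpa "GetProcAddress","kernel32.dll"
find $RESULT,#5F5BC9C2#
cmp $RESULT,0
je quit
bp $RESULT+3
erun
erun
bc eip
rtu

// In the caller: 59 59 85 C0 = pop ecx / pop ecx / test eax,eax.
// The two bytes after it (presumably a short conditional jump) are NOPed.
find eip,#595985C0#
cmp $RESULT,0
je quit
mov [$RESULT+4],#9090#
run

// Plant an int3 at the current eip, then break on the dword found at
// [esp+8] and on that address + 10.
mov [eip],#cc#
mov mh,[esp+8]
bp mh
run
bc eip
add mh,10
bp mh
run
bc eip
add eip,7
rtr
sti

// 58 6A 01 58 5E 5B 5F C9 C3 = pop eax / push 1 / pop eax / pop esi /
// pop ebx / pop edi / leave / ret; $RESULT+8 is the ret, so the OEP
// breakpoint is placed on that ret.
find eip,#586A01585E5B5FC9C3#
cmp $RESULT,0
je quit
mov oep,$RESULT+8
bp oep

// Within the current memory block, find the import-resolution site:
// 89 45 D4 83 7D D4 00 75 07 33 C0 = mov [ebp-2C],eax / cmp [ebp-2C],0 /
// jne +7 / xor eax,eax.  Guarded so a miss does not set bp 0.
GMEMI eip, MEMORYBASE
mov mbase,$RESULT
find mbase,#8945D4837DD400750733C0#
cmp $RESULT,0
je quit
mov em,$RESULT
bp em

// Then the site where the packer writes a call opcode:
// C6 00 E8 = mov byte [eax],E8, followed by 8B 45 E? = mov eax,[ebp-xx].
// mbase is reused as a third breakpoint at E8+2C.
find em,#C600E88B45E?#
cmp $RESULT,0
je quit
mov E8,$RESULT
bp E8
mov mbase,E8+2C
bp mbase

// Per-import loop: at em, eax holds the resolved API address; look it up
// in the IAT, let the packer emit its E8 byte, then overwrite it with
// FF 15 (call dword ptr [imm32]) and store the IAT slot address so the
// dump keeps a conventional indirect call.
// NOTE(review): if `find iat_start,iat` misses, func is 0 and a zero
// dword is written; the script carries on rather than aborting.
loop:
erun
cmp eip,em
jne oepfind
mov iat,eax
find iat_start,iat
mov func,$RESULT
erun
sti
mov [eax],#FF15#
erun
inc eax
add eip,2
mov [eax],func
jmp loop

// Left the loop: eip is not at em (presumably the E8 or oep breakpoint).
// Break on any access to the code section to reach the real OEP.
oepfind:
bc eip
sti
BPRM cb, csz
run
BPMC
bc E8
bc em
bc mbase
CMT eip,"OEP"

// Sample-specific header patch before dumping: writes 60000 at 40008C
// (purpose not stated by the author).
mov iat_start,40008C
mov [iat_start],60000
dpe "dump.exe", eip
msg " File Unpacked"
ret

// Reached when a pattern search fails: stop without dumping.
quit:
ret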


I think their file sizes got slightly bigger, but their protection hasn't really been upgraded; I guess we will have to wait for 2.0 for a major change. Anyway, it's always a good intermediate challenge. Thanks for the unpackmes.
