Tuts 4 You

[unpackme] PESpin.v1.33




Thanks for help lcf-at

Script for unpack



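        var oep1
        var roep
        var VirtualProtect
        var stack1
        var eip1
        var eip2
        var eip3
        var dst1
        // Resolve VirtualProtect and set a breakpoint at VirtualProtect+19
        gpa "VirtualProtect", "kernel32.dll"
        mov VirtualProtect, $RESULT
        add VirtualProtect, 19
        bp VirtualProtect
        // Search memory for the byte pattern; jump to Failed if it is not found
        findmem #6834F98CF2810424000EB60D684AAD4500#
        CMP $RESULT, 0
        JE Failed
        // Breakpoint on the match and clear the VirtualProtect breakpoint
        MOV oep1, $RESULT
        bp oep1
        bc VirtualProtect
        ask "now read and insert your first stack value here (example:00430734)"
        MOV stack1, $RESULT
        MOV eip1, eip
        // gci eip, DESTINATION
        // MOV dst1, $RESULT
        // Fill 0A bytes at eip+6 with 90 (NOP)
        add eip, 06
        fill eip, 0A, 90
        MOV eip2, eip
        // Assemble "push <stack1>" followed by "call <eip1>" into the NOPed area
        eval "push {stack1}"
        asm eip, $RESULT
        add eip, 05
        eval "call {eip1}"
        asm eip, $RESULT
        // Point eip back at the start of the patched code, analyse and label it
        MOV eip, eip2
        an eip
        CMT eip, "<=== OEP , Dump it !!!!!!!!!"
        eval "OEP ==> {eip2}"
        MSG $RESULT
        ret
        // Reached only when findmem found no match
        Failed:
        msg "Error, Unknown"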

Edited by JJHACKER

@LCF-AT: your tutorial is great .. many thanks bro .... I hope I can learn much from you ..


@GIV: thanks so much .. so simple to unpack PESpin :)


@JJHACKER: Script works for me ... great script


Let's say that VB targets are in general easier to unpack than the rest of the compilers.


That's a fair statement; in other compilers the IAT is scattered..

