FSG 1.x - 2.x OEP Finder
////////////////////////////////////////////////////FileName :FSG.osc
//Comment :OEP Find For FSG V1.0/V1.1/V1.31/V1.33/V2.0
//Environment :WinXP SP2,OllyDbg V1.10,OllyScript V0.92
//Author :fly
//WebSite :http://www.unpack.cn
//Date :2005-10-04 22:30
//////////////////////////////////////////////////
#log
var T0
var T1
var T2
MSGYN "Plz Clear All BreakPointsAndSet Debugging Options : Events->Make First Pause at->WinMain ! "
cmp $RESULT, 0
je TryAgain
//LoadLibraryA棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
gpa "LoadLibraryA", "KERNEL32.dll"
bp $RESULT
eob LoadLibraryA
esto
LoadLibraryA:
bc $RESULT
mov T2,
bp T2
eob Kaspersky
esto
Kaspersky:
bc T2
//FSG V1.X棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
FSG V1.X:
//FSG V1.0/V1.1/V1.31/V1.33/FPack
/*
005170DD EB 09 jmp short 005170E8
005170DF FE0F dec byte ptr ds:
005170E1 0F84 199FEEFF je 00401000
00401000=005170E1+6+0FFEE9F19
*/
find eip, #FE??0F84#
cmp $RESULT, 0
jne Take
jmp FSG V2.0
Take:
eob Break FSG V1.X
mov T0,$RESULT
add T0,4
mov T1,
log T1
add T1,4
add T1,T0
log T1
go T1
Break FSG V1.X:
bc $RESULT
jmp GetOEP
//FSG V2.0棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
FSG V2.0:
/*
0051E15A FF37 push dword ptr ds:
0051E15C AF scas dword ptr es:
0051E15D EB 09 jmp short 0051E168
0051E15F FE07 inc byte ptr ds:
0051E161 0F84 992EEEFF je 00401000
0051E167 57 push edi
0051E168 55 push ebp
*/
find eip, #FF630C#
cmp $RESULT, 0
je NoFind
bp $RESULT
eob Break FSG V2.0
run
Break FSG V2.0:
bc $RESULT
sti
//GameOver棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
GetOEP:
log eip
cmt eip, "This is the OEP! Found By: fly"
MSG "Just : OEP !Dump and Fix IAT.Good Luck "
ret
NoFind:
MSG "Error! Maybe It's not FSG V1.0/V1.1/V1.31/V1.33/V2.0 ! "
ret
TryAgain:
MSG " PlzTryAgain ! "
ret
页:
[1]