!EP Exe Pack (Software Compress) 1.2

mycsy

//////////////////////////////////////////////////////////
// !EP Exe Pack (Software Compress) 1.2
// Get Thunk Table Addresses, Keep Original Thunk Table,
// Calculate Thunk Table Size, Find OEP
// Written by Fungus
// Date: 2006-31-10
//////////////////////////////////////////////////////////

var addr1            // temp variable for thunk table origin
var addr2            // temp variable for think table end
var org                // variable for thunk table origin
var end               // variable for thunk table end
var size               // variable for thunk table size
var oep               // variable for OEP
var temp

eob getthunk
findop eip,#61#
bphws $RESULT,"x"
mov temp,$RESULT
run

getthunk:             // get thunk table origin, end, and size

eob dothunk
bphwc temp
findop eip,#0305#
bphws $RESULT,"x"
mov temp,$RESULT
run

dothunk:

eob findoep

bphwc temp
sto
mov addr1,eax      // get thunk table origin
mov org,eax
sto
sto
sto
sto
sto
sto
sto
sto
sto
mov addr2,ebx      // get thunk table end
mov end,ebx
sub addr2,addr1    // calculate size
mov size,addr2
find eip,#8907#
fill $RESULT,2,90 // keep original thunk table
find eip,#61#
bphws $RESULT,"x"
mov temp,$RESULT
run

findoep:                // find OEP

bphwc temp
sto
sto
sti
mov oep,eip
eval "OEP = {oep}"
msg $RESULT
eval "Start of Thunk Table = {org}"
msg $RESULT
eval "End of Thunk Table = {end}"
msg $RESULT
eval "Size of Thunk Table = {size}"
msg $RESULT
ret

/end

taody

耐人寻味，经典中的经典