///////////////////////////////////////////////////////////////////////
// Comment     :  Thinstall.VS.V3.035-V3.080.Single.Main.eXe.UnPacK
// Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author      :  fly
// Date        :  2007-04-25 24:00
// WebSite     :  http://bbs.unpack.cn
// UnPacKcN    :  http://www.unpack.cn
///////////////////////////////////////////////////////////////////////
#log
dbh

var Temp
var Memory
var ImageBase
var BoundImportTable
var UnmapViewOfFile
var MapViewOfFile
var GetCommandLineA
var PassExpired
var MagicOccasion
var OEP


MSGYN "Plz Clear All BreakPoints  +  Set Debugging Option Ignore All Excepions Options  +  Set Events Make first pause at Entry Point !"
cmp $RESULT, 0
je TryAgain


//UnmapViewOfFile______________________________________

/*
00401CC8     FF15 48224000       call dword ptr ds:[402248] ; kernel32.UnmapViewOfFile
00401CCE     6A 00               push 0
00401CD0     6A 00               push 0
00401CD2     6A 00               push 0
00401CD4     6A 26               push 26
00401CD6     FFB5 ACFCFFFF       push dword ptr ss:[ebp-354]
00401CDC     FF15 18224000       call dword ptr ds:[402218] ; kernel32.MapViewOfFile
00401CE2     A3 00264000         mov dword ptr ds:[402600],eax
*/

gpa "UnmapViewOfFile", "KERNEL32.dll"
mov UnmapViewOfFile,$RESULT
bp UnmapViewOfFile

eob UnmapViewOfFile
esto
GoOn0:
esto

UnmapViewOfFile:
cmp eip,UnmapViewOfFile
jne GoOn0
bc UnmapViewOfFile


//MapViewOfFile______________________________________

gpa "MapViewOfFile", "KERNEL32.dll"
find $RESULT, #5DC21400#
cmp $RESULT, 0
je NoFind
add $RESULT,1
mov MapViewOfFile,$RESULT
bp MapViewOfFile

eob MapViewOfFile
esto
GoOn1:
esto

MapViewOfFile:
cmp eip,MapViewOfFile
jne GoOn1
cmp eax,0
je GoOn1
mov Memory,eax
log Memory
bc MapViewOfFile


//BoundImportTable______________________________________

eob ImageBase
mov Temp,eax
exec
                push 0
                call GetModuleHandleA
ende
ImageBase:
mov ImageBase,eax
mov eax,Temp
mov Temp,ImageBase
add Temp,3C
mov Temp,[Temp]
add Temp,ImageBase
add Temp,0D0
mov BoundImportTable,Temp


//GetCommandLineA______________________________________

/*
00D3378E     68 54C8E200         push 0E2C854               ; ASCII "-ThinstallVersion"
00D33793     FF15 B004E200       call dword ptr ds:[E204B0] ; kernel32.GetCommandLineA
00D33799     50                  push eax
00D3379A     E8 310D0000         call 00D344D0
00D3379F     83C4 08             add esp,8
00D337A2     85C0                test eax,eax
00D337A4     74 6B               je short 00D33811
00D337A6     8D8D E4FDFFFF       lea ecx,dword ptr ss:[ebp-21C]
00D337AC     E8 6F940400         call 00D7CC20
00D337B1     C745 FC 00000000    mov dword ptr ss:[ebp-4],0
00D337B8     68 48C8E200         push 0E2C848  
00D337BD     68 0CC5E200         push 0E2C50C               ; ASCII "3.080"
00D337C2     68 FCC7E200         push 0E2C7FC               ; UNICODE "Thinstall Runtime Version %s",LF,"Built %s"
*/

gpa "GetCommandLineA", "KERNEL32.dll"
mov GetCommandLineA,$RESULT
bp GetCommandLineA

eob GetCommandLineA
esto
GoOn2:
esto

GetCommandLineA:
cmp eip,GetCommandLineA
jne GoOn2
bc GetCommandLineA


//PassExpired______________________________________

/*
00A58F6F     FF15 4873AB00       call dword ptr ds:[AB7348] ; kernel32.SystemTimeToFileTime
00A58F75     8B4D 0C             mov ecx,dword ptr ss:[ebp+C]
00A58F78     51                  push ecx
00A58F79     E8 176A0400         call 00A9F995
00A58F7E     83C4 04             add esp,4
00A58F81     99                  cdq
00A58F82     68 C9000000         push 0C9
00A58F87     68 00C0692A         push 2A69C000
00A58F8C     52                  push edx
00A58F8D     50                  push eax
00A58F8E     E8 5D6C0400         call 00A9FBF0
00A58F93     8B4D F0             mov ecx,dword ptr ss:[ebp-10]
00A58F96     03C8                add ecx,eax
00A58F98     8B45 F4             mov eax,dword ptr ss:[ebp-C]
00A58F9B     13C2                adc eax,edx
00A58F9D     894D C4             mov dword ptr ss:[ebp-3C],ecx
00A58FA0     8945 C8             mov dword ptr ss:[ebp-38],eax
00A58FA3     8B4D FC             mov ecx,dword ptr ss:[ebp-4]
00A58FA6     3B4D C8             cmp ecx,dword ptr ss:[ebp-38]
00A58FA9     7F 13               jg short 00A58FBE
00A58FAB     7C 08               jl short 00A58FB5
00A58FAD     8B55 F8             mov edx,dword ptr ss:[ebp-8]
00A58FB0     3B55 C4             cmp edx,dword ptr ss:[ebp-3C]
00A58FB3     73 09               jnb short 00A58FBE
00A58FB5     C745 C0 01000000    mov dword ptr ss:[ebp-40],1
00A58FBC     EB 07               jmp short 00A58FC5
00A58FBE     C745 C0 00000000    mov dword ptr ss:[ebp-40],0
00A58FC5     8B45 C0             mov eax,dword ptr ss:[ebp-40]
00A58FC8     5F                  pop edi
00A58FC9     8BE5                mov esp,ebp
00A58FCB     5D                  pop ebp
00A58FCC     C3                  retn
*/

find Memory,#3B4DC87F137C088B55F83B55C47309C745C001000000EB07C745C0000000008B45C0#
cmp $RESULT,0
je FindOccasion

add $RESULT,1B
mov PassExpired,$RESULT
log PassExpired
mov [PassExpired],1


//MagicOccasion______________________________________

/*
00C074B4     6A 01              push 1
00C074B6     E8 A5CDFFFF        call 00C04260
00C074BB     83C4 04            add esp,4
00C074BE     5F                 pop edi
00C074BF     5E                 pop esi
00C074C0     8BE5               mov esp,ebp
00C074C2     5D                 pop ebp
00C074C3     C3                 retn
*/

FindOccasion:
find Memory,#6A01E8????????83C4045F5E8BE55DC3#
cmp $RESULT,0
je NoFind

add $RESULT,0F
mov MagicOccasion,$RESULT
bp MagicOccasion
log MagicOccasion

eob MagicOccasion
esto
GoOn3:
esto

MagicOccasion:
cmp eip,MagicOccasion
jne GoOn3
bc MagicOccasion


//Dump______________________________________

mov [BoundImportTable],#00000000000000000000000000000000#
//Clear Bound Import Table and Import Address Table's Address And Size.
log BoundImportTable

MSG "Please Set  LordPE ->Option ->Task View ->Select  " Full Dump: force RAW mode "  Only  !    "
Dump:
MSGYN  "  OK ,  Please dump it now !  Dump file will be fixed !  Don't click " Y " before dump . "
cmp $RESULT, 0
je Dump


//FindOEP______________________________________

/*
00AA18EC     51                  push ecx
00AA18ED     68 50C3B900         push 0B9C350 ; ASCII "APISPY: Calling EXE Entry Point %x",LF
00AA18F2     E8 C9350200         call 00AC4EC0
00AA18F7     83C4 08             add esp,8
00AA18FA     6A 00               push 0
00AA18FC     FF15 CC04B900       call dword ptr ds:[B904CC] ; kernel32.GetModuleHandleA
00AA1902     8985 3CFDFFFF       mov dword ptr ss:[ebp-2C4],eax
00AA1908     8B95 3CFDFFFF       mov edx,dword ptr ss:[ebp-2C4]
00AA190E     8B42 3C             mov eax,dword ptr ds:[edx+3C]
00AA1911     8B8D 3CFDFFFF       mov ecx,dword ptr ss:[ebp-2C4]
00AA1917     8D5401 04           lea edx,dword ptr ds:[ecx+eax+4]
00AA191B     8995 48FDFFFF       mov dword ptr ss:[ebp-2B8],edx
00AA1921     8B85 48FDFFFF       mov eax,dword ptr ss:[ebp-2B8]
00AA1927     83C0 14             add eax,14
00AA192A     8985 40FDFFFF       mov dword ptr ss:[ebp-2C0],eax
00AA1930     E8 EBF9FFFF         call 00AA1320
00AA1935     8985 38FDFFFF       mov dword ptr ss:[ebp-2C8],eax
00AA193B     8D05 5119AA00       lea eax,dword ptr ds:[AA1951]
00AA1941     8B9D 38FDFFFF       mov ebx,dword ptr ss:[ebp-2C8]
00AA1947     8B8D 44FDFFFF       mov ecx,dword ptr ss:[ebp-2BC]
00AA194D     50                  push eax
00AA194E     53                  push ebx
00AA194F     FFE1                jmp ecx
*/

find Memory,#8D??????????8B??????????8B??????????5053FFE16A00#
cmp $RESULT,0
je NoFind

FindOEP:
add $RESULT,14
mov OEP,$RESULT
bp OEP

eob OEP
esto
GoOn4:
esto

OEP:
cmp eip,OEP
jne GoOn4
bc OEP
esti


//GameOver______________________________________ 

log eip
cmt eip, "This is the OEP!  Found By: fly 『 UnPacKcN 』   " 
MSG "Just : OEP !  Your dump file already fiXed .    ☆  UnPacKcN  ☆  『 www.unpack.cn 』     Good Luck !       "
ret                       

NoFind:
MSG "Error! Don't find.     "
ret

TryAgain:
MSG " Plz  Try  Again   !   "
ret