PECompact3.txt
///////////////////////////////////////////////////////////////////////////////////////
// //
// PECompact v3.02.2 OEP Finder //
// n2u [brc] //
// //
// Before running the script, make sure you: //
// - Are at the program's entrypoint //
// - Have Scylla plugin enabled with at least one option set (we need Scylla hook) //
// //
///////////////////////////////////////////////////////////////////////////////////////
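// Search from cip for the PECompact v3 stub signature: B8 imm32 (a 5-byte mov eax, imm32)
// followed by 50 64 FF. find leaves the match address in $result, or 0 if nothing matched.
find cip, "B8????????5064FF"
cmp $result, 0
je err_notfound
// Log only after the match is confirmed, so the log never reports a hit at address 0.
log " [PECompact v3 OEP Finder] Found PECompact EP pattern at {p:0}", $result
bpc // Remove all software breakpoints (this also discards any the analyst had set)
bphc // Remove all hardware breakpoints so ours is the only one that can fire
step // Execute a single instruction
// NOTE(review): cip-5 is the EP only when cip was on the matched B8 imm32 instruction at
// script start (the header requires being at the entrypoint); find can also match further
// down from cip, in which case this address is wrong - confirm $result == cip.
bph cip-5 // Put a HW BP at the previous instruction (EP)
erun // Run the program, passing first-chance exceptions to the debuggee
cmt cip, "OEP" // HW BP will trigger with the uncompressed code
d // Show the disassembly window
bpc // Clean up: drop remaining software breakpoints
bphc // Clean up: drop the hardware breakpoint placed above
ret
err_notfound:
msg "PECompact v3 EP pattern not found"
ret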