Hi Kameo!
If you want find the correct OEP in stolen code, you can use this script:
Code:
// ASProtect 1.32 and greater (except ASProtect 2.0 alpha) OEP finder
by sanniassin::REVENGE Crew
// Ignore all exceptions
// Clear all breakpoints
// Tested on WinXP only
var x
var y
var is_DLL
mov x,esp
sub x,48
bphws x,"r"
mov y,[eip]
and y,000000FF
cmp y,60
jne zzz
mov is_DLL,1
zzz:
run
mov y,[eip]
cmp y,01B80875
jne zzz
bphwc x
find edi,#83C404010424C3#
mov x,$RESULT
add x,6
bp x
run
bc x
sto
mov x,eip
findcall:
dec x
mov y,[x]
cmp y,5B5E5F5D
jne findcall
sub x,8
go x
sti
rtr
sto
mov x,eip
and x,0000FFFF
cmp x,0
je no_VM_on_OEP
VM_on_OEP:
msg "OEP found! OEP stolen."
jmp pause
no_VM_on_OEP:
mov x,esp
cmp is_DLL,1
jne is_exe
add x,10
jmp label_9
is_exe:
add x,8
label_9:
bphws x,"r"
run
mov y,eip
dec y
mov y,[y]
and y,000000FF
cmp y,5C
jne label_9
bphwc x
cmp is_DLL,1
jne is_exe2
find eip,#8944241C61FFE0#
add $RESULT,5
bp $RESULT
run
bc $RESULT
sto
jmp msg
is_exe2:
mov x,eax
go x
msg:
msg "OEP found! OEP not stolen."
pause:
pause
scherzo