ClsUnpacker.vb
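Public Class ClsUnpacker
    ''' <summary>
    ''' Unpacks an FSG-packed 32-bit executable: starts it under the NonIntrusive
    ''' debugger, stops on the packer stub's final jump, single-steps onto the
    ''' original entry point (OEP), dumps the process and rebuilds the import table.
    ''' </summary>
    ''' <param name="TheProgram">
    ''' Path of the packed executable. The dump is written next to it as
    ''' "&lt;name&gt;_dump.exe". The argument is not modified (ByRef kept for callers).
    ''' </param>
    ''' <remarks>
    ''' The target is started as a live process and runs natively up to the
    ''' breakpoint, so the packer stub (and anything it does before the tail jump)
    ''' executes on this machine. Untrusted samples belong in an isolated analysis VM.
    ''' The byte-pattern match is a heuristic only; it does not prove the file is FSG.
    ''' </remarks>
    Public Shared Sub UnpackFSG(ByRef TheProgram As String)
        ' Reject an empty path before anything is launched; the original would only
        ' fail later, after the target process had already been created and run.
        If String.IsNullOrEmpty(TheProgram) Then
            MsgBox("No program was given to unpack.")
            Exit Sub
        End If

        ' Build the output path from the real extension instead of assuming the name
        ' ends in exactly four characters (".exe"); short or extension-less names
        ' previously produced a truncated name or an exception after the target ran.
        Dim DumpPath As String = System.IO.Path.ChangeExtension(TheProgram, Nothing) & "_dump.exe"

        Dim Debugger As New NonIntrusive.NIDebugger
        Dim StartOpts As New NonIntrusive.NIStartupOptions
        Dim DumpOpts As New NonIntrusive.NIDumpOptions
        Dim ImportRec As New ImportReconstruction.ARImpRec
        Dim SearchOpts As New NonIntrusive.NISearchOptions

        With StartOpts
            .commandLine = ""
            .executable = TheProgram
            ' NOTE(review): presumably keeps the new process suspended at creation - confirm.
            .resumeOnCreate = False
        End With

        With Debugger
            .StepIntoCalls = False
            .Execute(StartOpts)

            Try
                ' NOTE(review): set-then-clear on the current EIP is kept from the
                ' original; its purpose is not visible from this file.
                .SetBreakpoint(.Context.Eip)
                .ClearBreakpoint(.Context.Eip)

                ' Stub signature: 78 F3 (js), 75 03 (jnz), FF 63 0C (jmp dword ptr [ebx+0Ch]).
                Dim Result() As UInteger = {}
                With SearchOpts
                    .SearchString = "78 F3 75 03 FF 63 0C"
                    .SearchImage = True
                    .MaxOccurs = 1
                End With
                .SearchMemory(SearchOpts, Result)

                If Result Is Nothing OrElse Result.Length = 0 Then
                    MsgBox("Are you sure its protected with FSG?")
                    ' Leave through Finally so the target is terminated. The original
                    ' called End here, which killed the whole application and left
                    ' the launched target process behind.
                    Exit Sub
                End If

                ' Offset 4 into the match is the FF 63 0C jump; break there, then one
                ' single-step takes the jump so EIP is the address it transfers to.
                .SetBreakpoint((Result(0) + &H4))
                .Continue()
                .SingleStep()

                With DumpOpts
                    .ChangeEP = True
                    ' Entry point is stored relative to the main module base (an RVA).
                    .EntryPoint = Debugger.Context.Eip - Debugger.Process.MainModule.BaseAddress
                    .OutputPath = DumpPath
                    .PerformDumpFix = True
                End With
                .DumpProcess(DumpOpts)

                With ImportRec
                    .Initilize(Application.StartupPath & "\")
                    ' The import fixer is handed the absolute OEP (RVA + image base).
                    If .FixImports(Debugger.Process.Id, DumpOpts.OutputPath, DumpOpts.EntryPoint + Debugger.ProcessImageBase, TheProgram, True) = True Then
                        MsgBox("Successfully unpacked FSG! Saved To:" & Environment.NewLine & .GetSavePath)
                    Else
                        MsgBox("Auto Rebuild Imports Failed!, Manually rebuild now!")
                    End If
                End With
            Finally
                ' Always detach and terminate the target, including on the failure path
                ' or when dumping/import fixing throws, so no sample process stays alive.
                .Detach.Terminate()
            End Try
        End With
    End Sub
End Class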