Scarabee
May 23rd, 2004, 10:25
Hi all,
I wrote this small script for unpacking MEW10. Just for fun, but I encountered something weird:
when testing the script with OllyScript 0.7 and with 0.85 it gives me different results.
This is the script:
var oki
var oki2
sto
sto
findop eip, #FFE0#          // search forward from EIP for JMP EAX (FF E0)
mov oki, $RESULT
bp oki
esto
sto
bc oki
findop eip, #C3#            // search forward from EIP for RETN (C3)
mov oki2, $RESULT
bp oki2
esto
sto
bc oki2
MSG "OEP Reached!"
Version 0.7 puts me at the RETN that leads to the OEP, but 0.85 leads me to a different (earlier)
location after searching for the C3 byte:
0048C0FF ^EB C3 JMP SHORT Unpacked.0048C0C4 <-- 0.85 lands here
0048C101 52 PUSH EDX
0048C102 51 PUSH ECX
0048C103 57 PUSH EDI
0048C104 56 PUSH ESI
0048C105 AD LODS DWORD PTR DS:[ESI]
0048C106 50 PUSH EAX
0048C107 52 PUSH EDX
0048C108 FF11 CALL DWORD PTR DS:[ECX]
0048C10A 5E POP ESI
0048C10B 5F POP EDI
0048C10C 59 POP ECX
0048C10D 5A POP EDX
0048C10E AB STOS DWORD PTR ES:[EDI]
0048C10F ^EB B3 JMP SHORT Unpacked.0048C0C4
0048C111 C3 RETN <-- 0.7 lands here
So my question: is this a small bug, or does 0.7 search for the first byte of the ASM command?
/scarabee
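The two addresses in the post are exactly what you get from two different search semantics over the same bytes: a raw byte-pattern search hits the C3 that is the displacement of the JMP SHORT at 0048C0FF (EB C3), while a search that only accepts matches at instruction boundaries skips it and lands on the RETN at 0048C111. The script below is an added example, not OllyScript's own code: it rebuilds the bytes from the listing in the post and runs both searches over them. Treating the two behaviours as "raw match snapped to the containing instruction" versus "instruction-aligned match" is an assumption made to explain the observed results, not a statement about how either OllyScript version is implemented, and the tiny length decoder only knows the opcodes that appear in this listing.

```python
"""Reproduce the two findop results from the post over the listed bytes.

Added example (not OllyScript's code).  The search semantics modelled here
are an assumption that explains the two observed addresses; the decoder is a
toy that covers only the opcodes present in the listing.
"""

# Constructed from the listing in the post: code bytes at 0048C0FF..0048C111.
BASE = 0x0048C0FF
CODE = bytes.fromhex(
    "EBC3"   # 0048C0FF  JMP SHORT 0048C0C4   (displacement byte happens to be C3)
    "52"     # 0048C101  PUSH EDX
    "51"     # 0048C102  PUSH ECX
    "57"     # 0048C103  PUSH EDI
    "56"     # 0048C104  PUSH ESI
    "AD"     # 0048C105  LODS DWORD PTR DS:[ESI]
    "50"     # 0048C106  PUSH EAX
    "52"     # 0048C107  PUSH EDX
    "FF11"   # 0048C108  CALL DWORD PTR DS:[ECX]
    "5E"     # 0048C10A  POP ESI
    "5F"     # 0048C10B  POP EDI
    "59"     # 0048C10C  POP ECX
    "5A"     # 0048C10D  POP EDX
    "AB"     # 0048C10E  STOS DWORD PTR ES:[EDI]
    "EBB3"   # 0048C10F  JMP SHORT 0048C0C4
    "C3"     # 0048C111  RETN
)

# Toy opcode tables (assumption: enough for this listing, not a full x86 decoder).
ONE_BYTE = set(range(0x50, 0x60)) | {0xAD, 0xAB, 0xC3, 0x90}
REL8 = {0xEB}
MODRM_NO_IMM = {0xFF}


def modrm_len(code, off):
    """Bytes used by a ModRM byte plus any SIB/displacement (32-bit addressing)."""
    modrm = code[off]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod == 3:
        return n
    if rm == 4:                                   # SIB byte present
        n += 1
        if mod == 0 and (code[off + 1] & 7) == 5:  # base=101 with mod=00 -> disp32
            n += 4
    elif mod == 0 and rm == 5:                    # [disp32]
        n += 4
    if mod == 1:
        n += 1
    elif mod == 2:
        n += 4
    return n


def insn_len(code, off):
    """Length of the instruction starting at off; refuse unknown opcodes."""
    op = code[off]
    if op in ONE_BYTE:
        return 1
    if op in REL8:
        return 2
    if op in MODRM_NO_IMM:
        return 1 + modrm_len(code, off + 1)
    raise ValueError(f"opcode {op:02X} at +{off} is outside this toy decoder")


def decode(code):
    """(offset, length) of every instruction, walking linearly from offset 0."""
    out, off = [], 0
    while off < len(code):
        n = insn_len(code, off)
        out.append((off, n))
        off += n
    return out


def raw_search(code, pattern):
    """Every offset where the bytes occur, ignoring instruction boundaries."""
    return [i for i in range(len(code) - len(pattern) + 1)
            if code[i:i + len(pattern)] == pattern]


def aligned_search(code, pattern):
    """Only offsets where an instruction *starts* with the pattern."""
    return [off for off, _ in decode(code) if code[off:off + len(pattern)] == pattern]


def containing_insn(code, off):
    """Start offset of the instruction that contains byte offset off."""
    for start, n in decode(code):
        if start <= off < start + n:
            return start
    raise ValueError(f"offset {off} not covered by decoded instructions")


def first_match(code, base, pattern, aligned):
    """Address findop would report under each modelled semantics (None if no hit)."""
    hits = aligned_search(code, pattern) if aligned else raw_search(code, pattern)
    if not hits:
        return None
    off = hits[0] if aligned else containing_insn(code, hits[0])
    return base + off


if __name__ == "__main__":
    for aligned in (False, True):
        addr = first_match(CODE, BASE, b"\xC3", aligned)
        print(f"aligned={aligned!s:5}  #C3# -> {addr:08X}")
```

The raw search reports the instruction at 0048C0FF (the C3 is byte 1 of EB C3), the aligned search reports 0048C111. The practical lesson for unpacking scripts is that a one-byte pattern like #C3# is easy to hit inside an immediate or displacement, so an OEP-finding script should either search for a longer, instruction-level pattern or verify that `$RESULT` really is the start of a RETN before breaking on it.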