; SafeDisc v2.60 OEP Finder
; Tested with:
;	- Stronghold Deluxe
; Use Scylla to hide debugger
; Pass all exceptions

bpc
bphwc

; Find Tail jump
; call eax; popad; pop ebp; jmp ??
find eip, FFD0615DEB
cmp $RESULT, 0
je error_msg
$oep_jmp_offset = byte:[$RESULT + 5]
$oep_jmp_address = $RESULT + 4 + $oep_jmp_offset + 2
$oep_jmp_offset = dword:[$oep_jmp_address + 1]
$oep_address = $oep_jmp_address + $oep_jmp_offset + 5
log "OEP jump at {p:$oep_jmp_address}"
log "OEP at {p:$oep_address}"

; Wait until game is unpacked
$addr_LoadLibraryA = LoadLibraryA + dis.len(LoadLibraryA)
bphws $addr_LoadLibraryA
bphwcond $addr_LoadLibraryA, "stristr(utf8(arg.get(0)), \"shell32\") == 1"

erun

bphwc $addr_LoadLibraryA

; Wait until the second event is created
$addr_CreateEventA = CreateEventA
bphws $addr_CreateEventA
bphwcond $addr_CreateEventA, "stristr(utf8(arg.get(3)), \"BLT_\") == 1"

erun

bphwc $addr_CreateEventA

; Steal the handle
rtr
$event_handle = eax

; Wait for process to wait for event
$addr_WaitForSingleObject = WaitForSingleObject + dis.len(WaitForSingleObject)
bphws $addr_WaitForSingleObject
bphwcond $addr_WaitForSingleObject, "arg.get(1) == 0xffffffff"

erun

bphwc $addr_WaitForSingleObject

; Set the event
$eip_org = eip
eip = SetEvent
esp -= 8
dword:[esp+4] = $event_handle
rtr
esp += 8

; jump back
eip = $eip_org

; We can finally break on the OEP
bphws $oep_address, x, 1

erun

bphwc $oep_address

log "You should be at the OEP now :)"
jmp end

error_msg:
	error "Could not find OEP :("

end: