[Repost][Script] Execryptor 2.x - 2.41 find VM EP - Stolen OEP
Posted: 2008-6-16 08:15

From: EXETOOLS

by: trickyboy

Hi everyone, we know that Unpacker Execryptor by RSI (public version) can unpack a lot of targets, but sometimes it can't find the OEP (it misses the VC8 signature in the public version).
Ex:
[Option: One-touch Trial + Protect Entry Point] VC8

http://www.chrismc.de/development/xarp/XArp.exe

[Option: Not Compress section code, Not dynamic import]

http://dl.powerarchiver.com/2007/powarc1022.exe

So I modified the Bypass AntiDebug script to find the VM EP or the Stolen OEP, and you can input it into Unpacker Execryptor.

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//	FileName		:	Execryptor 2.x - 2.41 find VM EP - Stolen OEP.osc
//	Version			:	1.0
//	Comment			:	modified Bypass anti debug script,just for find Stolen OEP
//	Environment		:	WinXP SP2,OllyICE with Phantom plugin,ODBGScript V1.64+, Check bypass All Exception:00000000 - FFFFFFFF
//	Author			:	Trickyboy
//	WebSite			:	http://www.reaonline.net
//	Date			:	2008-06-15 14:50
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Data:
	var imagebase
	var ecseg
	var vmseg
	var ep
	var oep
	var vmep
	var codeseg
	var sizeheader
	var oriByte
	var temp
	
Init:
	BPHWCALL
	gmi eip, MODULEBASE						//Base of the module EIP is in
	mov imagebase, $RESULT
	mov codeseg, $RESULT
	mov temp, $RESULT
	gmemi imagebase, MEMORYSIZE				//Size of the PE header region
	mov sizeheader, $RESULT
	add codeseg, sizeheader					//First section starts right after the header
	add temp, 3C							//e_lfanew: offset of the PE signature
	mov temp, [temp]
	add temp, imagebase
	add temp, 28							//AddressOfEntryPoint (RVA) in the optional header
	mov temp, [temp]
	add temp, imagebase
	bc temp									//Clear Olly's breakpoint at EP
	mov ep, temp
	gmemi eip, MEMORYBASE					//Section EIP is in (ecseg = ExeCryptor's section)
	mov ecseg, $RESULT
	gpa "CreateThread", "kernel32.dll"
	mov oriByte, [$RESULT] 					//Store original byte at CreateThread
	mov [$RESULT], #C3#						//Patch RETN at CreateThread
	
FindSOEPNotPacked:
	mov temp, eip							//Store current EIP
	cmp [codeseg], 00000000				//Is section code null?
	je FindVMEP								
	mov eip, codeseg						//If section code is not packed
	eval "JMP 0{ep}"
	findcmd eip, $RESULT					//Find command JMP EP
	cmp $RESULT, 0							
	jne FoundSOEP							//Found OEP
	
FindVMEP:
	mov eip, temp							//Restore last EIP
	bphws ep, "x"							//Hardware breakpoint on execute at EP
	esto									//Run until EP
	bphwc ep
	mov temp, ecseg
	sub temp, 1
	gmemi temp,MEMORYBASE					//Section just below ecseg
	mov vmseg,$RESULT
	gmemi temp,MEMORYSIZE
	bprm vmseg,$RESULT						//Memory breakpoint on read of that section
	esto
	bpmc									//Clear memory breakpoints
	mov vmep, eax
	sti
	bprm vmep, 1
	
LoopFind:
	esto
	cmp eip, vmep
	jne LoopFind
	
FoundVMEP:
	bpmc
	mov temp, vmep
	sub temp, imagebase
	eval "VM EP: {vmep} RVA: {temp}"
	log $RESULT
	mov temp, $RESULT
	msg temp
	eval "<== Found VM EP by Trickyboy. {temp}"
	cmt vmep, $RESULT
	gpa "CreateThread","kernel32.dll"
	mov [$RESULT],oriByte					//Restore CreateThread API
	
FindSOEP:
	mov eip,codeseg
	eval "JMP 0{vmep}"
	findcmd eip,$RESULT
	cmp $RESULT,0
	je notFoundSOEP
	
FoundSOEP:
	mov eip, $RESULT
	mov oep, $RESULT
	mov temp, oep
	sub temp, imagebase
	eval "OEP: {oep} RVA: {temp}"
	log $RESULT
	mov temp, $RESULT
	msg temp
	eval "<== Found Stolen OEP by Trickyboy. {temp}"
	cmt oep, $RESULT
	ret
	
notFoundSOEP:
	mov eip, vmep
	msg "Sorry, not found Stolen OEP !"
	ret

Note:
1. OllyICE + Phantom plugin
2. ODBGScript V1.64+
3. Check bypass all exception in Olly option: 00000000 - FFFFFFFF

Hope it's useful!

Regards,

Trick.

Latest replies (16)
#2
Moderator Lin, sorry, this thing is too good: without asking your permission I reposted a copy to the 一蓑烟雨 forum, hoping the script experts there can correct and integrate the Unpacker Execryptor script (after all, everyone has their own specialty) to make it more powerful and convenient for everyone. You won't blame me, will you?
2008-6-16 19:39
#3
Thanks for sharing.
2008-6-16 20:08
#4
Anything on the EXETOOLS forum may be reposted.

Trickyboy seems to be Vietnamese.
2008-6-16 20:52
#5
I know, but registering on the EXETOOLS forum seems to require an invitation code, so I can't register, which means a lot of articles can't be read and a lot of tools can't be downloaded, heh. Maybe my level is still too low. I'll wait for the day that forum holds an amnesty and go grab an ID.
2008-6-18 07:37
#6
Thanks, boss, for sharing the script.
2008-6-18 08:07
#7
Update NOTE!!!

1. OllyICE + Phantom plugin
2. ODBGScript V1.64+
3. Olly Advanced (Break on TLS Callback) so script can get correct imagebase
4. Check bypass all exception in Olly option: 00000000 - FFFFFFFF

trickyboy
2008-6-18 08:58
#8
Thanks for sharing ...........
2008-6-18 15:47
#9
Hi all, I updated the script to version 1.1.

It can find the stolen OEP in some special Borland Delphi targets (the public version of Unpacker Execryptor can't find it).

Ex:
http://www.diskinternals.com/files/Raid_Recovery.exe


///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//	FileName		:	Execryptor 2.x - 2.41 find VM EP - Stolen OEP v1.1.osc
//	Version			:	1.1
//	Comment			:	modified Bypass anti debug script,just for find Stolen OEP
//	Environment		:	WinXP SP2,OllyICE with Phantom plugin,
//						ODBGScript V1.64+,
//						Olly Advanced (Break on TLS Callback),
//						Check bypass All Exception:00000000 - FFFFFFFF
//	Author			:	Trickyboy
//	WebSite			:	http://www.reaonline.net
//	Date			:	2008-06-19 09:10
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Data:
	var imagebase
	var ecseg
	var vmseg
	var ep
	var oep
	var vmep
	var codeseg
	var sizeheader
	var oriByte
	var temp
	
Init:
	BPHWCALL
	gmi eip, MODULEBASE						//Base of the module EIP is in
	mov imagebase, $RESULT
	mov codeseg, $RESULT
	mov temp, $RESULT
	gmemi imagebase, MEMORYSIZE				//Size of the PE header region
	mov sizeheader, $RESULT
	add codeseg, sizeheader					//First section starts right after the header
	add temp, 3C							//e_lfanew: offset of the PE signature
	mov temp, [temp]
	add temp, imagebase
	add temp, 28							//AddressOfEntryPoint (RVA) in the optional header
	mov temp, [temp]
	add temp, imagebase
	bc temp									//Clear Olly's breakpoint at EP
	mov ep, temp
	gmemi eip, MEMORYBASE					//Section EIP is in (ecseg = ExeCryptor's section)
	mov ecseg, $RESULT
	gpa "CreateThread", "kernel32.dll"
	mov oriByte, [$RESULT] 					//Store original byte at CreateThread
	mov [$RESULT], #C3#						//Patch RETN at CreateThread
	
FindSOEPNotPacked:
	mov temp, eip							//Store current EIP
	cmp [codeseg], 00000000				//Is section code null?
	je FindVMEP								
	mov eip, codeseg						//If section code is not packed
	eval "JMP 0{ep}"
	findcmd eip, $RESULT					//Find command JMP EP
	cmp $RESULT, 0							
	jne FoundSOEP							//Found OEP
	
FindVMEP:
	mov eip, temp							//Restore last EIP
	bphws ep, "x"							//Hardware breakpoint on execute at EP
	esto									//Run until EP
	bphwc ep
	mov temp, ecseg
	sub temp, 1
	gmemi temp,MEMORYBASE					//Section just below ecseg
	mov vmseg,$RESULT
	gmemi temp,MEMORYSIZE
	bprm vmseg,$RESULT						//Memory breakpoint on read of that section
	esto
	bpmc									//Clear memory breakpoints
	mov vmep, eax
	sti
	bprm vmep, 1
	
LoopFind:
	esto
	cmp eip, vmep
	jne LoopFind
	
FoundVMEP:
	bpmc
	mov temp, vmep
	sub temp, imagebase
	eval "VM EP: {vmep} RVA: {temp}"
	log $RESULT
	mov temp, $RESULT
	msg temp
	eval "<== Found VM EP by Trickyboy. {temp}"
	cmt vmep, $RESULT
	gpa "CreateThread","kernel32.dll"
	mov [$RESULT],oriByte					//Restore CreateThread API
	
FindSOEP:
	mov eip,codeseg
	eval "JMP 0{vmep}"
	findcmd eip,$RESULT
	cmp $RESULT,0
	jnz FoundSOEP
FindSOEP2ndseg:							//Search on next section
	gmemi codeseg, MEMORYSIZE
	mov temp, codeseg
	add temp, $RESULT
	mov eip, temp
	eval "JMP 0{vmep}"
	findcmd eip,$RESULT
	cmp $RESULT,0
	je notFoundSOEP
	
FoundSOEP:
	mov eip, $RESULT
	mov oep, $RESULT
	mov temp, oep
	sub temp, imagebase
	eval "OEP: {oep} RVA: {temp}"
	log $RESULT
	mov temp, $RESULT
	msg temp
	eval "<== Found Stolen OEP by Trickyboy. {temp}"
	cmt oep, $RESULT
	ret
	
notFoundSOEP:
	mov eip, vmep
	msg "Sorry, not found Stolen OEP !"
	ret
2008-6-19 11:01
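An added Python example (not trickyboy's script and not Unpacker Execryptor code) that reproduces the static part of both script versions outside the debugger: the header walk that computes EP (imagebase + [imagebase+3C] + 28), the "is section code null?" check, and the `findcmd "JMP 0{vmep}"` search over the first section and, as v1.1 adds, the next one. The image buffer, section RVA ranges and the planted JMP are constructed for the demo; the live VM EP trace (hardware and memory breakpoints) is not reproduced.

```python
import struct

IMAGEBASE = 0x400000          # constructed sample: image base of the loaded file
E_LFANEW_OFF = 0x3C           # DOS header: offset of e_lfanew
AEP_FROM_PE_SIG = 0x28        # AddressOfEntryPoint, relative to the "PE\0\0" signature
SECTIONS = [(0x1000, 0x2000), (0x2000, 0x3000)]   # constructed: RVA ranges of the code sections

def entry_point_va(image, imagebase):
    """Init block of the script: EP = imagebase + [imagebase + [imagebase+3C] + 28]."""
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFF)[0]
    aep_rva = struct.unpack_from("<I", image, e_lfanew + AEP_FROM_PE_SIG)[0]
    return imagebase + aep_rva

def find_jmp_to(image, imagebase, start, end, target):
    """findcmd eip, "JMP 0{target}": first E9 rel32 in RVA range [start, end) that
    lands on target. Returns the VA of that JMP (the stolen-OEP candidate) or None."""
    for rva in range(start, end - 4):
        if image[rva] != 0xE9:
            continue
        rel = struct.unpack_from("<i", image, rva + 1)[0]
        if ((imagebase + rva + 5 + rel) & 0xFFFFFFFF) == target:
            return imagebase + rva
    return None

def find_stolen_oep(image, imagebase, sections, target):
    """FindSOEPNotPacked / FindSOEP / FindSOEP2ndseg: a zero first dword means the
    code section is still packed (the debugger-driven VM EP trace is needed, so
    give up here); otherwise try each code section in turn, as v1.1 does."""
    if struct.unpack_from("<I", image, sections[0][0])[0] == 0:
        return None
    for start, end in sections:
        hit = find_jmp_to(image, imagebase, start, end, target)
        if hit is not None:
            return hit
    return None

def build_sample():
    """Constructed image: 0x1000 header, code sections at RVA 0x1000 and 0x2000,
    protector section holding the EP at RVA 0x5000, JMP planted in section 2."""
    img = bytearray(0x6000)
    struct.pack_into("<I", img, E_LFANEW_OFF, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img, 0x80 + AEP_FROM_PE_SIG, 0x5000)
    img[0x1000:0x1004] = b"\x55\x8b\xec\x90"     # push ebp / mov ebp,esp / nop: not null
    jmp_rva = 0x2234
    rel = (IMAGEBASE + 0x5000) - (IMAGEBASE + jmp_rva + 5)   # rel32 back to the EP
    struct.pack_into("<Bi", img, jmp_rva, 0xE9, rel)
    return bytes(img)

if __name__ == "__main__":
    img = build_sample()
    print(hex(find_stolen_oep(img, IMAGEBASE, SECTIONS, entry_point_va(img, IMAGEBASE))))
```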
#10
trickyboy:

Welcome to PEDIY Forum.
2008-6-19 14:38
#11
I hope you can be more than a forum.
2008-6-19 14:40
#12
Hi, I love this forum but don't know Chinese. I hope I will learn it this summer. But I still understand you because I have a friend who is Chinese.

Cheers.
2008-6-19 17:29
#13
trickyboy: Yes. Friend.
2008-6-19 21:14
#14
I know you are a very good software debugger in Vietnam; I appreciate and praise you.
2008-6-19 21:20
#15
I don't know what you are talking about.
2008-7-26 03:07
#16
Nice script, and all friends here ;)
2008-7-26 04:27
#17
I know you are a very good software debugger in Vietnam; I appreciate and praise you.
Many thanks.
2008-7-26 15:20