Hi everyone, we know that Unpacker Execryptor by RSI (public version) can unpack a lot of targets, but sometimes it cannot find the OEP (the public version is missing the VC8 signature). Example: [Option: One-touch Trial + Protect Entry Point] VC8
http://www.chrismc.de/development/xarp/XArp.exe
[Option: code section not compressed, no dynamic import]
http://dl.powerarchiver.com/2007/powarc1022.exe
So I modified the Bypass AntiDebug script to find the VM EP or the stolen OEP; you can then enter that address into Unpacker Execryptor.
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// FileName : Execryptor 2.x - 2.41 find VM EP - Stolen OEP.osc
// Version : 1.0
// Comment : modified from the Bypass AntiDebug script; it only finds the VM EP / stolen OEP, it does not unpack
// Environment : WinXP SP2, OllyICE with Phantom plugin, ODBGScript v1.64+, Olly set to pass all exceptions (00000000 - FFFFFFFF) to the program
// Author : Trickyboy
// WebSite : http://www.reaonline.net
// Date : 2008-06-15 14:50
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
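Data:
var imagebase                 // module base of the debuggee (taken from eip at script start)
var ecseg                     // base of the section eip is in at start (the ExeCryptor stub section)
var vmseg                     // base of the section directly below ecseg (where the VM EP is reached)
var ep                        // PE AddressOfEntryPoint as a VA
var oep                       // stolen / original OEP once found
var vmep                      // VM entry point once found
var codeseg                   // first section after the PE header, assumed to be the code section
var sizeheader                // size of the header memory block = offset of the first section
var oriByte                   // DWORD originally at CreateThread, kept for the restore
var ctAddr                    // address of kernel32!CreateThread
var temp
Init:
// Purpose: locate the VM EP and the stolen OEP of an ExeCryptor 2.x - 2.41 target so the address
// can be fed to the Unpacker Execryptor script. Run it with the debugger stopped at the packed EP
// (Olly's initial break) and with all exceptions (00000000 - FFFFFFFF) passed to the program,
// otherwise the "esto" runs below stop on the protector's exceptions instead of our breakpoints.
BPHWCALL                      // start without hardware breakpoints left over from a previous run
gmi eip, MODULEBASE
mov imagebase, $RESULT
mov codeseg, $RESULT
mov temp, $RESULT
gmemi imagebase, MEMORYSIZE   // size of the header block = RVA of the first section
mov sizeheader, $RESULT
add codeseg, sizeheader       // heuristic: the first section is taken to be the code section
// EP = imagebase + [ imagebase + [imagebase+3C] + 28 ]
//    = e_lfanew -> IMAGE_NT_HEADERS, +28 = OptionalHeader.AddressOfEntryPoint
add temp, 3C
mov temp, [temp]              // e_lfanew
add temp, imagebase
add temp, 28                  // AddressOfEntryPoint lies 0x28 after the "PE\0\0" signature
mov temp, [temp]
add temp, imagebase
bc temp                       // clear any INT3 breakpoint left on the EP (bc = software bp, not memory bp)
mov ep, temp
gmemi eip, MEMORYBASE
mov ecseg, $RESULT            // section we are stopped in = ExeCryptor section
// Anti-debug bypass carried over from the Bypass AntiDebug script: make CreateThread return at
// once so the protector's watchdog threads never start. A bare RETN neither pops the stdcall
// arguments nor sets eax (no handle is returned); that is how the original bypass behaves and it
// is kept unchanged here. The patch is undone on every exit path below.
gpa "CreateThread", "kernel32.dll"
cmp $RESULT, 0
je noCreateThread             // gpa failed: do not write to address 0, stop with a message instead
mov ctAddr, $RESULT
mov oriByte, [ctAddr]         // mov var,[addr] reads a DWORD, so the restore puts back 4 bytes
mov [ctAddr], #C3#            // RETN
FindSOEPNotPacked:
// If the code section is in clear (not compressed), the stolen OEP is simply the place where the
// protector planted "JMP <EP>"; it can be searched for without running the target at all.
mov temp, eip                 // findcmd is fed with eip here, so remember where we are
cmp [codeseg], 00000000       // first DWORD zero => section still packed, take the VM route
je FindVMEP
mov eip, codeseg
eval "JMP 0{ep}"
findcmd eip, $RESULT          // $RESULT = address of the match, 0 when nothing found
cmp $RESULT, 0
jne FoundSOEP                 // FoundSOEP consumes $RESULT; nothing between here and there may clobber it
FindVMEP:
mov eip, temp                 // undo the eip move used for findcmd
bphws ep, "x"                 // run until the packed EP executes
esto
bphwc ep
mov temp, ecseg
sub temp, 1                   // any address inside the section just below ecseg
gmemi temp, MEMORYBASE
mov vmseg, $RESULT
gmemi temp, MEMORYSIZE
bprm vmseg, $RESULT           // break on the first access anywhere in that (VM) section
esto
bpmc
// Observed on the author's ExeCryptor 2.x targets: at the first touch of the VM section eax
// already holds the VM entry address (control is transferred through eax). This is an assumption
// about the stub, not something derived from the PE; if the VM EP logged below is wrong, this is
// the line to revisit.
mov vmep, eax
sti
bprm vmep, 1                  // now wait until execution really arrives at that address
LoopFind:
esto
cmp eip, vmep
jne LoopFind
FoundVMEP:
bpmc
mov temp, vmep
sub temp, imagebase
eval "VM EP: {vmep} RVA: {temp}"
log $RESULT
mov temp, $RESULT
msg temp
eval "<== Found VM EP by Trickyboy. {temp}"
cmt vmep, $RESULT
FindSOEP:
// With the entry point protected, the stolen OEP is where the protector planted "JMP <VM EP>".
mov eip, codeseg
eval "JMP 0{vmep}"
findcmd eip, $RESULT
cmp $RESULT, 0
je notFoundSOEP
FoundSOEP:
// Reached directly from FindSOEPNotPacked or via the VM route; in both cases $RESULT = OEP.
mov eip, $RESULT
mov oep, $RESULT
mov temp, oep
sub temp, imagebase
eval "OEP: {oep} RVA: {temp}"
log $RESULT
mov temp, $RESULT
msg temp
eval "<== Found Stolen OEP by Trickyboy. {temp}"
cmt oep, $RESULT
mov [ctAddr], oriByte         // restore CreateThread; the unpacked-code path previously returned with it still patched
ret
notFoundSOEP:
mov eip, vmep
mov [ctAddr], oriByte         // restore CreateThread before leaving
msg "Sorry, not found Stolen OEP !"
ret
noCreateThread:
msg "Sorry, kernel32!CreateThread not found - cannot apply the anti-debug patch !"
ret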
Note: 1. OllyICE + Phantom plugin; 2. ODBGScript v1.64 or later; 3. In Olly's exception options, ignore (pass to the program) the custom range 00000000 - FFFFFFFF.
Hi, I love this forum but I don't know Chinese. I hope to learn it this summer. I can still understand you because I have a friend who is Chinese.