03-05-2020, 19:12
0xall0c
My progress till now in Python x64dbg:


Code:
from x64dbgpy import pluginsdk
from x64dbgpy.pluginsdk._scriptapi import module
from x64dbgpy.pluginsdk._scriptapi import memory
from x64dbgpy.pluginsdk._scriptapi import pattern
from x64dbgpy.pluginsdk._scriptapi import register

# Byte pattern searched in the main module; '?' is a nibble wildcard, '??' a full byte
PEP_425_REG = "B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00"

# Break once on kernel32!CompareStringW, then drop the breakpoint again
addr = pluginsdk.RemoteGetProcAddress('kernel32.dll', 'CompareStringW')
pluginsdk.Run()
pluginsdk.Run()
pluginsdk.SetBreakpoint(addr)
pluginsdk.Run()
pluginsdk.DeleteBreakpoint(addr)

# Locate the pattern inside the main module
pattern_location = pattern.FindMem(module.GetMainModuleBase(), module.GetMainModuleSize(), PEP_425_REG)

# +10 into the pattern is the '0F B6' (movzx) that sets eax
setEaxAddress = pattern_location + 10

# Hardware execute breakpoint there; the first hit happens on this Run()
pluginsdk.SetHardwareBreakpoint(setEaxAddress, pluginsdk.HardwareType.HardwareExecute)
pluginsdk.Run()

# called 14 times, if ebp-1 set to 0
for i in range(13):
    memory.WriteByte(register.GetEBP() - 1, 0)
    pluginsdk.Run()

pluginsdk.DeleteHardwareBreakpoint(setEaxAddress)

# now it will jump to oep 0x4c0000
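The PEP_425_REG string above uses x64dbg's pattern syntax, where each token is two hex nibbles and '?' matches any nibble. The following is an added example, not code from the post or from x64dbgpy: it re-implements that matching in plain Python over a constructed byte buffer so the pattern and the +10 offset can be checked offline, without a debugger. The function names (`compile_pattern`, `find_pattern`, `movzx_offset`) and the sample bytes (`SAMPLE`, `NEAR_MISS`) are constructed for illustration.

```python
import re

# Pattern string from the post: two hex nibbles per token, '?' matches any nibble
PEP_425_REG = "B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00"

# Constructed sample: 4 filler NOPs, then bytes shaped to satisfy the pattern
SAMPLE = bytes.fromhex(
    "90909090"                  # filler, so the match should land at offset 4
    "B811223344"                # B? ?? ?? ?? ??   (mov eax, imm32)
    "E810000000"                # E8 ?? ?? 00 00   (call rel32)
    "0FB645FF"                  # 0F B6 ?? ??      (movzx eax, byte [ebp-1])
    "5E5D"                      # 5? 5?            (pop, pop)
    "C21000"                    # C2 10 00         (ret 0x10)
)
# Same bytes with the first pop replaced by 0x6E, which the '5?' token must reject
NEAR_MISS = SAMPLE.replace(b"\x5e\x5d", b"\x6e\x5d")


def compile_pattern(text):
    """Turn 'B? ?? 5?' into (value, mask) pairs; mask bits are 1 for fixed nibbles."""
    pairs = []
    for tok in text.split():
        if not re.fullmatch(r"[0-9A-Fa-f?]{2}", tok):
            raise ValueError("bad pattern token: %r" % tok)
        value = mask = 0
        for ch in tok:
            value <<= 4
            mask <<= 4
            if ch != "?":
                value |= int(ch, 16)
                mask |= 0xF
        pairs.append((value, mask))
    return pairs


def find_pattern(buf, text, start=0):
    """Offset of the first match of pattern `text` in `buf`, or -1 if absent."""
    pairs = compile_pattern(text)
    for off in range(start, len(buf) - len(pairs) + 1):
        if all((buf[off + i] & m) == v for i, (v, m) in enumerate(pairs)):
            return off
    return -1


def movzx_offset(buf):
    """Match + 10 is the '0F B6' movzx the post breaks on; -1 if there is no match."""
    hit = find_pattern(buf, PEP_425_REG)
    return -1 if hit < 0 else hit + 10
```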