#16
@ britedream
Thanks for the updated script, I have tested it on 5 aspr progs and it works a treat. Thanks for sharing
R@dier
#17
BriteDream,
I have an application, according to PEiD packed with an earlier version of "ASProtect 1.2 / 1.2c-> Alexey Solodovnikov", where your modified script doesn't work. But this version doesn't have stolen bytes, so the trick with the stack point did the job.
#18
The script should work unless the program is expired (in some). May I have the program name please?
#19
PM
PM sent to you
#20
Thanks R@dier for the testing, you are always helpful.
Thanks lownoise, I will take a look at it.
#21
Thank you again, it is just a matter of using a signature. I left it for simplicity, but now I will write another one based on a signature, which should work for all.
Last edited by britedream; 01-23-2004 at 01:09.
#22
The script sets the breakpoint correctly, but the problem with this is that even if I try using shift+7 or shift+8 or shift+9 or run, it won't stop on the breakpoint, so for the one that doesn't have stolen bytes, we have to use the first script for the last exception. My assumption that it will work with a signature is wrong. It is very nice of you, lownoise, to bring this to my attention. Regards.
Last edited by britedream; 01-23-2004 at 00:04.
#23
To lownoise:
For the one that doesn't have stolen bytes it is easy: you don't need to use stack bps, just use the first script to get to the last exception, set a memory breakpoint on the code section, and shift+9 twice will be at the OEP.
#24
Next version of OllyScript will support both hardware breakpoints and memory breakpoints. Also assembly will be supported, as well as searching for instructions/opcodes. Stack BP == mem BP, right?

Also, if any more features are wanted, please msg me on EFnet (nick SHaG) or mail to ollyscript at apsvans dot com.

BTW, if you want to modify the plugin, please send me the modifications and they will be incorporated in the next release. Don't want 100 different versions floating around.... =)
#25
We greatly appreciate your effort, and are looking forward to the next version.
Regards.
britedream
#26
aspack
Here is a quick and dirty script to stop on the OEP of aspack compressed programs.

Start Programmer comments
First it walks through the program and searches for the OEP bytes 7561 and 7503 (when a breakpoint has been set in an earlier run). If it's found we will set a breakpoint on that eip, then it runs the program and when the breakpoint occurs it does a singlestep to OEP.
This script has only been tested on 2 programs so please test it and report the results back.
End Programmer comments

var x
var y
mov x, eip
lab1:
mov y, [eip]
and y, 0000ffff
cmp y,7561
je lab2
cmp y,75cc
je lab3
add eip,1
jmp lab1
lab2:
ubp eip
lab3:
mov eip,x
eob lab4
eoe lab4
lab4:
sto
sto
sto
sto
log eip
ret
#27
neolite 2.0
OEP Script for neolite 2.0
Script will find the OEP jump and set a breakpoint there. Program will run and stop on the breakpoint (jmp eax). This script has been tested on R@dier unpack neolite 2.0.exe

var x
var y
mov x, eip
lab1:
mov y, [eip]
and y, 0000ffff
cmp y,e0ff
je lab2
cmp y,e0cc
je lab3
add eip,1
jmp lab1
lab2:
ubp eip
lab3:
mov eip,x
run
ret
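
The scan loop shared by the two scripts in posts #26 and #27, restated as an added Python example that is not part of any post in this thread. The names word_to_bytes, scan, first_hit and SAMPLE are hypothetical and the sample bytes are constructed; it shows which memory bytes the word compares correspond to and what a two-byte signature matches when scanned one byte at a time.

```python
import struct

INT3 = 0xCC  # byte a software breakpoint writes over the first opcode byte


def word_to_bytes(word):
    """`cmp y,7561` compares a little-endian word: bytes 61 75 in memory."""
    return struct.pack("<H", word)


def scan(code, word):
    """Yield (offset, patched) for every offset the script's compares match.

    patched is True when the first byte is an INT3 left by an earlier run,
    the case the scripts test with 75cc / e0cc.
    """
    sig = word_to_bytes(word)
    patched_sig = bytes([INT3]) + sig[1:]
    # Bounded by the buffer; the scripts' loop has no end-of-section check.
    for off in range(len(code) - 1):
        pair = code[off:off + 2]
        if pair == sig:
            yield off, False
        elif pair == patched_sig:
            yield off, True


def first_hit(code, word):
    """What the scripts act on: the first match only, or None if absent."""
    return next(scan(code, word), None)


# Constructed sample bytes (not taken from any real packed file).
SAMPLE = bytes.fromhex(
    "b861750000"  # mov eax, 0x7561: the immediate holds bytes 61 75
    "90"          # nop
    "617508"      # popad; jnz short +8: the intended match
)

if __name__ == "__main__":
    for off, patched in scan(SAMPLE, 0x7561):
        print(f"offset {off}: {'int3-patched' if patched else 'clean'}")
    print("first hit:", first_hit(SAMPLE, 0x7561))
```

Because the scan advances one byte at a time rather than one instruction at a time, the first hit in the sample is offset 1, inside the operand of the mov, not the popad at offset 6.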
#28
Way to go lownoise, it is nice to see people start playing with scripts, this way we all benefit.
Keep up the good work!
britedream
Last edited by britedream; 01-23-2004 at 20:07.
#29
Attached is a small script for asprotect (only tested on 1.23RC4).
It is basically a small extension of britedream's latest, with the addition of killing all the debugger checks. Also enclosed in the .zip are a few of my notes, which may explain what the script is doing/killing a little.
One small problem, I added a SUB func to the .dll and recompiled the source (details also enclosed) but I'm sure there's probably another easier way around the SUB.
Hope it's useful....
arz
#30
SUB is included in 0.4 which is now available for download at hxxp://ollyscript.apsvans.com =)
[Edit by JMI: The NO CLICKABLE LINKS rule applies to tool sites, even your own, because noobies can stop themselves from posting clickable links to software vendors. ALWAYS uncheck the "Automatically parse URLs" button.]
Last edited by SHaG; 01-26-2004 at 10:11.