Exetools  

#1
12-31-2005, 23:26
britedream
asprotect script

This script should work on old and new ASProtect-protected targets to find the OEP if there are no stolen bytes; otherwise it will land in the code section, right after the emulation of the stolen bytes. It makes life easier if you want to check the target a few times to make a loader. If there are targets the script didn't work on, please notify me; I only tested it on 5.

Edited for version check.
Script is updated to include more ASProtect breeds.
Updated on 2/1/2006.
Updated on 7/1/2006 to correct an error in the OllyScript plugin.
Attached Files
File Type: txt aspoepgen2.txt (1.1 KB, 53 views)

Last edited by britedream; 01-07-2006 at 17:24.
#2
01-01-2006, 00:58
Shub-Nigurrath
Hi britedream,
for which version of OllyScript was it written?
My OllyScript 0.92 (compiled 16 Jun 2004), by SHaG, reports an error about an undeclared variable: "codeb is not declared".

I'm probably using an old plugin.. ;-|
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
#3
01-01-2006, 01:12
britedream
I used version 1.41. I will add a version check. Thanks for bringing this up.
Regards.
#4
01-01-2006, 06:48
vodu
ODbgScript v1.41

Download link for Version 1.41:

hxxp://e3.epsylon.org/olly/ODbgScript.1.41.VC6.rar
#5
01-01-2006, 21:52
britedream
Script is updated. Thanks.
#6
01-06-2006, 15:18
britedream
Error in OllyScript plugin

I corrected the script by obtaining the values directly, as follows:

mov pe,400000+[400000+3c]        // e_lfanew: VA of the "PE\0\0" header (imagebase 400000 assumed)
mov codes,[pe+100]               // code size: VirtualSize of the first section header (pe+F8 is the section table, +8 skips Name)
mov codeb,400000+[pe+104]        // code base: VirtualAddress of the first section header, rebased to the imagebase
You can just correct the script as above or download the updated script. Thanks.

Last edited by britedream; 01-07-2006 at 17:32.
#7
01-07-2006, 17:53
taos
Quote:
Originally Posted by britedream
This script should work on old and new ASProtect-protected targets to find the OEP if there are no stolen bytes; otherwise it will land in the code section, right after the emulation of the stolen bytes. It makes life easier if you want to check the target a few times to make a loader. If there are targets the script didn't work on, please notify me; I only tested it on 5.

Edited for version check.
Script is updated to include more ASProtect breeds.
Updated on 2/1/2006.
Updated on 7/1/2006 to correct an error in the OllyScript plugin.
This is an exe that doesn't work with your script; it doesn't stop at any point (the process keeps running).
Please, if you have time, take a look at this exe.

Best Regards.
Attached Files
File Type: rar puchero.rar (936.9 KB, 8 views)
#8
01-07-2006, 18:07
britedream
I checked the target and the script worked as it should. I updated the script today to bypass an error in the OllyScript plugin; please download the script and recheck it.

I had no feedback from anybody else, so maybe the script is working only on my PC. I hope someone had success with it.
Thanks.

Last edited by britedream; 01-07-2006 at 22:17.
#9
01-08-2006, 00:58
Shub-Nigurrath
Hi britedream, I tested it on ArchiCrypt Stealth 4.2.1, the full version, and it seems not to work.
Here's the direct link:
hxtp://www.archicrypt.com/cgi-bin/countdownen.cgi?Stealth4_Vollversion.zip

Other targets worked fine..

Last edited by Shub-Nigurrath; 01-08-2006 at 01:03.
#10
01-08-2006, 02:59
britedream
Hi Shub-Nigurrath,
Thanks for reporting the target, but the target needs to be registered to continue to the OEP; due to that, I couldn't test it. But if the script reports "script isn't working", then it will not work; if it didn't report, then it may work, it just needs one more flag added for this new breed.
If you can tell me the value of EBP when you see a fingerprint on the stack similar to this as you go on passing the exceptions:
0012FF48 ASCII "F1BC5B13-6914"
I might be able to include it in the script.

Regards.

Last edited by britedream; 01-08-2006 at 03:12.
#11
01-08-2006, 05:22
stephenteh
No, you do not need to register the program in order to reach the OEP....

Check location 0439C934; that is the original OEP, but it has been "stolen" (VM).
Location 0439C934 has a long jump; go to that jump..... that's the start of the VM, or fake OEP.....
#12
01-08-2006, 07:18
Shub-Nigurrath
Exactly, the messagebox is part of the application and the OEP is reached the way stephenteh described.
That application is anyway an interesting target..
#13
01-08-2006, 12:09
britedream
Very strange target: the target is loaded in high memory, which is why I thought it was still in ASProtect when the nag shows, and it never stopped on the default range of an exe [400000+codeoffset+codesize].

Last edited by britedream; 01-08-2006 at 12:51.
#14
01-08-2006, 13:47
stephenteh
You shouldn't use a fixed imagebase of 400000, because this program is loaded at location 4190000.... You should use gmi to get the module base....
#15
01-08-2006, 14:38
britedream
gmi has a problem with some ASProtect targets; you could do this:

mov pe1,eip
and pe1,ff0000                   // keep bits 16-23 of EIP: an EIP of 4xxxxx gives 400000
cmp pe1,400000
je go2                           // EIP is in the 400000 range, so assume the default imagebase
mov pe1,eip
and pe1,ffff0000                 // otherwise round EIP down to a 64K boundary as the imagebase guess

go2:
mov pe,pe1+[pe1+3c]              // e_lfanew: VA of the "PE\0\0" header

cmp pe1,[pe+34]                  // check to see if the imagebase you assumed is the right one (OptionalHeader.ImageBase)
je go
msg "wrong imagebase"
ret
go:

mov codes,[pe+100]               // code size: VirtualSize of the first section header
mov codeb,pe1+[pe+104]           // code base: VirtualAddress of the first section header, rebased to the imagebase

But the target doesn't conform to the main coding of the script; it is not worth a major change in the script for one odd target. If there are a few of those, then I will update the script with their pattern. Thanks.
By the way, the imagebase of 400000 is the default where an exe is usually loaded. We could also go to the extreme and find the exact imagebase for sure, but it would be long and is not worth it. Easy: if the imagebase is wrong, just enter it manually.

Last edited by britedream; 01-08-2006 at 19:21.
All times are GMT +8. The time now is 01:57.