#61
SHaG
You can publish on your website my scripts (if u want). P.S. Check your e-mail.
#62
My scripts
See the attachment. It contains my:
Updated scripts:
- FSG 1.33 OEP Finder v0.1 !maybe unstable!
- PECompact 1.84 OEP Finder v0.1 !unstable edition!
- UPX 1.xx and UPX Protector 1.0 OEP Finder v0.1
New scripts:
- PeX 0.99 OEP Finder
  IMPORTANT NOTE: before using this script, CHECK the following option - Menu -> Options -> Debugging options -> Exceptions -> INT3 breaks. The script will not work if u do not do that!
- PE Diminisher 0.1 OEP Finder
#63
this script finds Svkp Oep:
Last edited by britedream; 02-15-2004 at 01:13.
#64
OEP Finder for EXEStealth 2.7
#65
OEP Finder for petite2.2
#66
This script finds OEP for protection plus; it is only tested on one target. (I couldn't find more targets to test). (windows xp).
Last edited by britedream; 02-25-2004 at 12:55.
#67
Y0da Crypter 1.2 OEP Finder!
Yeah... it really works! SHaG, put my scripts on your page.
#68
Scripts added to site. Great work guys!
I suppose you know that OS v0.6 is out?
#69
OEP Finder for PKLITE32 1.1
#70
Heh, just wanted to post this one here... It really makes use of all the capabilities of OllyScript. Requires OllyScript v0.6.
#71
Awesome script,
Many thanks R@dier
#72
OllyScript v0.62 posted.
* Breakpoint bug fixed (again).
* EFLAGS can be changed.
#73
Didn't really know where to post this, but here seems to be the best place.
I have written a PEShield v0.25 OEP finder. Enjoy!
EDIT: The upload didn't seem to work? I'll post the whole script then:
---------COPY FROM HERE-----------------------------
/*
This script finds OEP for programs packed with PEShield v0.25
(I haven't tested for other versions)

IMPORTANT!
You have to hide OllyDbg from IsDebuggerPresent manually BEFORE you run this script
(There are plugins that do that.)
You have to let OllyDbg handle all exceptions
(options --> Debugging Options --> Exceptions --> Uncheck all except KERNEL32)

When the script is finished, dump and rebuild IAT for unpacked program.
If you find any bugs in my script, please let me know.
You can reach me on Efnet (IRC) with nickname Harding
Have fun!
*/

msg "Have you read the IMPORTANT part in peshield.osc? If not, do so BEFORE you run peshield.osc. -Harding"

//Variables
var codeSize
var codeBase
var codeBaseAddCodeSize
var tempEIP
var i

//Execute on breakpoint (and exception)
eob breakHandler
eoe breakHandler

//Gets information about a module to which the specified address belongs.
//"info" can be MODULEBASE, MODULESIZE, CODEBASE or CODESIZE (if you want other info in the future versions plz tell me).
//Sets the reserved $RESULT variable (0 if data not found).
GMI eip, CODEBASE
mov codeBase, $RESULT

//Gets information about a module to which the specified address belongs.
//"info" can be MODULEBASE, MODULESIZE, CODEBASE or CODESIZE (if you want other info in the future versions plz tell me).
//Sets the reserved $RESULT variable (0 if data not found).
GMI eip, CODESIZE
mov codeSize, $RESULT

//Fix codeBaseAddCodeSize
mov codeBaseAddCodeSize, codeBase
add codeBaseAddCodeSize, codeSize

//Shift F9
esto

first:
//Shift F9
esto

second:
//Set memory breakpoint on write. Size is size of memory in bytes.
bpwm codeBase, codeSize
//Shift F9
esto

third:
//Shift F9
esto

fourth:
//Clear memory breakpoint.
bpmc
//Save current EIP
mov tempEIP,eip
//Set breakpoint on address addr with condition cond.
bpcnd eip,"ECX==1"
//Shift F9
esto

fifth:
//Clear unconditional breakpoint at addr. (And conditional)
bc tempEIP
//Set memory breakpoint on read. Size is size of memory in bytes.
bprm codeBase, codeSize

lastBreakHandler:
//Are we in CODE section? If yes, then we're at OEP, if not then Shift F9
cmp eip,codeBaseAddCodeSize
jb finish
esto

breakHandler:
add i,1
cmp i,1
je first
cmp i,2
je second
cmp i,3
je third
cmp i,4
je fourth
cmp i,5
je fifth
jmp lastBreakHandler

finish:
//Clear memory breakpoint.
bpmc
//Exit script
ret
//Written by Harding
---------STOP COPY HERE-----------------------------
Last edited by Harding; 03-28-2004 at 04:53.
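The "are we in the CODE section?" test from the script above, as an added Python example that is not part of the thread or of OllyScript. It assumes `GMI ... CODEBASE` / `CODESIZE` correspond to the PE32 optional header's BaseOfCode and SizeOfCode; the header bytes and helper names are constructed for illustration. It compares the posted upper-bound-only check with a check on both bounds.

```python
import struct

def build_sample_pe(image_base=0x400000, base_of_code=0x1000, size_of_code=0x3000):
    """Constructed minimal PE32 headers (sample data, not a runnable executable)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    # Magic, linker version, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, size_of_code, 0, 0,
                      0x5000, base_of_code, 0x4000)
    opt += struct.pack("<I", image_base)
    return dos + b"PE\x00\x00" + coff + opt

def code_range(pe):
    """Return (start, end) virtual addresses of the code range, end exclusive."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 24                      # signature (4) + COFF header (20)
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    size_of_code, _, _, _entry, base_of_code = struct.unpack_from("<5I", pe, opt + 4)
    (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    start = image_base + base_of_code
    return start, start + size_of_code

def posted_check(eip, pe):
    """Same comparison as 'cmp eip,codeBaseAddCodeSize / jb finish'."""
    _, end = code_range(pe)
    return eip < end

def in_code_section(eip, pe):
    """Both bounds: codeBase <= eip < codeBase + codeSize."""
    start, end = code_range(pe)
    return start <= eip < end

if __name__ == "__main__":
    pe = build_sample_pe()
    for eip in (0x401234, 0x405000, 0x350000):   # constructed sample addresses
        print(hex(eip), posted_check(eip, pe), in_code_section(eip, pe))
```

An address below the code base, such as the constructed `0x350000`, passes the upper-bound-only comparison but fails the two-sided one.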