Exetools  

  #16  
Old 01-22-2004, 21:42
R@dier
 
Posts: n/a
@ britedream

Thanks for the updated script,
I have tested it on 5 aspr progs and it works a treat.

Thanks for sharing

R@dier
  #17  
Old 01-22-2004, 21:57
lownoise
 
Posts: n/a
BriteDream,

I have an application that, according to PEiD, is packed with an earlier version of ASProtect 1.2 / 1.2c -> Alexey Solodovnikov, where your modified script doesn't work.
But this version doesn't have stolen bytes, so the trick with the stack point did the job.
  #18  
Old 01-22-2004, 22:14
britedream britedream is offline
Friend
 
Join Date: Jun 2002
Posts: 436
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 7 Posts
britedream Reputation: 0
The script should work unless the program is expired (in some). May I have the program name, please?
  #19  
Old 01-22-2004, 22:24
lownoise
 
Posts: n/a
PM

PM sent to you.
  #20  
Old 01-22-2004, 22:32
britedream britedream is offline
Thanks R@dier for the testing; you are always helpful.

Thanks lownoise, I will take a look at it.
  #21  
Old 01-22-2004, 22:41
britedream britedream is offline
Thank you again. It is just a matter of using a signature; I left it out for simplicity, but now I will write another one based on a signature, which should work for all.

Last edited by britedream; 01-23-2004 at 01:09.
  #22  
Old 01-23-2004, 00:01
britedream britedream is offline
The script sets the breakpoint correctly, but the problem with this is that even if I try using Shift+7 or Shift+8 or Shift+9 or run, it won't stop on the breakpoint. So for the one that doesn't have stolen bytes, we have to use the first script for the last exception.

My assumption that it will work with a signature is wrong.

it is very nice of you lownoise to bring this to my attention.

regards.

Last edited by britedream; 01-23-2004 at 00:04.
  #23  
Old 01-23-2004, 00:15
britedream britedream is offline
To lownoise:

For the one that doesn't have stolen bytes it is easy: you don't need to use stack BPs. Just use the first script to get to the last exception, set a memory breakpoint on the code section, and Shift+9 twice will be at the OEP.
  #24  
Old 01-23-2004, 09:30
SHaG SHaG is offline
Friend
 
Join Date: Jan 2004
Posts: 51
Rept. Given: 1
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
SHaG Reputation: 0
Next version of OllyScript will support both hardware breakpoints
and memory breakpoints. Also assembly will be supported, as
well as searching for instructions/opcodes. Stack BP == mem BP, right?

Also, if any more features are wanted, please msg me on EFnet (nick SHaG) or mail to ollyscript at apsvans dot com.

BTW, if you want to modify the plugin, please send me the
modifications and they will be incorporated in the next release.
Don't want 100 different versions floating around.... =)
  #25  
Old 01-23-2004, 13:12
britedream britedream is offline
We greatly appreciate your effort, and are looking forward to the next version.

Regards.
britedream
  #26  
Old 01-23-2004, 17:30
lownoise
 
Posts: n/a
aspack

Here is a quick and dirty script to stop on the OEP of ASPack-compressed programs.

Start Programmer comments
First it walks through the program and searches for the OEP bytes 7561 and 7503 (when a breakpoint has been set in an earlier run). If it's found, we set a breakpoint on that eip; then it runs the program, and when the breakpoint occurs it does a single step to the OEP. This script has only been tested on 2 programs, so please test it and report the results back.
End Programmer comments


var x
var y

mov x, eip


lab1:
mov y, [eip]
and y, 0000ffff
cmp y,7561
je lab2
cmp y,75cc
je lab3
add eip,1
jmp lab1

lab2:
ubp eip

lab3:
mov eip,x

eob lab4
eoe lab4

lab4:
sto
sto
sto
sto
log eip
ret
  #27  
Old 01-23-2004, 19:26
lownoise
 
Posts: n/a
neolite 2.0

OEP script for neolite 2.0.
The script will find the OEP jump and set a breakpoint there.
The program will run and stop on the breakpoint (jmp eax).
This script has been tested on R@dier unpack neolite 2.0.exe

var x
var y

mov x, eip


lab1:
mov y, [eip]
and y, 0000ffff
cmp y,e0ff
je lab2
cmp y,e0cc
je lab3
add eip,1
jmp lab1

lab2:
ubp eip
lab3:
mov eip,x
run
ret
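Added example, not part of the thread or of either poster's script: a Python model of the two-byte scan both scripts above perform (`mov y,[eip]` / `and y,0000ffff` / `cmp`), including the second comparison (75cc, e0cc) that matches when a debugger's INT3 byte has already replaced the first signature byte. The function names and the sample buffer are constructed for illustration; the sample also shows that a byte-by-byte scan can hit inside another instruction's operand before it reaches the real sequence.

```python
import struct

INT3 = 0xCC  # byte a debugger writes over an instruction for a software breakpoint

# Words as the scripts compare them after `and y, 0000ffff` (little-endian:
# the low byte is the first byte in memory).
SIGNATURES = {
    "aspack": 0x7561,       # 61 75 = popad ; jnz short
    "neolite 2.0": 0xE0FF,  # FF E0 = jmp eax
}

def candidates(code: bytes, word: int, start: int = 0):
    """Return every (offset, state) where the two-byte signature matches.

    state is "clean" for the original bytes and "patched" when the first
    byte has been replaced by INT3 (the scripts' 75cc / e0cc comparison).
    """
    patched = (word & 0xFF00) | INT3
    hits = []
    for off in range(start, len(code) - 1):
        y = struct.unpack_from("<H", code, off)[0]  # mov y,[eip] ; and y,0000ffff
        if y == word:
            hits.append((off, "clean"))
        elif y == patched:
            hits.append((off, "patched"))
    return hits

def first_hit(code: bytes, word: int, start: int = 0):
    """What the scripts act on: the first match at or after `start`, else None."""
    hits = candidates(code, word, start)
    return hits[0] if hits else None

def with_breakpoint(code: bytes, off: int) -> bytes:
    """Copy of `code` as memory looks with a software breakpoint at `off`."""
    return code[:off] + bytes([INT3]) + code[off + 1:]

# Constructed sample, not taken from any real packed file:
# nop ; mov eax,0x7561 ; nop ; popad ; jnz +8 ; mov eax,1 ; ret 0Ch ; push imm32 ; ret
SAMPLE = bytes.fromhex(
    "90 b8 61 75 00 00 90 61 75 08 b8 01 00 00 00 c2 0c 00 68 00 10 40 00 c3"
)

if __name__ == "__main__":
    print(candidates(SAMPLE, SIGNATURES["aspack"]))
    print(first_hit(with_breakpoint(SAMPLE, 7), SIGNATURES["aspack"], start=3))
```

In the sample the first match (offset 2) lies inside the immediate operand of `mov eax`, and only the second (offset 7) is the actual `popad ; jnz` pair, which is why a first-match scan needs checking on each new target.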
  #28  
Old 01-23-2004, 20:00
britedream britedream is offline
Way to go lownoise, it is nice to see people start playing with scripts; this way we all benefit.
Keep up the good work!
britedream

Last edited by britedream; 01-23-2004 at 20:07.
  #29  
Old 01-25-2004, 20:42
arz
 
Posts: n/a
Attached is a small script for asprotect (only tested on 1.23RC4).

It is basically a small extension of britedream's lastex, with the addition of killing all the debugger checks. Also enclosed in the .zip are a few of my notes, which may explain what the script is doing/killing a little.

One small problem: I added a SUB func to the .dll and recompiled the source (details also enclosed), but I'm sure there's probably another, easier way around the SUB.

Hope it's useful....

arz
Attached Files
File Type: zip anti-debug+lastex.zip (11.0 KB, 223 views)
  #30  
Old 01-26-2004, 08:58
SHaG SHaG is offline

SUB is included in 0.4 which is now available for download at hxxp://ollyscript.apsvans.com =)

[Edit by JMI: The NO CLICKABLE LINKS rule applies to tool sites, even your own, because noobies can stop themselves from posting clickable links to software vendors. ALWAYS uncheck the "Automatically parse URLs" button.]

Last edited by SHaG; 01-26-2004 at 10:11.
All times are GMT +8.