#1
asprotect script
This script should work on old and new ASProtect-protected targets to find the OEP if there are no stolen bytes; otherwise it will land on the code section, right after the emulation of the stolen bytes. It makes life easier if you want to check the target a few times to make a loader. If there are targets that the script didn't work on, please notify me; I only tested it on 5.
Edited for version check. Script is updated to include more ASProtect breeds. Updated on 2/1/2006. Updated on 7/1/2006 to correct an error by the OllyScript plugin.
Last edited by britedream; 01-07-2006 at 17:24.
#2
Hi britedream,
For which version of OllyScript has it been written? Mine, OllyScript 0.92 (compiled 16 Jun 2004), by Shag, reports an error about an undeclared variable: "codeb is not declared". I'm probably using an old plugin.. ;-|
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
#3
I used version 1.41. I will add a version check. Thanks for bringing this up..
Regards.
#4
ODbgScript v1.41
Download link for Version 1.41:
hxxp://e3.epsylon.org/olly/ODbgScript.1.41.VC6.rar
#5
Script is updated. Thanks.
#6
Error in OllyScript plugin
I corrected the script by obtaining the values directly, as follows (OllyScript numbers are hex):

mov pe,400000+[400000+3c]   // NT headers = imagebase + e_lfanew
mov codes,[pe+100]          // code size (VirtualSize of the first section header)
mov codeb,400000+[pe+104]   // code base (imagebase + VirtualAddress of the first section header)

You can just correct the script as above or download the updated script. Thanks.
Last edited by britedream; 01-07-2006 at 17:32.
#7
Please, if you have time, take a look at this exe. Best Regards.
#8
I checked the target and the script worked as it should. I updated the script today to bypass an error in the OllyScript plugin. Please download the script and recheck it.
I had no feedback from anybody else, so maybe the script is working only on my PC. I hope someone had success with it. Thanks.
Last edited by britedream; 01-07-2006 at 22:17.
#9
Hi britedream, I tested on Archicrypt Stealth 4.2.1, the full version, and it seems not to work.
Here's the direct link: hxtp://www.archicrypt.com/cgi-bin/countdownen.cgi?Stealth4_Vollversion.zip Other targets worked fine..
Last edited by Shub-Nigurrath; 01-08-2006 at 01:03.
#10
Hi Shub-Nigurrath,
Thanks for reporting the target, but the target needs to be registered to continue to the OEP; due to that, I couldn't test it. But if the script reports "script isn't working", then it will not work; if it didn't report, then it may work, it just needs one more flag added for this new breed. If you can tell me the value of EBP when you see a fingerprint on the stack similar to this as you go on passing the exceptions:

0012FF48 ASCII "F1BC5B13-6914"

I might be able to include it in the script. Regards.
Last edited by britedream; 01-08-2006 at 03:12.
#11
No, you do not need to register the program in order to reach the OEP...
Check location 0439C934: that is the original OEP, but it has been "stolen" (VM). Location 0439C934 has a long jump; go to that jump... that's the start of the VM or fake OEP...
#12
Exactly, the messagebox is part of the application and the OEP is reached in the way stephenteh told.
That application is anyway an interesting target..
#13
Very strange target: the target is loaded in high memory, which is why I thought it was still in ASProtect when the nag shows, and it never stopped on the default range of an exe [400000+codeoffset+codesize].
Last edited by britedream; 01-08-2006 at 12:51.
#14
You shouldn't use a fixed imagebase of 400000, because this program loaded at location 4190000... You should use gmi to get the module base...
#15
gmi has a problem with some ASProtect targets; you could do this:

mov pe1,eip
and pe1,ff0000          // default exe imagebase? (400000)
cmp pe1,400000
je go2
mov pe1,eip
and pe1,ffff0000        // otherwise assume a 64k-aligned base from eip
go2:
mov pe,pe1+[pe1+3c]     // NT headers = imagebase + e_lfanew
cmp pe1,[pe+34]         // check to see if the imagebase you assumed is the right one (OptionalHeader.ImageBase).
je go
msg "wrong imagebase"
ret
go:
mov codes,[pe+100]      // VirtualSize of the first section header
mov codeb,pe1+[pe+104]  // imagebase + VirtualAddress of the first section header

But the target doesn't conform to the main coding of the script; it is not worth it to have a major change in the script for one odd target. If there are a few of those, then I will update the script with their pattern. Thanks. By the way, the imagebase of 400000 is the default where an exe is usually loaded. We also can go to the extreme and for sure find the exact image base, but it will be long and is not worth it. Easy: if the imagebase is wrong, just enter it manually.
Last edited by britedream; 01-08-2006 at 19:21.
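The two OllyScript snippets in post #6 and post #15 both read the in-memory PE header to find the first section (`[pe+100]` and `[pe+104]` are the first section header's VirtualSize and VirtualAddress, reached as 0x18 for the NT signature plus file header and 0xE0 for a PE32 optional header; `[pe+34]` is OptionalHeader.ImageBase). The Python below is an added worked example, not part of the thread, of britedream's script or of ODbgScript: it applies the same offsets to a constructed minimal PE header, reproduces the imagebase guess from post #15 (mask EIP with ff0000, fall back to ffff0000), performs the "wrong imagebase" check, and reports the code-section range the script breaks on. Function names (`guess_imagebase`, `code_section_range`, `build_image`, `in_code_section`) and the sample header values are assumptions made for this example.

```python
import struct

# Offsets relative to the NT headers, as used by the script (hex in OllyScript).
E_LFANEW_OFF   = 0x3C   # DOS header: offset of the "PE\0\0" signature
IMAGEBASE_OFF  = 0x34   # 0x18 (signature + file header) + 0x1C (OptionalHeader.ImageBase)
SEC0_VSIZE_OFF = 0x100  # 0x18 + 0xE0 (PE32 optional header) + 0x08: first section VirtualSize
SEC0_VADDR_OFF = 0x104  # 0x18 + 0xE0 + 0x0C: first section VirtualAddress


def guess_imagebase(eip):
    """Imagebase heuristic from post #15: prefer the default 0x400000,
    otherwise assume a 64 KiB-aligned base below EIP."""
    pe1 = eip & 0xFF0000
    if pe1 == 0x400000:
        return pe1
    return eip & 0xFFFF0000


def u32(mem, base, addr):
    """Read a little-endian DWORD at virtual address `addr` from an image
    mapped at `base` (the script's [addr] operator)."""
    return struct.unpack_from("<I", mem, addr - base)[0]


def code_section_range(mem, imagebase):
    """Return (codeb, codes) exactly as the script computes them.
    Raises ValueError when the header's ImageBase disagrees with the guess,
    mirroring the `msg "wrong imagebase"` branch."""
    pe = imagebase + u32(mem, imagebase, imagebase + E_LFANEW_OFF)
    if mem[pe - imagebase:pe - imagebase + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    if u32(mem, imagebase, pe + IMAGEBASE_OFF) != imagebase:
        raise ValueError("wrong imagebase")
    codes = u32(mem, imagebase, pe + SEC0_VSIZE_OFF)
    codeb = imagebase + u32(mem, imagebase, pe + SEC0_VADDR_OFF)
    return codeb, codes


def in_code_section(addr, codeb, codes):
    """The range the script watches: [imagebase+codeoffset, +codesize)."""
    return codeb <= addr < codeb + codes


def build_image(imagebase, e_lfanew=0x80, code_va=0x1000, code_vsize=0x3000):
    """Construct a minimal PE32 header in memory (sample data, not a real file):
    DOS stub with e_lfanew, NT signature, file header, optional header, one section."""
    img = bytearray(e_lfanew + 0xF8 + 0x28)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFF, e_lfanew)
    pe = e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe + 0x04, 0x14C)    # Machine: i386
    struct.pack_into("<H", img, pe + 0x06, 1)        # NumberOfSections
    struct.pack_into("<H", img, pe + 0x14, 0xE0)     # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, pe + 0x18, 0x10B)    # OptionalHeader.Magic: PE32
    struct.pack_into("<I", img, pe + IMAGEBASE_OFF, imagebase)
    sec = pe + 0x18 + 0xE0                           # first IMAGE_SECTION_HEADER
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<I", img, sec + 0x08, code_vsize)
    struct.pack_into("<I", img, sec + 0x0C, code_va)
    return bytes(img)


if __name__ == "__main__":
    # Default-base exe, as in posts #1 and #6.
    img = build_image(0x400000)
    print(hex(guess_imagebase(0x00401234)), code_section_range(img, 0x400000))
    # High-memory target like the one in post #14: the fixed 400000 guess is rejected,
    # the EIP-derived guess is accepted.
    high = build_image(0x4190000)
    try:
        code_section_range(high, 0x400000)
    except ValueError as e:
        print("fixed 400000:", e)
    print(hex(guess_imagebase(0x04191234)), code_section_range(high, 0x4190000))
```

The check against `[pe+34]` only validates the guess against the header's preferred ImageBase; a relocated module would still fail it, which is why post #15 falls back to entering the base by hand.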