Execryptor 2.x - 2.41 find VM EP - Stolen OEP
Hi everyone, we know that Unpacker Execryptor by RSI (public version) can unpack a lot of target but sometimes it can find OEP (miss VC8 signature in public version)Ex:
http://www.chrismc.de/development/xarp/XArp.exe
http://dl.powerarchiver.com/2007/powarc1022.exe
So I modified Bypass AntiDebug script to find VM EP or Stolen OEP and you can input it into Unpacker Execryptor
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// FileName : Execryptor 2.x - 2.41 find VM EP - Stolen OEP v1.1.osc
// Version : 1.1
// Comment : modified Bypass anti debug script,just for find Stolen OEP
// Environment : WinXP SP2,OllyICE with Phantom plugin,
// ODBGScript V1.64+,
// Olly Advanced (Break on TLS Callback),
// Check bypass All Exception:00000000 - FFFFFFFF
// Author : Trickyboy
// WebSite : http://www.reaonline.net
// Date : 2008-06-19 09:10
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Data:
var imagebase
var ecseg
var vmseg
var ep
var oep
var vmep
var codeseg
var sizeheader
var oriByte
var temp
Init:
BPHWCALL
gmi eip, MODULEBASE
mov imagebase, $RESULT
mov codeseg, $RESULT
mov temp, $RESULT
gmemi imagebase, MEMORYSIZE
mov sizeheader, $RESULT
add codeseg, sizeheader
add temp, 3C
mov temp,
add temp, imagebase
add temp, 28
mov temp,
add temp, imagebase
bc temp //Clear memory breakpoint at EP
mov ep, temp
gmemi eip, MEMORYBASE
mov ecseg, $RESULT
gpa "CreateThread", "kernel32.dll"
mov oriByte, [$RESULT] //Store original byte at CreateThread
mov [$RESULT], #C3# //Patch RETN at CreateThread
FindSOEPNotPacked:
mov temp, eip //Store current EIP
cmp , 00000000 //Is section code null?
je FindVMEP
mov eip, codeseg //If section code is not packed
eval "JMP 0{ep}"
findcmd eip, $RESULT //Find command JMP EP
cmp $RESULT, 0
jne FoundSOEP //Found OEP
FindVMEP:
mov eip, temp //Restore last EIP
bphws ep, "x"
esto
bphwc ep
mov temp, ecseg
sub temp, 1
gmemi temp,MEMORYBASE
mov vmseg,$RESULT
gmemi temp,MEMORYSIZE
bprm vmseg,$RESULT
esto
bpmc
mov vmep, eax
sti
bprm vmep, 1
LoopFind:
esto
cmp eip, vmep
jne LoopFind
FoundVMEP:
bpmc
mov temp, vmep
sub temp, imagebase
eval "VM EP: {vmep} RVA: {temp}"
log $RESULT
mov temp, $RESULT
msg temp
eval "<== Found VM EP by Trickyboy. {temp}"
cmt vmep, $RESULT
gpa "CreateThread","kernel32.dll"
mov [$RESULT],oriByte //Restore CreateThread API
FindSOEP:
mov eip,codeseg
eval "JMP 0{vmep}"
findcmd eip,$RESULT
cmp $RESULT,0
jnz FoundSOEP
FindSOEP2ndseg: //Search on next section
gmemi codeseg, MEMORYSIZE
mov temp, codeseg
add temp, $RESULT
mov eip, temp
eval "JMP 0{vmep}"
findcmd eip,$RESULT
cmp $RESULT,0
je notFoundSOEP
FoundSOEP:
mov eip, $RESULT
mov oep, $RESULT
mov temp, oep
sub temp, imagebase
eval "OEP: {oep} RVA: {temp}"
log $RESULT
mov temp, $RESULT
msg temp
eval "<== Found Stolen OEP by Trickyboy. {temp}"
cmt oep, $RESULT
ret
notFoundSOEP:
mov eip, vmep
msg "Sorry, not found Stolen OEP !"
ret
Note:
1. OllyICE + Phantom plugin
2. ODBGScript V1.64+
3. Check bypass all exception in Olly option: 00000000 - FFFFFFFF
Hope it useful!
Regards,
Trick. 是什么呢``下来研究下``` 好脚本,就是看不懂楼主的说明 脚本要收藏,看看有没有中国人的脚本强大~ 中外脚本比拼一下 第一个是脚本隐藏插件
第二个是脚本执行插件要1.64以上,本论坛我有发1.65的
第三个应该是忽律的异常段! 脚本需要经常收集 收下了 谢LZ :loveliness: 收藏一下脚本啊 哈哈 谢谢楼主了 谢谢!试试看。 :)eee需要经常收集 收下了 谢LZ
页:
[1]
2