Saturday, July 7, 2007

Pestil v1.0 OEP Finder

1-

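// Pestil v1.0 OEP finder, part 1 (ODbgScript / OllyScript)
// Runs the packer stub up to the original entry point (OEP) and stops there.
// Start it with the target loaded in OllyDbg and stopped at the packer's entry.
// Note: string arguments need plain ASCII double quotes; the curly quotes on
// the web page are a rendering artifact and do not parse in ODbgScript.
find eip, #39C475FA83EC80E900ADFAFF#      // cmp esp,eax ; jnz ; sub esp,-80 ; jmp rel32 -- the stub's final jump
cmp $RESULT, 0
je pattern_not_found                      // guard: a failed find used to set a breakpoint at address 0
bp $RESULT
run
bc eip
bp eip+7                                  // +7 = the E9 (jmp rel32) at the end of the 7-byte prefix above
run
bc eip
sti                                       // execute the jmp -> now at the OEP
an eip                                    // let OllyDbg analyse the code at the OEP
cmt eip, "This is OEP!"
msg "OEP! Dump and rebuild imports !."
ret

pattern_not_found:
msg "Pestil 1.0 stub pattern not found"
ret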

 

2-

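// Pestil v1.0, part 2 (ODbgScript / OllyScript)
// Breaks on the stub's CreateProcessA call and reads the address and size of
// the region the stub works on, so it can be dumped with LordPE (see the
// message at the end).
// Note: string arguments need plain ASCII double quotes; the curly quotes on
// the web page are a rendering artifact and do not parse in ODbgScript.
var rgn                                   // address of the region to dump
var sz                                    // its size
var va                                    // scratch address

GPA "CreateProcessA","kernel32.dll"
cmp $RESULT,0
je api_not_found                          // guard: gpa returns 0 when the export is not resolved
mov va,$RESULT
BP va
run                                       // break when the stub calls CreateProcessA
BC va
rtu                                       // return to the caller in user code
mov va,eip
add va,76                                 // fixed offset into the caller, specific to the Pestil 1.0 stub
bp va
run
bc va
sti
mov rgn,eax                               // the author reads the region address from eax here
mov va,eip
add va,16
go va                                     // run until eip == caller+0x16
mov sz,eax                                // ... and the region size from eax there
eval " damp partial in LordPe select IntelDump address:{rgn} , size:{sz}"
msg $RESULT
ret

api_not_found:
msg "CreateProcessA not resolved"
ret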

 

 

 


Monday, June 25, 2007

NakedPacker 1.0 scripts

hi

this is a script for NakedPacker 1.0

 (use OllyDbg and the OllyScript plugin)

 var patch
var ImageBase
var oep
var counter
var iat_start

mov counter,0
gmi eip,MODULEBASE
mov ImageBase,$RESULT

find eip,#61FF25#
cmp $RESULT,0
je quit
mov oep,$RESULT
bp oep
find eip,#85C97476A1??????008D3401EB65#
cmp $RESULT,0
je quit
mov patch,$RESULT
add patch,C
bp patch
run
bc patch
mov iat_start,esi
find eip,#33C05F5E5B5DC3#
mov eip,$RESULT
run
bc oep
sti
sti
mov oep,eip

cmt eip, “This is the entry point”

sub oep,ImageBase
sub iat_start,ImageBase
mov counter,ImageBase
add counter,3C
mov counter,[counter]
add counter,ImageBase
add counter,28
mov [counter],oep
add counter,58
mov [counter],iat_start
DPE “dump.exe”,eip
msg “The file is unpacked! Name ->Dump.exe Remove unnecessary section in Dump”
ret

quit:
msg “Not nakedpack”
ret

 


Tuesday, June 12, 2007

Generic unwrap AnslymPacker, AREA51 Cryptor 1.1 NME.01,unnamed Scrambler 1.1C,WindOfCrypt1.0

hi
this is a new script
for Generic unwrap  AnslymPacker,
AREA51 Cryptor 1.1 NME.01,
unnamed Scrambler 1.1C,
WindOfCrypt1.0
& other similar ;)
link:

OLLYDBG 1.10 FOR VISTA ULTIMATE

HI
I have some problems regarding OllyDbg and ImpRec on Vista x64 Ultimate.

OllyDbg: I ran it in compatibility mode (emulating nearly every supported OS), with and without administrator privileges, and with UAC enabled and disabled. It crashes every time somewhere in ntdll.

I was using OllyShadow, but I also tested with a “naked” OllyDbg 1.10 and it didn’t seem to work either.

I made a workaround script for my Olly

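// OLLYDBG 1.10 FOR VISTA ULTIMATE x64, scripted by F0GX in 2k7
   //
   // Successfully tested under Windows Vista Ultimate x64 with
   // UAC disabled as well as the driver signature check with
   // several programs. Script interpreter was ODbgScript.
   //
   // OllyDbg settings - Ignore all exceptions except the ones
   // thrown by the kernel.
   // You can reset these settings as you wish after the script has
   // been executed.
   //
   // Just run this script after loading the program in OllyDbg. It
   // will let Olly take you to the EP.
   //
   // Warning: This script is just a workaround, just made for my
   // own purposes. Use it at your own risk!
   //
   // It throws the API "ZwSetInformationThread" away, so programs
   // could show unexpected behaviour.
   //
   // I couldn't find any other workarounds, but if you do, please
   // send me an email to fogx@land.ru. Thanks in advance!
   //
   // Hope this'll help you in some way,
   //
   //            F0GX
   //
   // (Editor's note: string arguments need plain ASCII double quotes;
   // the curly quotes on the web page are a rendering artifact.)

   // Get address of api to patch away

      gpa "ZwSetInformationThread", "ntdll.dll"

   // Bail out instead of writing to address 0 if the export was not resolved

      cmp $RESULT, 0

      je api_not_found

   // Store it in eax

      mov eax, $RESULT

   // Write the 'retn 10, nop' at beginning of api
   // (C2 10 00 = retn 0x10, 90 = nop: the call returns at once and does nothing)

      mov [eax], #c2100090#

   // Let program run until first exception

      run

   // Just step into exception twice

      esti

      esti

   // Now step over it and let the program execute...

      esto

   // ... until it breaks at EP.

      cob

   // Place a nice comment there. Now we SHOULD be at EP.

      cmt eip, "[ POSSIBLY PROGRAM'S ENTRY POINT ]"

   // That's everything. Not too much, but effective in most cases.

      ret

api_not_found:

      msg "ZwSetInformationThread not found in ntdll.dll"

      ret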


Sunday, June 10, 2007

tElock 0.99 OEP Finder

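// tElock 0.99 OEP Finder (ODbgScript / OllyScript)

// Coded by: kNiGhT

// Note: Ignore all exceptions
//
// Outline: read the first section's VirtualSize/VirtualAddress from the PE
// header, break on the stub's LoadLibraryA call, step past the string
// handling that follows it, then put a memory breakpoint on the code
// section and run until eip lands inside it -- that is the OEP.
// Note: string arguments need plain ASCII double quotes; the curly quotes on
// the web page are a rendering artifact and do not parse in ODbgScript.

var temp
var temp1
var ImgBase
var CodeEnd
var CodeStart
var CodeSize

gmi eip, MODULEBASE
mov ImgBase, $RESULT

// temp = ImgBase + e_lfanew = IMAGE_NT_HEADERS
mov temp, 3c
add temp, ImgBase
mov temp, [temp]
add temp, ImgBase
// +0x100 = first IMAGE_SECTION_HEADER.VirtualSize, assuming the usual
// 0xE0-byte PE32 optional header (section table at +0xF8, VirtualSize at +8)
add temp, 100
mov CodeSize, [temp]
add temp, 4                               // .VirtualAddress of the same section
mov CodeStart, [temp]
add CodeStart, ImgBase
mov CodeEnd, CodeStart
add CodeEnd, CodeSize

gpa "LoadLibraryA", "kernel32.dll"
cmp $RESULT, 0
je api_not_found                          // guard: gpa returns 0 when the export is not resolved
add $RESULT, 2                            // break 2 bytes into the API (presumably past the mov edi,edi hot-patch slot)
bp $RESULT
run
bc $RESULT
rtu                                       // back into the stub that called LoadLibraryA

// Step over instructions until the two bytes at eip are 8D 85 (lea eax,[ebp+disp32])
String_Schleife:
sto
mov temp, [eip]
and temp, FFFF
cmp temp, 858D                            // little-endian read of the bytes 8D 85
jne String_Schleife

sto
mov temp, eax                             // eax = the buffer the lea just computed

// Walk the buffer a byte at a time, zeroing it, until the dword read at
// temp has a zero top byte
DeleteString:
mov temp1, [temp]
and temp1, FF000000
cmp temp1, 0
je FindOEP
mov [temp], 0
inc temp
jmp DeleteString

FindOEP:
bprm CodeStart, CodeSize                  // memory breakpoint over the whole code section
OEP_Schleife:
run
cmp eip, CodeStart
jb OEP_Schleife                           // keep running until eip is inside [CodeStart, CodeEnd]
cmp eip, CodeEnd
ja OEP_Schleife
bpmc                                      // remove the memory breakpoint again
cmt eip, "OEP found by kNiGhT"
msg "Dump and rebuild IAT!"
ret

api_not_found:
msg "LoadLibraryA not resolved"
ret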


NTkrnl Packer 0.15 OEP Finder + IAT Repair

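// WinXP SP2,OllyDbg V1.10,ODbgScript 1.48xxx1.60,FantOm plugin0,58
//
// NTkrnl Packer 0.15 OEP finder + IAT repair (ODbgScript / OllyScript).
// The address in the bpcnd condition below is hard-coded for the kernel32.dll
// of the system named above; on any other build it must be replaced. The
// author's trailing comment says it is VirtualAlloc, so
// gpa "VirtualAlloc","kernel32.dll" gives the value to use there.
// Note: string arguments need plain ASCII double quotes; the curly quotes on
// the web page are a rendering artifact and do not parse in ODbgScript.

var br                                    // breakpoint address
var pt                                    // patch address
var va                                    // declared but unused in this version

run
mov [eip],#CC#                            // int3 at the address where the first run stopped -- not explained by the author
mov br,[esp+8]                            // address taken from the stack at that point
bp br
run
bc br

gpa "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je quit                                   // guard: do not set a breakpoint at 0
bp $RESULT
run
bc $RESULT
rtr                                       // run until the return from LoadLibraryA
mov br,eip
bpcnd br, "EDI==7C809A81"                 // -- "VirtualAlloc","kernel32.dll" (hard-coded, see header)
run
bc br
sti
mov pt,eip
add pt,A8
mov [pt],#EB#                             // turn the branch at eip+0xA8 into a short jmp; per the final message this is the IAT fix
find eip,#8944241C61FFE0#                 // mov [esp+1C],eax ; popad ; jmp eax
cmp $RESULT,0
je quit
mov br,$RESULT
add br,5                                  // +5 = the 'jmp eax' (after the 4-byte mov and the popad)
bp br
run
bc br
sti                                       // execute jmp eax -> OEP
cmt eip, "This is the entry point"
MSG "OEP Faund ! IAT fixed! Dump it"
ret

quit:
ret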


Thinstall 2.736 Extract Dependencies (DLLs)

hi
here is the new script for Thinstall

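// Thinstall 2.736 Extract Dependencies (DLLs)

// Note: This script is used for extracting dependencies, such as those found here:

// Coded by: Pavka
//
// Fixes relative to the posted version: 'oep' is now declared (it was used
// without 'var'), the 'quit' label has its colon (without it the line is an
// unknown command), gpa results are checked before being used as breakpoint
// addresses, and the string arguments use plain ASCII double quotes (the
// curly quotes on the web page are a rendering artifact and do not parse).

var mod                                   // address of the loader routine matched by the byte pattern
var _isBad                                // address of kernel32!IsBadWritePtr
var addr_dll
var size_dll
var img_dll
var oep                                   // scratch: address inside the caller of SetEnvironmentVariableA

gpa "SetEnvironmentVariableA","kernel32.dll"
cmp $RESULT,0
je quit
bp $RESULT
run
bc $RESULT
rtu                                       // back to the caller in user code
mov oep,eip
add oep,6F                                // fixed offset into the caller, specific to this Thinstall build
bp oep
run
bc oep
sti

find eip,#51E8??????0083C4088B55C4899528FBFFFFC78578FEFFFF00000000C645FC058B8528FBFFFF#
cmp $RESULT,0
je quit
mov mod,$RESULT
bp mod
run

gpa "IsBadWritePtr","kernel32.dll"
cmp $RESULT,0
je quit
mov _isBad,$RESULT
run

// One iteration per embedded DLL: break on IsBadWritePtr, return to the
// caller, read the DLL's image address and size there and report them.
// The loop is endless by design; stop the script manually when done.
l:
bp _isBad
run
rtu
mov addr_dll,eip
add addr_dll,1E
bc _isBad
go addr_dll                               // run to caller+0x1E
mov img_dll,edx                           // the author reads the DLL's address from edx here
mov size_dll,edx
add size_dll,90
mov size_dll,[size_dll]                   // size read from +0x90 of that address -- TODO confirm which field this is
eval "Name dll in ebx, damp partial address:{img_dll} , size:{size_dll}"
msg $RESULT
pause                                     // let the user dump the region before continuing
run
jmp l

quit:
ret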
