Works for me too!
But I'm new on ASPR... I can't get a working dump.exe. I'm sure I'm screwing it up in Import Rec 1.6, I need some help there. I get to the OEP, I dump the process, I add back in the stolen bytes, correct OEP to offset 00255A44, I load up ImpREC with the program running, attach, enter 0025A44, click on IAT autosearch, I increased the size to 3000, I Level1 them, I ran the rest with the ASPR 2.12 plugin and then I cut the remaining bad imports and finally patch into dump. Clearly I'm doing something wrong. Can someone step me through from the point of the dump? Thanks, mitch
YEAH!!!
I got it unpacked. I cracked out the filesize check, that was easy, but cracking out the trial stuff... I'm into it, but getting lost, and I thought that would be the easy part. Did anyone try it? I don't give 2 sh**ts about the app, in fact I want to uninstall it asap, but I wanna crack it anyways, just because. mitch
Program name and link Mitchjs?
It's mentioned a couple of posts up.
I only picked it to practice unpacking ASPR! "Website-Watcher 3.60b" hxxp://aignes.com/de/download.htm mitch
Ollyscript v0.5
Ollyscript v0.5 can now be downloaded at:
http://ollyscript.apsvans.com
New features like API breakpoints, run-to-return, module info etc. are implemented.
From readme.txt:
+ New commands: CMT, GMI, GPA, LBL, RTR, RTU
+ New example script - tElock 0.98 OEP finder.
Comments please!!! =)
Hi ShaG,
Using GMI eip,CODEBASE freezes Olly and produces an error in ollyscript.dll at 44dc8de with error code C0000005. Please note this is caused by the ASProtect protected target; it runs OK on non-protected targets. Regards.
Not good... maybe you can PM me the URL so I can have a look?
Sounds like a serious error, so maybe v0.51 will come soon... Tried GPA yet? I think this approach is more flexible than just API breakpoints...
My error handling sucked... v0.51 uploaded, with bugfixes and better error handling... Still the GMI problem remains in brite's case. Will look into it more... If someone else has similar problems plz msg me.
GMI now returns 0 in $RESULT if no data is found.
Thanks ShaG for the msg, and your intuition about my intention is on target :)
Umm... Another bugfix done. =/
v0.52 available.
ShaG, would it be possible for you to post these scripts written for certain protections on your website? I suggest this because eventually it's going to get too complicated to follow in this thread.
<edit> I also heavily suggest starting a mailing list to inform devout followers of your plugin of improvements, updates etc.
pec oep finder
1 Attachment(s)
Guys, today I wrote an OEP finder for PECompact 1.84.
I think it's unstable, but plz try it.
UPX 1.xx and UPX Protector 1.0 OEP Finder v0.1
1 Attachment(s)
This script is based on SHaG's UPX OEP finder.
Now this script supports OEP finding in UPX 1.xx and UPX Protector 1.0 -> Blind Angel.
1 Attachment(s)
Here is a script that will find the ASProtect OEP that has stolen bytes. It won't work on old ASProtect with loops, or on expired targets. (You will enjoy the scenery of ASProtect deleting the stolen bytes.)
Note: I used shr x, 74 because shr x,14 didn't work the first time; now it did work, and I uploaded the adjusted attachment.
Note2: there is a log y line I used for testing and forgot to remove; you can delete this code if you want to. britedream.
FSG 1.33 OEP Finder v0.1 !maybe unstable!
1 Attachment(s)
OEP finder for FSG 1.33. It works very quickly.
Try it.
A mailing list is now available. Check hxxp://ollyscript.apsvans.com .
What is the general opinion, should I publish scripts on the site? Dunno if that can mean legal trouble? And do you script authors want your scripts published? BTW, I recommend marking OEP by using this command: cmt "OEP" This way it's easier to see than going to the log. [Edit by JMI: I've asked you before to please stop making your link clickable. We need to stop the newbies from making clickable links to software vendors.]
To ShaG
It would be nice if you could include jl and jg in the next release. Thanks.
britedream: Consider it done =)
BTW, do you want your scripts to be published on the OllyScript site? JMI: Sorry, will not happen again.
That's all anyone is asking. ;)
Yours is a very useful site and "should" have clickable links, except for the problem with the newbies going crazy and "linking" this site to software vendors while they are discussing cracks or warez copies of that vendor's software. Regards,
Thanks for the positive response.
For my scripts, it is all yours. Regards.
SHaG
You can publish my scripts on your website (if u want). P.S. check your e-mail.
My scripts
1 Attachment(s)
Look at the attachment. There are my:
Updated scripts:
- FSG 1.33 OEP Finder v0.1 !maybe unstable!
- PECompact 1.84 OEP Finder v0.1 !unstable edition!
- UPX 1.xx and UPX Protector 1.0 OEP Finder v0.1
New scripts:
- PeX 0.99 OEP Finder
  IMPORTANT NOTE: before using this script, CHECK the following option - Menu -> Options -> Debugging options -> Exceptions -> INT3 breaks. The script will not work if u do not do that!
- PE Diminisher 0.1 OEP Finder
1 Attachment(s)
This script finds the SVKP OEP:
1 Attachment(s)
OEP Finder for EXEStealth 2.7
1 Attachment(s)
OEP Finder for petite2.2
1 Attachment(s)
This script finds the OEP for Protection Plus. It is only tested on one target (I couldn't find more targets to test), on Windows XP.
1 Attachment(s)
Y0da Crypter 1.2 OEP Finder!
Yeah... it really works! SHaG, put my scripts on your page.
Scripts added to site. Great work guys!
I suppose you know that OS v0.6 is out?
1 Attachment(s)
OEP Finder for PKLITE32 1.1
1 Attachment(s)
Heh, just wanted to post this one here... It really makes use of all the capabilities of OllyScript. Requires OllyScript v0.6.
Awesome script,
Many thanks R@dier
OllyScript v0.62 posted.
* Breakpoint bug fixed (again).
* EFLAGS can be changed.
Didn't really know where to post this, but here seems to be the best place.
I have written a PEShield v0.25 OEP finder. Enjoy!
EDIT: The upload didn't seem to work? I'll post the whole script then:
---------COPY FROM HERE-----------------------------
/*
This script finds OEP for programs packed with PEShield v0.25 (I haven't tested for other versions)

IMPORTANT!
You have to hide OllyDbg from IsDebuggerPresent manually BEFORE you run this script (There are plugins that do that.)
You have to let OllyDbg handle all exceptions (options --> Debugging Options --> Exceptions --> Uncheck all except KERNEL32)

When the script is finished, dump and rebuild IAT for unpacked program.

If you find any bugs in my script, please let me know. You can reach me on Efnet (IRC) with nickname Harding

Have fun!
*/

msg "Have you read the IMPORTANT part in peshield.osc? If not, do so BEFORE you run peshield.osc. -Harding"

//Variables
var codeSize
var codeBase
var codeBaseAddCodeSize
var tempEIP
var i

//Execute on breakpoint (and exception)
eob breakHandler
eoe breakHandler

//Gets information about a module to which the specified address belongs.
//"info" can be MODULEBASE, MODULESIZE, CODEBASE or CODESIZE (if you want other info in the future versions plz tell me).
//Sets the reserved $RESULT variable (0 if data not found).
GMI eip, CODEBASE
mov codeBase, $RESULT

//Same lookup for the size of the code section.
GMI eip, CODESIZE
mov codeSize, $RESULT

//Fix codeBaseAddCodeSize (end of the code section)
mov codeBaseAddCodeSize, codeBase
add codeBaseAddCodeSize, codeSize

//Shift F9
esto

first:
//Shift F9
esto

second:
//Set memory breakpoint on write. Size is size of memory in bytes.
bpwm codeBase, codeSize
//Shift F9
esto

third:
//Shift F9
esto

fourth:
//Clear memory breakpoint.
bpmc
//Save current EIP
mov tempEIP,eip
//Set breakpoint on address addr with condition cond.
bpcnd eip,"ECX==1"
//Shift F9
esto

fifth:
//Clear unconditional breakpoint at addr. (And conditional)
bc tempEIP
//Set memory breakpoint on read. Size is size of memory in bytes.
bprm codeBase, codeSize

lastBreakHandler:
//Are we in CODE section? If yes, then we're at OEP, if not then Shift F9
cmp eip,codeBaseAddCodeSize
jb finish
esto

breakHandler:
add i,1
cmp i,1
je first
cmp i,2
je second
cmp i,3
je third
cmp i,4
je fourth
cmp i,5
je fifth
jmp lastBreakHandler

finish:
//Clear memory breakpoint.
bpmc
//Exit script
ret

//Written by Harding
---------STOP COPY HERE-----------------------------