nice olly plugin
 

thanks to ShaG

ollyscript is a nice plugin eventhough still at the start. in this example(aimpr) I will show you how you can find the last exception in asprotect, I am not that familiar with it yet, but
it is very easy to understand.(please use the latest version: .3)

I didn't take into acount the programs with int 3 but you can easly correct that,
just add after eoe lab3: eob lab3 , and
delete the code before ret;(ubp eip)

the above attachment is now corrected for int 3

Very, very nice. :D

@britedream
Thanks
I tested your script on a couple of targets and it works great.


R@dier

my pleasure!

Terrific script britedream!
Nice to see that my plugin is indeed being used for something!! =)

If anyone has any improvement suggestions please feel free to
post them to OllyDbg users forum
(hxxp://ollydbg.win32asmcommunity.net ) or msg me on EFnet (nick: SHaG).

Nice plugin :)

for those of us who need to set the breakpoint in the right place, and for simplicity
I didn't check for the signature of the retn
I assumed it to be in the same place which
makes it less perfect, but it works.
for those can add under" lab4:" the following code:

lab4:

eob lab5
mov k,eip
add k,3d
ubp k
esto

lab5:
ret

I hope someone will give a feed back on this.
regards.
[note]
from the above breakpoint you can set memory breakpoint on the code section to find the oep, and also trace for your stolen .. etc, so it is very important breakpoint.

Nice work
 

Tested your modified script on severall asprotected programs and it works Great;)

To lownoise
I am truely grateful for your respond. Thanks.

Hardware Breakpoint
 

Hopefully in the next version of the plugin there's support for hardware breakpoints:D

I agree!
Also stack breakpoint is very important it will save alot of trace and avoid some loops plus other things. ollyscript should follow at least the bps in olly.

the good thing about script is that you see how things are done and you learn each time you see one, it is a live tutorial.

lets hope that SHaG modifies his plugin soon so we don't have to that :D

Special thanks goes to you britedream for the work you're doing to make a live without asprotect easily;)

Thank you Lowoise for the gentle consideration, wishing you the success in anything you do.

Regards
britedream

@ britedream

Thanks for the updated script,
I have tested it on 5 aspr progs and it works a treat.

Thanks for sharing

R@dier

BriteDream,

Have a application according to peid packed with a earlier version of ASProtect 1.2 / 1.2c-> Alexey Solodovnikov where your modified script doesn't work:mad:
But this version doesn't have stolen bytes so the trick with the stack point did the job;)

the script should work unless the program is expired(in some). may I have the program name please.

PM
 

Pm send to you

thanks R@dier for the testing you are always helpful.

thanks lownoise, I will take a look at it.

thank you again,it is just a matter of using signature, I left it for simplicity, but now I will write another one base on signature which should works for all.

the script set the breakpoint correctly, but
the problem with this is that even if I try
using shift+7 or shift+8 or shift+9 or run , it willn't stop on the breakpoint , so for the one doesn't have stolen bytes,we have to use the first script for the last exception.

my assumption that it will work with signature is wrong.

it is very nice of you lownoise to bring this to my attention.

regards.

To lownoise:

for the one doesn't have stolen bytes it
is easy, you don't need to use stack bps , just use the first script to get to the last
exception, set memory breakpoint on code section, shift+9 twice will be at the oep.

Next version of OllyScript will support both hardware breakpoints
and memory breakpoints. Also assembly will be supported, as
well as searching for instructions/opcodes. Stack BP == mem BP, right?

Also, if any more features are wanted, please msg me on EFnet (nick SHaG) or mail to ollyscript at apsvans dot com.

BTW, if you want to modify the plugin, please send me the
modifications and they will be incorporated in the next release.
Don't want 100 different versions floating around.... =)

We greatly appreciate your effort, and looking forward to the next version.

Regards.
britedream

aspack
 

Here a quick and dirty script to stop on the oep of aspack compressed programs

Start Programmer comments
First it walks threw the program and search for the oep bytes 7561 and 7503 (when breakpoint has been set in a earlier run) if it's found we will set a breakpoint on that eip, then it runs the program and when the breakpoint occurs it does a singlestep to OEP. This script has only been tested on 2 programs so please test it and report the results back.
End Programmer comments


var x
var y

mov x, eip


lab1:
mov y, [eip]
and y, 0000ffff
cmp y,7561
je lab2
cmp y,75cc
je lab3
add eip,1
jmp lab1

lab2:
ubp eip

lab3:
mov eip,x

eob lab4
eoe lab4

lab4:
sto
sto
sto
sto
log eip
ret

neolite 2.0
 

OEP Script for neolite 2.0
Script will found OEP jump and set there a breakpoint
Program will run and stops on breakpoint (jmp eax)
this script has been tested on R@dier unpack neolite 2.0.exe

var x
var y

mov x, eip


lab1:
mov y, [eip]
and y, 0000ffff
cmp y,e0ff
je lab2
cmp y,e0cc
je lab3
add eip,1
jmp lab1

lab2:
ubp eip
lab3:
mov eip,x
run
ret

way to go lownoise, it is nice to see people start playing with script, this way we all benefit.
keep up the good work!.
britedream

Attached is a small script for asprotect(only tested on 1.23RC4).

It is basically a small extension of britedreams latex. With the addition of killing all the debugger checks. Also enclosed in the
.zip are a few of my notes, which may explain what the script is doing/killing a little.

One small problem, I added a SUB func to the .dll and recompiled
the source (details also enclosed) but I'm sure there's probably another easier way around the SUB.

Hope it's usefull....

arz

SUB is included in 0.4 which is now available for download at hxxp://ollyscript.apsvans.com =)

[Edit by JMI: The NO CLICKABLE LINKS rule applies to tool sites, even your own, because noobies can stop themselves from posting clickable links to software vendors. ALWAYS uncheck the "Automatically parse URLs" button.]

thanks ShaG for the improvement, much better!.

inlight of my post on this forum and the three steps I mentioned for unpacking asprotect , now this script
will demonstrate this fact by locating
the stolen bytes , to do that , do the following:

1-hide debugger

2- run this script below, and look for your
stolen.(some time you may need to add to
the stolen bytes the mov eax,xxxxxx), it is easy, I did clarify this some where in this forum) .[hint: F9 few times once script finshes, you will be at mov ebp,esp in programs that start: push ebp, mov ebp,esp]

3.- look for your oep as I noted in a thread in this forum.

note:
this script will work on most of the aspr. programs that have stolen bytes, in some it will not , so you need to trace once you are in the break point of the updated script "lastex", I will provide a script for such programs later on, if a need for it arises.

scripts tested on registry cleaner expert. (this script is only to demonstrate steps I posted for unpacking asprotect. I didn't put any effort in it , I just added few codes to lastex script).

@ britedream

wow your script is awesome, worked well on 2 of the programs i tested it on. (acopy, dezine)

Thanks for sharing your work




@ SHaG

thanks for improving your plugin, it is truly usefull



R@dier

Thought I would try my hand at scripting
this works for pecompact1.76
I dont know about any other versions




R@dier

aspack, neolite
 

Rewrote te scripts for aspack and neolite for version 0.4

Neolite

eob Break
findop eip, #FFE0#
bphws $RESULT, "x"
run

Break:
bphwc $RESULT
sti
log eip
ret


aspack

eob Break
findop eip, #6175#
bphws $RESULT, "x"
run

Break:
bphwc $RESULT
sto
sto
sto
sto
log eip

ret

This one should prove useful:

tElock 0.98

Hi,

i'm testing your script on Target "Website-Watcher 3.60b" wich is protected with "ASProtect 1.22 - 1.23 Beta 21 -> Alexey Solodovnikov".

hxxp://aignes.com/de/download.htm

So i'm loading the wswatch.exe into OllyDbg and starting your Script. Then something happens and the Programm has started successful.

Now, i'm at Offset 0075F002 where is a CALL wswatch.0075F00A

Can you tell me what i have to do next for finding the OEP ?

Thank's for your help.

[Edit by JMI: dARWIN, you obviously did not look around here before you posted. You are NOT supposed to post clickable links here, espically to software venders. ALWAYS uncheck the "Automatically parse URLs" button and use "hxxp" or the like for the address.}

to darwin:

you are using the wrong script for this program "asprsto", this is for finding the solen bytes , but on most programs , for this one it willn't work, we have work around this , I will explain briefly , but
before that you have two options:
option one:
hide debugger
run" lastex" script
this will stop on the last exception , set bp(F2) on the first retn you see, shit+F9
will stop on the bp.

option two:
hide debugger:
run "asprbp" script
i t will stop on bp as above

now , view memory and set memory breakboint on access, on code section.

set trace condition:esp==12ffa4(for clarification search the forum for what I posted about this one)
control+F11
will encounter a loop, F12 to stop olly
bp (F2) under jnz , F9, then control+F11
once stopped, look below you will see
your stoln bytes :
push ebp
mov ebp,esp
add esp,-0c
push ebx
mov eax, 65526c
shift+f9 will stop below your oep
copy your stolen above where you have stopped, set origin here on the push ebp, then dump. fix your iat.
it should run.
here is asprobp=lastex updated.

@britedream

thank you very much for your explainations :)

But both scripts don't stop on the bp/exception...

so i used the unpacker ASPROTECTstripper 2.03 an it works fine :cool:

Perhaps you could try it yourself with my Target and tell me how you did it :)

thanks again

I did check your target and both stop as they should.