Posted: Sun May 13, 2007 11:15 am Post subject: ExeCryptor 2.4 script for killing olly traps
I have already posted this on several forums. It is a script that allows you to run any ExeCryptor target under Olly, without fancy plugins. Actually, those plugins like OllyAdvanced and HideOlly will probably be detected by ExeCryptor.
I was planning to write a script for finding OEP, but it looks like an impossible job.
ExeCryptor 2.0.x - 2.4 OEP finder script by HAGGAR
- Script bypasses all anti-debug tricks in ExeCryptor;
- Script attempts to find OEP of protected file or, in
such case, STOLEN_OEP_CODE start address.
1. You need to have NT based operating system;
2. Configure OllyDbg in "Debugging Options"->"Events" to
"Make first pause at - System breakpoint";
3. Ignore all exceptions and add this one to custom:
C000001E (INVALID LOCK SEQUENCE)
4. Remove or disable all plugins whose purpose is to hide
OllyDbg from protectors. ExeCryptor detects modified
imports and by that most such plugins are detected.
5. Now load target in OllyDbg. Remove all breakpoints
(hardware, memory, software). OllyDbg sets one bp
on OEP by default and ExeCryptor checks that. Hit
Alt+B to see whether that breakpoint is listed there. If
it is, remove it.
//--------- Find block with process information ------------
mov bak_eip,eip //Backup current EIP (SYSTEM_BP).
mov bak_1,[eip] //Backup original bytes at SYSTEM_BP.
mov [eip],#5064A11800000058# //Little hack to obtain data block: push eax / mov eax,fs:[18] / pop eax.
sto //Execute push eax.
sto //Execute mov eax,fs:[18].
mov addr,eax //Take pointer.
sto //Execute pop eax so EAX and ESP are back to their original values.
mov eip,bak_eip //Restore original EIP.
mov [eip],bak_1 //Restore original bytes.
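
Added example, not part of HAGGAR's script: a small Python decoder for the eight bytes the script writes at the system breakpoint. It shows that the patch is push eax / mov eax,fs:[0x18] / pop eax, and that on 32-bit Windows fs:[0x18] is the thread's own TEB pointer, the "data block" the script reads. It handles only the opcodes needed here; the function and table names are this example's own.

```python
# Added example: minimal decoder for the few x86-32 opcodes used by the stub.
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEG_PREFIX = {0x26: "es", 0x2E: "cs", 0x36: "ss", 0x3E: "ds", 0x64: "fs", 0x65: "gs"}

# Bytes copied from the script line: mov [eip],#5064A11800000058#
STUB = bytes.fromhex("5064A11800000058")


def decode(code):
    """Return a list of (offset, length, text) for the supported opcodes."""
    out, i = [], 0
    while i < len(code):
        start, seg = i, "ds"
        if code[i] in SEG_PREFIX:            # segment-override prefix byte
            seg = SEG_PREFIX[code[i]]
            i += 1
            if i >= len(code):
                raise ValueError("prefix without opcode at offset %d" % start)
        op = code[i]
        if 0x50 <= op <= 0x57:               # push r32
            text, i = "push " + REGS[op - 0x50], i + 1
        elif 0x58 <= op <= 0x5F:             # pop r32
            text, i = "pop " + REGS[op - 0x58], i + 1
        elif op == 0xA1:                     # mov eax, moffs32
            if i + 5 > len(code):
                raise ValueError("truncated moffs32 at offset %d" % start)
            (disp,) = struct.unpack_from("<I", code, i + 1)
            text, i = "mov eax, %s:[0x%X]" % (seg, disp), i + 5
        else:
            raise ValueError("unsupported opcode 0x%02X at offset %d" % (op, i))
        out.append((start, i - start, text))
    return out


if __name__ == "__main__":
    for off, length, text in decode(STUB):
        print("%02X  %-20s ; %d byte(s)" % (off, text, length))
```

The decoded lengths (1 + 6 + 1 bytes) also show why the pointer has to be read after the second instruction has executed and before the pop restores EAX.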