Contribute  :  Web Resources  :  Past Polls  :  Site Statistics  :  Downloads  :  Forum  
    BiW ReversingThe challenge is yours    
 Welcome to BiW Reversing
 Monday, December 18 2017 @ 08:12 AM CET
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

ExeCryptor 2.4 script for killing olly traps

 
Post new topic   Reply to topic    www.reversing.be Forum Index -> Unpacking
View previous topic :: View next topic  
Author Message
haggar
Regular
Regular


Joined: 19 Mar 2005
Posts: 246

PostPosted: Sun May 13, 2007 11:15 am    Post subject: ExeCryptor 2.4 script for killing olly traps Reply with quote

I have already posted this on several forums. It is script that allows you to run any ExeCryptor target under Olly, without fancy plugins. Actually, those plugins like OllyAdvanced and HideOlly will probably be detected by ExeCryptor.

I was planing to write script for finding OEP, but it looks like impossible job.

Code:

/*
==========================================================
  ExeCryptor 2.0.x - 2.4  OEP finder script by HAGGAR
==========================================================

Features:

- Script bypass all anti-debug tricks in ExeCryptor;
- Script attempt to find OEP of protected file or, in
  such case, STOLEN_OEP_CODE start address.




Instructions:

1. You need to have NT based operating system;

2. Configure OllyDbg in "Debugging Options"->"Events" to
   "Make first pause at - System breakpoint";

3. Ignore all exceptions and add to custom this one
   C000001E (INVALID LOCK SEQUENCE)

4. Remove or disable all plugins which purpose is to hide
   OllyDbg from protecors. ExeCryptor detects modified
   imports and by that most such plugins are detected.

5. Now load target in OllyDbg. Remove all breakpoints
   (hardware, memory, software). OllyDbg sets one bp
   on OEP by default and ExeCryptor checks that. Hit
   Alt+B to see is that breakpoint listed there. If
   it is, remove it.

6. Now, run this script :).

===========================================================
*/





var bak_eip
var bak_1
var bak_2
var addr
var temp
var proc

var image_base
var entry_point
var ec_iat
var decompressor
var jc_modify





log " "
log "------------------------------------------------------"
log " ExeCryptor 2.0.x - 2.4 OEP finder script by HAGGAR"
log "------------------------------------------------------"

//-------------- Patch what can be patched -----------------
gpa "FindWindowA","user32.dll"
mov [$RESULT],#8BFF5533C05DC20800#
gpa "OutputDebugStringA","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC20400#
gpa "ReadProcessMemory","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC21400#
gpa "CreateThread","kernel32.dll"
mov [$RESULT],#8BFF555DC21800#
gpa "CloseHandle","kernel32.dll"
mov [$RESULT],#8BFF555DC20400#
gpa "CheckRemoteDebuggerPresent","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC20800#
gpa "KiRaiseUserExceptionDispatcher","ntdll.dll"
mov [$RESULT],#C390909090#


//--------- Find block with process information ------------
mov bak_eip,eip     //Backup current EIP (SYSTEM_BP).

mov bak_1,eip       //Backup original bytes at SYSTEM_BP.
mov bak_2,bak_1
add bak_2,4
mov bak_1,[bak_1]
mov bak_2,[bak_2]
mov [eip],#5064A11800000058# //Little hack to obtain data block.
sti
sti
mov addr,eax                 //Take pointer.
sti
mov eip,bak_eip              //Restore original EIP.
mov [eip],bak_1              //Restore original bytes.
add eip,4
mov [eip],bak_2
sub eip,4
add addr,30
mov addr,[addr]


//---------------------- Erase debug bits ------------------------
mov temp,[addr]         //BeingDebugged
and temp,0ff00ffff
mov [addr],temp
mov temp,addr           //HeapFlag
add temp,18
mov temp,[temp]
add temp,10
mov [temp],0
mov temp,addr           //NtGlobalFlag
add temp,68
mov [temp],0


//---------- Erase EP bp that OllyDbg sets by default ------------
mov temp,addr
add temp,8
mov temp,[temp]                               //Module base.
mov image_base,temp
    log " "
    log "Module base of protected file is:"
    log image_base
add temp,3C
add temp,[temp]                               //PE signature offset.
sub temp,3C
add temp,28
mov temp,[temp]                               //EP offset.
add addr,8
add temp,[addr]                               //Virtual offset.
mov entry_point,temp
sub addr,8
    log " "
    log "EntryPoint of protected file is:"
    log entry_point
bp temp  //Set bp.
bc temp  //Erase bp. That erases default OllyDbg bp on EP.


//------------ Find IAT of protected application ----------------
mov ec_iat,image_base
add ec_iat,3c
mov ec_iat,[ec_iat]
add ec_iat,image_base
add ec_iat,80
mov ec_iat,[ec_iat]
add ec_iat,image_base
    log " "
    log "IAT of protected application is at:"
    log ec_iat

mov addr,ec_iat
add addr,40
mov temp,[addr]
add addr,10
xor temp,[addr]
add addr,12
xor temp,[addr]
add addr,10
xor temp,[addr]
add addr,14
xor temp,[addr]
add addr,40
xor temp,[addr]
 cmp temp,65533612
 je IAT_PROTECTED
 cmp temp,8d342fdf
 je IAT_PROTECTED
    log "IAT is not protected by ExeCryptor."
 jmp COMPRESSION_TEST
 IAT_PROTECTED:
    log "IAT is protected by ExeCryptor."


COMPRESSION_TEST:
//--------------- Find is application compressed -----------------
 find ec_iat,#558BEC83C4ECFC5357568945FC8955F889C689D766813E4A43#
 mov decompressor,$RESULT
 cmp decompressor,0
jne COMPRESSED
 find ec_iat,#56575331DB89C689D70FB60689C283E01FC1EA05742D4A7415#
 mov decompressor,$RESULT
 cmp decompressor,0
je NOT_COMPRESSED
COMPRESSED:
    log " "
    log "Application is probably compressed. Decompression algo is at:"
    log decompressor
jmp JUMP_MODIFIER
NOT_COMPRESSED:
    log " "
    log "Application is not compressed."


JUMP_MODIFIER:
//--------------- Find jump and calls corrector -----------------
 find ec_iat,#89C689D183E904FCACD0E880F874750E#
 mov jc_modify,$RESULT
 cmp jc_modify,0
je NO_JC
    log " "
    log "Jump and call corrector is found:"
    log jc_modify
jmp EXECUTE_APP
NO_JC:
    log " "
    log "Couldn't find jump and call corrector."
ret


EXECUTE_APP:
//---------------- Let's try to find OEP --------------------

//Under work.
ret
ERROR:
msg "ERROR! Error in my script (haggar)!"
ret







Back to top
View user's profile Send private message
Lukasz3k
New to the board
New to the board


Joined: 09 Dec 2006
Posts: 13

PostPosted: Sun May 13, 2007 12:53 pm    Post subject: Reply with quote

nice job haggar Smile
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    www.reversing.be Forum Index -> Unpacking All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
 Copyright © 2017 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.
Powered By Geeklog 
Created this page in 0.05 seconds