├── ASProtect ├── ASPack (a).txt ├── ASPack (b).txt ├── ASPack 1.08.02 OEP Finder.txt ├── ASPack 2.11 OEP Finder.txt ├── ASPack 2.12 DLL Unpack Finder.txt ├── ASPack 2.12 OEP Finder #1.txt ├── ASPack 2.12 OEP Finder #2.txt ├── ASPack 2.12 OEP Finder #3.txt ├── ASPack 2.12 OEP Finder #4.txt ├── ASPack 2.12 OEP Finder #5.txt ├── ASPack 2.12 OEP Finder #6.txt ├── ASPack 2.12 OEP Finder #7.txt ├── ASPack 2.12 OEP Finder 1.txt ├── ASPack 2.12 OEP Finder 2.txt ├── ASPack 2.12 OEP Finder 3.txt ├── ASPack 2.12 OEP Finder 4.txt ├── ASPack 2.12 OEP Finder 5.txt ├── ASPack 2.12 OEP Finder 6.txt ├── ASPack 2.xx Unpacker v0.1.txt ├── ASProtect #1 Breakpoint Last Exception.txt ├── ASProtect #2 Find Stolen Bytes.txt ├── ASProtect #3 Last Exception.txt ├── ASProtect #4 OEP Finder.txt ├── ASProtect #5 Anti-Debug Last Exception.txt ├── ASProtect 1 Breakpoint Last Exception.txt ├── ASProtect 1.0 OEP Finder + IAT Repair.txt ├── ASProtect 1.0 OEP Finder.txt ├── ASProtect 1.20 - 1.20c OEP Finder.txt ├── ASProtect 1.22 - 1.23 Beta 21 OEP Finder and Stolen Bytes.txt ├── ASProtect 1.22 - 1.23 Beta 21 OEP Finder v0.1b.txt ├── ASProtect 1.22 - 1.23 Beta 21 OEP Finder.txt ├── ASProtect 1.23 RC4 Anti-Debug + Last Exception.txt ├── ASProtect 1.23 RC4.txt ├── ASProtect 1.2x - 1.3x (Registered) OEP Finder & Olly Hide v1.0.txt ├── ASProtect 1.2x - 1.3x (Registered) OEP Finder & Olly Hide v1.1.txt ├── ASProtect 1.3 Lite OEP Finder.txt ├── ASProtect 1.3 Repair Sto.txt ├── ASProtect 1.30b Import Recovery + OEP Finder (Delphi & ImageBase 400000).txt ├── ASProtect 1.30b Stolen Code Finder v0.1.txt ├── ASProtect 1.31b Import Recovery + OEP Finder (Delphi & Imagebase 400000).txt ├── ASProtect 1.3x - 2.xx IAT Repair Script v1.02.txt ├── ASProtect 1.3x - 2.xx IAT Repair Script v2.2 SE.txt ├── ASProtect 1.3x - 2.xx OEP Finder v0.1.txt ├── ASProtect 1.3x - 2.xx Unpacker v1.0E.txt ├── ASProtect 1.3x - 2.xx Unpacker v1.12E.txt ├── ASProtect 1.3x - 2.xx Unpacker v1.12SC.txt ├── ASProtect 1.3x - 2.xx Unpacker 
v1.13E.txt ├── ASProtect 1.3x - 2.xx Unpacker v1.13SC (Skip CRC Check).txt ├── ASProtect 1.3x - 2.xx Unpacker v1.13SC (Skip Registration Box).txt ├── ASProtect 1.3x - 2.xx Unpacker v1.14E.txt ├── ASProtect 1.3x OEP Finder #1.txt ├── ASProtect 1.3x OEP Finder #2.txt ├── ASProtect 1.3x OEP Finder #3.txt ├── ASProtect 1.3x OEP Finder #4.txt ├── ASProtect 1.3x OEP Finder + IAT Rebuilder (Call to Call).txt ├── ASProtect 1.3x OEP Finder + IAT Rebuilder (Call to JMP).txt ├── ASProtect 1.3x OEP Finder 1.txt ├── ASProtect 1.3x OEP Finder 2.txt ├── ASProtect 1.3x OEP Finder 3.txt ├── ASProtect 1.3x OEP Finder 4.txt ├── ASProtect 1.xx Generic OEP Finder + IAT Recovery.txt ├── ASProtect 2 Find Stolen Bytes.txt ├── ASProtect 2.0 Stop Stolen Code.txt ├── ASProtect 2.0x Automatic SHIFT+F9.txt ├── ASProtect 2.0x Clear Junk Code + Stop Stolen Code.txt ├── ASProtect 2.0x Fix IAT with Import Elimination #1.txt ├── ASProtect 2.0x Fix IAT with Import Elimination #2.txt ├── ASProtect 2.0x Fix IAT with Import Elimination #3.txt ├── ASProtect 2.0x Fix IAT with Import Elimination #4.txt ├── ASProtect 2.0x Fix IAT with Import Elimination #4b.txt ├── ASProtect 2.0x Fix IAT with Import Elimination 1.txt ├── ASProtect 2.0x Fix IAT with Import Elimination 2.txt ├── ASProtect 2.0x Fix IAT with Import Elimination 3.txt ├── ASProtect 2.0x Fix IAT with Import Elimination 4.txt ├── ASProtect 2.0x Fix IAT with Import Elimination 4b.txt ├── ASProtect 2.0x Fix IAT with Import Elimination Optimized v1.1.txt ├── ASProtect 2.0x Fix IAT with Import Elimination Optimized.txt ├── ASProtect 2.0x Fix IAT.txt ├── ASProtect 2.0x Import Recovery + Scrambled Code Recovery (Delphi & Imagebase 400000).txt ├── ASProtect 2.0x Log all HIGHMEM Calls.txt ├── ASProtect 2.0x OEP Finder #1.txt ├── ASProtect 2.0x OEP Finder #2.txt ├── ASProtect 2.0x OEP Finder + Stolen Code Finder + Fix IAT Jumps.txt ├── ASProtect 2.0x OEP Finder 1.txt ├── ASProtect 2.0x OEP Finder 2.txt ├── ASProtect 2.0x Patch JMP or CALL.txt ├── ASProtect 
2.0x Rebuild Thunks for VC++.txt ├── ASProtect 2.0x Resolve API To HIGHMEM Calls.txt ├── ASProtect 2.1 OEP Finder.txt ├── ASProtect 2.3 Build 04.26 OEP Finder v1.01.txt ├── ASProtect 2.xx Delphi Dumper v1.1.txt ├── ASProtect 2.xx IAT Recovery.txt ├── ASProtect 2.xx Virtual Machine Jump Redirector.txt ├── ASProtect 2.xx Virtual Machine Rebuilder.txt ├── ASProtect 3 Last Exception.txt ├── ASProtect 4 OEP Finder.txt ├── ASProtect 5 Anti-Debug Last Exception.txt ├── ASProtect Generic OEP Finder and Import Recovery.txt ├── ASProtect Last Exception + OEP.txt ├── ASProtect OEP Finder (all versions).txt ├── ASProtect OEP Finder.txt └── ASProtect Stolen Code Finder.txt ├── Armadillo ├── Armadillo 3.6x - 4.xx OEP Finder + Fix Magic Jumps.txt ├── Armadillo 3.70 Unpack.txt ├── Armadillo 3.78 - 4.xx + UPX OEP Finder.txt ├── Armadillo 3.7x - 8.xx Unpacker (Standard + Debug-Blocker) v0.1.txt ├── Armadillo 3.xx - 4.00 Nanomites VA Finder v1.0.txt ├── Armadillo 3.xx - 4.xx (Standard Protection) OEP Finder + Import Redirection Fixer.txt ├── Armadillo 3.xx - 4.xx OEP Finer + Fix IAT (Debug Blocker + Code Splicing + Import Elimination).txt ├── Armadillo 3.xx - 5.xx Detach from Client v0.2.txt ├── Armadillo 3.xx - 5.xx Detach from Client.txt ├── Armadillo 3.xx - 5.xx Fingerprint Patcher v0.1.txt ├── Armadillo 3.xx - 5.xx Fingerprint Patcher v0.2.txt ├── Armadillo 3.xx - 5.xx Standard Protection + Debug Blocker OEP Finder + IAT Repair v0.2.txt ├── Armadillo 3.xx - 5.xx Standard Protection + Debug Blocker OEP Finder + IAT Repair.txt ├── Armadillo 3.xx - 6.xx HardwareID Patcher v1.0.txt ├── Armadillo 3.xx DLL Unpack v0.1.txt ├── Armadillo 3.xx Unpack (Standard Protection) v0.1.txt ├── Armadillo 4.0 - 4.4 DLL Unpack.txt ├── Armadillo 4.0 - 4.40 OEP Finder + Debug Blocker (Standard Protection).txt ├── Armadillo 4.0 - 4.44 OEP Finder + Debug Blocker (Standard Protection).txt ├── Armadillo 4.0 - 5.xx OEP Finder + Debug Blocker (Standard Protection).txt ├── Armadillo 4.20 Public Builds OEP 
Finder (only for CopyMem2 + Debug Blocker).txt ├── Armadillo 4.30a Simple Unpacking Script.txt ├── Armadillo 4.4 OEP Finder + Fix Magic Jump.txt ├── Armadillo 4.42 CopyMem2 Child Process Decode.txt ├── Armadillo 4.42 CopyMem2 Decrypt Code Sections.txt ├── Armadillo 4.42 CopyMem2 Detach from Client + Fix Import Table Elimination.txt ├── Armadillo 4.xx CopyMem2 (DebugActiveProcess).txt ├── Armadillo 4.xx CopyMem2 (Fix IAT).txt ├── Armadillo 4.xx CopyMem2 OEP Finder v0.1.txt ├── Armadillo 4.xx Nanomites (WaitForDebugEvent).txt ├── Armadillo 4.xx OEP Finder.txt ├── Armadillo 4.xx OEP Finer + Fix IAT (Standard Protection + Debug Blocker + Spliced Code).txt ├── Armadillo 5.xx - 8.xx Password Patcher v0.1.txt ├── Armadillo 5.xx OEP Finder (Standard Protection + Debug Blocker).txt ├── Armadillo 6.40 Detach v0.1.txt ├── Armadillo 6.xx CRC Finder Script - Debug Blocker Protection.txt ├── Armadillo 6.xx CRC Patcher - DebugBlocker Protection.txt ├── Armadillo 6.xx CRC Patcher - Standard Protection.txt ├── Armadillo ArmVar.txt ├── Armadillo CheckFlags v2.txt ├── Armadillo Detach from Client + Unpack (Hipu 1000 Bytes Method).txt ├── Armadillo Detach from Client + Unpack (Ricardo 1000 Bytes Method) v0.1.txt ├── Armadillo Detach from Client + Unpack (Tenketsu 1000 Bytes Method) v0.1.txt ├── Armadillo Detach from Client.txt ├── Armadillo Detach.txt ├── Armadillo Detective (Debug Blocker or CopyMem2).txt ├── Armadillo Detective v1.00.txt ├── Armadillo Find Nag.txt ├── Armadillo IAT Destruction.txt ├── Armadillo IAT Eliminator.txt ├── Armadillo IAT Script v2.txt ├── Armadillo Magic Jump Finder.txt ├── Armadillo NanoTables v2.txt ├── Armadillo OEP Finder (CopyMem2).txt ├── Armadillo OEP Finder + Fix Magic Jumps + Fix Anti-Dump.txt ├── Armadillo OpenMutexA.txt ├── Armadillo Repair IAT Elimination.txt ├── Armadillo Standard (Pause).txt ├── Armadillo Standard Unpack (Specific).txt ├── Armadillo Standard Unpack + Strategic Code Splicing.txt └── Armadillo Standard Unpack.txt ├── Enigma ├── 
Enigma Protector 1.55 - 2.05 OEP Finder + IAT Repair v0.1 (1).txt ├── Enigma Protector 1.90 - 3.xx Alternativ Unpacker v1.0.txt └── Enigma Protector 4.xx VM API Fixer v0.5.0.txt ├── LARP └── LARP 2.0 Ultimate Bypass Hide + IAT Repair + OEP Finder v1.0.txt ├── PeCompact └── PeCompact 2.xx - 3.xx OEP Finder.txt ├── PeSpin └── PEspin1.33 unpacking script by Zoolander of AT4RE.txt ├── README.md ├── RL Pack └── RLPack 1.0 - 1.21 Unpacker v1.2.txt ├── ROR Pack └── ROR Packer 0.3 Decrypt v0.1.txt ├── VMProtect ├── VMProtect 1.7 - 1.8 OEP Finder + Unpack Helper v1.0.txt ├── VMProtect 1.7 - 2.0 OEP Finder + Unpack Helper v1.2.txt ├── VMProtect 1.7 EDI ESI EBX Fixer.txt ├── VMProtect 1.7 IAT Repair + Log.txt ├── VMProtect 1.7 IAT Repair.txt ├── VMProtect 1.70.4 IAT Repair.txt ├── VMProtect 1.8 - 2.x API Turbo Tracer v1.0.txt ├── VMProtect 1.8 - 2.x API Turbo Tracer v1.1.txt ├── VMProtect 1.8 - 2.x API Turbo Tracer v1.2.txt ├── VMProtect 1.8 IAT Repair.txt └── VMProtect 2.0x Unpacker v1.0.txt ├── VProtect └── VProtect 1.x - 2.x Direct IAT Unpacker v1.0.txt ├── ZProtect ├── ZProtect 1.3 - 1.6 Full Decryption + Inline Patcher v1.0.txt ├── ZProtect 1.3 - 1.6 MEDIUM Unpacker v1.0.txt ├── ZProtect 1.3 OEP Finder + IAT Repair.txt ├── ZProtect 1.4 Decryption + Inline Patcher v1.0.txt ├── ZProtect 1.4 Decryption + Inline Patcher v1.1.txt ├── ZProtect 1.4 Unpacker.txt ├── ZProtect 1.4.x HWID + Inline Patcher v1.0.txt ├── ZProtect 1.4.x HWID + Inline Patcher v1.1.txt └── ZProtect 1.4.x HWID + Inline Patcher v1.4.txt ├── eXPressor ├── eXPressor 1.2 OEP Finder.txt ├── eXPressor 1.3.0.1 OEP Finder.txt ├── eXPressor 1.4.5.1 OEP Finder #1.txt ├── eXPressor 1.4.5.1 OEP Finder #2.txt ├── eXPressor 1.5.0.1 OEP Finder + IAT Repair.txt ├── eXPressor 1.5.0.1 Unpacker.txt ├── eXPressor 1.5.01 Unpacker.txt ├── eXPressor 1.5x - 1.6x OEP Finder + IAT Repair.txt ├── eXPressor 1.6.0.1 OEP Finder v0.1.txt ├── eXPressor 1.6.0.1 OEP Finder v0.2.txt ├── eXPressor 1.6.0.1 Unpacker.txt ├── eXPressor 1.7.0.1 
IAT Repair.txt ├── eXPressor 1.7.0.1 Unpacker.txt ├── eXPressor 1.8.0.1 Unpacker.txt └── eXPressor 1.x OEP Finder.txt └── ollydbg-scripts.png /ASProtect/ASPack (a).txt: -------------------------------------------------------------------------------- 1 | find eip,#60# // searches for pushad 2 | cmp eip,$RESULT // compares if we are already at pushad command 3 | je next // jumps sto if we are there 4 | go $RESULT // executes till pushad 5 | next: 6 | sto // step one command 7 | bphws esp,"r" // set hardware-breakpoint on ESP-value 8 | run // run target 9 | cob // wait till break occured 10 | sto // step 11 | sto // step 12 | sto // step -------------------------------------------------------------------------------- /ASProtect/ASPack (b).txt: -------------------------------------------------------------------------------- 1 | eob Break 2 | findop eip, #6175# 3 | bphws $RESULT, "x" 4 | run 5 | 6 | Break: 7 | bphwc $RESULT 8 | sto 9 | sto 10 | sto 11 | sto 12 | log eip 13 | 14 | ret -------------------------------------------------------------------------------- /ASProtect/ASPack 1.08.02 OEP Finder.txt: -------------------------------------------------------------------------------- 1 | //////////////////Aspack 1.08.02////////////////// 2 | // This script easely finds OEP for Aspack 1.08.02 3 | // Made by Sebby 4 | sto 5 | sto 6 | sto 7 | findop eip,#61# 8 | bp $RESULT 9 | run 10 | sto 11 | sto 12 | sto 13 | MSG "All done.Just dump the proces or press Ctrl+A to analyze the code." 
14 | ret -------------------------------------------------------------------------------- /ASProtect/ASPack 2.11 OEP Finder.txt: -------------------------------------------------------------------------------- 1 | /* 2 | ////////////////////////////////////////////////////////////// 3 | // ASPack 2000 -ASPack 2.11 OEP finder 4 | // Author: hacnho/VCT2k4 5 | // Email : hacnho@hotmail.com 6 | // Website: http://nhandan.info/hacnho 7 | // OS : WinXP Pro, OllyDbg 1.10 Final, OllyScript v0.85 8 | //////////////////////////////////////////////////////////// 9 | */ 10 | var temp 11 | sti 12 | eob Break 13 | findop eip, #C3# 14 | bphws esp,"r" 15 | mov temp,esp 16 | run 17 | 18 | Break: 19 | sto 20 | sto 21 | sto 22 | log eip 23 | bphwc esp 24 | cmt eip, "This is the OEP! Found by hacnho/VCT2k4" 25 | MSG "Dumped and fix IAT now! Thanx for using my Script...!" 26 | bphwc temp 27 | ret -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 DLL Unpack Finder.txt: -------------------------------------------------------------------------------- 1 | 2 | // Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com 3 | /* 4 | ////////////////////////////////////////////////// 5 | Aspack 2.12 Dll Unpack Finder v0.1 6 | Author: loveboom 7 | Email : bmd2chen@tom.com 8 | OS : WinXP sp1,Ollydbg 1.1,OllyScript v0.92 9 | Date : 2004-8-13 10 | Action: Found Relocate table 11 | Config: N/A 12 | Note : If you have one or more question, email me please,thank you! 
13 | ////////////////////////////////////////////////// 14 | */ 15 | var RelStart 16 | var RelEnd 17 | var RelLen 18 | var addr 19 | var base //Module base 20 | 21 | CheckVer: //Check OllyScript's version 22 | cmp $VERSION,"0.9" 23 | ja start 24 | msg "This script for aspack require OllyScript v.92" 25 | ret 26 | start: 27 | gmi eip,MODULEBASE 28 | mov base,$RESULT 29 | find eip,#2BD074# //Found command "sub edx,eax je xxxx" 30 | cmp $RESULT,0 31 | je lblabort 32 | go $RESULT 33 | 34 | lbl1: 35 | cmp edx,eax 36 | jne lbl2 37 | mov addr,eip 38 | add addr,2 39 | mov [addr],#75# 40 | 41 | lbl2: 42 | sto 43 | sto 44 | sto 45 | sto 46 | sto 47 | sto 48 | mov RelStart,esi 49 | cmp addr,0 50 | je lbl3 51 | mov [addr],#74# 52 | 53 | lbl3: 54 | find eip,#eb00# //Found command "OR WORD PTR DS:[ESI],0FFFF" 55 | cmp $RESULT,0 56 | je lblabort 57 | mov addr,$RESULT 58 | add addr,2 59 | fill addr,4,90 //Nop Crypt code 60 | find addr,#EB??8B95# 61 | cmp $RESULT,0 62 | je lblabort 63 | mov addr,$RESULT 64 | add addr,2 65 | go addr 66 | mov RelEnd,esi //Get Relocate table size 67 | sub RelEnd,base 68 | mov RelLen,RelEnd 69 | sub RelLen,RelStart 70 | 71 | lbl4: 72 | findop eip,#C3# //jump to oep 73 | cmp $RESULT,0 74 | je lblabort 75 | go $RESULT 76 | sto 77 | 78 | lbl5: //Record Relocate information 79 | eval "Relocate table start address is: {RelStart}.Length is: {RelLen}." 80 | log $RESULT 81 | cmt eip,$RESULT 82 | 83 | lblend: 84 | msg "Script by loveboom[DFCG[FCG][US],Thank you for using my script!" 
85 | ret 86 | 87 | lblabort: 88 | msg "Error,Script aborted,Meybe target is not packed by aspacke 2.12.:-(" 89 | ret 90 | 91 | 92 | // [BACK] -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder #1.txt: -------------------------------------------------------------------------------- 1 | /* 2 | ////////////////////////////////////////////////////////////// 3 | // ASPack 2.12 OEP finder 4 | // Author: hacnho/VCT2k4 5 | // Email : hacnho@hotmail.com 6 | // Website: http://nhandan.info/hacnho 7 | // OS : WinXP Pro, OllyDbg 1.10 Final, OllyScript v0.85 8 | //////////////////////////////////////////////////////////// 9 | */ 10 | eob Break 11 | findop eip, #61# 12 | bphws $RESULT, "x" 13 | run 14 | Break: 15 | bphwc $RESULT 16 | sti 17 | sto 18 | sto 19 | sto 20 | log eip 21 | cmt eip, "This is the OEP! Found by hacnho/VCT2k4" 22 | MSG "Dumped and fix IAT now! Thanx for using my Script...!" 23 | ret -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder #2.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASPack 2.12 OEP Finder #2.txt -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder #3.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | // Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com 4 | find eip, #68000000# 5 | go $RESULT 6 | sti 7 | sti 8 | cmt eip,"You're at OEP" 9 | msgyn "Do you want to analyze now ?" 
10 | cmp $RESULT,0 11 | je cancel 12 | an eip 13 | 14 | cancel: 15 | ret 16 | 17 | // [BACK] -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder #4.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASPack 2.12 OEP Finder #4.txt -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder #5.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASPack 2.12 OEP Finder #5.txt -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder #6.txt: -------------------------------------------------------------------------------- 1 | ///////////////////////////////////////////////////////////////// 2 | // OEP Find Script for ASPack 2.12 -> Alexey Solodovnikov 3 | // Coded by: PiONEER {RES} & greetz to: {RES},ICU,ARTeam,SnD 4 | // Data: 16:02 19.03.2007 5 | // Environment : WinXP SP1,OllyDbg V1.10,ODbgScript V1.48 6 | // Contact: http://www.appzclub.tk - or - admin@appzclub.tk 7 | /////////////////////////////////////////////////////////////////// 8 | 9 | start: 10 | find eip, #60# 11 | cmp $RESULT, 0 12 | je not found 13 | sto 14 | bphws esp,"r" 15 | run 16 | bphwc esp 17 | sto 18 | find eip, #68??????00# 19 | sto 20 | sto 21 | msg "OEP found! - Now dump and fix the IAT!" 22 | cmt eip, "<-- OEP found by TEAM {RES}!" 
23 | ret 24 | 25 | not found: 26 | MSG ""Sorry this one isn't packed with ASPack 2.12 -> Alexey Solodovnikov!"" 27 | ret 28 | end: -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder #7.txt: -------------------------------------------------------------------------------- 1 | /* 2 | ////////////////////////////////////////////////////////////////////////////////////////////// 3 | // ASPack 2.12 4 | // Author : Ashraf Cracker 5 | // Email : AshraCracker@hotmail.com 6 | // OS : WinXP Pro, OllyDbg 1.10 Final, OllyScript 0.92 7 | // Check ALL Debugging Exceptions 8 | ///////////////////////////////////////////////////////////////////////////////////////////// 9 | */ 10 | cmp $VERSION, "1.47" 11 | jb odbgver 12 | sto 13 | BPHWS esp,"r" 14 | run 15 | BPHWC esp 16 | sto 17 | sto 18 | sto 19 | an eip 20 | dpe "Dumped.exe",eip 21 | msg "This is the OEP! Found By Ashraf Cracker" 22 | msg "The File was dumped successfully don't close OllyDbg and try now to Fix IAT with ImportREC" 23 | cmt eip, "<== Original Entry Point" 24 | ret 25 | 26 | odbgver: 27 | msg "This script work with ODbgscript 1.47 or above" 28 | ret 29 | -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder 1.txt: -------------------------------------------------------------------------------- 1 | /* 2 | ////////////////////////////////////////////////////////////// 3 | // ASPack 2.12 OEP finder 4 | // Author: hacnho/VCT2k4 5 | // Email : hacnho@hotmail.com 6 | // Website: http://nhandan.info/hacnho 7 | // OS : WinXP Pro, OllyDbg 1.10 Final, OllyScript v0.85 8 | //////////////////////////////////////////////////////////// 9 | */ 10 | eob Break 11 | findop eip, #61# 12 | bphws $RESULT, "x" 13 | run 14 | Break: 15 | bphwc $RESULT 16 | sti 17 | sto 18 | sto 19 | sto 20 | log eip 21 | cmt eip, "This is the OEP! Found by hacnho/VCT2k4" 22 | MSG "Dumped and fix IAT now! 
Thanx for using my Script...!" 23 | ret -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder 2.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASPack 2.12 OEP Finder 2.txt -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder 3.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | // Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com 4 | find eip, #68000000# 5 | go $RESULT 6 | sti 7 | sti 8 | cmt eip,"You're at OEP" 9 | msgyn "Do you want to analyze now ?" 10 | cmp $RESULT,0 11 | je cancel 12 | an eip 13 | 14 | cancel: 15 | ret 16 | 17 | // [BACK] -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder 4.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASPack 2.12 OEP Finder 4.txt -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder 5.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASPack 2.12 OEP Finder 5.txt -------------------------------------------------------------------------------- /ASProtect/ASPack 2.12 OEP Finder 6.txt: -------------------------------------------------------------------------------- 1 | ///////////////////////////////////////////////////////////////// 2 | // OEP Find Script for ASPack 2.12 -> Alexey Solodovnikov 3 | // Coded by: PiONEER {RES} & greetz to: {RES},ICU,ARTeam,SnD 4 | // Data: 
16:02 19.03.2007 5 | // Environment : WinXP SP1,OllyDbg V1.10,ODbgScript V1.48 6 | // Contact: http://www.appzclub.tk - or - admin@appzclub.tk 7 | /////////////////////////////////////////////////////////////////// 8 | 9 | start: 10 | find eip, #60# 11 | cmp $RESULT, 0 12 | je not found 13 | sto 14 | bphws esp,"r" 15 | run 16 | bphwc esp 17 | sto 18 | find eip, #68??????00# 19 | sto 20 | sto 21 | msg "OEP found! - Now dump and fix the IAT!" 22 | cmt eip, "<-- OEP found by TEAM {RES}!" 23 | ret 24 | 25 | not found: 26 | MSG ""Sorry this one isn't packed with ASPack 2.12 -> Alexey Solodovnikov!"" 27 | ret 28 | end: -------------------------------------------------------------------------------- /ASProtect/ASPack 2.xx Unpacker v0.1.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASPack 2.xx Unpacker v0.1.txt -------------------------------------------------------------------------------- /ASProtect/ASProtect #1 Breakpoint Last Exception.txt: -------------------------------------------------------------------------------- 1 | var k 2 | var l 3 | eoe lab3 4 | eob lab3 5 | lab3: 6 | 7 | mov k,esp 8 | add k,1c 9 | mov l,[k] 10 | 11 | cmp l,400000 12 | 13 | je lab4 14 | esto 15 | jmp lab3 16 | lab4: 17 | 18 | eob lab5 19 | mov k,eip 20 | add k,3d 21 | bp k 22 | esto 23 | 24 | lab5: 25 | ret -------------------------------------------------------------------------------- /ASProtect/ASProtect #2 Find Stolen Bytes.txt: -------------------------------------------------------------------------------- 1 | var k 2 | var l 3 | var x 4 | var y 5 | 6 | sti 7 | bphws esp,"r" 8 | run 9 | sti 10 | eoe lab3 11 | eob lab3 12 | bphws esp,"r" 13 | esto 14 | 15 | 16 | 17 | lab3: 18 | 19 | mov k,esp 20 | add k,1c 21 | mov l,[k] 22 | cmp l,400000 23 | je lab4 24 | esto 25 | jmp lab3 26 | 27 | lab4: 28 | 29 | eob lab5 30 | mov k,eip 31 | add 
k,3d 32 | bp k 33 | esto 34 | 35 | lab5: 36 | esto 37 | ret -------------------------------------------------------------------------------- /ASProtect/ASProtect #3 Last Exception.txt: -------------------------------------------------------------------------------- 1 | var k 2 | var l 3 | eoe lab3 4 | eob lab3 5 | lab3: 6 | 7 | mov k,esp 8 | add k,1c 9 | mov l,[k] 10 | 11 | cmp l,400000 12 | 13 | je lab4 14 | esto 15 | jmp lab3 16 | lab4: 17 | 18 | ret -------------------------------------------------------------------------------- /ASProtect/ASProtect #4 OEP Finder.txt: -------------------------------------------------------------------------------- 1 | var k 2 | var l 3 | var x 4 | var y 5 | var m 6 | 7 | sti 8 | bphws esp,"r" 9 | run 10 | sti 11 | eoe lab3 12 | eob lab3 13 | bphws esp,"r" 14 | esto 15 | 16 | 17 | 18 | lab3: 19 | 20 | mov k,esp 21 | add k,1c 22 | mov l,[k] 23 | cmp l,400000 24 | je lab4 25 | esto 26 | jmp lab3 27 | 28 | lab4: 29 | 30 | eob lab5 31 | mov k,eip 32 | add k,3d 33 | bp k 34 | mov l,0 35 | esto 36 | 37 | lab5: 38 | 39 | 40 | eob loop6 41 | esto 42 | 43 | 44 | 45 | 46 | 47 | 48 | loop6: 49 | 50 | sti 51 | mov y,eip 52 | mov x,400000 53 | shr x,14 54 | shr y,14 55 | sub y,x 56 | mov m,4 57 | 58 | loop4: 59 | 60 | cmp y,0 61 | sub y,1 62 | je end 63 | sub m,1 64 | cmp m,0 65 | je test 66 | jmp loop4 67 | 68 | test: 69 | 70 | cmp y,0 71 | jne loop6 72 | MSG " Please click on k at toolbar,if is not empty double click on the last address within the code section that you see at the bottom,and please rmove analysis if analysis has been done. Thank you!;BriteDream " 73 | ret 74 | 75 | 76 | 77 | end: 78 | 79 | MSG " Please click on k at toolbar,if is not empty double click on the last address within the code section that you see at the bottom,and please rmove analysis if analysis has been done. 
Thank you!;BriteDream " 80 | ret -------------------------------------------------------------------------------- /ASProtect/ASProtect #5 Anti-Debug Last Exception.txt: -------------------------------------------------------------------------------- 1 | /* 2 | tested on asprotect 1.23 RC4 only - arz 3 | 4 | */ 5 | 6 | var j 7 | var k 8 | 9 | eoe main 10 | 11 | main: 12 | /* 13 | check for signature bytes 14 | */ 15 | mov j,eip 16 | add j,47 17 | mov k,[j] 18 | mov j,[k] 19 | cmp j,746F7250 20 | je reset 21 | 22 | 23 | /* 24 | last exception? 25 | */ 26 | mov j,esp //based on britedreams lastex 27 | add j,1C 28 | mov k,[j] 29 | cmp k,400000 30 | je exit 31 | cmp k,1000000 //did some testing on notepad :P 32 | je exit 33 | jmp continue 34 | 35 | 36 | reset: 37 | /* 38 | zero the debugger check flags for no debugger checks 39 | */ 40 | mov j,eip 41 | add j,41 42 | mov k,[j] // get ptr to debug check array 43 | sub k,4 // k Ptr do IsDebuggerPresent check flag 44 | mov [k],0 // kill it (api won't be called) 45 | add k,8 // k Ptr do anti-debug checks flag 46 | mov [k],0 // kill the internal FS[?],TRW and system debugger checks 47 | jmp continue 48 | 49 | 50 | continue: 51 | esto 52 | jmp main 53 | 54 | exit: 55 | ret 56 | -------------------------------------------------------------------------------- /ASProtect/ASProtect 1 Breakpoint Last Exception.txt: -------------------------------------------------------------------------------- 1 | var k 2 | var l 3 | eoe lab3 4 | eob lab3 5 | lab3: 6 | 7 | mov k,esp 8 | add k,1c 9 | mov l,[k] 10 | 11 | cmp l,400000 12 | 13 | je lab4 14 | esto 15 | jmp lab3 16 | lab4: 17 | 18 | eob lab5 19 | mov k,eip 20 | add k,3d 21 | bp k 22 | esto 23 | 24 | lab5: 25 | ret -------------------------------------------------------------------------------- /ASProtect/ASProtect 1.0 OEP Finder + IAT Repair.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 1.0 OEP Finder + IAT Repair.txt -------------------------------------------------------------------------------- /ASProtect/ASProtect 1.0 OEP Finder.txt: -------------------------------------------------------------------------------- 1 | /* 2 | ////////////////////////////////////////////////// 3 | ASProtect 1.0 Unpacking script v0.1(for win2k/xp only) 4 | Author: loveboom 5 | Email : loveboom%163.com 6 | OS : WinXP sp2,Ollydbg 1.1,OllyScript v0.92 7 | Date : 2004-12-25 8 | Action: Find OEP 9 | Config: Ignore all exceptions 10 | Note : If you have one or more question, email me please,thank you! 11 | ////////////////////////////////////////////////// 12 | */ 13 | 14 | var espval 15 | var count 16 | var addr 17 | 18 | lblset: 19 | msgyn "Setting:Ignore all exceptions." 20 | cmp $RESULT,1 21 | je start 22 | ret 23 | 24 | start: 25 | mov count,2 26 | mov espval,esp 27 | sub espval,4 28 | gpa "LocalAlloc","kernel32.dll" //Get API function 'LocalAlloc' 29 | cmp $RESULT,0 30 | je lblabort 31 | bp $RESULT 32 | 33 | lbl1: 34 | run 35 | 36 | lbl2: 37 | cmp count,0 38 | je lbl3 39 | dec count 40 | jmp lbl1 41 | 42 | lbl3: 43 | mov addr,esp 44 | add addr,4 45 | mov [addr],40 46 | bc $RESULT 47 | bphws espval,"r" 48 | 49 | lblesto: 50 | esto 51 | esto 52 | esto 53 | esto 54 | 55 | lbl4: 56 | bphwc espval 57 | findop eip,#C3# //Find command 'RETN' 58 | cmp $RESULT,0 59 | je lblabort 60 | go $RESULT 61 | sto 62 | 63 | lbloep: 64 | cmt eip,"oep" 65 | msg "Script by loveboom[DFCG[FCG][US],Thank you for using my script!" 66 | ret 67 | 68 | lblabort: 69 | msg "Script abort!Maybe target is not protect by Asprotect 1.0." 
70 | ret 71 | -------------------------------------------------------------------------------- /ASProtect/ASProtect 1.20 - 1.20c OEP Finder.txt: -------------------------------------------------------------------------------- 1 | // Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com 2 | /* 3 | ////////////////////////////////////////////////// 4 | Author: ~Hellsp@wN~ 5 | Email : alt-fox@mail.ru 6 | OS : OllyDbg 1.10 with OllyScript plugin v0.7 7 | Date : 24.07.2004 8 | 9 | Support with: 10 | ASProtect 1.2/1.2c 11 | ////////////////////////////////////////////////// 12 | */ 13 | 14 | var op 15 | mov op,esp 16 | sub op,4 17 | 18 | var k 19 | var l 20 | 21 | eoe lab1 22 | eob lab1 23 | run 24 | 25 | lab1: 26 | mov k,esp 27 | add k,2C 28 | mov l,[k] 29 | cmp l,400000 30 | je lab2 31 | esto 32 | 33 | lab2: 34 | eob lab3 35 | mov k,eip 36 | add k,4 37 | bp k 38 | esto 39 | 40 | lab3: 41 | bc k 42 | eob lab4 43 | eoe lab4 44 | bphws op,"r" 45 | esto 46 | 47 | lab4: 48 | bphwc op 49 | sto 50 | sto 51 | cmt eip, "This is the entry point (OEP)" 52 | ret 53 | -------------------------------------------------------------------------------- /ASProtect/ASProtect 1.22 - 1.23 Beta 21 OEP Finder and Stolen Bytes.txt: -------------------------------------------------------------------------------- 1 | // Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com 2 | /* 3 | ////////////////////////////////////////////////// 4 | Author : ~Hellsp@wN~ 5 | Email : alt-fox@mail.ru 6 | OS : OllyDbg 1.10 with OllyScript plugin v0.7 7 | Date : 24.07.2004 8 | Version: 1.1 9 | 10 | 1) Find OEP 11 | 2) Find Stolen Bytes 12 | 13 | Support with: 14 | ASProtect 1.22 - 1.23 Beta 21 15 | ////////////////////////////////////////////////// 16 | */ 17 | 18 | var op 19 | mov op,esp 20 | sub op,4 21 | 22 | var k 23 | var l 24 | var Stolen Bytes 25 | var OEP 26 | var toep 27 | 28 | eoe lab1 29 | eob lab1 30 | run 31 | 32 | lab1: 33 | mov k,esp 34 | add k,1C 35 | mov l,[k] 36 | 
cmp l,400000 37 | je lab2 38 | esto 39 | 40 | lab2: 41 | eob lab3 42 | eoe lab4 43 | bphws op,"r" 44 | esto 45 | 46 | lab3: 47 | bphwc op 48 | mov OEP,eax 49 | mov Stolen Bytes,ebx 50 | mov toep,eip 51 | mov k,eax 52 | mov l,eip 53 | cmp l,k 54 | je OE 55 | eval "OEP: {OEP} and stolen bytes: {Stolen Bytes}" 56 | cmt toep,$RESULT 57 | sto 58 | sto 59 | findop toep, #55# 60 | cmp $RESULT,0 61 | je end 62 | cmp $RESULT,toep 63 | jb end 64 | bp $RESULT 65 | cmt $RESULT, "This is first stolen byte (may be)" 66 | end: 67 | ret 68 | 69 | OE: 70 | cmt eip, "This is OEP" 71 | ret 72 | 73 | lab4: 74 | bphwc op 75 | bphws op,"r" 76 | esto 77 | -------------------------------------------------------------------------------- /ASProtect/ASProtect 1.22 - 1.23 Beta 21 OEP Finder v0.1b.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 1.22 - 1.23 Beta 21 OEP Finder v0.1b.txt -------------------------------------------------------------------------------- /ASProtect/ASProtect 1.22 - 1.23 Beta 21 OEP Finder.txt: -------------------------------------------------------------------------------- 1 | // Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com 2 | /* 3 | ////////////////////////////////////////////////// 4 | Author: ~Hellsp@wN~ 5 | Email : alt-fox@mail.ru 6 | OS : OllyDbg 1.10 with OllyScript plugin v0.7 7 | Date : 29.06.2004 8 | 9 | Support with: 10 | ASProtect 1.22 - 1.23 Beta 21 (may be some bugs) 11 | ////////////////////////////////////////////////// 12 | */ 13 | 14 | var t 15 | mov t,esp 16 | sub t,4 17 | 18 | EOE Error 19 | EOB Break 20 | bphws t, "w" 21 | run 22 | 23 | Error: 24 | esti 25 | bphwc t 26 | bphws t, "w" 27 | run 28 | 29 | Break: 30 | bphwc t 31 | sto 32 | sto 33 | cmt eip, "This is the entry point (OEP)" 34 | ret 35 | 
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.23 RC4 Anti-Debug + Last Exception.txt:
--------------------------------------------------------------------------------
/*
tested on asprotect 1.23 RC4 only - arz

*/

var j
var k

eoe main

main:
/*
check for signature bytes
*/
mov j,eip
add j,47
mov k,[j]
mov j,[k]
cmp j,746F7250
je reset


/*
last exception?
*/
mov j,esp //based on britedreams lastex
add j,1C
mov k,[j]
cmp k,400000
je exit
cmp k,1000000 //did some testing on notepad :P
je exit
jmp continue


reset:
/*
zero the debugger check flags for no debugger checks
*/
mov j,eip
add j,41
mov k,[j] // get ptr to debug check array
sub k,4 // k = ptr to IsDebuggerPresent check flag
mov [k],0 // kill it (api won't be called)
add k,8 // k = ptr to anti-debug checks flag
mov [k],0 // kill the internal FS[?],TRW and system debugger checks
jmp continue


continue:
esto
jmp main

exit:
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.23 RC4.txt:
--------------------------------------------------------------------------------
/*
tested on asprotect 1.23 RC4 only - arz

*/

var j
var k

eoe main

main:
/*
check for signature bytes
*/
mov j,eip
add j,47
mov k,[j]
mov j,[k]
cmp j,746F7250
je reset


/*
last exception?
*/
mov j,esp //based on britedreams lastex
add j,1C
mov k,[j]
cmp k,400000
je exit
cmp k,1000000 //did some testing on notepad :P
je exit
jmp continue


reset:
/*
zero the debugger check flags for no debugger checks
*/
mov j,eip
add j,41
mov k,[j] // get ptr to debug check array
sub k,4 // k = ptr to IsDebuggerPresent check flag
mov [k],0 // kill it (api won't be called)
add k,8 // k = ptr to anti-debug checks flag
mov [k],0 // kill the internal FS[?],TRW and system debugger checks
jmp continue


continue:
esto
jmp main

exit:
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.2x - 1.3x (Registered) OEP Finder & Olly Hide v1.0.txt:
--------------------------------------------------------------------------------
// - ASProtect 1.2x - 1.3x [Registered] - Find OEP and hide Olly (by ~Hellsp@wN~, 01 Dec 2004)
// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/*
//////////////////////////////////////////////////
Author : ~Hellsp@wN~
Email : alt-fox@mail.ru
OS : OllyDbg 1.10 with OllyScript plugin v0.92
Date : 02.12.2004
Version: 1.0

1) Find OEP
2) Hide Olly !

Support with:
ASProtect 1.2x - 1.3x [Registered]
//////////////////////////////////////////////////
*/

var cbase
var csize
var eip_
var check

gmi eip, CODEBASE
mov cbase, $RESULT
log cbase
gmi eip, CODESIZE
mov csize, $RESULT
log csize

eob lab1
esto

lab1:
mov check,0
sto
log "Find anti Debugger call:"
trace:
inc check
log check
cmp check,20
je error
sto
mov eip_,[eip]
log eip_
cmp eip_,C084D0FF
jne trace
cmt eip,"[ IsDebuggerPresent ]"
log "call eax is found"
FIND eip,#74#
cmp $RESULT,0
je error
eob lab3
log $RESULT
bp $RESULT
esto

lab3:
log "Change flag !ZF"
mov !ZF,1
sto
bc $RESULT
eob lab4
esto

lab4:
cmt eip,"[ Anti Olly ]"
mov eip_,[eip]
log eip_
cmp eip_,00F88090
jne error
sto
sto
log "Change flag !ZF"
mov !ZF,1
eob end1
esto

end1:
bprm cbase, csize
eob end
eoe end
esto

end:
cmt eip," [ OEP ]"
bpmc
ret

error:
log "Not found"
MSG "Error"
ret


// [BACK]
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.2x - 1.3x (Registered) OEP Finder & Olly Hide v1.1.txt:
--------------------------------------------------------------------------------
// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/*
//////////////////////////////////////////////////
Author : ~Hellsp@wN~
Email : alt-fox@mail.ru
OS : OllyDbg 1.10 with OllyScript plugin v0.92
Date : 02.12.2004
Version: 1.0

1) Find OEP
2) Hide Olly !

Support with:
ASProtect 1.2x - 1.3x [Registered]
//////////////////////////////////////////////////
*/

var cbase
var csize
var eip_
var check

gmi eip, CODEBASE
mov cbase, $RESULT
log cbase
gmi eip, CODESIZE
mov csize, $RESULT
log csize

eob lab1
esto

lab1:
mov check,0
sto
log "Find anti Debugger call:"
trace:
inc check
log check
cmp check,20
je error
sto
mov eip_,[eip]
log eip_
cmp eip_,C084D0FF
jne trace
cmt eip,"[ IsDebuggerPresent ]"
log "call eax is found"
FIND eip,#74#
cmp $RESULT,0
je error
eob lab3
log $RESULT
bp $RESULT
esto

lab3:
log "Change flag !ZF"
mov !ZF,1
sto
bc $RESULT
eob lab4
esto

lab4:
cmt eip,"[ Anti Olly ]"
mov eip_,[eip]
log eip_
cmp eip_,00F88090
jne error
sto
sto
log "Change flag !ZF"
mov !ZF,1
eob end1
esto

end1:
bprm cbase, csize
eob end
eoe end
esto

end:
cmt eip," [ OEP ]"
bpmc
ret

error:
log "Not found"
MSG "Error"
ret


// [BACK]
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3 Lite OEP Finder.txt:
--------------------------------------------------------------------------------
var cbase
gmi eip, CODEBASE
mov cbase, $RESULT
log cbase
var csize
gmi eip, CODESIZE
mov csize, $RESULT
log csize

var k
var l
eoe lab1
eob lab1
run

lab1:
mov k,esp
add k,40
mov l,[k]
cmp l,400000
je lab2
esto

lab2:
bprm cbase, csize
eob end
eoe end
esto

end:
cmt eip,"OEP or tempOEP"
bpmc
ret
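The two Registered OEP Finder scripts above recognise the protector's anti-debug stubs by reading the dword at eip (`mov eip_,[eip]`) and comparing it with constants such as C084D0FF and 00F88090, then searching forward for a byte pattern with `FIND eip,#74#`; the BriteDream and sanniassin scripts further down use `#85c00f85#`, `#74??E8#` and `00001fb8` the same way. The Python below is an added example, not code from the repository: it shows which bytes those little-endian dword constants actually select and implements a `find`-style scanner with `??` wildcards over a constructed stub. All function names and the STUB bytes are my own.

```python
"""Reproduce the byte-signature checks used by the ASProtect OEP-finder scripts.

OllyScript's `mov eip_,[eip]` reads a 32-bit little-endian dword, so a script
constant such as C084D0FF matches the bytes FF D0 84 C0 in memory, i.e.
`call eax` followed by `test al,al`. This is an added, stand-alone example
(not repository code); the STUB bytes below are constructed, not dumped from
a real target.
"""
import struct

# Dword immediates exactly as written in the scripts, with the bytes they select.
SCRIPT_DWORDS = {
    "C084D0FF": "FF D0 84 C0: call eax ; test al,al  (IsDebuggerPresent result check)",
    "00F88090": "90 80 F8 00: nop ; cmp al,0          ([ Anti Olly ] check)",
    "00001FB8": "B8 1F 00 00: start of mov eax,1F     (BriteDream validity check)",
}


def dword_to_bytes(hex_dword: str) -> bytes:
    """Bytes that `cmp var,<hex_dword>` matches after `mov var,[addr]`."""
    return struct.pack("<I", int(hex_dword, 16))


def parse_pattern(pattern: str) -> list:
    """Parse an OllyScript find pattern like '#74??E8#' into ints, None for '??'."""
    body = pattern.strip("#").replace(" ", "")
    if len(body) % 2:
        raise ValueError("pattern must contain whole bytes")
    tokens = [body[i:i + 2] for i in range(0, len(body), 2)]
    return [None if tok == "??" else int(tok, 16) for tok in tokens]


def find(buf: bytes, pattern: str, start: int = 0) -> int:
    """Offset of the first match at or after `start`, or -1 (OllyScript sets $RESULT=0)."""
    pat = parse_pattern(pattern)
    for off in range(start, len(buf) - len(pat) + 1):
        if all(p is None or buf[off + k] == p for k, p in enumerate(pat)):
            return off
    return -1


def match_dword(buf: bytes, off: int, hex_dword: str) -> bool:
    """Emulate `mov x,[off]` followed by `cmp x,hex_dword` at one offset."""
    return buf[off:off + 4] == dword_to_bytes(hex_dword)


def find_dword(buf: bytes, hex_dword: str, start: int = 0) -> int:
    """First offset at or after `start` where the script's dword compare succeeds, else -1."""
    for off in range(start, len(buf) - 3):
        if match_dword(buf, off, hex_dword):
            return off
    return -1


def scan_stub(buf: bytes) -> dict:
    """Locate, in order, the landmarks the Registered OEP finder traces to:
    call eax/test al,al, the je it forces (ZF=1), then the nop/cmp al,0 stub."""
    found = {}
    call_eax = find_dword(buf, "C084D0FF")
    if call_eax < 0:
        return found
    found["call_eax"] = call_eax
    je = find(buf, "#74#", call_eax)
    if je >= 0:
        found["je"] = je
    anti_olly = find_dword(buf, "00F88090", call_eax)
    if anti_olly >= 0:
        found["anti_olly"] = anti_olly
    return found


# Constructed stub (hypothetical bytes): the instruction sequence the scripts look for.
STUB = bytes.fromhex(
    "FFD0"        # call eax            (IsDebuggerPresent via register)
    "84C0"        # test al,al
    "7405"        # je short +5         (script forces this jump by setting !ZF)
    "E800000000"  # call rel32          (placeholder target)
    "9080F800"    # nop ; cmp al,0      ([ Anti Olly ])
    "7402"        # je short +2
)


if __name__ == "__main__":
    for const, meaning in SCRIPT_DWORDS.items():
        print(f"{const} -> {dword_to_bytes(const).hex(' ')}  {meaning}")
    print(scan_stub(STUB))           # {'call_eax': 0, 'je': 4, 'anti_olly': 11}
    print(find(STUB, "#74??E8#"))    # 4
    print(find(STUB, "#85c00f85#"))  # -1: no test eax,eax / jnz pattern in this stub
```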
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3 Repair Sto.txt:
--------------------------------------------------------------------------------
var k
var l
var temp1
var temp2

sti
bphws esp,"r"
mov temp1,esp
run
sti
eoe lab3
eob lab3
bphws esp,"r"
mov temp2,esp
esto


lab3:

mov k,esp
add k,40
mov l,[k]
cmp l,400000
je lab4
esto


lab4:

eob lab5
mov k,eip
add k,3d
bp k
esto

lab5:
esto
bc k // clear the software breakpoint set in lab4
bphwc temp1
bphwc temp2
ret
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.30b Import Recovery + OEP Finder (Delphi & ImageBase 400000).txt:
--------------------------------------------------------------------------------
/*
////////////////////////////////////////////////////
// ASProtect 1.30b import recovery & OEP / tempOEP finder (only Delphi & Imagebase = 400000)
// Author: Mario555
// Email : Mario555@pisem.net
// OS : WinXP SP1, OllyDbg 1.10b, OllyScript v0.7
// Note : Olly must be hidden (IsDebuggerPresent)
////////////////////////////////////////////////////
*/


var cbase
gmi eip, CODEBASE
mov cbase, $RESULT
log cbase
var csize
gmi eip, CODESIZE
mov csize, $RESULT
log csize

var k
var l
var c
var function
var first
var a1
var a2
var a3
var iat_addr
var wr_addr
var mhandle
var mhandle_old
var iat_addr_old

mov c,0
mov mhandle_old,0
mov first,0
mov iat_addr, 400000
cmp [4002d0],0
jne loc_section_change
add iat_addr, [4002cc]
loc:
log iat_addr
eoe lab1
eob lab1
run


lab1:
cmp c,7
je lab_Breaks
add c,1
mov k,esp
add k,40
mov l,[k]
cmp l,400000
je lab_last
esto

lab_Breaks:
add c,1
var addr
var temp
mov addr,eip
shr addr, 10
shl addr, 10
mov temp, addr
add temp, 776d
mov a1,temp
bp temp
add temp, 159
mov a2,temp
bp temp
add temp, 6d
mov a3,temp
bp temp
eob lab2
eoe lab2
esto

lab2:
cmp eip, a1
je loc_imp
cmp eip, a2
je loc_imp
cmp eip, a3
je loc_imp
jmp lab1

loc_imp:
mov k, esp
add k, 30
mov mhandle, [k]
cmp mhandle, mhandle_old
je loc1
mov mhandle_old, mhandle
add iat_addr, 4

loc1:
cmp first,0
mov first,1
je loc3

loc2:
sub wr_addr,1
mov [wr_addr], #25#
add wr_addr,1
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function

loc3:
mov wr_addr, ebx
mov function, eax
mov iat_addr_old, iat_addr
add iat_addr, 4
esto


lab_last:
bprm cbase, csize
eob end
eoe end
esto

end:
sub wr_addr,1
mov [wr_addr], #25#
add wr_addr,1
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function
cmt eip,"!!!!!!!!!!!!!!!!!!"
bpmc
bc a1
bc a2
bc a3
ret

loc_section_change:
add iat_addr, [4002a4]
jmp loc
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.30b Stolen Code Finder v0.1.txt:
--------------------------------------------------------------------------------
/*
//////////////////////////////////////////////////
ASProtect 1.3B Stolen code Finder v0.1
Author: loveboom
Email : bmd2chen@tom.com
OS : Win2kADV sp2, OllyDbg 1.1b, OllyScript v0.62
Date : 2004-4-6
Config: Ignore all Exceptions except "Memory access violation", Hide Ollydbg.
Note : If you have any questions, please email me, thank you!
//////////////////////////////////////////////////
*/

var eval //esp value
var eaddr //eip address
var faddr //Findop return address
var evalue //eip value
var pvalue //ebp value
var ismodt //mode 2

start:
findop eip,#EB01#
mov eaddr,$RESULT
sub eaddr,eip
sub eaddr,2
cmp eaddr,0
jne mod1
mov ismodt,1

mod2:
jmp lbl1

mod1:
mov ismodt,0
mov eval,esp
sub eval,4
run

lbl1:
eoe lbl2
esto


lbl2:
mov eaddr,eip
mov evalue,[eaddr]
sub evalue,8F640031
cmp evalue,0F640032
je lbl3
jmp lbl1

lbl3:
findop eip,#C3#
cmp $RESULT,0
je lbl1
mov faddr,$RESULT
sub faddr,eip
sub faddr,3D
cmp faddr,0
je lbl4
jmp lbl1

lbl4:
cmp ismodt,0
jne jmod2
mov faddr,$RESULT
eob lbl5
bp faddr
esto

lbl5:
bc faddr
mov pvalue,ebp
bphws pvalue,"r"
run

lbl6:
bphwc pvalue
findop eip,#C20800#
bp $RESULT
eob lbl7
run

lbl7:
bc $RESULT

lbl8:
eob lbl9
sti

lbl9:
mov pvalue,ebp
sub pvalue,eval
cmp pvalue,0
je lblend
jmp lbl8

lblend:
cmt eip,"Now please fix stolen code,and then dumped it!"
msg "Script by loveboom[DFCG],Thank you for using my script!"
ret

jmod2:
eob mod1
esto
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.31b Import Recovery + OEP Finder (Delphi & Imagebase 400000).txt:
--------------------------------------------------------------------------------
/*
////////////////////////////////////////////////////
// ASProtect 1.31b import recovery & OEP / tempOEP finder (only Delphi & Imagebase = 400000)
// Author: Mario555
// Email : Mario555@pisem.net
// OS : WinXP SP1, OllyDbg 1.10b, OllyScript v0.7
// Note : Olly must be hidden (IsDebuggerPresent)
////////////////////////////////////////////////////
*/

var cbase
gmi eip, CODEBASE
mov cbase, $RESULT
log cbase
var csize
gmi eip, CODESIZE
mov csize, $RESULT
log csize

var k
var l
var c
var function
var first
var a1
var a2
var a3
var a4
var a5
var iat_addr
var wr_addr
var mhandle
var mhandle_old
var iat_addr_old

mov c,0
mov mhandle_old,0
mov first,0
mov iat_addr, 400000
cmp [4002d0],0
jne loc_section_change
add iat_addr, [4002cc]
loc:
log iat_addr
eoe lab1
eob lab1
run


lab1:
cmp c,0a
je lab_Breaks
add c,1
mov k,esp
add k,14
mov l,[k]
cmp l,400000
je lab_last
esto

lab_Breaks:
add c,1
var addr
var temp
mov addr,eip
shr addr, 10
shl addr, 10
mov temp, addr
add temp, 4728
mov [temp], #3bc090#
add temp, 0ee1
mov a1,temp
bp temp
add temp, 11f
mov a2,temp
bp temp
add temp, 0a6
mov a3,temp
bp temp
add temp, 52
mov a4,temp
bp temp
sub temp, 4f
mov a5, temp
bp a5
eob lab2
eoe lab2
esto

lab2:
cmp eip, a1
je loc_imp
cmp eip, a2
je loc_imp
cmp eip, a4
je loc_imp
cmp eip, a3
je loc_imp2
cmp eip, a5
je loc_imp21
jmp lab1


loc_imp:
mov k, esp
add k, 14
mov mhandle, [k]
cmp mhandle, mhandle_old
je loc1
mov mhandle_old, mhandle
add iat_addr, 4

loc1:
cmp first,0
mov first,1
je loc3

loc2:
sub wr_addr,2
mov [wr_addr], #ff25#
add wr_addr,2
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function

loc3:
mov wr_addr, esi
mov function, eax
mov iat_addr_old, iat_addr
add iat_addr, 4
run

loc_imp2:
mov mhandle, eax
cmp mhandle, mhandle_old
je loc22
mov mhandle_old, mhandle
add iat_addr, 4

loc22:
sub wr_addr,2
mov [wr_addr], #ff25#
add wr_addr,2
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function
mov k, esp
add k, 0c
mov k, [k]
run

loc_imp21:
mov l, esp
sub l, 14
mov l, [l]
add k, l
add k, 400000
mov wr_addr, k
mov k, esp
sub k, 24
mov k, [k]
mov function, k
mov iat_addr_old, iat_addr
add iat_addr, 4
run


lab_last:
bprm cbase, csize
eob end
eoe end
esto

end:
sub wr_addr,2
mov [wr_addr], #ff25#
add wr_addr,2
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function
cmt eip,"!!!!!!!!!!!!!!!!!!"
bpmc
bc a1
bc a2
bc a3
bc a4
bc a5
ret

loc_section_change:
add iat_addr, [4002a4]
jmp loc
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x - 2.xx OEP Finder v0.1.txt:
--------------------------------------------------------------------------------
/*
Script written by VolX
purpose : This script makes Olly break on the OEP of your target, or on the first
instruction of the stolen code if stolen code exists
Test Environment : OllyDbg 1.1
ODBGScript 1.47 under WINXP
Thanks : Oleh Yuschuk - author of OllyDbg
SHaG - author of OllyScript
Epsylon3 - author of ODbgScript
*/
//support Asprotect 1.32, 1.33, 1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3

var tmp1
var tmp2
var imgbase
var 1stsecbase
var 1stsecsize
var dllimgbase

dbh //hide debugger
BPHWCALL //clear hardware breakpoints
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
log imgbase
mov tmp1, imgbase
add tmp1, 3C //40003C: e_lfanew
mov tmp1, [tmp1]
add tmp1, imgbase //tmp1=PE signature VA
add tmp1, f8 //1st section header
add tmp1, 8 //VirtualSize
mov 1stsecsize, [tmp1]
add tmp1, 4 //VirtualAddress
mov 1stsecbase, [tmp1]
add 1stsecbase, imgbase
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc eip
rtr
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
log dllimgbase
find dllimgbase, #C6463401# //search "mov byte[esi+34], 1"
mov tmp2, $RESULT
cmp tmp2, 0
je error
find tmp2, #68????????68????????68#
mov tmp1, $RESULT
cmp tmp1, 0
je error
log tmp1
bp tmp1
eob lab1
eoe lab1
esto

lab1:
cmp eip, tmp1
je lab2
esto

lab2:
bc tmp1
find dllimgbase, #3130330D0A# //search ASCII "103"
mov tmp2, $RESULT
log tmp2
cmp tmp2, 0
je wrongver
find tmp2, #8D00C3# //search "lea eax,[eax]" "ret"
mov tmp1, $RESULT
log tmp1
cmp tmp1, 0
je wrongver
bphws tmp1, "x"
eob lab3
eoe lab3
esto

lab3:
cmp eip, tmp1
je lab4
esto

lab4:
bphwc tmp1
cob
coe
mov tmp1, [esp+8]
cmp tmp1, 0
log tmp1
jne lab5
mov tmp1, [esp+C]
cmp tmp1, 0
je lab6
jmp lab7

lab5:
mov tmp1, [esp+10]
cmp tmp1, 0
jne lab7

//No stolen code at the OEP
lab6:
bprm 1stsecbase, 1stsecsize
esto
bpmc
msg "OEP found, no stolen code at the OEP!"
jmp end

//There is stolen code at the OEP
lab7:
bp tmp1
esto
bc tmp1
msg "Stolen code start!"
jmp end

error:
msg "Error!"
pause
jmp end

wrongver:
msg "Unsupported Aspr version or it is not packed with Aspr?"
pause
jmp end

end:
ret
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x - 2.xx Unpacker v1.12SC.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 1.3x - 2.xx Unpacker v1.12SC.txt
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x - 2.xx Unpacker v1.13SC (Skip CRC Check).txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 1.3x - 2.xx Unpacker v1.13SC (Skip CRC Check).txt
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x - 2.xx Unpacker v1.13SC (Skip Registration Box).txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 1.3x - 2.xx Unpacker v1.13SC (Skip Registration Box).txt
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x OEP Finder #1.txt:
--------------------------------------------------------------------------------
////////////////////////////////////////////
// Asprotect //
// Date: 29/8/2004 //
// //
////////////////////////////////////////////

var addra
var addrb
var count
var test
var valid
var valid2
var addrc
eoe checklast
eob checklast
esto


checklast:
dbh
find eip,#85c00f85#
cmp $RESULT,0
je cnt
mov valid,$RESULT
sub valid,3e
cmp [valid],00001fb8

jne cnt
mov valid2,$RESULT
sub valid2,eip
cmp valid2,0ff
ja cnt
eob bypass
bp $RESULT
esto

bypass:
mov eax,0
bc $RESULT
esto
cnt:
eoe checklast
eob checklast
mov addra,ebp
mov addrc,ebp
sub addra,10

mov addra,[addra]


cmp addra,400000
je found
sub addrc,20
mov addrc,[addrc]
cmp addrc,400000
je found

esto

found:
MSGYN "this is the last exception, do you want to continue to the OEP?"
cmp $RESULT,0
je last
mov addrb,[40003c]
add addrb,400000
add addrb,100
mov addrb,[addrb]
bprm 401000,addrb
cob
coe
esto
msg "this is the oep if no stolen,Thanks for using my script;BriteDream"
bpmc
ret



last:

msg "This is the last exception,Thank you for using my script;BriteDream"
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x OEP Finder #2.txt:
--------------------------------------------------------------------------------
////////////////////////////////////////////
// Asprotect //
// Date: 29/8/2004 //
// //
////////////////////////////////////////////

var addra
var addrb
var addrc
var count
var test
var valid
var valid2
var csize
eoe checklast
eob checklast
GMI 401000,CODESIZE
mov csize,$RESULT
esto


checklast:
dbh
find eip,#85c00f85#
cmp $RESULT,0
je cnt
mov valid,$RESULT
sub valid,3e
cmp [valid],00001fb8

jne cnt
mov valid2,$RESULT
sub valid2,eip
cmp valid2,0ff
ja cnt
eob bypass
bp $RESULT
esto

bypass:
mov eax,0
bc $RESULT
esto
cnt:
eoe checklast
eob checklast
mov addra,ebp
mov addrc,ebp
sub addra,10

mov addra,[addra]


cmp addra,400000
je found
sub addrc,20
mov addrc,[addrc]
cmp addrc,400000
je found

esto

found:
MSGYN "this is the last exception, do you want to continue to the OEP?"
cmp $RESULT,0
je last
bprm 401000,csize
cob
coe
esto
msg "this is the oep if no stolen,Thanks for using my script;BriteDream"
bpmc
ret



last:

msg "This is the last exception,Thank you for using my script;BriteDream"
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x OEP Finder #3.txt:
--------------------------------------------------------------------------------
////////////////////////////////////////////
// Asprotect //
// Date: 19/10/2004 //
// //
////////////////////////////////////////////
var cebp
var cesp
var addra
var addra2
var addrb
var addrclast
var count
var test
var addrc
var addrc2
var valid
var valid2
var csize
var msize
var popc
eoe checklast
eob checklast
GMI 401000,CODESIZE
mov csize,$RESULT
var sizet
mov sizet,csize
add sizet,400000
GMI 401000,MODULESIZE
mov msize, $RESULT
add msize,400000


esto


checklast:
dbh
cmp edx,4
jne f
mov popc,eip
add popc,4
mov popc,[popc]
cmp popc,0000068f
jne f
find eip,#74??E8#
mov popc,$RESULT
sub popc,5
mov popc,[popc]
mov [popc],1
cmp $RESULT,0

je f
bprm 401000,csize
eob oep
eoe oep
esto
f:
find eip,#85c00f85#
cmp $RESULT,0
je cntlast
mov valid,$RESULT
sub valid,3e
cmp [valid],00001fb8

jne cntlast
mov valid2,$RESULT
sub valid2,eip
cmp valid2,0ff
ja cntlast
eob bypass
bp $RESULT
esto

bypass:
mov eax,0
bc $RESULT
esto
cntlast:
eoe checklast
eob checklast
mov addra,ebp
mov addrc,ebp
sub addra,10
mov addra2,addra
mov addrc2,addra
mov cesp,esp
mov cebp,ebp
and cesp,00ff0000
and cebp,00ff0000
cmp cesp,cebp
jne false

mov addra,[addra]

cmp addra,400000

jne false1
add addra2,4
mov addra2,[addra2]
cmp addra2,msize
jb foundlast
false1:
sub addrc,20
mov addrc2,addrc
mov cesp,esp
mov cebp,ebp
and cesp,00ff0000
and cebp,00ff0000
cmp cesp,cebp

jne false

mov addrc,[addrc]


cmp addrc,400000
jne false
add addrc2,4
mov addrc2,[addrc2]
cmp addrc2,msize


ja test1
cmp addrc2,401000
ja foundlast
jmp false
test1:
mov addrc2,edi
and addrc2,0000ffff
cmp addrc2,0

je foundlast
false:
esto
ret
foundlast:
MSGYN "this is the last exception, do you want to continue to the OEP?"
cmp $RESULT,0
je last
jmp oepn

oep:
cmp eip, sizet
jb oepf
esto
oepn:
bprm 401000,csize
cob
coe
esto

oepf:
msg "this is the oep if no stolen,Thanks for using my script;BriteDream"
bpmc
ret



last:
msg "This is the last exception,Thank you for using my script;BriteDream"
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x OEP Finder #4.txt:
--------------------------------------------------------------------------------
// ASProtect 1.32 and greater (except ASProtect 2.0 alpha) OEP finder by sanniassin::REVENGE Crew
// Ignore all exceptions
// Clear all breakpoints
// Tested on WinXP only

var x
var y
var is_DLL

mov x,esp
sub x,48
bphws x,"r"
mov y,[eip]
and y,000000FF
cmp y,60
jne zzz
mov is_DLL,1

zzz:
run
mov y,[eip]
cmp y,01B80875
jne zzz
bphwc x
find edi,#83C404010424C3#
mov x,$RESULT
add x,6
bp x
run
bc x
sto
mov x,eip

findcall:
dec x
mov y,[x]
cmp y,5B5E5F5D
jne findcall
sub x,8
go x
sti
rtr
sto
mov x,eip
and x,0000FFFF
cmp x,0
je no_VM_on_OEP

VM_on_OEP:
msg "OEP found! OEP stolen."
jmp pause

no_VM_on_OEP:
mov x,esp
cmp is_DLL,1
jne is_exe
add x,10
jmp label_9
is_exe:
add x,8
label_9:
bphws x,"r"
run
mov y,eip
dec y
mov y,[y]
and y,000000FF
cmp y,5C
jne label_9
bphwc x
cmp is_DLL,1
jne is_exe2
find eip,#8944241C61FFE0#
add $RESULT,5
bp $RESULT
run
bc $RESULT
sto
jmp msg
is_exe2:
mov x,eax
go x
msg:
msg "OEP found! OEP not stolen."

pause:
pause
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x OEP Finder + IAT Rebuilder (Call to Call).txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 1.3x OEP Finder + IAT Rebuilder (Call to Call).txt
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x OEP Finder + IAT Rebuilder (Call to JMP).txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 1.3x OEP Finder + IAT Rebuilder (Call to JMP).txt
--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x OEP Finder 1.txt:
--------------------------------------------------------------------------------
////////////////////////////////////////////
// Asprotect //
// Date: 29/8/2004 //
// //
////////////////////////////////////////////

var addra
var addrb
var count
var test
var valid
var valid2
var addrc
eoe checklast
eob checklast
esto


checklast:
dbh
find eip,#85c00f85#
cmp $RESULT,0
je cnt
mov valid,$RESULT
sub valid,3e
cmp [valid],00001fb8

jne cnt
mov valid2,$RESULT
sub valid2,eip
cmp valid2,0ff
ja cnt
eob bypass
bp $RESULT
esto

bypass:
mov eax,0
bc $RESULT
esto
cnt:
eoe checklast
eob checklast
mov addra,ebp
mov addrc,ebp
sub addra,10

mov addra,[addra]


cmp addra,400000
je found
sub addrc,20
mov addrc,[addrc]
cmp addrc,400000
je found

esto

found:
MSGYN "this is the last exception, do you want to continue to the OEP?"
cmp $RESULT,0
je last
mov addrb,[40003c]
add addrb,400000
add addrb,100
mov addrb,[addrb]
bprm 401000,addrb
cob
coe
esto
msg "this is the oep if no stolen,Thanks for using my script;BriteDream"
bpmc
ret



last:

msg "This is the last exception,Thank you for using my script;BriteDream"
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x OEP Finder 2.txt:
--------------------------------------------------------------------------------
////////////////////////////////////////////
// Asprotect //
// Date: 29/8/2004 //
// //
////////////////////////////////////////////

var addra
var addrb
var addrc
var count
var test
var valid
var valid2
var csize
eoe checklast
eob checklast
GMI 401000,CODESIZE
mov csize,$RESULT
esto


checklast:
dbh
find eip,#85c00f85#
cmp $RESULT,0
je cnt
mov valid,$RESULT
sub valid,3e
cmp [valid],00001fb8

jne cnt
mov valid2,$RESULT
sub valid2,eip
cmp valid2,0ff
ja cnt
eob bypass
bp $RESULT
esto

bypass:
mov eax,0
bc $RESULT
esto
cnt:
eoe checklast
eob checklast
mov addra,ebp
mov addrc,ebp
sub addra,10

mov addra,[addra]


cmp addra,400000
je found
sub addrc,20
mov addrc,[addrc]
cmp addrc,400000
je found

esto

found:
MSGYN "this is the last exception, do you want to continue to the OEP?"
cmp $RESULT,0
je last
bprm 401000,csize
cob
coe
esto
msg "this is the oep if no stolen,Thanks for using my script;BriteDream"
bpmc
ret



last:

msg "This is the last exception,Thank you for using my script;BriteDream"
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x OEP Finder 3.txt:
--------------------------------------------------------------------------------
////////////////////////////////////////////
// Asprotect //
// Date: 19/10/2004 //
// //
////////////////////////////////////////////
var cebp
var cesp
var addra
var addra2
var addrb
var addrclast
var count
var test
var addrc
var addrc2
var valid
var valid2
var csize
var msize
var popc
eoe checklast
eob checklast
GMI 401000,CODESIZE
mov csize,$RESULT
var sizet
mov sizet,csize
add sizet,400000
GMI 401000,MODULESIZE
mov msize, $RESULT
add msize,400000


esto


checklast:
dbh
cmp edx,4
jne f
mov popc,eip
add popc,4
mov popc,[popc]
cmp popc,0000068f
jne f
find eip,#74??E8#
mov popc,$RESULT
sub popc,5
mov popc,[popc]
mov [popc],1
cmp $RESULT,0

je f
bprm 401000,csize
eob oep
eoe oep
esto
f:
find eip,#85c00f85#
cmp $RESULT,0
je cntlast
mov valid,$RESULT
sub valid,3e
cmp [valid],00001fb8

jne cntlast
mov valid2,$RESULT
sub valid2,eip
cmp valid2,0ff
ja cntlast
eob bypass
bp $RESULT
esto

bypass:
mov eax,0
bc $RESULT
esto
cntlast:
eoe checklast
eob checklast
mov addra,ebp
mov addrc,ebp
sub addra,10
mov addra2,addra
mov addrc2,addra
mov cesp,esp
mov cebp,ebp
and cesp,00ff0000
and cebp,00ff0000
cmp cesp,cebp
jne false

mov addra,[addra]

cmp addra,400000

jne false1
add addra2,4
mov addra2,[addra2]
cmp addra2,msize
jb foundlast
false1:
sub addrc,20
mov addrc2,addrc
mov cesp,esp
mov cebp,ebp
and cesp,00ff0000
and cebp,00ff0000
cmp cesp,cebp

jne false

mov addrc,[addrc]


cmp addrc,400000
jne false
add addrc2,4
mov addrc2,[addrc2]
cmp addrc2,msize


ja test1
cmp addrc2,401000
ja foundlast
jmp false
test1:
mov addrc2,edi
and addrc2,0000ffff
cmp addrc2,0

je foundlast
false:
esto
ret
foundlast:
MSGYN "this is the last exception, do you want to continue to the OEP?"
cmp $RESULT,0
je last
jmp oepn

oep:
cmp eip, sizet
jb oepf
esto
oepn:
bprm 401000,csize
cob
coe
esto

oepf:
msg "this is the oep if no stolen,Thanks for using my script;BriteDream"
bpmc
ret



last:
msg "This is the last exception,Thank you for using my script;BriteDream"
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 1.3x OEP Finder 4.txt:
--------------------------------------------------------------------------------
// ASProtect 1.32 and greater (except ASProtect 2.0 alpha) OEP finder by sanniassin::REVENGE Crew
// Ignore all exceptions
// Clear all breakpoints
// Tested on WinXP only

var x
var y
var is_DLL

mov x,esp
sub x,48
bphws x,"r"
mov y,[eip]
and y,000000FF
cmp y,60
jne zzz
mov is_DLL,1

zzz:
run
mov y,[eip]
cmp y,01B80875
jne zzz
bphwc x
find edi,#83C404010424C3#
mov x,$RESULT
add x,6
bp x
run
bc x
sto
mov x,eip

findcall:
dec x
mov y,[x]
cmp y,5B5E5F5D
jne findcall
sub x,8
go x
sti
rtr
sto
mov x,eip
and x,0000FFFF
cmp x,0
je no_VM_on_OEP

VM_on_OEP:
msg "OEP found! OEP stolen."
jmp pause

no_VM_on_OEP:
mov x,esp
cmp is_DLL,1
jne is_exe
add x,10
jmp label_9
is_exe:
add x,8
label_9:
bphws x,"r"
run
mov y,eip
dec y
mov y,[y]
and y,000000FF
cmp y,5C
jne label_9
bphwc x
cmp is_DLL,1
jne is_exe2
find eip,#8944241C61FFE0#
add $RESULT,5
bp $RESULT
run
bc $RESULT
sto
jmp msg
is_exe2:
mov x,eax
go x
msg:
msg "OEP found! OEP not stolen."

pause:
pause
--------------------------------------------------------------------------------
/ASProtect/ASProtect 2 Find Stolen Bytes.txt:
--------------------------------------------------------------------------------
var k
var l
var x
var y

sti
bphws esp,"r"
run
sti
eoe lab3
eob lab3
bphws esp,"r"
esto


lab3:

mov k,esp
add k,1c
mov l,[k]
cmp l,400000
je lab4
esto
jmp lab3

lab4:

eob lab5
mov k,eip
add k,3d
bp k
esto

lab5:
esto
ret
--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0 Stop Stolen Code.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0 Stop Stolen Code.txt
--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Automatic SHIFT+F9.txt:
--------------------------------------------------------------------------------
/////////////////////////////////////////////////////////////
// this script does nothing but takes the number of times you want
// to do that shift+f9 thing for ASProtect targets and does that shift+f9
// through the ESTO command in script.
//
// remember the input is in HEX, so if u want to shift+f9 38 times,
// enter 26
//
// currently ODBGScript 1.41 has some problem, some times mistakenly
// it fails to catch the right input 'n rather takes a ZERO as input
// that's why i made a loop and if u want to exit without inputing anything
// put a ` <-- the key right below escape key
/////////////////////////////////////////////////////////////

/*
********************
nick_name
TEAM RESSURRECTiON
********************
*/

ASK:

ASK "shift+F9 --> how many (HEX) times ??"
cmp $RESULT,"`"
je FINISH
cmp $RESULT,0
jbe ASK

mov how_many,$RESULT
run
dec how_many
// stop here when only one run was requested, otherwise the counter wraps below zero
cmp how_many, 0
jbe FINISH

TIME:

esto
dec how_many
cmp how_many, 0
jbe FINISH
jmp TIME

FINISH:
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Clear Junk Code + Stop Stolen Code.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Clear Junk Code + Stop Stolen Code.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination #2.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination #2.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination #3.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination #3.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination #4.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination #4.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination #4b.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination #4b.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination 2.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination 2.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination 3.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination 3.txt
--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination 4.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination 4.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination 4b.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination 4b.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination Optimized v1.1.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination Optimized v1.1.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination Optimized.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT with Import Elimination Optimized.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Fix IAT.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Fix IAT.txt
--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Log all HIGHMEM Calls.txt:
--------------------------------------------------------------------------------
// Script for OllyScript plugin
/*
//////////////////////////////////////////////////
it's been a hard time finding all the HIGHMEM calls 'n fixing them
so, i took some time 'n made these scripts. hope it'll be helpful for
guys with ASProtect.

1. scripts are for ODBGScript 1.41 version
2. at the beginning of the script source, define the values accordingly, before running the scripts
3. when app is running 'n script hasn't shown SCRIPT FINISHED, abort the script manually

First Script - my_asprotect_HIGHMEM.txt

this script logs all the highmem calls in log-HIGHMEM-calls.txt
log-HIGHMEM-calls-BIN.txt contains the BYTES in reverse order
for binary pasting in olly.

there's a problem here in log-HIGHMEM-calls-BIN.txt
sometimes addresses like 401204 will get reversed and
log-HIGHMEM-calls-BIN.txt file will contain corresponding
41240 not 041240 ... so edit the BIN file manually b4 binary
pasting and put an extra 0 before addresses like 41240

Support with:
ASProtect 2.0x
//////////////////////////////////////////////////
*/

DEFINE_BEFORE_EXECUTION:

mov code_section,401000
mov code_section_size,33000

SCRIPT_START:

mov path1,".\log-HIGHMEM-calls.txt"
mov path2,".\log-HIGHMEM-calls-BIN.txt"

FIND_HIGHMEM_CALLS:
lc
mov counter,0
run

BINARY_SEARCH:
find eip,#807B20000F85????00003C01#
cmp $RESULT,0
je NOT_FOUND
mov bp_addr,$RESULT
bp bp_addr
L1:
eob LOG
esto
jmp L1

jmp NOT_FOUND

LOG:

cmp ebp,code_section
jb L1

cmp ebp,code_section + code_section_size
ja L1

add counter,1
eval "{counter}. {ebp}"
log $RESULT,""

wrta path1, $RESULT
wrta path1, "\r\n"

rev ebp
wrta path2, $RESULT
wrta path2, "\r\n"

eob LOG
esto
jmp L1

NOT_FOUND:
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x OEP Finder #1.txt:
--------------------------------------------------------------------------------
// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/*
* =========================================================
* ASProtect 2.0 OEP-finder script (under Windows XP)
* Author: bi0w0rM[AHT]
*
* note: ignore all exceptions and clear all breakpoints
* =========================================================
*/

var v1
var VirtualFree
gpa "VirtualFree","kernel32.dll"
mov VirtualFree, $RESULT
findret:
cmp [VirtualFree],000CC25D
je ret_found
inc VirtualFree
jmp findret
ret_found:
add VirtualFree,1
bp VirtualFree
lol_loop:
esto
mov v1,[esp]
find v1,#C3#
cmp v1,$RESULT
jne lol_loop
sto
sto
find eip,#5BC3#
cmp eip,$RESULT
jne lol_loop
jmp lol_loop2
lol_loop2:
log eip
sto
find eip, #FF35#
cmp eip, $RESULT
je exit
jmp lol_loop2
exit:
sto
sto
cmt eip, "OEP found with bi0w0rM's ASProtect 2.0 script"
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x OEP Finder #2.txt:
--------------------------------------------------------------------------------
/*
============================
.:[OllyScript Editor v2.0]:.
Author: Dexter
Packer: Asprotect 2.0x
Script for: Asprotect 2.0x
Level: Hard
Date: Saturday, 7 January 2006

Please ensure that all exceptions are ignored except INT3 and CUSTOM.
============================
*/
var $codebase
var $codesize

GMI eip,CODEBASE
mov $codebase,$RESULT
GMI eip,CODESIZE
mov $codesize,$RESULT
esto
esto
bprm $codebase,$codesize
esto
msg "OEP"
bpmc

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x OEP Finder + Stolen Code Finder + Fix IAT Jumps.txt:
--------------------------------------------------------------------------------
//This one finds OEP, stolen code and clears IAT jumps
var VirtualAlloc
var loader_base
var loader_ep
var loader_oep
var first_import
var second_import
var stolen_code
var oep
var temp
var temp2

msg "Ignore ALL exceptions and delete ALL breakpoints before start!!!"
dbh
//Get to OEP of loader:
gpa "VirtualAlloc","kernel32.dll"
cmp $RESULT,0
je error
mov VirtualAlloc,$RESULT
bp VirtualAlloc
esto
esto
bc eip
rtr
mov loader_base,eax
sti
rtr
mov loader_ep,[esp]
sti
sti
sti
mov temp,esp
bphws temp,"r"
esto
bphwc temp
rtr
sti
mov loader_oep,eip

//Patch first import routine:
mov first_import,loader_base
add first_import,13780
mov [first_import],#66C700FF1540408910892A909090909090#

//Patch second import routine:
mov second_import,loader_base
add second_import,1CEBE
mov [second_import],#6890909090C39090#
mov temp,second_import
add temp,1
mov [temp],loader_base

mov temp,loader_base
mov [temp],#014308892A6890909090C3#
add temp,6
mov temp2,loader_base
add temp2,1CC73
mov [temp],temp2

//Find OEP and stolen code:
mov stolen_code,loader_base
add stolen_code,13767
bp stolen_code
esto
bc eip
mov oep,ebx
mov stolen_code,ecx
bp ecx
esto
bc eip

cmt eip,"<-- Stolen code starts here!"
msg "Script is done! Check log for more information. "
dbs

//Logging notes:
log " "
log " ASPR2.0 - UNPACKING SCRIPT NOTES"
log " "

log loader_base
log loader_ep
log loader_oep
log first_import
log second_import
log oep
log stolen_code

ret
error:
msg "ERROR! Exiting......"
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x OEP Finder 1.txt:
--------------------------------------------------------------------------------
// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/*
* =========================================================
* ASProtect 2.0 OEP-finder script (under Windows XP)
* Author: bi0w0rM[AHT]
*
* note: ignore all exceptions and clear all breakpoints
* =========================================================
*/

var v1
var VirtualFree
gpa "VirtualFree","kernel32.dll"
mov VirtualFree, $RESULT
findret:
cmp [VirtualFree],000CC25D
je ret_found
inc VirtualFree
jmp findret
ret_found:
add VirtualFree,1
bp VirtualFree
lol_loop:
esto
mov v1,[esp]
find v1,#C3#
cmp v1,$RESULT
jne lol_loop
sto
sto
find eip,#5BC3#
cmp eip,$RESULT
jne lol_loop
jmp lol_loop2
lol_loop2:
log eip
sto
find eip, #FF35#
cmp eip, $RESULT
je exit
jmp lol_loop2
exit:
sto
sto
cmt eip, "OEP found with bi0w0rM's ASProtect 2.0 script"
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x OEP Finder 2.txt:
--------------------------------------------------------------------------------
/*
============================
.:[OllyScript Editor v2.0]:.
Author: Dexter
Packer: Asprotect 2.0x
Script for: Asprotect 2.0x
Level: Hard
Date: Saturday, 7 January 2006

Please ensure that all exceptions are ignored except INT3 and CUSTOM.
============================
*/
var $codebase
var $codesize

GMI eip,CODEBASE
mov $codebase,$RESULT
GMI eip,CODESIZE
mov $codesize,$RESULT
esto
esto
bprm $codebase,$codesize
esto
msg "OEP"
bpmc

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Patch JMP or CALL.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Patch JMP or CALL.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Rebuild Thunks for VC++.txt:
--------------------------------------------------------------------------------
/*
Is modified from PESpin for ASProtect so don't be confused with notes. It works!
=======================================================================
Quick script for rebuilding thunks at VC++ apps protected with PESpin
=======================================================================
*/

var addr
var pointer
var thunk
var new
mov new,4040C0 //Points to start of PESpin section.

//This algo will find all calls that point in table with imports:
mov addr,401000
LABEL1:
find addr,#FF15????????# //Find CALL DWORD PTR:[constant].
cmp $RESULT,0
je END1

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT] //Check if DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL1

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL1
END1:

//This algo will find all jumps that point in table with imports:
mov addr,401000
LABEL2:
find addr,#FF25????????# //Find JMP DWORD PTR:[constant].
cmp $RESULT,0
je END2

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT] //Check if DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL2

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL2
END2:

// ==================================================================================
//Fixing MOV EBP,API:
mov addr,401000
LABEL3:
find addr,#8B2D????????#
cmp $RESULT,0
je END3

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT] //Check if DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL3

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL3
END3:

//Fixing MOV EDI,API:
mov addr,401000
LABEL4:
find addr,#8B3D????????#
cmp $RESULT,0
je END4

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT] //Check if DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL4

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL4
END4:

//Fixing MOV EBX,API:
mov addr,401000
LABEL5:
find addr,#8B1D????????#
cmp $RESULT,0
je END5

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT] //Check if DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL5

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL5
END5:

//Fixing MOV ECX,API:
mov addr,401000
LABEL6:
find addr,#8B0D????????#
cmp $RESULT,0
je END6

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT] //Check if DWORD PTR:[constant] belongs to table.
cmp pointer,500000
jb LABEL6

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL6
END6:

//Fixing MOV EDX,API:
mov addr,401000
LABEL7:
find addr,#8B15????????#
cmp $RESULT,0
je END7

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT] //Check if DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL7

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL7
END7:

//Fixing MOV ESI,API:
mov addr,401000
LABEL8:
find addr,#8B35????????#
cmp $RESULT,0
je END8

add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT] //Check if DWORD PTR:[constant] belongs to table.

cmp pointer,500000
jb LABEL8

mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8

jmp LABEL8
END8:

ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.0x Resolve API To HIGHMEM Calls.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.0x Resolve API To HIGHMEM Calls.txt

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.1 OEP Finder.txt:
--------------------------------------------------------------------------------
gmi 401000,CODESIZE
mov codes,$RESULT
eoe chk
eob chk
esto
chk:
cmp eax,0
je cnt
cmp eax,ebx
jne cnt
cmp [esp],edx
jne cnt
bprm 401000,codes
eob end
cnt:
esto
end:
bpmc
ret
// best regards!; britedream
--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.3 Build 04.26 OEP Finder v1.01.txt:
--------------------------------------------------------------------------------
/*
/////////////////////////////////////////////////////
Author : Linex
version : v1.01
Test Environment : OllyDbg 1.1
ODBGScript 1.47 under WINXP or WIN2003
/////////////////////////////////////////////////////
*/

var tmp1
var tmp2
var tmp3
var tmp4
var tmp5
var tmp6
var tmp7
var tmp8
var tmp9
var imgbase
var 1stsecbase
var 1stsecsize
var dllimgbase
var count
var transit1
var stolen
var stolenstart
var stolencmt
var stolenadds

checkversion:
cmp $VERSION,"1.47"
jae int3
msg "ODBGScript version need 1.47 or higher!"
ret
int3:
msgyn "Setting:Ignore all exceptions except 'INT 3 breaks',Continue?(请设置忽略除INT3外的所有异常!继续吗?)"
cmp $RESULT,1
je start
ret
start:
dbh
BPHWCALL //clear hardware breakpoint
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
log imgbase
mov tmp1, imgbase
add tmp1, 3C //40003C = e_lfanew
mov tmp1, [tmp1]
add tmp1, imgbase //tmp1=signature VA
add tmp1, f8 //1st section header: 4 (signature) + 14 (file header) + E0 (PE32 optional header); assumes SizeOfOptionalHeader = E0
log tmp1
add tmp1, 8
mov 1stsecsize, [tmp1] //VirtualSize
log 1stsecsize
add tmp1, 4
mov 1stsecbase, [tmp1] //VirtualAddress (RVA)
add 1stsecbase, imgbase
log 1stsecbase
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
run
bc $RESULT
rtr
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
log dllimgbase
alloc 2000
mov stolen,$RESULT
log stolen
mov stolenstart,stolen
find dllimgbase, #3135310D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
mov tmp1, dllimgbase
add tmp1, 010e00
find tmp1, #B8050000005b5dc20400# //MOV EAX,5 POP EBX POP EBP RETN 4
mov tmp4, $RESULT
cmp tmp4, 0
je error31
bphws tmp4 ,"x"

find tmp1, #8B45F08B55F43B55FC# //remove anti
mov tmp5, $RESULT
cmp tmp5, 0
je wrongver
add tmp5,0e
bp tmp5

find tmp1, #83c4245f5e5bc3# //ADD ESP,24 POP EDI POP ESI POP EBX
mov tmp6, $RESULT
cmp tmp6, 0
je wrongver
sub tmp6,5
bphws tmp6 ,"x"

find tmp1, #83c3088b0385c075df33c0# //ADD EBX,8 MOV EAX,DWORD PTR DS:[EBX] TEST EAX,EAX
mov tmp7, $RESULT
cmp tmp7, 0
je error31
add tmp7,9
bp tmp7
eob lab3
eoe lab3
run

lab3:
cmp eip, tmp4
je lab4
cmp eip,tmp5
je lab31
cmp eip,tmp7
je lab6
cmp eip,tmp6
je lab62
eob lab3
eoe lab3
run

lab31:
cmp !zf,1
je lab32
mov !zf,1
lab32: //label was missing in the original; ZF is already set, just drop the breakpoint and continue
bc tmp5
run

lab4:
mov [stolen],ebx
add stolen,4
run

lab6:
bc tmp7
bphwc tmp4
cob
coe

lab61:
run
cmp eip,tmp6
je lab5
jmp lab61

lab62:
bc tmp7
bphwc tmp4
cob
coe
bphwc tmp6
sti
rtr
sti
bprm 1stsecbase, 1stsecsize
run
bpmc
msg "OEP found, no stolen code at the OEP!"
pause
ret

lab5:
bphwc tmp6
sti
rtr
sti

oep:
msg "Stolen Oep Find !Press Ok to add cmtments"

cmtstolen:
mov stolencmt,[stolenstart]
cmp stolencmt,0
je end
mov tmp8,stolencmt
add tmp8,1
mov stolenadds,[tmp8]
mov stolenadds,stolenadds+stolencmt+5
eval "{stolencmt}"
cmt stolenadds, $RESULT
add stolenstart,4
jmp cmtstolen

end:

msg "cmtments are added!"
ret

error:
msg "Error!"
pause
jmp exit

wrongver:
msg "Unsupported Aspr version or it is not packed with Aspr?"
pause
jmp exit

error31:
msg "Error 31!"
pause
jmp exit

notfound:
msg "Not found"
pause

exit: //renamed from a second "end:" label, which collided with the one after cmtstolen
ret

--------------------------------------------------------------------------------
/ASProtect/ASProtect 2.xx IAT Recovery.txt:
--------------------------------------------------------------------------------
// eax = API addr
// ecx = start IAT
// edx = end IAT
// ebx = addr stolen redir
// esi = current DLL
// edi = lost DLL
var LoadLibrary

var scan_start
var scan_end
var addr_cur
var temp
var aspr_call

var IAT_start
var IAT_end
var DLL_cur
var DLL_lost
var addr_finder
var addr_iat_reb
var stack
var counter
var type_api

var OEP

ask "Enter start IAT:"
cmp $RESULT,0
je @halt
mov IAT_start ,$RESULT
ask "Enter end IAT:"
cmp $RESULT,0
je @halt
mov IAT_end ,$RESULT
mov type_api,15
msgyn "Do you want to use opcode 'call' (FF15) for recovering the redirector? If you choose 'No', opcode 'jmp' (FF25) will be used."
cmp $RESULT,1
je @init
mov type_api,25

@init:
mov counter,0
mov OEP,eip
mov temp,eip
mov scan_start,[eip]
mov [eip],#6A00#
sto
add temp,4
mov scan_end,[temp]
asm eip,"call GetModuleHandleA"
sto
mov eip,OEP
mov [eip],scan_start
mov [temp],scan_end
mov scan_start,eax
add scan_start,1000
mov scan_end,scan_start
gmi scan_start,CODESIZE
add scan_end,$RESULT
mov eip,scan_start
sub eip,200
mov [eip],#60413BCA73138039E875F68B410103C183C0056683F80075E861#
sto
mov stack,esp
mov addr_finder,eip
mov ecx,scan_start
dec ecx
mov edx,scan_end
add eip,18
bp eip
sub eip,18
@find_aspr_call:
mov eip,addr_finder
run
cmp ecx,edx
jae @end
cmp eax,7FFE0000
jae @find_aspr_call
mov aspr_call,eax
find aspr_call,#EB01#
cmp $RESULT,0
je @find_aspr_call
mov temp,$RESULT
sub temp,aspr_call
cmp temp,10
jbe @repuild_api_init
find aspr_call,#EB02CD20#
cmp $RESULT,0
je @find_aspr_call
mov temp,$RESULT
sub temp,aspr_call
cmp temp,10
ja @find_aspr_call

@repuild_api_init:
bc eip
sub eip,18
mov [eip],#413BCA73118039E875F68B410103C183C0053BC375EA61#
add eip,16
bp eip
mov addr_cur,scan_start
dec addr_cur
inc eip
mov addr_iat_reb,eip
mov [eip],#5750E8099E407C9083C1043BCA7706390175F5EB0F3BF77409C7010000000083C104890166C703FF00894B02#
add eip,2
asm eip,"call GetProcAddress"
add eip,5
bp eip
add eip,25
bp eip
sub eip,4
add [eip],type_api

gpa "LoadLibraryA","kernel32"
findop $RESULT,#C20400#
mov LoadLibrary,$RESULT
bphws LoadLibrary, "x"

@START:
mov DLL_lost,00000000
@repuild_api:
mov esp,stack
mov eip,addr_finder
mov ecx,addr_cur
mov edx,scan_end
mov ebx,aspr_call
run
cmp ecx,edx
jae @end
inc counter
mov addr_cur,ecx
mov eip,addr_cur
run
cmp eip,LoadLibrary
jne @ERR_BP_AT_API_NOT_WORK
mov DLL_cur,eax
mov eip,addr_iat_reb
run
mov ecx,IAT_start
sub ecx,4
mov edx,IAT_end
mov ebx,addr_cur
mov esi,DLL_cur
mov edi,DLL_lost
bc eip
run
sub eip,25
bp eip
mov DLL_lost,DLL_cur
cmp ecx,edx
jbe @repuild_api
mov IAT_end,ecx
jmp @repuild_api

@end:
mov esp,stack
mov eip,addr_finder
add eip,16
bc eip
sto
mov eip,addr_iat_reb
add eip,7
bc eip
add eip,25
bc eip
dec addr_finder
fill addr_finder,44,00
bphwc LoadLibrary
mov eip,OEP
bp eip
ai
bc eip
eval "Script finished! In total {counter} functions are restored!"
msg $RESULT
@halt:
pause
ret

@ERR_BP_AT_API_NOT_WORK:
msg "[Error!] BreakPoint at 'LoadLibrary' not work!"
181 | jmp @end -------------------------------------------------------------------------------- /ASProtect/ASProtect 2.xx Virtual Machine Jump Redirector.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.xx Virtual Machine Jump Redirector.txt -------------------------------------------------------------------------------- /ASProtect/ASProtect 2.xx Virtual Machine Rebuilder.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ASProtect/ASProtect 2.xx Virtual Machine Rebuilder.txt -------------------------------------------------------------------------------- /ASProtect/ASProtect 3 Last Exception.txt: -------------------------------------------------------------------------------- 1 | var k 2 | var l 3 | eoe lab3 4 | eob lab3 5 | lab3: 6 | 7 | mov k,esp 8 | add k,1c 9 | mov l,[k] 10 | 11 | cmp l,400000 12 | 13 | je lab4 14 | esto 15 | jmp lab3 16 | lab4: 17 | 18 | ret -------------------------------------------------------------------------------- /ASProtect/ASProtect 4 OEP Finder.txt: -------------------------------------------------------------------------------- 1 | var k 2 | var l 3 | var x 4 | var y 5 | var m 6 | 7 | sti 8 | bphws esp,"r" 9 | run 10 | sti 11 | eoe lab3 12 | eob lab3 13 | bphws esp,"r" 14 | esto 15 | 16 | 17 | 18 | lab3: 19 | 20 | mov k,esp 21 | add k,1c 22 | mov l,[k] 23 | cmp l,400000 24 | je lab4 25 | esto 26 | jmp lab3 27 | 28 | lab4: 29 | 30 | eob lab5 31 | mov k,eip 32 | add k,3d 33 | bp k 34 | mov l,0 35 | esto 36 | 37 | lab5: 38 | 39 | 40 | eob loop6 41 | esto 42 | 43 | 44 | 45 | 46 | 47 | 48 | loop6: 49 | 50 | sti 51 | mov y,eip 52 | mov x,400000 53 | shr x,14 54 | shr y,14 55 | sub y,x 56 | mov m,4 57 | 58 | loop4: 59 | 60 | cmp y,0 61 | sub 
y,1 62 | je end 63 | sub m,1 64 | cmp m,0 65 | je test 66 | jmp loop4 67 | 68 | test: 69 | 70 | cmp y,0 71 | jne loop6 72 | MSG " Please click on k at toolbar,if is not empty double click on the last address within the code section that you see at the bottom,and please rmove analysis if analysis has been done. Thank you!;BriteDream " 73 | ret 74 | 75 | 76 | 77 | end: 78 | 79 | MSG " Please click on k at toolbar,if is not empty double click on the last address within the code section that you see at the bottom,and please rmove analysis if analysis has been done. Thank you!;BriteDream " 80 | ret -------------------------------------------------------------------------------- /ASProtect/ASProtect 5 Anti-Debug Last Exception.txt: -------------------------------------------------------------------------------- 1 | /* 2 | tested on asprotect 1.23 RC4 only - arz 3 | 4 | */ 5 | 6 | var j 7 | var k 8 | 9 | eoe main 10 | 11 | main: 12 | /* 13 | check for signature bytes 14 | */ 15 | mov j,eip 16 | add j,47 17 | mov k,[j] 18 | mov j,[k] 19 | cmp j,746F7250 20 | je reset 21 | 22 | 23 | /* 24 | last exception? 
25 | */ 26 | mov j,esp //based on britedreams lastex 27 | add j,1C 28 | mov k,[j] 29 | cmp k,400000 30 | je exit 31 | cmp k,1000000 //did some testing on notepad :P 32 | je exit 33 | jmp continue 34 | 35 | 36 | reset: 37 | /* 38 | zero the debugger check flags for no debugger checks 39 | */ 40 | mov j,eip 41 | add j,41 42 | mov k,[j] // get ptr to debug check array 43 | sub k,4 // k Ptr do IsDebuggerPresent check flag 44 | mov [k],0 // kill it (api won't be called) 45 | add k,8 // k Ptr do anti-debug checks flag 46 | mov [k],0 // kill the internal FS[?],TRW and system debugger checks 47 | jmp continue 48 | 49 | 50 | continue: 51 | esto 52 | jmp main 53 | 54 | exit: 55 | ret 56 | -------------------------------------------------------------------------------- /ASProtect/ASProtect Last Exception + OEP.txt: -------------------------------------------------------------------------------- 1 | //////////////////////////////////////////// 2 | // Asprotect // 3 | // Date: 29/8/2004 // 4 | // // 5 | //////////////////////////////////////////// 6 | 7 | var addra 8 | var addrb 9 | var count 10 | var test 11 | var valid 12 | var valid2 13 | var addrc 14 | eoe checklast 15 | eob checklast 16 | esto 17 | 18 | 19 | checklast: 20 | dbh 21 | find eip,#85c00f85# 22 | cmp $RESULT,0 23 | je cnt 24 | mov valid,$RESULT 25 | sub valid,3e 26 | cmp [valid],00001fb8 27 | 28 | jne cnt 29 | mov valid2,$RESULT 30 | sub valid2,eip 31 | cmp valid2,0ff 32 | ja cnt 33 | eob bypass 34 | bp $RESULT 35 | esto 36 | 37 | bypass: 38 | mov eax,0 39 | bc $RESULT 40 | esto 41 | cnt: 42 | eoe checklast 43 | eob checklast 44 | mov addra,ebp 45 | mov addrc,ebp 46 | sub addra,10 47 | 48 | mov addra,[addra] 49 | 50 | 51 | cmp addra,400000 52 | je found 53 | sub addrc,20 54 | mov addrc,[addrc] 55 | cmp addrc,400000 56 | je found 57 | 58 | esto 59 | 60 | found: 61 | MSGYN "this is the last exception, do you want to continue to the OEP?" 
62 | cmp $RESULT,0 63 | je last 64 | mov addrb,[40003c] 65 | add addrb,400000 66 | add addrb,100 67 | mov addrb,[addrb] 68 | bprm 401000,addrb 69 | cob 70 | coe 71 | esto 72 | msg "this is the oep if no stolen,Thanks for using my script;BriteDream" 73 | bpmc 74 | ret 75 | 76 | 77 | 78 | last: 79 | 80 | msg "This is the last exception,Thank you for using my script;BriteDream" 81 | ret 82 | -------------------------------------------------------------------------------- /ASProtect/ASProtect OEP Finder (all versions).txt: -------------------------------------------------------------------------------- 1 | var addra 2 | var addrb 3 | var addrc 4 | var test 5 | 6 | run 7 | eoe checkme 8 | eob checkme 9 | 10 | checkme: 11 | mov addrb,eip 12 | add addrb,2 13 | mov addrb,[addrb] 14 | cmp addrb,00058f64 15 | je checklast 16 | esto 17 | 18 | 19 | checklast: 20 | 21 | mov addra,ebp 22 | sub addra,10 23 | mov addra,[addra] 24 | 25 | cmp addra,400000 26 | je found 27 | esto 28 | 29 | found: 30 | eob end 31 | eoe end 32 | mov addrc,[40003c] 33 | add addrc,100 34 | add addrc,400000 35 | 36 | mov addrc,[addrc] 37 | 38 | bprm 401000,addrc 39 | esto 40 | 41 | end: 42 | mov addra,[eip] 43 | and addra,0000ff 44 | 45 | cmp addra,c3 46 | 47 | 48 | jne endmsg 49 | mov test,[esp] 50 | 51 | and test,f00000 52 | shr test,14 53 | 54 | cmp test,9 55 | 56 | jae loop 57 | jmp endmsg 58 | loop: 59 | eob endmsg 60 | eoe endmsg 61 | esto 62 | 63 | endmsg: 64 | MSG " Please click on k at toolbar,if is not empty double click on the last address within the code section that you see at the bottom,and please rmove analysis if analysis has been done. 
Thank you!;BriteDream " 65 | ret 66 | -------------------------------------------------------------------------------- /ASProtect/ASProtect OEP Finder.txt: -------------------------------------------------------------------------------- 1 | var k 2 | var l 3 | var x 4 | var y 5 | var m 6 | 7 | sti 8 | bphws esp,"r" 9 | run 10 | sti 11 | eoe lab3 12 | eob lab3 13 | bphws esp,"r" 14 | esto 15 | 16 | 17 | 18 | lab3: 19 | 20 | mov k,esp 21 | add k,1c 22 | mov l,[k] 23 | cmp l,400000 24 | je lab4 25 | esto 26 | jmp lab3 27 | 28 | lab4: 29 | 30 | eob lab5 31 | mov k,eip 32 | add k,3d 33 | bp k 34 | mov l,0 35 | esto 36 | 37 | lab5: 38 | 39 | 40 | eob loop6 41 | esto 42 | 43 | 44 | 45 | 46 | 47 | 48 | loop6: 49 | 50 | sti 51 | mov y,eip 52 | mov x,400000 53 | shr x,14 54 | shr y,14 55 | sub y,x 56 | mov m,4 57 | 58 | loop4: 59 | 60 | cmp y,0 61 | sub y,1 62 | je end 63 | sub m,1 64 | cmp m,0 65 | je test 66 | jmp loop4 67 | 68 | test: 69 | 70 | cmp y,0 71 | jne loop6 72 | MSG " Please click on k at toolbar,if is not empty double click on the last address within the code section that you see at the bottom,and please rmove analysis if analysis has been done. Thank you!;BriteDream " 73 | ret 74 | 75 | 76 | 77 | end: 78 | 79 | MSG " Please click on k at toolbar,if is not empty double click on the last address within the code section that you see at the bottom,and please rmove analysis if analysis has been done. 
Thank you!;BriteDream " 80 | ret 81 | -------------------------------------------------------------------------------- /ASProtect/ASProtect Stolen Code Finder.txt: -------------------------------------------------------------------------------- 1 | var k 2 | var l 3 | var x 4 | var y 5 | 6 | sti 7 | bphws esp,"r" 8 | run 9 | sti 10 | eoe lab3 11 | eob lab3 12 | bphws esp,"r" 13 | esto 14 | 15 | 16 | 17 | lab3: 18 | 19 | mov k,esp 20 | add k,1c 21 | mov l,[k] 22 | cmp l,400000 23 | je lab4 24 | esto 25 | jmp lab3 26 | 27 | lab4: 28 | 29 | eob lab5 30 | mov k,eip 31 | add k,3d 32 | bp k 33 | esto 34 | 35 | lab5: 36 | esto 37 | ret -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.6x - 4.xx OEP Finder + Fix Magic Jumps.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 3.6x - 4.xx OEP Finder + Fix Magic Jumps.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.78 - 4.xx + UPX OEP Finder.txt: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////////////////// 2 | // OEP Find Script for Armadillo 3.78 - 4.xx + UPX 3 | // Coded by: PiONEER {RES} 4 | // TEAM: TEAM RESURRECTiON 5 | // Greetz to: {RES},ICU,ARTeam,SnD,CiM,RLD,AGN,trainer-paradies.de,XeonByte,Anorganix 6 | // starzboy,Till.CH,oxy87,Orthodox,ALiEN,cyclops,l0calh0st/ICU,sEby,zyzygy,dR.oLLe 7 | // Data: 13:19 30.03.2007 8 | // Environment : WinXP SP1,OllyDbg V1.10,ODbgScript V1.48 9 | // Contact: http://www.appzclub.tk - or - admin@appzclub.tk 10 | ////////////////////////////////////////////////////////////////////////////////////////// 11 | 12 | start: 13 | #log 14 | find eip, #60E8# 15 | cmp $RESULT,0 16 | je _error 17 | gpa 
"CreateThread", "kernel32.dll" 18 | bp $RESULT 19 | esto 20 | bc $RESULT 21 | find eip, #C2??00# 22 | bp $RESULT 23 | run 24 | bc $RESULT 25 | sto 26 | find eip, #C3# 27 | bp $RESULT 28 | run 29 | bc $RESULT 30 | sto 31 | find eip, #EB??# 32 | bp $RESULT 33 | run 34 | bc $RESULT 35 | sto 36 | find eip, #75??# 37 | bp $RESULT 38 | run 39 | bc $RESULT 40 | sto 41 | find eip, #FFD1# 42 | bp $RESULT 43 | run 44 | bc $RESULT 45 | sti 46 | find eip, #E97856A6FF# 47 | bp $RESULT 48 | run 49 | bp $RESULT 50 | sto 51 | cmt eip, "This is the OEP! Found by PiONEER/TEAM {RES}" 52 | msg "Dumped and fix IAT now! Thanx for using my Script...!" 53 | ret 54 | 55 | 56 | _error: 57 | msg "error!" 58 | ret 59 | end: -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.xx - 4.00 Nanomites VA Finder v1.0.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 3.xx - 4.00 Nanomites VA Finder v1.0.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.xx - 4.xx (Standard Protection) OEP Finder + Import Redirection Fixer.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 3.xx - 4.xx (Standard Protection) OEP Finder + Import Redirection Fixer.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.xx - 5.xx Detach from Client v0.2.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Detach Father from Child+Patch Crypto Process+CopyMem2 4 | Credits go to Ricardo, Hippu, Tenketsu and VolX for thier scripts and ideas. 
5 | 6 | */ 7 | 8 | //Variable Declarations 9 | 10 | var WaitForDebugEvent 11 | var WriteProcessMemory 12 | var DebugActiveProcessStop 13 | var PEHeaderBase 14 | var ImageBase 15 | var CodeBegin 16 | var DataBegin 17 | var ProcessDebugEvent 18 | var ProcessBuffer 19 | var ChildProcessID 20 | var ChildOEP 21 | var OEPBytes 22 | var OEPOffset1 23 | var OEPOffset2 24 | var OEPOffset3 25 | var CryptoProcess 26 | var Address 27 | var Buffer 28 | var Patch1 29 | var Patch2 30 | var temp1 31 | 32 | //Setup 33 | 34 | dbh 35 | 36 | msg "Clear all breakpoints, and Set Ollydbg to pass all exceptions,\r\nand add custom exceptions C0000005, C000001D, C000001E and C0000096, press OK to continue." 37 | 38 | gpa "WaitForDebugEvent", "kernel32.dll" 39 | mov WaitForDebugEvent, $RESULT 40 | gpa "WriteProcessMemory", "kernel32.dll" 41 | mov WriteProcessMemory, $RESULT 42 | gpa "DebugActiveProcessStop", "kernel32.dll" 43 | mov DebugActiveProcessStop, $RESULT 44 | 45 | //Get Section Bases 46 | 47 | gmi eip, MODULEBASE 48 | mov ImageBase, $RESULT 49 | mov PEHeaderBase, ImageBase 50 | add PEHeaderBase, 3C // Offset to PE signature 51 | mov PEHeaderBase, [PEHeaderBase] 52 | add PEHeaderBase, ImageBase 53 | 54 | mov CodeBegin, PEHeaderBase 55 | add CodeBegin, 104 // Offset to 1st Section Virtual Address 56 | mov CodeBegin, [CodeBegin] 57 | add CodeBegin, ImageBase 58 | 59 | mov DataBegin, PEHeaderBase // Offset to 2nd Section Virtual Address 60 | add DataBegin, 12C 61 | mov DataBegin, [DataBegin] 62 | add DataBegin, ImageBase 63 | 64 | log CodeBegin 65 | log DataBegin 66 | 67 | // Begin Unpacking 68 | 69 | bphws WriteProcessMemory, "x" 70 | erun 71 | 72 | bphwc WriteProcessMemory 73 | bphws WaitForDebugEvent, "x" 74 | erun 75 | 76 | // Get Information at WaitForDebugEvent 77 | 78 | bphwc WaitForDebugEvent 79 | mov ProcessDebugEvent, esp 80 | add ProcessDebugEvent, 04 81 | mov ProcessDebugEvent, [ProcessDebugEvent] 82 | mov OEPOffset1, ProcessDebugEvent 83 | add OEPOffset1, 18 84 | mov 
OEPOffset2, ProcessDebugEvent 85 | add OEPOffset2, 24 86 | mov OEPOffset3, ProcessDebugEvent 87 | add OEPOffset3, 28 88 | log ProcessDebugEvent 89 | log OEPOffset1 90 | log OEPOffset2 91 | log OEPOffset3 92 | 93 | // Get Child Process ID and Child OEP 94 | 95 | bphws WriteProcessMemory, "x" 96 | erun 97 | 98 | bphwc WriteProcessMemory 99 | mov ChildProcessID, ProcessDebugEvent 100 | add ChildProcessID, 04 101 | mov ChildProcessID, [ChildProcessID] 102 | mov ChildOEP, [OEPOffset1] 103 | 104 | // Get Stack Info 105 | 106 | mov Address, esp 107 | add Address, 08 108 | mov Address, [Address] 109 | log Address 110 | 111 | mov Buffer, esp 112 | add Buffer, 0C 113 | mov Buffer, [Buffer] 114 | log Buffer 115 | 116 | // Patch OEP of Child 117 | 118 | mov temp1, ChildOEP 119 | sub temp1, Address 120 | add temp1, Buffer 121 | mov OEPBytes, [temp1] 122 | log "OEP of Child Process was patched to EBFE" 123 | log ChildOEP 124 | log ChildProcessID 125 | mov [temp1], #EBFE# 126 | 127 | // Find and patch Crypto Proc 128 | 129 | rtr 130 | sti 131 | gmemi eip, MEMORYBASE 132 | mov CryptoProcess, $RESULT 133 | find CryptoProcess, #8B048A50E8????????83C40C# // "mov eax, dword ptr ds:[edx+ecx*4]" "push eax" "call XXXXXXXX" "add esp,0c" 134 | cmp $RESULT, 0 135 | je Error1 136 | mov CryptoProcess, $RESULT 137 | add CryptoProcess, 04 138 | mov [CryptoProcess], #9090909090# 139 | log CryptoProcess 140 | log "Crypto Process was nopped." 141 | 142 | eval "Successfully Patched OEP = {ChildOEP} of Child Process (PID= {ChildProcessID}) from {OEPBytes} (Inverted) to EBFE.\r\n\r\nCheck log for more info. Press OK to continue." 
143 | msg $RESULT 144 | 145 | // Patch CopyMemII and WaitForDebugEvent 146 | 147 | bphws WaitForDebugEvent, "x" 148 | erun 149 | 150 | bphwc WaitForDebugEvent 151 | 152 | mov Patch1, [esp] 153 | sub Patch1, 12 154 | log Patch1 155 | mov [Patch1], #909090909090909090909090909090909090# 156 | add Patch1, 14 157 | eval "jmp {CodeBegin}" 158 | asm Patch1, $RESULT 159 | add Patch1, 05 160 | eval "nop" 161 | asm Patch1, $RESULT 162 | 163 | mov Patch2, CodeBegin 164 | eval "add dword [{OEPOffset1}],1000" 165 | asm Patch2, $RESULT 166 | add Patch2, 0A 167 | eval "add dword [{OEPOffset2}],1000" 168 | asm Patch2, $RESULT 169 | add Patch2, 0A 170 | eval "add dword [{OEPOffset3}],1000" 171 | asm Patch2, $RESULT 172 | add Patch2, 0A 173 | eval "cmp dword [{OEPOffset3}],{DataBegin}" 174 | asm Patch2, $RESULT 175 | add Patch2, 0A 176 | eval "jnz {Patch1}" 177 | asm Patch2, $RESULT 178 | add Patch2, 06 179 | eval "push {ChildProcessID}" 180 | asm Patch2, $RESULT 181 | add Patch2, 05 182 | eval "call {DebugActiveProcessStop}" 183 | asm Patch2, $RESULT 184 | add Patch2, 05 185 | eval "nop" 186 | asm Patch2, $RESULT 187 | 188 | sub CodeBegin, 1000 189 | mov [OEPOffset1], CodeBegin 190 | mov [OEPOffset2], CodeBegin 191 | mov [OEPOffset3], CodeBegin 192 | 193 | //go [esp] 194 | 195 | mov eip, [esp] 196 | bphws Patch2, "x" 197 | erun 198 | 199 | bphwc Patch2 200 | msg "Script Completed Successfully! More Info in Log. Have fun!" 201 | jmp End 202 | 203 | Error1: 204 | msg "Can't find Crypto Process call!" 205 | 206 | End: 207 | ret -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.xx - 5.xx Detach from Client.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Detach Father from Child+Patch Crypto Process+CopyMem2 4 | Credits go to Ricardo, Hippu, Tenketsu and VolX for thier scripts and ideas. 
5 | 6 | */ 7 | 8 | //Variable Declarations 9 | 10 | var WaitForDebugEvent 11 | var WriteProcessMemory 12 | var DebugActiveProcessStop 13 | var PEHeaderBase 14 | var ImageBase 15 | var CodeBegin 16 | var DataBegin 17 | var ProcessDebugEvent 18 | var ProcessBuffer 19 | var ChildProcessID 20 | var ChildOEP 21 | var OEPBytes 22 | var OEPOffset1 23 | var OEPOffset2 24 | var OEPOffset3 25 | var CryptoProcess 26 | var Address 27 | var Buffer 28 | var Patch1 29 | var Patch2 30 | var temp1 31 | 32 | //Setup 33 | 34 | dbh 35 | 36 | msg "Clear all breakpoints, and Set Ollydbg to pass all exceptions,\r\nand add custom exceptions C0000005, C000001D, C000001E and C0000096, press OK to continue." 37 | 38 | gpa "WaitForDebugEvent", "kernel32.dll" 39 | mov WaitForDebugEvent, $RESULT 40 | gpa "WriteProcessMemory", "kernel32.dll" 41 | mov WriteProcessMemory, $RESULT 42 | gpa "DebugActiveProcessStop", "kernel32.dll" 43 | mov DebugActiveProcessStop, $RESULT 44 | 45 | //Get Section Bases 46 | 47 | gmi eip, MODULEBASE 48 | mov ImageBase, $RESULT 49 | mov PEHeaderBase, ImageBase 50 | add PEHeaderBase, 3C // Offset to PE signature 51 | mov PEHeaderBase, [PEHeaderBase] 52 | add PEHeaderBase, ImageBase 53 | 54 | mov CodeBegin, PEHeaderBase 55 | add CodeBegin, 104 // Offset to 1st Section Virtual Address 56 | mov CodeBegin, [CodeBegin] 57 | add CodeBegin, ImageBase 58 | 59 | mov DataBegin, PEHeaderBase // Offset to 2nd Section Virtual Address 60 | add DataBegin, 12C 61 | mov DataBegin, [DataBegin] 62 | add DataBegin, ImageBase 63 | 64 | log CodeBegin 65 | log DataBegin 66 | 67 | // Begin Unpacking 68 | 69 | bphws WriteProcessMemory, "x" 70 | erun 71 | 72 | bphwc WriteProcessMemory 73 | bphws WaitForDebugEvent, "x" 74 | erun 75 | 76 | // Get Information at WaitForDebugEvent 77 | 78 | bphwc WaitForDebugEvent 79 | mov ProcessDebugEvent, esp 80 | add ProcessDebugEvent, 04 81 | mov ProcessDebugEvent, [ProcessDebugEvent] 82 | mov OEPOffset1, ProcessDebugEvent 83 | add OEPOffset1, 18 84 | mov 
OEPOffset2, ProcessDebugEvent 85 | add OEPOffset2, 24 86 | mov OEPOffset3, ProcessDebugEvent 87 | add OEPOffset3, 28 88 | log ProcessDebugEvent 89 | log OEPOffset1 90 | log OEPOffset2 91 | log OEPOffset3 92 | 93 | // Get Child Process ID and Child OEP 94 | 95 | bphws WriteProcessMemory, "x" 96 | erun 97 | 98 | bphwc WriteProcessMemory 99 | mov ChildProcessID, ProcessDebugEvent 100 | add ChildProcessID, 04 101 | mov ChildProcessID, [ChildProcessID] 102 | mov ChildOEP, [OEPOffset1] 103 | 104 | // Get Stack Info 105 | 106 | mov Address, esp 107 | add Address, 08 108 | mov Address, [Address] 109 | log Address 110 | 111 | mov Buffer, esp 112 | add Buffer, 0C 113 | mov Buffer, [Buffer] 114 | log Buffer 115 | 116 | // Patch OEP of Child 117 | 118 | mov temp1, ChildOEP 119 | sub temp1, Address 120 | add temp1, Buffer 121 | mov OEPBytes, [temp1] 122 | log "OEP of Child Process was patched to EBFE" 123 | log ChildOEP 124 | log ChildProcessID 125 | mov [temp1], #EBFE# 126 | 127 | // Find and patch Crypto Proc 128 | 129 | rtr 130 | sti 131 | gmemi eip, MEMORYBASE 132 | mov CryptoProcess, $RESULT 133 | find CryptoProcess, #8B048A50E8????????83C40C# // "mov eax, dword ptr ds:[edx+ecx*4]" "push eax" "call XXXXXXXX" "add esp,0c" 134 | cmp $RESULT, 0 135 | je Error1 136 | mov CryptoProcess, $RESULT 137 | add CryptoProcess, 04 138 | mov [CryptoProcess], #9090909090# 139 | log CryptoProcess 140 | log "Crypto Process was nopped." 141 | 142 | eval "Successfully Patched OEP = {ChildOEP} of Child Process (PID= {ChildProcessID}) from {OEPBytes} (Inverted) to EBFE.\r\n\r\nCheck log for more info. Press OK to continue." 
143 | msg $RESULT 144 | 145 | // Patch CopyMemII and WaitForDebugEvent 146 | 147 | bphws WaitForDebugEvent, "x" 148 | erun 149 | 150 | bphwc WaitForDebugEvent 151 | 152 | mov Patch1, [esp] 153 | sub Patch1, 12 154 | log Patch1 155 | mov [Patch1], #909090909090909090909090909090909090# 156 | add Patch1, 14 157 | eval "jmp {CodeBegin}" 158 | asm Patch1, $RESULT 159 | add Patch1, 05 160 | eval "nop" 161 | asm Patch1, $RESULT 162 | 163 | mov Patch2, CodeBegin 164 | eval "add dword [{OEPOffset1}],1000" 165 | asm Patch2, $RESULT 166 | add Patch2, 0A 167 | eval "add dword [{OEPOffset2}],1000" 168 | asm Patch2, $RESULT 169 | add Patch2, 0A 170 | eval "add dword [{OEPOffset3}],1000" 171 | asm Patch2, $RESULT 172 | add Patch2, 0A 173 | eval "cmp dword [{OEPOffset3}],{DataBegin}" 174 | asm Patch2, $RESULT 175 | add Patch2, 0A 176 | eval "jnz {Patch1}" 177 | asm Patch2, $RESULT 178 | add Patch2, 06 179 | eval "push {ChildProcessID}" 180 | asm Patch2, $RESULT 181 | add Patch2, 05 182 | eval "call {DebugActiveProcessStop}" 183 | asm Patch2, $RESULT 184 | add Patch2, 05 185 | eval "nop" 186 | asm Patch2, $RESULT 187 | 188 | sub CodeBegin, 1000 189 | mov [OEPOffset1], CodeBegin 190 | mov [OEPOffset2], CodeBegin 191 | mov [OEPOffset3], CodeBegin 192 | 193 | //go [esp] 194 | 195 | mov eip, [esp] 196 | bphws Patch2, "x" 197 | erun 198 | 199 | bphwc Patch2 200 | msg "Script Completed Successfully! More Info in Log. Have fun!" 201 | jmp End 202 | 203 | Error1: 204 | msg "Can't find Crypto Process call!" 
205 | 206 | End: 207 | ret -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.xx - 5.xx Fingerprint Patcher v0.1.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 3.xx - 5.xx Fingerprint Patcher v0.1.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.xx - 5.xx Fingerprint Patcher v0.2.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 3.xx - 5.xx Fingerprint Patcher v0.2.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.xx - 6.xx HardwareID Patcher v1.0.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 3.xx - 6.xx HardwareID Patcher v1.0.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.xx DLL Unpack v0.1.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 3.xx DLL Unpack v0.1.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 3.xx Unpack (Standard Protection) v0.1.txt: -------------------------------------------------------------------------------- 1 | /* 2 | ////////////////////////////////////////////////// 3 | Armadillo 3.x Unpacking script(Standard protection) v0.1 4 | Author: loveboom 5 | Email : loveboom%163.com 6 | OS : WinXP sp2,Ollydbg 1.1,OllyScript 
v0.92 7 | Date : 2004-12-20 8 | Action: Auto fix IAT,find oep 9 | Config: Ignore all exceptions and ingnore exception: 'C000001E (INVALID LOCK SEQUENCE)' 10 | Note : If you have one or more question, email me please,thank you! 11 | ////////////////////////////////////////////////// 12 | */ 13 | 14 | var addr 15 | 16 | start: 17 | msgyn "Setting:Ignore all exceptions and ingnore exception: 'C000001E (INVALID LOCK SEQUENCE)'" 18 | cmp $RESULT,1 19 | je lbl1 20 | ret 21 | 22 | lbl1: 23 | gpa "GetModuleHandleA","kernel32.dll" 24 | bphws $RESULT,"x" 25 | esto 26 | 27 | lbl2: 28 | mov addr,esp 29 | add addr,4 30 | mov addr,[addr] 31 | mov addr,[addr] 32 | cmp addr,4256534D //'MSVMVB60.dll' 33 | je lbl3 34 | esto 35 | jmp lbl2 36 | 37 | lbl3: 38 | esto 39 | 40 | lbl4: 41 | mov addr,esp 42 | add addr,4 43 | mov addr,[addr] 44 | mov addr,[addr] 45 | cmp addr,61766461 //'ADVAPI32.DLL' 46 | je lbl5 47 | esto 48 | jmp lbl4 49 | 50 | lbl5: 51 | esto 52 | bphwc $RESULT 53 | rtu 54 | 55 | lblfs: 56 | find eip,#8338000F84# //Find command 'CMP [EAX],0' 57 | cmp $RESULT,0 58 | je lblabort 59 | bp $RESULT 60 | esto 61 | bc $RESULT 62 | mov [eax],0 //clear [eax] 63 | find eip,#2BF9FFD7# //find commands 'SUB EDI,ECX;call edi' 64 | cmp $RESULT,0 65 | je lblabort 66 | bp $RESULT 67 | esto 68 | 69 | lblfinished: 70 | bc $RESULT 71 | sto 72 | sti 73 | 74 | lbloep: 75 | cmt eip,"oep" 76 | msg "Script by loveboom[DFCG[FCG][US],Thank you for using my script!" 77 | ret 78 | 79 | lblabort: 80 | msg "Script abort!Maybe target is not protect by Armadillo Standard protection." 
81 | ret 82 | 83 | -------------------------------------------------------------------------------- /Armadillo/Armadillo 4.0 - 4.4 DLL Unpack.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 4.0 - 4.4 DLL Unpack.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 4.0 - 4.40 OEP Finder + Debug Blocker (Standard Protection).txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 4.0 - 4.40 OEP Finder + Debug Blocker (Standard Protection).txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 4.0 - 5.xx OEP Finder + Debug Blocker (Standard Protection).txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 4.0 - 5.xx OEP Finder + Debug Blocker (Standard Protection).txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 4.20 Public Builds OEP Finder (only for CopyMem2 + Debug Blocker).txt: -------------------------------------------------------------------------------- 1 | /* 2 | Armadillo 4.20 public builds OEP finder by KaGra,use it only if target has CopyMEM2+DebugBlocker (both) 3 | May works in all 4.xx versionz,test it 4 | */ 5 | 6 | var writeproc 7 | var waitfordbg 8 | var oeploc 9 | var findbp 10 | 11 | 12 | 13 | 14 | gpa "WriteProcessMemory", "kernel32.dll" 15 | mov writeproc, $RESULT 16 | 17 | jmp here 18 | again: 19 | inc writeproc 20 | here: 21 | find writeproc,#55??????# 22 | cmp writeproc,$RESULT 23 | jne again 24 | 25 | 26 | add writeproc,3 
27 | 28 | 29 | gpa "WaitForDebugEvent", "kernel32.dll" 30 | mov waitfordbg, $RESULT 31 | 32 | jmp there 33 | 34 | again2: 35 | inc waitfordbg 36 | there: 37 | find waitfordbg,#55??????# 38 | cmp waitfordbg,$RESULT 39 | jne again2 40 | 41 | 42 | 43 | add waitfordbg,3 44 | 45 | 46 | 47 | bp writeproc 48 | 49 | esto 50 | esto 51 | 52 | bp waitfordbg 53 | esto 54 | 55 | add esp,8 56 | mov oeploc,[esp] 57 | sub esp,8 //SOS 58 | 59 | 60 | bc waitfordbg 61 | esto 62 | 63 | bc writeproc 64 | 65 | add oeploc,54 66 | 67 | mov eax,[oeploc] 68 | 69 | msg "EAX has the OEP :),script made by KaGra" 70 | 71 | 72 | 73 | 74 | 75 | -------------------------------------------------------------------------------- /Armadillo/Armadillo 4.30a Simple Unpacking Script.txt: -------------------------------------------------------------------------------- 1 | /* 2 | ============================================== 3 | Armadillo 4.30a - simple unpacking script 4 | ============================================== 5 | 6 | This script can unpack Armadillo 4.30a 7 | with standard protection enabled. 8 | 9 | Features: 10 | 11 | - Finds OEP; 12 | - Prevents import emulation. 13 | 14 | Usage: 15 | - Ignore all exceptions!!! 16 | - Add to custom C000001E and ignore it. 17 | ============================================== 18 | */ 19 | 20 | 21 | 22 | //Defining_variables: 23 | 24 | var DebugString 25 | var TickCount 26 | var MagicJump 27 | 28 | 29 | //============================================== 30 | // 1. Fooling Olly debug string exploit 31 | //============================================== 32 | 33 | 34 | gpa "OutputDebugStringA","kernel32.dll" 35 | mov DebugString,$RESULT 36 | bp DebugString 37 | esto 38 | bc eip 39 | asm eip,"RETN 4" 40 | 41 | 42 | 43 | //================================================================ 44 | // 2. 
Finding import redirection procedure and preventing it 45 | //================================================================ 46 | 47 | gpa "GetTickCount","kernel32.dll" 48 | mov TickCount,$RESULT 49 | bp TickCount 50 | esto 51 | bc eip 52 | rtr 53 | bp eip 54 | mov TickCount,eip 55 | 56 | 57 | SearchingPlace: 58 | esto 59 | sti 60 | find eip,#75118B85??????FF8B40??8985??????FFEB02EB??8B85??????FF408985??????FFEB378D8D??????FFE8????????0FB6C0996A??59F7F9# 61 | cmp $RESULT,0 62 | je SearchingPlace 63 | 64 | bc TickCount 65 | mov MagicJump,$RESULT 66 | bphws MagicJump,"x" 67 | esto 68 | 69 | bphwc MagicJump 70 | mov [eip],858B11EB 71 | 72 | 73 | find MagicJump,#8B85??????FF8985??????FFFFB5??????FFE8??????005983BD??????FF000F84??????00# 74 | bp $RESULT 75 | esto 76 | 77 | bc eip 78 | mov [MagicJump],858B1175 79 | 80 | 81 | 82 | 83 | //================ 84 | // 3. Find OEP 85 | //================ 86 | 87 | gpa "CreateThread","kernel32.dll" 88 | bp $RESULT 89 | esto 90 | bc eip 91 | rtu 92 | rtr 93 | sti 94 | 95 | find eip,#FFD18945FC8B45FC5F5EC9C3# 96 | bp $RESULT 97 | esto 98 | bc eip 99 | sti 100 | 101 | 102 | cmt eip,"OEP found! Fix header by copy-paste before dump." 
103 | ret 104 | 105 | 106 | -------------------------------------------------------------------------------- /Armadillo/Armadillo 4.4 OEP Finder + Fix Magic Jump.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 4.4 OEP Finder + Fix Magic Jump.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 4.42 CopyMem2 Child Process Decode.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 4.42 CopyMem2 Child Process Decode.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 4.42 CopyMem2 Decrypt Code Sections.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 4.42 CopyMem2 Decrypt Code Sections.txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 4.xx CopyMem2 (DebugActiveProcess).txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 4.xx CopyMem2 (DebugActiveProcess).txt -------------------------------------------------------------------------------- /Armadillo/Armadillo 4.xx CopyMem2 (Fix IAT).txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 4.xx CopyMem2 (Fix IAT).txt 
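The "Get Section Bases" block of the two Armadillo 3.xx - 5.xx Detach from Client scripts above derives CodeBegin and DataBegin from the fixed offsets PE+104 and PE+12C. As an added example that is not part of the repository, the Python below reproduces that arithmetic next to a general section-table walk and checks, on a constructed headers-only image, the assumption under which the constants are right (a PE32 optional header of E0 bytes and at least two sections); every function name is mine.

```python
# Added example, not from the OllyDbg-Scripts repository. Reproduces the
# Detach from Client scripts' section-base arithmetic (ImageBase+3C -> e_lfanew,
# PE+104 -> first section VirtualAddress, PE+12C -> second) and compares it with
# a parser that honours the header's own field sizes. Sample image is constructed.
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 0x14
SECTION_HEADER_SIZE = 0x28
PE32_OPTIONAL_HEADER_SIZE = 0xE0   # PE32; PE32+ images carry 0xF0 here


def u32(image: bytes, offset: int) -> int:
    return struct.unpack_from("<I", image, offset)[0]


def u16(image: bytes, offset: int) -> int:
    return struct.unpack_from("<H", image, offset)[0]


def script_section_bases(image: bytes, image_base: int):
    """Literal translation of the scripts' CodeBegin / DataBegin computation."""
    pe_header = u32(image, 0x3C)                       # add PEHeaderBase, 3C
    code_begin = image_base + u32(image, pe_header + 0x104)
    data_begin = image_base + u32(image, pe_header + 0x12C)
    return code_begin, data_begin


def section_bases(image: bytes, image_base: int):
    """General form: locate the section table from SizeOfOptionalHeader."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_header = u32(image, 0x3C)
    if image[pe_header:pe_header + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    coff = pe_header + 4
    number_of_sections = u16(image, coff + 2)
    size_of_optional_header = u16(image, coff + 16)
    first_section = coff + COFF_HEADER_SIZE + size_of_optional_header
    # VirtualAddress sits at offset 0x0C inside each 0x28-byte section header
    return [image_base + u32(image, first_section + i * SECTION_HEADER_SIZE + 0x0C)
            for i in range(number_of_sections)]


def script_constants_hold(image: bytes) -> bool:
    """PE+0x104 / PE+0x12C are only the first two VirtualAddress fields when the
    optional header is the PE32 size and there are at least two sections."""
    coff = u32(image, 0x3C) + 4
    return (u16(image, coff + 16) == PE32_OPTIONAL_HEADER_SIZE
            and u16(image, coff + 2) >= 2)


def build_header(optional_header_size: int, sections) -> bytes:
    """Construct a headers-only PE image (no section data) for testing."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       optional_header_size, 0x102)
    optional = bytearray(optional_header_size)
    struct.pack_into("<H", optional, 0, 0x10B if optional_header_size == 0xE0 else 0x20B)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x1000, 0x400 * (i + 1),
                    0, 0, 0, 0, 0x60000020)
        for i, (name, va) in enumerate(sections))
    return bytes(dos) + PE_SIGNATURE + coff + bytes(optional) + table


if __name__ == "__main__":
    layout = [(b".text", 0x1000), (b".rdata", 0x5000)]
    for size in (0xE0, 0xF0):
        img = build_header(size, layout)
        print(hex(size), [hex(v) for v in section_bases(img, 0x400000)],
              [hex(v) for v in script_section_bases(img, 0x400000)],
              script_constants_hold(img))
```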
--------------------------------------------------------------------------------
/Armadillo/Armadillo 4.xx CopyMem2 OEP Finder v0.1.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo 4.xx CopyMem2 OEP Finder v0.1.txt

--------------------------------------------------------------------------------
/Armadillo/Armadillo 4.xx Nanomites (WaitForDebugEvent).txt:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////////////
// FileName : WaitForDebugEvent.osc
// Comment : Armadillo V4.X Nanomites WaitForDebugEvent
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : fly
// WebSite : http://www.unpack.cn
// Date : 2005-11-04 16:40
//////////////////////////////////////////////////////////
#log
dbh

var BeginFix
var WaitForDebugEvent


gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#

gpa "WaitForDebugEvent", "KERNEL32.dll"
find $RESULT,#C20800#
mov WaitForDebugEvent,$RESULT
bp WaitForDebugEvent
esto
GoOn0:
esto
WaitForDebugEvent:
cmp eip,WaitForDebugEvent
jne GoOn0

bc WaitForDebugEvent
rtu


find eip,#C785????????000000006AFF6A04#
cmp $RESULT, 0
je Error
mov BeginFix,$RESULT
eob BeginFix
bp BeginFix
esto
GoOn1:
esto
BeginFix:
cmp eip,BeginFix
jne GoOn1
bc BeginFix
cmt BeginFix,"Plz Continue Fix Nanomites !"


OK:
MSG " Plz Continue Fix Nanomites ! Game Over. "
ret

Error:
msg "Error!"
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo 4.xx OEP Finder.txt:
--------------------------------------------------------------------------------
/*
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before running the script.
- Add the following custom exceptions on OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

// Modified by Maltese. Allows Armadillo to function within Olly.
// Armadillo functions would not work with ORIGINAL SCRIPT.
// Confirmed working with TheaterTek 2.11


var CreateThread
var OEP

gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT

bp CreateThread
esto
esto
rtu
bc CreateThread
rtr
sti

find eip, #2B??FF??8?#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"

msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"

--------------------------------------------------------------------------------
/Armadillo/Armadillo 5.xx - 8.xx Password Patcher v0.1.txt:
--------------------------------------------------------------------------------
//Armadillo v5.xx - 8.xx password patcher script
//Created by: Mr. eXoDia // T.P.o.D.T 2011
//You may need to detach Debugger-Blocker before you run this script...

//Tested on versions:
//5.42
//6.40.0329 (Custom Build!)
//6.60.0140 (Custom Build!)
//7.00.0081 (Custom Build!)
//7.20
//8.00
//8.20

//Byte signatures:
//#8945??# = MOV DWORD PTR SS:[LOCAL.XX], EAX

bphwc //We need to clear HWBPs

var Sleep //Set a variable for the Sleep HWBP

gpa "Sleep", "kernel32.dll" //Obtain the address
add $RESULT, 10 //Add 10h to the result (RETN of kernel32.Sleep)
mov Sleep, $RESULT //Move the result in 'Sleep'
msg "Pause OllyDbg (F12) when the 'Enter Password' dialog is fully loaded..." //Instructions
erun //Run the target after the user clicked OK
bphws Sleep, "x" //If the user pressed pause we set a HWBP on 'Sleep+10h'
erun //Run the target again
esti //If Break @ Sleep+10h step into the RETN
bphwc //Clear HWBPs
find eip, #8945??# //Search for MOV DWORD PTR SS:[LOCAL.XX], EAX
cmp $RESULT, 0 //compare the result with 0
je error //If it's equal, show an error.

bphws $RESULT, "x" //Else set a HWBP on the command
msg "Now click Cancel on the 'Enter Password' dialog to continue..." //More instruction
erun //Run the target after the user clicked Cancel

cmp eax,0 //check if the cancel button is clicked
jne error //if not, error!
mov eax,1 //Move 1 in EAX (the actual patch!)
rtr //Execute till return
esti //Step into
bphwc //Clear HWBPs
jmp end //Jump to the end of the script...

error:
msg "Error while executing script... maybe unsupported version :(" //Show an error message

end:
msg "Password patched! You can load another script or continue manual unpacking (set your HWBPs again!)" //Script success!!!
--------------------------------------------------------------------------------
/Armadillo/Armadillo 6.40 Detach v0.1.txt:
--------------------------------------------------------------------------------
var CreateProcessW
var WriteProcessMemory
var ResumeThread
var WaitForDebugEvent
var buffer
var pProcessInfo
var oldbyte1
var oldbyte2
var PID
var OEP

msg "Armadillo v6.40 Detach script by Mr. eXoDia"

gpa "CreateProcessW", "kernel32.dll"
mov CreateProcessW, $RESULT
gpa "WriteProcessMemory", "kernel32.dll"
mov WriteProcessMemory, $RESULT
gpa "ResumeThread", "kernel32.dll"
mov ResumeThread, $RESULT
gpa "WaitForDebugEvent", "kernel32.dll"
mov WaitForDebugEvent, $RESULT

bp CreateProcessW
erun
bc
mov pProcessInfo, [esp+28]


bp WriteProcessMemory
erun
mov PID, [pProcessInfo+8]
bc
mov OEP, [esp+8]
estep
bp WriteProcessMemory
erun
bc
mov buffer, [esp+C]
mov oldbyte2, [buffer+1]
mov [buffer+1], #00#
mov oldbyte1, [buffer]
mov [buffer], #EBFE#

bp ResumeThread
erun
bc
rtr
bp WaitForDebugEvent
erun
bc
rtr

esti

exec
push {PID}
call DebugActiveProcessStop
ende

eval "PID: {PID}, OEP: {OEP}, Original bytes {oldbyte1} {oldbyte2}, New bytes: EB FE"
msg $RESULT

--------------------------------------------------------------------------------
/Armadillo/Armadillo 6.xx CRC Finder Script - Debug Blocker Protection.txt:
--------------------------------------------------------------------------------
///////////////////////////////////////////////////
// Author: Unregistered !
// Homepage: www.reaonline.net
// Date: 05/09/2008
//////////////////////////////////////////////////


bc
bphwc
mov Chk,0
FaCh:
gpa "OpenMutexA", "kernel32.dll"
bp $RESULT
esto
bc eip
mov pra3,[esp+0C]
cmp [pra3+3],41443A3A
je OMA

OMA:
add Chk,1
findop eip, #C2#
bp $RESULT
esto
bc eip
sto
sto
mov !ZF,0
cmp Chk,2
je Con
jmp FaCh


Con:
gpa "OutputDebugStringA", "KERNEL32.dll"
bp $RESULT
esto
esto
bc eip

findop [esp],#3345??#
cmp $RESULT,0
je Error //added check: the original compared $RESULT but never branched, so a failed search set a breakpoint at 0
bp $RESULT
esto
bc eip
mov Temp,[$RESULT+2]
and Temp,0FF
mov lCRC1,0FF
sub lCRC1,Temp
add lCRC1,1
mov bCRC1,eax
sto
mov CRC1,eax
xor CRC1,bCRC1

findop eip,#8D45??#
cmp $RESULT,0
je Error
bp $RESULT
esto
bc eip
mov Temp,[$RESULT+2]
and Temp,0FF
mov lCRC2,0FF
sub lCRC2,Temp
add lCRC2,1
mov bCRC1,eax
sto

mov CRC2,[eax]
mov CRC3,[eax+4]
mov CRC4,[eax+8]
mov CRC5,[eax+0C]
mov Temp,lCRC2
sub Temp,4
mov lCRC3,Temp
sub Temp,4
mov lCRC4,Temp
sub Temp,4
mov lCRC5,Temp

eval "CRC1 : {CRC1} (EBP - {lCRC1}) \r\nCRC2 : {CRC2} (EBP - {lCRC2}) \r\nCRC3 : {CRC3} (EBP - {lCRC3}) \r\nCRC4 : {CRC4} (EBP - {lCRC4}) \r\nCRC5 : {CRC5} (EBP - {lCRC5}) \r\nTry to fix these CRC Values by hooking OutputDebugStringA at the second execute !"
msg $RESULT
ret

Error:
msg "Error occurred ! Script terminated now !"
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo 6.xx CRC Patcher - DebugBlocker Protection.txt:
--------------------------------------------------------------------------------
////////////////////////////////////////////////////
// Author: Unregistered !
// Homepage: www.reaonline.net
// Date: 06/09/2008
///////////////////////////////////////////////////

BC
BPHWC
//Get some necessary API from Target's Import Table
gmi eip,MODULEBASE
mov ImgBase,$RESULT
mov EP,eip
mov PEaddr, [$RESULT+3C]
add PEaddr,ImgBase
mov ExpTable,[PEaddr+0D8]
add ExpTable,ImgBase

mov Cave,eip

FindEmptyByte:
add Cave,4
find Cave,#00000000#
cmp $RESULT,0
je Error
mov Cave,$RESULT
cmp [$RESULT+4],0
jne FindEmptyByte
cmp [$RESULT+8],0
jne FindEmptyByte
cmp [$RESULT+0C],0
jne FindEmptyByte
cmp [$RESULT+10],0
jne FindEmptyByte
cmp [$RESULT+14],0
jne FindEmptyByte

gpa "VirtualProtect","kernel32.dll"
mov pVirtual,$RESULT
gpa "GetProcAddress","kernel32.dll"
mov pGetProc,$RESULT
gpa "GetModuleHandleA","kernel32.dll"
mov pGetModule,$RESULT
exec
pushad
ende

mov eax,pVirtual
mov ebx,pGetProc
mov ecx,0
mov edx,0

mov esi,3
L1:
mov cl,al
mov dl,bl
cmp esi,0
je Cont1
dec esi
shr eax,8
shr ebx,8
shl ecx,8
shl edx,8
jmp L1

Cont1:
mov eax,pGetModule
mov ebx,0
mov esi,3

L2:
mov bl,al
cmp esi,0
je next
dec esi
shr eax,8
shl ebx,8
jmp L2

next:
mov pVirtual,ecx
mov pGetProc,edx
mov pGetModule,ebx
exec
popad
ende

//Get address of "GetModuleHandleA" Import
eval "#{pGetModule}#"
find ExpTable,$RESULT
mov GetModuleHandleA,$RESULT

//Get address of "GetProcAddress" Import
eval "#{pGetProc}#"
find ExpTable,$RESULT
mov GetProcAddress,$RESULT

//Get address of "VirtualProtect" Import
eval "#{pVirtual}#"
find ExpTable,$RESULT
mov VirtualProtect,$RESULT

FindCRCs:
mov Chk,0
FaCh:
gpa "OpenMutexA", "kernel32.dll"
bp $RESULT
esto
bc eip
mov pra3,[esp+0C]
cmp [pra3+3],41443A3A
je OMA

OMA:
add Chk,1
findop eip, #C2#
bp $RESULT
esto
bc eip
sto
sto
mov !ZF,0
cmp Chk,2
je Con
jmp FaCh


Con:
gpa "OutputDebugStringA", "KERNEL32.dll"
bp $RESULT
esto
esto
bc eip

findop [esp],#3345??#
cmp $RESULT,0
je Error //added check: the original compared $RESULT but never branched, so a failed search set a breakpoint at 0
bp $RESULT
esto
bc eip
mov Temp,[$RESULT+2]
and Temp,0FF
mov lCRC1,0FF
sub lCRC1,Temp
add lCRC1,1
mov bCRC1,eax
sto
mov CRC1,eax
xor CRC1,bCRC1

findop eip,#8D45??#
cmp $RESULT,0
je Error
bp $RESULT
esto
bc eip
mov Temp,[$RESULT+2]
and Temp,0FF
mov lCRC2,0FF
sub lCRC2,Temp
add lCRC2,1
mov bCRC1,eax
sto

mov CRC2,[eax]
mov CRC3,[eax+4]
mov CRC4,[eax+8]
mov CRC5,[eax+0C]
mov Temp,lCRC2
sub Temp,4
mov lCRC3,Temp
sub Temp,4
mov lCRC4,Temp
sub Temp,4
mov lCRC5,Temp


//Inline Place
mov [Cave],#6B65726E656C33322E646C6C004F75747075744465627567537472696E674100# //String
mov [Cave+20],#609C# //PUSHAD - PUSHFD
mov Temp,Cave
add Temp,22
eval "PUSH {Cave}"
asm Temp,$RESULT
add Temp,5
mov [Temp],#FF15#
mov [Temp+2],GetModuleHandleA
add Temp,6
mov Temp2,Cave
add Temp2,0D
eval "PUSH {Temp2}"
asm Temp,$RESULT
eval "PUSH EAX"
mov [Cave+32],#50FF15#
mov [Cave+35],GetProcAddress
mov Temp,Cave
mov Temp2,Cave
add Temp2,41
add Temp,39
eval "MOV DWORD PTR DS:[{Temp2}],EAX"
asm Temp,$RESULT
mov Temp,Cave
add Temp,3F
mov [Temp],#EB04#
add Temp,6
mov Temp2,Temp
add Temp2,12
eval "PUSH {Temp2}"
asm Temp,$RESULT
mov [Temp+5],#6A406A1050#
mov [Temp+0A],#FF15#
mov [Temp+0C],VirtualProtect
mov [Temp+10],#EB04#
add Temp,16
mov Temp2,Cave
add Temp2,41
mov [Temp],#A1#
mov [Temp+1],Temp2

add Temp,5
eval "MOV BYTE PTR DS:[EAX],68"
asm Temp,$RESULT
add Temp,3
mov Temp2,Cave
add Temp2,75
eval "MOV DWORD PTR DS:[EAX+1],{Temp2}"
asm Temp,$RESULT
add Temp,7
mov [Temp],#C64005C39D61#
add Temp,6
eval "JMP {EP}"
asm Temp,$RESULT
mov Temp,Cave
add Temp,75
mov [Temp],#EB01#
mov Temp2,Temp
add Temp2,2
add Temp,3
eval "CMP BYTE PTR DS:[{Temp2}],1"
asm Temp,$RESULT
add Temp,7
mov [Temp],#7537#
add Temp,2
eval "MOV DWORD PTR SS:[EBP-{lCRC1}],{CRC1}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC2}],{CRC2}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC3}],{CRC3}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC4}],{CRC4}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC5}],{CRC5}"
asm Temp,$RESULT
add Temp,7
eval "PUSHAD"
asm Temp,$RESULT
add Temp,1
mov Temp2,Cave
add Temp2,41
mov [Temp],#A1#
mov [Temp+1],Temp2
add Temp,5
mov [Temp],#C700B8010000C7400400C2040061FE05#
add Temp,10
mov Temp2,Cave
add Temp2,77
mov [Temp],Temp2
add Temp,4
mov [Temp],#B801000000C20400#
add Temp,8
mov Temp2,Cave
add Temp2,20
mov eip,Temp2
cmt eip,"<- Change new EP to this VA"
sub Temp2,ImgBase

eval "Inlined Successfully ! \r\nSave change from VA: {Cave} to VA: {Temp} to new file \r\nAnd use a PE Editor (LordPE, CFF Explorer,...) to change EP of saved file to {Temp2}"
msg $RESULT
ret

Error:
msg "Error occurred ! Script terminated now !"
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo 6.xx CRC Patcher - Standard Protection.txt:
--------------------------------------------------------------------------------
////////////////////////////////////////////////////
// Author: Unregistered !
// Homepage: www.reaonline.net
// Date: 06/09/2008
///////////////////////////////////////////////////


BC
BPHWC
//Get some necessary API from Target's Import Table
gmi eip,MODULEBASE
mov ImgBase,$RESULT
mov EP,eip
mov PEaddr, [$RESULT+3C]
add PEaddr,ImgBase
mov ExpTable,[PEaddr+0D8]
add ExpTable,ImgBase

mov Cave,eip

FindEmptyByte:
add Cave,4
find Cave,#00000000#
cmp $RESULT,0
je Error
mov Cave,$RESULT
cmp [$RESULT+4],0
jne FindEmptyByte
cmp [$RESULT+8],0
jne FindEmptyByte
cmp [$RESULT+0C],0
jne FindEmptyByte
cmp [$RESULT+10],0
jne FindEmptyByte
cmp [$RESULT+14],0
jne FindEmptyByte

gpa "VirtualProtect","kernel32.dll"
mov pVirtual,$RESULT
gpa "GetProcAddress","kernel32.dll"
mov pGetProc,$RESULT
gpa "GetModuleHandleA","kernel32.dll"
mov pGetModule,$RESULT
exec
pushad
ende

mov eax,pVirtual
mov ebx,pGetProc
mov ecx,0
mov edx,0

mov esi,3
L1:
mov cl,al
mov dl,bl
cmp esi,0
je Cont1
dec esi
shr eax,8
shr ebx,8
shl ecx,8
shl edx,8
jmp L1

Cont1:
mov eax,pGetModule
mov ebx,0
mov esi,3

L2:
mov bl,al
cmp esi,0
je next
dec esi
shr eax,8
shl ebx,8
jmp L2

next:
mov pVirtual,ecx
mov pGetProc,edx
mov pGetModule,ebx
exec
popad
ende

//Get address of "GetModuleHandleA" Import
eval "#{pGetModule}#"
find ExpTable,$RESULT
mov GetModuleHandleA,$RESULT

//Get address of "GetProcAddress" Import
eval "#{pGetProc}#"
find ExpTable,$RESULT
mov GetProcAddress,$RESULT

//Get address of "VirtualProtect" Import
eval "#{pVirtual}#"
find ExpTable,$RESULT
mov VirtualProtect,$RESULT

gpa "OutputDebugStringA", "KERNEL32.dll"
bp $RESULT
esto
esto
bc eip

findop [esp],#3345??#
cmp $RESULT,0
je Error //added check: the original compared $RESULT but never branched, so a failed search set a breakpoint at 0
bp $RESULT
esto
bc eip
mov Temp,[$RESULT+2]
and Temp,0FF
mov lCRC1,0FF
sub lCRC1,Temp
add lCRC1,1
mov bCRC1,eax
sto
mov CRC1,eax
xor CRC1,bCRC1

findop eip,#8D45??#
cmp $RESULT,0
je Error
bp $RESULT
esto
bc eip
mov Temp,[$RESULT+2]
and Temp,0FF
mov lCRC2,0FF
sub lCRC2,Temp
add lCRC2,1
mov bCRC1,eax
sto

mov CRC2,[eax]
mov CRC3,[eax+4]
mov CRC4,[eax+8]
mov CRC5,[eax+0C]
mov Temp,lCRC2
sub Temp,4
mov lCRC3,Temp
sub Temp,4
mov lCRC4,Temp
sub Temp,4
mov lCRC5,Temp


//Inline Place
mov [Cave],#6B65726E656C33322E646C6C004F75747075744465627567537472696E674100# //String
mov [Cave+20],#609C# //PUSHAD - PUSHFD
mov Temp,Cave
add Temp,22
eval "PUSH {Cave}"
asm Temp,$RESULT
add Temp,5
mov [Temp],#FF15#
mov [Temp+2],GetModuleHandleA
add Temp,6
mov Temp2,Cave
add Temp2,0D
eval "PUSH {Temp2}"
asm Temp,$RESULT
eval "PUSH EAX"
mov [Cave+32],#50FF15#
mov [Cave+35],GetProcAddress
mov Temp,Cave
mov Temp2,Cave
add Temp2,41
add Temp,39
eval "MOV DWORD PTR DS:[{Temp2}],EAX"
asm Temp,$RESULT
mov Temp,Cave
add Temp,3F
mov [Temp],#EB04#
add Temp,6
mov Temp2,Temp
add Temp2,12
eval "PUSH {Temp2}"
asm Temp,$RESULT
mov [Temp+5],#6A406A1050#
mov [Temp+0A],#FF15#
mov [Temp+0C],VirtualProtect
mov [Temp+10],#EB04#
add Temp,16
mov Temp2,Cave
add Temp2,41
mov [Temp],#A1#
mov [Temp+1],Temp2

add Temp,5
eval "MOV BYTE PTR DS:[EAX],68"
asm Temp,$RESULT
add Temp,3
mov Temp2,Cave
add Temp2,75
eval "MOV DWORD PTR DS:[EAX+1],{Temp2}"
asm Temp,$RESULT
add Temp,7
mov [Temp],#C64005C39D61#
add Temp,6
eval "JMP {EP}"
asm Temp,$RESULT
mov Temp,Cave
add Temp,75
mov [Temp],#EB01#
mov Temp2,Temp
add Temp2,2
add Temp,3
eval "CMP BYTE PTR DS:[{Temp2}],1"
asm Temp,$RESULT
add Temp,7
mov [Temp],#7537#
add Temp,2
eval "MOV DWORD PTR SS:[EBP-{lCRC1}],{CRC1}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC2}],{CRC2}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC3}],{CRC3}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC4}],{CRC4}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC5}],{CRC5}"
asm Temp,$RESULT
add Temp,7
eval "PUSHAD"
asm Temp,$RESULT
add Temp,1
mov Temp2,Cave
add Temp2,41
mov [Temp],#A1#
mov [Temp+1],Temp2
add Temp,5
mov [Temp],#C700B8010000C7400400C2040061FE05#
add Temp,10
mov Temp2,Cave
add Temp2,77
mov [Temp],Temp2
add Temp,4
mov [Temp],#B801000000C20400#
add Temp,8
mov Temp2,Cave
add Temp2,20
mov eip,Temp2
cmt eip,"<- Change new EP to this VA"
sub Temp2,ImgBase

eval "Patched Successfully ! \r\nSave change from VA: {Cave} to VA: {Temp} to new file \r\nAnd use a PE Editor (LordPE, CFF Explorer,...) to change EP of saved file to {Temp2}"
msg $RESULT
ret

Error:
msg "Error occurred ! Script terminated now !"
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo ArmVar.txt:
--------------------------------------------------------------------------------
var VarVal
var VarName
var ActEip

dbh
mov ActEip, eip
ask "VA disponible?"
cmp $RESULT, 0
mov VarVal, $RESULT
je FIN
mov [VarVal], "60"
mov VarName, VarVal
add VarName, 40
mov [VarName], "DAYSLEFT"
exec
pushad
pushfd
push {VarVal}
push {VarName}
call SetEnvironmentVariableA
popfd
popad
jmp {ActEip}
ende
ret

FIN:
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo CheckFlags v2.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo CheckFlags v2.txt

--------------------------------------------------------------------------------
/Armadillo/Armadillo Detach from Client + Unpack (Hipu 1000 Bytes Method).txt:
--------------------------------------------------------------------------------
/*
Armadillo script - detach parent from client and unpack (1000 bytes method) - by hipu
tnx to Ricardo for his complete instructions (im just emulating what the man says...)

MAKE SURE ALL BREAKPOINTS ARE DELETED BEFORE EXECUTING THE SCRIPT!!!

ALSO: since im using the IsDebuggerPresent plugin, i didnt do IsDebuggerPresent patch.
do whatever is needed if u dont use the plugin...

*/

var WaitForDebugEvent
var WriteProcessMemory
var pDebugEvent
var pBuffer
var child_ProcID
var oep_offset1
var oep_offset2
var oep_offset3
var crypto_proc
var child_OEP
var patched_line1
var imgbase
var rdata_begin

gmi eip,MODULEBASE
mov imgbase, $RESULT
mov rdata_begin, imgbase
find rdata_begin, #2E726461746100# //find ".rdata" string
mov rdata_begin, $RESULT
add rdata_begin, 0c
mov rdata_begin, [rdata_begin]
add rdata_begin, imgbase
log rdata_begin

/*
another way to get the .rdata_begin - taken from VolX
gmi eip,MODULEBASE
mov imgbase, $RESULT
mov rdata_begin, imgbase
add rdata_begin, 3c
mov rdata_begin, [rdata_begin]
add rdata_begin, imgbase
add rdata_begin, 0f8
add rdata_begin, 28
add rdata_begin, 0c
mov rdata_begin, [rdata_begin]
add rdata_begin, imgbase
log rdata_begin
*/

//eob found_WaitForDebugEvent
gpa "WaitForDebugEvent", "kernel32.dll"
mov WaitForDebugEvent, $RESULT
gpa "WriteProcessMemory", "kernel32.dll"
mov WriteProcessMemory, $RESULT

bp WaitForDebugEvent
run
bc WaitForDebugEvent

mov pDebugEvent, esp
add pDebugEvent, 04
mov pDebugEvent, [pDebugEvent]
log pDebugEvent

mov oep_offset1, pDebugEvent
add oep_offset1, 18
mov oep_offset2, pDebugEvent
add oep_offset2, 24
mov oep_offset3, pDebugEvent
add oep_offset3, 28

bp WriteProcessMemory
run
bc WriteProcessMemory

mov child_ProcID, pDebugEvent
add child_ProcID, 4
mov child_ProcID, [child_ProcID]
mov child_OEP, [oep_offset1]

// ******* UGLY WAY TO FIND ENCRYPTOR. USE AT YOUR OWN RISK!
mov crypto_proc, esp
add crypto_proc, 128
mov crypto_proc, [crypto_proc]
//1st crypto_proc cal...
//sub crypto_proc, 5
add crypto_proc, 2d0
mov [crypto_proc], #9090909090#
rtr //ctrl-f9
sto //f8

log "crypto_proc was nopped..."
log "patch OEP of child process to EBFE (using PUPE...)"
log child_ProcID
log child_OEP
log "press script/resume when ready"
msg "look in the log, and press script/resume when ready"

pause

bp WaitForDebugEvent
run
bc WaitForDebugEvent

mov patched_line1, [esp]
sub patched_line1, 12
fill patched_line1, 1a, 90
asm [esp], "CALL 401000"
asm 401000, "ADD DWORD PTR DS:[0], 1000"
asm 40100A, "ADD DWORD PTR DS:[0], 1000"
asm 401014, "ADD DWORD PTR DS:[0], 1000"
asm 40101E, "CMP DWORD PTR DS:[0], 0"
asm 401028, "JNZ 401035"
asm 40102A, "PUSH 0FFFFFFFF"
asm 40102F, "CALL DebugActiveProcessStop"
asm 401034, "NOP"
asm 401035, "RET"

mov [401002], oep_offset1
mov [40100C], oep_offset2
mov [401016], oep_offset3
mov [401020], oep_offset3
mov [401024], rdata_begin
mov [40102B], child_ProcID

mov [oep_offset1], 400000
mov [oep_offset2], 400000
mov [oep_offset3], 400000

//go [esp]
mov eip, [esp]

bp 401034
run
bc 401034

msg "Close OllyDbg, execute again and attach to your newly created process. Have fun."

ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo Detach from Client.txt:
--------------------------------------------------------------------------------
/*
Armadillo script - detach parent from client - by hipu
tnx to Ricardo for his complete instructions (im just emulating what the man says...)

MAKE SURE ALL BREAKPOINTS ARE DELETED BEFORE EXECUTING THE SCRIPT!!!

ALSO: since im using the IsDebuggerPresent plugin, i didnt do IsDebuggerPresent patch.
do whatever is needed if u dont use the plugin...

*/

var WaitForDebugEvent
var WriteProcessMemory
var pDebugEvent
var pBuffer
var child_ProcID

//eob found_WaitForDebugEvent
gpa "WaitForDebugEvent", "kernel32.dll"
mov WaitForDebugEvent, $RESULT
gpa "WriteProcessMemory", "kernel32.dll"
mov WriteProcessMemory, $RESULT

bp WriteProcessMemory
run

//stopped here cause of breakpoint
run

//stopped here cause of breakpoint (2nd time)
bc WriteProcessMemory
mov pBuffer, esp
add pBuffer, 0c
mov pBuffer, [pBuffer]
log "*** original OEP bytes :"
log [pBuffer]
mov [pBuffer], #EBFE#
log "*** changed OEP bytes :"
log [pBuffer]

bp WaitForDebugEvent
run
run
run
bc WaitForDebugEvent

mov pDebugEvent, esp
add pDebugEvent, 04
mov pDebugEvent, [pDebugEvent]
log pDebugEvent
mov child_ProcID, pDebugEvent
add child_ProcID, 4
mov child_ProcID, [child_ProcID]
log child_ProcID

rtr //ctrl-f9
sto //f8
mov eax, child_ProcID
asm eip, "push eax"
sto //f8
asm eip, "call DebugActiveProcessStop"
sto //f8
asm eip, "nop"
sto //f8
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo Detach.txt:
--------------------------------------------------------------------------------
var CreateP
var ChildH
var WriteP
var Count
var WaitFDV

dbh
mov Count, 0
gpa "CreateProcessW", "kernel32.dll"
mov CreateP, $RESULT
bp CreateP
eob SaveH
run

SaveH:
bc CreateP
cob
mov ChildH, esp
add ChildH, 28
mov ChildH, [ChildH]
add ChildH, 8
rtr
mov ChildH, [ChildH]
gpa "WriteProcessMemory", "kernel32.dll"
mov WriteP, $RESULT
bp WriteP
eob OEP
run

OEP:
add Count, 1
cmp Count, 2
jne Sig
bc WriteP
cob
mov Count, esp
add Count, 0C
mov Count, [Count]
log Count
log [Count]
mov [Count], #EBFE#
mov Count, 0
gpa "WaitForDebugEvent", "kernel32.dll"
mov WaitFDV, $RESULT
bp WaitFDV
eob Detach
run

Detach:
add Count, 1
cmp Count, 10
jne Sig
bc WaitFDV
cob
rtr
sto
eval "push {ChildH}"
asm eip, $RESULT
add eip, 5
asm eip, "Call DebugActiveProcessStop"
add eip, 5
asm eip, "nop"
add eip, 1
asm eip, "nop"
add eip, 1
asm eip, "nop"
sub eip, 0C
sto
sto
sto
ret

Sig:
run

--------------------------------------------------------------------------------
/Armadillo/Armadillo Detective (Debug Blocker or CopyMem2).txt:
--------------------------------------------------------------------------------

// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/*
//////////////////////////////////////////////////////////////
// Armadillo's Debug Blocker Feature or CopyMEM2 detective
// Author: hacnho mod from MEPHiST0s - ARMADiLLO DETECTiVE v1.00
// Email : hacnho@hotmail.com
// Website: http://tinicat.de/hacnho
// OS : WinXP Pro SP1, OllyDbg 1.10 Final, OllyScript v0.92
// DaTe ReLeAsE: 14 July 2005
/////////////////////////////////////////////////////////////
*/
var dbcheck
var debugblock
var mem
var time
var nono


gpa "OpenMutexA", "kernel32.dll"
mov mem,$RESULT
bp mem
esto
esto
rtr
sti
bc mem
gpa "time", "MSVCRT.dll"
mov time,$RESULT
bp time
mov dbcheck,[eip]
and dbcheck,0000FFFF
cmp dbcheck,0000C085 //checking for debug blocker signal
je db

db:
jne nono
msg "This file is protected with Armadillo's Debug Blocker Feature or CopyMEM2."
ret

nono:
msg "This file is not protected with Armadillo's Debug Blocker Feature or CopyMEM2."
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo Find Nag.txt:
--------------------------------------------------------------------------------
/*
.:TEAM RESURRECTiON:.
Armadillo Standard Script by AvAtAr//stephenteh
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before running the script.
- Add the following custom exceptions on OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var OpenMutexA
var CreateMutexA
var GetModuleHandleA
var VirtualAlloc
var CreateThread
var JumpLocation
var JumpLength
var OEP

gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT

bp OpenMutexA
esto
exec
PUSHAD
PUSHFD
PUSH EDX
XOR EAX,EAX
PUSH EAX
PUSH EAX
CALL CreateMutexA
POPFD
POPAD
JMP OpenMutexA
ende
bc OpenMutexA

bphws GetModuleHandleA, "x"
pause
label1:
esto
cmp eax,VirtualAlloc
jne label1
esto
bphwc GetModuleHandleA
rtu

find eip, #0F84????????#
mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

bp CreateThread
//pause
run
cob
bc CreateThread
rtu
rtr
sti

find eip, #2B??FF??8?#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"
msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo IAT Eliminator.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo IAT Eliminator.txt

--------------------------------------------------------------------------------
/Armadillo/Armadillo IAT Script v2.txt:
--------------------------------------------------------------------------------
var SalMag

dbh
eoe LABEL
ask "Direccion del Salto Magico?"
cmp $RESULT, 0
je FIN
mov SalMag, $RESULT
msgyn "Preguntar = SI || No preguntar = NO"
cmp $RESULT, 0
je NoPreg
eob BABEL
jmp PregFin

NoPreg:
eob BABEL2

PregFin:
run

BABEL:
cmp eip, SalMag
jne FIN
cmp eax, 1
jne SIGPAS
msgyn "Continuar?"
cmp $RESULT, 1
je SIGPAS
jmp FIN

SIGPAS:
mov !ZF, 1
run
jmp SIGPAS

BABEL2:
cmp eip, SalMag
jne FIN
mov !ZF, 1
run
jmp BABEL2

FIN:
ret

LABEL:
esto
jmp LABEL

--------------------------------------------------------------------------------
/Armadillo/Armadillo Magic Jump Finder.txt:
--------------------------------------------------------------------------------
/*
Magic Jump Finder Script

*/

var GetModuleHandleA

gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT

bphws GetModuleHandleA, "x"
repeat:
esto
rtu
find eip, #0F84????????????????????74??????????EB??#
cmp $RESULT,0
je repeat
bphwc GetModuleHandleA
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo NanoTables v2.txt:
--------------------------------------------------------------------------------
var TabNum
var TypeDW
var Count
var Count2
var ActEip
var ActPunt
var VACTab
var VATab
var VATab1 //nano_addr.hex
var VATab2 //nano_type.hex
var VATab3 //nano_size.hex
var VATab4 //nano_dest.hex
var EipBytes

dbh
mov TypeDW, 0
eoe LABEL
eob BABEL
run

BABEL:
cob
bphwc eip
ask "VA base?"
cmp $RESULT, 0
je NoVA
mov VATab, $RESULT
ask "Numero de pedazos? [HEX]"
cmp $RESULT, 0
je NoTabNum
mov TabNum, $RESULT
shl TabNum, 2
msgyn "Nanotypes DWORD = SI || Nanotypes BYTE = NO"
cmp $RESULT, 0
je NanTypB
mov TypeDW, 1

NanTypB:
sub eip, 20
mov ActEip, eip
mov EipBytes, [eip]
add eip, 20
exec
pushad
pushfd
push {ActEip}
push 40
push 40000
push {VATab}
call VirtualProtect
popfd
popad
ende
mov [ActEip], EipBytes

mov VACTab, VATab
add VATab, TabNum
add VATab, TabNum
mov VATab1, VATab
eval "VA de nano_addr.hex = {VATab1}"
log $RESULT
mov Count, 0
mov ActEip, eip
add ActEip, 3
mov ActEip, [ActEip]

Tab0:
mov ActPunt, ActEip
add ActPunt, Count
mov ActPunt, [ActPunt]

InTab1:
mov EipBytes, [ActPunt]
cmp EipBytes, ABABABAB
je FinTab1
cmp EipBytes, BAADF00D
je FinTab1
mov [VATab1], EipBytes
add ActPunt, 4
add VATab1, 4
inc [VACTab]
jmp InTab1

FinTab1:
add VACTab, 4
add Count, 4
cmp Count, TabNum
jne Tab0

mov VATab2, VATab1
sub VATab1, VATab
dm VATab, VATab1, "C:\Documents and Settings\tenketsu\Escritorio\nano_addr.hex"
sub VACTab, TabNum
eob BABEL2
run
jmp BABEL


BABEL2:
cob
bphwc eip

add VATab2, 40
eval "VA de nano_type.hex = {VATab2}"
log $RESULT
mov VATab, VATab2
mov Count, 0
mov ActEip, eip
add ActEip, 3
mov ActEip, [ActEip]
cmp TypeDW, 0
je Tab0_2B

Tab0_2DW:
mov Count2, 0
mov ActPunt, ActEip
add ActPunt, Count
mov ActPunt, [ActPunt]

InTab2DW:
mov EipBytes, [ActPunt]
mov [VATab2], EipBytes
add ActPunt, 4
add VATab2, 4
inc Count2
cmp [VACTab], Count2
je FinTab2DW
jmp InTab2DW

FinTab2DW:
add VACTab, 4
add Count, 4
cmp Count, TabNum
jne Tab0_2DW
jmp Tab2Fin

Tab0_2B:
mov Count2, 0
mov ActPunt, ActEip
add ActPunt, Count
mov ActPunt, [ActPunt]

InTab2B:
mov EipBytes, [ActPunt]
shl EipBytes, 18
shr EipBytes, 18
mov [VATab2], EipBytes
add ActPunt, 1
add VATab2, 1
inc Count2
cmp [VACTab], Count2
je FinTab2B
jmp InTab2B

FinTab2B:
add VACTab, 4
add Count, 4
cmp Count, TabNum
jne Tab0_2B

Tab2Fin:
mov VATab3, VATab2
sub VATab2, VATab
dm VATab, VATab2, "C:\Documents and Settings\tenketsu\Escritorio\nano_type.hex"
sub VACTab, TabNum
eob BABEL3
run
jmp BABEL2


BABEL3:
cob
bphwc eip

add VATab3, 40
eval "VA de nano_dest.hex = {VATab3}"
log $RESULT
mov VATab, VATab3
mov Count, 0
mov ActEip, eip
add ActEip, 3
mov ActEip, [ActEip]

Tab0_3:
mov Count2, 0
mov ActPunt, ActEip
add ActPunt, Count
mov ActPunt, [ActPunt]

InTab3:
mov EipBytes, [ActPunt]
mov [VATab3], EipBytes
add ActPunt, 4
add VATab3, 4
inc Count2
cmp [VACTab], Count2
je FinTab3
jmp InTab3

FinTab3:
add VACTab, 4
add Count, 4
cmp Count, TabNum
jne Tab0_3

mov VATab4, VATab3
sub VATab3, VATab
dm VATab, VATab3, "C:\Documents and Settings\tenketsu\Escritorio\nano_dest.hex"
sub VACTab, TabNum
eob BABEL4
run
jmp BABEL3


BABEL4:
cob
bphwc eip

add VATab4, 40
eval "VA de nano_size.hex = {VATab4}"
log $RESULT
mov VATab, VATab4
mov Count, 0
mov ActEip, eip
add ActEip, 3
mov ActEip, [ActEip]

Tab0_4:
mov Count2, 0
mov ActPunt, ActEip
add ActPunt, Count
mov ActPunt, [ActPunt]

InTab4:
mov EipBytes, [ActPunt]
shl EipBytes, 18
shr EipBytes, 18
mov [VATab4], EipBytes
add ActPunt, 1
add VATab4, 1
inc Count2
cmp [VACTab], Count2
je FinTab4
jmp InTab4

FinTab4:
add VACTab, 4
add Count, 4
cmp Count, TabNum
jne Tab0_4

sub VATab4, VATab
dm VATab, VATab4, "C:\Documents and Settings\tenketsu\Escritorio\nano_size.hex"
msg "El dumpeo de las tablas ha terminado."
ret


LABEL:
esto
jmp LABEL

NoVA:
msg "No se ha especificado una VA base para las tablas, script terminado."
ret

NoTabNum:
msg "No se ha especificado un numero de pedazos, script terminado."
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo OEP Finder (CopyMem2).txt:
--------------------------------------------------------------------------------
var addr
var espval
var oepaddr
var maddr
var cbase

lblstart:
msgyn "Setting: Ignore all exceptions. Go?"
cmp $RESULT,1
je lbl1
ret

lbl1:
dbh
gpa "OutputDebugStringA","kernel32.dll"
cmp $RESULT,0
je lbl2
asm $RESULT,"ret 4"

lbl2:
gpa "WaitForDebugEvent","kernel32.dll"
bp $RESULT
esto

lbl3:
bc $RESULT
mov addr,esp
add addr,4
mov espval,[addr]
gpa "WriteProcessMemory","kernel32.dll"
bp $RESULT
esto
bc $RESULT
mov addr,espval
add addr,18
mov oepaddr,[addr]
mov addr,esp
add addr,8
mov cbase,[addr]
mov maddr,oepaddr
sub maddr,cbase
add addr,4
mov addr,[addr]
add maddr,addr
mov addr,maddr
fill addr,1,eb
inc addr
fill addr,1,FE

lbl4:
eval "Original Entry Point:{oepaddr}, Code base:{cbase},please use lordpe's arm plugin dump this process."
rtu
cmt eip,$RESULT
msg $RESULT
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo OEP Finder + Fix Magic Jumps + Fix Anti-Dump.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Armadillo/Armadillo OEP Finder + Fix Magic Jumps + Fix Anti-Dump.txt

--------------------------------------------------------------------------------
/Armadillo/Armadillo OpenMutexA.txt:
--------------------------------------------------------------------------------
/*
Armadillo script OpenMutexA
Exceptions c000001e
invalid or privileged instruction
*/

dbh

var pBuffer
var OpenMutexA
var VirtualProtect

gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
bp OpenMutexA
run


//Breakpoint
bc OpenMutexA
mov pBuffer, esp
log pBuffer
add pBuffer, 0c
mov pBuffer, [pBuffer]
log [pBuffer]

exec
PUSHAD
push {pBuffer}
push 0
push 0
CALL kernel32.CreateMutexA
POPAD
jmp kernel32.OpenMutexA
ende

gpa "VirtualProtect", "kernel32.dll"
mov VirtualProtect, $RESULT
log VirtualProtect
bp VirtualProtect
run
bc VirtualProtect

--------------------------------------------------------------------------------
/Armadillo/Armadillo Repair IAT Elimination.txt:
--------------------------------------------------------------------------------
/*
=======================================================================
Script for repairing Armadillo's IAT Elimination feature
=======================================================================

This script should help you rebuild the IAT on targets protected
with Armadillo's IAT Eliminator feature. You will need to modify
some parts of the script to work on your file. First unpack
your file and defeat the common import redirection, then use this
script after you have found the OEP. Read my comments below.
=======================================================================
*/

var code //Code section is the one that holds your code.
var NewPointer //Base address of the new section where thunks will be placed (use one of Armadillo's).
var OldPointer
var Import

ask "Enter base address of code section:" //Ask user to enter base of code section:
cmp $RESULT,0
je exit
mov code,$RESULT

ask "Enter address of new section for imports:" //Ask user to enter base of new IAT section:
cmp $RESULT,0
je exit
mov NewPointer,$RESULT


searching:
findop code,#FF15????A900# //Find calls that point into the 00A90000 section. You need to change this.
cmp $RESULT,0
je exit

mov code,$RESULT //Calculations.
add $RESULT,2
mov OldPointer,[$RESULT]
mov Import,[OldPointer]
mov [NewPointer],Import
mov [$RESULT],NewPointer
add NewPointer,8

jmp searching


exit:
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo Standard (Pause).txt:
--------------------------------------------------------------------------------
/*
.:TEAM RESURRECTiON:.
Armadillo Standard+Pause Script by AvAtAr Modified By Teddy Rogers
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before running the script.
- Add the following custom exceptions in OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var CreateMutexA
var CreateThread
var GetModuleHandleA
var OpenMutexA
var VirtualAlloc
var JumpLocation
var JumpLength
var adata
var regESP
var OEP

gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT

gmi eip,MODULEBASE
find $RESULT,#2E6164617461#
mov adata,$RESULT
add adata,0c
mov adata,[adata]
gmi eip,MODULEBASE
add adata,$RESULT

bp OpenMutexA
esto
exec
PUSH EDX
PUSH 0
PUSH 0
CALL CreateMutexA
JMP OpenMutexA
ende
bc OpenMutexA

bphws GetModuleHandleA, "x"
label1:
esto
rtu
find eip, #0F84????????????????????74??????????EB??#
cmp $RESULT,0
je label1
bphwc GetModuleHandleA

mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength
pause

--------------------------------------------------------------------------------
/Armadillo/Armadillo Standard Unpack (Specific).txt:
--------------------------------------------------------------------------------
/*
.:TEAM RESURRECTiON:.
Armadillo Standard Script by AvAtAr//stephenteh
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before running the script.
- Add the following custom exceptions in OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var OpenMutexA
var CreateMutexA
var GetModuleHandleA
var VirtualAlloc
var CreateThread
var JumpLocation
var JumpLength
var OEP

gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT

bp OpenMutexA
esto
exec
PUSHAD
PUSHFD
PUSH EDX
XOR EAX,EAX
PUSH EAX
PUSH EAX
CALL CreateMutexA
POPFD
POPAD
JMP OpenMutexA
ende
bc OpenMutexA

bphws GetModuleHandleA, "x"
label1:
esto
cmp eax,VirtualAlloc
jne label1
esto
bphwc GetModuleHandleA
rtu

find eip, #0F84????????#
mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

bp CreateThread
run
cob
bc CreateThread
rtu
rtr
sti

find eip, #2BF9FFD7#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"
msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo Standard Unpack + Strategic Code Splicing.txt:
--------------------------------------------------------------------------------
/*
.:TEAM RESURRECTiON:.
Armadillo Standard+Strategic Code Splicing Script by AvAtAr
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before running the script.
- Add the following custom exceptions in OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var CreateMutexA
var CreateThread
var GetModuleHandleA
var OpenMutexA
var VirtualAlloc
var JumpLocation
var JumpLength
var adata
var regESP
var OEP

gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT

gmi eip,MODULEBASE
find $RESULT,#2E6164617461#
mov adata,$RESULT
add adata,0c
mov adata,[adata]
gmi eip,MODULEBASE
add adata,$RESULT

bp OpenMutexA
esto
exec
PUSH EDX
PUSH 0
PUSH 0
CALL CreateMutexA
JMP OpenMutexA
ende
bc OpenMutexA

bphws GetModuleHandleA, "x"
label1:
esto
rtu
find eip, #0F84????????????????????74??????????EB??#
cmp $RESULT,0
je label1
bphwc GetModuleHandleA

mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

msgyn "Resolve Strategic Code Splicing?"
cmp $RESULT,0
je label3
bphws VirtualAlloc, "x"
label2:
esto
mov regESP,esp
add regESP,0C
cmp [regESP],1000
jne label2
add regESP,4
cmp [regESP],40
jne label2
rtu
mov eax,adata
bphwc VirtualAlloc
label3:

bp CreateThread
run
cob
bc CreateThread
rtu
rtr
sti

find eip, #2B??FF??8?#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"
msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
ret

--------------------------------------------------------------------------------
/Armadillo/Armadillo Standard Unpack.txt:
--------------------------------------------------------------------------------
/*
.:TEAM RESURRECTiON:.
Armadillo Standard Script by AvAtAr//stephenteh
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before running the script.
- Add the following custom exceptions in OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var OpenMutexA
var CreateMutexA
var GetModuleHandleA
var VirtualAlloc
var CreateThread
var JumpLocation
var JumpLength
var OEP

gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT

bp OpenMutexA
esto
exec
PUSHAD
PUSHFD
PUSH EDX
XOR EAX,EAX
PUSH EAX
PUSH EAX
CALL CreateMutexA
POPFD
POPAD
JMP OpenMutexA
ende
bc OpenMutexA

bphws GetModuleHandleA, "x"
//pause
label1:
esto
cmp eax,VirtualAlloc
jne label1
esto
bphwc GetModuleHandleA
rtu

find eip, #0F84????????#
mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

bp CreateThread
//pause
run
cob
bc CreateThread
rtu
rtr
sti

find eip, #2B??FF??8?#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"
msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
ret

--------------------------------------------------------------------------------
/Enigma/Enigma Protector 1.55 - 2.05 OEP Finder + IAT Repair v0.1 (1).txt:
--------------------------------------------------------------------------------
///////////////////////////////////////////////////////////////////////
// Enigma Protector V1.55 - V2.05 OEP Finder + IAT Repair By Ronar22 /
/////////////////////////////////////////////////////////////////////

Var X
Var Y
GPA "VirtualAlloc", "Kernel32.dll"
BP $RESULT
RUN
RUN
FINDMEM #8D047F8B55FC8B4DF0894C820447FF4DD0#
BPHWS $RESULT,"x"
Bp $RESULT
Mov X,$RESULT
FINDMEM #89431083C31C4E75B7#
Cmp $RESULT,0
Je Old
ASM $RESULT,"MOV DWORD PTR DS:[EBX+14],EAX"
Jmp Os
Old:
FINDMEM #894C820483C304668B3B83C3026685FF#
FILL $RESULT,4,90
Os:
GPA "VirtualAlloc", "Kernel32.dll"
BC $RESULT
RUN
ADD eip,17
FINDMEM #????000000000000000000008C000000250000000000000000200000000000008D0000002A0000000000000000202000FCFFFFFF0000000000000000000000000000000000000000??00000000000000000000008C0000002500000000000000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#
Cmp $RESULT,0
Je NoVm
BPHWS $RESULT,"r"
Run
Call Check
Done:
FINDMEM #E904000000????????E904000000????????FFE0E904000000#
Bp $RESULT+12
BPHWC
Run
STO
RET
NoVm:
FINDMEM #8BC6E8????????8B45FCFFE0#
Mov Y,$RESULT+A
BPHWS $RESULT+A
GPA "VirtualQuery", "Kernel32.dll"
BP $RESULT+2
Run
Nex:
Call Check
Run
Cmp eip,Y
Jne Nex
Jmp Done
Check:
Cmp eip,X
Je As
Ret
As:
Add eip,17
Run
Ret

--------------------------------------------------------------------------------
/Enigma/Enigma Protector 1.90 - 3.xx Alternativ Unpacker v1.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/Enigma/Enigma Protector 1.90 - 3.xx Alternativ Unpacker v1.0.txt

--------------------------------------------------------------------------------
/LARP/LARP 2.0 Ultimate Bypass Hide + IAT Repair + OEP Finder v1.0.txt:
--------------------------------------------------------------------------------
/*
//////////////////////////////////////////////////////////////////////
// .:[CracksLatinoS]:. 2013 CLS !.- /
// lARP 2.0 Ultimate _ByPass Hide Process Driver & VMWare & IAT & /
// JMP Rebuild & Stolen Bytes & OEP. /
// OS: XP SP2/3 (Tested), OllyDbg V1.10, OllyScript v1.83.1 /
// StrongOD v.4.8.xxx or Above.- /
// Author: _/\_-=InDuLgEo=-_/\_ (CLS).- /
// WebSite :-> http://indulgeoeddy.orgfree.com/ /
//////////////////////////////////////////////////////////////
*/



VAR API
VAR OEP
VAR EIP2
VAR Near_OEP
VAR VMware
VAR Base
VAR Jump
VAR Byte
VAR Byte1
VAR Byte2
VAR rva
VAR conta // loop counter used below; declared explicitly (added declaration)



BPMC
BPHWC
BC



Vamos:
MOV OEP, 402059
MOV Near_OEP, 402061
MOV VMware, 4113FD
MOV Jump, 41870A
mov Base, 401000
BPHWS VMware
ERUN
mov ebx, F1ACA
BPHWC
BPWM Jump, 1
ERUN
MOV eax, 85
BPMC
BPHWC
BPRM Near_OEP, 1



Bucle:
CMP eip, Near_OEP
JE Repara
ERUN
JMP Bucle



Repara:
FIND Base, #68????????C3#
mov Byte, $RESULT
mov eip, Byte
sti
sti



Mira:
mov Byte1, [eip], 1
cmp Byte1, E9
je Dale
sti
jmp Mira



Dale:
sub eip, 5
mov EIP2, eip
sti
mov Byte2, eip
mov API, 40515C
mov conta,0



Sigue:
mov [API], Byte2
add EIP2, 5
mov eip, EIP2
inc conta
cmp conta, 8
je Fin
add API, 4
sti
mov Byte2, eip
jmp Sigue



Fin:
MOV [402053], #FF15F8504000#
MOV [40205B], #FF15FC504000#
MOV [40106C], #FF1560514000#
MOV [401085], #FF1564514000#
MOV [40109C], #FF1568514000#
MOV [4010BD], #FF156C514000#
MOV [401BB7], #FF1570514000#
MOV [401C13], #FF1528514000#
MOV [401D91], #FF1578514000#
MOV [401BF3], #FF1570514000#
MOV eip, OEP
cmt eip,"<-- OEP by InDuLgEo (CLS) !.-"
mov rva, eip
GMI eip, MODULEBASE
sub rva, $RESULT
EVAL "-= OEP Alcanzado y Todo Reparado ;)\r\n\r\n =- Fija la IAT: RVA = 50EC | SIZE: = 9C | RVA OEP:-> {rva} !\r\n\r\n_/\_-=InDuLgEo=-_/\_ CLS 2013.-"
MSG $RESULT
LOG "<- lARP 2.0 Ultimate _ByPass Hide Process Driver & VMWare & IAT & JMP Rebuild & Stolen Bytes & OEP. By InDuLgEo (CLS)!.-"
BPMC
BPHWC
RET


/*
//////////////////////////////////////////////////////////////
// _/\_-=InDuLgEo=-_/\_ (CLS).- /
/ *** To : -= CLS & SnD *** /
// - Art Of Reverse Engineering - /
// Have a nice day ! /
// Enjoy ! /
// \_____JMP____ASM____x386_____/ E.O.F./
///////////////////////////////////////////////////////
*/

--------------------------------------------------------------------------------
/PeCompact/PeCompact 2.xx - 3.xx OEP Finder.txt:
--------------------------------------------------------------------------------
// ---------------------------------------------------------------------------------------------------------
// PECompact 2.x / 3.x OEP Finder (Using ESP Trick)
// Simple OEP finder for PECompact, tested with versions:
// - 2.08
// - 3.02.2 trial
//
// Usage: Simply load the script and let it run; if the OEP
// is found, the script will prompt with a messagebox.
//
// Enable The Following Exception Options
// - Ignore memory access violations in KERNEL32
// - INT3 breaks
// - Memory access violation
//
// Author: atom0s
// Date: 06.11.2010
//
// ---------------------------------------------------------------------------------------------------------
// This script was made using OllyScript v1.78.3
// ---------------------------------------------------------------------------------------------------------

var temp1 // temporaries declared explicitly (added declarations)
var temp2
var temp3

BC // Clear Loaded Breakpoints
BPMC // Clear Memory Breakpoints
BPHWC // Clear Hardware Breakpoints
DBH // Hide Debugger [Minimal]

MOV temp1, esp
ESPCheck:
STO
CMP temp1, esp
JE ESPCheck

BPHWS esp, "w"
ERUN
BPHWC

FINDMEM #8BC65A5E5F595B5DFFE0#, eip
CMP $RESULT, 0
JE Failed

MOV temp2, $RESULT
ADD temp2, 08
BP temp2
ERUN
STI
MOV temp3, eip

EVAL "OEP Found!: 0x{temp3}"
MSG $RESULT
CMT temp3, "<==== OEP !!!!!!!!!!!!!!!!!!!!!!"

Failed:
ret

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
![alt text](https://github.com/ThomasThelen/OllyDbg-Scripts/raw/master/ollydbg-scripts.png)

[![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](http://www.repostatus.org/badges/latest/active.svg)](http://www.repostatus.org/#active) [![license](https://img.shields.io/github/license/mashape/apistatus.svg)]()

OllyDbg is a classic debugger that I'll always have nostalgia for. Maybe it's the memories of late nights, cracking software with friends, the satisfaction of coming up to speed in the field, what OllyDbg represented as an ideal, and the awesome user community.
Over the years, scripts for unpacking, cracking, and mapping have been developed for most of the packers, including pesky commercial ones like Armadillo.

This repository contains a number of useful scripts that I have built up over the years.

### Repository Structure

Each folder is a type of packer. Within each folder, you'll find curated unpacking scripts for it.

### Sources
[Tuts 4 You](https://tuts4you.com)

[Open RCE](http://www.openrce.org)

--------------------------------------------------------------------------------
/RL Pack/RLPack 1.0 - 1.21 Unpacker v1.2.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/RL Pack/RLPack 1.0 - 1.21 Unpacker v1.2.txt

--------------------------------------------------------------------------------
/ROR Pack/ROR Packer 0.3 Decrypt v0.1.txt:
--------------------------------------------------------------------------------
Filename: ROR Packer 0.3 Decrypt v0.1
Description:
Uploader: AbsolutZero
Website:
Date: Tuesday 13 April 2010 - 07:09:05

var base
VAR base1
VAR adr
VAR dest
VAR dest1
VAR start
VAR end
VAR ep
VAR x
VAR seek
VAR op
VAR patch

encryption:
GMEMI eip,MEMORYBASE
MOV base,$RESULT
MOV base1,base

MOV ep,eip
mov adr,base
add adr,1c9e
repl adr,#89462c#,#eb1590#,3 //no SEH installation
MOV dest,1c34
ADD dest,base //encryption call destination
MOV dest1,2045
ADD dest1,base // decryption call destination

start_:
find base,#68????000068????????e8# //start of encryption routine
MOV base,$RESULT
CMP $RESULT,0
JE finish
MOV adr,[$RESULT+b]
ADD adr,$RESULT+0F
CMP adr,dest
JNE start
MOV start,base
MOV eip,base
STI //run encryption
STI
STI
RTR
STI
POP x
POP x
MOV seek,eip

find eip,#68????000068????????e8# //end of encryption routine
MOV end,$RESULT
MOV base,$RESULT
CALL deemulate
REPL start, #68????????68????????e8????????#,#e90a000000e9fbffffff9090909090#,0f
REPL end, #68????????68????????e8????????#,#e90a000000e9fbffffff9090909090#,0f
INC base
JMP start_
finish:

MOV eip,ep
RET

///////////////////////////////////////////////////////////////////////////////
deemulate:

start:
CMP seek,end
JE end
MOV op,[seek],1
CMP op,ef
JNE short
MOV op,[seek+1],1
CMP op,e4
JE findefe4 //jz long
CMP op,e3
JE findefe3 //jnz long
CMP op,e6
JE findefe6 //jb long
CMP op,e1
JE findefe1 //ja long
CMP op,e5
JE findefe5 //jae long
CMP op,e2
JE findefe2 //jbe long
CMP op,e0
JE findefe0 //jl long
CMP op,df
JE findefdf //jge long
CMP op,de
JE findefde //jle long
CMP op,dd
JE findefdd //jg long

short:
MOV op,[seek],1
CMP op,6f
JE find6f //call
CMP op,ed
JE finded //jz
CMP op,ec
JE findec //jmp short
CMP op,6c
JE find6c //jnz
CMP op,cf
JE findcf //ja
CMP op,e6
JE finde6 //jb
CMP op,6e
JE find6e //jmp long
CMP op,f1
JE findf1 //jle
CMP op,fb
JE findfb //jae
CMP op,6d
JE find6d //jbe
CMP op,e4
JE finde4 //jl
CMP op,f4
JE findf4 //jge
CMP op,e7
JE finde7 //jg

next:
OPCODE seek
ADD seek,$RESULT_2 //address of next instruction
JMP start

end:
RET

///////////////////////////////////////////////////////////////////////////////

finde6: //jb
mov x,[seek+1],1
sub x,0e6
sub x,0
MOV [seek],72,1
mov [seek+1],x,1
ADD seek,2 144 | JMP start 145 | 146 | findfb: //jae 147 | mov x,[seek+1],1 148 | sub x,0fb 149 | sub x,1 150 | MOV [seek],74,1 151 | mov [seek+1],x,1 152 | ADD seek,2 153 | JMP start 154 | 155 | finded: //jz 156 | mov x,[seek+1],1 157 | sub x,0ed 158 | sub x,2 159 | MOV [seek],74,1 160 | mov [seek+1],x,1 161 | ADD seek,2 162 | JMP start 163 | 164 | find6c: //jnz 165 | mov x,[seek+1],1 166 | sub x,06c 167 | sub x,3 168 | MOV [seek],75,1 169 | mov [seek+1],x,1 170 | ADD seek,2 171 | jmp start 172 | 173 | find6d: //jbe 174 | mov x,[seek+1],1 175 | sub x,06d 176 | sub x,4 177 | MOV [seek],76,1 178 | mov [seek+1],x,1 179 | ADD seek,2 180 | jmp start 181 | 182 | findcf: //ja 183 | mov x,[seek+1],1 184 | sub x,0cf 185 | sub x,5 186 | MOV [seek],77,1 187 | mov [seek+1],x,1 188 | ADD seek,2 189 | jmp start 190 | 191 | finde4: //jl 192 | mov x,[seek+1],1 193 | sub x,0e4 194 | sub x,6 195 | MOV [seek],7c,1 196 | mov [seek+1],x,1 197 | ADD seek,2 198 | jmp start 199 | 200 | findf4: //jge 201 | mov x,[seek+1],1 202 | sub x,0f4 203 | sub x,7 204 | MOV [seek],7d,1 205 | mov [seek+1],x,1 206 | ADD seek,2 207 | jmp start 208 | 209 | findf1: //jle 210 | mov x,[seek+1],1 211 | sub x,0f1 212 | sub x,8 213 | MOV [seek],7e,1 214 | mov [seek+1],x,1 215 | ADD seek,2 216 | jmp start 217 | 218 | finde7: //jg 219 | mov x,[seek+1],1 220 | sub x,0e7 221 | sub x,9 222 | MOV [seek],7f,1 223 | mov [seek+1],x,1 224 | ADD seek,2 225 | jmp start 226 | 227 | findec: //jmp short 228 | mov x,[seek+1],1 229 | sub x,0ec 230 | sub x,0a 231 | MOV [seek],0eb,1 232 | mov [seek+1],x,1 233 | ADD seek,2 234 | jmp start 235 | 236 | find6f: //call 237 | MOV x,[seek+1] 238 | sub x,6f 239 | sub x,0b 240 | mov [seek],0e8 241 | mov [seek+1],x 242 | ADD seek,5 243 | JMP start 244 | 245 | find6e: //jmp long 246 | MOV x,[seek+1] 247 | sub x,6e 248 | sub x,0c 249 | mov [seek],0e9 250 | mov [seek+1],x 251 | ADD seek,5 252 | JMP start 253 | 254 | findefe6: //jb long 255 | MOV x,[seek+2] 256 | sub x,0e6 257 | sub x,8 258 | 
mov [seek],820f 259 | mov [seek+2],x 260 | ADD seek,6 261 | JMP start 262 | 263 | findefe5: //jae long 264 | MOV x,[seek+2] 265 | sub x,0e5 266 | sub x,9 267 | mov [seek],830f 268 | mov [seek+2],x 269 | ADD seek,6 270 | JMP start 271 | 272 | findefe4: //jz long 273 | MOV x,[seek+2] 274 | sub x,0e4 275 | sub x,0a 276 | mov [seek],840f 277 | mov [seek+2],x 278 | ADD seek,6 279 | JMP start 280 | 281 | findefe3: //jnz long 282 | MOV x,[seek+2] 283 | sub x,0e3 284 | sub x,0b 285 | mov [seek],850f 286 | mov [seek+2],x 287 | ADD seek,6 288 | JMP start 289 | 290 | findefe2: //jbe long 291 | MOV x,[seek+2] 292 | sub x,0e2 293 | sub x,c 294 | mov [seek],860f 295 | mov [seek+2],x 296 | ADD seek,6 297 | JMP start 298 | 299 | findefe1: //ja long 300 | MOV x,[seek+2] 301 | sub x,0e1 302 | sub x,d 303 | mov [seek],870f 304 | mov [seek+2],x 305 | ADD seek,6 306 | JMP start 307 | 308 | findefe0: //jl long 309 | MOV x,[seek+2] 310 | sub x,0e0 311 | sub x,e 312 | mov [seek],8c0f 313 | mov [seek+2],x 314 | ADD seek,6 315 | JMP start 316 | 317 | findefdf: //jge long 318 | MOV x,[seek+2] 319 | sub x,0df 320 | sub x,f 321 | mov [seek],8d0f 322 | mov [seek+2],x 323 | ADD seek,6 324 | JMP start 325 | 326 | findefde: //jle long 327 | MOV x,[seek+2] 328 | sub x,0de 329 | sub x,10 330 | mov [seek],8e0f 331 | mov [seek+2],x 332 | ADD seek,6 333 | JMP start 334 | 335 | findefdd: //jg long 336 | MOV x,[seek+2] 337 | sub x,0dd 338 | sub x,11 339 | mov [seek],8f0f 340 | mov [seek+2],x 341 | ADD seek,6 342 | JMP start 343 | -------------------------------------------------------------------------------- /VMProtect/VMProtect 1.7 - 1.8 OEP Finder + Unpack Helper v1.0.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/VMProtect/VMProtect 1.7 - 1.8 OEP Finder + Unpack Helper v1.0.txt -------------------------------------------------------------------------------- 
/VMProtect/VMProtect 1.7 - 2.0 OEP Finder + Unpack Helper v1.2.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/VMProtect/VMProtect 1.7 - 2.0 OEP Finder + Unpack Helper v1.2.txt
--------------------------------------------------------------------------------
/VMProtect/VMProtect 1.7 EDI ESI EBX Fixer.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/VMProtect/VMProtect 1.7 EDI ESI EBX Fixer.txt
--------------------------------------------------------------------------------
/VMProtect/VMProtect 1.7 IAT Repair + Log.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/VMProtect/VMProtect 1.7 IAT Repair + Log.txt
--------------------------------------------------------------------------------
/VMProtect/VMProtect 1.7 IAT Repair.txt:
--------------------------------------------------------------------------------
//vmp 1.7 iat repair
//run the script at oep
//vmp code base = va of .vmp0
//vmp code end = va of .vmp1
//if the program crashes, check log and make sure "mov reg32, [iat]" references are correctly fixed!

var codebase
var refaddr
var vmpbase
var vmpend
var ptr
var tmpesp
var oep
var tmp
var codesize
var isfirst
var phase
mov oep, eip
GMI eip, CODEBASE
mov codebase, $RESULT
mov ptr, codebase
GMI eip, CODESIZE
mov codesize, $RESULT
Ask "vmp code base"
mov vmpbase, $RESULT
Ask "vmp code end"
mov vmpend, $RESULT
mov tmpesp, esp
next:
mov esp, tmpesp
cmp phase, 0
jne findcall
find ptr, #E9??????00#
jmp check
findcall:
find ptr, #E8??????0090#
check:
cmp $RESULT,0
je done
cmp $RESULT, vmpbase
ja done
mov ptr, $RESULT
mov eip, ptr
inc ptr
mov tmp, [ptr]
add tmp, eip
cmp tmp, vmpbase
jb next
cmp tmp, vmpend
ja next
mov refaddr, ptr
cmp isfirst, 0
jne ****
first****:
sti
find eip,#c2#,1
cmp $RESULT,0
je first****
bphws eip, "x"
inc isfirst
jmp fix
****:
run

fix:
mov eip, refaddr
mov tmp, eip
add tmp, 5
find tmp, #ffd6#, 12
cmp $RESULT,0
je fix1
dec eip
eval "mov esi, {eax}"
asm eip, $RESULT
log eip
add ptr, 6
jmp next

fix1:
find tmp, #ffd7#, 12
cmp $RESULT,0
je fix2
dec eip
eval "mov edi, {eax}"
asm eip, $RESULT
log eip
add ptr, 6
jmp next

fix2:
find tmp, #ffd3#, 12
cmp $RESULT,0
je normalfix
dec eip
eval "mov ebx, {eax}"
asm eip, $RESULT
log eip
add ptr, 6
jmp next

normalfix:
sub eax, refaddr
sub eax, 4
mov [refaddr], eax, 4
add ptr, 5
log eip
jmp next
done:
cmp phase, 0
jne exit
inc phase
mov ptr, codebase
jmp next
exit:
mov eip, oep
ret
--------------------------------------------------------------------------------
/VMProtect/VMProtect 1.70.4 IAT Repair.txt:
--------------------------------------------------------------------------------
//fuck vmp iat by nooby
//run the script at ep
//vmp code base = va of .vmp0
//vmp code size = size of .vmp0

var vmpbase
var vmpsize
var magic
var isfirst
var first
var decode
var dllname
var funcname
var stackdep
var sFile
var tmp
mov sFile, "iat_log.txt"
mov isfirst, 0

mov magic, 13e76ac
mov first, 01007412
mov decode, 113e6c8
mov stackdep, c

Ask "vmp code base"
mov vmpbase, $RESULT
Ask "vmp code size"
mov vmpsize, $RESULT
bphws first, "x"
bphws magic, "x"
bphws decode, "x"
looper:
esto
cmp eip, first
je patch
cmp eip, magic
je setbp
cmp eip, decode
je patch
jmp looper
setbp:
cmp isfirst, 0
jne p1
inc isfirst
bpwm vmpbase, vmpsize
wrt sFile, "Fuck VMP IAT\r\n"
wrta sFile, "VA, DLL.FUNCTION\r\n"
p1:
mov tmp, eax
len [esi]
readstr [esi], $RESULT
mov dllname, $RESULT
len [edi]
readstr [edi], $RESULT
mov funcname, $RESULT

esti
esto
cmp eip, magic
je p1
cmp eip, first
je patch
cmp eip, decode
je patch
mov edx, tmp
wrta sFile, eax
wrta sFile, ", "
wrta sFile, dllname
wrta sFile, "."
wrta sFile, funcname
wrta sFile, "\r\n"

jmp looper
patch:
mov [decode], c3

end:
ret
--------------------------------------------------------------------------------
/VMProtect/VMProtect 1.8 - 2.x API Turbo Tracer v1.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/VMProtect/VMProtect 1.8 - 2.x API Turbo Tracer v1.0.txt
--------------------------------------------------------------------------------
/VMProtect/VMProtect 1.8 - 2.x API Turbo Tracer v1.1.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/VMProtect/VMProtect 1.8 - 2.x API Turbo Tracer v1.1.txt
--------------------------------------------------------------------------------
/VMProtect/VMProtect 1.8 - 2.x API Turbo Tracer v1.2.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/VMProtect/VMProtect 1.8 - 2.x API Turbo Tracer v1.2.txt
--------------------------------------------------------------------------------
/VMProtect/VMProtect 1.8 IAT Repair.txt:
--------------------------------------------------------------------------------
//fuck vmp iat by nooby
//run this script at tls entry/ep

var vmpbase
var vmpsize
var magic
var isfirst
var first
var dllname
var funcname
var sFile
var tmp
mov sFile, "iat_log.txt"
mov isfirst, 0

//the checkapi function entry
mov magic, 111

//when shall we stop logging the crap
mov first, 222

//vmp code base = va of the second last vmp section
mov vmpbase, 333

//vmp code size = size of the second last vmp section
mov vmpsize, 444

bc
bphwc

gpa "ZwSetInformationThread", "ntdll.dll"
bp $RESULT
bphws first, "x"
bphws magic, "x"
esto

looper:
esto
cmp eip, first
je end
cmp eip, magic
je setbp
jmp looper

setbp:
cmp isfirst, 0
jne logger
inc isfirst
bpwm vmpbase, vmpsize
wrt sFile, "Fuck VMP IAT\r\n"
wrta sFile, "VA, KEY, DLL.FUNCTION\r\n"

logger:
mov tmp, eax
len [esi]
readstr [esi], $RESULT
mov dllname, $RESULT
len [edi]
readstr [edi], $RESULT
mov funcname, $RESULT
esto
sub tmp, edx
wrta sFile, eax
wrta sFile, ", "
wrta sFile, tmp
wrta sFile, ", "
wrta sFile, dllname
wrta sFile, "."
wrta sFile, funcname
wrta sFile, "\r\n"

jmp looper

end:
ret
--------------------------------------------------------------------------------
/VMProtect/VMProtect 2.0x Unpacker v1.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/VMProtect/VMProtect 2.0x Unpacker v1.0.txt
--------------------------------------------------------------------------------
/VProtect/VProtect 1.x - 2.x Direct IAT Unpacker v1.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/VProtect/VProtect 1.x - 2.x Direct IAT Unpacker v1.0.txt
--------------------------------------------------------------------------------
/ZProtect/ZProtect 1.3 - 1.6 Full Decryption + Inline Patcher v1.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ZProtect/ZProtect 1.3 - 1.6 Full Decryption + Inline Patcher v1.0.txt
--------------------------------------------------------------------------------
/ZProtect/ZProtect 1.3 - 1.6 MEDIUM Unpacker v1.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ZProtect/ZProtect 1.3 - 1.6 MEDIUM Unpacker v1.0.txt
--------------------------------------------------------------------------------
/ZProtect/ZProtect 1.3 OEP Finder + IAT Repair.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ZProtect/ZProtect 1.3 OEP Finder + IAT Repair.txt
--------------------------------------------------------------------------------
/ZProtect/ZProtect 1.4 Decryption + Inline Patcher v1.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ZProtect/ZProtect 1.4 Decryption + Inline Patcher v1.0.txt
--------------------------------------------------------------------------------
/ZProtect/ZProtect 1.4 Decryption + Inline Patcher v1.1.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ZProtect/ZProtect 1.4 Decryption + Inline Patcher v1.1.txt
--------------------------------------------------------------------------------
/ZProtect/ZProtect 1.4.x HWID + Inline Patcher v1.0.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ZProtect/ZProtect 1.4.x HWID + Inline Patcher v1.0.txt
--------------------------------------------------------------------------------
/ZProtect/ZProtect 1.4.x HWID + Inline Patcher v1.1.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ZProtect/ZProtect 1.4.x HWID + Inline Patcher v1.1.txt
--------------------------------------------------------------------------------
/ZProtect/ZProtect 1.4.x HWID + Inline Patcher v1.4.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ZProtect/ZProtect 1.4.x HWID + Inline Patcher v1.4.txt
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.2 OEP Finder.txt:
--------------------------------------------------------------------------------
- eXPressor 1.2 - Finds OEP. (by haggar, 25 Mar 2005)
// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
///////////////////////////////////////////////////////////////////////////
//
// Brilliant "eXPressor v1.2.0.1" OEP finder script - by Haggar :-)
//
// I think that you need more time to click on Plugins menu in Olly
// to use this script, than scroll a little bit in CPU window in Olly
// and find jump that leads to OEP ;-) , but maybe this script will
// be of use to somebody.
//
// Script has two ways (methods) to find OEP (in case that one is not
// working try other one):
// 1. way - uses hardware breakpoint,
// 2. way - calculates address of OEP jmp and puts bp on it.
//
///////////////////////////////////////////////////////////////////////////

start:
ask "Enter 1 or 2 to select search method:"
cmp $RESULT,1
je first_method
cmp $RESULT,2
je second_method
cmp $RESULT,0
je exit
jmp wrong_input

////////////////////////////////////////////////
first_method:
sto
var x
mov x,esp
bphws x,"r"
run
bphwc x
sto
an eip
cmt eip, "This is OEP! Now dump it and rebuild IAT."
msg "OEP found with eXPressor 1.2 script by haggar - thanks for using it ;-)!"
jmp exit
////////////////////////////////////////////////

////////////////////////////////////////////////
second_method:
var x
mov x,eip
add x,45
mov x,[x]
add x,eip
add x,59
bp x
run
bc eip
sto
an eip
cmt eip, "This is OEP! Now dump it and rebuild IAT."
msg "OEP found with eXPressor 1.2 script by haggar - thanks for using it ;-)!"
jmp exit
////////////////////////////////////////////////

////////////////////////////////////////////////
wrong_input:
msgyn "Wrong input :-( ! Do you want to try again?"
cmp $RESULT,1
je start
ret
////////////////////////////////////////////////

///////////////
exit:
ret
///////////////

// [BACK]
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.3.0.1 OEP Finder.txt:
--------------------------------------------------------------------------------
sto
var x
mov x,esp
bphws x,"r"
run
bphwc x
sto
an eip
sti
sti
cmt eip, "Dump here and rebuild IAT with ImpRec."
ret
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.4.5.1 OEP Finder #1.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/eXPressor/eXPressor 1.4.5.1 OEP Finder #1.txt
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.4.5.1 OEP Finder #2.txt:
--------------------------------------------------------------------------------
/*
//////////////////////////////////////////////////////////////////////////////////////////////
// eXPressor 1.4.5.1
// Author : Ashraf Cracker
// Email : AshraCracker@hotmail.com
// OS : WinXP Pro, OllyDbg 1.10 Final, OllyScript 0.92
// Check ALL Debugging Exceptions
/////////////////////////////////////////////////////////////////////////////////////////////
*/
var filename
var Dumped
cmp $VERSION, "1.47"
jb odbgver
sto
BPHWS esp,"r"
run
BPHWC esp
sto
sto
sto
sto
sto
sto
an eip
GPI PROCESSNAME
mov filename,$RESULT
eval "de_(unknown).exe"
mov Dumped,$RESULT
dpe Dumped,eip
msg "This is the OEP! Found By Ashraf Cracker"
msg "The File was dumped successfully don't close OllyDbg and try now to Fix IAT with ImportREC"
cmt eip, "<== Original Entry Point"
ret

odbgver:
msg "This script work with ODbgscript 1.47 or above"
ret
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.5.0.1 OEP Finder + IAT Repair.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/eXPressor/eXPressor 1.5.0.1 OEP Finder + IAT Repair.txt
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.5.0.1 Unpacker.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/eXPressor/eXPressor 1.5.0.1 Unpacker.txt
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.5.01 Unpacker.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/eXPressor/eXPressor 1.5.01 Unpacker.txt
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.5x - 1.6x OEP Finder + IAT Repair.txt:
--------------------------------------------------------------------------------
//code for expressor 1.5x ~ 1.6x; use the original OllyDbg, ignore all exceptions, stop at the system breakpoint
//code by skylly
starting:
//hide the debugger
exec
pushad
//clear beingdebugged
mov eax,fs:[30]
inc eax
inc eax
mov ebx,eax
mov eax,[eax] //read the old value
xor al,al //set it to 0
mov [ebx],eax //write it back
xor eax,eax

//clear forceflag
mov ebx,fs:[30]
add ebx,18
mov ebx,[ebx]
add ebx,10
mov [ebx],eax
//clear NtGlobalFlag
mov ebx,fs:[30]
add ebx,68
mov [ebx],eax
popad
ende

//some anti-debug checks here, handled like the exec block above
gpa "OutputDebugStringA","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC20400#

gpa "CheckRemoteDebuggerPresent","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC20800#

gpa "FindWindowA","user32.dll" //ollydbg, filemon, etc.
mov [$RESULT],#8BFF5533C05DC20800#

gpa "VirtualProtect", "kernel32.dll"
cmp $RESULT,0
je err
var VirtualProtect
mov VirtualProtect,$RESULT
var tmp
bp VirtualProtect
lpvp:
esto
mov tmp,[esp+8]
cmp tmp,1000
jne lpvp
bc VirtualProtect
rtu
mov tmp,eip
and tmp,FFFF0000

find tmp, #C7402000100000#
cmp $RESULT,0
je err
mov [$RESULT],#90909090909090# //anti anti dump

find tmp,#75F4FE4DFF75EF#
cmp $RESULT,0
je err
mov [$RESULT],#EB# //heap magic check; they really did their homework...

find tmp,#C745F801000000C3837DF800# //page exception check; they copied the whole ntkrnl bag of tricks...
cmp $RESULT,0
je err
mov [$RESULT],#EB23#

find tmp,#58833D????????000F84#
cmp $RESULT,0
je err
var nagaddr
mov nagaddr,$RESULT
add nagaddr,8
mov [nagaddr],#90E9# //remove the nag; not sure this is right, patched by trial and error
log nagaddr

find tmp,#5356570F843C01#
cmp $RESULT,0
je nomagic
//magic jmp
add $RESULT,3
mov [$RESULT],#90E9#
nomagic:

var djmp
mov djmp,0

find tmp,#83C0058B4DF8#
cmp $RESULT,0
je nodjmp
mov djmp,$RESULT //save the match now: msgyn below overwrites $RESULT with the button pressed
msgyn "是否修复direct jmp? 如果选是则要配合uif来修复,如果选否则自己负责..."
cmp $RESULT,0
je nodjmpreset

//direct jmp?
log djmp
add djmp,5
mov [djmp],#D8#
sub djmp,5
jmp nodjmp
nodjmpreset:
mov djmp,0
nodjmp:

#log
find tmp,#83780C000F84#
cmp $RESULT,0
je err
bp $RESULT
esto
bc $RESULT
var iidstart
var iidsize
mov iidstart,eax

cmp djmp,0
jne concon
msg "此时dump下来,等会到oep后根据日志用loadpe修复即可"

concon:
mov tmp,eip
add tmp,6
mov tmp,[tmp]
add tmp,eip
add tmp,A
bp tmp
esto
bc tmp
mov iidsize,eax
sub iidsize,iidstart

var nearoep
find eip,#005F5E5B8BE55DEB01#
cmp $RESULT,0
je err
mov nearoep,$RESULT
inc nearoep
bp nearoep

going:
esto
cmp eip,nearoep
jne going
bc nearoep

find eip,#FFE0#
cmp $RESULT,0
je err
bp $RESULT
esto
bc $RESULT
sti

var espvar
mov espvar,esp
sub espvar,4
bphws espvar,"r"
esto
esto
bphwc espvar

//we are now very, very close to the OEP; usually two or three F7 steps are enough, but for the "lazy" friends here is a very ugly single-step loop...
loopsti:
mov tmp,[eip]
and tmp,FF
cmp tmp,58
je mysti
cmp tmp,5A
je mysti
cmp tmp,59
je mysti
cmp tmp,51
je mysti
cmp tmp,68
je mysti
cmp tmp,EB
je mysti
cmp tmp,FF
je mysti
cmp tmp,C3
je mysti
jmp atoep
mysti:
esti
jmp loopsti
atoep:
cmt eip,"OEP"
var oep
mov oep,eip
log oep
log iidstart
log iidsize
msg "根据日志内容自己用loadpe修复dump文件的oep及引入表地址和大小"
ret
err:
msg "error"
ret
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.6.0.1 OEP Finder v0.1.txt:
--------------------------------------------------------------------------------
var break
var dire
var anti

start:
msg "ASEGURATE DE TILDAR TODAS LAS EXCEPCIONES"
bprm 401000,06a000
eob corre
run

corre:
mov anti,eip
cmp [anti],0c3
je pasa

bpmc
find eip, #8B4424048A4C240880C1508B10880AFF00#
cmp $RESULT,0
je fin

mov anti,eip
cmp [anti],0c3
je pasa

mov break, $RESULT
bp break
eob sigue
run

sigue:
mov anti,eip
cmp [anti],0c3
je pasa

bc break
bprm 401000,06a000
eob termina
run

termina:
bpmc
msg "OEP ALCANZADO !"
ret

fin:
msg "direccion no encontrada"
ret

pasa:
mov [anti],090
run
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.6.0.1 OEP Finder v0.2.txt:
--------------------------------------------------------------------------------
var break
var dire
var anti

start:
msg "DESTILDA LA EXCEPCION MEMORY ACCESS VIOLATION"
eoe para
run

para:

mov anti,eip
cmp [anti],0c3
je pasa

bprm 401000,06a000
eob corre
esto

corre:
mov anti,eip
cmp [anti],0c3
je pasa

bpmc
find eip, #8B4424048A4C240880C1508B10880AFF00#
cmp $RESULT,0
je fin

mov break, $RESULT
bp break
eob sigue
run

sigue:
mov anti,eip
cmp [anti],0c3
je pasa
bc break
bprm 401000,06a000
eob termina
run

termina:
bpmc
msg "OEP ALCANZADO !"
ret

fin:
msg "direccion no encontrada"
ret

pasa:
mov [anti],090
esto
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.6.0.1 Unpacker.txt:
--------------------------------------------------------------------------------
var oep
var mh
var cb
var csz
var mbase
var em
var iat
var E8
var func
var iat_start
mov iat_start,00460818

GMI eip,CODEBASE
mov cb,$RESULT
GMI eip,CODESIZE
mov csz,$RESULT
GMI eip,ENTRY
mov oep,$RESULT
BC oep

gpa "GetProcAddress","kernel32.dll"
find $RESULT,#5F5BC9C2#
bp $RESULT+3
erun
erun
bc eip
rtu
find eip,#595985C0#
cmp $RESULT,0
je quit
mov [$RESULT+4],#9090#
run
mov [eip],#cc#
mov mh,[esp+8]
bp mh
run
bc eip
add mh,10
bp mh
run
bc eip
add eip,7
rtr
sti
find eip,#586A01585E5B5FC9C3#

cmp $RESULT,0
je quit
mov oep,$RESULT+8
bp oep
GMEMI eip, MEMORYBASE
mov mbase,$RESULT
find mbase,#8945D4837DD400750733C0#
mov em,$RESULT
bp em
find em,#C600E88B45E?#
mov E8,$RESULT
bp E8
mov mbase,E8+2C
bp mbase
loop:
erun
cmp eip,em
jne oepfind
mov iat,eax
find iat_start,iat
mov func,$RESULT
erun
sti
mov [eax],#FF15#
erun
inc eax
add eip,2
mov [eax],func

jmp loop

oepfind:
bc eip
sti
BPRM cb, csz
run
BPMC
bc E8
bc em
bc mbase
CMT eip,"OEP"
mov iat_start,40008C
mov [iat_start],60000
dpe "dump.exe", eip
msg " File Unpacked"
ret

quit:
ret
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.7.0.1 IAT Repair.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/eXPressor/eXPressor 1.7.0.1 IAT Repair.txt
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.7.0.1 Unpacker.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/eXPressor/eXPressor 1.7.0.1 Unpacker.txt
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.8.0.1 Unpacker.txt:
--------------------------------------------------------------------------------
/*
//////////////////////////////////////////////////
eXePressor Unpacker 1.8.01
OS : XP SP2 Olly not use strong & fantom
/////////////////////////////////////////////////
*/

var fn
var i_st
var padr
var pf
var pend
var isz
var addr
var ldrb
var patch
var imb
var ipbase
var mi
var nm
var counter
var iatw
var cb
var csz
var oep
var mh
var pendoep
GMI eip,NAME
mov nm,$RESULT
eval "{nm}_U.exe"
mov nm,$RESULT
GMI eip,IDATABASE
mov ipbase,$RESULT
GMI eip,MODULEBASE
mov imb,$RESULT
mov mi,imb
rev mi
mov mi,$RESULT
eval " #0000{mi}#"
mov mi,$RESULT

GMI eip,CODEBASE
mov cb,$RESULT
GMI eip,CODESIZE
mov csz,$RESULT
GMI eip,ENTRY
mov oep,$RESULT
BC oep

gpa "GetProcAddress","kernel32.dll"
find $RESULT,#5F5BC9C2#
bp $RESULT+3
erun
erun
bc eip
rtu

nxtf:
find ipbase,mi
cmp $RESULT,0
je quit
mov ipbase,$RESULT+4
cmp [$RESULT+4],0
jne nxtf
mov i_st,[$RESULT+c]
mov oep,$RESULT-C
mov iatw,[$RESULT+54]
add iatw,imb

GMEMI eip, MEMORYBASE
mov ldrb,$RESULT
find ldrb,#742481BD54FDFFFF3B1032E3741881BD54FDFFFFAB1CA7D7740C81BD54FDFFFF3C7C33B67533EB01#
cmp $RESULT,0
je quit
mov patch,$RESULT
find ldrb,#8B4DF02BC88B45D08908EB01#
cmp $RESULT,0
je quit
mov padr,$RESULT+A
mov pend,$RESULT+22
find ldrb,#8945E8837DE800750733C0#
cmp $RESULT,0
je quit
mov pf,$RESULT
find ldrb,#405B5FC9C3558BEC81EC5001000053565733F68D511C8B028BF8C1CF0881E700FF00FF#
mov pendoep,$RESULT+4

fill patch,24,90
mov [patch+24],#EB#

bp padr
bp pf
bp pend
erun
mov [eip],#cc#
mov mh,[esp+8]
bp mh
erun
bc eip

add eip,0D

erun

jmp wrimp
proci:

bp pend
erun
cmp eip,pend
je end
cmp eip,padr
je mem_adr
cmp eip,pf
je wrimp

mem_adr:
mov addr,eax-1
mov [addr],#FF15#
mov [addr+2],fn
jmp proci

wrimp:
mov fn,eax
find iatw,fn
cmp $RESULT,0
je end
mov fn,$RESULT
jmp proci

end:
//pause

bp pendoep
cmt pendoep,"if Show Nag push try:)"

l:

erun
cmp oep,[esp+4]
jne l

mov oep,[oep]
add oep,imb
mov eip,oep

sub oep,imb

mov counter,imb
add counter,3C
mov counter,[counter]
add counter,imb
add counter,28
mov [counter],oep
add counter,58
mov [counter],i_st
dpe nm, eip

msg "File Unpacked"
ret
quit:
ret
--------------------------------------------------------------------------------
/eXPressor/eXPressor 1.x OEP Finder.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/eXPressor/eXPressor 1.x OEP Finder.txt
--------------------------------------------------------------------------------
/ollydbg-scripts.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThomasThelen/OllyDbg-Scripts/5b6bdfc9ea2b1b6e40623aae9cfb32008b86d928/ollydbg-scripts.png
--------------------------------------------------------------------------------