├── 2.02_to_2.03.txt
├── 3.06_to_3.91.txt
├── ASPack 2.xx.txt
├── Armadillo v9.64 Debug-Blocker.txt
├── BeRoEXEPacker1.0.txt
├── Cenega_anti_antidebugger.txt
├── Enigma HWID Bypasser.txt
├── Enigma Version Finder X.XX_by luger
├── FSG1.2.txt
├── FSG1.x1.3x.txt
├── FSG2.0.txt
├── MPRESS X.XX OEP FINDER
├── Mpress2xx.txt
├── PECompact3.txt
├── README.md
├── Safedisc_v1.x_anti_antidebugger.txt
├── SecuROM_2-4_OEP_Finder.txt
├── SecuROM_2.9-4.68_Semi-Automatic_Remover.txt
├── Themida v2.x.x.x OEP Finder.txt
├── UPX X.XX OEP Finder.txt
├── UPack_all.txt
├── UpxUnpacker.cpp
├── UpxUnpacker.py
├── VMProtect 3.5 ThreadHideFromDebugger
├── VMProtect v3.x.x OEP Finder.txt
├── kkrunchy.txt
└── upx391.txt
/2.02_to_2.03.txt:
--------------------------------------------------------------------------------
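// Author: Thomas Thelen
// Contact: https://github.com/ThomasThelen
// Comment: Takes you to the OEP of files packed with UPX from versions 2.02 to 2.03
// Date: 8/12/2015
// Instructions: Open the file in x64dbg and run the script.
//
// How it works: the UPX loader hands control to the original program with one
// near jump (E9 rel32). The script breaks on that jump and executes it exactly
// once, so the debugger stops on the OEP.
//
// NOTE(review): the 5-byte signature below is "E9" followed by the rel32
// displacement (1B33FFFF) of the sample this was written against, so it only
// matches binaries with exactly that loader-to-OEP distance. If the script
// reports "Could not find the OEP", use "UPX X.XX OEP Finder.txt" from this
// collection, which accepts any E9 whose target lies inside the module.

//Begin Script
run // run from the system breakpoint to the entry point (relies on the entry-point breakpoint being enabled)
bc // clear software breakpoints
bphwc // clear hardware breakpoints

//Find the OEP
find CIP, E91B33FFFF // Signature of OEP jump (a space separates the pattern from this comment)
cmp $result, 0 // find leaves 0 in $result when nothing matched
je error // Error otherwise
bp $result // Set a breakpoint on the jump
run
sti // Take the jump: one step from the jmp lands on the OEP
// (stepping twice, as the earlier "st" + "sti" pair did, also executes the first OEP instruction and stops one instruction late)
bc // Clear Breakpoints
cmt cip, "OEP"
ret

error:
msg "Could not find the OEP."
ret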
--------------------------------------------------------------------------------
/3.06_to_3.91.txt:
--------------------------------------------------------------------------------
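// Author: Thomas Thelen
// Contact: https://github.com/ThomasThelen
// Comment: Takes you to the OEP of files packed with UPX from versions 3.06 to 3.09
// Date: 8/12/2015
// Instructions: Open the file in x64dbg and run the script.
//
// How it works: the UPX loader hands control to the original program with one
// near jump (E9 rel32). The script breaks on that jump and executes it exactly
// once, so the debugger stops on the OEP.
//
// NOTE(review): the file name (and the README) say 3.06 to 3.91 while this
// header says 3.06 to 3.09 - confirm which range was actually tested.
// NOTE(review): the 5-byte signature below is "E9" followed by the rel32
// displacement (BA31FFFF) of the sample this was written against, so it only
// matches binaries with exactly that loader-to-OEP distance. If the script
// reports "Could not find the OEP", use "UPX X.XX OEP Finder.txt" from this
// collection, which accepts any E9 whose target lies inside the module.

//Begin Script
run // run from the system breakpoint to the entry point (relies on the entry-point breakpoint being enabled)
bc // clear software breakpoints
bphwc // clear hardware breakpoints

//Find the OEP
find CIP, E9BA31FFFF // Signature of OEP jump (a space separates the pattern from this comment)
cmp $result, 0 // find leaves 0 in $result when nothing matched
je error // Error otherwise
bp $result // Set a breakpoint on the jump
run
sti // Take the jump: one step from the jmp lands on the OEP
// (stepping twice, as the earlier "st" + "sti" pair did, also executes the first OEP instruction and stops one instruction late)
bc // Clear Breakpoints
cmt cip, "OEP"
ret

error:
msg "Could not find the OEP."
ret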
--------------------------------------------------------------------------------
/ASPack 2.xx.txt:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////
// FileName : ASPack 2.xx.txt
// Comment : OEP Find For ASPack 2.xx
// Author : _pusher_
// Date : 2015-07-08
//////////////////////////////////////////////////
//
// Strategy: the ASPack 2.x loader finishes with
//   popad / jnz +8 / mov eax,1 / ret 0C / push <OEP> / ret
// Once execution reaches that popad, unpacking is done and the push operand
// already holds the real OEP, so the script reads it from there and breaks on it.

//start
msg "ASPack 2.xx OEP Finder"
msg "make sure you're at the entry point of the program before you continue"
pause

//clear breakpoints
bc
bphwc

//locate the loader epilogue (61 popad, 75 08 jnz, B8 01000000 mov eax,1, C2 0C00 ret 0C, 68 push imm32)
find cip,"617508B801000000C20C0068"
log "found: {0}", $result
cmp 0,$result
jne epilogueFound
jmp error

epilogueFound:
//run until the epilogue is reached
bp $result
erun
bc

//the imm32 of "push <OEP>" sits 0xC bytes into the matched sequence
$oepAddr = 4:[cip+c]
log "OEP: {0}", $oepAddr

//break on the OEP and run there
bp $oepAddr
erun
bc

cmt cip,"OEP"
TimeToDump:
msgyn "Successfully found OEP! Wanna use Scylla to dump the target?"
cmp 0,$result
je finishScript
scylla

finishScript:
ret

error:
msg "didn't find oep jump"
ret
51 |
--------------------------------------------------------------------------------
/Armadillo v9.64 Debug-Blocker.txt:
--------------------------------------------------------------------------------
// Armadillo Debug-Blocker bypass + OEP finder (x86 only: eip/esp are used explicitly).
// Start with the debuggee paused at its entry point.
// NOTE(review): the file name says v9.64 but the message says v9.94 - one of the two
// is probably a typo; the script itself never checks the protector version.
msg "Armadillo v9.94 Debug-Blocker, start from entry point..."
pause

//debug blocker
bc
bphwc
hide // x64dbg HideDebugger
bp OpenMutexA
erun
erun // second OpenMutexA call
rtr // return into the caller
mov eax,1 // make that call appear to succeed (non-NULL handle); presumably so the protector thinks the mutex already exists and skips the debug-blocker child - TODO confirm
erun
bc OpenMutexA

bp VirtualProtect
erun // first VirtualProtect after the mutex trick
bc VirtualProtect

bp LoadLibraryA
erun // first LoadLibraryA after that
bc LoadLibraryA

rtr // out of LoadLibraryA ...
sti
rtr // ... and out of its caller, into the protector's own code
sti

find cip, "68 00 01 00 00" // push 100h
cmp $result,0
je error

$patch1 = $result+2 // low byte of that immediate: push 100h -> push 0
1:[$patch1]=0

find $result, "89 08" // mov [eax],ecx
cmp $result , 0
je error

$patch2 = $result
2:[$patch2] = 9090 // temporarily nop it out (little-endian word 90 90)

find $result, "EB 03" // jmp short +3
cmp $result, 0
je error

bp $result
erun // run to the short jump with both patches in place
bc $result

1:[$patch1]=1 // restore push 100h ...
2:[$patch2]=0889 // ... and mov [eax],ecx (bytes 89 08 as a little-endian word)

bp CreateRemoteThreadEx
erun
bc CreateRemoteThreadEx

bp [esp] // at the function's first instruction [esp] is the return address
erun
bc eip
rtr
sti
rtr
sti

find eip,"FF D?" // next "call reg" (FF D0..FF D7)
cmp $result,0
je error
bp $result

find $result+1, "FF D?" // and the one after it
cmp $result, 0
je error
bp $result

erun // stop on whichever of the two is reached first
bc
sti // step into that call; per the author's testing this is the OEP (unverified here)
cmt eip,"OEP"

ret

error:
msg "something was wrong.."
ret
86 |
--------------------------------------------------------------------------------
/BeRoEXEPacker1.0.txt:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////
// FileName : BeRoEXEPacker1.0.txt
// Comment : OEP Find For BeRoEXEPacker 1.0
// Author : _pusher_
// Date : 2015-12-24
//////////////////////////////////////////////////
//
// Locates the tail of the BeRoEXEPacker loader (its import-resolving loop,
// then popad / ret / popad) and breaks 0x1E bytes into the match, which the
// author identified as the instruction that transfers control to the unpacked
// program; a single step from there lands on the OEP.

//start
msg "BeRoEXEPacker 1.xx OEP Finder"
msg "make sure you're at the entry point of the program before you continue"
pause

//clear breakpoints
bc
bphwc

//loader tail: push edi/eax/ecx, call [imp], pop ecx/edx/edi, test eax,eax, jz, stosd, add ebx,4 ... popad, ret, popad
find cip,"575051FF15????????5F5A5985C0740BAB83C304EBD883C614EBAA61C361"
log "found: {0}", $result
cmp 0,$result
je error

//break on the transfer instruction inside the match, run up to it and step once
$transfer = $result+1e
bp $transfer
erun
bc
sti

//drop every breakpoint now that we sit on the OEP
bc
bphwc

cmt cip,"OEP"

//finish script
ret

error:
msg "didn't find oep jump"
ret
41 |
--------------------------------------------------------------------------------
/Cenega_anti_antidebugger.txt:
--------------------------------------------------------------------------------
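//////////////////////////////////////////////////
// FileName : Cenega_anti_antidebugger.txt
// Comment : Defeats Cenega anti-debugging checks
// Author : Luca91 (Luca1991) - Luca D'Amico
// Date : 2024-05-19
// How to use : Load target exe and run this script.
//////////////////////////////////////////////////
//
// Two checks are neutralised:
//  1. PEB.BeingDebugged (read by IsDebuggerPresent and by hand-rolled PEB checks) is zeroed.
//  2. NtQueryInformationProcess gets a breakpoint command; on return from a
//     ProcessDebugPort or ProcessDebugObjectHandle query the output buffer is zeroed.
//     For ProcessDebugObjectHandle the NTSTATUS in eax is also replaced with
//     STATUS_PORT_NOT_SET (0xC0000353), which is what an undebugged process gets -
//     leaving STATUS_SUCCESS with a zero handle would still give the debugger away.
// x86 only: arguments are read from the stack ([esp+...]) and eax is the return register.
// NOTE(review): NtGlobalFlag/heap flags and ProcessDebugFlags (0x1F) are not covered, and
// the hook is a software breakpoint in ntdll, which an integrity check of the export
// prologue could notice.

// start
msg "Cenega anti antidebugger"
run // run til the EntryPoint

// clear breakpoints
bc
bphwc

// defeats isDebuggerPresent and manual PEB checks
$peb = peb()
set $peb+0x2, #00# // PEB.BeingDebugged = 0

// find and hook NtQueryInformationProcess
nqip_addr = ntdll.dll:NtQueryInformationProcess
bp nqip_addr
SetBreakpointCommand nqip_addr, "scriptcmd call check_nqip"
erun
ret

// breakpoint handler, runs at the first instruction of NtQueryInformationProcess:
// [esp] is the return address, [esp+8] is ProcessInformationClass, [esp+C] is ProcessInformation
check_nqip:
cmp [esp+8], 7 // 0x7 == ProcessDebugPort
je patch_process_information_buffer
cmp [esp+8], 0x1E // 0x1E == ProcessDebugObjectHandle
je patch_process_debug_object_handle
erun
ret

// ProcessDebugPort: run to the return instruction (arguments still on the stack) and
// overwrite the 4-byte result with 0 ("no debug port")
patch_process_information_buffer:
log "/!\ DEBUG CHECK FOUND (ProcessDebugPort): NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
rtr
set [esp+C], #00 00 00 00# // *ProcessInformation = 0
erun
ret

// ProcessDebugObjectHandle: zero the returned handle AND report STATUS_PORT_NOT_SET,
// the status an undebugged process would see for this class
patch_process_debug_object_handle:
log "/!\ DEBUG CHECK FOUND (ProcessDebugObjectHandle): NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
rtr
set [esp+C], #00 00 00 00# // *ProcessInformation = NULL handle
mov eax, 0xC0000353 // NTSTATUS STATUS_PORT_NOT_SET
erun
ret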
--------------------------------------------------------------------------------
/Enigma HWID Bypasser.txt:
--------------------------------------------------------------------------------
//Enigma HWID Bypasser by GautamGreat (Ported to x64dbg by Mobile46)
//Always use an anti-anti-debug plugin (SharpOD, ScyllaHide, etc.)
//
//Flow: wait for the protector's first VirtualFree, step out twice and over once,
//then search for the prologue "push ebp / mov ebp,esp / add esp,-20 / push ebx /
//push esi / xor edx,edx" (the HWID check routine according to the original author)
//and the first "jz ... jmp short" pair after it. The jz (74) is turned into a
//jnz (75) in memory only; VA and RVA are logged so the patch can be made permanent.

msg "Enigma HWID Bypasser x86"

//Clear or disable breakpoints
//bpc
//bphc
//bpmc
bpd
bphd
bpmd

//Start
bp VirtualFree
erun
bc VirtualFree

ertr 2
sto

find cip, "55 8B EC 83 C4 E0 53 56 33 D2"
cmp 0, $result
jne prologueFound
jmp error

prologueFound:
find $result, "74 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB ??"
cmp 0, $result
jne branchFound
jmp error

branchFound:
$hwidPatchAddress = $result
mov $result, #75#

log "VA: {$hwidPatchAddress} - RVA: {mod.rva($hwidPatchAddress)}"
log "Old byte: 74, new byte: 75"
log "HWID patched"
ret

error:
msg "Pattern not found!"
ret
--------------------------------------------------------------------------------
/Enigma Version Finder X.XX_by luger:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////////////
// FileName : Enigma Version Finder 1.xx,2.xx,3.xx,4.xx,5.xx,6.xx
// Comment : Looks up the Enigma Protector version of an EXE packed with it.
// Environment : x32dbg
// Author : by luger
// First_Date : 19.09.2021
// Fix_Date : 21.09.2021
// Version : 0.1
//////////////////////////////////////////////////////////
//
// Two lookups are tried in order:
//  1. (versions below 5.00) the ASCII marker "ENIGMA" anywhere in memory; the two
//     bytes right after it are reported as major.minor.
//  2. (5.00 and above) the ASCII marker "TAGG" must exist; then the record
//     "01 00 00 00 ?? 00 ?? 00 00 00 00 00 26 00 00 00 01" is searched and bytes 4
//     and 6 of that record are reported as major.minor.
// The major number uses the default log formatting, the minor one is decimal ({d:}).
// User-visible messages are kept in Turkish as in the original.


//msg "Enigma Version Finder x.xx by_luger"

bpd //DisableBPX
bphd //DisableHardwareBreakpoint
bpmd //DisableMemoryBreakpoint

//Method 1 (versions below 5.00): "ENIGMA" marker
findallmem 0, #454E49474D41#
cmp 0, $result
je methodTag
$hit = ref.addr(0)+6
$ilk = ReadByte($hit)
$son = ReadByte($hit+1)
log "Enigma versiyonu: {$ilk}.{d:$son} ^_^"
ret

//Method 2 (5.00 and above): "TAGG" marker plus the version record
methodTag:
findallmem 0, #54414747#
cmp 0, $result
je notFound
findallmem 0, #01000000??00??00000000002600000001#
cmp 0, $result
je notFound
$hit2 = ref.addr(0)+4
$ilk2 = ReadByte($hit2)
$son2 = ReadByte($hit2+2)
log "Enigma versiyonu: {$ilk2}.{d:$son2} ^_^"
ret

//no marker found: probably not Enigma-protected, version could not be determined
notFound:
msg "Enigma koruması olmayabilir.Versiyon tespit edilemedi."
ret
45 |
--------------------------------------------------------------------------------
/FSG1.2.txt:
--------------------------------------------------------------------------------
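//////////////////////////////////////////////////
// FileName : FSG1.2.txt
// Comment : OEP Find For FSG v1.2
// Author : _pusher_
// Date : 2015-07-02
//////////////////////////////////////////////////
//
// FSG 1.2 decrypts its own loader in place, so the OEP jump is not visible at the
// entry point. Steps:
//  1. break on the byte store of the decrypt loop (mov [eax],dl or mov [esi],dl)
//     and let it run a few iterations so enough of the loader exists to search;
//  2. break on the next "mov ebx, imm32" (BB) and run there;
//  3. locate "jmp short +9 / FE ?? / jz near" - the jz is the OEP jump - compute
//     its target from the rel32 operand and run to it.
// x86 only (the rel32 arithmetic relies on 32-bit wrap-around).

//start
msg "FSG 1.2 OEP Finder"
msg "make sure you're at the entry point of the program before you continue"
pause

//clear breakpoints
bc
bphwc

//find the store of the decrypt loop: mov [eax],dl (88 10) or mov [esi],dl (88 16)
find cip,"8810"
cmp $result,0
jne GoOn
find cip,"8816"
cmp $result,0
je error

GoOn:
//logged for both variants (previously the jump to GoOn skipped this line when the first pattern matched)
log "found decrypt place: {0}", $result

//go to decrypt loop
bp $result
//loop six times to decrypt enough to bpx (iteration count chosen by the author; unverified here)
erun
erun
erun
erun
erun
erun

//clear breakpoints
bc

//next "mov ebx, imm32"; a one-byte pattern, so this assumes the first BB after cip is that instruction
find cip,"BB"
cmp $result,0
je error
bp $result
erun

bc

//find oep jump: EB 09 (jmp short) FE ?? (inc/dec byte) 0F 84 rel32 (jz near); the jz at +4 is the OEP jump
find cip,"EB09FE??0F84"
cmp $result,0
je error
log "found OEP Jump: {0}", $result+4

//go to OEP jmp
bp $result+4
erun

//clear breakpoints
bc

//target = address of the jz (+4) + its length (6) + rel32 (the dword at +6)
$dw = 4:[$result+6]
$dest = $result+4 + $dw + 6
log "OEP: {0}", $dest

//bpx on OEP and go to OEP
bp $dest
erun

//clear breakpoints
bc

//comment it
cmt cip,"OEP"

//finish script
ret

error:
msg "didn't find oep jump"
ret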
83 |
--------------------------------------------------------------------------------
/FSG1.x1.3x.txt:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////
// FileName : FSG1.x1.3x.txt
// Comment : OEP Find For FSG v1.0 v1.1 v1.31 v1.33
// Author : _pusher_
// Date : 2015-07-02
//////////////////////////////////////////////////
//
// The loader of these FSG versions ends in "jmp short +9 / FE ?? / jz near <OEP>".
// The script breaks on that jz, computes its target from the rel32 operand and
// runs to it. x86 only (32-bit wrap-around is relied on for a negative rel32).

//start
msg "FSG 1.x and 1.3x OEP Finder"
msg "make sure you're at the entry point of the program before you continue"
pause

//clear breakpoints
bc
bphwc

//locate "EB 09 FE ?? 0F 84"; the jz (0F 84) begins 4 bytes in
find cip,"EB09FE??0F84"
cmp 0,$result
je error
$oepJump = $result+4
log "found OEP Jump: {0}", $oepJump

//run until the jz is reached
bp $oepJump
erun
bc

//jz near is 6 bytes long: target = jz address + 6 + rel32
$rel32 = 4:[$oepJump+2]
$oep = $oepJump + 6 + $rel32
log "OEP: {0}", $oep

//run to the OEP
bp $oep
erun
bc

//comment it
cmt cip,"OEP"

//finish script
ret

error:
msg "didn't find oep jump"
ret
50 |
--------------------------------------------------------------------------------
/FSG2.0.txt:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////
// FileName : FSG2.0.txt
// Comment : OEP Find For FSG v2.0
// Author : _pusher_
// Date : 2015-07-02
//////////////////////////////////////////////////
//
// FSG 2.0 leaves its loader through an indirect "jmp dword ptr [ebx+0C]"
// (FF 63 0C) whose slot holds the OEP. Break on it and take it with one step.

//start
msg "FSG 2.0 OEP Finder"
msg "make sure you're at the entry point of the program before you continue"
pause

//clear breakpoints
bc
bphwc

//locate jmp [ebx+0C]
find cip,"FF630C"
log "found: {0}", $result
cmp 0,$result
jne jumpFound
jmp error

jumpFound:
//run up to the jump, drop the breakpoint and take it
bp $result
erun
bc
sti

cmt cip,"OEP"

//finish script
ret

error:
msg "didn't find oep jump"
ret
37 |
--------------------------------------------------------------------------------
/MPRESS X.XX OEP FINDER:
--------------------------------------------------------------------------------
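///////////////////////////////////////////
// //
// MPRESS X.XX OEP FINDER //
// //
// supports EXEs & DLLs in x64 & x32 //
// //
///////////////////////////////////////////
// Prepared by: Blitzkrieg
// Date : 3rd July 2020
// Tested on :
//
// Release | Target
// -----------------------------
// | 64bit | 32bit
// -----------------------------
// 1.27 | EXE | EXE
// 2.18 | EXE/DLL | EXE/DLL
// 2.19 | EXE/DLL | EXE/DLL
///////////////////////////////////////////
// Notes:
// - use "dbclear" command manually when
// script keeps throwing errors, then
// reload target into x64dbg. Don't use
// it when starting-up x64dbg or it will
// delete your Entry Point Breakpoint
// causing more problems!
// - this script makes use of labels
// instead of conventional comments,
// that's because labels won't interfere
// with your comments. Also labelclear
// won't delete your personal comments.
// - how it works: the MPRESS loader is
// left through two long unconditional
// jumps (E9). Each is found by scanning
// forward from cip for an E9 whose target
// passes a range test, instead of a fixed
// byte signature, so no version-specific
// pattern is needed. If no E9 qualifies
// the script stops with a message instead
// of looping on address 0.
///////////////////////////////////////////

call StartAtEntryPoint
call DisableBreakpoints

//Finding a long unconditional jump
//Walk forward from cip one E9 at a time. A candidate is accepted only when the
//immediate of the instruction it jumps to (dis.imm applied twice) lies between
//the module base and the base of cip's memory region.
mov $address,cip
Negative:
find $address+1,"E9"
cmp $result,0
je jumpNotFound //no further E9 in the search range
mov $address,$result
cmp mem.base(cip),dis.imm(dis.imm($address)) //skip when that value lies above the base of cip's memory region
jb Negative
cmp mod.base(cip),dis.imm(dis.imm($address)) //skip when it lies below the module base
ja Negative
bp $address
lbl $address,"First Pattern"
log "First Pattern found at: {0}",$address
erun
bc cip
sti 2 //execute the jump and the instruction after it

//Finding a long unconditional jump
//Second scan: the jump's own target must lie between the base of cip's memory
//region and cip itself.
mov $address,cip
Negative2:
find $address+1,"E9"
cmp $result,0
je jumpNotFound //no further E9 in the search range
mov $address,$result
cmp mem.base(cip),dis.imm($address) //skip when the target lies below the base of cip's memory region
ja Negative2
cmp cip,dis.imm($address) //skip when the target lies above cip
jb Negative2
bp $address
lbl $address,"Second Pattern"
log "Second Pattern found at: {0}",$address
erun
bc cip
sti //take the jump: cip is now the OEP

//Halting at OEP
lbl cip,"OEP Found :)"
log "OEP for MPRESS found at: {0}",cip
guiupdateenable

//call TimeToDump
ret

jumpNotFound:
msg "MPRESS OEP jump (E9) not found - is the debuggee paused at the packed entry point?"
ret


///////////////////////////////////////////
// Tools
// Prepared by: Blitzkrieg
///////////////////////////////////////////

//Makes sure that you start at the Entry Point automatically:
//enables the entry-point break, then keeps running until cip is inside a
//user module (mod.party == 0) and equals that module's entry point.
StartAtEntryPoint:
config Events,EntryBreakpoint,1
NotYetInsideUserModule:
cmp 0,mod.party(cip)
je AlreadyInsideUserModule
erun
jmp NotYetInsideUserModule
AlreadyInsideUserModule:
cmp cip,mod.entry(cip)
je AtUserModuleEntryPoint
erun
jmp NotYetInsideUserModule
AtUserModuleEntryPoint:
ret

//Disables all kinds of breakpoints (disables, does not delete, the user's own)
DisableBreakpoints:
bd //use dbclear manually when error thrown here
bphd
bpmd
bpddll
DisableExceptionBPX
labelclear //small addition for preventing label collisions
EnableLog
//guiupdatedisable (for faster script execution)
ret

//Calls a confirmation window for dumping target in Scylla
TimeToDump:
msgyn "Successfully found OEP! Wanna use Scylla to dump the target?"
cmp 0,$result
je noscylla
scylla
noscylla:
ret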
119 |
--------------------------------------------------------------------------------
/Mpress2xx.txt:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////
// FileName : Mpress2xx.txt
// Comment : OEP Find For MPress v2.xx
// Author : _pusher_
// Date : 2015-12-10
//////////////////////////////////////////////////
//
// Two stages: (1) reach the jmp that follows the decompressor's epilogue, either
// "add esp,7C / pop ebx,esi,edi,ebp / ret / jmp" or "mov eax,[ebp-8] / pop esi /
// leave / ret 4 / jmp"; (2) from there reach the final "stosb / mov eax,1?E /
// stosd / popad / jmp", whose jmp goes to the OEP. In all three patterns the E9
// is 8 bytes into the match.

//start
msg "Mpress 2.xx OEP Finder"
msg "make sure you're at the entry point of the program before you continue"
pause

//clear breakpoints
bc
bphwc

//find jump ret (either epilogue variant)
find cip,"83C47C5B5E5F5DC3E9"
cmp 0,$result
jne AllOK
find cip,"8B45F85EC9C20400E9"
cmp 0,$result
jne AllOK
jmp error1

AllOK:
$firstJump = $result+8
log "found: {0}", $firstJump
//run to the jump and take it
bp $firstJump
erun
bc
sti

//find OEP Jump: AA B8 ?E 01 00 00 AB 61 E9
find cip,"AAB8?E010000AB61E9"
log "found: {0}", $result+8
cmp 0,$result
je error2

bc
//run to the OEP jump and take it
bp $result+8
erun
bc
sti

cmt cip,"OEP"

//finish script
ret

error1:
msg "didn't find jump"
ret

error2:
msg "didn't find oep jump"
ret
62 |
--------------------------------------------------------------------------------
/PECompact3.txt:
--------------------------------------------------------------------------------
///////////////////////////////////////////////////////////////////////////////////////
// //
// PECompact v3.02.2 OEP Finder //
// n2u [brc] //
// //
// Before running the script, make sure you: //
// - Are at the program's entrypoint //
// - Have Scylla plugin enabled with at least one option set (we need Scylla hook) //
// //
///////////////////////////////////////////////////////////////////////////////////////
//
// The PECompact 3 entry point starts with "mov eax,imm32 / push eax / push fs:[0]"
// (B8 ?? ?? ?? ?? 50 64 FF ...), i.e. an exception handler is installed right away.
// The script steps over that first instruction, arms a hardware breakpoint back on
// the entry point and runs: when it fires again the original code is in place there
// (the author's observation; not verified here).

find cip, "B8????????5064FF"
log " [PECompact v3 OEP Finder] Found PECompact EP pattern at {p:0}", $result
cmp 0, $result
jne patternFound
jmp err_notfound

patternFound:
bpc
bphc

//execute "mov eax,imm32" (5 bytes), then put a hardware breakpoint on the instruction just left
step
bph cip-5
erun

//the hardware breakpoint fired with the uncompressed code in place
cmt cip, "OEP"
d

bpc
bphc
ret

err_notfound:
msg "PECompact v3 EP pattern not found"
ret
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # scripts
2 |
3 | a collection of x64dbg scripts: OEP finders for common packers/protectors, anti-anti-debug helpers and a SecuROM remover. The "unpackers" below only stop the debuggee at the OEP; dumping and import fixing are done afterwards with Scylla (several scripts offer to launch it).
4 |
5 | ## UPX
6 | Website: http://upx.sourceforge.net/
7 |
8 | ### Unpackers
9 | 2.02_to_2.03.txt
10 |
11 | Ability: Unpack UPX versions 2.02 to 2.03
12 |
13 | Instructions: Load the exe with x64dbg's entry-point breakpoint enabled (the script's first `run` relies on it to stop at the packed entry point), then run the script.
14 |
15 |
16 | 3.06_to_3.91.txt
17 |
18 | Ability: Unpack UPX versions 3.06 through 3.91 (the script's own header says 3.06 to 3.09; confirm which range was actually tested).
19 |
20 | Instructions: Load the exe with x64dbg's entry-point breakpoint enabled (the script's first `run` relies on it to stop at the packed entry point), then run the script.
21 |
22 |
23 | upx391.txt
24 |
25 | Ability: Unpack UPX version 3.91 (see the file name, upx391.txt).
26 |
27 | Instructions:
28 |
29 | ## FSG
30 | Website:
31 |
32 | ### Unpackers
33 | FSG1.x1.3x.txt
34 |
35 | Ability: Unpack FSG 1.0, 1.1, 1.31 and 1.33 (the versions listed in the script header)
36 |
37 | Instructions: Begin at the entry point.
38 |
39 |
40 | FSG1.2.txt
41 |
42 | Ability: Unpack FSG 1.2
43 |
44 | Instructions: Begin at the entry point.
45 |
46 |
47 | FSG2.0.txt
48 |
49 | Ability: Unpack FSG 2.0
50 |
51 | Instructions: Begin at the entry point.
52 |
53 | ## ASPack
54 | Website: http://www.aspack.com/
55 |
56 | ### Unpackers
57 | ASPack 2.xx.txt
58 |
59 | Ability: Unpack all versions 2.xx of ASPack
60 |
61 | Instructions: Begin at the entry point.
62 |
--------------------------------------------------------------------------------
/Safedisc_v1.x_anti_antidebugger.txt:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////
// FileName : Safedisc_v1.x_anti_antidebugger.txt
// Comment : Defeats Safedisc v1.x anti-debugging checks
// Author : Luca91 (Luca1991) - Luca D'Amico
// Date : 2022-02-01
// How to use : Load GAME.EXE and run this script. Once ingame, you can attach a second instance of x32dbg to GAME.ICD.
// Tested on Safedisc v1.06-v1.50
//////////////////////////////////////////////////
//
// Two measures: PEB.BeingDebugged is cleared, and NtQueryInformationProcess gets a
// breakpoint command so that every ProcessDebugPort query returns 0 in its output
// buffer. Every call is logged. x86 only (arguments are read via [esp+...]).
// NOTE(review): other classes (ProcessDebugObjectHandle 0x1E, ProcessDebugFlags 0x1F)
// pass through unchanged; the sibling Cenega script also handles 0x1E.

// start
msg "Safedisc v1.x anti antidebugger"
run // run til the EntryPoint

// clear breakpoints
bc
bphwc

// defeats isDebuggerPresent and manual PEB checks
$peb = peb()
set $peb+0x2, #00#

// find and hook NtQueryInformationProcess
nqip_addr = ntdll.dll:NtQueryInformationProcess
bp nqip_addr
SetBreakpointCommand nqip_addr, "scriptcmd call check_nqip"
erun
ret

// breakpoint handler: at the function's first instruction [esp+8] is ProcessInformationClass
check_nqip:
log "NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
cmp 7, [esp+8] // 0x7 == ProcessDebugPort
jne nqip_passthrough
// run to the return instruction (arguments still on the stack) and zero *ProcessInformation
rtr
set [esp+C], #00 00 00 00#
nqip_passthrough:
erun
ret
41 |
--------------------------------------------------------------------------------
/SecuROM_2-4_OEP_Finder.txt:
--------------------------------------------------------------------------------
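//////////////////////////////////////////////////
// FileName : SecuROM_2-4_OEP_Finder.txt
// Comment : SecuROM 2.91 - 4.x OEP Finder
// Author : Luca91 (Luca1991) - Luca D'Amico
// Date : 2023-04-23
// How to use : First of all configure x32db to ignore all exceptions (this is important!).
// Load your SecuROM 2-4 protected game and run this script. You will get to the OEP.
//////////////////////////////////////////////////
//
// Idea: the protector rebuilds the original code by calling WriteProcessMemory on
// itself. After the first GetDriveTypeA call (the disc check) every WriteProcessMemory
// buffer is scanned for the MSVC CRT entry prologue "push ebp / mov ebp,esp / push -1"
// (55 8B EC 6A FF). The first two bytes of that prologue are replaced *in the buffer*
// with EB FE (jmp $), so the game parks itself at its OEP once control gets there; a
// breakpoint on the OEP then restores the original bytes.
// Assumptions (x86 only):
//  - the breakpoints sit at API entry +2 (past the 2-byte hot-patch prologue) before any
//    frame is set up, so [esp] is the return address and the arguments start at [esp+4];
//  - the OEP starts with 55 8B EC 6A FF (MSVC-style entry); other compilers are not found.

$driveChecked = 0


run // run til the EntryPoint


// clear breakpoints
bc
bphwc


// find and hook WriteProcessMemory and GetDriveTypeA
$writeProcessMemoryAddr = kernel32.dll:WriteProcessMemory
bp $writeProcessMemoryAddr+0x2
SetBreakpointCommand $writeProcessMemoryAddr+0x2, "scriptcmd call WriteProcessMemoryHook"
$getDriveTypeAAddr = kernel32.dll:GetDriveTypeA
bp $getDriveTypeAAddr+0x2
SetBreakpointCommand $getDriveTypeAAddr+0x2, "scriptcmd call GetDriveTypeAHook"
erun
ret


// WriteProcessMemory(hProcess=[esp+4], lpBaseAddress=[esp+8], lpBuffer=[esp+C], nSize=[esp+10], ...)
WriteProcessMemoryHook:
cmp $driveChecked, 1
jne WpmhContinue // writes before the disc check are not the decrypted code - ignore them
log "WriteProcessMemory({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
$currentBufferAddr = [esp+C]
$currentBufferSize = [esp+10]
log "analyzing buffer located at {$currentBufferAddr} of size {$currentBufferSize}"
cmp $currentBufferSize, 0
je WpmhContinue // skip empty buffers rather than let find fall back to its default search size
find $currentBufferAddr, 558BEC6AFF, $currentBufferSize
cmp $result, 0
jne PatchBuffer
WpmhContinue:
erun
ret


// the first GetDriveTypeA call marks the point after which WriteProcessMemory buffers are inspected
GetDriveTypeAHook:
$driveChecked = 1
erun
ret


// $result is the prologue's address inside the source buffer; map it onto the destination address
PatchBuffer:
$oepAddressInBuffer = $result
$oepAddr = [esp+8] + ($oepAddressInBuffer - $currentBufferAddr)
msg "OEP = {$oepAddr}"
set $oepAddressInBuffer, #EB FE# // jmp $ : the game will spin at its OEP instead of running on
rtr // let WriteProcessMemory finish copying the (patched) buffer
bc
bphwc
bp $oepAddr // fires once control reaches the parked OEP
SetBreakpointCommand $oepAddr, "scriptcmd call RestoreOepBytes"
erun
ret


// Put the original "push ebp / mov ebp,esp" bytes back. The breakpoints are deleted
// BEFORE the write: removing an enabled software breakpoint may write the byte x64dbg
// saved when it was set (here the EB of our jmp $) back to memory, which would undo
// the restore if it happened afterwards.
RestoreOepBytes:
bc
bphwc
set eip, #55 8B#
lbl eip,"OEP"
ret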
73 |
--------------------------------------------------------------------------------
/SecuROM_2.9-4.68_Semi-Automatic_Remover.txt:
--------------------------------------------------------------------------------
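//////////////////////////////////////////////////
// FileName : SecuROM_2.9-4.68_Semi-Automatic_Remover.txt
// Comment : Remove SecuROM (2.9-4.68) Protection
// Author : Luca91 (Luca1991) - Luca D'Amico
// Date : 2023-11-04
// How to use : 1) Before running this script make sure that you are at the OEP (EIP==OEP)!
// You can use my "SecuROM_2-4_OEP_Finder" script to do this.
// 2) Edit the CONFIG section of this script, filling in the IAT START/END VA.
// Find these values manually, or use Scylla IAT Autosearch.
// 3) Launch this script, then use Scylla to DUMP/FIX DUMP as usual.
// Features : * Works from SecuROM 2.9 up to (and including) SecuROM 4.68.
// * Uses chunking to avoid being detected by SecuROM 4.68 additional checks.
// Limitations : * You have to provide IAT START/END VA
// * This script will not remove SecuROM triggers if present!!!
//////////////////////////////////////////////////
//
// How it works (x86 only - uses eax/eip and 4-byte thunks):
//  - SecuROM routes the game's "call [thunk]" instructions through its own API dispatcher,
//    whose epilogue is "pop edi / pop esi / pop ebx / mov esp,ebp / pop ebp / jmp eax" with
//    the real API address in eax. A silent hardware breakpoint is placed on that "jmp eax".
//  - Every "call [dispatcher_slot]" in cip's memory region is collected with findall. The
//    script then sets eip on each call in turn, runs until the dispatcher's jmp, looks eax
//    up in the IAT and rewrites the call's operand with the matching thunk.
//  - Calls are processed in chunks, last chunk first, because SecuROM 4.68 notices if too
//    many calls are resolved in sequence (per the author).
// The debuggee's registers/eip are not restored afterwards: the script is meant to be
// followed directly by a dump.


///// CONFIG - PLEASE EDIT THIS SECTION /////
$IAT_START = 0x0 // IAT START VA (eg. 0x4CC000)
$IAT_END = 0x0 // IAT END VA (eg. 0x4CC218)
/////////////////////////////////////////////

// refuse to run with the placeholder config: the thunk scan would otherwise read from address 0
cmp $IAT_START, 0
je _iat_not_configured
cmp $IAT_END, $IAT_START
jbe _iat_not_configured

$OEP = cip

$SECUROM_PATTERN = 0

///// FIND SECUROM API JUMP /////
findallmem mem.base(cip), 5F5E5B8BE55DFFE05F5E5B8BE55DC3, -1, user
cmp $result, 0
je _securom_jmp_not_found
$SECUROM_API_JMP = ref.addr(0) + 0x6 // +6 skips pop edi/pop esi/pop ebx/mov esp,ebp/pop ebp and lands on "jmp eax"
log "SECUROM API FOUND AT {$SECUROM_API_JMP}"
bphws $SECUROM_API_JMP
SetHardwareBreakpointSilent $SECUROM_API_JMP, 1
SetHardwareBreakpointFastResume $SECUROM_API_JMP, 1
/////////////////////////////////

///// FIND ALL SECUROM CALLS PATTERN /////
// the first "call [imm32]" after the OEP is assumed to go through the SecuROM dispatcher slot;
// its operand (byte-swapped into pattern order) then finds every other call through that slot
find $OEP, FF15????????
cmp $result, 0
je _securom_call_not_found
$SECUROM_PATTERN = bswap([$result+0x2])
findall mem.base(cip), FF15{$SECUROM_PATTERN}, mem.size(cip)
cmp $result, 0
je _securom_call_not_found
//////////////////////////////////////////

///// SETUP CHUNKS TO AVOID DETECTION /////
$chunks = 6
$chunk_size = ref.count()/$chunks
$chunks_remainder = ref.count()%$chunks
$current_chunk = $chunks - 1 // chunks are processed from the last one down to 0
//////////////////////////////////////////////////

///// API FIXING /////
_start:
$current_pattern = $current_chunk * $chunk_size
$current_chunk_stop = $current_pattern + $chunk_size + $chunks_remainder // the remainder is folded into the first (highest) chunk only
$chunks_remainder = 0
_start_fixing:
eip = ref.addr($current_pattern)
erun // executes the call; stops on the dispatcher's "jmp eax" with the real API address in eax
_iat_search:
$CURRENT_THUNK = $IAT_START
_compare_thunk:
cmp 4:[$CURRENT_THUNK], eax
je _patch_api
add $CURRENT_THUNK, 4
cmp $CURRENT_THUNK, $IAT_END
jl _compare_thunk
msg "ERROR: THUNK NOT FOUND :("
ret
_patch_api:
set [ref.addr($current_pattern)+0x2], $CURRENT_THUNK // rewrite "call [dispatcher_slot]" into "call [thunk]"
inc $current_pattern
cmp $current_pattern, $current_chunk_stop
jne _start_fixing
log "CHUNK {$current_chunk} COMPLETED :)"
cmp $current_chunk, 0
je _all_chunks_done // chunk 0 was the last one (no reliance on unsigned wrap-around of the counter)
dec $current_chunk
jmp _start
_all_chunks_done:
msgyn "COMPLETED :) Do you want to launch Scylla now?"
cmp 0,$result
je _noscylla
scylla
_noscylla:
ret

_securom_jmp_not_found:
msg "ERROR: SECUROM API JUMP NOT FOUND :("
ret

_securom_call_not_found:
msg "ERROR: NO SECUROM API CALL FOUND AFTER THE OEP :("
ret

_iat_not_configured:
msg "ERROR: SET $IAT_START / $IAT_END IN THE CONFIG SECTION FIRST :("
ret
//////////////////////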
88 | //////////////////////
89 |
--------------------------------------------------------------------------------
/Themida v2.x.x.x OEP Finder.txt:
--------------------------------------------------------------------------------
//Tested on Themida v2.4.6.0
//Always use an anti-anti-debug plugin (SharpOD, ScyllaHide, etc.)
//
//Approach: watch the first word of the first section after the module's header
//region. VirtualProtect calls are used as the pacing event: the script keeps
//running through them until that word changes (the section has been rewritten),
//lets two more go by, then arms an execute memory breakpoint on the section so
//the first instruction run from it - the OEP - stops the debugger. The section
//must be mapped and flagged as code, otherwise the script bails out.

msg "Themida v2.x.x.x OEP Finder by Yildo & Mobile46"

//Clear or disable breakpoints
//bpc
//bphc
//bpmc
bpd
bphd
bpmd

//Start
//first section = module base + size of the first mapped region (the headers)
$sectionAddress = mod.main() + mem.size(mod.main())

cmp 0, mem.isvalid($sectionAddress)
je error

cmp 0, mem.iscode($sectionAddress)
je error

$original = [$sectionAddress]
bph VirtualProtect

//keep running through VirtualProtect calls while the watched word is unchanged
waitForWrite:
erun
cmp [$sectionAddress], $original
je waitForWrite

//two more VirtualProtect calls go by
erun
erun

bphc VirtualProtect
bpm $sectionAddress, x

erun
d
cmt cip, "OEP"
ret

error:
msg "This PE file is not supported!"
ret
--------------------------------------------------------------------------------
/UPX X.XX OEP Finder.txt:
--------------------------------------------------------------------------------
1 | ///////////////////////////////////////////
2 | // //
3 | // UPX X.XX OEP FINDER //
4 | // //
5 | // supports EXEs & DLLs in x64 & x32 //
6 | // //
7 | ///////////////////////////////////////////
8 | // Prepared by: Blitzkrieg
9 | // Date : 4th July 2023
10 | // Tested on :
11 | //
12 | // Release | Target
13 | // -----------------------------
14 | // | 64bit | 32bit
15 | // -----------------------------
16 | // 1.20 | - | EXE
17 | // 1.24 | - | EXE
18 | // 1.25 | - | EXE
19 | // 2.02 | - | EXE/DLL
20 | // 2.03 | - | EXE/DLL
21 | // 3.06 | - | EXE/DLL
22 | // 3.07 | - | EXE/DLL
23 | // 3.08 | - | EXE/DLL
24 | // 3.09 | - | EXE/DLL
25 | // 3.91 | - | EXE/DLL
26 | // 3.95 | EXE/DLL | EXE/DLL
27 | // 3.96 | EXE/DLL | EXE/DLL
28 | // 4.00 | EXE/DLL | EXE/DLL
29 | // 4.01 | EXE/DLL | EXE/DLL
30 | // 4.02 | EXE/DLL | EXE/DLL
31 | ///////////////////////////////////////////
32 | // Notes:
33 | // - use "dbclear" command manually when
34 | // script keeps throwing errors, then
35 | // reload target into x64dbg. Don't use
36 | // it when starting-up x64dbg or it will
37 | // delete your Entry Point Breakpoint
38 | // causing more problems!
39 | // - this script makes use of labels
40 | // instead of conventional comments,
41 | // that's because labels won't interfere
42 | // with your comments. Also labelclear
43 | // won't delete your personal comments.
44 | ///////////////////////////////////////////
45 |
46 | //START AT THE ENTRY POINT!
47 | // Flow: disable the user's breakpoints, locate the stub's long JMP (E9) to the OEP, break on it, step into it, annotate the OEP and offer a Scylla dump.
48 | call DisableBreakpoints
49 | // NOTE(review): the search loop below never tests $result for 0. If no acceptable E9 is found, $address becomes 0 and the next "find 1,..." fails with a script error instead of a message; a `cmp $result,0` / `je <error label>` after the find would fail cleanly.
50 | //Finding a long unconditional jump
51 | mov $address,cip //search cursor starts at CIP (the entry point)
52 | notlongunconditionaljump:
53 | find $address+1,"E9" //next E9 opcode after the previous candidate; $result is the match address, or 0
54 | mov $address,$result
55 | cmp cip,dis.imm($address) //reject a candidate whose target lies above CIP (the script assumes the OEP is lower in memory than the stub)
56 | jb notlongunconditionaljump
57 | cmp mod.base(cip)+mem.size(mod.base(cip)),dis.imm($address) //reject a candidate whose target lies below the end of the memory region that starts at the module base (presumably the PE header page, so roughly "below the first section" — confirm against mem.size semantics)
58 | ja notlongunconditionaljump
59 | bp $address //software breakpoint on the accepted jump
60 | erun //run (exceptions passed to the debuggee) until the jump is hit
61 | bc cip //remove that breakpoint again; CIP is now the jump
62 | sti //single-step into the jump: CIP is now the OEP
63 | // From here on CIP is taken to be the OEP; nothing below re-validates it.
64 | //Halting at OEP
65 | cmt cip,"OEP Found :)" //label the OEP in the disassembly
66 | log "OEP for UPX found at: {a:cip}" //report it in the log window
67 | guiupdateenable //re-enable GUI refresh (the matching guiupdatedisable in DisableBreakpoints is commented out, so this is a no-op unless it is turned back on)
68 | d cip //focus the disassembly view on the OEP
69 | // TimeToDump asks before launching Scylla; control returns here and the script ends.
70 | call TimeToDump
71 | ret
72 |
73 |
74 |
75 | ///////////////////////////////////////////
76 | // Tools
77 | // Prepared by: Blitzkrieg
78 | ///////////////////////////////////////////
79 |
80 | //Disables all kinds of breakpoints (software, hardware, memory, DLL, exception) so they cannot fire during erun. They are disabled, not deleted, so the user's breakpoints survive. Also clears labels and turns logging on.
81 | DisableBreakpoints:
82 | bd //disable software breakpoints; use dbclear manually when an error is thrown here (see the header notes)
83 | bphd //disable hardware breakpoints
84 | bpmd //disable memory breakpoints
85 | bpddll //disable DLL breakpoints
86 | DisableExceptionBPX //disable exception breakpoints
87 | labelclear (small addition for preventing label collusions) //NOTE(review): the parenthesised text is not a comment (no "//"), so it is handed to labelclear as an argument — confirm the command ignores it, or put "//" in front; "collusions" presumably means "collisions"
88 | EnableLog //make sure the log window receives the OEP message
89 | //guiupdatedisable (for faster script execution)
90 | ret
91 |
92 | //Displays a confirmation window for dumping PE file with Scylla; a "No" answer ($result == 0) skips Scylla and returns.
93 | TimeToDump:
94 | msgyn "Successfully found OEP! Wanna use Scylla to dump the PE file?" //yes/no prompt; the answer lands in $result
95 | cmp 0,$result
96 | je noscylla //0 == No
97 | scylla //open Scylla at the current CIP so the user can dump and rebuild imports
98 | noscylla:
99 | ret
100 |
--------------------------------------------------------------------------------
/UPack_all.txt:
--------------------------------------------------------------------------------
1 | //////////////////////////////////////////////////
2 | // FileName : UPack_all.txt
3 | // Comment : OEP find for *all* UPack
4 | // Author : _pusher_
5 | // Date : 2015-12-25
6 | // It's a bit messy, I know.
7 | //////////////////////////////////////////////////
8 |
9 | //start
10 | msg "UPack *all* OEP Finder"
11 | msg "make sure you're at the entry point of the program before you continue"
12 | pause //script stops here; the user resumes it with CIP on the UPack entry point
13 | // Dispatcher: each "find" scans from CIP for one stub signature; a non-zero $result jumps to the handler for that variant (a0, aw0, a1, a2, a3).
14 | //clear breakpoints
15 | bc //delete software breakpoints
16 | bphwc //delete hardware breakpoints
17 | sti //step one instruction before scanning
18 | // $result holds the match address, or 0 when the signature is absent.
19 | //find oep code
20 | find cip,"74 1F 51 56 97 FF D1 93 AC 84 C0 75 FB 38 06 74 EA 8B C6 79 05 46 33 C0 66 AD 50 53 FF D5 AB EB E7 C3" //some pattern (34 bytes; handled at a0)
21 | log "found: {0}", $result
22 | cmp $result,0
23 | jnz a0 //matched
24 | // Second signature: UPack 0.34 (per the comment below).
25 | //0.34
26 | find cip,"F3 AB C1 E0 0A B5 ?? F3 AB BF ?? ?? ?? ?? E9" //some pattern (15 bytes; handled at aw0)
27 | log "found: {0}", $result
28 | cmp $result,0
29 | jnz aw0 //matched
30 | // Third signature (handled at a1).
31 | //find oep code
32 | find cip,"74 30 51 56 97 FF D1 93 AC 84 C0 75 FB 38 06 74 EA 8B C6 79 05 46 33 C0 66 AD 50 53 FF D5 AB EB E7 33 C0 40 8D 54 85 00 FF 16 13 C0 3B C1 72 F4 2B C1 C3" //some pattern (51 bytes; handled at a1)
33 | log "found: {0}", $result
34 | cmp $result,0
35 | jnz a1 //matched
36 | // Fourth signature (handled at a2).
37 | //find oep code
38 | find cip,"E2 FA 5B 03 DA 43 59 89 5D 0C 56 8B F7 2B F3 F3 A4 AC 5E B1 80 AA 3B 7E 2C 73 03 FF 66 28 58 8B 4E 30 5F E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 1C 2B C7 AB E2 E5 8B 5E 34 8B 76 38 46 AD ?? C0 0F 84" //some pattern (76 bytes; handled at a2)
39 | log "found: {0}", $result
40 | cmp $result,0
41 | jnz a2 //matched
42 | // Fifth signature (handled at a3).
43 | //find oep code
44 | find cip,"8B 5E 28 56 52 8B 76 2C 46 AD 85 C0 5A 74 22 03 C2 52 56 97 FF 53 FC 95 AC 84 C0 75 FB 38 06 74 E7 8B C6 79 05 46 33 C0 66 AD 50 55 FF 13 AB EB E7 59 5F 8B 49 44 E3 0D 33 C0 AC 3C 04 72 0C 03 F8 01 17 E2 F3 61 E9" //some pattern (71 bytes; handled at a3)
45 | log "found: {0}", $result
46 | cmp $result,0
47 | jnz a3 //matched
48 | // NOTE(review): reaching this point means no signature matched, yet the script returns silently; the "found: 0" log lines above are the only hint.
49 | // A `msg "unknown UPack variant"` before the ret would tell the user why nothing happened.
50 | //finish script
51 | ret
52 |
53 | a3: //variant matched by the 71-byte signature at line 44
54 | bp $result+46 //0x46 is the offset of that signature's trailing E9 (the OEP jump)
55 | erun //run until the jump is reached
56 | bc //delete the breakpoint before stepping
57 | sti //step into the jump: CIP is now the OEP
58 | cmt cip,"OEP"
59 | //finish script
60 | ret
61 |
62 | a2: //variant matched by the 76-byte signature at line 38
63 | bp $result+4a //0x4A is the offset of that signature's trailing 0F 84 (JE rel32)
64 | erun //run until that JE is reached
65 | bc
66 | $dw = 4:[$result+4c] //the JE's rel32, at offset 0x4C
67 | $dest = $result+4 + $dw + 4c //target = next instruction (offset 0x50) + rel32; presumably 32-bit only, since a negative rel32 relies on 32-bit wrap-around
68 | log "OEP: {0}", $dest
69 | bp $dest //run until the jump target, which the script takes to be the OEP
70 | erun //NOTE(review): unlike a3/a1, the breakpoint at $dest is never deleted (no bc) and stays set after the script ends
71 | cmt cip,"OEP"
72 | //finish script
73 | ret
74 |
75 | a1: //variant matched by the 51-byte signature at line 32
76 | //find oep code
77 | find cip,"57 51 E9" //some pattern: push edi / push ecx / jmp rel32
78 | log "found: {0}", $result
79 | cmp $result,0
80 | jz error2
81 | //go to JMP
82 | bp $result+2 //offset 2 is the E9
83 | erun
84 | bc //delete the breakpoint before stepping
85 | sti //follow the jump
86 | find cip,"74 1F 51 56 97 FF D1 93 AC 84 C0 75 FB 38 06 74 EA 8B C6 79 05 46 33 C0 66 AD 50 53 FF D5 AB EB E7 C3" //some pattern: 34 bytes; the leading JE (74 1F) targets the trailing C3
87 | log "found: {0}", $result
88 | cmp $result,0
89 | jz error1
90 | bp $result+21 //0x21 is the offset of that C3 (ret)
91 | erun
92 | bc
93 | sti //step the ret: CIP is now the OEP
94 | cmt cip,"OEP"
95 | //finish script
96 | ret //NOTE(review): a0 (line 147) is a byte-for-byte copy of this handler; the dispatcher could jump here for both signatures
97 |
98 | aw0: //UPack 0.34 variant (signature at line 26); falls back to test2 when the usual OEP code is absent
99 | //find oep code
100 | find cip,"F3 AB C1 E0 0A B5 ?? F3 AB BF ?? ?? ?? ?? E9" //some pattern: repeats the dispatcher's search (CIP has not moved, so $result is unchanged); offset 0xE is the E9
101 | log "found: {0}", $result
102 | cmp $result,0
103 | jz error2
104 | //go to JMP
105 | bp $result+e //on the E9
106 | erun
107 | bc //delete the breakpoint before stepping
108 | sti //follow the jump
109 | find cip,"74 1F 51 56 97 FF D1 93 AC 84 C0 75 FB 38 06 74 EA 8B C6 79 05 46 33 C0 66 AD 50 53 FF D5 AB EB E7 C3" //some pattern: 34 bytes ending in C3
110 | log "found: {0}", $result
111 | cmp $result,0
112 | jz test2 //not found: try the older (0.33) layout
113 | bp $result+21 //0x21 is the offset of that C3 (ret)
114 | erun
115 | bc
116 | sti //step the ret: CIP is now the OEP
117 | cmt cip,"OEP"
118 | ret
119 | test2: //reached only from aw0 (line 112) when the 34-byte OEP code was not found
120 | //0.33 ..
121 | //find jb loop then ret code
122 | find cip,"F3 A4 AC 5E B1 80 AA 81 FF ?? ?? ?? ?? 0F 82" //some pattern: 15 bytes ending in JB rel32 (0F 82)
123 | log "found: {0}", $result
124 | cmp $result,0
125 | jz error1
126 | bp $result+13 //0x13 = first byte after the JB (0F 82 + 4-byte rel32), i.e. the instruction that runs once the loop exits
127 | erun
128 | bc //no sti here: CIP is already past the loop
129 | // Second search from the post-loop position.
130 | // The 51-byte pattern below is the one the dispatcher tried at line 32; presumably it only becomes visible once the loop has run.
131 |
132 | find cip,"74 30 51 56 97 FF D1 93 AC 84 C0 75 FB 38 06 74 EA 8B C6 79 05 46 33 C0 66 AD 50 53 FF D5 AB EB E7 33 C0 40 8D 54 85 00 FF 16 13 C0 3B C1 72 F4 2B C1 C3" //some pattern: 51 bytes; the trailing C3 is at offset 0x32
133 | log "found: {0}", $result
134 | cmp $result,0
135 | jz error1
136 | bp $result+32 //on that C3 (ret)
137 | erun
138 | bc //delete the breakpoint before stepping
139 | sti //step the ret: CIP is now the OEP
140 | cmt cip,"OEP"
141 | //finish script
142 | ret
143 |
144 |
145 |
146 |
147 | a0: //variant matched by the 34-byte signature at line 20; identical to the a1 handler (line 75)
148 | //find oep code
149 | find cip,"57 51 E9" //some pattern: push edi / push ecx / jmp rel32
150 | log "found: {0}", $result
151 | cmp $result,0
152 | jz error2
153 | //go to JMP
154 | bp $result+2 //offset 2 is the E9
155 | erun
156 | bc //delete the breakpoint before stepping
157 | sti //follow the jump
158 | find cip,"74 1F 51 56 97 FF D1 93 AC 84 C0 75 FB 38 06 74 EA 8B C6 79 05 46 33 C0 66 AD 50 53 FF D5 AB EB E7 C3" //some pattern: 34 bytes; the leading JE (74 1F) targets the trailing C3
159 | log "found: {0}", $result
160 | cmp $result,0
161 | jz error1
162 | bp $result+21 //0x21 is the offset of that C3 (ret)
163 | erun
164 | bc
165 | sti //step the ret: CIP is now the OEP
166 | cmt cip,"OEP"
167 | //finish script
168 | ret
169 |
170 | error2: //a jump signature ("57 51 E9" or the 0.34 pattern) was not found after dispatch
171 | msg "didn't find JMP code"
172 | ret
173 |
174 | error1: //the OEP code signature after the jump was not found
175 | msg "didn't find OEP code"
176 | ret
177 |
--------------------------------------------------------------------------------
/UpxUnpacker.cpp:
--------------------------------------------------------------------------------
1 | //Script DLL example. Put the 'pluginsdk' directory from the snapshot in the same directory as this file and compile as a DLL.
2 |
3 | #include "pluginsdk/_scriptapi_debug.h"
4 | #include "pluginsdk/_scriptapi_memory.h"
5 | #include "pluginsdk/_scriptapi_register.h"
6 | #include "pluginsdk/_scriptapi_pattern.h"
7 | #include "pluginsdk/_scriptapi_comment.h"
8 | #include "pluginsdk/_scriptapi_gui.h"
9 | #include "pluginsdk/bridgemain.h"
10 |
11 | #ifdef _WIN64
12 | #pragma comment(lib, "pluginsdk/x64dbg.lib")
13 | #pragma comment(lib, "pluginsdk/x64bridge.lib")
14 | #else
15 | #pragma comment(lib, "pluginsdk/x32dbg.lib")
16 | #pragma comment(lib, "pluginsdk/x32bridge.lib")
17 | #endif //_WIN64
18 |
19 | using namespace Script; //Debug::, Memory::, Register::, Pattern::, Comment::, Gui:: below come from the pluginsdk scriptapi headers
20 |
21 | #define Cmd(x) DbgCmdExecDirect(x) //shorthand: execute an x64dbg command string through the bridge
22 |
23 | extern "C" __declspec(dllexport) void AsyncStart() //async because we are using debug features: Wait() below blocks until the user pauses, and Run()/StepIn() presumably block until the debuggee pauses again
24 | {
25 | Debug::Wait(); //wait until the user paused
26 | auto cip = Register::GetCIP(); //get CIP; the user is expected to have paused on the UPX entry point
27 | if (Memory::ReadByte(cip) == 0x60) //check for UPX signature: first stub byte 0x60 (presumably PUSHAD, so only 32-bit stubs match) — could be better but it's just an example
28 | {
29 | Cmd("bc"); //clear breakpoints so only ours can fire during Run()
30 | Cmd("bphwc"); //clear hardware breakpoints
31 | auto found = Pattern::FindMem(cip, 0x1000, "83 EC ?? E9"); //find OEP jump pattern within 0x1000 bytes of CIP; 0 if absent (a stub longer than that is not found)
32 | if (found) //check if the OEP jump was found
33 | {
34 | Debug::SetBreakpoint(found + 3); //set a breakpoint on the OEP jump (the E9 follows the 3-byte 83 EC xx). NOTE(review): never deleted afterwards (no Cmd("bc")), so it outlives the script
35 | Debug::Run(); //let UPX unpack; returns once the breakpoint pauses the debuggee
36 | Debug::StepIn(); //step the jump: CIP is now taken to be the OEP, without further validation
37 | Comment::Set(Register::GetCIP(), "OEP"); //comment on OEP
38 | Gui::Message("Reached OEP. Use Scylla to dump and restore imports!"); //give the user a message
39 | Cmd("scylla"); //run Scylla
40 | }
41 | else
42 | Gui::Message("Couldn't find OEP jump (83 EC ?? E9)..."); //fail with a message
43 | }
44 | else
45 | Gui::Message("Put EIP on a UPX entry point (0x60) to continue..."); //fail with a message
46 | }
47 |
--------------------------------------------------------------------------------
/UpxUnpacker.py:
--------------------------------------------------------------------------------
1 | from x64dbgpy.pluginsdk import *
2 | import sys
3 |
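4 | cip = register.GetCIP()  # current instruction pointer; the user must have paused on the UPX entry point
5 | if memory.ReadByte(cip) != 0x60:  # heuristic UPX check: first stub byte 0x60 (presumably PUSHAD, so 32-bit stubs only)
6 |     gui.Message("Start at UPX entry point (1:[CIP]==0x60)")
7 |     sys.exit(0)  # sys.exit rather than the exit() builtin: exit() comes from the site module and may be absent in an embedded interpreter
8 | # Clear existing software and hardware breakpoints so only ours can fire during Run().
9 | x64dbg.DbgCmdExecDirect("bc")
10 | x64dbg.DbgCmdExecDirect("bphwc")
11 | found = pattern.FindMem(cip, 0x1000, "83 EC ?? E9")  # scan 0x1000 bytes from CIP for "sub esp, imm8" followed by the E9 of the OEP jump; 0 when absent
12 | if found == 0:
13 |     gui.Message("Could not find pattern!")
14 |     sys.exit(0)
15 | # The E9 sits 3 bytes into the match (83 EC xx): break there, let the stub unpack, then step the jump.
16 | debug.SetBreakpoint(found + 3)
17 | debug.Run()  # presumably returns once the breakpoint pauses the debuggee
18 | debug.StepIn()  # NOTE(review): the breakpoint at found + 3 is never removed; it stays behind after the script ends
19 | # CIP is now taken to be the OEP; nothing below re-validates it.
20 | cip = register.GetCIP()
21 | comment.Set(cip, "OEP Found by Python!")
22 | gui.Message("Reached OEP. Use Scylla to dump and restore imports!")
23 | x64dbg.DbgCmdExec("scylla")  # DbgCmdExec here, unlike the DbgCmdExecDirect calls above — presumably deliberate, since Scylla opens its own window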
24 |
--------------------------------------------------------------------------------
/VMProtect 3.5 ThreadHideFromDebugger:
--------------------------------------------------------------------------------
1 | msg "VMP 3.5 x64 bypasser from Dark_Bull, bypass trick with ThreadHideFromDebugger"
2 | // Flow: breakpoint every "0F 05 68" (syscall followed by push) in the memory region containing CIP, run until the syscall number in RAX is 0xD, patch RDX, then clear the breakpoints and let the target continue.
3 | find mem.base(cip), "0F0568" //first match in the region that contains CIP, or 0
4 | // NOTE(review): mem.base(cip) limits the scan to one memory region, not the whole module.
5 | cmp $result, 0
6 | je error
7 | // One software breakpoint per match, continuing the search one byte past the previous hit.
8 | bp_loop:
9 | bp $result
10 | find $result + 1, "0F0568"
11 | cmp $result, 0
12 | jne bp_loop
13 | // NOTE(review): the loop below has no exit other than RAX == 0xD; if that value never shows up the script runs until the debuggee exits. 0xD is presumably the NtSetInformationThread number on the tested build — syscall numbers differ between Windows versions, so this check is brittle.
14 | rax_loop:
15 | erun //run (exceptions passed to the debuggee) until one of the breakpoints fires
16 | cmp RAX, 0xD //syscall number
17 | jne rax_loop
18 | d //show the disassembly at CIP
19 | msg "We find valid syscall"
20 | RDX = 0x9 //patch the register before the syscall executes; 0x9 is the author's chosen value, not explained on the page
21 | cmt cip, "ThreadHideFromDebugger"
22 | bpc //NOTE(review): deletes ALL software breakpoints, including any the user set before running the script
23 | run
24 | run
25 | run //three resumes; the tested target presumably pauses that many more times before reaching user code
26 | msg "Set breakpoint on OEP and run :)"
27 | ret
28 |
29 | error: //reached from line 6 when the first "0F0568" search fails
30 | msg "Couldn't find the pattern. Exactly VMP 3.5 x64 1213?"
31 | ret
32 |
33 |
--------------------------------------------------------------------------------
/VMProtect v3.x.x OEP Finder.txt:
--------------------------------------------------------------------------------
1 | //Tested on VMProtect v3.3.1
2 | //Always use an anti-anti-debug plugin (SharpOD, ScyllaHide, etc.)
3 |
4 | msg "VMProtect v3.x.x OEP Finder by Yildo & Mobile46"
5 | // Flow: break on the first GetCommandLineA call, return out of it, break after the next CALL, then run-till-return/step-over four more times and treat the resulting CIP as the OEP.
6 | //Clear or disable breakpoints
7 | //bpc
8 | //bphc
9 | //bpmc
10 | bpd //disable (not delete) software breakpoints
11 | bphd //disable hardware breakpoints
12 | bpmd //disable memory breakpoints
13 | // NOTE(review): the "bphc" at line 29 later deletes every hardware breakpoint, including the user's that line 11 only disabled; `bphc $result + 5` would remove just the one set at line 26.
14 | //Start
15 | bp GetCommandLineA //break on the first call into GetCommandLineA
16 | erun
17 | bc GetCommandLineA //remove it again
18 | // Climb back out of the call chain: run till return (exceptions passed), presumably twice given the argument, then step over.
19 | ertr 2
20 | sto
21 | // Next CALL (E8 rel32) from CIP, or 0; nothing checks that it really is the one preceding the OEP.
22 | find cip, "E8 ?? ?? ?? ??"
23 | cmp $result, 0
24 | je error
25 | // Hardware breakpoint on the instruction after that CALL (E8 + 4-byte displacement).
26 | bph $result + 5
27 |
28 | erun
29 | bphc //see the NOTE at line 13
30 | // Four ertr/sto iterations: $tmp takes 0..3; "cmp" runs before "inc", so the loop repeats while $tmp was below 3.
31 | mov $tmp, 0
32 | loop:
33 | ertr
34 | sto
35 |
36 | cmp $tmp, 3
37 | inc $tmp
38 | jb loop
39 |
40 | d //show the disassembly at CIP
41 | cmt cip, "OEP" //CIP is taken to be the OEP without further validation
42 | ret
43 |
44 | error: //reached from line 24 when no CALL is found after the returns
45 | msg "Couldn't find the pattern!"
46 | ret
--------------------------------------------------------------------------------
/kkrunchy.txt:
--------------------------------------------------------------------------------
1 | //////////////////////////////////////////////////
2 | // FileName : kkrunchy.txt
3 | // Comment : OEP Find For kkrunchy 023
4 | // Author : _pusher_
5 | // Date : 2015-12-13
6 | //////////////////////////////////////////////////
7 |
8 | //start
9 | msg "kkrunchy 023 OEP Finder"
10 | msg "make sure you're at the entry point of the program before you continue"
11 | pause //script stops here; resume it with CIP on the kkrunchy entry point
12 | // Flow: break on the stub's final "pop ebp / ret", step through it, then resolve the OEP from the following JE (0F 84 rel32) and run there.
13 | //clear breakpoints
14 | bc //delete software breakpoints
15 | bphwc //delete hardware breakpoints
16 | // $result is the match address, or 0 when the pattern is absent.
17 | //find ret code
18 | find cip,"4631C066AD50EBEB5DC3" //some pattern: 10 bytes ending in 5D C3 (pop ebp / ret)
19 | log "found: {0}", $result
20 | cmp $result,0
21 | je error1
22 | // Offset 8 is the 5D (pop ebp); the two steps execute pop ebp and ret.
23 | //go to OEP
24 | bp $result+8
25 | erun
26 | bc //delete the breakpoint before stepping
27 | sti
28 | sti
29 | // NOTE(review): "go to OEP" above is misleading — after the ret, CIP is wherever the stub returned to; the OEP is only computed below.
30 | //find OEP jump
31 | find cip,"3B75000F84" //some pattern: cmp esi,[ebp] followed by JE rel32
32 | log "found: {0}", $result
33 | cmp $result,0
34 | je error2
35 | // rel32 sits at offset 5 and the next instruction at offset 9, so target = $result + 9 + rel32 (written as 4 + $dw + 5). Presumably 32-bit only: a negative rel32 relies on 32-bit wrap-around.
36 | $dw = 4:[$result+5]
37 | $dest = $result+4 + $dw + 5
38 | log "OEP: {0}", $dest
39 | // Hardware breakpoint on the computed OEP, then run until it fires.
40 | bphws $dest
41 | erun //NOTE(review): the hardware breakpoint at $dest is not cleared afterwards (no bphwc); it stays set
42 |
43 | cmt cip,"OEP"
44 |
45 | //finish script
46 | ret
47 |
48 | error1: //reached from line 21 when the pop ebp / ret signature is absent
49 | msg "didn't find return code"
50 | ret
51 |
52 | error2: //reached from line 34 when the JE signature is absent
53 | msg "didn't find oep jump"
54 | ret
55 |
--------------------------------------------------------------------------------
/upx391.txt:
--------------------------------------------------------------------------------
1 | //start
2 | msg "upx (3.91) unpacker"
3 | msg "make sure you're at the entry point of the program before you continue"
4 | pause //script stops here; resume it with CIP on the UPX entry point
5 | // Flow: step the first instruction, put a hardware read breakpoint on the stack pointer, run until the stub reads it back, then break on the E9 to the OEP and step into it.
6 | //clear breakpoints
7 | bc //delete software breakpoints
8 | bphwc //delete hardware breakpoints
9 | // "ESP trick": after the first instruction (presumably the stub's PUSHAD) a read breakpoint on CSP fires when the saved registers are restored near the end of the stub.
10 | //script start
11 | step
12 | bphws csp,r //hardware breakpoint, read access, at the current stack pointer
13 | erun
14 | bphwc //remove it again
15 | // $result is the match address, or 0 when absent.
16 | //find oep jump
17 | find cip,"80E9" //some pattern: presumably the last byte of "sub esp,-80" (83 EC 80) followed by the E9 of the OEP jump — the UpxUnpacker.cpp example in this repository searches the wider "83 EC ?? E9"
18 | cmp $result,0
19 | je error
20 | // Offset 1 is the E9 itself; stepping into it lands on the OEP.
21 | //go to OEP
22 | bp $result+1
23 | erun
24 | bc //delete the breakpoint before stepping
25 | sti
26 | // Nothing annotates the OEP here; the other scripts in this repository add cmt cip,"OEP" at this point.
27 | //finish script
28 | ret
29 |
30 |
31 | error: //reached from line 19 when "80E9" is not found after the stack read fires
32 | msg "didn't find oep jump"
33 | ret
34 |
--------------------------------------------------------------------------------