/*
==========================================================
 ExeCryptor 2.0.x - 2.3.x OEP finder script by HAGGAR
==========================================================

Features:
 - Script bypasses all anti-debug tricks in ExeCryptor;
 - Script attempts to find the OEP of the protected file or,
   where the OEP code is stolen, the start address of STOLEN_OEP_CODE.

Instructions:
 1. You need an NT-based operating system;
 2. Configure OllyDbg in Debugging Options -> Events to
    "Make first pause at - System breakpoint";
 3. Ignore all exceptions, and add C000001E (INVALID LOCK SEQUENCE)
    to the custom exception list;
 4. Remove or disable all plugins whose purpose is to hide OllyDbg
    from protectors. ExeCryptor detects modified imports, and that
    is how most such plugins are detected;
 5. Now load the target in OllyDbg. Remove all breakpoints
    (hardware, memory, software). OllyDbg sets one bp on the OEP
    by default and ExeCryptor checks for it. Hit Alt+B to see
    whether that breakpoint is listed there. If it is, remove it;
 6. Now run this script.
==========================================================
*/

var bak_eip
var bak_1
var bak_2
var EP
var addr
var temp
var proc

log "------------------------------------------------------"
log "ExeCryptor 2.0.x - 2.3.x OEP finder script by HAGGAR"
log "------------------------------------------------------"

//---- Patch what can be patched ----
// Each API used by the protector as a debugger check is overwritten
// with a stub that returns immediately. Byte patterns are:
//   8BFF 55 33C0 5D C2xx00 = mov edi,edi / push ebp / xor eax,eax / pop ebp / ret xx (returns 0)
//   8BFF 55 5D C2xx00      = mov edi,edi / push ebp / pop ebp / ret xx (eax unchanged)
gpa FindWindowA,user32.dll
mov [$RESULT],#8BFF5533C05DC20800#   // return 0 (ret 8)
gpa OutputDebugStringA,kernel32.dll
mov [$RESULT],#8BFF5533C05DC20400#   // return 0 (ret 4)
gpa ReadProcessMemory,kernel32.dll
mov [$RESULT],#8BFF5533C05DC21400#   // return 0 (ret 14)
gpa CreateThread,kernel32.dll
mov [$RESULT],#8BFF555DC21800#       // return immediately (ret 18), no thread created
gpa CloseHandle,kernel32.dll
mov [$RESULT],#8BFF555DC20400#       // return immediately (ret 4), invalid-handle trick neutralised
gpa CheckRemoteDebuggerPresent,kernel32.dll
mov [$RESULT],#8BFF5533C05DC20800#   // return 0 (ret 8)
gpa KiRaiseUserExceptionDispatcher,ntdll.dll
mov [$RESULT],#C390909090#           // ret / nop nop nop nop

//---- Find block with process information (the PEB) ----
mov bak_eip,eip              // Backup current EIP (SYSTEM_BP).
mov bak_1,eip                // Backup original bytes at SYSTEM_BP (8 bytes, two dwords).
mov bak_2,bak_1
add bak_2,4
mov bak_1,[bak_1]
mov bak_2,[bak_2]
mov [eip],#5064A11800000058# // Little hack to obtain data block:
                             //   push eax / mov eax,fs:[18] / pop eax  -> TEB pointer in eax.
sti
sti
mov addr,eax                 // Take pointer (TEB).
sti
mov eip,bak_eip              // Restore original EIP.
mov [eip],bak_1              // Restore original bytes.
add eip,4
mov [eip],bak_2
sub eip,4
add addr,30                  // TEB+30 holds the PEB pointer.
mov addr,[addr]              // addr = PEB.

//---- Erase debug bits ----
mov temp,[addr]              // BeingDebugged: byte 2 of the first PEB dword.
and temp,0ff00ffff
mov [addr],temp
mov temp,addr                // HeapFlag: PEB+18 = ProcessHeap, heap+10 = flag dword
add temp,18                  // (ForceFlags on the XP-era 32-bit _HEAP layout).
mov temp,[temp]
add temp,10
mov [temp],0
mov temp,addr                // NtGlobalFlag: PEB+68.
add temp,68
mov [temp],0

//---- Erase EP bp that OllyDbg sets by default ----
mov temp,addr
add temp,8
mov temp,[temp]              // Module base (PEB+8 = ImageBaseAddress).
log ""
log "Module base of protected file is:"
log temp
add temp,3C
add temp,[temp]              // PE signature offset (base + e_lfanew).
sub temp,3C
add temp,28
mov temp,[temp]              // EP offset (AddressOfEntryPoint RVA).
add addr,8
add temp,[addr]              // Virtual offset (RVA + module base).
sub addr,8
log ""
log "EntryPoint of protected file is:"
log temp
bp temp                      // Set bp.
bc temp                      // Erase bp. That erases the default OllyDbg bp on EP.
ret

ERROR:
msg "ERROR! Error in my script (haggar)!"
ret