
Script for PESpin v0.7


hacnho
June 30th, 2004, 01:32
/*
/////////////////////////////////////////////////////////////////////////////////////////////
// PESpin v0.7 OEP finder
// Author: hacnho/VCT2k4
// Email : hacnho@hotmail.com
// Website: http://nhandan.info/hacnho
// OS : WinXP Pro, OllyDbg 1.10 Final, OllyScript v0.85
// You can download my unpackme at http://nhandan.info/hacnho/tuts/unpackme_PESpin_07.zip to test this script.
// Note: Does not work with Delphi (OllyDbg will crash when loading).
/////////////////////////////////////////////////////////////////////////////////////////////
*/
MSG "Do not clear memory breakpoint! Thanx for using my script!"
var temp
sti                          // step twice past the packer entry
sti
findop eip, #61E9#           // search forward from EIP for the bytes 61 E9 (POPAD followed by JMP)
bphws esp,"r"                // hardware breakpoint on read of the stack slot at ESP
mov temp,esp
run
eob Break1                   // when the breakpoint hits, continue at Break1

Break1:
run
esto                         // pass the packer's exceptions to the program
esto
esto
esto
eob Break2

Break2:
esto
esto
esto
esto
esto
eob exit

jmp exit
exit:
log eip                      // EIP is now just before the JMP to the OEP
cmt eip, "Script by hacnho/VCT2k4"
MSG "Please press Shift+F9 one time! When you trace to a jump (E9 XXXXXXXX), press Enter and you'll be on the OEP. Ctrl+A to analyse."
ret

loveboom
July 4th, 2004, 06:04
I have one, and I will post it.

Pansemuckl
July 5th, 2004, 06:49
Tried on PeSpin v0.7 -> endless loop
Check it yourself:

h**p://cyanid.de/rn/todo/simpleapi[pespin.v.0.7].zip

hacnho
July 6th, 2004, 20:06
Your packed file is simple for finding the OEP. Because I am busy now, I cannot write a script to find the OEP. But I can show the way to find the OEP.

- 1. In Olly Options, choose the SFX tab and check the radio button "Stop at entry of self-extractor"!

- 2. Load simpleapiP.exe into OllyDbg!

- 3. Press Shift+F9. A dialog will appear. Choose "No"!

- 4. Press F8 two times!

- 5. We now need to get to the address in the ESP register and set a hardware breakpoint.
Click on the Hex dump window, do Ctrl+G, type in the value from the ESP register and press Enter.
You will end up here. Highlight the first two values in the dump screen
(these values are from the EDI register and are how we will find the OEP),
right-click on the values and select Breakpoint -> Hardware, on Access -> Word.

- 6. Press F9 to run.

- 7. Press Shift+F9 7 times! You will be here:

00417088 - E9 53A0FEFF JMP simpleap.004010E0 ---> Jump to OEP...
0041708D A2 F94B8EE5 MOV BYTE PTR DS:[E58E4BF9],AL
00417092 26:37 AAA ; Superfluous prefix
00417094 20F9 AND CL,BH
00417096 54 PUSH ESP
00417097 6E OUTS DX,BYTE PTR ES:[EDI] ; I/O command
00417098 D4 5E AAM 5E
0041709A 21FC AND ESP,EDI
0041709C 90 NOP
0041709D 2F DAS
0041709E B4 F4 MOV AH,0F4
004170A0 C079 BC 83 SAR BYTE PTR DS:[ECX-44],83 ; Shift constant out of range 1..31
004170A4 3F AAS

- 8. Just press Enter! You will be on the OEP:

004010E0 /EB 10 JMP SHORT simpleap.004010F2
004010E2 |66:623A BOUND DI,DWORD PTR DS:[EDX]
004010E5 |43 INC EBX
004010E6 |2B2B SUB EBP,DWORD PTR DS:[EBX]
004010E8 |48 DEC EAX
004010E9 |4F DEC EDI
004010EA |4F DEC EDI
004010EB |4B DEC EBX
004010EC |90 NOP
004010ED -|E9 98A04000 JMP 0080B18A


PEiD detects: Borland C++ 1999

Regards

hacnho

Mario555
July 7th, 2004, 06:09
For PESpin.exe, simpleapi[pespin.v.0.7] and other progs with "jmp..."
-------------------------
var temp
var l
var wr_addr

// l = EIP with its low byte cleared; the patch offsets below are measured from here
mov l, eip
shr l, 8
shl l,8
eoe lab1
eob lab1
esto

lab1:
// keep stepping exceptions until the dword at EIP reads FFFFFFFF (OllyScript numbers are hex)
cmp [eip], FFFFFFFF
log [eip]
je lab2
esto

lab2:
// patch the PESpin v0.7 loader in memory; both offsets are specific to this packer version
mov wr_addr, l
add wr_addr, 99a
mov [wr_addr], #807FFF007413807FFFE975E766C747FFFF258957018902EB03890290595FC3#
// NOP out five bytes at base + 0F69
mov wr_addr, l
add wr_addr, 0f69
mov [wr_addr], #9090909090#
find l, #041FEBFB7C8304240CC3E861# // signature of "start Stolen code "
mov l, $RESULT
add l, 0c                    // breakpoint 0C bytes past the signature
log l
bp l
eob lab3
eoe lab3
esto

lab3:
// dword just before EIP == 0C C3 E8 61, the tail of the signature above: stub reached
mov temp, eip
sub temp,4
mov temp, [temp]
cmp temp, 61e8c30c
je loc_end
esto

loc_end:
bc l                         // clear the breakpoint before handing control back
msg "Stolen bytes here and you may set EP here "
ret
-------------------------

If the file uses PESpin_iat you must add in the dump a function to redirect and recombine Orig_iat onto PESpin_iat, and set the EP to the start of this function.
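As an added example (not code from either poster), the address arithmetic behind both posts above in Python: decoding the E9 rel32 jump that hacnho's step 7 stops on to obtain the OEP, checking the bytes at that OEP against the Borland C++ "fb:C++HOOK" entry tag that explains the PEiD result, and mirroring Mario555's find / add 0C signature search over a memory image. The byte values and addresses are the ones OllyDbg displayed in the thread; the image buffer and its base address used for the signature search are constructed for the demonstration.

```python
import struct

# Bytes copied from the OllyDbg listings in the thread.
PACKER_JMP_VA = 0x00417088                      # "E9 53A0FEFF  JMP simpleap.004010E0"
PACKER_JMP_BYTES = bytes.fromhex("E953A0FEFF")
OEP_VA = 0x004010E0                             # listing starting at "EB 10  JMP SHORT ..."
OEP_BYTES = bytes.fromhex("EB10" "66623A432B2B484F4F4B" "90" "E998A04000")

# Signature Mario555's script searches for (`find l, #041FEBFB7C8304240CC3E861#`).
STOLEN_CODE_SIG = bytes.fromhex("041FEBFB7C8304240CC3E861")


def jmp_rel32_target(va, code):
    """Decode an E9 rel32 near JMP located at virtual address `va`.

    The CPU computes target = VA of the next instruction (va + 5)
    + the signed 32-bit displacement that follows the opcode byte.
    """
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 JMP at 0x%08X" % va)
    disp = struct.unpack_from("<i", code, 1)[0]      # little-endian, signed
    return (va + 5 + disp) & 0xFFFFFFFF


def is_borland_cpp_entry(code):
    """Borland C++ entry stubs begin with `EB 10` followed by the ASCII tag
    'fb:C++HOOK'; OllyDbg disassembles those tag bytes as BOUND/INC/SUB/DEC."""
    return code[:2] == b"\xEB\x10" and code[2:12] == b"fb:C++HOOK"


def find_signature_va(image_base, image, sig, offset):
    """Mirror of OllyScript `find l, #sig#` / `mov l, $RESULT` / `add l, 0C`:
    return the VA `offset` bytes past the first occurrence of `sig`, or None."""
    idx = image.find(sig)
    if idx < 0:
        return None
    return image_base + idx + offset


def locate_stolen_code_bp(image_base, image):
    """Where Mario555's script places its breakpoint: signature + 0x0C."""
    return find_signature_va(image_base, image, STOLEN_CODE_SIG, 0x0C)


# Constructed memory image: INT3 filler with the signature embedded at +0x120.
# The base address and layout are made up for this example.
SAMPLE_BASE = 0x00417000
SAMPLE_IMAGE = b"\xCC" * 0x120 + STOLEN_CODE_SIG + b"\xCC" * 0x40


if __name__ == "__main__":
    oep = jmp_rel32_target(PACKER_JMP_VA, PACKER_JMP_BYTES)
    print("OEP via JMP at 0x%08X: 0x%08X" % (PACKER_JMP_VA, oep))
    print("Borland C++ entry stub at OEP:", is_borland_cpp_entry(OEP_BYTES))
    # The stub's own JMP at OEP+0x0D (004010ED) resolves to 0080B18A, as listed.
    print("stub JMP -> 0x%08X" % jmp_rel32_target(OEP_VA + 0x0D, OEP_BYTES[0x0D:]))
    print("stolen-code bp: 0x%08X" % locate_stolen_code_bp(SAMPLE_BASE, SAMPLE_IMAGE))
```

The entry-tag check is the quick sanity test for a recovered OEP: if the first bytes at the address OllyDbg lands on do not match a known compiler stub (or at least look like one), the jump was not the one into the original program and the dump taken there will not run.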