/*
Script written by VolX
purpose : This script will make Olly to break on the OEP of your target or on the first
command of the stolen code if it exist
Test Environment : OllyDbg 1.1
ODBGScript 1.47 under WINXP
Thanks : Oleh Yuschuk - author of OllyDbg
SHaG - author of OllyScript
Epsylon3 - author of ODbgScript
*/
//support Asprotect 1.32, 1.33, ,1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3
var tmp1
var tmp2
var imgbase
var 1stsecbase
var 1stsecsize
var dllimgbase
dbh //hide debugger
BPHWCALL //clear hardware breakpoint
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
log imgbase
mov tmp1, imgbase
add tmp1, 3C //40003C
mov tmp1, [tmp1]
add tmp1, imgbase //tmp1=signature VA
add tmp1, f8 //1st section
add tmp1, 8
mov 1stsecsize, [tmp1]
add tmp1, 4
mov 1stsecbase, [tmp1]
add 1stsecbase, imgbase
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc eip
rtr
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
log dllimgbase
find dllimgbase, #C6463401# //search "mov byte[esi+34], 1"
mov tmp2, $RESULT
cmp tmp2, 0
je error
find tmp2, #68????????68????????68#
mov tmp1, $RESULT
cmp tmp1, 0
je error
log tmp1
bp tmp1
eob lab1
eoe lab1
esto
lab1:
cmp eip, tmp1
je lab2
esto
lab2:
bc tmp1
find dllimgbase, #3130330D0A# //search ASCII"103"
mov tmp2, $RESULT
log tmp2
cmp tmp2, 0
je wrongver
find tmp2, #8D00C3# //search "lea eax,[eax]" "ret"
mov tmp1, $RESULT
log tmp1
cmp tmp1, 0
je wrongver
bphws tmp1, "x"
eob lab3
eoe lab3
esto
lab3:
cmp eip, tmp1
je lab4
esto
lab4:
bphwc tmp1
cob
coe
mov tmp1, [esp+8]
cmp tmp1, 0
log tmp1
jne lab5
mov tmp1, [esp+C]
cmp tmp1, 0
je lab6
jmp lab7
lab5:
mov tmp1, [esp+10]
cmp tmp1, 0
jne lab7
//No stolen code at the OEP
lab6:
bprm 1stsecbase, 1stsecsize
esto
bpmc
msg "OEP found, no stolen code at the OEP!"
jmp end
//There are stolen code at the OEP
lab7:
bp tmp1
esto
bc tmp1
msg "Stolen code start!"
jmp end
error:
msg "Error!"
pause
jmp end
wrongver:
msg "Unsupported Aspr version or it is not packed with Aspr?"
pause
jmp end
end:
ret
Ollydbg - Sabre-gold, Works with Themida and EXECryptor
需积分: 4 164 浏览量
2008-02-23
10:34:36
上传
评论
收藏 1.54MB RAR 举报
odbg110 Sabre-Gold.rar (49个子文件) 
odbg110 Sabre-Gold Plugin 
pedumper.dll 212KB HideDebugger.dll 9KB Cmdline.dll 72KB OllyDump.ini 64B ODbgScript.V1.64.By.Epsylon3.dll 264KB ustrref.dll 22KB Script-1.65.dll 268KB Loaddll.dll 4KB CmdBar.dll 64KB CmdBar.ini 37B advancedolly.dll 95KB IsDebug.dll 7KB HideOD.dll 52KB CleanupEx.dll 58KB loadsome.dll 40KB HideDebugger.ini 31B OllyDump.dll 79KB PhantOm.dll 88KB Asm2Clipboard.dll 44KB CleanupEx.ini 23B UDD OLLYDBG.HLP 289KB SABRE-G.ini 14KB
loaddll.exe 8KB BOOKMARK.DLL 55KB Script 
Asprotect 2.xx SKE OEP finder.txt 2KB ASProtect Asprotect.V2.X.UnpacKer.V1.0E.By.Volx.oSc 125KB Asprotect.V2.X.IATfixer.V2.2s.By.Volx.oSc 33KB Thinstall Thinstall.Virtualization.Suite.V3.0X.Single.Main.eXe.UnPacK.oSc 8KB Thinstall V2.73X.oSc 7KB Thinstall V2.5X.oSc 7KB Thinstall V2.7X.oSc 6KB Armadillo Armadillo V4.0-V4.4.DLL.oSc 6KB Armadillo V4.0-V4.42.CopyMem-II.DeCode.oSc 4KB Armadillo V4.0-V4.44.Standard.Protection.oSc 6KB Themida ThemidaScript.for.V1.9.10+.0.4.By.fxyang.oSc 5KB Themida & WinLicen.V1.1.X-1.8.X.By.a__p.oSc 2KB PEncrypt 4.0 OEP finder.OSC 686B ExeCryptor ExeCryptor.2.x.IAT.Rebuilder-PE_Kill.oSc 6KB EXECryptor_v2.x.x_F_ OEP.osc 8KB ExeCryptor.By.okdodo.oSc 5KB Execryptor 2.x IAT rebuilder by KaGra v1.1.oSc 2KB ExeCryptor Bypass AntiDBG OEP.oSc 1KB ExeCryptor 2.0.x-2.3.x OEP finder script by haggar.oSc 3KB NsPack V1.0-V3.5 OEP.txt 707B Execryptor_2xx_OEP_Finder.OSC 9KB OLLYDBG.GID 8KB SABRE-G.exe 1.36MB DBGHELP.DLL 475KB OLLYDBG.EXE 1.07MB
评论0
最新资源