forked from x64dbg/Scripts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
MPRESS X.XX OEP FINDER
118 lines (108 loc) · 3.04 KB
/
MPRESS X.XX OEP FINDER
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
///////////////////////////////////////////
// //
// MPRESS X.XX OEP FINDER //
// //
// supports EXEs & DLLs in x64 & x32 //
// //
///////////////////////////////////////////
// Prepared by: Blitzkrieg
// Date : 3rd July 2020
// Tested on :
//
// Release | Target
// -----------------------------
// | 64bit | 32bit
// -----------------------------
// 1.27 | EXE | EXE
// 2.18 | EXE/DLL | EXE/DLL
// 2.19 | EXE/DLL | EXE/DLL
///////////////////////////////////////////
// Notes:
// - use "dbclear" command manually when
// script keeps throwing errors, then
// reload target into x64dbg. Don't use
// it when starting-up x64dbg or it will
// delete your Entry Point Breakpoint
// causing more problems!
// - this script makes use of labels
// instead of conventional comments,
// that's because labels won't interfere
// with your comments. Also labelclear
// won't delete your personal comments.
///////////////////////////////////////////
call StartAtEntryPoint
call DisableBreakpoints
//Finding a long unconditional jump
mov $address,cip
Negative:
find $address+1,"E9"
mov $address,$result
cmp mem.base(cip),dis.imm(dis.imm($address)) //test for jump pointing to an address above base of memory page
jb Negative
cmp mod.base(cip),dis.imm(dis.imm($address)) //test for jump pointing to an address below base address of module
ja Negative
bp $address
lbl $address,"First Pattern"
log "First Pattern found at: {0}",$address
erun
bc cip
sti 2
//Finding a long unconditional jump
mov $address,cip
Negative2:
find $address+1,"E9"
mov $address,$result
cmp mem.base(cip),dis.imm($address) //test for jump pointing to an address below base of the memory page
ja Negative2
cmp cip,dis.imm($address) //test for jump pointing to an address above cip
jb Negative2
bp $address
lbl $address,"Second Pattern"
log "Second Pattern found at: {0}",$address
erun
bc cip
sti
//Halting at OEP
lbl cip,"OEP Found :)"
log "OEP for MPRESS found at: {0}",cip
guiupdateenable
//call TimeToDump
ret
///////////////////////////////////////////
// Tools
// Prepared by: Blitzkrieg
///////////////////////////////////////////
//Makes sure that you start at the Entry Point automatically
StartAtEntryPoint:
config Events,EntryBreakpoint,1
NotYetInsideUserModule:
cmp 0,mod.party(cip)
je AlreadyInsideUserModule
erun
jmp NotYetInsideUserModule
AlreadyInsideUserModule:
cmp cip,mod.entry(cip)
je AtUserModuleEntryPoint
erun
jmp NotYetInsideUserModule
AtUserModuleEntryPoint:
ret
//Disables all kinds of breakpoints
DisableBreakpoints:
bd //use dbclear manually when error thrown here
bphd
bpmd
bpddll
DisableExceptionBPX
labelclear (small addition for preventing label collusions)\
EnableLog
//guiupdatedisable (for faster script execution)
ret
//Calls a confirmation window for dumping target in Scylla
TimeToDump:
msgyn "Successfully found OEP! Wanna use Scylla to dump the target?"
cmp 0,$result
je noscylla
scylla
noscylla:
ret