Procdump scripting...


crUsAdEr
March 14th, 2002, 16:58
Hi folks,

This time it is really a newbie and dumb post but maybe my brain is really damaged, been trying to write some Procdump scripts but they just don't work... the Procdump helpfile (what help file?? skimpy notes by GRom I mean) was really minimal... I have looked at demo scripts and tried to figure out what is going on but I am not sure about certain things.. so guess I'll post a question here...

Okie, here is a sample script
[Aspack108.3]
L1=OBJR ;set eip (aka OEP) as base??
L2=LOOK 6A,00,50 ;does it search for this pattern from the base set above forwards only? is the result the first found?
L3=JZ 5
L4=QUIT
L5=BP
L6=OBJR
L7=LOOK 50,C3
L8=ADD 1
L9=BP
LA=WALK ;Is it equivalent to F8 in sice??? Or F10?
LB=OBJR
LC=LOOK 50,C3
LD=ADD 1
LE=BP
LF=STEP

Also commands like
BPX 123 ;set breakpoint at 123h bytes from the current base? or is it eip???

Thanx a lot,

P.S.: Also is there any way of "debugging" the script to know what goes wrong? Thanx

esther
March 15th, 2002, 13:27
Heya binh81,

Eternal Bliss wrote a tute on unpacking pecompact using softice and procdump which shows you how to write the script.
See the attachment

crUsAdEr
March 15th, 2002, 14:44
Thanx esther,

A nice tutorial :>, though it doesn't answer my exact questions, it does show some insight into Procdump scripting... shall work further on it..

thanx

4oh4
March 15th, 2002, 20:31
I'm not sure if you already read this and it didn't help either but there's a procdump for dummies text which you can find on protools (right by the procdump dl link).

foxthree
March 15th, 2002, 21:18
Hi there binh81/others:

It is interesting to note that somebody else has also come up with the idea of studying the scripting technique of ProcDump. I believe ProcDump is one of the finest pieces of software ever written (apart from IceDUMP and RV of course). A brief look at the various options and scripting functionality is enough to conclude that this tool is way out of its times....

However, pls correct me if I'm wrong: ProcDump's tracer is easily detected by most packers' anti-tracing code and the app simply crashes or produces an invalid dump.

In such a case, what good is a scripting tool apart from, of course, learning purposes? Now, if icedump had such a scripting tool, that would be something.

Signed,
-- FoxThree

esther
March 16th, 2002, 17:39
heya binh81,
>L1=OBJR ;set eip (aka OEP) as base??

5) OBJR function.
This sets the base memory address at which scanning starts. Affects the LOOK command.

>L2=LOOK 6A,00,50 ;does it search for this pattern from the base set above forwards only? is the result the first found?

1) LOOK function.
The LOOK function scans for a hex string in the loader object. The address
where this block is found is stored so that u can set a breakpoint at this
location. Wildcard usage is allowed for a BYTE. The search result is handled
internally and u may use the conditional jmp to handle the result yourself.
Example:
- LOOK 0F,85 will search for a JNE long jump. You may want to set a
breakpoint via the BP command.
- LOOK EB,? will search for a short jump.

>LA=WALK ;Is it equivalent to F8 in sice??? Or F10?

4) WALK
Execute the next instruction and return control to ProcDump32


>Also commands like
>BPX 123 ;set breakpoint at 123h bytes from the current base? or is it eip???

3) BP function.
Set a breakpoint at the current memory location.

EB's explanation is quite clear about the commands in the script.

>Originally posted by foxthree
>Hi there binh81/others:

>It is interesting to note that somebody else has also come up with the idea of studying the scripting technique of ProcDump. I believe ProcDump is one of the finest pieces of software ever written (apart from IceDUMP and RV of course). A brief look at the various options and scripting functionality is enough to conclude that this tool is way out of its times....

Yeah maybe it's out of time as you said but it's convenient to those who are non-programmers and want to write a script for "generic unpackers"...

>However, pls correct me if I'm wrong: ProcDump's tracer is easily detected by most packers' anti-tracing code and the app simply crashes or produces an invalid dump.

>In such a case, what good is a scripting tool apart from, of course, learning purposes? Now, if icedump had such a scripting tool, that would be something.

Anti-debugging and anti-tracing are very "generic" in packers nowadays, even "anti"-icedump.

>Now, if icedump had such a scripting tool, that would be something.
of coz it is
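To make the LOOK / JZ / BP flow of the Aspack script in this thread concrete, here is an added Python emulator (not ProcDump's own code, written for this thread) that runs the static part of crUsAdEr's script over a constructed byte image. The OBJR, LOOK, JZ, ADD and BP semantics are assumptions taken from esther's reading of EB's notes (JZ is assumed to jump when the preceding LOOK found its pattern, which is the only reading that makes the LOOK / JZ / QUIT sequence sensible), and WALK / STEP are only logged because nothing is executed.

```python
import re

# Assumed ProcDump script semantics (from esther's post): OBJR resets the scan
# position to the object base, LOOK moves to the first match of a hex pattern
# ("?" = any byte), JZ n jumps to line Ln if that LOOK hit, ADD n advances the
# position, BP records a breakpoint there, WALK/STEP are only logged here.
LINE_RE = re.compile(r"^L([0-9A-F]+)=(\w+)\s*([^;]*)", re.IGNORECASE)

def parse_script(text):  # hex line label -> (COMMAND, argument); ';' comments dropped
    script = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            script[int(m.group(1), 16)] = (m.group(2).upper(), m.group(3).strip())
    return script

def look(obj, base, pattern):  # first offset >= base matching the pattern, else None
    pat = [None if p.strip() == "?" else int(p, 16) for p in pattern.split(",")]
    for off in range(base, len(obj) - len(pat) + 1):
        if all(p is None or obj[off + i] == p for i, p in enumerate(pat)):
            return off
    return None

def run_script(script, obj):  # run over a loader-object image -> (breakpoints, log)
    pc, pos, found, bps, log = min(script), 0, False, [], []
    while pc in script:
        cmd, arg = script[pc]
        nxt = pc + 1
        if cmd == "OBJR":
            pos = 0
        elif cmd == "LOOK":
            hit = look(obj, pos, arg)              # None when the pattern is absent
            found, pos = hit is not None, (pos if hit is None else hit)
        elif cmd == "JZ" and found:                # taken only after a LOOK hit
            nxt = int(arg, 16)
        elif cmd == "ADD":
            pos += int(arg, 16)
        elif cmd == "BP":
            bps.append(pos)
        elif cmd == "QUIT":
            log.append("quit")
            break
        elif cmd in ("WALK", "STEP"):
            log.append(cmd.lower())
        pc = nxt
    return bps, log

# First ten lines of the Aspack script above, plus a constructed image with
# 'push 0; push eax' (6A 00 50) at offset 4 and 'push eax; ret' (50 C3) at 0x10.
SAMPLE_SCRIPT = "[Aspack108.3]\nL1=OBJR\nL2=LOOK 6A,00,50 ;push 0 / push eax\n" \
    "L3=JZ 5\nL4=QUIT\nL5=BP\nL6=OBJR\nL7=LOOK 50,C3\nL8=ADD 1\nL9=BP\nLA=WALK\n"
OBJ = bytes([0x90] * 4 + [0x6A, 0x00, 0x50] + [0x90] * 9 + [0x50, 0xC3] + [0x90] * 4)
```

Running `run_script(parse_script(SAMPLE_SCRIPT), OBJ)` yields breakpoints at offsets 4 and 17 (the `push 0` and the `ret`), and an image without the first pattern takes the QUIT branch instead.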