
View Full Version : Post two script for new version ollyscript(oscv0.7


loveboom
April 13th, 2004, 05:05
Thanks, psycko. I am now posting two scripts. Enjoy!

My script for SVKP 1.3x can fix the stolen code if the target is a Delphi program.
/*
//////////////////////////////////////////////////
SVKP 1.3x -> Pavol Cerven stolen code Finder v0.1
Author: loveboom
Email : bmd2chen@tom.com
OS : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.7
Date : 2004-4-13
Config: Ignore all exceptions.hide your debug.
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
// Purpose (per the header above and the commands below): let the SVKP 1.3x
// stub run under OllyDbg, stop near the point where it hands control back to
// the program, and optionally re-create a Delphi-style entry prologue in front
// of EIP ("stolen code").
// Numeric literals are hexadecimal (58 = 0x58, b = 0xB).
// Side effect: the optional last stage assembles and writes bytes into the
// debugged process, so a later dump contains those bytes.
var addr
var espval // ESP as it was when the script started
var espval1
var esptmp
var cbase
var csize

// Base address and size of the code section of the module that contains EIP.
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
mov espval,esp

start:
// NOTE(review): the script does not show what ends this first run; presumably
// an event in the protector stub with "Ignore all exceptions" set -- confirm.
run

lbl1:
// Arm a memory breakpoint over the whole code section; the next break resumes
// the script at lbl2. esto runs the target while passing exceptions to it.
bprm cbase,csize
eob lbl2
esto

lbl2:
bpmc
// Sanity check: the dword at ESP+0x58 must equal the start-up ESP, otherwise
// the script aborts with the "not SVKP" message.
// NOTE(review): 0x58 is a fixed offset; presumably a saved-ESP slot specific
// to SVKP 1.3x -- verify against the target build.
mov espval1,esp
add espval1,58
cmp [espval1],espval
jne lblabort
// Hardware breakpoint on read of that slot; the next break resumes at lbl3.
eob lbl3
bphws espval1,"r"
run

lbl3:
// Resume once more with the hardware breakpoint still set, then remove it
// after the following stop.
run
bphwc espval1

lbl4:
// Single-step (sti) until EBP equals the start-up ESP minus 4.
// The target value is recomputed on every pass; it does not change.
mov esptmp,espval
sub esptmp,4
cmp esptmp,ebp
je lbl5
sti
jmp lbl4

lbl5:
cmt eip,"Now run trace,please waite!"
// Search forward from EIP for FF 64 24 FC = JMP DWORD PTR SS:[ESP-4];
// $RESULT is 0 when nothing is found.
find eip,#FF6424FC# // JMP DWORD PTR SS:[ESP-4]
cmp $RESULT,0
je lblabort
// Breakpoint on that jump, then trace into (ti) until it is reached.
eob lbl6
bp $RESULT
ti

lbl6:
bc $RESULT
// Step once, i.e. execute the JMP [ESP-4] the breakpoint stopped on.
sto
// msgyn leaves the answer in $RESULT; only the value 1 continues to the patch.
msgyn "Do you want fix stolen code(for Delphi only)?"
log $RESULT
cmp $RESULT,1
jne lblend
// Write an 11-byte (0xB) prologue that ends immediately before EIP:
//   55          push ebp
//   8B EC       mov ebp,esp
//   83 EC xx    sub esp,imm8   (xx taken from ebp - esp)
//   B8 imm32    mov eax,imm32  (imm32 = current EAX)
mov addr,eip
sub addr,b
asm addr,"push ebp"
add addr,1
asm addr,"mov ebp,esp"
add addr,2
mov [addr],#83EC#
mov esptmp,ebp
sub esptmp,esp
add addr,2
// NOTE(review): if this store is wider than one byte, the bytes after the
// first are overwritten by the B8/EAX stores below, so only the low byte of
// ebp-esp survives as the imm8. A frame larger than 0x7F would not be
// represented correctly -- verify the rebuilt bytes before dumping.
mov [addr],esptmp
add addr,1
mov [addr],#B8#
add addr,1
mov [addr],eax

lblend:
cmt eip,"Script finished!"
msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"
ret

lblabort:
// Reached when the ESP+0x58 check fails or the JMP [ESP-4] pattern is missing.
msg "Error,script abort.Maybe target is not protect by SVKP1.3x or your forgot Ignore all exceptions."
ret

/*
//////////////////////////////////////////////////
MoleBox 2.x.x Fix IAT+OEP Finder v0.1
Author:loveboom
Email : bmd2chen@tom.com
OS : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.7
Date : 2004-4-13
Config: N/A
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/

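// MoleBox 2.x.x "Fix IAT + OEP finder" v0.1 (per the header above).
// A bug-fixed v0.11 of this script is posted later in the same thread.
// Outline: break on LoadLibraryA, return to user code, locate a fixed call
// pattern, overwrite the called routine's first instruction with RET, then
// stop on a JMP EAX and step through it.
// Side effect: asm eip,"ret" patches the debugged process in memory.

start:
gpa "LoadLibraryA","kernel32.dll"
// gpa reports a failed lookup as 0; test it before using it so that no
// breakpoint is requested on address 0.
cmp $RESULT,0
je lblabort
bp $RESULT
run

lbl1:
bc $RESULT
// rtu = execute until control is back in user code.
rtu

lbl2:
// E8 DB 05 00 00 is a CALL with a fixed rel32 displacement, so this pattern
// is tied to one particular stub layout; $RESULT is 0 when it is absent.
find eip,#E8DB050000#
cmp $RESULT,0
je lblabort
// Run to the call, then step into it (sti); the script continues at lbl3.
go $RESULT
eob lbl3
sti

lbl3:
// Replace the first instruction of the routine just entered with RET so that
// it returns immediately.
// NOTE(review): presumably this is the routine that alters the import table,
// going by "Fix IAT" in the header -- confirm on the target.
asm eip,"ret"
// FF E0 = JMP EAX; break there.
find eip,#FFE0#
cmp $RESULT,0
je lblabort
eob lbl4
bp $RESULT
run

lbl4:
// Execute the JMP EAX; the script then reports EIP as the OEP.
// The breakpoint set at lbl3 is not cleared by this script.
sto

lblend:
cmt eip,"OEP found!please dumped it!"
msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"
ret

lblabort:
// Reached when LoadLibraryA cannot be resolved or a byte pattern is missing.
msg "Error,maybe target is not packed by MoleBox 2.x.x.Script abort!"
ret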

psyCK0
April 13th, 2004, 08:26
loveboom: as usually, your scripts are amazing! =)

loveboom
April 15th, 2004, 03:13
I think I am an unpacking fan (not a cracker). ^_^
I fixed a bug in my script for MoleBox 2.0, and I am posting a new script for PC-Guard v5.0.
/*
//////////////////////////////////////////////////
MoleBox 2.x.x fix IAT+OEP Finder v0.11
Author: loveboom
Email : bmd2chen@tom.com
OS : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.7
Date : 2004-3-29
Config: N/A
Note : Thank David!If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
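// MoleBox 2.x.x "fix IAT + OEP finder" v0.11 (per the header above).
// Same flow as the v0.1 script earlier in this thread, with a different
// search pattern for the call site.
// Side effect: asm eip,"ret" patches the debugged process in memory.
var addr

start:
gpa "LoadLibraryA","kernel32.dll"
// gpa reports a failed lookup as 0; test it before using it so that no
// breakpoint is requested on address 0.
cmp $RESULT,0
je lblabort
bp $RESULT
run

lbl1:
bc $RESULT
// rtu = execute until control is back in user code.
rtu

lbl2:
// 05 00 00 | 83 C4 08 | E9: the match minus 2 is where a 5-byte E8 call whose
// displacement ends in 05 00 00 would start, followed by ADD ESP,8 and a JMP.
// NOTE(review): this appears to be the same site as v0.1's #E8DB050000#
// without fixing the low displacement byte -- confirm on the target.
find eip,#05000083C408E9#
cmp $RESULT,0
je lblabort
mov addr,$RESULT
sub addr,2
// Run to that address, then step into it (sti); the script continues at lbl3.
go addr
eob lbl3
sti

lbl3:
// Replace the first instruction of the routine just entered with RET so that
// it returns immediately.
// NOTE(review): presumably this is the routine that alters the import table,
// going by "fix IAT" in the header -- confirm on the target.
asm eip,"ret"
// FF E0 = JMP EAX; break there.
find eip,#FFE0#
cmp $RESULT,0
je lblabort
eob lbl4
bp $RESULT
run

lbl4:
// Execute the JMP EAX; the script then reports EIP as the OEP.
// The breakpoint set at lbl3 is not cleared by this script.
sto

lblend:
cmt eip,"OEP found!please dumped it!"
msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"
ret

lblabort:
// Reached when LoadLibraryA cannot be resolved or a byte pattern is missing.
msg "Error,maybe target is not packed by MoleBox 2.x.x.Script abort!"
ret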
---------------------------------------
PC-GUARD V5.0

/*
//////////////////////////////////////////////////
PC-Guard v5.0 OEP Finder v0.1
Author: loveboom
Email : bmd2chen@tom.com
OS : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.7
Date : 2004-4-15
Config: Ignore all Exceptions,hide your OllyDbg.
Action: Fix import function,found target's OEP
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/

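// PC-Guard v5.0 OEP finder v0.1 (per the header above).
// Outline: break on LoadLibraryA, return to user code, NOP out one 2-byte
// store, watch the stack slot just below the entry-time ESP, then stop on the
// first access to the code section.
// Side effect: mov [addr],#9090# patches the debugged process in memory.
var espval // entry-time ESP minus 4
var cbase
var csize
var addr

// Remember the stack slot directly below the ESP seen at script start, and the
// base/size of the code section of the module that contains EIP.
mov espval,esp
sub espval,4
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
start:
gpa "LoadLibraryA","Kernel32.dll"
// gpa reports a failed lookup as 0; stop here instead of requesting a
// breakpoint on address 0 and running the target without a stop point.
cmp $RESULT,0
je lblabort
bp $RESULT
run

lbl1:
bc $RESULT
// rtu = execute until control is back in user code. The author's follow-up
// post in this thread says a second rtu is needed here on Windows XP.
rtu
// 89 18 = MOV [EAX],EBX. The pattern is only two bytes long, so the first
// match after EIP may not be the intended instruction -- check it in the
// disassembly before trusting the result.
find eip,#8918#
cmp $RESULT,0
je lblabort
mov addr,$RESULT
// Overwrite that store with two NOPs.
// NOTE(review): presumably this is the store that writes redirected import
// entries, going by "Fix import function" in the header -- confirm.
mov [addr],#9090#
eob lbl2
go addr

lbl2:
// Hardware breakpoint on read of the saved stack slot.
bphws espval,"r"
eob lbl3
run

lbl3:
bphwc espval
// Next stop, whether a breakpoint (eob) or an exception (eoe), continues at
// lbl4.
eob lbl4
eoe lbl4
// Memory breakpoint over the whole code section.
// NOTE(review): presumably it fires when execution first enters the section,
// which the script then reports as the OEP -- confirm in OllyDbg.
bprm cbase,csize
run

lbl4:
bpmc

lblend:
cmt eip,"OEP found,please dumped it and then use importrec Get import functions,cut a invliad function."
msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"
ret

lblabort:
// Reached when LoadLibraryA cannot be resolved or the 89 18 pattern is missing.
msg "Error,Script abort!Maybe target is not protect by PC-Guard v5.0."
ret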

loveboom
April 17th, 2004, 05:23
The script for PC-Guard v5.0 has a bug; the start of lbl1 should read:
// Corrected opening of lbl1 for the PC-Guard script posted earlier in this
// thread; the rest of that script is not repeated here.
lbl1:
bc $RESULT
rtu // location of the bug: the posted script had only this one rtu
rtu // added line; the author says it is needed when the system is Windows XP
find eip,#8918#

psyCK0
June 8th, 2004, 05:39
My god, Anonymous, you should really consider joining some kind of anti-Mensa - your IQ can't be higher than that of a mentally chalenged maggot. Have you ever heard about "board rules"? Then READ THEM BEFORE POSTING.
Let me rephraze a scene from Pulp Fiction:
psyCK0: Did you see a sign on this board saying "We crack on request"?
Anonymous: Duh...
psYCK0: I said, did you see a sign on this board saying "We crack on request"?
Anonymous: No...
psyCK0: Do you know why?
Anonymous: *looks stupid*
psyCK0: BECAUSE CRACKING ON REQUEST AIN'T OUR FUCKING BUSINESS!!!

Anonymous
July 2nd, 2004, 09:43
// Closing credit line used by each of the scripts above (msg shows the text to the user).
msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"