
#961
Ingeniería Inversa / Re: duda con VirtualAlloc
1 Septiembre 2011, 20:30 PM
emm mira un poco:
http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/1301-1400/1374-complemento%20introduccion_41_coderedirection%20pelock%20by%20Apuromafo.pdf.7zo

Se renombra a .7z. Yo, por ejemplo, usé OllyScript; míralo un poco, aunque está algo hardcodeado porque ya había aprendido un poco.
#962
Ingeniería Inversa / Re: duda con ollyscript
1 Septiembre 2011, 20:22 PM
var x
var y
var temp

// operands (ODbgScript numeric literals are hexadecimal)
mov x,9
mov y,1

// temp = x + y
mov temp,x
add temp,y

// format " {x}+{y} = {temp}" into $RESULT and show it in a message box
eval  " {x}+{y} = {temp}"
msg $RESULT
ret


un ejemplo importante: PE Header & File Information Script 1.0

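////////////////////////Château-Saint-Martin/////////////////////////////////////////////////
//
//  FileName    :  PE Header & File Information Script 1.0
//  Features    :
//                 Use this script to get all the information you need
//                 about the target loaded in OllyDbg in one view.
//                 Just open the Olly Log window when it finishes.
//
//                  ***************************************************
//               ( 1.) Get All APIs & Modules                         *
//                                                                    *
//               ( 2.) Programming-language Scanner                   *
//                                                                    *
//               ( 3.) Compiler Appendix Examples                     *
//                  ***************************************************
//  Environment :  WinXP, OllyDbg V1.10, OllyScript v1.76.3
//
//  Author      :  LCF-AT
//  Date        :  2009-23-11 | November
//
//  Reading notes (ODbgScript conventions used throughout):
//   - numeric literals are hexadecimal unless suffixed with "." (see
//     "itoa X, 10." below), so the PE offsets in this file are hex
//   - variables are declared in VARS, are script-global and start at 0,
//     so "add X, Y" on a fresh variable is the same as "mov X, Y"
//   - "mov X, [addr], 01" reads a single byte; $RESULT holds the
//     result of the last command
//   - offsets assume a PE32 image (section headers at NT+0F8), which is
//     what 32-bit OllyDbg loads
//   - the script writes into the debuggee: it allocs/frees a scratch
//     block and temporarily moves EIP (restored before the report)
//
///////////////IF YOU WANT TO SAVE, THEN YOU MUST SAVE!////////////////////
// --- entry: clear breakpoints, declare variables, clear the log ----------
BC
BPMC
BPHWC
call VARS
pause
LC
////////////////////
// --- build the OllyDbg module name out of the process name ---------------
// The process name is copied into a scratch buffer inside the debuggee,
// ' ' and '.' are rewritten to '_' in place, and the first 8 characters
// are read back: that is the name GMA expects for the module lookup.
GPI PROCESSID
mov PROCESSID, $RESULT
GPI PROCESSNAME
mov PROCESSNAME, $RESULT
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT
mov PROCESSNAME_FREE_SPACE_2, $RESULT          // buffer start; _FREE_SPACE is advanced by the loop
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE                // presumably so the write below targets the new block — TODO confirm; restored in PROCESSNAME_CHECK_02
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
////////////////////
PROCESSNAME_CHECK:
// walk the copied name up to its terminating 0 byte
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02
cmp [PROCESSNAME_FREE_SPACE],#20#, 01          // ' '
je PROCESSNAME_CHECK_01
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01          // '.'
je PROCESSNAME_CHECK_01
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_01:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01         // overwrite with '_'
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_02:
readstr [PROCESSNAME_FREE_SPACE_2], 08         // first 8 chars = module name
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
free PROCESSNAME_FREE_SPACE
/////
GMA PROCESSNAME, MODULEBASE
cmp $RESULT, 0
jne MODULEBASE
// NOTE(review): the module lookup failed here; after the two pauses the
// script still falls into MODULEBASE with $RESULT = 0 instead of stopping
pause
pause
////////////////////
MODULEBASE:
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT
GPI CURRENTDIR
mov CURRENTDIR, $RESULT
////////////////////
// CODESECTION = module base + size of the memory block that holds the
// header, i.e. the script assumes the first section follows it directly
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT
add CODESECTION, MODULEBASE
add CODESECTION, PE_HEADER_SIZE
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE
add MODULEBASE_and_MODULESIZE, MODULESIZE
////////////////////
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
// e_lfanew is the dword at DOS header + 3C: PE_SIGNATURE is the address
// of that field, PE_SIZE its value and PE_INFO_START the IMAGE_NT_HEADERS
add PE_HEADER, 03C
mov PE_SIGNATURE, PE_HEADER
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE]
add PE_INFO_START, PE_HEADER
add PE_INFO_START, PE_SIZE
////////////////////
mov PE_TEMP, PE_INFO_START
////////////////////
// --- IMAGE_NT_HEADERS fields, PE32 offsets from the "PE\0\0" signature ---
////////////////////
mov SECTIONS, [PE_TEMP+06], 01                 // FileHeader.NumberOfSections
itoa SECTIONS, 10.                             // render it in decimal
mov SECTIONS, $RESULT
mov ENTRYPOINT, [PE_TEMP+028]                  // OptionalHeader.AddressOfEntryPoint
mov BASE_OF_CODE, [PE_TEMP+02C]                // OptionalHeader.BaseOfCode
mov IMAGEBASE, [PE_TEMP+034]                   // OptionalHeader.ImageBase
mov SIZE_OF_IMAGE, [PE_TEMP+050]               // OptionalHeader.SizeOfImage
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]           // DataDirectory[TLS] RVA
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]              // DataDirectory[TLS] size
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]        // DataDirectory[IMPORT] RVA
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]           // DataDirectory[IMPORT] size
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]        // DataDirectory[IAT] RVA
mov IATSTORE, [PE_TEMP+0D8]
cmp IATSTORE, 0
jne NEXT_C
////////////////////
// --- no IAT directory: locate the IAT through the first import
// descriptor's FirstThunk (+10 inside IMAGE_IMPORT_DESCRIPTOR)
NEXT_B:
mov IATSTORE_SECTION, "IAT NOT PRESENT"
mov IATSTORE, [PE_TEMP+080]
add IATSTORE, IMAGEBASE
add IATSTORE, 10
mov IATSTORE, [IATSTORE]
add IATSTORE, IMAGEBASE
gmemi IATSTORE, MEMORYBASE
mov IATSTORE, $RESULT
sub IATSTORE, IMAGEBASE                        // RVA of the memory block holding the thunks
mov IATSTORE_2, PE_TEMP+104                    // VirtualAddress of the first section header (0F8 + 0C)
////////////////////
A1:
// NOTE(review): unbounded scan over the section headers (028 bytes each);
// it never terminates when no section VirtualAddress equals IATSTORE
cmp IATSTORE, [IATSTORE_2]
je NEXT_1
add IATSTORE_2, 028
jmp A1
////////////////////
// --- IAT directory present: find the section whose VirtualAddress is
// the base of the memory block containing the IAT (same unbounded scan)
NEXT_C:
add IATSTORE, IMAGEBASE
gmemi IATSTORE, MEMORYBASE
mov IATSTORE, $RESULT
sub IATSTORE, IMAGEBASE
mov IATSTORE_2, PE_TEMP+104
////////////////////
A:
cmp IATSTORE, [IATSTORE_2]
je NEXT_1
add IATSTORE_2, 028
jmp A
////////////////////
NEXT_1:
// step back from VirtualAddress to the 8-byte section Name and read it
sub IATSTORE_2, 0C
readstr [IATSTORE_2], 08
mov IATSTORE_SECTION, $RESULT
buf IATSTORE_SECTION
mov IATSTORE_SECTION, IATSTORE_SECTION
str IATSTORE_SECTION
mov IATSTORE_SECTION, IATSTORE_SECTION
////////////////////
NEXT:
mov IMPORT_ADDRESS_SIZE, [PE_TEMP+0DC]         // DataDirectory[IAT] size
mov SECTION_01, PE_TEMP+0F8                    // first IMAGE_SECTION_HEADER (PE32)
readstr [SECTION_01], 08
mov SECTION_01_NAME, $RESULT
buf SECTION_01_NAME
mov SECTION_01_NAME, SECTION_01_NAME
str SECTION_01_NAME
mov SECTION_01_NAME, SECTION_01_NAME
GPI PROCESSNAME                                // restore the real, un-mangled process name
mov PROCESSNAME, $RESULT
mov MAJORLINKERVERSION, [PE_TEMP+01A], 01      // OptionalHeader.MajorLinkerVersion
mov MINORLINKERVERSION, [PE_TEMP+01B], 01      // OptionalHeader.MinorLinkerVersion
call PROGRAMLANGUAGE_COMPLIER
////////////////////
// --- report: one "NAME | value" line per field -------------------------
log "--------------------------------------------"
log "| LCF-AT       INFO  • START   gRn & SnD  |"   // one log line (the forum had wrapped it)
log "--------------------------------------------"
eval "CURRENTDIR           |  {CURRENTDIR}"
log $RESULT,""
eval "PROCESSID            |  {PROCESSID}"
log $RESULT,""
eval "PROCESSNAME          |  {PROCESSNAME}"
log $RESULT,""
eval "PE_HEADER            |  {PE_HEADER}"
log $RESULT,""
eval "CODESECTION          |  {CODESECTION}"
log $RESULT,""
eval "CODESECTION_SIZE     |  {CODESECTION_SIZE}"
log $RESULT,""
log " "
eval "PE_SIGNATURE         |  {PE_SIGNATURE}"
log $RESULT,""
eval "PE_INFO_START        |  {PE_INFO_START}"
log $RESULT,""
eval "SECTIONS             |  {SECTIONS}"
log $RESULT,""
eval "ENTRYPOINT           |  {ENTRYPOINT}"
log $RESULT,""
eval "BASE_OF_CODE         |  {BASE_OF_CODE}"
log $RESULT,""
eval "IMAGEBASE            |  {IMAGEBASE}"
log $RESULT,""
eval "SIZE_OF_IMAGE        |  {SIZE_OF_IMAGE}"
log $RESULT,""
eval "TLS_TABLE_ADDRESS    |  {TLS_TABLE_ADDRESS}"
log $RESULT,""
eval "TLS_TABLE_SIZE       |  {TLS_TABLE_SIZE}"
log $RESULT,""
eval "IMPORT_TABLE_ADDRESS |  {IMPORT_TABLE_ADDRESS}"
log $RESULT,""
eval "IMPORT_TABLE_SIZE    |  {IMPORT_TABLE_SIZE}"
log $RESULT,""
eval "IMPORT_ADDRESS_TABLE |  {IMPORT_ADDRESS_TABLE}"
log $RESULT,""
eval "IMPORT_ADDRESS_SIZE  |  {IMPORT_ADDRESS_SIZE}"
log $RESULT,""
eval "SECTION_01           |  {SECTION_01}"
log $RESULT,""
eval "SECTION_01_NAME      |  {SECTION_01_NAME}"
log $RESULT,""
eval "IATSTORE_SECTION IS  |  {IATSTORE_SECTION}"
log $RESULT,""
log " "
eval "MAJORLINKERVERSION   |  {MAJORLINKERVERSION}"
log $RESULT,""
eval "MINORLINKERVERSION   |  {MINORLINKERVERSION}"
log $RESULT,""
eval "PROGRAMLANGUAGE      |  {PROGRAMLANGUAGE}"
log $RESULT,""
log " "
// import listing and the sample OEP prologue for the detected linker
call IATREAD
call OEPROUTINE
////////////////////
eval "PE Header & File Information Script 1.0 \r\n****************************************************** \r\nScript finished & written \r\nby \r\n\r\nLCF-AT"
msg $RESULT
log ""
log "PE Header & File Information Script 1.0"
log "******************************************************"
log "Script finished & written"
log "by"
log ""
log "LCF-AT"
pause
ret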
    ////////////////////
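    ////////////////////
    // VARS: declare every script variable (ODbgScript variables are global
    // and start at 0).  PE_TEMP and CODESECTION_SIZE are assigned by the
    // main body but were never declared; they are declared here for
    // interpreter builds that require it.  IAT_BEGIN is declared but not
    // used (the code uses IATBEGIN).
    VARS:
    // process / module
    var PROCESSID
    var PROCESSNAME
    var PROCESSNAME_COUNT
    var PROCESSNAME_FREE_SPACE
    var PROCESSNAME_FREE_SPACE_2
    var EIP_STORE
    var CURRENTDIR
    var MODULEBASE
    var MODULESIZE
    var MODULEBASE_and_MODULESIZE
    // PE header locations
    var PE_HEADER
    var PE_HEADER_SIZE
    var PE_SIGNATURE
    var PE_SIZE
    var PE_INFO_START
    var PE_TEMP
    var CODESECTION
    var CODESECTION_SIZE
    // optional-header fields
    var SECTIONS
    var ENTRYPOINT
    var BASE_OF_CODE
    var IMAGEBASE
    var SIZE_OF_IMAGE
    var TLS_TABLE_ADDRESS
    var TLS_TABLE_SIZE
    var MAJORLINKERVERSION
    var MINORLINKERVERSION
    var PROGRAMLANGUAGE
    // section headers
    var SECTION_01
    var SECTION_01_NAME
    var IATSTORE_SECTION
    var IATSTORE
    var IATSTORE_2
    // import directory / IAT walk
    var IMPORT_TABLE_ADDRESS
    var IMPORT_TABLE_ADDRESS_END
    var IMPORT_TABLE_ADDRESS_CALC
    var IMPORT_TABLE_SIZE
    var IMPORT_ADDRESS_TABLE
    var IMPORT_ADDRESS_TABLE_END
    var IMPORT_ADDRESS_SIZE
    var IAT_BEGIN
    var IATBEGIN
    var IATEND
    var IAT_SIZE
    var IAT_SIZE_GROSS
    var API_IN
    var API_NAME
    var MODULE
    var IMPORT_FUNCTIONS
    var TEMPER
    var TEMPER_2
    var TAFER

    ret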
    ////////////////////
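    ////////////////////
    // PROGRAMLANGUAGE_COMPLIER: guess the compiler from the linker-version
    // bytes read from the optional header and leave the text in
    // PROGRAMLANGUAGE.  All literals are hexadecimal, so the minor versions
    // 19/32/37/38 compared below are 25/50/55/56 in decimal — which is what
    // the "{MAJORLINKERVERSION}.xx" texts spell out.
    PROGRAMLANGUAGE_COMPLIER:
    cmp MAJORLINKERVERSION, 07
    je MICRO
    ja MICRO
    cmp MAJORLINKERVERSION, 06
    je VB_OR_MICRO
    cmp MAJORLINKERVERSION, 05
    je MICRO_OR_TASM_MASM
    cmp MAJORLINKERVERSION, 04
    je MICRO
    cmp MAJORLINKERVERSION, 03
    je MICRO
    cmp MAJORLINKERVERSION, 02
    jne PACK
    // major version 2: tell the old linkers apart by the minor version
    cmp MINORLINKERVERSION, 19
    je BORLAND_DELPHI
    cmp MINORLINKERVERSION, 32
    je MICRO_OLD_A
    cmp MINORLINKERVERSION, 37
    je MICRO_OLD_B
    cmp MINORLINKERVERSION, 38
    je MingWin32_special_apuromafo

    cmp MINORLINKERVERSION, 02
    je BORLAND_DELPHI
    // unknown 2.x minor: the author's debug stops, then reported as packed
    pause
    pause
    ////////////////////
    PACK:
    call PACKED
    ret
    ////////////////////
    MICRO:
    eval "Microsoft Visual C++ {MAJORLINKERVERSION}"
    mov PROGRAMLANGUAGE, $RESULT
    ret
    ////////////////////
    VB_OR_MICRO:
    eval "Microsoft Visual Basic {MAJORLINKERVERSION} or Microsoft Visual C++ {MAJORLINKERVERSION}"
    mov PROGRAMLANGUAGE, $RESULT
    ret
    ////////////////////
    MICRO_OR_TASM_MASM:
    eval "Microsoft Visual C++ {MAJORLINKERVERSION} or MASM32 / TASM32 {MAJORLINKERVERSION}"
    mov PROGRAMLANGUAGE, $RESULT
    ret
    ////////////////////
    // label renamed from "Borland Delphi": a label containing a space is not
    // reliably parsed as one token
    BORLAND_DELPHI:
    eval "Borland Delphi {MAJORLINKERVERSION}.25"
    mov PROGRAMLANGUAGE, $RESULT
    ret
    ////////////////////
    MICRO_OLD_A:
    eval "Microsoft Visual C++ {MAJORLINKERVERSION}.50"
    mov PROGRAMLANGUAGE, $RESULT
    ret
    ////////////////////
    MICRO_OLD_B:
    eval "Microsoft Visual C++ {MAJORLINKERVERSION}.55"
    mov PROGRAMLANGUAGE, $RESULT
    ret
    ////////////////////
    // minor 38 hex = 56 decimal, so the text says .56 (was .55, copied
    // from MICRO_OLD_B)
    MingWin32_special_apuromafo:
    eval " C++  by MingWin32 Dev C++  // {MAJORLINKERVERSION}.56"
    mov PROGRAMLANGUAGE, $RESULT
    ret
    ////////////////////
    PACKED:
    mov PROGRAMLANGUAGE, "NO PROGRAMM LANGUAGE FOUND! APP IS MAYBE MANIPULATED"
    ret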
    ////////////////////
    ////////////////////
    // OEPROUTINE: write a textbook OEP (original entry point) prologue for
    // the linker version found in the header to the log, as a visual aid
    // when hunting for the OEP after unpacking.  Reads MAJORLINKERVERSION
    // only; every effect is a log line.  Literals are hexadecimal, so 09/08
    // are Visual C++ 9/8 linkers; the "53" case (0x53) has no matching
    // branch in PROGRAMLANGUAGE_COMPLIER and looks like a stray value.
    // Versions with no case here (04, 0A and above) hit the two pauses and
    // then fall through into MICRO_3.
    OEPROUTINE:
    cmp MAJORLINKERVERSION, 09
    je MICRO_09
    cmp MAJORLINKERVERSION, 08
    je MICRO_09
    cmp MAJORLINKERVERSION, 07
    je MICRO_07
    cmp MAJORLINKERVERSION, 06
    je MICRO_VB
    cmp MAJORLINKERVERSION, 05
    je MICRO_TASM
    cmp MAJORLINKERVERSION, 53
    je MICRO_SHORT
    cmp MAJORLINKERVERSION, 02
    je BORLAND_MICRO
    cmp MAJORLINKERVERSION, 03
    je MICRO_3
    pause
    pause
    ////////////////////
    // linker 3 (and the fall-through default): two classic MSVC prologues
    MICRO_3:
    log "----------------------------------------------"
    log "| OEP_ROUTINE_LOOK_EXSAMPLE_FOR_EXE_FILES:   |"
    log "----------------------------------------------"
    log "MOV EAX,DWORD PTR FS:[0]"
    log "PUSH EBP"
    log "MOV EBP,ESP"
    log "PUSH -1"
    log "PUSH 4C84218"
    log "PUSH 4C82BC4"
    log "PUSH EAX"
    log "MOV DWORD PTR FS:[0],ESP"
    log "SUB ESP,60"
    log "PUSH EBX"
    log "PUSH ESI"
    log "PUSH EDI"
    log "MOV DWORD PTR SS:[EBP-18],ESP"
    log "CALL DWORD PTR DS:[4C84094]     ; kernel32.GetVersion"
    log ""
    log "OR"
    log ""
    log "PUSH EBP"
    log "MOV EBP,ESP"
    log "SUB ESP,44"
    log "PUSH ESI"
    log "CALL DWORD PTR DS:[40D0B8]      ; kernel32.GetCommandLineA"
    log "MOV ESI,EAX"
    log "MOV AL,BYTE PTR DS:[EAX]"
    log "CMP AL,22"
    log "JNZ SHORT 004010F4"
    log "INC ESI"
    log "MOV AL,BYTE PTR DS:[ESI]"
    log "TEST AL,AL"
    log "JE SHORT 004010EC"
    log "CMP AL,22"
    log "JNZ SHORT 004010E1"
    log "CMP BYTE PTR DS:[ESI],22"
    log "JNZ SHORT 004010FE"
    log "INC ESI"
    log "JMP SHORT 004010FE"
    log "CMP AL,20"
    log "JLE SHORT 004010FE"
    log "INC ESI"
    log "CMP BYTE PTR DS:[ESI],20"
    log "JG SHORT 004010F8"
    log "CMP BYTE PTR DS:[ESI],0"
    log "JE SHORT 0040110E"
    log "CMP BYTE PTR DS:[ESI],20"
    log "JG SHORT 0040110E"
    log "INC ESI"
    log "CMP BYTE PTR DS:[ESI],0"
    log "JNZ SHORT 00401103"
    log "MOV DWORD PTR SS:[EBP-18],0"
    log "LEA ECX,DWORD PTR SS:[EBP-44]"
    log "PUSH ECX"
    log "CALL DWORD PTR DS:[40D0BC]      ; kernel32.GetStartupInfoA"
    log "TEST BYTE PTR SS:[EBP-18],1"
    log "MOV EAX,0A"
    log "JE SHORT 0040112E"
    log "MOVZX EAX,WORD PTR SS:[EBP-14]"
    log "PUSH EAX"
    log "PUSH ESI"
    log "PUSH 0"
    log "PUSH 0"
    log "CALL DWORD PTR DS:[40D0C0]      ; kernel32.GetModuleHandleA"
    ret
    ////////////////////
    // linker 8/9: CALL + JMP stub, then the security-cookie setup
    MICRO_09:
    log "----------------------------------------------"
    log "| OEP_ROUTINE_LOOK_EXSAMPLE_FOR_EXE_FILES:   |"
    log "----------------------------------------------"
    log "CALL XXXXXXXX // A"
    log "JMP  XXXXXXXX"
    log "  "
    log "MOV EDI,EDI   // A"
    log "PUSH EBP"
    log "MOV EBP,ESP"
    log "SUB ESP,18"
    log "MOV DWORD PTR SS:[EBP-8],0"
    log "MOV DWORD PTR SS:[EBP-4],0"
    log "CMP DWORD PTR DS:[75D494],BB40E"
    log "JE SHORT 00680671"
    log "MOV EAX,DWORD PTR DS:[75D494]"
    log "AND EAX,FFFF0000"
    log "JE SHORT 00680671"
    log "MOV ECX,DWORD PTR DS:[75D494]"
    log "NOT ECX"
    log "MOV DWORD PTR DS:[75D498],ECX"
    log "JMP 00680707"
    log "LEA EDX,DWORD PTR SS:[EBP-8]"
    log "PUSH EDX"
    log "CALL DWORD PTR DS:[863310]      ; kernel32.GetSystemTimeAsFileTime"
    ret
    ////////////////////
    // linker 7: four variants (SEH setup, GetVersionExA, GetStartupInfoA,
    // GetCommandLineA)
    MICRO_07:
    log "----------------------------------------------"
    log "| OEP_ROUTINE_LOOK_EXSAMPLE_FOR_EXE_FILES:   |"
    log "----------------------------------------------"
    log "PUSH 70"
    log "PUSH 10015E0"
    log "CALL 010127C8"
    log "XOR EBX,EBX"
    log "PUSH EBX"
    log "MOV EDI,DWORD PTR DS:[1001020]  ; kernel32.GetModuleHandleA"
    log "CALL EDI"   
    log "CMP WORD PTR DS:[EAX],5A4D"
    log "JNZ SHORT 010124B2"
    log "MOV ECX,DWORD PTR DS:[EAX+3C]"
    log "ADD ECX,EAX"
    log "CMP DWORD PTR DS:[ECX],4550"
    log "JNZ SHORT 010124B2"
    log "MOVZX EAX,WORD PTR DS:[ECX+18]"
    log "CMP EAX,10B"
    log "JE SHORT 010124CA"
    log "CMP EAX,20B"
    log ""
    log "OR"
    log ""
    log "PUSH 60"
    log "PUSH 1002B78"
    log "CALL 01008D18"
    log "MOV EDI,94"
    log "MOV EAX,EDI"
    log "CALL 01008D70"
    log "MOV DWORD PTR SS:[EBP-18],ESP"
    log "MOV ESI,ESP"
    log "MOV DWORD PTR DS:[ESI],EDI"
    log "PUSH ESI"
    log "CALL DWORD PTR DS:[10010A8]     ; kernel32.GetVersionExA"
    log ""
    log "OR"
    log ""
    log "PUSH 60"
    log "PUSH 1005778"
    log "CALL 0100C54C"
    log "XOR EBX,EBX"
    log "MOV DWORD PTR SS:[EBP-4],EBX"
    log "LEA EAX,DWORD PTR SS:[EBP-5C]"
    log "PUSH EAX"
    log "CALL DWORD PTR DS:[100111C]     ; kernel32.GetStartupInfoA"
    log ""
    log "OR"
    log ""
    log "PUSH EBP"
    log "MOV EBP,ESP"
    log "SUB ESP,44"
    log "PUSH ESI"
    log "CALL DWORD PTR DS:[401000]      ; kernel32.GetCommandLineA"
    ret
    ////////////////////
    // linker 6: MSVC 6 prologues, plus the Visual Basic ThunRTMain stub
    MICRO_VB:
    log "----------------------------------------------"
    log "| OEP_ROUTINE_LOOK_EXSAMPLE_FOR_EXE_FILES:   |"
    log "----------------------------------------------"
    log "PUSH EBP"
    log "MOV EBP,ESP"
    log "PUSH -1"
    log "PUSH 41DD30"
    log "PUSH 409C98"
    log "MOV EAX,DWORD PTR FS:[0]"
    log "PUSH EAX"
    log "MOV DWORD PTR FS:[0],ESP"
    log "ADD ESP,-58"
    log "PUSH EBX"
    log "PUSH ESI"
    log "PUSH EDI"
    log "MOV DWORD PTR SS:[EBP-18],ESP"
    log "CALL DWORD PTR DS:[41C1A0]      ; kernel32.GetVersion"
    log ""
    log "OR"
    log ""
    log "PUSH ECX"
    log "PUSH ESI"
    log "PUSH 0"
    log "CALL DWORD PTR DS:[414100]      ; kernel32.GetModuleHandleA"
    log "MOV DWORD PTR DS:[41E75C],EAX"
    log "CALL 00404410"
    log "MOV ESI,DWORD PTR DS:[4190D8]   ; kernel32.ExitProcess"
    log "TEST EAX,EAX"
    log "JNZ SHORT 00404362"
    log "PUSH -1"
    log "CALL ESI"
    log ""
    log "OR IN VB"
    log ""
    log "PUSH 402720                     ; VB5!"
    log "CALL 004013FA                   ; <JMP.&MSVBVM60.ThunRTMain>"
    ret
    ////////////////////
    // linker 5: MSVC 5 prologues and the MASM32/TASM32 GetModuleHandleA start
    MICRO_TASM:
    log "----------------------------------------------"
    log "| OEP_ROUTINE_LOOK_EXSAMPLE_FOR_EXE_FILES:   |"
    log "----------------------------------------------"
    log "MOV EAX,DWORD PTR FS:[0]"
    log "PUSH EBP"
    log "MOV EBP,ESP"
    log "PUSH -1"
    log "PUSH 40A000"
    log "PUSH 407548"
    log "PUSH EAX"
    log "MOV DWORD PTR FS:[0],ESP"
    log "SUB ESP,60"
    log "PUSH EBX"
    log "PUSH ESI"
    log "PUSH EDI"
    log "MOV DWORD PTR SS:[EBP-18],ESP"
    log "CALL DWORD PTR DS:[40C428]      ; kernel32.GetVersion"
    log ""
    log "OR"
    log ""
    log "PUSH EBP"
    log "MOV EBP,ESP"
    log "PUSH -1"
    log "PUSH 1002BD8"
    log "PUSH 10114F0"
    log "MOV EAX,DWORD PTR FS:[0]"
    log "PUSH EAX"
    log "MOV DWORD PTR FS:[0],ESP"
    log "ADD ESP,-68"
    log "PUSH EBX"
    log "PUSH ESI"
    log "PUSH EDI"                       
    log "MOV DWORD PTR SS:[EBP-18],ESP"
    log "MOV DWORD PTR SS:[EBP-4],0"
    log "PUSH 2"
    log "CALL DWORD PTR DS:[1001208]     ; MSVCRT.__set_app_type"
    log ""
    log "OR IN TASM32 / MASM32"
    log ""
    log "PUSH 0"
    log "CALL 00401E70                   ; <JMP.&KERNEL32.GetModuleHandleA>"
    ret
    ////////////////////
    // "53" case: same sample as the first half of BORLAND_MICRO, minus the
    // FS:[0] load
    MICRO_SHORT:
    log "----------------------------------------------"
    log "| OEP_ROUTINE_LOOK_EXSAMPLE_FOR_EXE_FILES:   |"
    log "----------------------------------------------"
    log "PUSH EBP"
    log "MOV EBP,ESP"
    log "PUSH -1"
    log "PUSH 40A000"
    log "PUSH 407548"
    log "PUSH EAX"
    log "MOV DWORD PTR FS:[0],ESP"
    log "SUB ESP,60"
    log "PUSH EBX"
    log "PUSH ESI"
    log "PUSH EDI"
    log "MOV DWORD PTR SS:[EBP-18],ESP"
    log "CALL DWORD PTR DS:[40C428]      ; kernel32.GetVersion"
    ret
    ////////////////////
    // linker 2: old MSVC prologue, plus the Borland Delphi start
    BORLAND_MICRO:
    log "----------------------------------------------"
    log "| OEP_ROUTINE_LOOK_EXSAMPLE_FOR_EXE_FILES:   |"
    log "----------------------------------------------"
    log "MOV EAX,DWORD PTR FS:[0]"
    log "PUSH EBP"
    log "MOV EBP,ESP"
    log "PUSH -1"
    log "PUSH 40A000"
    log "PUSH 407548"
    log "PUSH EAX"
    log "MOV DWORD PTR FS:[0],ESP"
    log "SUB ESP,60"
    log "PUSH EBX"
    log "PUSH ESI"
    log "PUSH EDI"
    log "MOV DWORD PTR SS:[EBP-18],ESP"
    log "CALL DWORD PTR DS:[40C428]      ; kernel32.GetVersion"
    log ""
    log "OR IN BORLAND DELPHI"
    log ""
    log "PUSH EBP"
    log "MOV EBP,ESP"
    log "ADD ESP,-0C"
    log "MOV EAX,56D710"
    log "CALL 004063E4                  // GetModuleHandleA"
    ret
    ////////////////////
    ////////////////////
    // IATREAD: log every imported API slot and compute the IAT start / end /
    // size (the values one needs for an import fixer).  Two strategies:
    //  - import directory RVA != 0   -> IATREAD_NOTHING: walk the
    //    IMAGE_IMPORT_DESCRIPTOR array and each FirstThunk array
    //  - import directory RVA == 0 and IAT directory != 0 -> walk the IAT
    //    directory range linearly (code directly below)
    // If both are 0 the code still enters IATREAD_NOTHING with a zero base.
    // Reads IMAGEBASE and the IMPORT_*/IAT variables filled by the main body;
    // "gn addr" resolves an address to an API name, $RESULT = 0 when none.
    // All literals are hexadecimal.
    IATREAD:
    cmp IMPORT_TABLE_ADDRESS, 0
    jne IATREAD_NOTHING
    cmp IMPORT_ADDRESS_TABLE, 0
    je IATREAD_NOTHING
    log "----------------------------------------------"
    log "| IAT-START / DIRECT API / MODULE / API NAME |"
    log "----------------------------------------------"
    // IMPORT_ADDRESS_TABLE: RVA -> VA; walk until IMPORT_ADDRESS_TABLE_END
    add IMPORT_ADDRESS_TABLE, IMAGEBASE
    add IMPORT_ADDRESS_TABLE_END, IMPORT_ADDRESS_TABLE
    add IMPORT_ADDRESS_TABLE_END, IMPORT_ADDRESS_SIZE
    mov API_IN, [IMPORT_ADDRESS_TABLE]
    mov IATBEGIN, IMPORT_ADDRESS_TABLE
    mov IAT_SIZE, IMPORT_ADDRESS_SIZE
    mov IATEND, IATBEGIN
    add IATEND, IAT_SIZE
    gn API_IN
    mov API_NAME, $RESULT
    // a first slot that is neither a name nor a value counts as a module
    // boundary
    cmp API_NAME, 0
    jne IAT_COUNTER
    cmp API_IN, 0
    jne IAT_COUNTER
    inc MODULE
    ////////////////////
    // IAT_COUNTER: a non-zero slot is one imported function; TAFER = 1
    // remembers that the previous slot was non-zero
    IAT_COUNTER:
    cmp API_IN, 0
    je IAT_COUNTER_1
    inc IMPORT_FUNCTIONS
    mov TAFER, 01
    ////////////////////
    // IAT_COUNTER_1: log "<slot VA> <value> <name>", move to the next dword;
    // a zero slot right after a non-zero one terminates a module's thunks
    IAT_COUNTER_1:
    eval "* {IMPORT_ADDRESS_TABLE}    {API_IN}     {API_NAME}"
    log $RESULT, ""
    add IMPORT_ADDRESS_TABLE, 04
    mov API_IN, [IMPORT_ADDRESS_TABLE]
    gn API_IN
    mov API_NAME, $RESULT
    cmp API_NAME, 0
    jne IAT_COUNTER_2
    cmp API_IN, 0
    jne IAT_COUNTER_2
    cmp TAFER, 0
    je IAT_COUNTER_2
    inc MODULE
    ////////////////////
    IAT_COUNTER_2:
    mov TAFER, 0
    cmp IMPORT_ADDRESS_TABLE, IMPORT_ADDRESS_TABLE_END
    jne IAT_COUNTER
    log " "
    // counters become decimal strings for the summary
    itoa IMPORT_FUNCTIONS, 10.
    mov IMPORT_FUNCTIONS, $RESULT
    // dec MODULE
    itoa MODULE, 10.
    mov MODULE, $RESULT
    ////////////////////
    log " "
    log "----------------------------------------------"
    log "| IAT | API * & * SIZE RESULTS | IMPREC DATA |"
    log "----------------------------------------------"
    log " "
    eval "* FOUND {MODULE} VALID MODULE | {IMPORT_FUNCTIONS} IMPORT_FUNCTIONS | IAT_SIZE {IAT_SIZE} "
    log $RESULT, ""
    log ""
    eval "* IAT START: {IATBEGIN} | IAT END: {IATEND} | IAT SIZE: {IAT_SIZE}"
    log $RESULT, ""
    log ""
    // eval "* FOUND {MODULE} VALID MODULE & {IMPORT_FUNCTIONS} IMPORT_FUNCTIONS"
    // log $RESULT, ""
    // log ""
    // put IMPORT_ADDRESS_TABLE back to the RVA the main body reported
    sub IMPORT_ADDRESS_TABLE, IMAGEBASE
    sub IMPORT_ADDRESS_TABLE, IMPORT_ADDRESS_SIZE
    ret
    ////////////////////
    // IATREAD_NOTHING: walk the import descriptors instead of the IAT
    // directory.  IMPORT_TABLE_ADDRESS_END = VA one past the directory;
    // IMPORT_TABLE_ADDRESS_CALC = RVA of the current descriptor
    IATREAD_NOTHING:
    log "*"
    log "----------------------------------------------"
    log "| READ IAT EXTERN / NOT ARRANGED!            |"
    log "----------------------------------------------"
    log "*"
    log "----------------------------------------------"
    log "| IAT-START / DIRECT API / MODULE / API NAME |"
    log "----------------------------------------------"
    log "*"
    mov IMPORT_TABLE_ADDRESS_END, IMPORT_TABLE_ADDRESS
    add IMPORT_TABLE_ADDRESS_END, IMPORT_TABLE_SIZE
    add IMPORT_TABLE_ADDRESS_END, IMAGEBASE
    mov IMPORT_TABLE_ADDRESS_CALC, IMPORT_TABLE_ADDRESS
    ////////////////////
    // LOG_START: TEMPER = VA of this descriptor's FirstThunk field (+10);
    // stop at the directory end.  A zero FirstThunk loops back here, which
    // adds IMAGEBASE a second time and so pushes TEMPER past the end on the
    // next pass — this appears to be what terminates the walk (confirm)
    LOG_START:
    add IMPORT_TABLE_ADDRESS_CALC, 10
    add IMPORT_TABLE_ADDRESS_CALC, IMAGEBASE
    mov TEMPER, IMPORT_TABLE_ADDRESS_CALC
    cmp TEMPER, IMPORT_TABLE_ADDRESS_END
    je IATREAD_END
    ja IATREAD_END
    cmp [TEMPER], 0
    je LOG_START
    inc MODULE
    // TEMPER_2 = VA of the module's first IAT slot
    mov TEMPER_2, [TEMPER]
    add TEMPER_2, IMAGEBASE
    mov API_IN, [TEMPER_2]
    gn API_IN
    mov API_NAME, $RESULT
    cmp API_NAME, 0
    je NEXT_MODULE
    ////////////////////
    // LOG_IT: count and log one slot, then keep IATBEGIN = lowest and
    // IATEND = highest slot address seen so far
    LOG_IT:
    inc IMPORT_FUNCTIONS
    eval "* {TEMPER_2}    {API_IN}     {API_NAME}"
    log $RESULT, ""
    cmp IATBEGIN, 0
    je LOG_IT_NEXT
    cmp IATBEGIN, TEMPER_2
    jb LOG_IT_NEXT_2
    ////////////////////
    LOG_IT_NEXT:
    mov IATBEGIN, TEMPER_2
    ////////////////////
    LOG_IT_NEXT_2:
    cmp IATEND, TEMPER_2
    ja LOG_IT_NEXT_3
    mov IATEND, TEMPER_2
    ////////////////////
    // next slot; a slot with no resolvable name ends this module
    LOG_IT_NEXT_3:
    add TEMPER_2, 04
    mov API_IN, [TEMPER_2]
    gn API_IN
    mov API_NAME, $RESULT
    cmp API_NAME, 0
    je NEXT_MODULE
    // inc IMPORT_FUNCTIONS
    jmp LOG_IT
    ////////////////////
    // NEXT_MODULE: log the terminating slot and advance to the next
    // descriptor: -IMAGEBASE +4 here, +10 in LOG_START = 14 bytes, the size
    // of IMAGE_IMPORT_DESCRIPTOR
    NEXT_MODULE:
    eval "* {TEMPER_2}    {API_IN}     {API_NAME}"
    log $RESULT, ""
    sub IMPORT_TABLE_ADDRESS_CALC, IMAGEBASE
    add IMPORT_TABLE_ADDRESS_CALC, 04
    jmp LOG_START
    ////////////////////
    // IATREAD_END: gross size = span from lowest to highest slot + 4;
    // IATEND = one past the highest slot; net size = functions * 4 + 4
    IATREAD_END:
    sub IATEND, IATBEGIN
    mov IAT_SIZE_GROSS, IATEND
    add IAT_SIZE_GROSS, 04
    add IATEND, IATBEGIN
    add IATEND, 04
    mov IAT_SIZE, IMPORT_FUNCTIONS
    mul IAT_SIZE, 04
    add IAT_SIZE, 04
    log " "
    log "----------------------------------------------"
    log "| IAT | API * & * SIZE RESULTS | IMPREC DATA |"
    log "----------------------------------------------"
    log " "
    itoa IMPORT_FUNCTIONS, 10.
    mov IMPORT_FUNCTIONS, $RESULT
    itoa MODULE, 10.
    mov MODULE, $RESULT
    eval "* FOUND {MODULE} VALID MODULE | {IMPORT_FUNCTIONS} IMPORT_FUNCTIONS | NET(TO) IAT_SIZE {IMPORT_TABLE_SIZE} "
    log $RESULT, ""
    log ""
    eval "* IAT START: {IATBEGIN} | IAT END: {IATEND} | IAT SIZE GROSS: {IAT_SIZE_GROSS}"
    log $RESULT, ""
    log ""
    ret
#963
sti
bp eip
sto
bp eip
esto
bp eip

si necesitas implementaciones

Aquí hay un ejemplo con UPX:
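//UPX v1.25 unpacking script by Mr. eXoDia modded by Apuromafo
// Expects EIP at the packer entry (the PUSHAD, opcode 60).
// Method 1: hardware breakpoint on the stack slot PUSHAD wrote, hit by the
//           matching POPAD, then search for the JMP to the OEP.
// Method 2: scan forward from EIP for the POPAD, then for the JMP.
// Both paths end in noerrors with $RESULT = address to search from.
var buscar             // start address of the E9 search (was used undeclared)

bc //clear all BP
bphwc //clear all HWBP
cmp [eip],60,1
je goodsign_0
msg "the eip is not in pushad!!!"
ret //the methods below only make sense at the PUSHAD
goodsign_0:
asking:
ask "UPX v1.25 by Mr. eXoDia, pick your method (1 or 2)" //ask for input
cmp $RESULT, 0 //cmp result with 0
jne pickmethod //jump if not equal pickmethod
asking0:
msg "Error, please enter a value between 1 and 2" //else give error message
jmp asking
pickmethod:
cmp $RESULT, 2 //check if 2 is entered
je method2 //je to method 2
cmp $RESULT, 1 //check if 1 is entered
je method1
jmp asking0
method1:
//else do method 1
estep //F8: execute the PUSHAD
bphws esp, "r" //HWBP on access to the saved registers
erun //run until the POPAD reads them back
bphwc //clear HWBPs
mov $RESULT,eip //search from here
jmp noerrors

method2: //a label for jumps in a script
find eip, #??61# //search for popad, jmp ????????
cmp $RESULT, 0 //if not found
jne noerrors //give error if no result
msg "Error in script"
ret //do not continue with $RESULT = 0

noerrors:
mov buscar,$RESULT
find buscar, #E9????????#
cmp $RESULT, 0 //if not found
jne noerrors1 //give error if no result
msg "Error in script1"
ret //do not set a breakpoint at 0
noerrors1:

bp $RESULT //BP on result
erun //F9
bc //clear bp (if not you will get an error)
estep //F8
//esti //Step into (F7)
an eip //ctrl+a

end: //label
msg "This is OEP only dump & fix needed!"
ret
//its nice for newbies to comment your scripts so they can learn from it!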
//its nice for newbies to comment your scripts so they can learn from it!
#964
Idea 1: comparar la dirección

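var direccion1
var direccion2
// direccion1 = the jump, direccion2 = the instruction below it
mov direccion1,00457b4
mov direccion2,00457b5// este deberia ser debajo del salto (was assigned to direccion1 twice, leaving direccion2 = 0)
//bp direccion1
//bp direccion1
// report which of the two addresses EIP is at
cmp eip,direccion1
je estamosendireccion1
cmp eip,direccion2
je estamosendireccion2
eval "que raro estamos en {eip}!!!"
msg $RESULT
jmp fin
estamosendireccion1:
eval "estamos en  {direccion1}"
msg $RESULT
//bc direccion1
jmp fin
estamosendireccion2:
eval "estamos en  {direccion2}"
msg $RESULT
//bc direccion2
jmp fin
fin:
ret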


Idea 2: comparar por ejecución con EOB y RUN/ERUN/BPGOTO



Idea 3: comparar los flags

Idea 4: comparar por bytes y destinos.

etc.
#965
Ingeniería Inversa / Re: duda con VirtualAlloc
1 Septiembre 2011, 15:57 PM
¿Te acuerdas de PELock? Busca toda la información de ese packer (de los tutoriales) y verás bastantes apuntes;
marciano hizo un buen tutorial, entre otros.

VirtualAlloc reserva un espacio de memoria y VirtualFree lo libera.
Lo delicado a veces es recalcularlo para que caiga en la sección; usar el mismo puede traer muchos líos. Revisa cómo lo hizo Ricardo en ese mismo tipo de caso.

Yo, hace no mucho, preferí parchear manualmente una redirección porque tenía tiempo; no sé tú, pero es algo complejo llegar a agregar la API, agregar la importación, luego colocar el injerto y probar en más de un S.O.

versus agregar la sección, calcular los RVA y luego parchear los errores.

saludos Apuromafo
#966
jiji puse tu nick como charset en el 4.2 y la letra correcta es la "k" de kilo,

el procedimiento es lo mismo:
004016E4   75 2E            JNZ SHORT 00401714

vemos la comparación, pero, a diferencia de la vez anterior, revisé el string real:
DS:[0040B200]=0040F4A8 (Tinkipin.0040F4A8), ASCII "8ce4b16b22b58894aa86c421e8759df3{"

en este caso el md5 real seria  "8ce4b16b22b58894aa86c421e8759df3"

saludos Apuromafo
#968
Ingeniería Inversa / Re: Duda con simple script
26 Agosto 2011, 23:31 PM
Ahora, por las excepciones y demás, suelen usarse los BP en memoria y muchas veces otros comandos, pero más que eso no.


COE/COB/EOB son comandos más bien poco usados actualmente;
se suele usar BPGOTO.

saludos Apuromafo


+info:


//
COB  // Continue On Break
Makes the script continue execution after a breakpoint has occurred. This will override the execute on break (EOB) command.  (removes EOB)
Example:
COB

//
COE  // Continue On Exception
Makes the script continue execution after an exception has occurred. This will override the execute on exception (EOE) command.  (removes EOE)
Example:
COE

//
EOB label  // Execute On Break
Transfers execution to label on next breakpoint.
(see BPGOTO command to assign a label to a breakpoint)
Example:
EOB label
eob SOME_LABEL


//


BPGOTO addr, label         // Breakpoint Goto
------------------
Automatic jump to label on breakpoint (standard INT3 and hardware).
//Transfers execution to label when the breakpoint at addr is reached.
EOB-like command.
Example:
bphws addr
bpgoto addr, MyLabel
NextBP:
RUN
...
MyLabel:
...
jmp NextBP

//////////////////////////////////
Example2:
BP addr
BPGOTO addr, Do2
RUN
NextBP2:
  RUN
  ...
Do2:
  ...
  JMP NextBP2




--

BPHWS addr, [mode="x"]  // Breakpoint Hardware Set
Sets a hardware breakpoint at addr.
Mode can be
"r" read,
"w" write or
"x" execute

(defaults to "x" if omitted).
--

ERUN  // Exception (Handling) Run //  [formerly ESTO]
Executes "SHIFT+F9" in OllyDbg (Run with exceptions ignored).
Note: was ESTO before, but that command is deprecated.
Example:
ERUN

---

MSGYN str  // Message Yes No
Displays a message box with "Yes" and "No" buttons containing the text str.
$RESULT is set to 0 if the user selects "No".
$RESULT is set to 1 if the user selects "Yes".
$RESULT is set to 2 if the user selects "Cancel".
Example:
MSGYN "Auto search for IAT?"
CMP $RESULT, 0
JE AskIAT
CMP $RESULT, 1
JE FindIAT
CMP $RESULT, 2
JE Exit
#969
un amigo alguna vez lo hizo pro,
pero es demo en algunas partes,
con respecto al programa en si la gran mayoria si lo compra no tanto por lo demas, sino por el soporte e ideas que le dan cuando se consulta

con respecto al dato:
refieren que la version
The version is "3.0.0.32906 Standard Edition"
Working fine till now.

http://www.artshade.ro/Artisteer3artshade.zip
1)download Harddisk serial no changer
http://www.multiupload.com/QKVH1MQ1TM


si fuera que se pudiera hacer, deberia estar bastante interesado en esa aplicacion..de veras yo creo que los master en .net ya hacen bastantes cosas con PEBROWSER y IDA...


#970
no estoy interesado en el programa, pero deberia ser mas o menos asi:
desempacado (upx -d o bien cff explorer)  , pues te posicionas en :004079F0
en este caso coloque la letra "a" la cual el hash md5 es  0cc175b9c0f1b6a831c399e269772661

vease los registros:
EAX 00000041
ECX 009008B8 ASCII "0cc175b9c0f1b6a831c399e269772661"
EDX 009008D9 ASCII "b7feb8292a31608dbfe0c2ba9c4a34de"
EBX 00000003
ESP 0012FFC0
EBP 0000001A
ESI 0012CE70
EDI 00570380
EIP 004079F0 Tinkipin.004079F0


no pille el hash del serial correcto en el Recurso "P"  -*>  

"b7feb8292a31608dbfe0c2ba9c4a34de" en las bases de MD5,

el password correcto se ve en una comparacion hecha con MD5

del cual luego de descifrar deberia mostrar algun mensaje desde temporales
en mi pc crea una carpeta:
C:\Documents and Settings\usuario\Configuración local\Temp\66.tmp

que deberia llamarse luego  Tinkipinki4.bat
del contenido del recurso "B" deberia ser decodificado...

saludos Apuromafo