Packer :- PEDiminisher
Type :- PE packer
Level :- Ba$ic
Start with understanding codes Structure:-
This is how "End Routine Table look like" for this packer
POP EBP
POP EDI
POP ESI
POP EDX
POP ECX
POP EBX
JMP EAX
Now Follow The Steps to Unpack:-
- Locate end routine instructions in the packed file by search-sequence of command
- "JMP EAX" is the jump to the OEP so "Press F2" and Set a break point at the JMP instruction
- Press F9 and you break on BP
- Press F7 to step once and then dump the process with "Olly Dump Plugin" to get the unpacked version of the file
Using & Understanding Olly Script:-
Script-
Find eip,#5D5F5E5A595BFFE0#
Bp $RESULT
Run
Sti
Sti
Sti
Sti
Sti
Sti
Sti
Msg”OEP found PEDiminisher,Dump The Target Now!”
Function's-
- find eip, #5D5F5E5A95BFFE0# - locates the instructions(End Routin Table as discuss above)
- bp $RESULT + run -The script then steps through the debugger until it reaches JMP EAX
- sti - We use it 7 time so its step throug End Routin Table and Once it is at JMP EAX, the code steps once and is at the OEP
- msg - Message Box pop up to instruct user that now he can dump the process
Some Useful Codes which help's you to made your own script:-
- sti - F7
- estep - F8
- run - F9
- var - declares a variable
- mov - is similar to assembly
- findop- search for opcode from the specified address & stores the results into a $RESULT variable
- msg - will show a message box -(log should be used but I used msg just for visual pleasure)
Thats all for Today..
Br
Nieo..
