//////////////////////////////////////////////////
// FileName : SecuROM_2-4_OEP_Finder.txt
// Comment : SecuROM 2.91 - 4.x OEP Finder
// Author : Luca91 (Luca1991) - Luca D'Amico
// Date : 2023-04-23
// How to use : First, configure x32dbg to ignore all exceptions (this is important!).
// Load your SecuROM 2-4 protected game and run this script; the debugger ends paused at the OEP.
// Note : 32-bit targets only (the script reads esp/eip). The protected binary executes with a debugger
// attached, so run this in a disposable VM or snapshot rather than on a machine you care about.
//////////////////////////////////////////////////
// Script entry: installs the two API hooks and then hands control to the
// breakpoint callbacks below (each label is entered via "scriptcmd call").
// $driveChecked gates the WriteProcessMemory analysis: 0 until the target has
// called GetDriveTypeA (set to 1 in GetDriveTypeAHook).
$driveChecked = 0
run // resume from the initial pause; expected to stop at the module EntryPoint (depends on x32dbg's "break on entry" setting — verify your configuration)
// drop any software/hardware breakpoints left over from an earlier session
bc
bphwc
// Hook WriteProcessMemory and GetDriveTypeA. The breakpoints sit at +0x2,
// presumably to keep the 0xCC off the first byte of the API (the hot-patch
// prologue) so a simple first-byte integrity check does not see it — confirm
// against the kernel32 build in use. The callbacks read the arguments with the
// function-entry stack layout ([esp+4]=hProcess, [esp+8]=lpBaseAddress,
// [esp+C]=lpBuffer, [esp+10]=nSize), which only holds if the two skipped
// bytes do not touch esp.
$writeProcessMemoryAddr = kernel32.dll:WriteProcessMemory
bp $writeProcessMemoryAddr+0x2
SetBreakpointCommand $writeProcessMemoryAddr+0x2, "scriptcmd call WriteProcessMemoryHook"
$getDriveTypeAAddr = kernel32.dll:GetDriveTypeA
bp $getDriveTypeAAddr+0x2
SetBreakpointCommand $getDriveTypeAAddr+0x2, "scriptcmd call GetDriveTypeAHook"
// let the target run; from here on the breakpoint commands drive the script
erun
ret
// Breakpoint callback for WriteProcessMemory (entered at +0x2 via "scriptcmd call").
// Calls made before the drive check ($driveChecked == 0) are resumed untouched.
// Afterwards the source buffer ([esp+C], length [esp+10]) is scanned for the
// byte sequence 55 8B EC 6A FF (push ebp / mov ebp,esp / push -1); the first
// match is treated as the OEP and control goes to PatchBuffer. No match, or a
// zero-length buffer, just resumes the target.
WriteProcessMemoryHook:
cmp $driveChecked, 1
jne WpmhContinue
log "WriteProcessMemory({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
$currentBufferAddr = [esp+C]
$currentBufferSize = [esp+10]
log "analyzing buffer located at {$currentBufferAddr} of size {$currentBufferSize}"
// NOTE(review): first match wins — any function in this buffer that starts with
// the same prologue, not only the real entry point, would be reported as the
// OEP; sanity-check the announced address. A build whose entry uses a
// different prologue will never match and the script never stops.
// find leaves the match address (or 0) in $result.
find $currentBufferAddr, 558BEC6AFF, $currentBufferSize
cmp $result, 0
jne PatchBuffer
WpmhContinue:
erun
ret
// Breakpoint callback for GetDriveTypeA: records that the target has started
// its drive check, which unlocks the buffer analysis in WriteProcessMemoryHook.
// Presumably the WriteProcessMemory calls made before this point belong to
// earlier unpacking stages that never contain the OEP — confirm per title.
GetDriveTypeAHook:
$driveChecked = 1
erun
ret
// Reached from WriteProcessMemoryHook with $result = address of the prologue
// match inside the source buffer. The OEP in the target is lpBaseAddress
// ([esp+8]) plus the match's offset into the buffer. The first two bytes of
// the match are replaced in the source buffer with EB FE (jmp $), so the
// target spins at the OEP even if the breakpoint set below is missed; the
// original bytes are put back in RestoreOepBytes.
// NOTE(review): assumes hProcess ([esp+4]) is the debuggee itself; if the
// write targets another process the breakpoint address is meaningless.
PatchBuffer:
$oepAddressInBuffer = $result
$oepAddr = [esp+8] + ($oepAddressInBuffer - $currentBufferAddr)
msg "OEP = {$oepAddr}"
set $oepAddressInBuffer, #EB FE#
// run until WriteProcessMemory returns, i.e. until the patched bytes are in place
rtr
// the API hooks have done their job; replace them with a single bp on the OEP
bc
bphwc
bp $oepAddr
SetBreakpointCommand $oepAddr, "scriptcmd call RestoreOepBytes"
erun
ret
// Breakpoint callback at the OEP: undo the EB FE stub written by PatchBuffer
// by restoring the first two prologue bytes (55 8B) at eip, label the address
// "OEP" and clear all breakpoints. There is deliberately no erun: the script
// ends with the target paused at the OEP, ready to dump.
// NOTE(review): the bytes are written while the software breakpoint at eip is
// still registered and only then removed with bc; if the debugger writes its
// saved original byte back on deletion the 55 could be clobbered — confirm
// the OEP reads 55 8B EC 6A FF after the script finishes, before dumping.
RestoreOepBytes:
set eip, #55 8B#
lbl eip,"OEP"
bc
bphwc
ret