-
Notifications
You must be signed in to change notification settings - Fork 110
/
UPX X.XX OEP Finder.txt
99 lines (89 loc) · 2.65 KB
/
UPX X.XX OEP Finder.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
///////////////////////////////////////////
// //
// UPX X.XX OEP FINDER //
// //
// supports EXEs & DLLs in x64 & x32 //
// //
///////////////////////////////////////////
// Prepared by: Blitzkrieg
// Date : 4th July 2023
// Tested on :
//
// Release | Target
// -----------------------------
// | 64bit | 32bit
// -----------------------------
// 1.20 | - | EXE
// 1.24 | - | EXE
// 1.25 | - | EXE
// 2.02 | - | EXE/DLL
// 2.03 | - | EXE/DLL
// 3.06 | - | EXE/DLL
// 3.07 | - | EXE/DLL
// 3.08 | - | EXE/DLL
// 3.09 | - | EXE/DLL
// 3.91 | - | EXE/DLL
// 3.95 | EXE/DLL | EXE/DLL
// 3.96 | EXE/DLL | EXE/DLL
// 4.00 | EXE/DLL | EXE/DLL
// 4.01 | EXE/DLL | EXE/DLL
// 4.02 | EXE/DLL | EXE/DLL
///////////////////////////////////////////
// Notes:
// - use "dbclear" command manually when
// script keeps throwing errors, then
// reload target into x64dbg. Don't use
// it when starting-up x64dbg or it will
// delete your Entry Point Breakpoint
// causing more problems!
// - this script makes use of labels
// instead of conventional comments,
// that's because labels won't interfere
// with your comments. Also labelclear
// won't delete your personal comments.
///////////////////////////////////////////
//START AT THE ENTRY POINT!
call DisableBreakpoints
//Finding a long unconditional jump
mov $address,cip
notlongunconditionaljump:
find $address+1,"E9"
mov $address,$result
cmp cip,dis.imm($address) //test for jump pointing to an address above CIP
jb notlongunconditionaljump
cmp mod.base(cip)+mem.size(mod.base(cip)),dis.imm($address) //test for jump pointing to an address below base address of the current module
ja notlongunconditionaljump
bp $address
erun
bc cip
sti
//Halting at OEP
cmt cip,"OEP Found :)"
log "OEP for UPX found at: {a:cip}"
guiupdateenable
d cip
call TimeToDump
ret
///////////////////////////////////////////
// Tools
// Prepared by: Blitzkrieg
///////////////////////////////////////////
//Disables all kinds of breakpoints
DisableBreakpoints:
bd //use dbclear manually when error thrown here
bphd
bpmd
bpddll
DisableExceptionBPX
labelclear (small addition for preventing label collusions)
EnableLog
//guiupdatedisable (for faster script execution)
ret
//Displays a confirmation window for dumping PE file with Scylla
TimeToDump:
msgyn "Successfully found OEP! Wanna use Scylla to dump the PE file?"
cmp 0,$result
je noscylla
scylla
noscylla:
ret