Script Extension for ProcDump32 :
─────────────────────────────────

Technically the goal of such a script is to :
┌──────────────────────────────────────────────────────────────────────┐
│ 1) defeat ADT                                                        │
│ 2) -> Find the last instruction BEFORE jumping to the ORIGINAL CODE <- │
│ 3) Run step mode as late as possible to speed up tracing             │
└──────────────────────────────────────────────────────────────────────┘

A) Function Definitions :
─────────────────────────

1) LOOK function.
   The LOOK function scans for a HEX string in the loader object. The address where this block is found is stored so that you can set a breakpoint at this location. Wildcards are allowed for a BYTE. The search result is handled internally and you may use the conditional jumps to handle the result yourself.
   Ex: Look 0F,85 will search for a JNE long jump. You may then want to set a breakpoint via the BP command.
       Look EB,?  will search for a short jump.

2) ADD function.
   Allows you to add a value to the current address in memory (ex: the one spotted by the LOOK command or by the POS command).

3) DEC function.
   Guess ;)

4) REPL function.
   This function applies a patch (HEX sequence) at the current memory location (ex: the one spotted by the LOOK command). This may allow you to kick an ADT ;).
   Ex: REPL 90,90 will apply a double NOP starting at the current memory location.

5) BP function.
   Sets a breakpoint at the current memory location.

6) BPX function.
   Sets a breakpoint at a given location. The location is relative to the object start.
   Ex: If the loader object starts at RVA 66000h, BPX 2672 will set a breakpoint at RVA 68672.

7) BPF function (Break On Flag).
   Each time the breakpoint occurs, this function checks whether the flag you passed is set/unset. The breakpoint location is the current memory location.

   Unset │ Set │ Meaning
   ──────┼─────┼─────────────────
     c   │  C  │ Carry flag.
     p   │  P  │ Positive flag.
     a   │  A  │ Above flag.
     z   │  Z  │ Zero flag.
     s   │  S  │ Sign flag.
     d   │  D  │ Direction flag.
     o   │  O  │ Overflow flag.

   You can only test ONE flag.

8) BPC function.
   Break at Local EIP until the counter is reached.
   Ex: BPC 15 (breakpoint 15h times at Local EIP).

9) BPV function.
   Break at EIP until a value is reached in a register.
   Ex: BPV EAX=5 (breakpoint when EAX=5 at Local EIP).

10) MOVE function.
    Sets the current EIP: adds the parameter value to the current EIP.
    BE CAREFUL WITH THIS !!!! NO CONTROL IS DONE on the EIP. Try to use this instead of NOPing a location; if there was a CRC check you will defeat it ;).
    Ex: MOVE 14 will move the current EIP to EIP+14h.

11) POS function.
    Sets the current memory location FOR ALL FUNCTIONS. The location is relative to the object start.

12) STEP function.
    This sets step-by-step analysis. This is generally used to finish the trace.
    BEWARE: step mode means each line will be tested -> SLOW !! So set step mode as late as possible.

13) OBJR function.
    This sets the base memory address at which scanning starts. Affects the LOOK command.

14) BPREG function.
    Sets a breakpoint at a register value.

15) WALK function.
    Executes the next instruction and returns control to ProcDump32.

16) EIP function.
    Says that the next EIP has to be used as the Original EntryPoint.
    Note : After a breakpoint, the next EIP is the breakpoint address itself !

17) HELP function (launch an external file for helping).
    Launches an external file with specific params. An ini file of your choice is created on the fly with specific values (HEX). It contains :
    . the PID of the process.
    . all register values including EIP.
    . the Local EIP value.

    Example :
    in script :
      ...
      L5=HELP PDHelp.Exe Helper.ini
      ...
    The command line of your helper will contain <Path to helper.ini>\"helper.ini".

    in helper.ini :
      [REG]
      Dr0=00000000
      Dr1=00000000
      Dr2=00000000
      Dr3=00000000
      Dr6=00000000
      Dr7=00000000
      SegGs=00000000
      SegFs=00000FDF
      SegEs=00000167
      SegDs=00000167
      Edi=00000000
      Esi=8161D244
      Ebx=00000000
      Edx=8161D2A4
      Ecx=8161D264
      Eax=0043E9B4
      Ebp=00456000
      Eip=00456264
      SegCs=0000015F
      Flags=00000216
      Esp=0068FE34
      SegSs=00000167
      Pid=FFC1E943
      Local=00456264

    I think this is quite flexible ;).
    Note : The command line is limited to 512 chars for both the helper EXE and the helper INI path. This limitation is internal to ProcDump; it is however possible that the WINDOWS API is limited to a path of 256 chars.

18) JMP, JZ, JN commands.
    Allow you to move to a given script line. For conditional jumps, the flag from the LOOK command is used : if the search was successful, the Z flag is set, otherwise it is unset.
    Ex:
      L1=JMP 5
      L5=LOOK EB,?
      L6=JZ 8
      L7=QUIT
      L8=....

19) QUIT command.
    Aborts script interpretation, i.e. if a LOOK command failed or whatever.

B) Options format in a script entry :
─────────────────────────────────────

Options are stored in DWORD format and start with OPTL.

OPTL1 = DWORD : represents the delay in ms for AutoDump.
OPTL2 = BYTE  : Auto EIP
        BYTE  : Ignore Faults
        BYTE  : FastMode Dump
        BYTE  : ExternalPredump
OPTL3 = BYTE  : Optimize PE
        BYTE  : Auto Compute Objects
        BYTE  : Trace API
        BYTE  : Auto Layer
OPTL4 = BYTE  : Raw Mode
        BYTE  : Import Rebuild Type
        BYTE  : Restore Header
        BYTE  : Restore Relocs
OPTL5 = BYTE  : Reserved
        BYTE  : Reserved
        BYTE  : Check Header
        BYTE  : Merge Code

For more details... check the ProcDump options explanations.

C) How to set your own protector/packer definitions :
─────────────────────────────────────────────────────

1) Update the Index section :
   ──────────────────────────
   Add a Pxx statement .... be careful, the xx value must follow the previous protector's one.
   Example :
   before
     [INDEX]
     P1=Shrinker 3.3
     P2=Wwpack32 Beta 9
     P3=Wwpack32 1.0
   after
     [INDEX]
     P1=Shrinker 3.3
     P2=Wwpack32 Beta 9
     P3=Wwpack32 1.0
     P4=My Own definition

2) Add your definition :
   ─────────────────────
   A definition is composed of line statements which must be of the form Lxx.
   Ex:
     [My own definition]
     L1=Look 0F,85,DB,FF,FF
     L2=BP
     L3=STEP
   You can also add default options for this definition: add the OPTLx entries in this section as well. If no default options are specified, ProcDump will use the current ones.
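Added example, not ProcDump32's own code: a small Python interpreter for the LOOK/ADD/DEC/POS/REPL/BP/BPX/JMP/JZ/JN/QUIT/STEP subset described in sections A and C, run over a constructed object image so the flow of a definition (LOOK sets Z, JZ/JN branch on it, BP/BPX record breakpoint RVAs, STEP or QUIT ends the run) can be checked offline. It assumes JN means "jump if the Z flag is unset", that a LOOK hit moves the current location to the match, and that JMP/JZ/JN line numbers are decimal; the sample object, script and RVA 66000h are constructed.

```python
# Added example, not ProcDump32's own code: a small interpreter for the LOOK/ADD/DEC/POS/REPL/
# BP/BPX/JMP/JZ/JN/QUIT/STEP subset of the script language above, run over a constructed object
# image. Arguments are hex as in the scripts; "?" in LOOK is a wildcard; JN assumed = jump if Z unset.

def parse_definition(text):
    """'Lxx=CMD ARG' lines of a definition section -> {xx: 'CMD ARG'} (other lines ignored)."""
    pairs = (r.strip().partition("=") for r in text.splitlines())
    return {int(k[1:]): v.strip() for k, eq, v in pairs if eq == "=" and k.upper().startswith("L")}

def parse_bytes(arg):
    """'0F,85,?' -> [0x0F, 0x85, None]; None is the wildcard byte."""
    return [None if b.strip() == "?" else int(b, 16) for b in arg.split(",")]

def find_pattern(obj, pattern):
    """Offset of the first match of pattern in obj, or -1 if absent."""
    for i in range(len(obj) - len(pattern) + 1):
        if all(p is None or obj[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1

def run_script(lines, obj, obj_rva):
    """Interpret the script over bytearray obj loaded at RVA obj_rva; REPL patches obj in place."""
    pos, zf, bps, n, ended = obj_rva, False, [], 1, "END"
    while n in lines:
        cmd, _, arg = lines[n].partition(" ")
        cmd, arg, n = cmd.upper(), arg.strip(), n + 1
        if cmd == "LOOK":                        # Z flag set on a hit; current location moves to it
            off = find_pattern(obj, parse_bytes(arg))
            pos, zf = (obj_rva + off, True) if off >= 0 else (pos, False)
        elif cmd in ("ADD", "DEC"):              # move the current location by a hex amount
            pos += int(arg, 16) if cmd == "ADD" else -int(arg, 16)
        elif cmd == "POS":                       # absolute location, relative to the object start
            pos = obj_rva + int(arg, 16)
        elif cmd == "REPL":                      # patch bytes at the current location
            patch = bytes(parse_bytes(arg))
            obj[pos - obj_rva:pos - obj_rva + len(patch)] = patch
        elif cmd in ("BP", "BPX"):               # breakpoint at current location / object-relative RVA
            bps.append(pos if cmd == "BP" else obj_rva + int(arg, 16))
        elif cmd == "JMP" or (cmd == "JZ" and zf) or (cmd == "JN" and not zf):
            n = int(arg)                         # script line numbers taken as decimal (assumption)
        elif cmd in ("QUIT", "STEP"):            # QUIT aborts; STEP hands the rest to the tracer
            ended = cmd
            break
    return {"pos": pos, "zf": zf, "bps": bps, "ended": ended}

# Constructed sample: an object at RVA 66000h holding a JNE long jump (0F 85 DB FF FF) at offset 10h.
SAMPLE_OBJ = b"\x90" * 0x10 + b"\x0F\x85\xDB\xFF\xFF" + b"\xCC" * 0x10
SAMPLE_SCRIPT = "[My own definition]\nL1=Look 0F,85,DB,FF,FF\nL2=JZ 4\nL3=QUIT\nL4=BP\nL5=BPX 2672\nL6=STEP"
def demo():  # expect breakpoints at RVA 66010h (the JNE) and 68672h, run ended by STEP
    return run_script(parse_definition(SAMPLE_SCRIPT), bytearray(SAMPLE_OBJ), 0x66000)
```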
kazbiel