/* Script written by VolX purpose : This script will make Olly to break on the OEP of your target or on the first command of the stolen code if it exist Test Environment : OllyDbg 1.1 ODBGScript 1.47 under WINXP Thanks : Oleh Yuschuk - author of OllyDbg SHaG - author of OllyScript Epsylon3 - author of ODbgScript */ //support Asprotect 1.32, 1.33, ,1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3 var tmp1 var tmp2 var imgbase var 1stsecbase var 1stsecsize var dllimgbase dbh //hide debugger BPHWCALL //clear hardware breakpoint GMI eip, MODULEBASE //get imagebase mov imgbase, $RESULT log imgbase mov tmp1, imgbase add tmp1, 3C //40003C mov tmp1, [tmp1] add tmp1, imgbase //tmp1=signature VA add tmp1, f8 //1st section add tmp1, 8 mov 1stsecsize, [tmp1] add tmp1, 4 mov 1stsecbase, [tmp1] add 1stsecbase, imgbase gpa "GetSystemTime", "kernel32.dll" bp $RESULT esto bc eip rtr sti GMEMI eip, MEMORYOWNER mov dllimgbase, $RESULT cmp dllimgbase, 0 je error log dllimgbase find dllimgbase, #C6463401# //search "mov byte[esi+34], 1" mov tmp2, $RESULT cmp tmp2, 0 je error find tmp2, #68????????68????????68# mov tmp1, $RESULT cmp tmp1, 0 je error log tmp1 bp tmp1 eob lab1 eoe lab1 esto lab1: cmp eip, tmp1 je lab2 esto lab2: bc tmp1 find dllimgbase, #3130330D0A# //search ASCII"103" mov tmp2, $RESULT log tmp2 cmp tmp2, 0 je wrongver find tmp2, #8D00C3# //search "lea eax,[eax]" "ret" mov tmp1, $RESULT log tmp1 cmp tmp1, 0 je wrongver bphws tmp1, "x" eob lab3 eoe lab3 esto lab3: cmp eip, tmp1 je lab4 esto lab4: bphwc tmp1 cob coe mov tmp1, [esp+8] cmp tmp1, 0 log tmp1 jne lab5 mov tmp1, [esp+C] cmp tmp1, 0 je lab6 jmp lab7 lab5: mov tmp1, [esp+10] cmp tmp1, 0 jne lab7 //No stolen code at the OEP lab6: bprm 1stsecbase, 1stsecsize esto bpmc msg "OEP found, no stolen code at the OEP!" jmp end //There are stolen code at the OEP lab7: bp tmp1 esto bc tmp1 msg "Stolen code start!" jmp end error: msg "Error!" pause jmp end wrongver: msg "Unsupported Aspr version or it is not packed with Aspr?" pause jmp end end: ret