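/* ===============================================================
   ActiveMARK™ 6.x - OEP finder script (v0.1) for Windows XP
   ===============================================================
   ODbgScript (OllyDbg) script; all numeric literals are hex.

   Flow:
     1. EP1 = eip at script start.
     2. Stub two kernel32 exports the protector queries (see the
        comments at each step).
     3. Break on the "ret 4" ending GetModuleHandleA to reach EP2.
     4. Follow two consecutive "jmp dword ptr [imm32]" thunks to EP3.
     5. Single-step to the protector's pushad and trap the first read
        of the saved registers to reach EP4 (OEP or stolen code).
     6. Log EP1..EP4.

   Every lookup except the DebugActiveProcess one jumps to ERROR on
   failure; ERROR reports and returns.

   Side effect on the debuggee: the first bytes of DebugActiveProcess
   and ReadProcessMemory in kernel32.dll are overwritten and are not
   restored by this script.
   =============================================================== */
var addr                                // scratch: search base / stack slot
var EP1                                 // eip when the script started
var EP2                                 // entry of protection module 2
var EP3                                 // entry of protection module 3
var EP4                                 // OEP, or first byte of stolen code

mov EP1,eip

//------------- Debugging trick on Windows XP ---------------
// Overwrite the export with "xor eax,eax / ret 4" (33C0 C20400) so a
// call to it returns 0.  An unresolved export is skipped here, not
// treated as fatal.
gpa "DebugActiveProcess","kernel32.dll"
cmp $RESULT,0
je NOT_WINDOWS_XP
mov [$RESULT],#33C0C20400#
NOT_WINDOWS_XP:

//------- ReadProcessMemory trick for detecting tools -------
// Same stub with "ret 14" (five dword arguments): the call reports
// failure.  This export must resolve; otherwise abort.
gpa "ReadProcessMemory","kernel32.dll"
cmp $RESULT,0
je ERROR
mov [$RESULT],#33C0C21400#

//------------------ Let's find EP2 -------------------------
// Break on the "ret 4" (C20400) inside GetModuleHandleA and resume
// until the return value (eax) is 00400000.  The instruction after
// that return is inside the protector; EP2 is taken 3E bytes before
// it (fixed layout of this ActiveMARK build).
gpa "GetModuleHandleA","kernel32.dll"
cmp $RESULT,0
je ERROR
mov addr,$RESULT
findop addr,#C20400#
// findop can fail like find/gpa; never set a breakpoint at 0
cmp $RESULT,0
je ERROR
bp $RESULT
CHECK_HANDLE:
esto
cmp eax,00400000
jne CHECK_HANDLE
bc eip
sti
mov EP2,eip
sub EP2,3E

//--------------------- Let's find EP3 -----------------------
// Two "jmp dword ptr [imm32]" thunks (FF25 ?? ?? ?? 00) follow eip.
// The second search starts 6 bytes (one thunk length) past the first
// hit so the same thunk is not matched twice; EP3 is where the
// second thunk lands.
find eip,#FF25??????00#
cmp $RESULT,0
je ERROR
mov addr,$RESULT
add addr,6
find addr,#FF25??????00#
cmp $RESULT,0
je ERROR
bp $RESULT
esto
bc eip
sti
mov EP3,eip

//------------ Let's find EP4=OEP or stolen code -------------
// Single-step until the low byte of the opcode at eip is 60 (pushad).
FIND_PUSHAD:
sti
mov addr,[eip]
and addr,0FF
cmp addr,60
jne FIND_PUSHAD
// Execute the pushad, then arm a hardware read breakpoint on the
// stack slot it just wrote; the first read of it is the matching
// popad at the end of the protector's code.
sti
mov addr,esp
bphws addr,"r"
msg "ActiveMARK window will start now. Click 'Start Free Trial' link to continue script."
// Ignore hits while eip is in system space (above 70000000); the
// first hit below that is taken as EP4.
CHECK_EXCEPTION:
esto
cmp eip,70000000
ja CHECK_EXCEPTION
bphwc addr
mov EP4,eip
msg "If you are in the some AM section, in front of you is stolen code. Trace to find exact opcodes. Otherwise you are at OEP. Check log for some info."

//------------------- Log some info -----------------------
log "=================================================="
log " ActiveMARK™ 6.1 OEP SCRIPT"
log "=================================================="
log " "
log "Entry points of protection modules:"
log " "
log EP1
log EP2
log EP3
log " "
log "OEP or EP4 (stolen code):"
log " "
log EP4
ret

ERROR:
msg "Error in script! I couldn't find needed information."
ret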