/* =============================================================== ActiveMARK(TM) 6.x - OEP finder script (v0.2) for Windows XP =============================================================== */ var addr var EP1 var EP2 var EP3 var EP4 mov EP1,eip //------------- Hide from IsDebuggerPresent ----------------- dbh //------------- Debugging trick on Windows XP --------------- gpa "DebugActiveProcess","kernel32.dll" cmp $RESULT,0 je ERROR mov [$RESULT],#33C0C20400# //------- ReadProcessMemory trick for detecting tools ------- gpa "ReadProcessMemory","kernel32.dll" cmp $RESULT,0 je ERROR mov [$RESULT],#33C0C21400# //------------------ Let's find EP2 ------------------------- gpa "GetModuleHandleA","kernel32.dll" cmp $RESULT,0 je ERROR mov addr,$RESULT findop addr,#C20400# bp $RESULT CHECK_HANDLE: esto cmp eax,00400000 jne CHECK_HANDLE bc eip sti mov EP2,eip sub EP2,3E //--------------------- Let's find EP3 ----------------------- find eip,#FF25??????00# cmp $RESULT,0 je ERROR mov addr,$RESULT add addr,6 find addr,#FF25??????00# cmp $RESULT,0 je ERROR bp $RESULT esto bc eip sti mov EP3,eip //------------ Let's find EP4=OEP or stolen code ------------- FIND_PUSHAD: sti mov addr,[eip] and addr,0FF cmp addr,60 jne FIND_PUSHAD sti mov addr,esp bphws addr,"r" msg "ActiveMARK window will start now. Click 'Start Free Trial' link to continue script." CHECK_EXCEPTION: esto cmp eip,70000000 ja CHECK_EXCEPTION bphwc addr mov EP4,eip //--------- Patch GetTickCount (usefull for later) ----------- gpa "GetTickCount","kernel32.dll" mov [$RESULT],#33C033D2C3# msg "Script has finished. Check log for further instructions." //------------------- Log some info ----------------------- log "==================================================" log " ActiveMARK(TM) 6.1 OEP SCRIPT" log "==================================================" log " " log "Entry points of protection modules:" log " " log EP1 log EP2 log EP3 log " " log "EP4 is OEP or stolen code:" log " " log EP4 log " " log "You are at the EP4, ei. addres where is OEP or" log "stolen opcodes. Trace to find correct bytes." log "Suspend all threads except main thread before" log "going with IAT decrypting." ret ERROR: msg "Error in script! I couldn't find needed information." ret