/*
Target      : DotFix NiceProtect 3.x
Date        : 02.03.2009 - v1 public
Environment : Win XP SP3, OllyDbg v1.1, ODbgScript plugin v1.65.4
Author      : k11

Find VM start or OEP

Overview (derived from the commands below):
  1. Clear existing breakpoints and break on IsDebuggerPresent / FindWindowA.
  2. At the first two stops, run to the API's return and force EAX = 0.
  3. At the third stop, return to the caller and step into a call.
  4. Check a 5-byte signature at EIP, then locate a PUSH imm32 / RETN pair
     and follow it; the landing address gets a hardware execute breakpoint
     and the comment "VM Start".

Both byte signatures are fixed; the header names NiceProtect 3.x as the
target, so on any other build the script is expected to stop at "error".
Every failure path shows the same generic "Error" message.
*/

var temp                                // receives the address reached after the PUSH/RETN jump

//Clear Breakpoints
bc                                      // no address given: applies to all software breakpoints
BPHWC                                   // no address given: applies to all hardware breakpoints

//API IsDebuggerPresent
gpa "IsDebuggerPresent","kernel32.dll"  // resolved address is left in $RESULT
cmp $RESULT,0
je error                                // 0 = export could not be resolved
bp $RESULT

//API FindWindowA
gpa "FindWindowA","user32.dll"
cmp $RESULT,0
je error                                // NOTE(review): the IsDebuggerPresent breakpoint stays set on this path
bp $RESULT

erun                                    // run the target until the first breakpoint hit

//Disable Anti-Debug IsDebuggerPresent
// NOTE(review): the script never checks which of the two APIs was hit; it
// relies on hit order. Both stops get the same patch, so only the labels
// depend on that order.
rtr                                     // run to the API's return
mov eax, 0                              // returned value becomes 0 (FALSE: no debugger reported)
erun

//Disable Anti-Debug FindWindow
rtr
mov eax, 0                              // returned value becomes 0 (NULL: no window found)
erun                                    // third stop; presumably another hit on one of the two API
                                        // breakpoints - not verified by the script, and EAX is not
                                        // patched this time

bc                                      // drop the API breakpoints again

rtr //execute till return
sto                                     // three single steps (step over) ...
sto
sto
sti //step into call

//Right place?
// Signature 60 50 51 74 05 = PUSHAD / PUSH EAX / PUSH ECX / JE short +5.
// It has to start exactly at EIP, otherwise the stepping above ended up
// somewhere unexpected and the script gives up.
find eip, #6050517405#
cmp $RESULT, 0
je error                                // pattern not found at all
cmp $RESULT, eip
jne error                               // pattern found, but not at the current instruction

//Find the jump to LOOP
// 68 xx xx xx xx C3: PUSH imm32 followed by RETN. "??" are wildcard bytes,
// so the first match searching from EIP is taken as the jump.
find eip, #68????????C3# // PUSH + RETN = JMP
cmp $RESULT, 0
je error
bp $RESULT
erun                                    // run until the PUSH is reached
bc $RESULT                              // NOTE(review): assumes erun leaves $RESULT unchanged - confirm
sto                                     // step over the PUSH
sto                                     // step over the RETN; EIP should now be the pushed address
mov temp, eip
bphws temp, "x" //set HW BP
cmt temp, "VM Start"
jmp success

// Shared failure exit: API not resolved, or a signature did not match.
error:
MSG "Error"
ret

success:
MSG "Found VM Start or OEP"
ret