/* ================================================================================= Obsidium 1.2.5.0 - OEP finder script , haggar BIW reversing ================================================================================= */ var RemoteDebugger var IsDebugger var UnhandledException var FindWindow var counter var opcode msg "Ignore ALL exceptions EXCEPT 'Intiger division by 0' in Olly options!!!" //---------------------------- Placing breakpoints ------------------------------ gpa "CheckRemoteDebuggerPresent","kernel32.dll" findop $RESULT,#c20800# mov RemoteDebugger,$RESULT gpa "UnhandledExceptionFilter","kernel32.dll" find $RESULT,#50ff15????????85c00f8c# mov UnhandledException,$RESULT gpa "FindWindowA","user32.dll" findop $RESULT,#c20800# mov FindWindow,$RESULT gpa "IsDebuggerPresent","kernel32.dll" findop $RESULT,#c3# mov IsDebugger,$RESULT bp RemoteDebugger bp IsDebugger bp UnhandledException bp FindWindow //------------------------- Finding last exception ------------------------- mov counter,0 //11(0b) is what I want. GO_FREAKY: esto cmp eip,RemoteDebugger jne NEXT_01 mov eax,0 jmp GO_FREAKY NEXT_01: cmp eip,IsDebugger jne NEXT_02 mov eax,0 jmp GO_FREAKY NEXT_02: cmp eip,UnhandledException jne NEXT_03 mov eax,0 jmp GO_FREAKY NEXT_03: cmp eip,FindWindow jne NEXT_04 mov eax,0 jmp GO_FREAKY NEXT_04: mov opcode,[eip] and opcode,0FFFF cmp opcode,0F0F7 jne GO_FREAKY add counter,1 cmp counter,0B jne GO_FREAKY //---------------------- Finding jump to OEP ------------------------- find eip,#00000000000000000000000000000000E8??000000# cmp $RESULT,0 je ERROR add $RESULT,10 bp $RESULT esto bc eip sti find eip,#0F85????FFFF# cmp $RESULT,0 je ERROR bp $RESULT esto bc eip find eip,#C3# cmp $RESULT,0 je ERROR bp $RESULT esto bc eip sti findop eip,#FFE7# cmp $RESULT,0 je ERROR bphws $RESULT,"x" esto bphwc eip sti sti sti sti sti sti sti sti sti sti sti sti sti sti sti an eip cmt eip,"<--- False OEP is found!" ret ERROR: msg "Some error occured in script. Exiting..." ret