Wednesday, July 22, 2009

Ollyscript Tutorial - Unpack UPX

This is the simplest Ollyscript tutorial, demonstrating how to write an OllyDbg script.

var hwdBP                  // Local variable to store the hardware breakpoint address
var softBP                 // Local variable to store the software breakpoint address
sti                        // Step into (F7) the first instruction of the UPX stub (the PUSHAD)
findop eip, #61#           // Find the next POPAD (opcode 61), which ends the unpacking loop
mov hwdBP, $RESULT         // Store $RESULT in the hardware breakpoint variable
bphws hwdBP, "x"           // Set a hardware breakpoint (on execute) on that POPAD
run                        // Run (F9) until the hardware breakpoint hits
bphwc hwdBP                // Clear the hardware breakpoint now that it has served its purpose
findop eip, #E9????????#   // Find the next JMP rel32 (E9 xx xx xx xx), the tail jump to the OEP
mov softBP, $RESULT        // Store $RESULT in the software breakpoint variable
bp softBP                  // Set a software breakpoint on that JMP
run                        // Run (F9) to the JMP instruction
bc softBP                  // Clear the software breakpoint
sti                        // Step into the JMP; EIP is now the OEP
cmt eip, "<<>>"            // Mark the OEP with a comment in the disassembly
msg "OEP found, you can dump the file starting from this address"
ret
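The two findop searches and the final sti boil down to a check that can also be made statically on the stub bytes. As an added Python example (not part of the original post, and not OllyScript), this locates the POPAD, then the tail JMP rel32 after it, and computes the jump target that the script lands on after sti; the sample stub bytes, the 0x415000 load address and the 0x401000 OEP are constructed values.

```python
import struct

POPAD = 0x61      # opcode the script's first findop searches for (#61#)
JMP_REL32 = 0xE9  # opcode of the tail jump the second findop searches for (#E9????????#)

def find_upx_oep(stub: bytes, base: int):
    """Static counterpart of the OllyScript above.

    Locate the first POPAD after the stub entry, then the first JMP rel32
    after it (UPX's tail jump), and resolve that jump's target: the OEP.
    Returns (popad_va, jmp_va, oep) or None. Caveat: findop disassembles,
    whereas this is a raw byte scan, so a 0x61 or 0xE9 inside an operand
    could produce a false match on other stubs.
    """
    popad = stub.find(bytes([POPAD]), 1)               # skip the PUSHAD at offset 0
    if popad < 0:
        return None
    jmp = stub.find(bytes([JMP_REL32]), popad + 1)
    if jmp < 0 or jmp + 5 > len(stub):                 # need E9 plus a full 4-byte displacement
        return None
    rel32 = struct.unpack_from("<i", stub, jmp + 1)[0]  # signed little-endian displacement
    oep = base + jmp + 5 + rel32                        # target = address of next instruction + rel32
    return base + popad, base + jmp, oep

# Constructed sample, not bytes taken from a real binary: a shortened UPX-style
# stub loaded at 0x415000 whose tail jump goes to an OEP of 0x401000.
STUB_BASE = 0x00415000
SAMPLE_STUB = bytes.fromhex(
    "60"            # PUSHAD
    "BE00104000"    # MOV ESI, 0x401000
    "8A06"          # MOV AL, [ESI]      (stand-in for the decompression loop)
    "46"            # INC ESI
    "8807"          # MOV [EDI], AL
    "47"            # INC EDI
    "61"            # POPAD              <- first findop stops here
    "8D442480"      # LEA EAX, [ESP-0x80]
    "6A00"          # PUSH 0
    "39C4"          # CMP ESP, EAX
    "75FA"          # JNZ (back to PUSH 0)
    "83EC80"        # SUB ESP, -0x80
    "E9E1BFFEFF"    # JMP 0x401000       <- second findop stops here (rel32 = -0x1401F)
)

if __name__ == "__main__":
    popad_va, jmp_va, oep = find_upx_oep(SAMPLE_STUB, STUB_BASE)
    print(f"POPAD at {popad_va:#010x}, tail JMP at {jmp_va:#010x}, OEP = {oep:#010x}")
```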

Downloads:

Ollyscript Editor V2.0
Ollyscript Plugin V0.94 - ORIGINAL_README.txt - List of Ollyscript Commands by SHaG
ARTeam_eZine_Number2.rar - Page 36 - Writing OllyDbg Scripts, Buzifer of Team RESURRECTiON from ARTeam

Signing off
~x9090

Tuesday, July 21, 2009

Joke?Malware?

I found an interesting malware, but strictly speaking it is not really malware. Instead it plays a joke on the machine and does not lead to any harmful activities.

This is the latest scan result from Virscan.

[embedded video: Virscan scan result]

I managed to reverse it and produce the source code. The source code is attached.

Attachment: Joke.c

Have fun! ;)

Signing off
~x9090