diff --git a/Cenega_anti_antidebugger.txt b/Cenega_anti_antidebugger.txt
new file mode 100644
index 0000000..06a1247
--- /dev/null
+++ b/Cenega_anti_antidebugger.txt
@@ -0,0 +1,48 @@
+//////////////////////////////////////////////////
+// FileName : Cenega_anti_antidebugger.txt
+// Comment : Defeats Cenega anti-debugging checks
+// Author : Luca91 (Luca1991) - Luca D'Amico
+// Date : 2024-05-19
+// How to use : Load target exe and run this script.
+//////////////////////////////////////////////////
+
+// start
+msg "Cenega anti antidebugger"
+run // run til the EntryPoint
+
+// clear breakpoints
+bc
+bphwc
+
+// defeats isDebuggerPresent and manual PEB checks
+$peb = peb()
+set $peb+0x2, #00#
+
+// find and hook NtQueryInformationProcess
+nqip_addr = ntdll.dll:NtQueryInformationProcess
+bp nqip_addr
+SetBreakpointCommand nqip_addr, "scriptcmd call check_nqip"
+erun
+ret
+
+check_nqip:
+cmp [esp+8], 7 // 0x7 == ProcessDebugPort
+je patch_process_information_buffer
+cmp [esp+8], 0x1E // 0x1E == ProcessDebugObjectHandle
+je patch_process_debug_object_handle
+erun
+ret
+
+patch_process_information_buffer:
+log "/!\ DEBUG CHECK FOUND (ProcessDebugPort): NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
+rtr
+set [esp+C], #00 00 00 00#
+erun
+ret
+
+patch_process_debug_object_handle:
+log "/!\ DEBUG CHECK FOUND (ProcessDebugObjectHandle): NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
+rtr
+set [esp+C], #00 00 00 00#
+erun
+ret
\ No newline at end of file
diff --git a/Enigma Version Finder X.XX_by luger b/Enigma Version Finder X.XX_by luger
new file mode 100644
index 0000000..385dd6c
--- /dev/null
+++ b/Enigma Version Finder X.XX_by luger
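Review bot: `patch_process_information_buffer` and `patch_process_debug_object_handle` are identical apart from the text in their `log` line, so any later change to the patch tail (`rtr` / `set [esp+C], …` / `erun` / `ret`) has to be made twice. One shared tail label that both `log` lines `jmp` to, or a single label that logs the class name from a variable set in `check_nqip`, would remove the duplication. A short comment on `set $peb+0x2, #00#` naming the field it clears, e.g. `// PEB.BeingDebugged`, would also let a reader tie the offset to the "isDebuggerPresent and manual PEB checks" comment above it without looking it up.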
@@ -0,0 +1,44 @@
+//////////////////////////////////////////////////////////
+// FileName : Enigma Version Finder 1.xx,2.xx,3.xx,4.xx,5.xx,6.xx
+// Comment : Enigma Protector uygulaması ile packlenmiş Exe'lerde versiyon arar.
+// Environment : x32dbg
+// Author : by luger
+// First_Date : 19.09.2021
+// Fix_Date : 21.09.2021
+// Version : 0.1
+//////////////////////////////////////////////////////////
+
+
+//msg "Enigma Version Finder x.xx by_luger"
+
+bpd //DisableBPX
+bphd //DisableHardwareBreakpoint
+bpmd //DisableMemoryBreakpoint
+
+//Yöntem1(Version 5.00 under)
+findallmem 0, #454E49474D41#
+cmp $result, 0
+je yontem2
+mov $bulundu, ref.addr(0)+6
+mov $ilk, ReadByte($bulundu)
+mov $son, ReadByte($bulundu+1)
+log "Enigma versiyonu: {$ilk}.{d:$son} ^_^"
+ret
+
+//Yöntem2(Version 5.00 over)
+yontem2:
+findallmem 0, #54414747#
+cmp $result, 0
+je hata
+findallmem 0, #01000000??00??00000000002600000001#
+cmp $result, 0
+je hata
+mov $bulundu2, ref.addr(0)+4
+mov $ilk2, ReadByte($bulundu2)
+mov $son2, ReadByte($bulundu2+2)
+log "Enigma versiyonu: {$ilk2}.{d:$son2} ^_^"
+ret
+
+hata:
+msg "Enigma koruması olmayabilir.Versiyon tespit edilemedi."
+ret
diff --git a/Safedisc_v1.x_anti_antidebugger.txt b/Safedisc_v1.x_anti_antidebugger.txt
new file mode 100644
index 0000000..a71440a
--- /dev/null
+++ b/Safedisc_v1.x_anti_antidebugger.txt
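Review bot: Both `log` lines print the major byte with the default format (`{$ilk}`, `{$ilk2}`) but the minor byte in decimal (`{d:$son}`, `{d:$son2}`), so the two halves of the version are rendered in different bases; `{d:$ilk}` and `{d:$ilk2}` would make the output consistent (for values 1–6 the two look the same, which is why it has not shown up). Both branches also take the first hit of a whole-address-space `findallmem 0, …` via `ref.addr(0)` without checking where it lies, so an unrelated occurrence of the bytes in another module would presumably be read as the version; checking the hit against the main module's range (e.g. `mod.base`) or limiting the scan to it would make that assumption explicit.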
@@ -0,0 +1,40 @@
+//////////////////////////////////////////////////
+// FileName : Safedisc_v1.x_anti_antidebugger.txt
+// Comment : Defeats Safedisc v1.x anti-debugging checks
+// Author : Luca91 (Luca1991) - Luca D'Amico
+// Date : 2022-02-01
+// How to use : Load GAME.EXE and run this script. Once ingame, you can attach a second instance of x32dbg to GAME.ICD.
+// Tested on Safedisc v1.06-v1.50
+//////////////////////////////////////////////////
+
+// start
+msg "Safedisc v1.x anti antidebugger"
+run // run til the EntryPoint
+
+// clear breakpoints
+bc
+bphwc
+
+// defeats isDebuggerPresent and manual PEB checks
+$peb = peb()
+set $peb+0x2, #00#
+
+// find and hook NtQueryInformationProcess
+nqip_addr = ntdll.dll:NtQueryInformationProcess
+bp nqip_addr
+SetBreakpointCommand nqip_addr, "scriptcmd call check_nqip"
+erun
+ret
+
+check_nqip:
+log "NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
+cmp [esp+8], 7 // 0x7 == ProcessDebugPort
+je patch_process_information_buffer
+erun
+ret
+
+patch_process_information_buffer:
+rtr
+set [esp+C], #00 00 00 00#
+erun
+ret
diff --git a/SecuROM_2-4_OEP_Finder.txt b/SecuROM_2-4_OEP_Finder.txt
new file mode 100644
index 0000000..f33517f
--- /dev/null
+++ b/SecuROM_2-4_OEP_Finder.txt
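Review bot: The `log` at the top of `check_nqip` runs before the `cmp [esp+8], 7` test, so every NtQueryInformationProcess call the target makes is written to the log, not only the ProcessDebugPort queries the script acts on. Moving the `log` under `patch_process_information_buffer`, as the Cenega script in this same commit does, keeps the log to the calls that were actually patched; if logging every call is intended as a trace, a one-line comment saying so would stop the next reader from moving it.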
@@ -0,0 +1,72 @@
+//////////////////////////////////////////////////
+// FileName : SecuROM_2-4_OEP_Finder.txt
+// Comment : SecuROM 2.91 - 4.x OEP Finder
+// Author : Luca91 (Luca1991) - Luca D'Amico
+// Date : 2023-04-23
+// How to use : First of all configure x32db to ignore all exceptions (this is important!).
+// Load your SecuROM 2-4 protected game and run this script. You will get to the OEP.
+//////////////////////////////////////////////////
+
+$driveChecked = 0
+
+
+run // run til the EntryPoint
+
+
+// clear breakpoints
+bc
+bphwc
+
+
+// find and hook WriteProcessMemory and GetDriveTypeA
+$writeProcessMemoryAddr = kernel32.dll:WriteProcessMemory
+bp $writeProcessMemoryAddr+0x2
+SetBreakpointCommand $writeProcessMemoryAddr+0x2, "scriptcmd call WriteProcessMemoryHook"
+$getDriveTypeAAddr = kernel32.dll:GetDriveTypeA
+bp $getDriveTypeAAddr+0x2
+SetBreakpointCommand $getDriveTypeAAddr+0x2, "scriptcmd call GetDriveTypeAHook"
+erun
+ret
+
+
+WriteProcessMemoryHook:
+cmp $driveChecked, 1
+jne WpmhContinue
+log "WriteProcessMemory({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
+$currentBufferAddr = [esp+C]
+$currentBufferSize = [esp+10]
+log "analyzing buffer located at {$currentBufferAddr} of size {$currentBufferSize}"
+find $currentBufferAddr, 558BEC6AFF, $currentBufferSize
+cmp $result, 0
+jne PatchBuffer
+WpmhContinue:
+erun
+ret
+
+
+GetDriveTypeAHook:
+$driveChecked = 1
+erun
+ret
+
+
+PatchBuffer:
+$oepAddressInBuffer = $result
+$oepAddr = [esp+8] + ($oepAddressInBuffer - $currentBufferAddr)
+msg "OEP = {$oepAddr}"
+set $oepAddressInBuffer, #EB FE#
+rtr
+bc
+bphwc
+bp $oepAddr
+SetBreakpointCommand $oepAddr, "scriptcmd call RestoreOepBytes"
+erun
+ret
+
+
+RestoreOepBytes:
+set eip, #55 8B#
+lbl eip,"OEP"
+bc
+bphwc
+ret
diff --git a/SecuROM_2.9-4.68_Semi-Automatic_Remover.txt b/SecuROM_2.9-4.68_Semi-Automatic_Remover.txt
new file mode 100644
index 0000000..f1ae7dd
--- /dev/null
+++ b/SecuROM_2.9-4.68_Semi-Automatic_Remover.txt
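Review bot: The breakpoints are set at `$writeProcessMemoryAddr+0x2` and `$getDriveTypeAAddr+0x2` with no comment on why the offset is 2; presumably it skips the 2-byte hot-patch `mov edi,edi` prologue of those kernel32 exports, and on a kernel32 build whose export does not begin with a 2-byte instruction the breakpoint would land mid-instruction, so a comment such as `// +0x2 skips the 2-byte hot-patch prologue; esp still points at the return address` would record the assumption that the `[esp+8]`/`[esp+C]`/`[esp+10]` reads in `WriteProcessMemoryHook` rely on. The pattern in `find $currentBufferAddr, 558BEC6AFF, $currentBufferSize` likewise deserves a comment naming it (`push ebp / mov ebp,esp / push -1`, a typical MSVC prologue) and noting that the first match inside the buffer is taken as the OEP. `RestoreOepBytes` writes `55 8B` back at `eip`, which is only correct because those are the first two bytes of the pattern that `PatchBuffer` overwrote with `EB FE`; a comment tying the two together would keep them from drifting if either constant is changed.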
@@ -0,0 +1,88 @@
+//////////////////////////////////////////////////
+// FileName : SecuROM_2.9-4.68_Semi-Automatic_Remover.txt
+// Comment : Remove SecuROM (2.9-4.68) Protection
+// Author : Luca91 (Luca1991) - Luca D'Amico
+// Date : 2023-11-04
+// How to use : 1) Before running this script make sure that you are at the OEP (EIP==OEP)!
+// You can use my "SecuROM_2-4_OEP_Finder" script to do this.
+// 2) Edit the CONFIG section of this script, filling in the IAT START/END VA.
+// Find these values manually, or use Scylla IAT Autosearch.
+// 3) Launch this script, then use Scylla to DUMP/FIX DUMP as usual.
+// Features : * Works form SecuROM 2.9 up to (and including) SecuROM 4.68.
+// * Uses chunking to avoid being detected by SecuROM 4.68 additional checks.
+// Limitations : * You have to provide IAT START/END VA
+// * This script will not remove SecuROM triggers if present!!!
+//////////////////////////////////////////////////
+
+
+///// CONFIG - PLEASE EDIT THIS SECTION /////
+$IAT_START = 0x0 // IAT START VA (eg. 0x4CC000)
+$IAT_END = 0x0 // IAT END VA (eg. 0x4CC218)
+/////////////////////////////////////////////
+
+$OEP = cip
+
+$SECUROM_PATTERN = 0
+
+///// FIND SECUROM API JUMP /////
+findallmem mem.base(cip), 5F5E5B8BE55DFFE05F5E5B8BE55DC3, -1, user
+cmp $result, 0
+je _securom_jmp_not_found
+$SECUROM_API_JMP = $SECUROM_API_JMP = ref.addr(0) + 0x6
+log "SECUROM API FOUND AT {$SECUROM_API_JMP}"
+bphws $SECUROM_API_JMP
+SetHardwareBreakpointSilent $SECUROM_API_JMP, 1
+SetHardwareBreakpointFastResume $SECUROM_API_JMP, 1
+/////////////////////////////////
+
+///// FIND ALL SECUROM CALLS PATTERN /////
+find $OEP, FF15????????
+$SECUROM_PATTERN = bswap([$result+0x2])
+findall mem.base(cip), FF15{$SECUROM_PATTERN}, mem.size(cip)
+//////////////////////////////////////////
+
+///// SETUP CHUNKS TO AVOID DETECTION /////
+$chunks = 6
+$chunk_size = ref.count()/$chunks
+$chunks_remainder = ref.count()%$chunks
+$current_chunk = 5
+//////////////////////////////////////////////////
+
+///// API FIXING /////
+_start:
+ $current_pattern = $current_chunk * $chunk_size
+ $current_chunk_stop = $current_pattern + $chunk_size + $chunks_remainder
+ $chunks_remainder = 0
+_start_fixing:
+ eip = ref.addr($current_pattern)
+ erun
+_iat_search:
+ $CURRENT_THUNK = $IAT_START
+_compare_thunk:
+ cmp 4:[$CURRENT_THUNK], eax
+ je _patch_api
+ add $CURRENT_THUNK, 4
+ cmp $CURRENT_THUNK, $IAT_END
+ jl _compare_thunk
+ msg "ERROR: THUNK NOT FOUND :("
+ ret
+_patch_api:
+ set [ref.addr($current_pattern)+0x2], $CURRENT_THUNK
+ inc $current_pattern
+ cmp $current_pattern, $current_chunk_stop
+ jne _start_fixing
+ log "CHUNK {$current_chunk} COMPLETED :)"
+ dec $current_chunk
+ cmp $current_chunk, 0xFFFFFFFF
+ jne _start
+ msgyn "COMPLETED :) Do you want to launch Scylla now?"
+ cmp 0,$result
+ je _noscylla
+ scylla
+_noscylla:
+ ret
+
+_securom_jmp_not_found:
+ msg "ERROR: SECUROM API JUMP NOT FOUND :("
+ ret
+//////////////////////
diff --git a/UPX X.XX OEP Finder.txt b/UPX X.XX OEP Finder.txt
index 2a24122..1932126 100644
--- a/UPX X.XX OEP Finder.txt
+++ b/UPX X.XX OEP Finder.txt
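Review bot: `$SECUROM_API_JMP = $SECUROM_API_JMP = ref.addr(0) + 0x6` assigns the variable twice on one line, which reads like a typo even if the expression parser accepts it; `$SECUROM_API_JMP = ref.addr(0) + 0x6` is what the `log` line below expects. The result of `find $OEP, FF15????????` is consumed by `bswap([$result+0x2])` without a `cmp $result, 0` check, so a miss reads from address 2 instead of reporting the problem, unlike the `findallmem` just above it, which does branch to `_securom_jmp_not_found`. The CONFIG defaults `$IAT_START = 0x0` / `$IAT_END = 0x0` are never validated either, so running the script unedited makes `_compare_thunk` read from address 0 and end in the generic "THUNK NOT FOUND" message; a guard such as `cmp $IAT_START, 0` / `je _config_error` with its own `msg` would point the user back at step 2 of the header. The loop exit `cmp $current_chunk, 0xFFFFFFFF` after `dec $current_chunk` relies on 32-bit wraparound, which holds under x32dbg (the script already assumes it by using `eax`/`eip`) but deserves a comment.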
@@ -6,27 +6,28 @@ //
 //
 ///////////////////////////////////////////
 // Prepared by: Blitzkrieg
-// Date : 6th July 2020
+// Date : 4th July 2023
 // Tested on :
 //
 // Release | Target
 // -----------------------------
 // | 64bit | 32bit
 // -----------------------------
-// 1.20 | EXE/DLL | EXE/DLL
+// 1.20 | - | EXE
+// 1.24 | - | EXE
 // 1.25 | - | EXE
-// 1.91 | - | EXE
-// 1.92 | - | EXE
-// 2.00 | - | EXE
-// 2.01 | - | EXE
-// 2.02 | EXE/DLL | EXE/DLL
-// 2.90 | - | EXE
-// 3.00 | - | EXE
-// 3.01 | - | EXE
-// 3.03 | - | EXE
-// 3.04 | - | EXE
-// 3.06 | EXE/DLL | EXE/DLL
+// 2.02 | - | EXE/DLL
+// 2.03 | - | EXE/DLL
+// 3.06 | - | EXE/DLL
+// 3.07 | - | EXE/DLL
+// 3.08 | - | EXE/DLL
+// 3.09 | - | EXE/DLL
+// 3.91 | - | EXE/DLL
+// 3.95 | EXE/DLL | EXE/DLL
 // 3.96 | EXE/DLL | EXE/DLL
+// 4.00 | EXE/DLL | EXE/DLL
+// 4.01 | EXE/DLL | EXE/DLL
+// 4.02 | EXE/DLL | EXE/DLL
 ///////////////////////////////////////////
 // Notes:
@@ -42,56 +43,40 @@ // won't delete your personal comments. /////////////////////////////////////////// -call StartAtEntryPoint +//START AT THE ENTRY POINT! + call DisableBreakpoints //Finding a long unconditional jump mov $address,cip -Negative: +notlongunconditionaljump: find $address+1,"E9" mov $address,$result -cmp mem.base(cip),dis.imm($address) //test for jump pointing to an address below base of the memory page -jb Negative -cmp mod.base(cip),dis.imm($address) //test for jump pointing to an address above base address of the module -ja Negative +cmp cip,dis.imm($address) //test for jump pointing to an address above CIP +jb notlongunconditionaljump +cmp mod.base(cip)+mem.size(mod.base(cip)),dis.imm($address) //test for jump pointing to an address below base address of the current module +ja notlongunconditionaljump bp $address -lbl $address,"First Pattern" -log "First Pattern found at: {0}",$address erun bc cip sti //Halting at OEP -lbl cip,"OEP Found :)" -log "OEP for UPX found at: {0}",cip +cmt cip,"OEP Found :)" +log "OEP for UPX found at: {a:cip}" guiupdateenable -d +d cip -//call TimeToDump +call TimeToDump ret + /////////////////////////////////////////// // Tools // Prepared by: Blitzkrieg /////////////////////////////////////////// -//Makes sure that you start at the Entry Point automatically -StartAtEntryPoint: -config Events,EntryBreakpoint,1 -NotYetInsideUserModule: -cmp 0,mod.party(cip) -je AlreadyInsideUserModule -erun -jmp NotYetInsideUserModule -AlreadyInsideUserModule: -cmp cip,mod.entry(cip) -je AtUserModuleEntryPoint -erun -jmp NotYetInsideUserModule -AtUserModuleEntryPoint: -ret - //Disables all kinds of breakpoints DisableBreakpoints: bd //use dbclear manually when error thrown here 
@@ -104,9 +89,9 @@ EnableLog //guiupdatedisable (for faster script execution) ret -//Calls a confirmation window for dumping target in Scylla +//Displays a confirmation window for dumping PE file with Scylla TimeToDump: -msgyn "Successfully found OEP! Wanna use Scylla to dump the target?" +msgyn "Successfully found OEP! Wanna use Scylla to dump the PE file?" cmp 0,$result je noscylla scylla