"""
DiabloHorn http://diablohorn.wordpress.com
Educational purposes only.
- learn about Immunity Debugger scripting
- learn about function recognition
"""
- __VERSION__ = "0.1"
- import immlib
- from librecognition import *
# main() is the entry point Immunity Debugger invokes when this script is loaded
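# Upper bound on single-steps taken after a call before giving up.  The original
# loop ran unbounded and only exited on the first conditional jump; if the return
# path never reaches a Jcc (or the process terminates) it would spin forever.
MAX_STEPS_AFTER_CALL = 2000


def main():
    """Locate KeygenMe's serial routine and arm breakpoints on the Jcc after each call to it.

    Invoked by Immunity Debugger when the script is loaded.  Steps:

    1. Heuristically search the loaded module for a function matching
       ``KeygenMe.serial_calc`` (``searchFunctionByName``, match threshold 75).
       Exactly one hit is required; zero or several hits abort with a log
       message so the analyst can take over manually.
    2. Find every ``CALL`` to that address, run the debuggee up to each call
       site, step over it and stop at the first conditional jump that follows --
       that Jxx is the instruction a patch would flip, so a breakpoint is set
       on it.
    3. Restart the process silently; the breakpoints persist and the user then
       runs the application normally.

    Returns:
        None.  All output goes to the debugger log.

    NOTE(review): ``imd.Run`` executes the target binary.  Only run this against
    a sample you are willing to execute, inside an isolated analysis VM.
    """
    imd = immlib.Debugger()  # handle on the running debugger instance
    imd.Log("%s" % "Started KeygenMe Universal Patch Prepare")

    # Heuristic function-recognition search; 75 is the minimum match score.
    found = imd.searchFunctionByName("KeygenMe.serial_calc", 75, "KeygenMe")
    lfound = len(found)
    if lfound == 0:
        imd.Log("No matching function found")
        return
    imd.Log("Amount of matching functions: %i" % lfound)
    if lfound != 1:
        # Was imd.log() (lowercase) in the original -- every other call site
        # in this script uses Log(), so keep the casing consistent.
        imd.Log("Too much functions found, manual assistance needed")
        return

    # Exactly one match survives the checks above; the loop form is kept so the
    # (address, heuristic-score) tuples are unpacked uniformly.
    for off, _heur in found:
        imd.Log("Found Function at: %08X" % off)
        srchstr = "CALL %08X" % off
        imd.Log("Searching references using string: " + srchstr)
        calls = imd.searchCommands(srchstr)
        expected = "CALL KeygenMe.%08X" % off
        for call in calls:
            result = imd.disasm(call[0])
            # searchCommands may return lookalike hits; keep only exact calls
            # to the recognised function.
            if result.result != expected:
                continue
            imd.Log("Found %s at 0x%X (%s)" % (result.result, call[0], call[2]),
                    address=call[0], focus=1)
            if not _arm_first_jcc(imd, call[0], MAX_STEPS_AFTER_CALL):
                imd.Log("No conditional jump within %d steps after call at 0x%X; "
                        "no breakpoint set for it" % (MAX_STEPS_AFTER_CALL, call[0]))

    # Placement assumed from the original (indentation was lost in the paste):
    # restart once, after all call sites are processed.  -2 = silent restart.
    imd.restartProcess(-2)
    imd.Log("Go ahead run the app, it will automatically break on the correct Jxx opcodes.")


def _arm_first_jcc(imd, call_addr, max_steps):
    """Run to ``call_addr``, step past the call and set a breakpoint on the first Jcc.

    Args:
        imd: the ``immlib.Debugger`` instance.
        call_addr: address of the CALL to the recognised function.
        max_steps: maximum number of step-overs before giving up.

    Returns:
        True if a conditional jump was reached and a breakpoint was set on it,
        False if ``max_steps`` were exhausted first.
    """
    imd.Run(call_addr)
    # Run() leaves a breakpoint at the stop address; remove it so the user's
    # later run only stops on the Jcc breakpoints planted below.
    imd.deleteBreakpoint(imd.getCurrentAddress())
    for _ in range(max_steps):
        imd.stepOver()
        curaddr = imd.getCurrentAddress()
        # The original mixed disasm() and Disasm(); use the lowercase form the
        # rest of the script already relies on -- verify against your immlib.
        opcode = imd.disasm(curaddr)
        # First comparison/branch after the call is the patch candidate.
        if opcode.isConditionalJmp():
            imd.setBreakpoint(curaddr)
            return True
    return False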
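if __name__ == "__main__":
    # Direct execution is a usage error: main() needs the immlib Debugger
    # instance that only exists inside Immunity Debugger.  The original used a
    # Python 2 print statement; the parenthesised form prints the same line on
    # Python 2 and also lets the file parse under Python 3.
    print("This file is only intended to be loaded by Immunity Debugger")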