  1. """
  2.    DiabloHorn http://diablohorn.wordpress.com
  3.    Educational purposes only.
  4.    - learn about immunitydebugger scripting
  5.    - learn about function recognition
  6. """
__VERSION__ = "0.1"  # version of this script
  8.  
  9. import immlib
  10. from librecognition import *
  11.  
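# Upper bound on stepOver() calls after one CALL. The original loop had no bound, so a
# trace that never reaches a conditional jump would spin the debugger forever.
_MAX_STEPS = 10000


def _first_jcc_after(imd, call_addr, max_steps=_MAX_STEPS):
    """Run to *call_addr*, then step over instructions until a conditional jump is reached.

    Args:
        imd: the immlib.Debugger instance to drive.
        call_addr: address of the CALL instruction to run to before stepping.
        max_steps: maximum number of stepOver() calls before giving up.

    Returns:
        The address of the first conditional jump reached after the call, or
        None if none was reached within *max_steps* steps.
    """
    imd.Run(call_addr)
    # .Run() leaves a breakpoint at the destination; remove it so it does not fire again later
    imd.deleteBreakpoint(imd.getCurrentAddress())
    for _ in range(max_steps):
        imd.stepOver()
        curaddr = imd.getCurrentAddress()
        if imd.Disasm(curaddr).isConditionalJmp():
            return curaddr
    return None


# main called by debugger
def main():
    """Locate the protection function and break on the first Jcc after each call to it.

    Flow: find ``KeygenMe.serial_calc`` through librecognition's heuristic search,
    list every ``CALL <address>`` that targets it, run to each call, step until the
    first conditional jump, set a breakpoint there, and finally restart the process
    silently so the next run stops on those breakpoints.

    Returns None; all output goes to the debugger log.
    """
    imd = immlib.Debugger()  # create debugger instance
    imd.Log("Started KeygenMe Universal Patch Prepare")
    # NOTE(review): 75 is presumably the heuristic match threshold for librecognition - confirm
    found = imd.searchFunctionByName("KeygenMe.serial_calc", 75, "KeygenMe")
    lfound = len(found)
    if lfound == 0:
        imd.Log("No matching function found")
        return
    imd.Log("Amount of matching functions: %i" % lfound)

    if lfound != 1:
        # was imd.log(): the rest of the script uses Log(); the lowercase name is
        # inconsistent and raises AttributeError unless immlib happens to alias it
        imd.Log("Too much functions found, manual assistance needed")
        return

    # due to previous check we are sure it's 1 match only
    for off, _heur in found:
        imd.Log("Found Function at: %08X" % off)
        # so we found the function by now, let's find the CALL references to it
        srchstr = "CALL %08X" % off
        imd.Log("Searching references using string: " + srchstr)
        calls = imd.searchCommands(srchstr)
        for call in calls:
            result = imd.disasm(call[0])
            # searchCommands matches text; keep only direct calls to the found function
            if result.result != "CALL KeygenMe.%08X" % off:
                continue
            # call[2] is presumably the comment column of the search hit - confirm
            imd.Log("Found %s at 0x%X (%s)" % (result.result, call[0], call[2]), address=call[0], focus=1)
            # here we search for the first comparison after the call to the protection function
            jcc = _first_jcc_after(imd, call[0])
            if jcc is None:
                imd.Log("No conditional jump within %i steps after 0x%X, skipping" % (_MAX_STEPS, call[0]))
                continue
            # set a breakpoint on the opcode that needs to be patched
            imd.setBreakpoint(jcc)
        imd.restartProcess(-2)  # make sure it's a silent restart
        imd.Log("Go ahead run the app, it will automatically break on the correct Jxx opcodes.")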
  53.                
  54.    
  55.    
if __name__ == "__main__":
    # Guard against running the file directly: it only works when loaded by Immunity
    # Debugger, which provides immlib and calls main() itself. The parenthesised print
    # produces the same output under Python 2 (the debugger's runtime) and is valid on 3.
    print("This file is only intended to be loaded by Immunity Debugger")