Tuts 4 You

xSRTsect's Blog


Immdbg - scripting

xSRTsect


This good debugger has been available for download from Immunity's homepage for a while now. It has a lot of improvements over its older brother, odbgr. One of them is the ability to write scripts in Python through an integrated interface, which completely supersedes the obsolete odbgr scripting. It has endless potential, and I advise you to look elsewhere for more information on the use of immdbg's integrated APIs. Today I am posting a small script I coded to unpack UPX code. Keep in mind that no IAT reconstruction will be performed, as this is merely an illustrative script that may help you get started coding scripts for Immunity if you are interested.

```python
__VERSION__ = '1.0'

import immlib

imm = immlib.Debugger()  # init debugger


# main
def main(args):
    imm.log("Started search for jmp at oep...")
    imm.updateLog()

    regtable = imm.getRegs()  # register table (dict keyed by register name)
    patt = "\x00\x00\x00\x00\x00\x00\x00\x00"  # UPX target pattern: 8 null bytes
    count = 0
    eip_curr = regtable["EIP"]  # retrieves current EP

    # Scan up to 768 bytes forward from EIP for the 8-byte pattern.
    while count < 768:
        mem = imm.readMemory(eip_curr + count, 8)
        if mem == patt:
            imm.log("match: %08x" % (eip_curr + count))
            break
        count = count + 1

    # Loop ended without a match inside the search window.
    if mem != patt:
        imm.log("No pattern found: YOU NEED TO BE AT OEP!")
        return "failure"

    # The jmp sits in the 5 bytes immediately before the pattern:
    # break on it, run to it, then step in to follow it.
    imm.setBreakpoint(eip_curr + count - 5)
    imm.run()
    imm.stepIn()
    imm.log("code ep successfully found")
    return "success"
```

Check the help file for the list of all Immunity APIs. Keep in mind that this list does not describe the behaviour of the APIs; it just lists them. Also, the unpacker seems to be working fine; report otherwise.
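The same search can be run offline on bytes dumped from the entry point. This is an added example, not code from the original post; it goes one step beyond the script by checking that the 5 bytes before the padding really are a near jmp (opcode E9, which the script's `- 5` implies but never verifies) and decoding its target. The function name, the base address and the sample bytes are constructed for illustration.

```python
import struct

PATTERN = b"\x00" * 8   # the 8 null bytes the script searches for
WINDOW = 768            # same search window as the script
JMP_LEN = 5             # E9 + rel32, hence the "- 5" in the script


def find_tail_jump(code, base):
    """Return (jmp_address, jmp_target) or None.

    code: bytes read starting at the current EIP
    base: virtual address of code[0]
    """
    # Only accept matches that start at offsets 0..WINDOW-1, like the loop.
    off = code.find(PATTERN, 0, WINDOW + len(PATTERN) - 1)
    if off < JMP_LEN:
        return None     # not found (-1), or no room for a jmp before it
    jmp_off = off - JMP_LEN
    # If the displacement ends in zero bytes, the first run of 8 nulls
    # starts inside the jmp itself and "match - 5" lands on the wrong
    # instruction. Checking the opcode catches that case.
    if code[jmp_off:jmp_off + 1] != b"\xe9":
        return None
    rel32 = struct.unpack("<i", code[jmp_off + 1:off])[0]
    jmp_addr = base + jmp_off
    # A near jmp is relative to the address of the next instruction.
    target = (jmp_addr + JMP_LEN + rel32) & 0xFFFFFFFF
    return jmp_addr, target


# Constructed sample: filler bytes, a backward jmp, then zero padding.
SAMPLE_BASE = 0x00407000
SAMPLE = (b"\x61" + b"\x90" * 10 +
          b"\xe9" + struct.pack("<i", -0x6010) +
          b"\x00" * 16)

if __name__ == "__main__":
    hit = find_tail_jump(SAMPLE, SAMPLE_BASE)
    print("jmp at %08x -> %08x" % hit if hit else "no tail jump found")
```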
