It has been a while since this good debugger is available for download at immunity's homepage. Such debugger has a lot of improvements over his older brother - odbgr. One of such improvements is the ability of coding scripts on python integrated interface that runs over completely the obsolete odbgr scripting. It has got endless potential and I advice you to look elsewhere for more information on the use of immdbg's integrated APIs. Today I am posting a small script I coded to unpack upx code - keep in mind that no iat reconstruction will be preformed as this is merely an ilustrative script that may help you to get started at coding scripts over immunity if you feel interested.
__VERSION__ = '1.0'import immlib import getoptimport immutilsfrom immutils import *imm = immlib.Debugger() #init debugger#functions#maindef main(args): imm.log("Started search for jmp at oep...") imm.updateLog() regtable = imm.getRegs() # gets all register table-like patt = "\x00\x00\x00\x00\x00\x00\x00\x00" #UPX-Target pattern count = 0 eip_curr = regtable["EIP"] #retrives current ep while (count < 768): mem = imm.readMemory(eip_curr+count, 8) if (mem == patt): imm.log("match: %08x" % (eip_curr+count)) break count = count + 1 if (mem != patt): imm.log( "No pattern found: YOU NEED TO BE AT OEP!" ) return "failure" imm.setBreakpoint(eip_curr+count-5) imm.run() imm.stepIn() imm.log( "code ep sucessfully found" ) return "success"
Check the help file for the list of all Immunity API, keep in mind that this list does not describe the behaviour of the APIs - it just lists them. Also the unpacker seems to be working fine - report otherwise