cypher Posted March 13, 2014 (edited)

Hey folks, here comes something not very new but polished up (the DLL has existed since 2009 but now it's usable with the TitanEngine Community Edition).

What is TitanScript:
TS is a plugin for the TitanEngine debugging framework. It completely implements the famous OllyDbgScript language and even enhances it with TitanEngine commands for things like IAT AutoSearch, fixing etc. Basically this means you can load and run your beloved OllyDbgScripts with TitanEngine without rewriting them (well ok, a few minor tweaks might be necessary). It supports OllyDbgScript up to version 1.77. We might bump that to 1.83 but with no ETA.

How to "install":
- Grab the TitanEngine DLL here: https://bitbucket.org/mrexodia/titanengine-update/downloads
- Grab the TitanScript DLL + GUI here: https://bitbucket.org/cypherpunk/titanscript-update/downloads
- put TitanScript.dll in plugins/x86/TitanScript.dll
- put disasm.dll (the one from Olly) where TitanEngine.dll is

How to use:
- Load target.exe and script.txt / script.osc and click RUN

Example script (#log enables logging of every command, otherwise only the "LOG" command logs things):

```
#log
GPA "IsDebuggerPresent", "kernel32.dll"
LOG $RESULT
```

Please test it with some scripts. Start with basic ones. Report bugs along with your script and help us improve TitanScript!

PS: See the TitanScript doc for more info about available commands (page 14 to end of TitanMist.pdf).

Edited March 18, 2014 by cypher
GIV Posted March 13, 2014

That is great news. Olly2 for example lacks the script support which IMHO is a major drawback.
mrexodia Posted March 13, 2014 (edited)

For testing I created an automatic unpacker for MPRESS x64. Attached an unpackme + script + complete working environment.

Greetings, Mr. eXoDia

MPRESSx64Unpacker.rar

Edited March 13, 2014 by Mr. eXoDia
mrexodia Posted March 13, 2014

@besoeso: x64_dbg has its own scripting language. It's stable, but requires some additional commands.
LCF-AT Posted March 13, 2014

Hi, hmmm looks nice on the first view. The problem at the moment is to handle commands which are working for ODBGScript but not for TitanScript.

```
#log
var GMHA
var BASE
gpa "GetModuleHandleA", "kernel32.dll"
mov GMHA, $RESULT
exec
push 0
call {GMHA}
ende
mov BASE, eax
log BASE
ret
```

Why is this not working? It only logs till the exec command and then the app just runs. Also I don't understand why the Titan author has not used the original OllyScript commands 1:1. Ok I will test more. By the way, if I press copy log then I get an error...

```
Microsoft Visual C++ Debug Library
Debug Error!
Run Time Check Failure #2 Stack around the variable "buf" was corrupted.
```

greetz
cypher Posted March 13, 2014 Author

Redownload the GUI, I fixed a memory error but there was already 1 download, probably by you. Concerning the script, I will have a look at it. What do you mean by "not used the original OllyScript commands 1:1"? They are all available and mapped to TE.
mrexodia Posted March 13, 2014

@LCF-AT: The exec command indeed directly runs the target. And no, TitanScript is not 100% equal to ODBGScript, but similar enough to learn quickly when you know how ODBGScript works. TitanScript also contains 90% of all TitanEngine functions, meaning it's much more powerful compared to ODBGScript.

Greetings, Mr. eXoDia
LCF-AT Posted March 13, 2014

Ok I will check your new GUI. So the problem is that I don't know at the moment which commands are not supported originally, so I did not study the TitanScript file so far and have just made this short test with the exec / ende commands, which are important for me to use, but eXoDia said now that this command executes the exe itself. How to use it now?

```
gpa "GetModuleHandleA", "kernel32.dll"
mov GMHA, $RESULT
exec
push 0
call {GMHA}
ende
mov BASE, eax
log BASE
```

or

```
pause
exec
push 0
call GetModuleHandleA
ende
```

Both are working for OllyScript, and how to get it also working for TitanScript? Simple push + call {variable} or call the API directly?

@eXoDia Do you have any larger example scripts for anything? I just wanna see many different commands in action a little bit + the other features in combination with TitanEngine functions etc., so maybe you have some example script somewhere which I could read and check. Also you could explain to me a little bit what kind of advantage I have later if I would use TitanScript instead of OllyScript, and why no TitanScripts were written till now by somebody? Or are there already some TitanScripts which can unpack something from A - Z? What about AntiDebug stuff? So I tried to run a WL target from the TitanScript GUI but it does not run = pause & Debugging stopped. How to handle that problem now using the GUI instead of Olly + Hide plugins etc.? Maybe you both should create a MASTER GUI where the user can also control your TitanHide stuff (also via script commands etc. or something), or what do you think?

greetz
cypher Posted March 13, 2014 Author

All OllyDbgScript commands up to version 1.77 should be supported. If sth ain't working then it's a bug we need to address, like the exec thing. Exodia is doing a Hider plugin that works with this GUI. We mainly need TS for unit testing TE and did the GUI for you guys. Your testing helps us improve it so everybody wins. I will have a look at the exec bug later tonight.
cypher Posted March 13, 2014 Author (edited)

Advantage over ollydbg would be extra commands like auto IAT search and fix and a tiny GUI. There aren't any TitanScripts in the wild because TE was full of bugs and there wasn't an easy way to use TS. It was only used in TitanMist.

Edited March 14, 2014 by cypher
cypher Posted March 14, 2014 Author (edited)

@LCF-AT please try the attached TitanScript.dll with exec/ende.

TitanScript.rar

For me it works now (also tried your call {GMHA} test successfully):

```
#log
mov eax,1
log eax
exec
xor eax,eax
ende
log eax
mov eax,3
log eax
```

########################

```
--> mov eax,1
--> log eax
eax: 00000001
--> exec
Exception debug event @ 2C0002
Exception debug event @ 12C1376
--> ende
--> log eax
eax: 00000000
--> mov eax,3
--> log eax
eax: 00000003
Debugging stopped
```

Ignore the exception logs. That's probably sth we need to disable; they are internal exceptions which should be there. In case you wonder, logging of the actual exec commands is not possible because they are assembled to temp memory, jumped to and jumped back to the real eip. So exec to ende is not under script control.

Edited March 14, 2014 by cypher
LCF-AT Posted March 14, 2014

Hmmm no, does not work for me. I get only 4 lines logged with your small script.

```
--> mov eax,1
--> log eax
eax: 00000001
--> exec
```

That's all, and also the example file [notepad.exe of XP SP3] does start. If I now press the copy log button then I have this in the clipboard...

```
--> mov eax,1
--> log eax
eax: 00000001
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
....
```

Something seems to be wrong. What could be the problem? I also just copied the dll msvcr100d.dll into the same folder, as this dll was needed by your GUI.

```
msvcr100d.dll 10.00.21003.1 msvcr100d_clr0400.dll Microsoft® Visual Studio® 2010 Englisch (USA)
```

Is this dll version ok? Should not be the problem, or? The other files I did download from your links. So it seems to work till the exec command and after this no more. Maybe you can find the reason.

PS: I use XP SP3

greetz
Aguila Posted March 14, 2014 (edited)

@LCF-AT The GUI had some bugs, linking against msvcr100d.dll was a mistake. Here you have the fixed GUI. The TitanScript.dll however could still have bugs.

TitanScriptRelease.rar

Edited March 14, 2014 by Aguila
cypher Posted March 14, 2014 Author

@LCF-AT I tested on my Win7 32bit and XP 32bit. Works for me. What system do you have? Did you test on any other?
cypher Posted March 14, 2014 Author

Here's another test for UPX 3.x. For me it works. Directly dumps and fixes.

```
--> var diroep
--> var filename
--> var Dumped
--> cmp $VERSION, "1.47"
--> jb odbgver
--> find eip,#61#
--> cmp $RESULT,0
--> je Exit
--> mov diroep,$RESULT
--> bp diroep
--> run
--> bc diroep
--> find eip,#E9????????#
--> cmp $RESULT,0
--> je Exit
--> mov diroep,$RESULT
--> bp diroep
--> run
--> bc diroep
--> sto
--> an eip
--> dnf
Z:\__dev\titanengine-update\Release\x32\NOTEPAD_upx.unpacked.EXE
Dumping done!
IAT Start: 0x01001000
IAT Size: 0x344
Imports fixed!
--> msg "OEP reach and dumped and fixed"
--> StopDebug
--> ret
Debugging stopped
```

It was an OllyDbgScript to which I added the dnf and StopDebug special commands: dnf dumps and IAT-fixes, and StopDebug prevents the target from being executed after the script finished.

titanscript_upx-test.rar
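An added example script (not from this thread or the TitanScript project) that combines the GPA lookup from the first post with the bp/run flow and the StopDebug extension described above: it breaks on kernel32!IsDebuggerPresent and logs the return address of every caller, which is handy for locating anti-debug checks in a target before scripting around them. It assumes ODbgScript 1.77 semantics, i.e. `run` returns to the script when the breakpoint is hit; the variable names and the call limit are mine.

```ollyscript
// Added example: log who calls IsDebuggerPresent (assumes ODbgScript 1.77 bp/run behaviour)
#log
var ldp        // address of kernel32!IsDebuggerPresent
var caller     // return address on the stack at the time of the call
var hits       // number of calls seen so far

mov hits, 0
gpa "IsDebuggerPresent", "kernel32.dll"
cmp $RESULT, 0
je notfound
mov ldp, $RESULT
bp ldp

again:
run                       // target runs until it calls IsDebuggerPresent
mov caller, [esp]         // [esp] is the return address into the caller
eval "IsDebuggerPresent called from {caller}"
log $RESULT
inc hits
cmp hits, 8               // numbers are hex; stop after eight calls so a polling loop cannot run forever
jb again

bc ldp
msg "finished, see log"
StopDebug                 // TitanScript extension: do not let the target continue after ret
ret

notfound:
msg "IsDebuggerPresent not exported by kernel32.dll"
StopDebug
ret
```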
LCF-AT Posted March 14, 2014

Hi again, thanks for the new files. Ok so I have tested your 2 new versions and now your attached UPX set is working with your added script and UPX file. But the problem with exec / ende is still that the file just starts after executing these commands... why? Can you fix this? Also I see this....

```
#log
log eax
log ecx
pause
pause
```

....if I exe this small piece then the exe also runs afterwards... why this? So in the window it logs till the first pause command and then the file just runs. Is there any problem or do I do something wrong etc.?

greetz
cypher Posted March 14, 2014 Author

What OS are you testing exec on? For me it works under win7 32bit and xp 32bit on a 32bit cpu.
deepzero Posted March 15, 2014

@cypher the problem is not related to exec/ende, if you run this script:

```
pause
pause
```

the application runs afterwards, too. It looks like you resume the script from a callback that is executed when you hit a breakpoint. In addition to that, you don't appear to pause the debugger on breakpoints at all.
GIV Posted March 15, 2014

Make sure that you try to be compatible with most of the OdbgScript commands. I try to run a script of my own and get this error. If a single command from the script cannot be run, the whole script is unusable.
mrexodia Posted March 15, 2014 (edited)

@giv: 95% of the commands are supported. ifa is not even a real command, it's the same as 'ja' if I'm correct. If you really need TitanScript it's easy enough to make your script work.

edit: nevermind, it's not the same

greetings

Edited March 15, 2014 by Mr. eXoDia
Aguila Posted March 15, 2014

Here is a new release with more commands. The only missing commands are: ana, findoprev, inir, iniw, gstrw.

TitanScriptRelease.rar
GIV Posted March 15, 2014

The findoprev command I cannot make work on the original Olly plugin, even though I looked closely at the description in the documentation. Has anyone used this command in a script successfully?