Tuts 4 You

TitanScript

cypher

Hey folks,

here comes something not very new but polished up :P (the DLL has existed since 2009 but now it's usable with the TitanEngine Community Edition)


 


What is TitanScript:

TS is a plugin for the TitanEngine debugging framework. It completely implements the famous OllyDbgScript language and even enhances it with TitanEngine commands for things like IAT AutoSearch, fixing etc.

Basically this means you can load and run your beloved OllyDbgScripts with TitanEngine without rewriting them (well ok, a few minor tweaks might be necessary).

It supports OllyDbgScript up to version 1.77. We might bump that to 1.83 but with no ETA.


 


How to "install":

- Grab TitanEngine DLL here: https://bitbucket.org/mrexodia/titanengine-update/downloads
- Grab TitanScript DLL + GUI here: https://bitbucket.org/cypherpunk/titanscript-update/downloads
- Put TitanScript.dll in plugins/x86/TitanScript.dll
- Put disasm.dll (the one from Olly) where TitanEngine.dll is


 


How to use:

- Load target.exe and script.txt / script.osc and click RUN


 


Example script:

#log enables logging of every command. Otherwise only the "LOG" command logs things.

#log
GPA "IsDebuggerPresent", "kernel32.dll"
LOG $RESULT

Please test it with some scripts. Start with basic ones. Report bugs along with your script and help us improve TitanScript!


 


PS: See the TitanScript doc for more info about available commands (page 14 to the end of TitanMist.pdf).


Edited by cypher
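As an added illustration (not code from TitanScript, TitanEngine or anyone in this thread), here is a toy interpreter for the small OllyDbgScript subset that the example scripts in this thread use: #log, var, mov, gpa, log, cmp with je/jb/jmp to labels, and ret. The debugger backend is a constructed dictionary standing in for TitanEngine's export lookup (the address in it is made up), and, like the real engine as described further down, one unknown command aborts the whole script.

```python
# Constructed stand-in for TitanEngine's export lookup: (module, export) -> address (made up).
MOCK_EXPORTS = {("kernel32.dll", "isdebuggerpresent"): 0x7C813093}

class ScriptVM:
    def __init__(self):
        self.vars = {"$RESULT": 0, "eax": 0}   # script variables plus a fake eax register
        self.log = []                           # what the GUI's log window would show

    def value(self, tok):                       # operand: quoted string, variable, or hex literal
        if tok.startswith('"'):
            return tok.strip('"')
        return self.vars[tok] if tok in self.vars else int(tok, 16)

    def run(self, text):
        lines = [l.split("//")[0].strip() for l in text.splitlines()]
        log_all = bool(lines) and lines[0].lower() == "#log"     # '#log' echoes every command
        labels = {l[:-1].lower(): i for i, l in enumerate(lines) if l.endswith(":")}
        pc, flags = 0, (0, 0)
        while pc < len(lines):
            line = lines[pc]
            pc += 1
            if not line or line.endswith(":") or line.startswith("#"):
                continue
            if log_all:
                self.log.append("--> " + line)
            cmd, _, rest = line.partition(" ")
            cmd = cmd.lower()
            args = [a.strip() for a in rest.split(",")] if rest else []
            if cmd in ("var", "mov"):
                self.vars[args[0]] = self.value(args[1]) if cmd == "mov" else 0
            elif cmd == "gpa":                  # GetProcAddress lookup -> $RESULT (0 if unknown)
                key = (self.value(args[1]).lower(), self.value(args[0]).lower())
                self.vars["$RESULT"] = MOCK_EXPORTS.get(key, 0)
            elif cmd == "log":                  # same "name: 00000000" shape as the GUI log
                v = self.value(args[0])
                self.log.append(v if isinstance(v, str) else f"{args[0]}: {v:08X}")
            elif cmd == "cmp":
                flags = (self.value(args[0]), self.value(args[1]))
            elif cmd in ("je", "jb", "jmp"):
                taken = {"je": flags[0] == flags[1], "jb": flags[0] < flags[1], "jmp": True}[cmd]
                if taken:
                    pc = labels[args[0].lower()]
            elif cmd == "ret":
                break
            else:                               # one unsupported command aborts the whole script
                raise ValueError(f"unsupported command: {cmd}")
        return self.log
```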

For testing I created an automatic unpacker for MPRESS x64. Attached an unpackme + script + complete working environment.

Screenshot:


Greetings,

Mr. eXoDia

MPRESSx64Unpacker.rar

Edited by Mr. eXoDia

Hi,


 


hmmm looks nice on the first view. :) The problem at the moment is to handle commands which are working for ODBGScript but not for TitanScript.



#log
var GMHA
var BASE
gpa "GetModuleHandleA", "kernel32.dll"
mov GMHA, $RESULT
exec
push 0
call {GMHA}
ende
mov BASE, eax
log BASE
ret

Why is this not working? So it only logs till the exec command and then the app just runs. Also I don't understand why the Titan author has not used the original OllyScript commands 1:1. Ok I will test more.


 


By the way, if I press copy log then I get an error...



Microsoft Visual C++ Debug Library
Debug Error!
Run Time Check Failure #2 Stack around the variable "buf" was corrupted.

greetz



redownload the GUI, I fixed a memory error but there was already 1 download, probably by you :P


 


concerning the script, I will have a look at it.


 


What do you mean by "not used the original OllyScript commands 1:1"? They are all available and mapped to TE.


@LCF-AT: The exec command indeed directly runs the target. And no, TitanScript is not 100% equal to ODBGScript, but similar enough to learn quickly when you know how ODBGScript works. TitanScript also contains 90% of all TitanEngine functions, meaning it's much more powerful compared to ODBGScript.

Greetings,

Mr. eXoDia


Ok I will check your new GUI. :)


 


So the problem is that I don't know at the moment which commands are not supported originally, so I did not study the TitanScript file so far and have just made this short test with the exec / ende commands, which are important for me to use, but eXoDia said now that this command does execute the exe itself. How to use it now?



gpa "GetModuleHandleA", "kernel32.dll"
mov GMHA, $RESULT
exec
push 0
call {GMHA}
ende
mov BASE, eax
log BASE or pause
exec
push 0
call GetModuleHandleA
ende

Both are working for OllyScript, so how do I get them to also work for TitanScript? Simple push + call {variable} or call the API directly?


 


@ eXoDia


 


Do you have any larger example scripts for anything? Just wanna see many different commands in action a little bit + the other features in combination with TitanEngine functions etc, so maybe you have some example script somewhere which I could read and check. :) Also you could explain to me a little bit what kind of advantage I have later if I would use TitanScript instead of OllyScript and why no TitanScripts were written till now by somebody? Or are there already some TitanScripts which can unpack something from A - Z?


 


What about AntiDebug stuff? So I tried to run a WL target from the TitanScript GUI but it does not run = pause & Debugging stopped. How to handle that problem now using the GUI instead of Olly + Hide plugins etc? Maybe you both should create a MASTER GUI :) where the user can also control your TitanHide stuff (also via script commands etc or something) or what do you think?


 


greetz



All OllyDbgScript commands up to version 1.77 should be supported. If sth ain't working then it's a bug we need to address, like the exec thing.

Exodia is doing a Hider plugin that works with this GUI

We mainly need TS for unit testing TE and did the GUI for you guys.

Your testing helps us improve it so everybody wins

I will have a look at exec bug later tonight.


Advantage over ollydbg would be extra commands like auto iat search and fix and a tiny GUI.


 


There aren't any TitanScripts in the wild because TE was full of bugs and there wasn't an easy way to use TS. It was only used in TitanMist.


Edited by cypher

@LCF-AT please try attached TitanScript.dll with exec/ende TitanScript.rar

 

For me it works now (also tried your call {GMHA} test successfully)

 

#log
mov eax,1
log eax
exec
xor eax,eax
ende
log eax
mov eax,3
log eax

########################

--> mov eax,1
--> log eax
eax: 00000001
--> exec
Exception debug event @ 2C0002
Exception debug event @ 12C1376
--> ende
--> log eax
eax: 00000000
--> mov eax,3
--> log eax
eax: 00000003
Debugging stopped
 

 

Ignore the exception logs. That's probably sth we need to disable. They are internal exceptions which should be there. In case you wonder, logging of the actual exec commands is not possible because they are assembled to temp memory, jumped to and jumped back to the real eip. So exec to ende is not under script control.

Edited by cypher

Hmmm no does not work for me. :( I get only 4 lines logged with your small script.



--> mov eax,1
--> log eax
eax: 00000001
--> exec

That's all, and also the example file [notepad.exe of XP SP3] does start. If I now press the copy log button then I have this in the clipboard...



--> mov eax,1
--> log eax
eax: 00000001
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec
--> exec

....? Something seems to be wrong. What could be the problem? So I also just copied the dll msvcr100d.dll into the same folder, since this dll was needed by your GUI.



msvcr100d.dll
10.00.21003.1
msvcr100d_clr0400.dll
Microsoft® Visual Studio® 2010
Englisch (USA)

Is this dll version ok? It should not be the problem, or? The other files I did download from your links. So it seems to work till the exec command and after this not anymore. Maybe you can find the reason.


 


PS: I use XP SP3


 


greetz



Here's another test for UPX 3.x. For me it works: it directly dumps and fixes.

 

 

--> var diroep
--> var filename
--> var Dumped
--> cmp $VERSION, "1.47"
--> jb odbgver
--> find eip,#61#
--> cmp $RESULT,0
--> je Exit
--> mov diroep,$RESULT
--> bp diroep
--> run
--> bc diroep
--> find eip,#E9????????#
--> cmp $RESULT,0
--> je Exit
--> mov diroep,$RESULT
--> bp diroep
--> run
--> bc diroep
--> sto
--> an eip
--> dnf
Z:\__dev\titanengine-update\Release\x32\NOTEPAD_upx.unpacked.EXE
Dumping done!
IAT Start: 0x01001000
IAT Size: 0x344
Imports fixed!
--> msg "OEP reach and dumped and fixed"
--> StopDebug
--> ret
Debugging stopped
 

 

It was an OllyDbgScript to which I added the dnf and StopDebug special commands: dnf dumps and IAT-fixes, and StopDebug prevents the target from being executed after the script has finished.

 

titanscript_upx-test.rar


Hi again,


 


thanks for the new files. Ok so I have tested your new 2 versions and now your attached UPX set is working with your added script and UPX file. :) But the problem with exec / ende is still that the file just starts after executing these commands... why? Can you fix this?


 


Also I see this....



#log
log eax
log ecx
pause
pause

....if I execute this small piece then the exe also runs afterwards... why is this? So in the window it logs till the first pause command and then the file just runs. Is there any problem or am I doing something wrong etc?


 


greetz



@cypher

 

the problem is not related to exec/ende, if you run this script:

 

pause
pause

 

the application runs afterwards, too.

 

 

It looks like you resume the script from a callback that is executed when you hit a breakpoint. In addition to that, you don't appear to pause the debugger on breakpoints at all.


Make sure that you try to be compatible with most of OdbgScript commands.


I try to run a script of my own and get this error.


If a single command from the script cannot be run all script is unusable.



@giv: 95% of the commands are supported. ifa is not even a real command, it's the same as 'ja' if I'm correct. If you really need TitanScript it's easy enough to make your script work.

edit: nevermind, it's not the same :D

greetings

Edited by Mr. eXoDia

The findoprev command I cannot make work on the original Olly plugin even though I looked closely at the description in the documentation. Has anyone used this command in a script successfully?
