simple script fail

[Jhonjhon_123]

Hi,

I'm writing a simple script to search the OEP of MPRESS, something very basic. but not if I'm doing some wrong command, or a bug.
The problem is that in line 6 does not run correctly and does nothing, then the comment should be in the OEP is set to the jump just before going to the OEP

Image: http://i.imgur.com/izPmah3.jpg

// start
msg "MPRESS OEP Finder v1.0 By Jhonjhon_123"

// clear all bph
bc
bphc

// go
run
sti
bphws esp,rw
run
sti
cmt eip,"OEP; MPRESS OEP Finder v1.0 By Jhonjhon_123"

// end
ret

I attached the sample crackme which is not working.

I am using Windows XP SP3.

Thank you.

CrackeMeby°Designer Shoes°.zip

Edited November 27, 2015 by Jhonjhon_123

[SmilingWolf]

Always check your scripts for spelling mistakes.

Hint: bphwc

EDIT: nope, not that the problem, just checked the docs and x64dbg allows some more flexibility in the command names. Ook, back to the drawing board.

EDIT2: you are setting a breakpoint on a register with "bphws esp, rw", while you want to set a bphw on the location in memory that register points to (in the docs: Introduction -> Input -> memory locations). Moreover, the second argoment is wrong too: you have to specify EITHER "r" OR "w". Using the esp trick you essentially need to know when the data ESP was pointing to is being read, so the correct flag is "r".
Therefore, the correct command is "bphws [esp], r"

One last thing: when you reference a line in a description please either explicit its content, tell how you are counting the lines or include a copy of the script (or whatever document you are referring to) with prepended line numbers. From here at a quick glance at "line 6" I read "bphc" because I'm counting from the top and including comments and white lines.

Edited November 27, 2015 by SmilingWolf

[GIV]

// Mpress OEP - GIV
// giv@reversing.ro
// For OllyScript


bc
bphwc
bpmc

find eip, #E8#
bp $RESULT
erun
estep
bc
find eip, #E8??????00#
bp $RESULT
erun
bc
estep
findmem #AB61E9??????00#, 401000
bp $RESULT
erun
esti
esti
esti
cmt eip, "<-------This is the entry point - GIV"

Here is a OllyScript for your file:

 

 

[Jhonjhon_123]

@SmilingWolf I have corrected the spelling mistake, try to correct the line "bphws esp,rw" but changing "esp" with "[esp]" I came out this error:

Image: http://i.imgur.com/yUwaHsI.jpg

line works for me:

"bphws esp,r"

This is my code now works fine (only I have proven in this case):

01. // MPRESS OEP Finder v1.0 By Jhonjhon_123
02. // For x64dbg
03. // start
04. msg "MPRESS OEP Finder v1.0 By Jhonjhon_123"
05. 
06. // clear all bph
07. bphwc
08. 
09. // go
10. run
11. sti
12. bphws esp,r
13. run
14. // delete bph
15. bphwc
16. // two sti
17. sti
18. sti
19. cmt eip,"OEP; MPRESS OEP Finder v1.0 By Jhonjhon_123"
29. 
21. // end
22. ret

on line 17 and 18 is not that happens, cbecause the first does not recognize.

@GIV your script works perfect in OllyDbg, but do not quite understand, I continue analyzing it.

Edited November 27, 2015 by Jhonjhon_123

[mrexodia]

These scripts might be of help to some of you. Feel free to add your own script by forking and sending a pull request.

https://github.com/x64dbg/Scripts

[Jhonjhon_123]

@Mr. eXoDia thanks for the link, I looked at the files. but even I can not explain the behavior of the lines 17 and 18.

[mrexodia]

In that case go to http://help.x64dbg.com

Sti is step into http://x64dbg.com/help/scr/StepInto.htm