/*
==========================================================
  ExeCryptor 2.0.x - 2.4  OEP finder script by HAGGAR
==========================================================
Features:

- Script bypass all anti-debug tricks in ExeCryptor;
- Script attempt to find OEP of protected file or, in
  such case, STOLEN_OEP_CODE start address.

Instructions:

1. You need to have NT based operating system;
2. Configure OllyDbg in "Debugging Options"->"Events" to
   "Make first pause at - System breakpoint";
3. Ignore all exceptions and add to custom this one
   C000001E (INVALID LOCK SEQUENCE)
4. Remove or disable all plugins which purpose is to hide
   OllyDbg from protecors. ExeCryptor detects modified
   imports and by that most such plugins are detected.
5. Now load target in OllyDbg. Remove all breakpoints
   (hardware, memory, software). OllyDbg sets one bp
   on OEP by default and ExeCryptor checks that. Hit
   Alt+B to see is that breakpoint listed there. If
   it is, remove it.
6. Now, run this script :).

===========================================================
*/

var bak_eip
var bak_1
var bak_2
var addr
var temp
var proc
var image_base
var entry_point
var ec_iat
var decompressor
var jc_modify

log " "
log "------------------------------------------------------"
log " ExeCryptor 2.0.x - 2.4 OEP finder script by HAGGAR"
log "------------------------------------------------------"

//-------------- Patch what can be patched -----------------
gpa "FindWindowA","user32.dll"
mov [$RESULT],#8BFF5533C05DC20800#
gpa "OutputDebugStringA","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC20400#
gpa "ReadProcessMemory","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC21400#
gpa "CreateThread","kernel32.dll"
mov [$RESULT],#8BFF555DC21800#
gpa "CloseHandle","kernel32.dll"
mov [$RESULT],#8BFF555DC20400#
gpa "CheckRemoteDebuggerPresent","kernel32.dll"
mov [$RESULT],#8BFF5533C05DC20800#
gpa "KiRaiseUserExceptionDispatcher","ntdll.dll"
mov [$RESULT],#C390909090#

//--------- Find block with process information ------------
mov bak_eip,eip     //Backup current EIP (SYSTEM_BP).

mov bak_1,eip       //Backup original bytes at SYSTEM_BP.
mov bak_2,bak_1
add bak_2,4
mov bak_1,[bak_1]
mov bak_2,[bak_2]
mov [eip],#5064A11800000058# //Little hack to obtain data block.
sti
sti
mov addr,eax                 //Take pointer.
sti
mov eip,bak_eip              //Restore original EIP.
mov [eip],bak_1              //Restore original bytes.
add eip,4
mov [eip],bak_2
sub eip,4
add addr,30
mov addr,[addr]

//---------------------- Erase debug bits ------------------------
mov temp,[addr]         //BeingDebugged
and temp,0ff00ffff
mov [addr],temp
mov temp,addr           //HeapFlag
add temp,18
mov temp,[temp]
add temp,10
mov [temp],0
mov temp,addr           //NtGlobalFlag
add temp,68
mov [temp],0

//---------- Erase EP bp that OllyDbg sets by default ------------
mov temp,addr
add temp,8
mov temp,[temp]                               //Module base.
mov image_base,temp
    log " "
    log "Module base of protected file is:"
    log image_base
add temp,3C
add temp,[temp]                               //PE signature offset.
sub temp,3C
add temp,28
mov temp,[temp]                               //EP offset.
add addr,8
add temp,[addr]                               //Virtual offset.
mov entry_point,temp
sub addr,8 
    log " "
    log "EntryPoint of protected file is:"
    log entry_point
bp temp  //Set bp.
bc temp  //Erase bp. That erases default OllyDbg bp on EP.

//------------ Find IAT of protected application ----------------
mov ec_iat,image_base
add ec_iat,3c
mov ec_iat,[ec_iat]
add ec_iat,image_base
add ec_iat,80
mov ec_iat,[ec_iat]
add ec_iat,image_base
    log " "
    log "IAT of protected application is at:"
    log ec_iat

mov addr,ec_iat
add addr,40
mov temp,[addr]
add addr,10
xor temp,[addr]
add addr,12
xor temp,[addr]
add addr,10
xor temp,[addr]
add addr,14
xor temp,[addr]
add addr,40
xor temp,[addr]
 cmp temp,65533612
 je IAT_PROTECTED
 cmp temp,8d342fdf
 je IAT_PROTECTED
    log "IAT is not protected by ExeCryptor."
 jmp COMPRESSION_TEST
 IAT_PROTECTED:
    log "IAT is protected by ExeCryptor."

COMPRESSION_TEST:
//--------------- Find is application compressed -----------------
 find ec_iat,#558BEC83C4ECFC5357568945FC8955F889C689D766813E4A43#
 mov decompressor,$RESULT
 cmp decompressor,0
jne COMPRESSED
 find ec_iat,#56575331DB89C689D70FB60689C283E01FC1EA05742D4A7415#
 mov decompressor,$RESULT
 cmp decompressor,0
je NOT_COMPRESSED
COMPRESSED:
    log " "
    log "Application is probably compressed. Decompression algo is at:"
    log decompressor
jmp JUMP_MODIFIER
NOT_COMPRESSED:
    log " "
    log "Application is not compressed."

JUMP_MODIFIER:
//--------------- Find jump and calls corrector -----------------
 find ec_iat,#89C689D183E904FCACD0E880F874750E#
 mov jc_modify,$RESULT
 cmp jc_modify,0
je NO_JC
    log " "
    log "Jump and call corrector is found:"
    log jc_modify
jmp EXECUTE_APP
NO_JC:
    log " "
    log "Couldn't find jump and call corrector."
ret

//---------------- Let's try to find OEP --------------------
EXECUTE_APP:            //This is unfinished function in script.
ret
ERROR:
msg "ERROR! Error in my script (haggar)!"
ret