
Cheat Engine 6.x UPX OEP Finder

Posted: Fri Jan 09, 2015 10:11 am
by atom0s
--[[

    Generic UPX 3.x OEP Grabber
    by atom0s [Wiccaan]

    This is a demonstration Lua script showing
    what Cheat Engine 6.0 can do with Lua.

]]--
-- Edit this path to the file that is packed with UPX 3.x.
-- NOTE: the script starts this file under Cheat Engine's debugger (see the
-- createProcess call in UPX_Example.Main), so the unpacking stub and, once the
-- handler lets it continue, the unpacked program really execute on this
-- machine. Use an isolated analysis VM for files of unknown origin.
local TargetFile = "C:\\Users\\atom0s\\Desktop\\packed.exe"

--
-- DO NOT EDIT BELOW THIS LINE!!
--

-- Table used as a namespace for the script's functions and state
-- (signature string, first-break flag).
local UPX_Example = { }
  20. ----------------------------------------------------------------------------------
  21. -- func: UPX_Example.Main( .. )
  22. -- desc: Prepares script for overall actions.
  23. ----------------------------------------------------------------------------------
  24. function UPX_Example.Main( )
  25.  
  26.     -- UPX 3.x Signature
  27.     UPX_Example.UPX3_Signature = "6A 00 39 C4 75 ?? 83 EC 80 E9 ?? ?? ?? ??";
  28.    
  29.     -- Misc. variables.
  30.     UPX_Example.bFirstBreak = true;
  31.    
  32.     -- Set breakpoint handler.
  33.     debugger_onBreakpoint = UPX_Example.OnBreakpoint;
  34.    
  35.     -- Open target file for debugging.
  36.     createProcess( TargetFile, "", true, true );
  37.     return true;
  38. end
  40. ----------------------------------------------------------------------------------
  41. -- func: UPX_Example.OnBreakpoint( .. )
  42. -- desc: Breakpoint handler when CE reaches a breakpoint.
  43. ----------------------------------------------------------------------------------
  44. function UPX_Example.OnBreakpoint( )
  45.  
  46.     -- Entry point breakpoint.
  47.     if( UPX_Example.bFirstBreak == true ) then
  48.         UPX_Example.bFirstBreak = false;
  49.        
  50.         -- Scan for known UPX 3.x signature.
  51.         local scanList = AOBScan( UPX_Example.UPX3_Signature );
  52.         if( scanList == nil ) then
  53.             showMessage( "[ERROR] Failed to locate signature. File not packed with UPX 3.x?" );
  54.             debugger_onBreakpoint = nil;
  55.             return 1;
  56.         end
  57.        
  58.         -- Validate scan list has content.
  59.         local scanCount = stringlist_getCount( scanList );
  60.         if( scanCount == 0 ) then
  61.             showMessage( "[ERROR] Scan list was empty. File not packed with UPX 3.x?" );
  62.             debugger_onBreakpoint = nil;
  63.             return 1;
  64.         end
  65.        
  66.         -- Calculate jump address position.
  67.         local jmpAddr = tonumber( "0x" .. stringlist_getString( scanList, 0 ) );
  68.         jmpAddr = jmpAddr + 10;
  69.        
  70.         -- Read jump offset and calculate new address.
  71.         local jmpOffset = readInteger( jmpAddr );
  72.         jmpOffset = jmpOffset + jmpAddr + 4;
  73.        
  74.         -- Set breakpoint at real OEP.
  75.         debug_setBreakpoint( jmpOffset );
  76.        
  77.         -- Cleanup stringlist.
  78.         object_destroy( scanList );
  79.         return 1;
  80.     end
  81.  
  82.     -- Real OEP breakpoint. Display to user.
  83.     showMessage( "Assumed real OEP: " .. string.format( "%x", EIP ) );
  84.    
  85.     -- Remove breakpoint handler.
  86.     debugger_onBreakpoint = nil;
  87.    
  88.     -- Pause debugger at breakpoint.
  89.     return 0;
  90. end
-- Execute our script. This runs as soon as the script is loaded: Main installs
-- the breakpoint handler and starts TargetFile under the debugger.
UPX_Example.Main();