How to write a Script for Procdump?

Encryptor:  VGcrypt 0.75 beta 

Availability : http://protools.cjb.net

Author:  Virogen (Phrozen Crew)

Tools: 
	Procdump 1.5 
	Softice 4.0/BRaIn 

Today we continue our adventure in writing scripts for ProcDump... This time I chose VGcrypt 0.75 by Virogen. This 
tool does not compress the exe: it is an encryptor only... Since I had not found a program crypted with it, I took Notepad.exe, 
present on every Windows box... Note the entry point of Notepad, we will need it: ' entry point = 4010cc '. Now crypt notepad.exe with 
VGcrypt 0.75 and ROcK'N ROll !

Step 1  

Take Symbol Loader and open the crypted Notepad. Trace the program with the F10 key and we quickly arrive at this: 

015F:00404FA2  CALL      00404FC2 
015F:00404FA7  MOV       ESP,[ESP+08] 
015F:00404FAB  CALL      00404F8F  
015F:00404FB0  MOV       BYTE PTR [EBP+004026CC],C3 
015F:00404FB7  CALL      00404F07 
015F:00404FBC  JMP       00404ED7  ------------  = E9,16,FF,FF,FF in hex

While tracing we arrive at the address 408120: jmp 40803b. Note the corresponding hex code: jmp 40803b = e9,16,ff,ff,ff. Write 
these bytes down on paper, we will need them... And we continue tracing with the F10 key. Normally you should now have this before 
your eyes: 

015F:00404ED6  ADD       [EBP+402624BD],CL
015F:00404EDC  ADD       [ECX+0000003B],BH 
015F:00404EE2  REPZ STOSB    
015F:00404EE4  POP       DWORD PTR FS:[0000]
015F:00404EEA  POP       EDX     
015F:00404EEB  MOV       EAX,[EBP+0040270D] 
015F:00404EF1  ADD       [EBP+00402709],EAX
015F:00404EF7  POPAD    
015F:00404EF8  POPFD    
015F:00404EF9  MOV       EBX,[EDX+00402709]
015F:00404EFF  MOV       [EDX+00402709],ECX
015F:00404F05  JMP       EBX  ----------------- Entry point ! jmp ebx = FF,E3 in hex

Voilà! While tracing with F10 we arrive at 408069 and we see a rather odd jmp ebx... Under SoftICE type: ? EBX. SoftICE should 
display 4010cc. Do you remember what this value corresponds to? Yes, 4010cc is our original entry point (see the 
beginning of the article)... We easily deduce that this JMP EBX is the last instruction of the unpacking routine. We will write a 
script for this little encryptor...

Step 2  

A reminder of the commands used in this script: 

LOOK:  this is the command with which ProcDump references the signature of the cryptor or compressor. It searches the exe for a 
hexadecimal byte string. If the string is found, it means this is the right script.

BP:    with this command you set a breakpoint (same principle as in SoftICE) at the current memory address. This command is preceded 
by LOOK. You will understand in a few minutes.

STEP:  this is the instruction with which you end your script. STEP starts a step-by-step analysis of the code, which explains 
why the dump is sometimes slow.  

WALK:  this command executes one instruction (in the program you are dumping).

ADD :  adds a value to the current address in memory.

EIP:   takes the next address of the program as the original entry point:  VERY practical!... 

If you remember the first disassembly (see step 1), we arrived at a first jmp: 
015F:00404FBC  JMP       00404ED7  .  We will use this jmp to set our first breakpoint.
JMP 00404ED7 = E9,16,FF,FF,FF in hex.  The beginning of our script is:  

L1=LOOK E9,16,FF,FF,FF ------- seeks the hex string E9,16,FF,FF,FF 
L2=BP ----------------------------- sets a breakpoint at the current memory address 

Then, to be at the right memory address, I used the WALK command, so we add a third line to our script: L3=WALK. Now 
we need to find the JMP EBX that is the last instruction of the unpacking routine and leads to our original entry 
point. Looking at disassembly No 2 (step 1), one might think that a simple LOOK FF,E3 (JMP EBX = FF,E3 in hex) would 
be enough to find the original entry point. Except that here there is a small problem: if you do a LOOK FF,E3, ProcDump 
either crashes or reports an address that does not correspond to our JMP EBX... We have to take one more byte for our 
LOOK. The byte (and not the instruction!) that precedes our JMP EBX is 00. But if we take the byte before our JMP EBX, 
we then have to add 1 byte to set the breakpoint at the right place... I used the ADD command for this in the script... 
The final script then becomes: 
----------------------------------   cut  ----------------------------

ATTENTION ! REMOVE ALL COMMENTS ! (-----blablabla...) 

P1D=VGCrypt 0.75 Beta------- give a name & a number (P1D) to the script

[VGCrypt 0.75 Beta]--------- name of the script
L1=LOOK E9,16,FF,FF,FF------ seek the hex string E9,16,FF,FF,FF
L2=BP ---------------------- set a breakpoint at the current memory address
L3=WALK -------------------- execute one instruction
L4=LOOK 00,FF,E3------------ seek the hex string 00,FF,E3
L5=ADD 1 ------------------- add 1 to the current memory address
L6=BP ---------------------- set a breakpoint at the current memory address
L7=WALK -------------------- execute one instruction
L8=EIP --------------------- take the next address as the original entry point
L9=STEP -------------------- step-by-step analysis 
OPTL1=00000000 ----------- some options 
OPTL2=01010001 ----------- default settings 
OPTL3=01010001 ----------- for this script (rebuild 
OPTL4=00030000 ----------- new import table, etc...)
OPTL5=00000000  

----------------------------------   cut  ----------------------------
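As an added example (not from the original tutorial and not ProcDump's own code), here is a small Python model of the LOOK / WALK / ADD steps of the script above, run over a constructed memory image that reproduces the instruction bytes shown in the listings; the load address, the NOP filler and the decoy FF,E3 inside data are constructed assumptions. It shows why a bare LOOK FF,E3 lands on the wrong address and how LOOK 00,FF,E3 followed by ADD 1 recovers the JMP EBX.

```python
import struct

BASE = 0x404ED0  # constructed load address of the small image below


def build_image() -> bytes:
    """Constructed image: NOP filler plus the instruction bytes quoted in the article."""
    img = bytearray(b"\x90" * (0x404FC1 - BASE))

    def put(va: int, data: bytes) -> None:
        img[va - BASE:va - BASE + len(data)] = data

    put(0x404EE0, bytes.fromhex("12FFE3"))        # decoy FF,E3 inside data (constructed)
    put(0x404EF9, bytes.fromhex("8B9A09274000"))  # MOV EBX,[EDX+00402709]
    put(0x404EFF, bytes.fromhex("898A09274000"))  # MOV [EDX+00402709],ECX (ends with 00)
    put(0x404F05, bytes.fromhex("FFE3"))          # JMP EBX
    put(0x404FBC, bytes.fromhex("E916FFFFFF"))    # JMP 00404ED7
    return bytes(img)


def look(img: bytes, pattern: bytes, start_va: int = BASE):
    """Model of ProcDump LOOK: first match at or after start_va, returned as a VA."""
    off = img.find(pattern, start_va - BASE)
    return None if off < 0 else BASE + off


def jmp_rel32_target(img: bytes, va: int) -> int:
    """Decode an E9 rel32 jump at va: target = address of next instruction + rel32."""
    if img[va - BASE] != 0xE9:
        raise ValueError("not an E9 jmp at %#x" % va)
    rel = struct.unpack_from("<i", img, va - BASE + 1)[0]
    return (va + 5 + rel) & 0xFFFFFFFF


def resolve_breakpoints(img: bytes) -> dict:
    """Replay L1-L5 of the script: LOOK/BP, WALK over the jmp, LOOK 00,FF,E3, ADD 1."""
    bp1 = look(img, bytes.fromhex("E916FFFFFF"))          # L1 LOOK, L2 BP
    stub = jmp_rel32_target(img, bp1)                     # L3 WALK executes the jmp
    naive = look(img, bytes.fromhex("FFE3"), stub)        # a bare LOOK FF,E3 hits the decoy
    bp2 = look(img, bytes.fromhex("00FFE3"), stub) + 1    # L4 LOOK 00,FF,E3 + L5 ADD 1
    return {"bp1": bp1, "stub": stub, "naive_ffe3": naive, "bp2": bp2}


if __name__ == "__main__":
    for k, v in resolve_breakpoints(build_image()).items():
        print("%-10s %08X" % (k, v))
```

With the image above, bp1 resolves to 404FBC, the WALK lands at 404ED7, the bare LOOK FF,E3 stops at the decoy at 404EE1, and LOOK 00,FF,E3 + ADD 1 gives 404F05, the JMP EBX.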

Remark :  if you use this script on VGCrypt 0.75 itself, it will not work: Virogen crypted VGcrypt 0.75 with itself several times... If you 
want to unpack it, the original entry point is at 401000 (I believe there are 3 or 4 passes with VGcrypt....) 

TaMaMBoLo
