Script Extension for ProcDump32 :
���������������������������������

Technically the goal of such script is to :

�����������������������������������������������������������������ż
ł1) defeat ADT ł
ł2) -> Find Last instruction BEFORE jumping to ORIGINAL CODE <- ł
ł3) Run step mode as later as possible to speed up tracing ł
Ą����������������������������������������������������������������Ł

A) Function Definitions :
�������������������������

1) Look function.

the Look function scan for an HEX string in the loader object. The Address,
where this block is found, is stored so that u can set a breakpoint at this
location.

Ex:

Look 0F,85 will search for a JNE long jump. U may want to set a Breakpoint
via the BP command.

2) ADD function.

Allows u to Add a value to the current Address in mem (ex: the one spotted
by the look command or by the POS command).

3) DEC function.

Guess ;)

4) REPL function.

This function apply a patch (HEX Sequence) at the current memory location
(ex: the one spotted by look command). This may allow u to kick an ADT ;).

Ex:

REPL 90,90 will apply a double NOP starting at current memory location.

5) BP function.

Set a breakpoint at current memory location.

6) BPX function.

Set a breakpoint at a given location. The location is depending on object
start.

Ex: If loader object start at RVA 66000h, BPX 2672 will set a breakpoint at
RVA 68672.

7) BPF function (Break On Flag).

This function will check each time breakpoint occurs if flag u passed on is
set/unset. Breakpoint location is the current memory location.

UnsetłSetł Meaning
��������������������������
c ł C ł Carry flag.
p ł P ł Positiv Flag.
a ł A ł Above Flag.
z ł Z ł Zero Flag.
s ł S ł Sign Flag.
d ł D ł Direction Flag.
o ł O ł Overflow Flag.

U can only test ONE flag.

8) BPC function

Break at Local Eip until counter is reached.

BPC 15 (Breakpoint 15h times at Local Eip).

9) BPV function

Break at Eip until value is reached in Registers.

BPV EAX=5 (Breakpoint when EAX=5 at Local Eip).

10) MOVE Function

Set Current EIP. Add param value to current EIP. BE CAREFULL WITH THIS !!!!
NO CONTROL ARE DONE about the EIP. Try to use this instead of noping a loca-
tion, IF there was a CRC check u will defeat it ;).

Ex: MOVE 14 will move current EIP to EIP+14h

11) POS function.

Set current memory location FOR ALL FUNCTIONS. The location is depending on
object start.

12) STEP function.

This set the step by step analyzis. This is used to finished the trace
generally. BEWARE: Step mode means each lines will be tested -> SLOW !!.
So SET step mode as later as possible.

13) OBJR function.

This set the base memory to start to scan. Affect LOOK command.

14) BPREG

Set a breakpoint at Register value.

15) WALK

Execute the next instruction and return control to ProcDump32.

16) EIP

Say that next EIP has to be used as Original EntryPoint.

Note : After a breakpoint, the next EIP is the breakpoint address itself !

17) Launch external file for helping.

Launch an external file with specifics params. An ini file of ur choice is
created on the fly with specifics values (HEX). It contains :

. Pid of the Process.
. All registers value including EIP.
. Local EIP value.

Example :

in script :

...
L5=HELP PDHelp.Exe Helper.ini
...

Command line of ur helper will contain \"helper.ini".

in helper.ini :

[REG]
Dr0=00000000
Dr1=00000000
Dr2=00000000
Dr3=00000000
Dr6=00000000
Dr7=00000000
SegGs=00000000
SegFs=00000FDF
SegEs=00000167
SegDs=00000167
Edi=00000000
Esi=8161D244
Ebx=00000000
Edx=8161D2A4
Ecx=8161D264
Eax=0043E9B4
Ebp=00456000
Eip=00456264
SegCs=0000015F
Flags=00000216
Esp=0068FE34
SegSs=00000167
Pid=FFC1E943
Local=00456264

I think this is quite flexible ;).

Note : Command Line is limited to 512 chars for both helper EXE & helper
INI path. This limitation is internal to ProcDump, It is however
possible that WINDOWS API is limited to a path of 256 chars.

B) Options format in a script entry :
�������������������������������������

Options are stored in DWORD format and start with OPTL.

OPTL1 =
DWORD : represent the Delay in ms for AutoDump.

OPTL2 =
BYTE : Auto EIP
BYTE : Ignore Faults
BYTE : FastMode Dump
BYTE : ExternalPredump

OPTL3 =
BYTE : Optimize PE
BYTE : Auto Compute Objects
BYTE : Trace API
BYTE : Auto Layer

OPTL4 =
BYTE : Raw Mode
BYTE : Import Rebuild Type
BYTE : Restore Header
BYTE : Restore Relocs

OPTL5 =
BYTE : Reserved
BYTE : Reserved
BYTE : Check Header
BYTE : Merge Code

For more details... check ProcDump Options explanations.

C) How to set ur own protectors/packers definitions :
�����������������������������������������������������

1) Update Index section :
�������������������������

Add a Pxx statement .... be carefull the xx value must follow the previous
protector one.

Example :

before

[INDEX]
P1=Shrinker 3.3
P2=Wwpack32 Beta 9
P3=Wwpack32 1.0

after

[INDEX]
P1=Shrinker 3.3
P2=Wwpack32 Beta 9
P3=Wwpack32 1.0
P4=My Own definition

2) Add ur definition :
����������������������

A definition is composed of lines statements which must be something like
Lxx.

Ex:

[My own definition]

L1=Look 0F,85,DB,FF,FF
L2=BP
L3=STEP

You can add too default options for this definition. Add the OPTLx in this
section as well to do that. If no default options are specified, ProcDump
will use the actual ones.