Unpacking UPX with x64dbgpy
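"""Walk a 32-bit UPX-packed sample to its original entry point (OEP) in x64dbg.

Run from x64dbgpy with the debugger paused on the UPX entry point (the
``pushad``, opcode 0x60). The script clears every existing breakpoint,
searches the 0x1000 bytes after CIP for the stub's ``sub esp, imm8; jmp``
epilogue, breaks on that ``jmp``, lets the stub unpack itself, steps into
the OEP, and finally opens Scylla so the process can be dumped with its
imports rebuilt.

Notes for the analyst:
  * ``debug.Run()`` executes the sample's own unpacking stub, i.e. untrusted
    code. Only use this on an isolated, disposable analysis VM.
  * All software and hardware breakpoints are deleted first (``bc``,
    ``bphwc``); re-create any you still need afterwards.
  * The 0x60 check and the ``83 EC ?? E9`` pattern come from the classic
    32-bit UPX stub; other UPX versions or a 64-bit stub may not match, in
    which case the script stops before running anything.
  * The jmp target is trusted as the OEP without further validation; look at
    the landing code before dumping.

Exits with a non-zero status on every failure path so a wrapper can tell a
successful walk from an aborted one.
"""
from x64dbgpy.pluginsdk import *
import sys

cip = register.GetCIP()
# Sanity check: the UPX stub begins with pushad (0x60). Anything else means we
# are not at the packer entry and must not run the sample.
if memory.ReadByte(cip) != 0x60:
    gui.Message("Start at UPX entry point (1:[CIP]==0x60)")
    sys.exit(1)

# Drop all software and hardware breakpoints so only ours can fire.
x64dbg.DbgCmdExecDirect("bc")
x64dbg.DbgCmdExecDirect("bphwc")

# `sub esp, imm8` followed by `jmp rel32` is the tail of the unpacking stub;
# the jmp goes to the OEP. Search one page past the entry point.
found = pattern.FindMem(cip, 0x1000, "83 EC ?? E9")
if found == 0:
    gui.Message("Could not find pattern!")
    sys.exit(1)

# Break on the jmp itself: 3 bytes into the match (83 EC xx | E9 ...).
jmp_addr = found + 3
debug.SetBreakpoint(jmp_addr)
debug.Run()

# Confirm the process actually stopped on our breakpoint rather than on an
# exception or exit inside the stub; stepping from anywhere else would label
# the wrong address as the OEP.
if register.GetCIP() != jmp_addr:
    gui.Message("Did not stop on the OEP jump; inspect the debugger state")
    sys.exit(1)

debug.StepIn()
cip = register.GetCIP()
comment.Set(cip, "OEP Found by Python!")
gui.Message("Reached OEP. Use Scylla to dump and restore imports!")
x64dbg.DbgCmdExec("scylla")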
Would you please update this for the latest UPX version?
Thanks.