struppigel · November 17, 2024 07:00
diff --git a/gistfile1.txt b/gistfile1.txt
 // for sample https://malshare.com/sample.php?action=detail&hash=20946142795ea4b9fafad9a279e5da0e2f491f567380d7f37570d451f3aa6b8f
 bc
 bphwc

 bp WriteProcessMemory
 run
 bc
 mov $payload,[esp+c]

 // calc size of dump area
 mov $pageend, mem.base($payload)
 add $pageend, mem.size($payload)

 mov $size, $pageend
 sub $size, $payload

 savedata "dump.tmp", $payload, $size

 init "dump.tmp"
 bphwc

 run // run until entry point

 step
 bph csp,r,1
 run
 bphwc

 find cip,"E9"
 run $result
 step
 scylla
	// for sample https://malshare.com/sample.php?action=detail&hash=20946142795ea4b9fafad9a279e5da0e2f491f567380d7f37570d451f3aa6b8f
	bc
	bphwc

	bp WriteProcessMemory
	run
	bc
	mov $payload,[esp+c]

	// calc size of dump area
	mov $pageend, mem.base($payload)
	add $pageend, mem.size($payload)

	mov $size, $pageend
	sub $size, $payload

	savedata "dump.tmp", $payload, $size

	init "dump.tmp"
	bphwc

	run // run until entry point

	step
	bph csp,r,1
	run
	bphwc

	find cip,"E9"
	run $result
	step
	scylla