Script Extension for ProcDump32 :


 Technically, the goal of such a script is to:

     1) defeat ADT
     2) -> find the last instruction BEFORE jumping to the ORIGINAL CODE <-
     3) run step mode as late as possible to speed up tracing

A) Function Definitions :


 1) Look function.

  The Look function scans for a hex byte sequence in the loader object. The
 address where this sequence is found becomes the current memory location, so
 you can set a breakpoint there.

 Ex:

  Look 0F,85 will search for a JNE long jump (0F 85 is the opcode of JNE rel32).
  You may then set a breakpoint there via the BP command.

 2) ADD function.

  Adds a value to the current memory address (e.g. the one spotted by the Look
 command or set by the POS command).

 3) DEC function.

  Guess ;)

 4) REPL function.

  This function applies a patch (hex byte sequence) at the current memory location
 (e.g. the one spotted by the Look command). This may allow you to kick an ADT ;).

 Ex:

  REPL 90,90 will apply a double NOP starting at current memory location.

 5) BP function.

  Set a breakpoint at current memory location.

 6) BPX function.

  Sets a breakpoint at a given location. The location is relative to the object
 start.

 Ex: If the loader object starts at RVA 66000h, BPX 2672 will set a breakpoint at
 RVA 68672h.

 7) BPF function (Break On Flag).

  Each time the breakpoint is hit, this function checks whether the flag you
 passed is set or unset. The breakpoint location is the current memory location.

 Unset  Set  Meaning

   c     C   Carry flag.
   p     P   Positiv flag.
   a     A   Above flag.
   z     Z   Zero flag.
   s     S   Sign flag.
   d     D   Direction flag.
   o     O   Overflow flag.

 You can only test ONE flag.

 8) BPC function

  Breaks at the local EIP until the counter is reached.

        BPC 15    (break 15h times at the local EIP).

 9) BPV function

  Breaks at the local EIP until a register holds the given value.

        BPV EAX=5 (break when EAX=5 at the local EIP).

 10) MOVE Function

  Sets the current EIP: the parameter value is added to the current EIP. BE
 CAREFUL WITH THIS !!!! NO CHECKS ARE DONE on the resulting EIP. Try to use this
 instead of NOPing a location: if there is a CRC check, you will defeat it ;).

  Ex: MOVE 14  will move the current EIP to EIP+14h

 11) POS function.

  Sets the current memory location FOR ALL FUNCTIONS. The location is relative
 to the object start.

 12) STEP function.

  This enables step-by-step analysis. It is generally used to finish the trace.
 BEWARE: step mode means every instruction is tested -> SLOW !!. So SET step
 mode as late as possible.

 13) OBJR function.

  This sets the base memory address at which scanning starts. Affects the LOOK command.

 14) BPREG

  Sets a breakpoint at the address held in a register.

 15) WALK

  Executes the next instruction and returns control to ProcDump32.

 16) EIP

  Says that the next EIP has to be used as the Original EntryPoint.

  Note : After a breakpoint, the next EIP is the breakpoint address itself !

 17) Launch external file for helping.

  Launches an external file with specific parameters. An ini file of your choice
  is created on the fly with specific values (hex). It contains:

  . Pid of the Process.
  . All registers value including EIP.
  . Local EIP value.

  Example :

   in script :

    ...
    L5=HELP PDHelp.Exe Helper.ini
    ...

    The command line of your helper will contain <Path to helper.ini>\"helper.ini".

   in helper.ini :

    [REG]
    Dr0=00000000
    Dr1=00000000
    Dr2=00000000
    Dr3=00000000
    Dr6=00000000
    Dr7=00000000
    SegGs=00000000
    SegFs=00000FDF
    SegEs=00000167
    SegDs=00000167
    Edi=00000000
    Esi=8161D244
    Ebx=00000000
    Edx=8161D2A4
    Ecx=8161D264
    Eax=0043E9B4
    Ebp=00456000
    Eip=00456264
    SegCs=0000015F
    Flags=00000216
    Esp=0068FE34
    SegSs=00000167
    Pid=FFC1E943
    Local=00456264

  I think this is quite flexible ;).

  Note : The command line is limited to 512 chars for both the helper EXE and
         helper INI path. This limitation is internal to ProcDump; it is however
         possible that the WINDOWS API is limited to a path of 256 chars.
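 As an added example (my own code, not part of ProcDump32 or of this document), the Python below parses the [REG] block that HELP writes into the helper ini, reports the flags in the upper/lower-case letters the BPF table uses, and computes the object-relative offset that POS and BPX take. The EFLAGS bit positions are the standard x86 ones; mapping the tool's "a" letter to the auxiliary-carry bit 4 is an assumption, since the page does not say which bit it tests.

```python
import configparser

# Constructed sample: the [REG] block the HELP command writes into the helper
# ini (values copied from the helper.ini example above, Pid/Local included).
SAMPLE_INI = """[REG]
Eax=0043E9B4
Ebp=00456000
Eip=00456264
Flags=00000216
Esp=0068FE34
Pid=FFC1E943
Local=00456264
"""

# x86 EFLAGS bit positions for the letters BPF accepts. Mapping the tool's "a"
# (Above) to the auxiliary-carry bit 4 is an assumption, not stated on the page.
EFLAGS_BITS = {"c": 0, "p": 2, "a": 4, "z": 6, "s": 7, "d": 10, "o": 11}

def parse_helper_ini(text):
    """Return the [REG] section as a dict of ints (ProcDump writes bare hex)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (Eax, SegFs, Local, ...)
    cp.read_string(text)
    return {k: int(v, 16) for k, v in cp["REG"].items()}

def decode_flags(flags):
    """BPF-style summary: each flag letter upper-case when set, lower-case when clear."""
    return "".join(l.upper() if (flags >> bit) & 1 else l
                   for l, bit in EFLAGS_BITS.items())

def bpf_matches(flags, cond):
    """True when a one-letter BPF condition (e.g. 'Z' or 'c') holds for this EFLAGS value."""
    if len(cond) != 1 or cond.lower() not in EFLAGS_BITS:
        raise ValueError("BPF tests exactly one flag letter")
    is_set = bool((flags >> EFLAGS_BITS[cond.lower()]) & 1)
    return is_set == cond.isupper()

def object_offset(regs, obj_rva):
    """Offset of Local EIP from the object start, the value POS and BPX take."""
    return regs["Local"] - obj_rva
```

For the sample above, Flags=216h decodes to parity and auxiliary-carry set with carry, zero, sign, direction and overflow clear.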

B) Options format in a script entry :


 Options are stored in DWORD format and start with OPTL.

 OPTL1 = 
  DWORD : the delay in ms for AutoDump.

 OPTL2 =
  BYTE  : Auto EIP 
  BYTE  : Ignore Faults
  BYTE  : FastMode Dump
  BYTE  : ExternalPredump

 OPTL3 =
  BYTE  : Optimize PE
  BYTE  : Auto Compute Objects
  BYTE  : Trace API
  BYTE  : Auto Layer

 OPTL4 =
  BYTE  : Raw Mode
  BYTE  : Import Rebuild Type
  BYTE  : Restore Header
  BYTE  : Restore Relocs 

 OPTL5 =
  BYTE  : Reserved
  BYTE  : Reserved
  BYTE  : Check Header
  BYTE  : Merge Code

 For more details... check ProcDump Options explanations.

C) How to set your own protector/packer definitions :


 1) Update Index section :
 

  Add a Pxx statement .... be careful, the xx value must follow the previous
 protector's one.

 Example :

 before

  [INDEX]
  P1=Shrinker 3.3
  P2=Wwpack32 Beta 9
  P3=Wwpack32 1.0

 after

  [INDEX]
  P1=Shrinker 3.3
  P2=Wwpack32 Beta 9
  P3=Wwpack32 1.0
  P4=My Own definition

 2) Add your definition :
 

  A definition is composed of line statements of the form Lxx.

 Ex:

  [My own definition]

  L1=Look 0F,85,DB,FF,FF
  L2=BP
  L3=STEP

 You can also add default options for this definition: put the OPTLx entries in
 this section as well. If no default options are specified, ProcDump will use
 the current ones.
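 As an added example (my own code, not shipped with ProcDump32), this Python checker applies the two rules of section C to a definitions file: the Pxx index entries must be numbered consecutively, and every definition section must use consecutive Lxx lines whose commands are the ones listed in section A, plus optional OPTLx defaults. The sample file and its OPTL2 value are constructed for the example.

```python
import configparser
import re

# Commands listed in section A (HELP is the "launch external file" command).
KNOWN_COMMANDS = {"LOOK", "ADD", "DEC", "REPL", "BP", "BPX", "BPF", "BPC", "BPV",
                  "MOVE", "POS", "STEP", "OBJR", "BPREG", "WALK", "EIP", "HELP"}
# Constructed sample: index entries plus the sections holding their script lines.
SAMPLE_DEFS = """[INDEX]
P1=Shrinker 3.3
P2=My Own definition
[Shrinker 3.3]
L1=STEP
[My Own definition]
L1=Look 0F,85,DB,FF,FF
L2=BP
L3=STEP
OPTL2=01000000
"""

def numbered_keys(section, prefix):
    """Sorted numbers of the keys '<prefix><n>' in a section (P1,P2 -> [1, 2])."""
    return sorted(int(k[len(prefix):]) for k in section if re.fullmatch(prefix + r"\d+", k))

def check_definitions(text):
    """Return the problems found in a ProcDump32 definitions file (empty list = OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: P1, L1, OPTL2
    cp.read_string(text)
    if not cp.has_section("INDEX"):
        return ["missing [INDEX] section"]
    problems, index = [], cp["INDEX"]
    nums = numbered_keys(index, "P")
    if nums != list(range(1, len(nums) + 1)):  # each Pxx must follow the previous one
        problems.append(f"index numbering not consecutive: {nums}")
    for key in index:
        name = index[key]
        if not cp.has_section(name):
            problems.append(f"{key} names [{name}] but that section is missing")
            continue
        lines = numbered_keys(cp[name], "L")
        if lines != list(range(1, len(lines) + 1)):
            problems.append(f"[{name}] line numbering not consecutive: {lines}")
        for k, v in cp[name].items():
            if re.fullmatch(r"L\d+", k):
                cmd = v.split(maxsplit=1)[0].upper() if v.strip() else ""
                if cmd not in KNOWN_COMMANDS:
                    problems.append(f"[{name}] {k}: unknown command {cmd!r}")
            elif not re.fullmatch(r"OPTL[1-5]", k):
                problems.append(f"[{name}] unexpected key {k}")
    return problems
```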
