This doc is for the following people
  People to dump to understand Script.txt
  People to lazy to read through all Script.txt
  People both to dump and lazy to read through Script.txt (Like me)

				       Ŀ
				        Introduction to Procdump Scripting 
				         

To understand this you'll atleast have to have a working knowledge of proc-
dump and some knowledge of Debugging Abbreviations. 

A Procdump script is a script that will help procdump unpack a win32 execu-
table file (Yeah, only Win32). It is designed like most scripts on rows. 
Read below and you'll get it.

Scripts in procdump are put in the ini file "Script.ini" in a section of it
self with the title of the unpacker, like [Neolite] or something. They are
built around lines with name Lx where x is the line number, so an empty
basic script may look like this:

 [unpackername]
  L1=
  L2=
  L3=

And so on... there is allso a statement called OPTLx wich set's default 
options for your script. But is that all you have to do to get it up and
running? No, you have to add a new line in the [index] section with your
name like:

 [index]
 P1=MyPackerName

Yeah, the abbreviation in the start is Px instead of Lx here. So, how is the
actuall Procdump script written?

				       Ŀ
				            let's kick som phat script ass 
				       

Ok, we'll start of with a real life example before the walkthrough (might
help you a bit):

 [Shrinker 3.2]
  L1=BPX 2672
  L2=STEP
  OPTL1=00000000
  OPTL2=01010001
  OPTL3=01010001
  OPTL4=00020000
  OPTL5=00000000

As you see, a very simple script filled with options :P. Let's step through
this line by line:

[shrinker 3.2]			<-- Well, the beginig section displaying name

  L1=BPX 2672			<-- First we see line 1 mark (L1) then the code
				    wich in this case is a breakpoint on 2672.
  
  L2=STEP			<-- What do we see here? L2 then the STEP
				    command, wich basicly means that the step
				    by step analysis is activated.

  OPTL1=00000000		<-- Options, don't have clue what this means :P

  OPTL2=01010001		<-- More options, still not a clue

  OPTL3=01010001		<-- Gosh, more options

  OPTL4=00020000		<-- Lotta options here

  OPTL5=00000000		<-- Take your best shot ;)

Ok, I know I am not the best tutor in this, just check my Options knowledge...
it SUX. well, this is basicly how a script is built up, nothing more, nothing
less. So, here comes script reference:

				       Ŀ
				                        script definitions 
				       

Let's start of with saying that this is a modified version of the script.txt
script definition, I didn't have the patience to write a new one.

[1] Look 

  the Look function scans for a HEX string in the executable that is beeing
  unpacked. The Address, where this block is found, is stored so that u can
  set a breakpoint at this location.

 Usage:
  Look 0F,85 will search for a JNE long jump. U may want to set a Breakpoint
  via the BP command.

[2] ADD 

  Allows u to Add a value to the current Address in mem (ex: the one spotted
  by the look command or by the POS command).

 Usage:
  ADD 05 will add 05 to the value of the current adr. in memory.

[3] DEC 

  Allows you to Remove a value from the current adress in the memory (se above).

 Usage:
  DEC 05 will decrease 05 to the value of the current adr. in memory

[4] REPL 

  This function apply a patch (HEX Sequence) at the current memory location
  (ex: the one spotted by look command). This may allow u to kick an ADT ;)
  IE. This function will change a definition in memory, such as je to jne
  or je to nop.

 Usage:
  REPL 90,90 will apply a double NOP starting at current memory location.
  REPL 75 will applay a JNE at the current memory location.

[5] BP 

  Set a breakpoint at current memory location.

 Usage:
  BP 
  (No parmaters, just a simple breakpoint).

[6] BPX 

  Set a breakpoint at a given location. The location is depending on object
  start.

 Usage: 
  If loaded executable starts at RVA 66000h, BPX 2672 will set a breakpoint at
  RVA 68672. So this means that to get the real adress where the breakpoint is 
  applied, take starting RVA + BPX Value :P.

[7] BPF (Break On Flag) 

  This function will check each time breakpoint occurs if flag u passed on is
  set/unset. Breakpoint location is the current memory location.

  UnsetSet Meaning
  
   c    C  Carry flag.
   p    P  Positiv Flag.
   a    A  Above Flag.
   z    Z  Zero Flag.
   s    S  Sign Flag.
   d    D  Direction Flag.
   o    O  Overflow Flag.

  U can only test ONE flag.

 Usage:
  BPF z will break if Zero is false. Usefull after setting a value.

[8] BPC 

  Break at Local Eip until counter is reached.

 Usage:
  BPC 15    (Breakpoint 15h times at Local Eip).
  [authors notice:] Unclear about this one, kinda like wait I think, BP 15
  will wait 15h.

[9] BPV 

  Break at Eip until value is reached in Registers.

 Usage:
  BPV EAX=5 Will break until EAX=5 in Registers.

[10] MOVE 

  Set Current EIP. Add param value to current EIP. BE CAREFULL WITH THIS !!!!
  NO CONTROL ARE DONE about the EIP. Try to use this instead of noping a loca-
  tion, IF there was a CRC check u will defeat it ;).

 Usage:  
  MOVE 14  will move current EIP to EIP+14h, that is 14 adresses forward in
  current memory.

[11] POS 

  Set current memory location FOR ALL FUNCTIONS. The location is depending on
  object start. (This functions is allmost never used).

 Usage:
  POS 6599 will set memory location to Start RVA + 6599.  

[12] STEP -

  This set the step by step analyzis. This is used to finished the trace
  generally. BEWARE: Step mode means each lines will be tested -> SLOW !!.
  So SET step mode as late as possible.

 Usage:
  STEP
  (No parameters). This is used as late as possible in the script.

[13] OBJR 

  This set the base memory to start to scan. Affect LOOK command.

 Usage:
  OBJR
  (No parameters). Often used in begining of script to set base to start scan
  from.

[14] BPREG 

  Set a breakpoint at Register value. Not a very common command this either.

 Usage:
  BPREG
  (I think No parameters, correct me if I'm wrong). Allmost never used.

[15] WALK 

  Execute the next instruction and return control to ProcDump32.

 Usage:
  WALK
  (No parameters). Used often to jump over a few crap instructions.

[16] EIP 

  Say that next EIP has to be used as Original EntryPoint.
  Note : After a breakpoint, the next EIP is the breakpoint address itself !

 Usage:
  EIP
  (No parameters). The current script will work from this RVA as Original
  Entry Point instead of the real original entry point.

[17] HELP 

  Execute a standalone helper file to help procdump. Used if procdump can't
  handle it. It executes the file and creates a temp .ini containing:

   Pid Of The Process
   All registers values (Including EIP)
   Local EIP values

  It looks like this:
    [REG]
    Dr0=00000000
    Dr1=00000000
    Dr2=00000000
    Dr3=00000000
    Dr6=00000000
    Dr7=00000000
    SegGs=00000000
    SegFs=00000FDF
    SegEs=00000167
    SegDs=00000167
    Edi=00000000
    Esi=8161D244
    Ebx=00000000
    Edx=8161D2A4
    Ecx=8161D264
    Eax=0043E9B4
    Ebp=00456000
    Eip=00456264
    SegCs=0000015F
    Flags=00000216
    Esp=0068FE34
    SegSs=00000167
    Pid=FFC1E943
    Local=00456264

  Sending different options. Now this is really advanced and so so I won't go
  through it to good. Well, let's start from the beginning, Drx I don't have
  a clue :P. SEGxs I think gives the adresses of thoose segments (correct me
  please). Edi, Esi, Ebx... contains the registers values. Local is local EIP
  values, flags is flags for the current memory place and Pid is pid value.

 Usage:
  HELP ExternalUnpacker.Exe MyIniChoice.ini
  ExternalUnpacker is the name of your external unpacker (do'h) like upak.exe
  or something, MyIniChoice.ini is what you'd like to call the .ini, like 
  prcommands.ini.

				       Ŀ
				                   we write our own script 
				       

Ok, not really, I'm to lazy to write one from the bottom up today, so we'll
just snatch a script from "Script.ini". The script we will "make" is for 
Aspack 1.08.2. We'll start by making an entity in [index]:

 [index]
 ...
 P14=Aspack 1.08.2
 ...

Now, let's get down to scripting:

 ...
 [Aspack108.2]
  L1=OBJR				<-- Set base memory for scan
  L2=LOOK E9				<-- Looking for Hex E9
  L3=BP					<-- Set a breakpoint there.
  L4=WALK				<-- Jump through a function.
  L5=OBJR				<-- Set base memory for scan.
  L6=LOOK E8,8A,02,00,00,E8		<-- Looks for thoose patterns.
  L7=BP					<-- If found, set breakpoint.
  L8=MOVE 0F				<-- Moves EIP to EIP + 0F
  L9=STEP				<-- Enter step by step analysis.
  OPTL1=00000000			   __
  OPTL2=01010001			   |
  OPTL3=01010001			<--| Thoose darn options :P
  OPTL4=00030000			   | Gotta figure them out.
  OPTL5=00000000			   |_
 ...

Ok, so what this basicly does (in text) is:

 Set base memory.
 If Hex E9 found set BPX on location. Execute next instruction.
 Set base memory. Look for pattern, If found set breakpoint.
 Move memory to memory + 0Fh and start step by step analysis.

Hope this helped you a bit. If not, here comes a table :P

				       Ŀ
				              Cheat Sheet (function index) 
				       
ͻ
 Function Name:     Type:              Description:                  Usage:            
͹
 ADD                Memory Editing     Add x to cur. mem             add x             
͹
 BP                 Breakpoint         Sets breakpoint at cur. mem   bp                
͹
 BPX                Breakpoint         Sets breakpoint on adr. x     bpx x             
͹
 BPREG              Breakpoint         Sets breakpoint with regval.  bpreg x           
͹
 BPF                Breakpoint         Sets breakpoint on flag       bpf flag          
͹
 BPC                Breakpoint         Sets breakpoint until...      bpc x             
͹
 BPV                Breakpoint         Break until regval = regval   bpv               
͹
 DEC                Memory Editing     Remove x from cur. mem        dec x             
͹
 EIP                Memory Editing     Use next eip as oep           eip               
͹
 HELP               External           Execute external helper       help exec inifile 
͹
 OBJR               Memory Search      Search mem starting at cur... objr searchstring 
͹
 LOOK               Memory Search      Look for a hex value          look hex          
͹
 MOVE               Memory Editing     eip = eip + param             move x            
͹
 POS                Memory Editing     Set local adress value        pos x             
͹
 REPL               Memory Editing     Modify h at cur. adress       repl hex          
͹
 STEP               Memory Search      Exec. Step by step analysis   step              
͹
 WALK               Memory Search      Exec. next instruction        walk              
͹
  
ͼ



				       Ŀ
				                          Greetz and stuff 
				       

Well that's all from me! This "tutor" was written by:
	cokine
	achrya@hotmail.com
	efnet irc: #cracking4newbies, #c.i.a, #rsc