|You are here:|
OllyScript is a plugin in OllyDbg that enables to automatize some tasks via a script. Several scripts exist to automate the identification of the OEP in a packed executable.
For a list of existing scripts, refer to this page:
Here is an example of a malware packed with PE Compact 2:
C:\Documents and Settings\malware\Bureau\windowsxp2>md5sum windowsxp2.exe f04cb834ac843ad08a1a5c17e4f67ba3 *windowsxp2.exe
Let's use the PEcompact 2.00-2.38 OEP Finder script to try to unpack the malware:
First of all, let's get rid of the warnings in OllyDbg. Go to Options > Debugging Options and check all boxes as follows:
Then open the executable in OllyDbg and go to Plugins > OllyScript > Run script. Then choose the pecompact_2.00-2.38.os.txt script:
After a short while, you should see a similar popup, informing that the OEP has been successfully found. You can now use the OllyDump script to dump the process.