OllyDbg/OllyScript
Description
OllyScript is a plugin for OllyDbg that makes it possible to automate debugging tasks with a script. Several scripts exist to automate finding the OEP (original entry point) of a packed executable.
For a list of existing scripts, refer to this page: http://www.openrce.org/downloads/browse/OllyDbg_OllyScripts.
Example
Here is an example of a malware sample packed with PECompact 2:
C:\Documents and Settings\malware\Bureau\windowsxp2>md5sum windowsxp2.exe
f04cb834ac843ad08a1a5c17e4f67ba3 *windowsxp2.exe
Let's use the PEcompact 2.00-2.38 OEP Finder script to try to unpack the malware.
First of all, let's get rid of the warnings in OllyDbg. Go to Options > Debugging Options and check all boxes as follows:
Then open the executable in OllyDbg and go to Plugins > OllyScript > Run script. Then choose the pecompact_2.00-2.38.os.txt script:
After a short while, you should see a popup like the one below, informing you that the OEP has been found. You can now use OllyDump to dump the process.
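To show what an OEP-finder script looks like in OllyScript syntax, here is an added illustration. It is not the PEcompact 2.00-2.38 OEP Finder script and not code from this page: it is a constructed, generic "section hop" heuristic that single-steps from the packer stub until EIP lands inside the module's code section, then marks that address as the OEP candidate. It assumes the stub starts outside the code section (if it does not, the script says so and stops rather than reporting a false OEP), uses the `gmi`/`$RESULT` convention for module information, and is bounded by a step limit so a wrong heuristic cannot spin forever. Numeric constants are hexadecimal, as OllyScript expects.

```ollyscript
// Constructed OllyScript example: generic section-hop OEP heuristic.
// Not the PECompact script from the page; run it from the packed entry point.

var cbase            // start of the module's code section
var cend             // end of the code section (cbase + size)
var steps            // how many single-steps have been taken
var limit            // upper bound on steps before giving up

mov limit, 186A0     // 0x186A0 = 100000 steps (constructed cap, hex)
mov steps, 0

gmi eip, CODEBASE    // module info for the address in EIP goes to $RESULT
mov cbase, $RESULT
gmi eip, CODESIZE
mov cend, cbase
add cend, $RESULT    // cend = CODEBASE + CODESIZE

// Failure mode: if the stub already lives in the code section, this
// heuristic would "find" the OEP immediately, so refuse to run instead.
cmp eip, cbase
jb trace
cmp eip, cend
jae trace
msg "Entry point is already inside the code section; this heuristic does not apply."
ret

trace:
sti                  // single-step into the next instruction
inc steps
cmp steps, limit
ja giveup
cmp eip, cbase
jb trace             // below the code section: keep stepping
cmp eip, cend
jae trace            // at or past the end of the code section: keep stepping

// EIP has entered the code section: report the candidate OEP.
cmt eip, "OEP candidate (section-hop heuristic)"
log eip
msg "Candidate OEP reached. Inspect the code at EIP, then dump the process with OllyDump."
ret

giveup:
msg "Step limit reached without entering the code section; the heuristic did not apply."
ret
```

Real packer-specific scripts such as the one used above replace the blind single-step loop with knowledge of the stub (breakpoints on known instructions, handling of the exceptions the stub raises on purpose), which is why they finish in seconds while this generic trace can take noticeably longer.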