Cheat Engine UPX OEP Finder (Lua Script)

[atom0s]

I wrote this script when Lua was first introduced into Cheat Engine 6.x as a demonstration that it can be used for more than just game hacking things.

This script will locate the OEP of a UPX 3.x packed file. Just edit the marked line in the code and run it as normal.

Code:

--[[

    Generic UPX 3.x OEP Grabber
    by atom0s [Wiccaan]
    
    This is a demonstrational Lua script showing off
    what Cheat Engine 6.0 can do with Lua.
    
]]--

-- Edit this path to the file that is packed with UPX 3.x
local TargetFile = "C:\\Users\\atom0s\\Desktop\\packed.exe"

--
-- DO NOT EDIT BELOW THIS LINE!!
--

local UPX_Example = { }

----------------------------------------------------------------------------------
-- func: UPX_Example.Main( .. )
-- desc: Prepares script for overall actions.
----------------------------------------------------------------------------------
function UPX_Example.Main( )

    -- UPX 3.x Signature
    UPX_Example.UPX3_Signature = "6A 00 39 C4 75 ?? 83 EC 80 E9 ?? ?? ?? ??";
    
    -- Misc. variables.
    UPX_Example.bFirstBreak = true;
    
    -- Set breakpoint handler.
    debugger_onBreakpoint = UPX_Example.OnBreakpoint;
    
    -- Open target file for debugging.
    createProcess( TargetFile, "", true, true );
    return true;
end

----------------------------------------------------------------------------------
-- func: UPX_Example.OnBreakpoint( .. )
-- desc: Breakpoint handler when CE reaches a breakpoint.
----------------------------------------------------------------------------------
function UPX_Example.OnBreakpoint( )

    -- Entry point breakpoint.
    if( UPX_Example.bFirstBreak == true ) then
        UPX_Example.bFirstBreak = false;
        
        -- Scan for known UPX 3.x signature.
        local scanList = AOBScan( UPX_Example.UPX3_Signature );
        if( scanList == nil ) then
            showMessage( "[ERROR] Failed to locate signature. File not packed with UPX 3.x?" );
            debugger_onBreakpoint = nil;
            return 1;
        end
        
        -- Validate scan list has content.
        local scanCount = stringlist_getCount( scanList );
        if( scanCount == 0 ) then
            showMessage( "[ERROR] Scan list was empty. File not packed with UPX 3.x?" );
            debugger_onBreakpoint = nil;
            return 1;
        end
        
        -- Calculate jump address position.
        local jmpAddr = tonumber( "0x" .. stringlist_getString( scanList, 0 ) );
        jmpAddr = jmpAddr + 10;
        
        -- Read jump offset and calculate new address.
        local jmpOffset = readInteger( jmpAddr );
        jmpOffset = jmpOffset + jmpAddr + 4;
        
        -- Set breakpoint at real OEP.
        debug_setBreakpoint( jmpOffset );
        
        -- Cleanup stringlist.
        object_destroy( scanList );
        return 1;
    end

    -- Real OEP breakpoint. Display to user.
    showMessage( "Assumed real OEP: " .. string.format( "%x", EIP ) );
    
    -- Remove breakpoint handler.
    debugger_onBreakpoint = nil;
    
    -- Pause debugger at breakpoint.
    return 0;
end

-- Execute our script.
UPX_Example.Main();