ODbgScript学习

101 阅读 0 评论 67 点赞

我是靠谱客的博主细心彩虹，这篇文章主要介绍ODbgScript学习，现在分享给大家，希望可以做个参考。

ODbgScript脚本可以更加灵活的控制OllyDBG,以下根据《加密与解密（第三版）》ISO的第二章和官方文档而写。相关文件：OllyScript

《加密与解密》的光盘中的OllyDBG自带ODbgScript插件，这里使用ODbgScript的1.82版本。参看ODbgScript入门系列.chm和ODBGScript.chm给出下面的ODbgScript和注释。

复制代码

cmp $VERSION,"1.60"
;jae jump if above or equal
jae ver_ok
	msg "error"
	ret
ver_ok:
	;msg "ok"

var entry

;bp 0100137B
alloc 1000
log $RESULT
free $RESULT,1000

gpa "GetDlgItemTextA","user32.dll"

;GPA proc, lib, [0,1]		Get the address of the specified procedure in the specified library
bp $RESULT
log $RESULT

;esto
;Executes SHIFT-F9 in OllyDbg. Run with Ignore Exceptions    e run
;Shift+F9	Pass exception to standard handler and run
bc $RESULT

;GMI addr, info
;Get information about a module to which the specified address belongs.
; MODULEBASE, MODULESIZE
; CODEBASE,   CODESIZE
; ENTRY, NSECT, DATABASE
; EDATATABLE, EDATASIZE    IDATABASE, IDATATABLE  
; RESBASE,    RESSIZE,     RELOCTABLE, RELOCSIZE
gmi eip,codebase
gmi eip,codesize
gmi 01002000,codesize

;GPI key
;Get process information, one of :
;HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE, PROCESSNAME, EXEFILENAME, CURRENTDIR, SYSTEMDIR

gpi MAINTHREADID
;x command
;asm eip, "call    01001811"
;asm eip, "mov eax, ecx"

;EXEC/ENDE
;Executes instructions between EXEC and ENDE in the context of the target process. Values in curly braces {} are replaced by their values.
;PUSHA / POPA commands could be useful when you use this.

;exec
;mov eip,[eax]
;ende
;越过ODbgScript直接跳入进程,对进程进行直接控制. 取当前进程的信息进行保存,然后新分配一个代码内存区.

;mov x, "eax"
;mov y, DEADBEEF
;exec
; 	mov {x}, {y} 	mov eax, 0DEADBEEF will be executed
; 	mov ecx, {x} 	mov ecx, eax will be executed
;ende
;msg eax

;DPE filename, ep
; Dumps the executable to file with specified name.
; Entry point is set to ep.
; Path is relative to the path of the currently loaded executable.
; Notes: * uses PEFileInfo.dwSizeOfImage
;   * Applies dumpfix to PE.sectionHdr
;     (PointerToRawData = VirtualAddress
;         SizeOfRawData = VirtualSize)

;dpe "D:download2019-09-15Reverse02.exe", eip

;BPHWS addr, [mode]
;Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute (default)
;bphws 401000, "x"

var ImageBase
var PEheader

gmi eip,MODULEBASE
mov ImageBase,$RESULT
find ImageBase,#50450000#
mov PEheader,$RESULT

; mov DOSstub,[modulebase],2    只取2个字节
; cmp DOSstub,5a4d              "MZ"
; jne end
; end:
; ret

log "ImageBase:"
log ImageBase
log "PEheader"
log PEheader

eval "ImageBase={ImageBase}"
wrt "PE.txt",$RESULT

msgyn "你是选择pushad/popad方式吗(是)?还是狭义ESP方式(否)"
cmp $RESULT,1
je esp
jne esp
esp:
	msg $RESULT
	ret

;tocnd "eax == 0A280105"
;find eip,#0040??00#

log cl
sto

;clear log window
;lclr

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
cmp $VERSION,"1.60"
;jae jump if above or equal
jae ver_ok
	msg "error"
	ret
ver_ok:
	;msg "ok"

var entry

;bp 0100137B
alloc 1000
log $RESULT
free $RESULT,1000

gpa "GetDlgItemTextA","user32.dll"

;GPA proc, lib, [0,1]		Get the address of the specified procedure in the specified library
bp $RESULT
log $RESULT

;esto
;Executes SHIFT-F9 in OllyDbg. Run with Ignore Exceptions    e run
;Shift+F9	Pass exception to standard handler and run
bc $RESULT

;GMI addr, info
;Get information about a module to which the specified address belongs.
; MODULEBASE, MODULESIZE
; CODEBASE,   CODESIZE
; ENTRY, NSECT, DATABASE
; EDATATABLE, EDATASIZE    IDATABASE, IDATATABLE  
; RESBASE,    RESSIZE,     RELOCTABLE, RELOCSIZE
gmi eip,codebase
gmi eip,codesize
gmi 01002000,codesize

;GPI key
;Get process information, one of :
;HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE, PROCESSNAME, EXEFILENAME, CURRENTDIR, SYSTEMDIR

gpi MAINTHREADID
;x command
;asm eip, "call    01001811"
;asm eip, "mov eax, ecx"

;EXEC/ENDE
;Executes instructions between EXEC and ENDE in the context of the target process. Values in curly braces {} are replaced by their values.
;PUSHA / POPA commands could be useful when you use this.

;exec
;mov eip,[eax]
;ende
;越过ODbgScript直接跳入进程,对进程进行直接控制. 取当前进程的信息进行保存,然后新分配一个代码内存区. 

;mov x, "eax"
;mov y, DEADBEEF
;exec
; 	mov {x}, {y} 	mov eax, 0DEADBEEF will be executed
; 	mov ecx, {x} 	mov ecx, eax will be executed
;ende
;msg eax


;DPE filename, ep
; Dumps the executable to file with specified name.
; Entry point is set to ep.
; Path is relative to the path of the currently loaded executable.
; Notes: * uses PEFileInfo.dwSizeOfImage
;   * Applies dumpfix to PE.sectionHdr
;     (PointerToRawData = VirtualAddress
;         SizeOfRawData = VirtualSize)

;dpe "D:download2019-09-15Reverse02.exe", eip

;BPHWS addr, [mode]
;Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute (default)
;bphws 401000, "x"

var ImageBase
var PEheader

gmi eip,MODULEBASE
mov ImageBase,$RESULT
find ImageBase,#50450000#
mov PEheader,$RESULT

; mov DOSstub,[modulebase],2    只取2个字节
; cmp DOSstub,5a4d              "MZ"
; jne end
; end:
; ret

log "ImageBase:"
log ImageBase
log "PEheader"
log PEheader

eval "ImageBase={ImageBase}"
wrt "PE.txt",$RESULT

msgyn "你是选择pushad/popad方式吗(是)?还是狭义ESP方式(否)"
cmp $RESULT,1
je esp
jne esp
esp:
	msg $RESULT
	ret

;tocnd "eax == 0A280105"
;find eip,#0040??00#

log cl
sto

;clear log window
;lclr