ODbgScript脚本可以更加灵活的控制OllyDBG,以下根据《加密与解密(第三版)》ISO的第二章和官方文档而写。相关文件:OllyScript
《加密与解密》的光盘中的OllyDBG自带ODbgScript插件,这里使用ODbgScript的1.82版本。参看ODbgScript入门系列.chm和ODBGScript.chm给出下面的ODbgScript和注释。
cmp $VERSION,"1.60"
;jae jump if above or equal
jae ver_ok
msg "error"
ret
ver_ok:
;msg "ok"
var entry
;bp 0100137B
alloc 1000
log $RESULT
free $RESULT,1000
gpa "GetDlgItemTextA","user32.dll"
;GPA proc, lib, [0,1] Get the address of the specified procedure in the specified library
bp $RESULT
log $RESULT
;esto
;Executes SHIFT-F9 in OllyDbg. Run with Ignore Exceptions e run
;Shift+F9 Pass exception to standard handler and run
bc $RESULT
;GMI addr, info
;Get information about a module to which the specified address belongs.
; MODULEBASE, MODULESIZE
; CODEBASE, CODESIZE
; ENTRY, NSECT, DATABASE
; EDATATABLE, EDATASIZE IDATABASE, IDATATABLE
; RESBASE, RESSIZE, RELOCTABLE, RELOCSIZE
gmi eip,codebase
gmi eip,codesize
gmi 01002000,codesize
;GPI key
;Get process information, one of :
;HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE, PROCESSNAME, EXEFILENAME, CURRENTDIR, SYSTEMDIR
gpi MAINTHREADID
;x command
;asm eip, "call 01001811"
;asm eip, "mov eax, ecx"
;EXEC/ENDE
;Executes instructions between EXEC and ENDE in the context of the target process. Values in curly braces {} are replaced by their values.
;PUSHA / POPA commands could be useful when you use this.
;exec
;mov eip,[eax]
;ende
;越过ODbgScript直接跳入进程,对进程进行直接控制. 取当前进程的信息进行保存,然后新分配一个代码内存区.
;mov x, "eax"
;mov y, DEADBEEF
;exec
; mov {x}, {y} mov eax, 0DEADBEEF will be executed
; mov ecx, {x} mov ecx, eax will be executed
;ende
;msg eax
;DPE filename, ep
; Dumps the executable to file with specified name.
; Entry point is set to ep.
; Path is relative to the path of the currently loaded executable.
; Notes: * uses PEFileInfo.dwSizeOfImage
; * Applies dumpfix to PE.sectionHdr
; (PointerToRawData = VirtualAddress
; SizeOfRawData = VirtualSize)
;dpe "D:download2019-09-15Reverse02.exe", eip
;BPHWS addr, [mode]
;Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute (default)
;bphws 401000, "x"
var ImageBase
var PEheader
gmi eip,MODULEBASE
mov ImageBase,$RESULT
find ImageBase,#50450000#
mov PEheader,$RESULT
; mov DOSstub,[modulebase],2 只取2个字节
; cmp DOSstub,5a4d "MZ"
; jne end
; end:
; ret
log "ImageBase:"
log ImageBase
log "PEheader"
log PEheader
eval "ImageBase={ImageBase}"
wrt "PE.txt",$RESULT
msgyn "你是选择pushad/popad方式吗(是)?还是狭义ESP方式(否)"
cmp $RESULT,1
je esp
jne esp
esp:
msg $RESULT
ret
;tocnd "eax == 0A280105"
;find eip,#0040??00#
log cl
sto
;clear log window
;lclr
最后
以上就是细心彩虹最近收集整理的关于ODbgScript学习的全部内容,更多相关ODbgScript学习内容请搜索靠谱客的其他文章。
本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
![ollyScript脱壳脚本 for ABC Cryptor(1.0)[-]](/uploads/reation/bcimg14.png)
发表评论 取消回复