ODbgScript
Scripts give much finer control over OllyDBG than clicking through the UI. What follows is based on Chapter 2 of the material on the 《加密与解密(第三版)》 CD image (ISO) and on the official ODbgScript documentation. Related files: OllyScript.
The OllyDBG shipped on the 《加密与解密》 CD comes with the ODbgScript plugin; version 1.82 of ODbgScript is used here. With ODbgScript入门系列.chm and ODBGScript.chm as references, the ODbgScript below was written, with comments explaining each command.
cmp $VERSION,"1.60"
;jae = jump if above or equal; refuse to run on an ODbgScript older than 1.60
jae ver_ok
msg "error"
ret
ver_ok:
;msg "ok"
var entry
;bp 0100137B
alloc 1000
log $RESULT
free $RESULT,1000
gpa "GetDlgItemTextA","user32.dll"
;GPA proc, lib, [0,1]  Get the address of the specified procedure in the specified library
bp $RESULT
log $RESULT
;esto  Executes SHIFT-F9 in OllyDbg. Run with Ignore Exceptions
erun
;erun  Shift+F9: pass the exception to the standard handler and run
bc $RESULT
;GMI addr, info
;Get information about the module to which the specified address belongs.
; MODULEBASE, MODULESIZE
; CODEBASE, CODESIZE
; ENTRY, NSECT, DATABASE
; EDATATABLE, EDATASIZE, IDATABASE, IDATATABLE
; RESBASE, RESSIZE, RELOCTABLE, RELOCSIZE
gmi eip,codebase
gmi eip,codesize
gmi 01002000,codesize
;GPI key
;Get process information, one of:
;HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE, PROCESSNAME, EXEFILENAME, CURRENTDIR, SYSTEMDIR
gpi MAINTHREADID
;ASM command: assemble an instruction at the given address
;asm eip, "call 01001811"
;asm eip, "mov eax, ecx"
;EXEC/ENDE
;Executes the instructions between EXEC and ENDE in the context of the target process. Values in curly braces {} are replaced by their values.
;PUSHA / POPA could be useful when you use this.
;exec
;mov eip,[eax]
;ende
;This bypasses ODbgScript and runs directly inside the debuggee, controlling the process directly. The current process state is saved first, then a new code memory area is allocated for the injected instructions.
;mov x, "eax"
;mov y, DEADBEEF
;exec
; mov {x}, {y}   ; mov eax, 0DEADBEEF will be executed
; mov ecx, {x}   ; mov ecx, eax will be executed
;ende
;msg eax
;DPE filename, ep
; Dumps the executable to a file with the specified name.
; The entry point is set to ep.
; The path is relative to the path of the currently loaded executable.
; Notes: * uses PEFileInfo.dwSizeOfImage
;        * applies dumpfix to PE.sectionHdr
;          (PointerToRawData = VirtualAddress
;           SizeOfRawData = VirtualSize)
;dpe "D:download2019-09-15Reverse02.exe", eip
;BPHWS addr, [mode]
;Set a hardware breakpoint.
;Mode can be "r" - read, "w" - write or "x" - execute (default)
;bphws 401000, "x"
var ImageBase
var PEheader
gmi eip,MODULEBASE
mov ImageBase,$RESULT
;find scans forward from ImageBase for the bytes "PE\0\0" and returns the first match.
;Caveat: the first match is not guaranteed to be the NT header (the DOS stub or padding can contain the same bytes);
;the exact location is the e_lfanew dword at [ImageBase+3C].
find ImageBase,#50450000#
mov PEheader,$RESULT
; mov DOSstub,[ImageBase],2   ; read only 2 bytes
; cmp DOSstub,5a4d            ; "MZ"
; jne end
; end:
; ret
log "ImageBase:"
log ImageBase
log "PEheader"
log PEheader
eval "ImageBase={ImageBase}"
wrt "PE.txt",$RESULT
msgyn "Use the pushad/popad method (Yes) or the plain ESP method (No)?"
cmp $RESULT,1
je pushad_way
msg "ESP method chosen"
jmp done
pushad_way:
msg "pushad/popad method chosen"
done:
ret
;The lines below are scratch notes; they are never reached because of the ret above.
;tocnd "eax == 0A280105"
;find eip,#0040??00#
log cl
sto
;clear the log window
;lclr
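The script above locates the PE header by scanning for "PE\0\0" from the module base and then logs the GMI fields (MODULEBASE, CODEBASE, CODESIZE, ENTRY, NSECT). The following is an added Python illustration, not ODbgScript and not code from the page or the book, of what those commands actually read from the image and why the scan is a shortcut worth knowing the limits of. The in-memory image is constructed for the demo: it is a minimal PE32 with a decoy "PE\0\0" inside the DOS stub at 0x50 and the real NT headers at 0x80, so a signature scan (the `find` equivalent) returns the wrong address while following e_lfanew at offset 0x3C returns the right one. The module base 0x01000000 and the header values (entry RVA 0x137B, three sections, SizeOfImage 0x6000) are assumed sample values.

```python
import struct

# Offsets and constants from the PE/COFF specification (IMAGE_DOS_HEADER, IMAGE_NT_HEADERS32)
DOS_E_LFANEW = 0x3C
PE_SIGNATURE = b"PE\x00\x00"
FILE_HEADER_SIZE = 20
OPT_MAGIC_PE32 = 0x10B


def build_sample_image():
    """Constructed minimal PE32 image for the demo (not a real binary).

    The DOS stub deliberately contains "PE\\0\\0" at 0x50, before the real
    NT headers at 0x80, to show why scanning for the signature is unreliable.
    """
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, DOS_E_LFANEW, 0x80)      # e_lfanew -> real headers
    img[0x50:0x54] = PE_SIGNATURE                        # decoy inside the DOS stub
    img[0x80:0x84] = PE_SIGNATURE                        # real signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x84 + FILE_HEADER_SIZE                        # IMAGE_OPTIONAL_HEADER32 at 0x98
    struct.pack_into("<H", img, opt, OPT_MAGIC_PE32)     # Magic
    struct.pack_into("<I", img, opt + 4, 0x1000)         # SizeOfCode
    struct.pack_into("<I", img, opt + 16, 0x137B)        # AddressOfEntryPoint (assumed sample RVA)
    struct.pack_into("<I", img, opt + 20, 0x1000)        # BaseOfCode
    struct.pack_into("<I", img, opt + 28, 0x01000000)    # preferred ImageBase
    struct.pack_into("<I", img, opt + 56, 0x6000)        # SizeOfImage
    return bytes(img)


def scan_for_pe(image, module_base):
    """Mimics `find ImageBase,#50450000#`: first "PE\\0\\0" at or after the module base."""
    idx = image.find(PE_SIGNATURE)
    return None if idx < 0 else module_base + idx


def module_info(image, module_base):
    """Mimics the GMI keys the script logs, but locates the headers via e_lfanew."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, DOS_E_LFANEW)[0]
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(image):
        raise ValueError("e_lfanew points outside the image")
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    fh = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, fh)
    opt = fh + FILE_HEADER_SIZE
    if opt_size < 60 or opt + 60 > len(image):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic != OPT_MAGIC_PE32:
        raise ValueError("only PE32 optional headers are handled here")
    size_of_code = struct.unpack_from("<I", image, opt + 4)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    base_of_code = struct.unpack_from("<I", image, opt + 20)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    return {
        "MODULEBASE": module_base,
        "MODULESIZE": size_of_image,
        "PEHEADER": module_base + e_lfanew,
        "ENTRY": module_base + entry_rva,          # what `gmi eip,ENTRY` reports
        "NSECT": nsect,
        "CODEBASE": module_base + base_of_code,    # what `gmi eip,CODEBASE` reports
        "CODESIZE": size_of_code,
        "PREFERRED_IMAGEBASE": image_base,
        "RELOCATED": image_base != module_base,    # ASLR/relocation moved the module
    }


if __name__ == "__main__":
    img = build_sample_image()
    base = 0x01000000  # assumed load address of the sample module
    print("scan result   : %08X (decoy hit)" % scan_for_pe(img, base))
    info = module_info(img, base)
    for key, value in info.items():
        print("%-19s: %s" % (key, "%08X" % value if isinstance(value, int) else value))
```

Run it as a script to see the two header addresses side by side. The RELOCATED flag is the check a practitioner adds before trusting addresses copied out of a dump or a script: the hard-coded `bp 0100137B` in the script above is only valid while the module really loads at its preferred base.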
Finally
The above is the ODbgScript study material collected and organized by 细心彩虹 for 靠谱客.