I am 包容火, a blogger at 靠谱客 (kaopuke). This post is about practising OllyScript scripts, shared here for reference.

Preface

While reading unpacking material today I saw people using OD (OllyDbg) scripts to do the work, so I practised a little myself.
An OD script imitates manual debugging: anything you can do by hand (F7, F8, set a breakpoint, go, ...) the script can do as well.
OD scripts are quick to pick up; within a day you can write a script that does something useful.
If you are not yet familiar with the OD script commands, debugging the script itself may take some time.

Notes

I did two OD script exercises:
* an add calculator;
* a script that traces program flow, which may help when reading a crackme's registration algorithm and the branch points in its flow. It is specific to one crackme; to trace another one, the EIP range and the function whitelist in the script have to be changed.

I also found two OllyScript command references, one in English and one in Chinese.

Add calculator

// @filename MyOllyScript_add_calc.txt
// @brief add calculator

var Val1 // var => declare a variable
var Val2
var vSum
var vEip

LCLR // clear the Script log window
bc * // clear all F2 breakpoints (bc with no argument also clears all breakpoints)

GBPR // get the reason the last breakpoint was hit
mov vEip, eip
eval "EIP = {vEip}, breakpoint hit reason sn: {$RESULT}"
log $RESULT // log => write to the log window

eval "OllyDbgScript {$VERSION}, make add : a + b = c" // eval => string formatting; Chinese text is not supported
log $RESULT
msg $RESULT // msg => message box

ask "please input a" // ask => prompt with an input box; script values are hexadecimal
mov Val1, $RESULT
eval "a = {Val1}"
log $RESULT

ask "please input b"
mov Val2, $RESULT // mov => assignment
eval "b = {Val2}"
log $RESULT

mov vSum, Val1
add vSum, Val2 // add => addition
eval "{Val1} + {Val2} = {vSum}"
log $RESULT
msg $RESULT

ret // end of script

Flow-tracing script

// @filename MyOllyScript_log_trace.txt
// @brief Trace the flow of the main module: only trace code whose EIP is in the main module, never code in system modules.
// This imitates manual F7/F8 debugging: F7 into calls within the main module, F8 over calls into system APIs.
// It could be refined to skip tracing jmp instructions, which would help against obfuscating jumps.
// @note Run this script at the EP. It only targets the test program. To make it faster, go to the address of interest
// (e.g. the serial check) and trace from there; pure F7/F8 from the very start is far too slow.
// A whitelist can also be added to skip functions in the main module that are no longer of interest; that is easy to do.
// Tested: tracing only becomes fast once already-understood functions are skipped. Brute-force tracing is unacceptably slow.
// The test program is a command-line program that only prints three lines. With known functions whitelisted it is much
// faster and the time is acceptable: about one minute for the whole trace.
// Once the range to trace is fixed and some functions have been analysed (and whitelisted), tracing with the OD script plugin works quite well.
// To deal with obfuscating jumps, not tracing JMP instructions in this script should work.

var vDebugCodeLineCntCur // current value of the logged-line counter
var vDebugCodeLineMax // maximum value of the logged-line counter
var vEP // entry point
var vEIP // EIP
var vDisasmCmd // disassembled command
var vOpcodeSize // byte length of the disassembled instruction
var vNextCodeAddr // destination of the instruction; 0 means fall-through, otherwise it is compared against the module range to tell a DLL API from our own code
var vRegValue // value of the register in "call reg", e.g. ebp for call ebp
var vAddrTraceBegin // start of the trace range
var vAddrTraceEnd // end of the trace range
var vTmp // temporary

BEGIN:
LCLR // clear the Script log window
bc * // clear all F2 breakpoints
BPHWCALL // clear all hardware breakpoints

eval ">> trace begin ..."
log $RESULT

mov vDebugCodeLineCntCur, 0
mov vDebugCodeLineMax, 30

an eip // analyse first, so that OD does not pop up a "breakpoint may be in data" warning during F7/F8

GMI eip, ENTRY // get the EP
mov vEP, $RESULT
eval "EP = {vEP}"
log $RESULT

cmp vEP, eip
je BEGIN1
eval "the script need run from EP({vEP}), but EIP = ({eip})"
log $RESULT
jmp L_LOG_END

BEGIN1:
GMI eip, CODEBASE // code range of the main module
mov vAddrTraceBegin, $RESULT
mov vAddrTraceEnd, vAddrTraceBegin
eval "CODEBASE = {vAddrTraceBegin}"
log $RESULT
GMI eip, CODESIZE
add vAddrTraceEnd, $RESULT
eval "Code Range [{vAddrTraceBegin}, {vAddrTraceEnd}]"
log $RESULT

L_DO:
mov vEIP, eip
// Caveat: nothing below checks EIP itself against the range. If EIP ever lands outside the
// main module (F8 on a jmp still follows it, e.g. into an import thunk), the loop keeps
// single-stepping inside the DLL; a range check on vEIP here followed by rtu (run to user code)
// would bring the trace back to the main module.

/**
cmp vEIP, 00402621
jne L_DO0_1
go 0040262F // go blocks until the address is reached
jmp L_DO
*/

L_DO0_1:
GCI eip, COMMAND // disassembly of the instruction at EIP, e.g. "call ebp"
mov vDisasmCmd, $RESULT
eval "{vEIP} {vDisasmCmd}" // log the current instruction
log $RESULT

GCI eip, SIZE // instruction length in bytes, e.g. 2 for "ffd5 call ebp"
mov vOpcodeSize, $RESULT

// GCI eip, TYPE // returns 0x70, which only says "some kind of call"; not much use

GCI eip, DESTINATION // jump/call destination, 0 for other instructions
mov vNextCodeAddr, $RESULT

L_DO1:
cmp vNextCodeAddr, 0
je L_MAYBE_IS_MY_CODE_PRE

L_DO2:
cmp vNextCodeAddr, vAddrTraceBegin // destination outside the main module: do not trace into it
jb L_IS_NOT_MY_CODE
cmp vNextCodeAddr, vAddrTraceEnd
ja L_IS_NOT_MY_CODE

// From here on the destination is inside the main module.
// Skip calls that have nothing to do with the program's logic; tracing them is too slow.
// cmp vDisasmCmd, "call 004025B3" does not work; only the address can be compared (as below).
// Skip some code that runs before main. The addresses are specific to the crackme used for this experiment.

// pass 00402A05
cmp vNextCodeAddr, 00402A05
je L_PASS_WHITE_NAME_LIST
// pass 0040125B
cmp vNextCodeAddr, 0040125B
je L_PASS_WHITE_NAME_LIST
// pass 004026E5
cmp vNextCodeAddr, 004026E5
je L_PASS_WHITE_NAME_LIST
// pass 004025B3
cmp vNextCodeAddr, 004025B3 // hex literal; a trailing h is not allowed
je L_PASS_WHITE_NAME_LIST
// pass 00402366
cmp vNextCodeAddr, 00402366
je L_PASS_WHITE_NAME_LIST
// pass call 004022AD
cmp vNextCodeAddr, 004022AD
je L_PASS_WHITE_NAME_LIST
// pass 004013E2
cmp vNextCodeAddr, 004013E2
je L_PASS_WHITE_NAME_LIST
// pass call 00403EF7
cmp vNextCodeAddr, 00403EF7
je L_PASS_WHITE_NAME_LIST
// pass call 00403B33
cmp vNextCodeAddr, 00403B33
je L_PASS_WHITE_NAME_LIST
// pass 00402F80
cmp vNextCodeAddr, 00402F80
je L_PASS_WHITE_NAME_LIST
// pass 00401126
cmp vNextCodeAddr, 00401126
je L_PASS_WHITE_NAME_LIST
// pass 00401060
cmp vNextCodeAddr, 00401060
je L_PASS_WHITE_NAME_LIST
// pass 00401090
cmp vNextCodeAddr, 00401090
je L_PASS_WHITE_NAME_LIST
jmp L_IS_MY_CODE

L_PASS_WHITE_NAME_LIST:
jmp L_IS_NOT_MY_CODE

L_MAYBE_IS_MY_CODE_PRE:
// For "call reg" the destination is also 0.
// First check whether it is a 2-byte instruction.
cmp vOpcodeSize, 2
jne L_IS_NOT_MY_CODE
// For a 2-byte instruction, check whether it is a "call register".
// Only if it is not a "call register" is F7 safe.
// I found no effective way in the OllyDbgScript command set to
// * tell whether an instruction is a "call register"
// * get the register's value quickly if it is
// so for now it is an if-else chain, comparing against each "call register" in turn.
// Note: cmp on strings is case-sensitive, so this depends on the case OllyDbg uses in its
// disassembly; the command list includes SCMPI for a case-insensitive compare.
cmp vDisasmCmd, "call eax"
jne L_MAYBE_IS_MY_CODE_PRE1
mov vRegValue, eax
jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE1:
cmp vDisasmCmd, "call ebx"
jne L_MAYBE_IS_MY_CODE_PRE2
mov vRegValue, ebx
jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE2:
cmp vDisasmCmd, "call ecx"
jne L_MAYBE_IS_MY_CODE_PRE3
mov vRegValue, ecx
jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE3:
cmp vDisasmCmd, "call edx"
jne L_MAYBE_IS_MY_CODE_PRE4
mov vRegValue, edx
jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE4:
cmp vDisasmCmd, "call esi"
jne L_MAYBE_IS_MY_CODE_PRE5
mov vRegValue, esi
jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE5:
cmp vDisasmCmd, "call edi"
jne L_MAYBE_IS_MY_CODE_PRE6
mov vRegValue, edi
jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE6:
cmp vDisasmCmd, "call ebp"
jne L_IS_MY_CODE
mov vRegValue, ebp
jmp L_MAYBE_IS_MY_CODE_PRE_END

L_MAYBE_IS_MY_CODE_PRE_END:
// Every "call reg" is stepped over. vRegValue already holds the target, so comparing it against
// [vAddrTraceBegin, vAddrTraceEnd] here would allow F7 into "call reg" targets inside the main module.
jmp L_IS_NOT_MY_CODE

L_IS_MY_CODE: // destination inside the main module: F7
sti // F7
jmp L_WHILE

L_IS_NOT_MY_CODE: // destination outside the main module: F8
sto // F8
jmp L_WHILE

L_WHILE:
/**
inc vDebugCodeLineCntCur
cmp vDebugCodeLineMax, vDebugCodeLineCntCur
je L_LOG_END
*/
jmp L_DO

L_LOG_END:
eval "<< trace end :)"
log $RESULT
ret // end of script
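The whitelist in the script above has to be built by hand from the trace log: run the trace once, see which functions in the main module are called again and again, and add them as cmp/je pairs. As an added example (not part of the original post, and not OllyScript), the Python helper below automates that step. It reads the lines the trace script writes ("{vEIP} {vDisasmCmd}" plus the "Code Range [...]" line), counts direct "call <address>" targets that lie inside the main module's code range, and emits the cmp/je pairs in the exact format of the script's whitelist section. The log lines and every address in them are constructed for the example, and function names such as direct_call_targets are my own.

```python
import re
from collections import Counter

# Constructed sample log (invented addresses), in the "{vEIP} {vDisasmCmd}"
# shape the trace script logs; not real OllyDbg output.
SAMPLE_LOG = """\
>> trace begin ...
EP = 00402B40
Code Range [00401000, 00404000]
00402B40 call 00402A05
00402A05 push ebp
00402A08 call 00402366
00402366 push esi
00402367 call 00401060
00401060 mov eax,dword ptr [esp+4]
00401064 retn
0040236A call 00401060
00401060 mov eax,dword ptr [esp+4]
00401064 retn
0040236F retn
00402B45 call dword ptr [00405000]
00402B4B call 004025B3
004025B3 call ebp
00402B50 call 00401060
00402B55 call 7C801D7B
<< trace end :)
"""

LOG_LINE = re.compile(r"^([0-9A-Fa-f]{8}) (.+)$")
DIRECT_CALL = re.compile(r"^call ([0-9A-Fa-f]{8})$", re.IGNORECASE)
CODE_RANGE = re.compile(r"Code Range \[([0-9A-Fa-f]{8}), ([0-9A-Fa-f]{8})\]")


def parse_code_range(log_text):
    """Return (begin, end) of the main module's code range as ints, taken
    from the 'Code Range [...]' line the trace script logs; None if absent."""
    m = CODE_RANGE.search(log_text)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def direct_call_targets(log_text):
    """Count direct 'call <imm32>' targets inside the logged code range.
    'call reg' and 'call dword ptr [...]' are skipped: their target is not
    in the log line (the script's vNextCodeAddr is 0 for them anyway)."""
    rng = parse_code_range(log_text)
    if rng is None:
        raise ValueError("no 'Code Range' line; run the trace script first")
    begin, end = rng
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # banner, EP and range lines
        call = DIRECT_CALL.match(m.group(2).strip())
        if not call:
            continue
        target = int(call.group(1), 16)
        if begin <= target < end:         # inside the main module: candidate
            counts[target] += 1
    return counts


def whitelist_stanza(counts, min_calls=2, exclude=()):
    """Emit cmp/je pairs for the trace script's whitelist section, for
    targets called at least min_calls times. Pass the function you are
    actually studying in exclude so it is never skipped. Values are bare
    8-digit hex, which is what OllyScript expects (no 0x, no trailing h)."""
    keep = sorted(t for t, n in counts.items()
                  if n >= min_calls and t not in exclude)
    lines = []
    for target in keep:
        lines.append(f"// pass {target:08X} ({counts[target]} calls in trace)")
        lines.append(f"cmp vNextCodeAddr, {target:08X}")
        lines.append("je L_PASS_WHITE_NAME_LIST")
    return "\n".join(lines)


if __name__ == "__main__":
    print(whitelist_stanza(direct_call_targets(SAMPLE_LOG)))
```

Paste the printed stanza into the script between the range check and `jmp L_IS_MY_CODE`. The range test uses a half-open interval (end = CODEBASE + CODESIZE is one past the last byte), whereas the script's `ja vAddrTraceEnd` treats the end as inclusive; for whitelist purposes the difference does not matter.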

OD script command references I found

OD script commands - Chinese version (translated)

3.1.1 Reserved variables
------------------------

$RESULT
-------
<RESULT>
Holds the return value of certain commands, such as FIND.

$VERSION
--------
<VERSION>
Holds the OllyScript version.
Example:
cmp $VERSION, "0.8" // is the version above 0.8?
ja version_above_08

3.1.2 Commands
--------------

#INC "filename"
---------------
<INClude>
Includes the contents of one script file in another.
Example:
#inc "anotherscript.txt"

#LOG
----
<LOG>
Starts logging executed commands. They appear in OllyDbg's log window, each prefixed with "-->".
Example:
#log

ADD dest, src
-------------
<ADD>
Adds src to dest and stores the result in dest.
Example:
add x, 0F
add eax, x
add [401000], 5
add y, " times" // if y was "1000" before, y is "1000 times" afterwards

AI
--
<Animate Into>
Executes "Animate into" in OllyDbg.
Example:
ai

AN addr
-------
<ANalyze>
Analyzes the code starting at the given address.
Example:
an eip // same as pressing Ctrl+A in OllyDbg

AND dest, src
-------------
<AND>
ANDs src with dest and stores the result in dest.
Example:
and x, 0F
and eax, x
and [401000], 5

ASK question
------------
<ASK>
Shows an input box with the question and stores the user's entry in $RESULT (0 if Cancel was pressed).
Example:
ask "Enter new EIP"
cmp $RESULT, 0
je cancel_pressed
mov eip, $RESULT

ASM addr, command
-----------------
<ASseMble>
Assembles a command at the given address. The length of the assembled instruction is stored in $RESULT.
Example:
asm eip, "mov eax, ecx" // replace the current instruction with mov eax, ecx

AO
--
<Animate Over>
Executes "Animate over" in OllyDbg.
Example:
ao

BC addr
-------
<BreakPoint Clear>
Clears the breakpoint at the given address.
Example:
bc 401000
bc x
bc eip

BP addr
-------
<BreakPoint>
Sets a breakpoint at the given address.
Example:
bp 401000
bp x
bp eip

BPCND addr, cond
----------------
<BreakPoint on CoNDition>
Sets a conditional breakpoint at the given address.
Example:
bpcnd 401000, "ECX==1" // pause when execution reaches 401000 with ecx equal to 1

BPL addr, expr
--------------
<BreakPoint of Logging>
Sets a logging breakpoint at the given address that writes the value of expr to the log window.
Example:
bpl 401000, "eax" // log eax every time 401000 is executed

BPLCND addr, expr, cond
-----------------------
<BreakPoint of Logging on CoNDition>
Sets a logging breakpoint at the given address that logs expr when cond is true.
Example:
bplcnd 401000, "eax", "eax > 1" // log eax every time 401000 is executed with eax > 1

BPMC
----
<BreakPoint Memory Clear>
Clears the memory breakpoint.
Example:
bpmc

BPHWC addr
----------
<BreakPoint HardWare Clear>
Deletes the hardware breakpoint at the given address.
Example:
bphwc 401000 // clear the hardware breakpoint at 401000

BPHWS addr, mode
----------------
<BreakPoint HardWare Set>
Sets a hardware breakpoint at the given address. Mode is "r" (read), "w" (write) or "x" (execute).
Example:
bphws 401000, "x" // break when this address is executed

BPRM addr, size
---------------
<BreakPoint on Read Memory>
Sets a memory-read breakpoint at the given address; size is in bytes.
Example:
bprm 401000, FF

BPWM addr, size
---------------
<BreakPoint on Write Memory>
Sets a memory-write breakpoint at the given address; size is in bytes.
Example:
bpwm 401000, FF

CMP dest, src
-------------
<CoMPare>
Compares dest with src; works like its assembly counterpart.
Example:
cmp y, x
cmp eip, 401000

CMT addr, text
--------------
<CoMmenT>
Inserts a comment at the given address.
Example:
cmt eip, "This is the entry point" // comment the current address

COB
---
<Continue On Breakpoint>
Makes the script continue after a breakpoint occurs (removes EOB).
Example:
COB

COE
---
<Continue On Exception>
Makes the script continue after an exception occurs (removes EOE).
Example:
COE

DBH
---
<DeBugger Hide>
Hides the debugger.
Example:
dbh

DBS
---
<DeBugger Show>
Undoes DBH; the debugger is no longer hidden.
Example:
dbs

DEC var
-------
<DECrement by 1>
Subtracts 1 from the variable.
Example:
dec v

DM addr, size, file
-------------------
<Dump Memory>
Dumps size bytes of memory starting at addr to the given file.
Example:
dm 401000, 1F, "c:\dump.bin"

DMA addr, size, file
--------------------
<Dump Memory Appended>
Like DM, but appends to the file if it already exists.
Example:
dma 401000, 1F, "c:\dump.bin"

DPE file, ep
------------
<Dump Process with Entry point>
Dumps the executable module to the given file, setting its entry point to ep.
Example:
dpe "c:\test.exe", eip // entry point = current address, saved as C:\test.exe

EOB label
---------
<Execution On Breakpoint>
Jumps to the label when the next breakpoint occurs.
Example:
eob SOME_LABEL

EOE label
---------
<Execution On Exception>
Jumps to the label when the next exception occurs.
Example:
eoe SOME_LABEL

ESTI
----
<Exception STep Into>
Same as Shift+F7 in OllyDbg.
Example:
esti

ESTO
----
<Exception STep cOntinue>
Same as Shift+F9 in OllyDbg.
Example:
esto

EVAL
----
<EVALuate>
Evaluates a string containing variables. The variables must already be declared in the script and are written in curly braces {} inside the string. The result is stored in $RESULT.
Example:
var x
mov x, 1000
eval "The value of x is {x}" // afterwards $RESULT is "The value of x is 00001000"

EXEC/ENDE
---------
<EXECute/END of Execute>
Executes the instructions between EXEC and ENDE in the context of the debugged process. Values in curly braces are replaced by the variable's value.
Example:
// a mov
var x
var y
mov x, "eax"
mov y, "0DEADBEEF"
exec
mov {x}, {y} // mov eax, 0DEADBEEF is executed
mov ecx, {x} // mov ecx, eax is executed
ende

// call ExitProcess in the debugged process
exec
push 0
call ExitProcess
ende
ret

FILL addr, len, value
---------------------
<FILL>
Fills len bytes of memory starting at addr with value.
Example:
fill 401000, 10, 90 // 10h bytes of NOP

FIND addr, what
---------------
<FIND>
Searches memory starting at addr for the given bytes. On success $RESULT holds the address, otherwise 0. The pattern may contain the wildcard "??".
Example:
find eip, #6A00E8# // find a call whose first argument is 0 (push 0)
find eip, #6A??E8# // find a call with any one-byte argument

FINDOP addr, what
-----------------
<FIND OPcode>
Searches code starting at addr for an instruction that begins with the given bytes. On success $RESULT holds the address, otherwise 0. The pattern may contain the wildcard "??".
Example:
findop 401000, #61# // find next POPAD
findop 401000, #6A??# // find next PUSH of something

Translator's note: the difference between FIND and FINDOP:
Address   Bytes     Code
00401007  B8 3300   MOV EAX, 33
0040100C  33F6      XOR ESI, ESI
find 401007, #33#   // $RESULT is 401008
findop 401007, #33# // $RESULT is 40100C

GN addr
-------
<Get Name>
Gets the symbolic name at the address (e.g. an API function); the name is stored in $RESULT. If it is an API function, $RESULT_1 holds the library name (e.g. kernel32) and $RESULT_2 the symbol name (e.g. ExitProcess).
Example:
gn 401000

GPA function, dll
-----------------
<Get Procedure Address>
Gets the address of the function in the given DLL. On success $RESULT holds the address, otherwise 0. Handy for placing API breakpoints.
Example:
gpa "MessageBoxA", "user32.dll" // afterwards $RESULT is the address of MessageBoxA; use "bp $RESULT" to break on it

GO addr
-------
<GO>
Runs until the given address (like the G command in SoftICE).
Example:
go 401005

GMI addr, info
--------------
<Get Module Info>
Gets information about the module containing addr. info is MODULEBASE, MODULESIZE, CODEBASE or CODESIZE (contact the author if you want more in a future version). The result is stored in $RESULT (0 if not found).
Example:
GMI eip, CODEBASE // afterwards $RESULT is the code base of the current module

INC var
-------
<INCrement by 1>
Adds 1 to the variable.
Example:
inc v

JA label
--------
<Jump if Above>
Used after CMP; works like its assembly counterpart.
Example:
ja SOME_LABEL

JAE label
---------
<Jump if Above or Equal>
Used after CMP; works like its assembly counterpart.
Example:
jae SOME_LABEL

JB label
--------
<Jump if Below>
Used after CMP; works like its assembly counterpart.
Example:
jb SOME_LABEL

JBE label
---------
<Jump if Below or Equal>
Used after CMP; works like its assembly counterpart.
Example:
jbe SOME_LABEL

JE label
--------
<Jump if Equal>
Used after CMP; works like its assembly counterpart.
Example:
je SOME_LABEL

JMP label
---------
<JuMP>
Jumps to the given label.
Example:
jmp SOME_LABEL

JNE label
---------
<Jump if Not Equal>
Used after CMP; works like its assembly counterpart.
Example:
jne SOME_LABEL

LBL addr, text
--------------
<LaBeL insert>
Inserts a label at the given address.
Example:
lbl eip, "NiceJump"

LOG src
-------
<LOG>
Writes src to OllyDbg's log window. A string constant is logged as is; a variable or register is logged as its name and value.
Example:
log "Hello world" // logs "Hello world"
var x
mov x, 10
log x // logs "x = 00000010"

MOV dest, src
-------------
<MOVe>
Moves src into dest. src may be a hex byte sequence of the form #...#, e.g. #1234#. Note: the sequence must have an even number of hex digits (2, 4, 6, 8, ...).
Example:
mov x, 0F
mov y, "Hello world"
mov eax, ecx
mov [ecx], #00DEAD00BEEF00#
mov !CF, 1
mov !DF, !PF
mov [403000], "Hello world"

MSG message
-----------
<MeSsaGe>
Shows the message in a dialog box.
Example:
MSG "Script paused"

MSGYN message
-------------
<MeSsaGe Yes or No>
Shows the message in a dialog with Yes and No buttons. $RESULT is 1 for Yes, 0 for No.
Example:
MSGYN "Continue?"

OR dest, src
------------
<OR>
ORs src with dest and stores the result in dest.
Example:
or x, 0F
or eax, x
or [401000], 5

PAUSE
-----
<PAUSE>
Pauses the script; it can be resumed from the plugin menu.
Example:
pause

REPL addr, find, repl, len
--------------------------
<REPLace>
Within len bytes starting at addr, replaces find with repl. Wildcards are allowed.
Example:
repl eip, #6a00#, #6b00#, 10
repl eip, #??00#, #??01#, 10
repl 401000, #41#, #90#, 1F

RET
---
<RETurn>
Exits the script.
Example:
ret

RTR
---
<Run To Return>
Same as "Run to return" (Ctrl+F9) in OllyDbg.
Example:
rtr

RTU
---
<Run To User code>
Same as "Run to user code" (Alt+F9) in OllyDbg.
Example:
rtu

RUN
---
<RUN>
Same as F9 in OllyDbg.
Example:
run

SHL dest, n
-----------
<SHift Left>
Shifts dest left by n bits and stores the result in dest.
Example:
mov x, 00000010
shl x, 8 // x is now 00001000

SHR dest, n
-----------
<SHift Right>
Shifts dest right by n bits and stores the result in dest.
Example:
mov x, 00001000
shr x, 8 // x is now 00000010

STI
---
<STep Into>
Same as F7 (step into) in OllyDbg.
Example:
sti

STO
---
<STep Over>
Same as F8 (step over) in OllyDbg.
Example:
sto

SUB dest, src
-------------
<SUBtract>
Subtracts src from dest and stores the result in dest.
Example:
sub x, 0F
sub eax, x
sub [401000], 5

TI
--
<Trace Into>
Same as "Trace into" in OllyDbg.
Example:
ti

TICND cond
----------
<Trace Into CoNDition>
Executes "Trace into" until cond is true.
Example:
ticnd "eip > 40100A" // stop when eip > 40100A

TO
--
<Trace Over>
Same as "Trace over" in OllyDbg.
Example:
to

TOCND cond
----------
<Trace Over CoNDition>
Executes "Trace over" until cond is true.
Example:
tocnd "eip > 40100A" // stop when eip > 40100A

VAR
---
<VARiable>
Declares a variable in the script. Variables must be declared before use.
Example:
var x

XOR dest, src
-------------
<XOR>
XORs src with dest and stores the result in dest.
Example:
xor x, 0F
xor eax, x
xor [401000], 5

3.2 Labels
----------
A label is defined by writing its name followed by a colon.
Example:
SOME_LABEL:

3.3 Comments
------------
"//" starts a comment anywhere. A block comment must start on its own line with "/*" and end with "*/", which must also be on its own line.
Example:
/*
your comment
*/

3.4 Menu
--------
The OllyScript main menu contains:
- Run script...: choose a script and run it.
- Abort: abort the running script.
- Pause: pause the running script.
- Resume: resume the script.
- About: show information about this plugin.

------------------------------
4. Embedding in other plugins
------------------------------
You can call OllyScript from your own plugin and run a script, using code like this:

HMODULE hMod = GetModuleHandle("OllyScript.dll");
if(hMod) // check whether the plugin is loaded
{
    // get the address of the exported function
    int (*pFunc)(char*) = (int (*)(char*)) GetProcAddress(hMod, "ExecuteScript");
    if(pFunc) // check that the export was found
        pFunc("myscript.txt"); // run the script
}
------------------------------

OD script commands - English version

Commands and keywords:
#INC, #LOG, $RESULT, $RESULT_1, $RESULT_2, $RESULT_3, $RESULT_4, $VERSION, ADD, AI, ALLOC, AN, AND, AO, JA, ASK, ASM, ASMTXT, ATOI, STR, BC, BD, BEGINSEARCH, BP, BPCND, BPD, BPGOTO, BPHWC, BPHWS, BPL, BPLCND, BPMC, BPRM, BPWM, BPX, BUF, CMT, CMP, COB, COE, DBH, DBS, DEC, DIV, MODULEBASE, DM, DMA, DPE, EOB, EOE, ERUN, ESTI, EVAL, EXEC, ENDE, FILL, FIND, FINDCALLS, FINDCMD, FINDCMDS, FINDOP, FINDMEM, FREE, GAPI, GBPM, GBPR, GCI, GCMT, GMA, GMEMI, GMI, GN, GO, GOPI, GPA, GPI, GREF, GRO, HANDLE, HISTORY, INC, ITOA, JAE, JB, JBE, JE, JMP, JNE, KEY, LBL, LC, LCLR, LEN, LM, LOG, LOGBUF, MOV, MEMCPY, MSG, MSGYN, MUL, NEG, NOT, OR, OPCODE, OPENDUMP, OPENTRACE, PAUSE, POP, PREOP, PUSH, READSTR, REF, REPL, RET, REV, ROL, ROR, RTR, RTU, RUN, SCMP, SCMPI, SETOPTION, SHL, SHR, STI, STO, SUB, TC, TEST, TI, TICK, TICND, TO, TOCND, UNICODE, VAR, XOR, XCHG, WRT, NAMES, GMIMP, CLOSE, GSTR, MODULESIZE, CODEBASE, CODESIZE, MEMBASE, MEMSIZE, ENTRY, NSECT, DATABASE, RELOCTABLE, RELOCSIZE, LOADLIB, PID, HWND, GMEXP, ESTEP, GFO, SBP, GSL, BACKUP, RESBASE, RESSIZE, IDATABASE, IDATATABLE, EDATATABLE, EDATASIZE, NAME, PATH, MEMORYOWNER, VERSION, MEMORYBASE, MEMORYSIZE, STEP, esto, RBP, GLBL, HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE, PROCESSNAME, EXEFILENAME, CURRENTDIR, SYSTEMDIR, BPHWCALL, WRTA, JZ, JNZ, JG, JGE, POPA, pusha, olly

$RESULT:
--------
Return value for some functions like FIND etc. $RESULT_1 and $RESULT_2 are available for some commands.

$VERSION:
---------
Contains the current version of OllyScript.
Example:
cmp $VERSION, "0.8"
ja version_above_08

#INC: file
----------
Includes a script file in another script file.
Example:
#inc "anotherscript.txt"

#LOG:
-----
Enables logging of executed commands. The commands will appear in the OllyDbg log window, prefixed with -->
Example:
#log

ADD: dest, src
--------------
Adds src to dest and stores the result in dest.
Example:
add x, 0F
add eax, x
add [401000], 5
add y, " times" // If y was 1000 before this command then y is "1000 times" after it.

AI:
---
Executes "Animate into" in OllyDbg.
Example:
ai

ALLOC: size
-----------
Allocates a new memory page that you can read, write and execute.
Example:
alloc 1000
free $RESULT, 1000

AN: addr
--------
Analyzes the module which contains the address addr.
Example:
an eip // Same as pressing CTRL-A.

AND: dest, src
--------------
ANDs src and dest and stores the result in dest.
Example:
and x, 0F
and eax, x
and [401000], 5

AO:
---
Executes "Animate over" in OllyDbg.
Example:
ao

ASK: question
-------------
Displays an input box with the specified question and lets the user enter a response. Sets the reserved $RESULT variable (0 if the cancel button was pressed). The length is also available in $RESULT_1 (divided by 2 for hex entries).
Example:
ask "Enter new EIP"
cmp $RESULT, 0
je cancel_pressed
mov eip, $RESULT

ASM: addr, command [,version]
-----------------------------
Assembles a command at some address. Change the version number (0, 1, ...) to get alternative code bytes, if possible. Returns the number of bytes assembled in the reserved $RESULT variable.
Example:
asm eip, "mov eax, ecx"

ASMTXT: addr, file
------------------
Assembles a text asm file at some address.
Example:
asmtxt EIP, "myasm.txt"

ATOI: str [, base=16.]
----------------------
Converts a string to an integer; returns the integer in the reserved $RESULT variable.
Example:
atoi "F"
atoi "10", 10.

BACKUP: addr [,base,size]
-------------------------
Like OPENDUMP, creates a Dump window with the data at address, but this window keeps a backup of the data, which can be used to view changes. $RESULT is the HWND of the window, for future use.
Note: if you want to save data to a file, see the DM command (Dump Memory).
Example:
BACKUP esp
STO
STO

BC: [addr]
----------
Clears the unconditional breakpoint at addr. Without a parameter, clears all loaded breakpoints.
Example:
bc 401000
bc x
bc eip

BD: [addr]
----------
Disables the breakpoint at addr. Without a parameter, disables all loaded breakpoints.
Example:
bp 401000
BD 401000

BEGINSEARCH: [start]
--------------------
Creates a copy of the debugged application's memory; FIND commands then use this data, which is faster. You need to use ENDSEARCH before writing to memory and to free this memory copy. The gain is about 20% for 5000 loops, but could maybe be optimized.
Example:
mov count, 0
mov start, eip
beginsearch start
find #00#, start
...........
endsearch

BP: addr
--------
Sets an unconditional breakpoint at addr.
Example:
bp 401000
bp x
bp eip

BPCND: addr, cond
-----------------
Sets a breakpoint at address addr with condition cond.
Example:
bpcnd 401000, "ECX==1"

BPD: callname
-------------
Removes a breakpoint on a dll call set by BPX.

BPGOTO: addr, label
-------------------
Automatic jump to label on breakpoint (standard INT3 and hardware). EOB-like command.
Example:
bphws addr
bpgoto addr, MyLabel

BPHWC: [addr]
-------------
Deletes the hardware breakpoint at the specified address. Without an address, clears all hardware breakpoints.
Example:
bphwc 401000

BPHWS: addr, [mode]
-------------------
Sets a hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute (default).
Example:
bphws 401000, "x"

BPL: addr, expr
---------------
Sets a logging breakpoint at address addr that logs expression expr.
Example:
bpl 401000, "eax" // logs the value of eax every time this line is passed

BPLCND: addr, expr, cond
------------------------
Sets a logging breakpoint at address addr that logs expression expr if condition cond is true.
Example:
bplcnd 401000, "eax", "eax > 1" // logs the value of eax every time this line is passed and eax > 1

BPMC:
-----
Clears the memory breakpoint.
Example:
bpmc

BPRM: addr, size
----------------
Sets a memory breakpoint on read. Size is the size of memory in bytes.
Example:
bprm 401000, FF

BPWM: addr, size
----------------
Sets a memory breakpoint on write. Size is the size of memory in bytes.
Example:
bpwm 401000, FF

BPX: callname
-------------
Sets a breakpoint on a dll call.

BUF: var
--------
Converts a string/dword variable to a buffer.
Example:
mov s, "123"
buf s
log s // output "#313233#"

CLOSE: window
-------------
Closes an OllyDbg MDI window. The window parameter can be a constant or a HWND (like the $RESULT of OPENDUMP/BACKUP). Constants: SCRIPT, SCRIPTLOG, LOG, CPU, MODULES, MEMORY, THREADS, BREAKPOINTS, REFERENCES, SOURCELIST, WATCHES, WINDOWS, PATCHES, RUNTRACE, CALLSTACK, TEXT, FILE, HANDLES, SEH, SOURCE

CMP: dest, src [,size]
----------------------
Compares dest to src. Works like its ASM counterpart. See SCMP to compare strings or memory data.
Example:
cmp y, x
cmp eip, 401000

CMT: addr, text
---------------
Inserts a comment at the specified address.
Example:
cmt eip, "This is the entry point"

COB:
----
Makes the script continue execution after a breakpoint has occurred (removes EOB).
Example:
COB

COE:
----
Makes the script continue execution after an exception has occurred (removes EOE).
Example:
COE

DBH:
----
Hides the debugger.
Example:
dbh

DBS:
----
Unhides the debugger.
Example:
dbs

DEC: var
--------
Subtracts 1 from the variable.
Example:
dec v

DIV: op1, op2
-------------
Sets op1 to op1/op2.
Example:
div var, 2

DM: addr, size, file
--------------------
Dumps memory of the specified size from the specified address to the specified file (default path is that of the opened application).
Example:
dm 401000, 1F, "c:\dump.bin"

DMA: addr, size, file
---------------------
Dumps memory of the specified size from the specified address to the specified file, appending to that file if it exists.
Example:
dma 401000, 1F, "c:\dump.bin"

DPE: filename, ep
-----------------
Dumps the executable to a file with the specified name. The entry point is set to ep.
Example:
dpe "c:\test.exe", eip

EOB: label
----------
Transfers execution to the label on the next breakpoint.
Example:
eob SOME_LABEL

EOE: label
----------
Transfers execution to the label on the next exception.
Example:
eoe SOME_LABEL

ERUN:
-----
Executes SHIFT-F9 in OllyDbg: run, ignoring exceptions.
Example:
erun

ESTI:
-----
Executes SHIFT-F7 in OllyDbg.
Example:
esti

ESTEP:
------
Executes SHIFT-F8 in OllyDbg: step over, ignoring exceptions.
Example:
ESTEP

EVAL:
-----
Evaluates a string expression that contains variables. Variables declared in the current script can be enclosed in curly braces {} to be inserted. Sets the reserved $RESULT variable.
Example:
mov x, 1000
eval "The value of x is {x}" // after this $RESULT is "The value of x is 1000"

EXEC:/ENDE
----------
Executes the instructions between EXEC and ENDE in the context of the target process. Values in curly braces {} are replaced by their values.
Example:
exec
mov {x}, {y} // mov eax, 0DEADBEEF will be executed
mov ecx, {x} // mov ecx, eax will be executed
ende

FILL: addr, len, value
----------------------
Fills len bytes of memory at addr with value.
Example:
fill 401000, 10, 90 // NOP 10h bytes

FIND: addr, what
----------------
Searches memory starting at addr for the specified value. When found, sets the reserved $RESULT variable; $RESULT == 0 if nothing was found. The search string can also use the wildcard "??" (see below).
Example:
find eip, #6A00E8# // find a PUSH 0 followed by some kind of call
find eip, #6A??E8# // find a PUSH of any byte followed by some kind of call

FINDCALLS: addr [,name]
-----------------------
Finds all intermodular calls (dll calls) in the disasm area. You can filter results by label (case insensitive) with the optional second parameter. The Reference window is used and its content changed; GREF can then be used to get the result count and retrieve the results.
Example:
findcalls eip, "exit"

FINDCMD: addr, cmdstr
---------------------
Searches for asm command(s); a series can be searched with ";" as separator. This command uses OllyDbg's "Search for All Sequences" function, so it can find relative calls/jmps. The Reference window is used and its content changed. Use GREF to get the next results in the disasm window range.
Example:
findcmd eip, "xor R32,R32"

FINDCMDS:
---------
(This name could be deleted in future versions.) Same as FINDCMD.

FINDOP: addr, what
------------------
Searches code starting at addr for an instruction that begins with the specified bytes. When found, sets the reserved $RESULT variable; $RESULT == 0 if nothing was found. The search string can also use the wildcard "??".
Example:
findop 401000, #6A??# // find next PUSH of something

FINDMEM: what [, StartAddr]
---------------------------
Searches the whole memory for the specified value. When found, sets the reserved $RESULT variable; $RESULT == 0 if nothing was found. The search string can also use the wildcard "??".
Example:
findmem #6A00E8#, 00400000 // search after address 00400000

FREE: addr [, size]
-------------------
Frees a memory block allocated by ALLOC (or not). If size is not given, the whole block is freed.
Example:
alloc 1000
free $RESULT

GAPI: addr #BETA#
-----------------
Gets information about the API called at the given code address. $RESULT holds the API information; if the symbol is an API function, $RESULT_1 holds the library (e.g. kernel32), $RESULT_2 the symbol name (e.g. ExitProcess), $RESULT_3 the calling instruction (e.g. call xxxxx) and $RESULT_4 the destination.

GBPM: (beta)
------------
Gets the last memory breakpoint address; sets $RESULT to a dword value.

GBPR:
-----
Gets the last breakpoint reason; sets $RESULT to a dword value.
Example:
GBPR

GCI: addr, info
---------------
Gets information about an asm command. "info" can be:
- COMMAND for the asm command string (like OPCODE)
- DESTINATION for the destination of a jump/call/return
- SIZE for the number of command bytes
- TYPE for the command type (one of C_xxx, see the OllyDbg Plugin API)
Example:
GCI eip, DESTINATION

GCMT: addr
----------
Gets the comment, automatic comment or analysis comment at the specified code address.

GFO: addr
---------
Gets the file offset of the address.

GLBL: addr
----------
Gets the label at the address.

GMEXP: moduleaddr, info, [num]
------------------------------
Gets export addresses and names of a module. info can be ADDRESS, LABEL or COUNT.
Example:
gma "KERNEL32", MODULEBASE
mov addr, $RESULT
GMEXP addr, COUNT
log $RESULT
GMEXP addr, LABEL, 1
log $RESULT
GMEXP addr, ADDRESS, 1
log $RESULT

GMIMP: moduleaddr, info, [num]
------------------------------
Gets import addresses and names of a module. info can be ADDRESS, LABEL, MODULE, NAME or COUNT. LABEL gives a string like "KERNEL32.CopyFileEx", MODULE gives "KERNEL32" and NAME gives "CopyFileEx".
Example:
gma "USER32", MODULEBASE
mov addr, $RESULT
GMIMP addr, COUNT
log $RESULT
GMIMP addr, LABEL, 1
log $RESULT
GMIMP addr, ADDRESS, 1
log $RESULT

GMA: name, info
---------------
Calls GMI, but the parameter is the short name of the module.

GMEMI: addr, info
-----------------
Gets information about the memory block to which the specified address belongs. "info" can be MEMORYBASE, MEMORYSIZE or MEMORYOWNER. Sets the reserved $RESULT variable (0 if not found).
Example:
GMEMI addr, MEMORYBASE // After this $RESULT is the base address of the memory block to which addr belongs

GMI: addr, info
---------------
Gets information about the module to which the specified address belongs.
"info" can be : MODULEBASE, MODULESIZE, CODEBASE, CODESIZE, MEMBASE, MEMSIZE, ENTRY, NSECT, DATABASE, RELOCTABLE, RELOCSIZE,RESBASE, RESSIZE, IDATABASE, IDATATABLE, EDATATABLE, EDATASIZE. Example: GMI eip, CODEBASE // After this $RESULT is the address to the codebase of the module to which eip belongs ;; GN: addr ------- Gets the symbolic name of specified address (ex the API it poits to)Sets the reserved $RESULT variable to the name. If that name is an API $RESULT_1 is set to the library (ex kernel32) and $RESULT_2 to the name of the API (ex ExitProcess). Example: gn 401000 ;; GO: addr ------- Executes to specified address (like G in SoftIce) Example: go 401005 ;; GOPI: addr, index, info -------------- Gets information about operands of asm command,"index" is between 1 and 3 "info" can be : - TYPE Type of operand (extended set DEC_xxx, see OllyDbg Plugin API) - SIZE Size of operand, bytes - GOOD Whether address and data valid - ADDR Address if memory, index if register - DATA Actual value (only integer operands) Example: GOPI eip, 1, SIZE ;; GPA: proc, lib, [0,1] -------------------- Gets the address of the specified procedure in the specified library.When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.Useful for setting breakpoints on APIs. Example: gpa "MessageBoxA", "user32.dll" // After this $RESULT is the address of MessageBoxA and you can do "bp $RESULT". ;; GPI: key ------- Gets process information, one of : HPROCESS,PROCESSID,HMAINTHREAD,MAINTHREADID,MAINBASE,PROCESSNAME,EXEFILENAME, CURRENTDIR,SYSTEMDIR. ;; GREF: [line] ----------- Get Address from Reference Window at Line. First line is 1 because 0 is CPU Initial EIP. Without parameter, GREF results the Reference Window number of entries. Example: FINDCMD "push eax" GREF 1 ;; GRO: addr -------- Get Relative Offset When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found. 
;; GSTR: addr, [arg1] ----------------- Get String returns a null terminated string from addr, the string is at least arg1 characters returns in - $RESULT : the string - $RESULT_1 : len of string Example: gstr 401000 ; arg1 in this case is set to default (2 chars) gstr 401000, 20 ; must be at least 20 chars ;; GSL: [where] ----------- Get Selection Limits returns START/END addresses and SIZE from currently selected line(s) in CPUASM | CPUDUMP | CPUSTACK window in $RESULT, $RESULT_1 & $RESULT_2 arg can be either : CPUDASM, CPUDUMP, CPUSTACK. Default is CPUDASM Example: gsl CPUDUMP ;; HANDLE: x, y, class --------------------- Returns the handle of child window of specified class at point x,y (remember: in hex values). ;; HISTORY: (0,1) -------------- Enables or Disables Value history in Script Progress Window, could optimize loops Example: history 0 //disable history 1 //enable ;; INC: var ------- Adds 1 to variable Example: inc v ;; ITOA: n [, base=16.] ----------------- Converts an integer to string,Returns the string in the reserved $RESULT variable. Example: itoa F itoa 10., 10. ;; JA: label -------- Use this after cmp. Works like it's asm counterpart. Example: ja SOME_LABEL ;; JAE: label --------- Use this after cmp. Works like it's asm counterpart. Example: jae SOME_LABEL ;; JB: label -------- Use this after cmp. Works like it's asm counterpart. Example: jb SOME_LABEL ;; JBE: label --------- Use this after cmp. Works like it's asm counterpart. Example: jbe SOME_LABEL ;; JE: label (JZ) -------- Use this after cmp. Works like it's asm counterpart. Example: je SOME_LABEL ;; JMP: label --------- Unconditionally jump to a label. Example: jmp SOME_LABEL ;; JNE: label (JNZ) --------- Use this after cmp. Works like it's asm counterpart. Example: jne SOME_LABEL ;; KEY: vkcode [, shift [, ctrl]] -------------------------- Emulates global keyboard shortcut. 
Example: key 20 key 20, 1 //Shift+space key 20, 0, 1 //Ctrl+space ;; LBL: addr, text -------------- Inserts a label at the specified address Example: lbl eip, "NiceJump" ;; LC: ---- Clear Main Log Window ;; LCLR: ---- Clear Script Log Window ;; LEN: str -------------- Get length of a string Example: len "NiceJump" msg $RESULT ;; LM: addr, size, filename ------- load Dm file to mem,LM is the opposite of the DM command. Example: lm 0x401000, 0x100, "test.bin" ;; LOADLIB: dllname --------------- Load a dll into debugged program memory Could be usefull to set breakpoints on dynamically loaded library Returns address of loaded library Example: pusha loadlib "user32.dll" popa ;; LOG: src [,prefix] ------- Logs src to OllyDbg log window.If src is a constant string the string is logged as it is.If src is a variable or register its logged with its name.You can replace default prefix with the optional second parameter. Example: log "Hello world" // The string "Hello world" is logged ;; LOGBUF: var [,linecount [,separator]] ------------------------------------ Logs a string or buffer like a memory dump, usefull for long data ;; MOV: dest, src [,size] --------------------- Move src to dest. Src can be a long hex string in the format #<some hex numbers>#, for example #1234#. Remember that the number of digits in the hex string must be even, i.e. 2, 4, 6, 8 etc. Example: mov x, 0F mov y, "Hello world" ;; MEMCPY: dest,src,size -------------------- Copy app. memory from "src" address to "dst" address.This function is same as mov [dst],[src],size Example: MEMCPY dst,base,size ;; MSG: message ----------- Display a message box with specified message Example: MSG "Script paused" ;; MSGYN: message ------------- Display a message box with specified message and YES and NO buttons.Sets the reserved $RESULT variable to 1 if YES is selected and 0 otherwise. Example: MSGYN "Continue?" 
;; MUL: op1, op2 ------------ Sets op1 with op1*op2 Example: mul op1, 10 ;; NAMES: addr ---------- Open names Window for module (Like Ctrl + N) addr is the module address ;; NEG: op ------ Assembly Operation "neg eax" NOT: op ------ Assembly Operation "not eax" ;; OLLY: info --------- Gets information about ollydbg "info" can be : - PID retrieve the Ollydbg Process ID - HWND retrieve the main Ollydbg HWND Example: OLLY PID mov pid, $RESULT OLLY HWND mov hwnd, $RESULT ;; OR: dest, src ------------ ORs src and dest and stores result in dest Example: or x, 0F or eax, x or [401000], 5 ;; OPCODE: addr ----------- OPCODE sets the $RESULT variable to the opcode bytes, $RESULT_1 variable to mnemonic opcode (i.e. "MOV ECX,EAX") and $RESULT_2 to the length of the opcode. If an invalid opcode appears, $RESULT_2 should be 0. addr is increased by the length of the opcode (disassemble command). With this function you can step forward through code. Example: opcode 00401000 ;; OPENDUMP: addr [,base,size] -------------------------- Create a new Dump Window with data at address. ;; OPENTRACE: --------- Opens run trace window ;; PAUSE: ----- Pauses script execution. Script can be resumed from plugin menu. Example: pause ;; POP: dw ------ Retrieve dword from stack ;; POPA: ----- RESTORE all registers from plugin memory (saved with PUSHA) ;; PUSHA: ----- Save all register in plugin memory (to be restored by POPA) Stack is not used by this command ;; PREOP: addr ---------- Get asm command line address just before specified address. Attention: Will not give real executed command eip before the jump. Example: preop eip ;; PUSH: dw ------- Add dword to stack ;; RBP: [arg1] ---------- Restore Break Points arg1 = may be STRICT or nothing Restores all hardware and software breakpoints if arg1 == 'STRICT', all soft bp set by script will be deleted and only those have been set before it runs will be restored. 
If no argument set, previous soft bp will be appended to those set by script Return in: - $RESULT number of restored swbp - $RESULT_1 number of restored hwbp Example: rbp rbp STRICT ;; READSTR: str, len ------- Copy len chars of str into $RESULT ;; REF: addr, [LOCATION] -------------------- REF addr works as "Find references to .. Selected command" and "Find references", Ctrl R, in OllyDbg. Search LOCATION could be the MEMORY bloc (default), CODE of module, or whole MODULE $RESULT variable is set to the first reference addr $RESULT_1 to the opcode (text asm command) $RESULT_2 to the comment (like reference window). Repeat "REF addr" until $RESULT=0 to get next refs REF value counter is reset when addr changes or forced with addr = 0 Example: REF 0 // RESET REF continue: REF eip,CODE log $RESULT log $RESULT_1 log $RESULT_2 cmp $RESULT,0 jne continue ;; REPL: addr, find, repl, len -------------------------- Replace "find" with "repl" starting at "addr" for "len" bytes. Wildcards are allowed Example: repl eip, #6a00#, #6b00#, 10 repl eip, #??00#, #??01#, 10 repl 401000, #41#, #90#, 1F ;; RET: --- Exits script or return from CALL. Example: ret ;; REV: what -------- Reverse dword bytes. Example: rev 01020304 //$RESULT = 04030201 ;; ROL: op, count ------------- Assembly Operation "rol eax, cl" save in the target (first) operand. ;; ROR: op, count ------------- Assembly Operation "ror eax, cl" Example: mov x, 00000010 ROR x, 8 ;; RTR: --- Executes "Run to return" in OllyDbg, [Ctrl+F9] operation. Example: rtr ;; RTU: --- Executes "Run to user code" in OllyDbg, [Alt+F9] operation. Example: rtu ;; RUN: --- Executes F9 in OllyDbg, you can also use ERUN to ignore exceptions Example: run ;; SBP: --- Store Break Points stores all hardware and software breakpoints, to be restored with RBP return in: - $RESULT number of stored swbp - $RESULT_1 number of stored hwbp ;; SCMP: dest, src [,size] ------------- Compares strings dest to src. Works like it's ASM counterpart. 
Example: cmp x, "KERNEL32.DLL" cmp [eax], "Hello World", 11. je Label ;; SCMPI: dest, src [,size] ------------- Compares strings dest to src (case insentitive). Works like it's ASM counterpart. Example: cmp sVar, "KERNEL32.DLL" cmp [eax], "Hello", 5 jne Label ;; SETOPTION: --------- Open the OllyDBG Options Window, to change debugging parameters. Script will continue on close. ;; SHL: dest, src ------------- Shifts dest to the left src times and stores the result in dest. Example: mov x, 00000010 shl x, 8 // x is now 00001000 ;; SHR: dest, src ------------- Shifts dest to the right src times and stores the result in dest. Example: mov x, 00001000 shr x, 8 // x is now 00000010 ;; STEP: --- Execute F8 in OllyDbg. Same as STO Example: STEP ;; STI: --- Execute F7 in OllyDbg. STep Into. Example: sti ;; STO: --- Execute F8 in OllyDbg. STep Over. Example: sto ;; STR: var ------- Converts variable to a String (buffer or dword) ;; SUB: dest, src ------------- Reduce src from dest. Example: sub x, 0F sub eax, x sub [401000], 5 ;; TC: -- Cancels run trace in OllyDbg Example: tc ;; TEST: dest,src ------------- Performs a logical AND of the two operands updating the flags register without saving the result. (Modifies Flags: CF OF PF SF ZF (AF undefined)) ;; TI: -- Executes "Trace into" in OllyDbg, CTRL-F7 in OllyDbg. Example: ti ;; TICK: [var [,reftime]] ------------------- Set variable with script execution time (microsec),if reftime parameter is set, set $RESULT with time since reftime. if no parameter is set, function set $RESULT with execution time in text, in "<ssss mmm> ms" format ,var is declared automatically. 
Example: tick time ;; TICND: cond ---------- Traces into calls until cond is true Example: ticnd "eip > 40100A" // will stop when eip > 40100A ;; TO: -- Executes "Trace over" in OllyDbg Example: to ;; TOCND: cond ---------- Traces over calls until cond is true Example: tocnd "eip > 40100A" // will stop when eip > 40100A ;; UNICODE: enable -------------- Set Unicode Mode, not used for the moment Example: UNICODE 1 ;; VAR: --- Declare a variable to be used in the script. Example: var x ;; XOR: dest, src ------------- XORs src and dest and stores result in dest Example: xor x, 0F xor eax, x xor [401000], 5 ;; XCHG: dest, src -------------- Exchanges contents of source and destination. ;; WRT: file, data -------------- Write to file (replace existing one) the only accepted symbol is "rn" Numbers are wrote as strings... for the moment Example: wrt "out.txt", "Data:rnOkrn" wrt sFile, ebx ;; WRTA: file, data [, separator] ----------------------------- Append to file, default separator is "n" Example: wrta sFile, "hello world" wrta sFile, ABCD, "" wrta sFile, "Windows CR, "rn" ;; MODULEBASE: a parameter of GMI to get information about a module. ;; MODULESIZE: a parameter of GMI to get information about a module. ;; CODEBASE: a parameter of GMI to get information about a module. ;; CODESIZE: a parameter of GMI to get information about a module. ;; MEMBASE: a parameter of GMI to get information about a module. ;; MEMSIZE: a parameter of GMI to get information about a module. ;; ENTRY: a parameter of GMI to get information about a module. ;; NSECT: a parameter of GMI to get information about a module. ;; DATABASE: a parameter of GMI to get information about a module. ;; RELOCTABLE: a parameter of GMI to get information about a module. ;; RELOCSIZE: a parameter of GMI to get information about a module. ;; RESBASE: a parameter of GMI to get information about a module. ;; RESSIZE: a parameter of GMI to get information about a module. 
;; IDATABASE: a parameter of GMI to get information about a module. ;; IDATATABLE: a parameter of GMI to get information about a module. ;; EDATATABLE: a parameter of GMI to get information about a module. ;; EDATASIZE: a parameter of GMI to get information about a module. ;; NAME: a parameter of GMI to get information about a module. ;; PATH: a parameter of GMI to get information about a module. ;; VERSION: a parameter of GMI to get information about a module. ;; MEMORYBASE: a parameter of GMEMI to get information about a memory block to which the specified address belongs. ;; MEMORYSIZE: a parameter of GMEMI to get information about a memory block to which the specified address belongs. ;; MEMORYOWNER: a parameter of GMEMI to get information about a memory block to which the specified address belongs. ;; HPROCESS: a parameter of GPI to Gets process information. ;; PROCESSID: a parameter of GPI to Gets process information. ;; HMAINTHREAD: a parameter of GPI to Gets process information. ;; MAINTHREADID: a parameter of GPI to Gets process information. ;; MAINBASE: a parameter of GPI to Gets process information. ;; PROCESSNAME: a parameter of GPI to Gets process information. ;; EXEFILENAME: a parameter of GPI to Gets process information. ;; CURRENTDIR: ----------- a parameter of GPI to Gets process information. ;; SYSTEMDIR: ---------- a parameter of GPI to Gets process information. ;; NOT: op ------- Assembly Operation "not eax" ;; ENDE: Ends the assembly excution started by EXEC. ;; BPHWCALL: --------- Clears all hardware breakpoint. ;;; created: by britedream on 12/12/2009

2017_0617_1456

While working on a crackme, I located the call sites of the APIs I was interested in and set breakpoints at each API call site.
That manual work only has to be done once, so I wrote a script that sets the breakpoints; the script contains nothing but bp instructions.
Load the program into OD, load the script, and let the program run. It stops at the call sites of the API of interest (there are only a few); reading the context around those call sites reveals the program's flow logic.

// @filename setbp_setWindowTextA.osc
// @brief 对cm中调用SetWindowTextA的调用点下断点

// .text:00418A7C call fnSetWindowTextA_491C85
bp 00418A7C
// .text:004197F5 call fnSetWindowTextA_491C85
bp 004197F5
// .text:0041A1A5 call fnSetWindowTextA_491C85
bp 0041A1A5
// .text:0041A61F call fnSetWindowTextA_491C85
bp 0041A61F
// .text:0041B26A call fnSetWindowTextA_491C85
bp 0041B26A
// .text:0041BFBC call fnSetWindowTextA_491C85
bp 0041BFBC
// .text:0041E504 call fnSetWindowTextA_491C85
bp 0041E504
// .text:00421015 call fnSetWindowTextA_491C85
bp 00421015
// .text:004222C5 call fnSetWindowTextA_491C85
bp 004222C5
// .text:00423160 call fnSetWindowTextA_491C85
bp 00423160
// .text:0042329B call fnSetWindowTextA_491C85
bp 0042329B
// .text:004234F7 call fnSetWindowTextA_491C85
bp 004234F7
// .text:0042472D call fnSetWindowTextA_491C85
bp 0042472D
// .text:0042662E call fnSetWindowTextA_491C85
bp 0042662E
// .text:0042F59D call fnSetWindowTextA_491C85
bp 0042F59D
// .text:00436925 call fnSetWindowTextA_491C85
bp 00436925
// .text:0043775B call fnSetWindowTextA_491C85
bp 0043775B
// .text:00437B02 call fnSetWindowTextA_491C85
bp 00437B02
// .text:00437B16 call fnSetWindowTextA_491C85
bp 00437B16
// .text:00437B2B call fnSetWindowTextA_491C85
bp 00437B2B
// .text:00437C4A call fnSetWindowTextA_491C85
bp 00437C4A
// .text:00437CFE call fnSetWindowTextA_491C85
bp 00437CFE
// .text:0044E784 call fnSetWindowTextA_491C85
bp 0044E784
// .text:0044E953 call fnSetWindowTextA_491C85
bp 0044E953
// .text:0044ED88 call fnSetWindowTextA_491C85
bp 0044ED88
// .text:0044EDAB call fnSetWindowTextA_491C85
bp 0044EDAB
// .text:0044EDCE call fnSetWindowTextA_491C85
bp 0044EDCE
// .text:0044EDF1 call fnSetWindowTextA_491C85
bp 0044EDF1
// .text:0044EE34 call fnSetWindowTextA_491C85
bp 0044EE34
// .text:0044EE5A call fnSetWindowTextA_491C85
bp 0044EE5A
// .text:0044EE80 call fnSetWindowTextA_491C85
bp 0044EE80
// .text:0044EEB2 call fnSetWindowTextA_491C85
bp 0044EEB2
// .text:0044EF62 call fnSetWindowTextA_491C85
bp 0044EF62
// .text:0044EF8C call fnSetWindowTextA_491C85
bp 0044EF8C
// .text:0044F004 call fnSetWindowTextA_491C85
bp 0044F004
// .text:0044F12F call fnSetWindowTextA_491C85
bp 0044F12F
// .text:0044F15C call fnSetWindowTextA_491C85
bp 0044F15C
// .text:00453F8A call fnSetWindowTextA_491C85
bp 00453F8A
// .text:0045BC09 call fnSetWindowTextA_491C85
bp 0045BC09
// .text:0045C8AB call fnSetWindowTextA_491C85
bp 0045C8AB
// .text:0046A167 call fnSetWindowTextA_491C85
bp 0046A167
