
概述

前言

今天看脱壳资料, 看人家用OD脚本来干活, 自己也练习下.
OD脚本是模拟手工来干活, 只要手工可以F7, F8, 下断点, go等操作. OD脚本都可以模拟.
OD脚本学习起来很快, 1天就可以写出有实际功能的脚本了.
如果开始对OD脚本命令不熟, 可能调试花些时间.

记录

做了2个OD脚本练习.
* 加法计算器
* 一个trace程序流程用的脚本, 如果看cm注册算法实现和流程拐点, 可能有些用. 只针对某个cm, 如果trace其他cm, 脚本里面的EIP范围和函数白名单要改改.

找到了2个OD脚本命令说明文档, 一个英文版, 一个中文版

加法计算器

// @filename MyOllyScript_add_calc.txt
// @brief   Add-calculator exercise: ask the user for two values, add them and report the
//          sum in the script log window and in a message box.  Exercises var/mov/add/
//          eval/log/msg/ask.  Every statement has a visible side effect, so statement
//          order is part of the behaviour.
var Val1 // var => declare a script variable; first operand entered by the user
var Val2 // second operand entered by the user
var vSum // Val1 + Val2
var vEip // EIP captured when the script starts

LCLR // clear the script log window
bc * // clear all F2 breakpoints

GBPR // reason of the last breakpoint hit -> $RESULT
mov vEip, eip
eval "EIP = {vEip}, breakpoint hit reason sn: {$RESULT}"
log $RESULT // log => write to the script log window

eval "OllyDbgScript {$VERSION}, make add : a + b = c" // eval => string formatting; Chinese text is not supported
log $RESULT
msg $RESULT // msg => message box

ask "please input a" // ask => input box; $RESULT is 0 when the user presses Cancel, indistinguishable from entering 0
mov Val1, $RESULT

eval "a = {Val1}"
log $RESULT

ask "please input b"
mov Val2, $RESULT // mov => assignment

eval "b = {Val2}"
log $RESULT

mov vSum, Val1
add vSum, Val2 // add => addition (string operands are concatenated, see the ADD reference below)

eval "{Val1} + {Val2} = {vSum}"
log $RESULT
msg $RESULT

ret // end of script

trace流程的脚本

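// @filename MyOllyScript_log_trace.txt
// @brief   Trace the control flow of the main module only.  An instruction whose
//          jump/call/return target lies inside the main module's code section is
//          stepped into (F7); everything else -- calls into system DLLs and a
//          whitelist of main-module helpers that are not of interest -- is stepped
//          over (F8).  This mimics manual F7/F8 debugging.  Skipping JMPs, to cope
//          with obfuscated jump chains, could be added on the same decision tree.
// @note    Run this script at the entry point; it refuses to start anywhere else.
//          Brute-force F7/F8 from the EP is too slow to be practical: either GO to
//          the region of interest first (see the commented hook after L_DO) or extend
//          the whitelist with main-module functions that are already understood.
//          With the whitelist in place, the test program (a console program that
//          prints three lines) traces to completion in about one minute.
// @note    All hard-coded addresses below (whitelist entries and the GO hook) belong
//          to one specific test binary loaded at its preferred image base.  If the
//          module is rebased (relocation, a different build) they must be recomputed;
//          otherwise the whitelist silently matches nothing and the trace degrades to
//          brute force.  F8 (sto) lets the skipped callee run to completion inside the
//          debuggee, so whitelisted code and every system API really execute.

var vDebugCodeLineCntCur // number of F7/F8 steps executed so far
var vDebugCodeLineMax    // stop after this many steps; 0 = no limit (e.g. 30 for a quick test)

var vEP  // entry point of the main module (GMI ENTRY)
var vEIP // EIP at the start of the current iteration

var vDisasmCmd    // disassembly text of the current instruction, e.g. "call ebp"
var vOpcodeSize   // length of the current instruction in bytes
var vNextCodeAddr // GCI DESTINATION: 0 for non-branch instructions (and for "call reg"),
                  // otherwise the jump/call/return target that decides F7 vs F8
var vRegValue     // value of the register named by a "call reg" instruction

var vAddrTraceBegin // first byte of the main module's code section (GMI CODEBASE)
var vAddrTraceEnd   // last byte of the main module's code section, inclusive

var vTmp // scratch

BEGIN:
    LCLR     // clear the script log window
    bc *     // clear all INT3 (F2) breakpoints
    BPHWCALL // clear all hardware breakpoints

    eval ">> trace begin ..."
    log $RESULT

    mov vDebugCodeLineCntCur, 0
    mov vDebugCodeLineMax, 0 // 0 = unlimited; set a count to stop after that many steps

    an eip // analyse first, so F7/F8 does not pop up the "breakpoint in data" warning
    GMI eip, ENTRY
    mov vEP, $RESULT
    eval "EP = {vEP}"
    log $RESULT

    cmp vEP, eip
    je BEGIN1

    eval "the script need run from EP({vEP}), but EIP = ({eip})"
    log $RESULT
    jmp L_LOG_END

BEGIN1:
    // code section of the main module; GMI returns 0 when the info is not available
    GMI eip, CODEBASE
    mov vAddrTraceBegin, $RESULT
    cmp vAddrTraceBegin, 0
    je L_NO_MODULE_INFO
    eval "CODEBASE = {vAddrTraceBegin}" // was "{$vAddrTraceBegin}": user variables carry no "$",
    log $RESULT                          // and the formatted text was never logged

    GMI eip, CODESIZE
    mov vTmp, $RESULT
    cmp vTmp, 0
    je L_NO_MODULE_INFO
    mov vAddrTraceEnd, vAddrTraceBegin
    add vAddrTraceEnd, vTmp
    dec vAddrTraceEnd // CODEBASE + CODESIZE is one past the section; keep the range inclusive

    eval "Code Range [{vAddrTraceBegin}, {vAddrTraceEnd}]"
    log $RESULT
    jmp L_DO

L_NO_MODULE_INFO:
    eval "GMI could not get CODEBASE/CODESIZE for EIP = ({eip}), abort"
    log $RESULT
    jmp L_LOG_END

L_DO:
    mov vEIP, eip

/*
    Optional hook: run (blocking) to the region of interest before tracing.
    Both addresses belong to the test binary.
    cmp vEIP, 00402621
    jne L_DO0_1
    go 0040262F
    jmp L_DO
*/

    // NOTE(review): if EIP itself leaves the main module (e.g. a callback returning
    // into a DLL), this loop single-steps through DLL code; a range check on vEIP
    // followed by rtu would avoid that -- not added here, to keep the trace as logged.

L_DO0_1:
    GCI eip, COMMAND // disassembly text of the current instruction, e.g. "call ebp"
    mov vDisasmCmd, $RESULT

    eval "{vEIP} {vDisasmCmd}"
    log $RESULT

    GCI eip, SIZE // instruction length in bytes, e.g. 2 for "ffd5 call ebp"
    mov vOpcodeSize, $RESULT

    // GCI eip, TYPE only yields the C_xxx class (0x70 for a call) -- not enough to decide

    GCI eip, DESTINATION // 0 unless this is a jump/call/return with a resolvable target
    mov vNextCodeAddr, $RESULT

L_DO1:
    cmp vNextCodeAddr, 0
    je L_MAYBE_IS_MY_CODE_PRE

L_DO2:
    // target outside the main module's code section -> step over
    cmp vNextCodeAddr, vAddrTraceBegin
    jb L_IS_NOT_MY_CODE

    cmp vNextCodeAddr, vAddrTraceEnd
    ja L_IS_NOT_MY_CODE

    // The target is main-module code.  Whitelist: functions unrelated to the program
    // logic (code that runs before main, etc.) that are stepped over to keep the trace
    // fast.  Only addresses can be compared here -- cmp vDisasmCmd, "call 004025B3"
    // does not work -- and hex literals take no trailing "h".
    cmp vNextCodeAddr, 00402A05
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 0040125B
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 004026E5
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 004025B3
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 00402366
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 004022AD
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 004013E2
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 00403EF7
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 00403B33
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 00402F80
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 00401126
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 00401060
    je L_PASS_WHITE_NAME_LIST

    cmp vNextCodeAddr, 00401090
    je L_PASS_WHITE_NAME_LIST

    jmp L_IS_MY_CODE

L_PASS_WHITE_NAME_LIST:
    jmp L_IS_NOT_MY_CODE

L_MAYBE_IS_MY_CODE_PRE:
    // DESTINATION is 0 for ordinary instructions and also for "call reg", whose target
    // is only known from the register.  A "call reg" is a 2-byte instruction; anything
    // else without a destination is stepped over (for a non-call that equals a single
    // step, for an unresolved indirect call it is the safe default).
    cmp vOpcodeSize, 2
    jne L_IS_NOT_MY_CODE

    // No OllyScript command reports "call through a register" directly, so the common
    // forms are matched by text.
    // NOTE(review): the CMP reference points to SCMP/SCMPI for string compares and
    // GCI COMMAND may return upper-case text ("CALL EBP"); if none of these compares
    // ever hits, switch to scmpi.
    cmp vDisasmCmd, "call eax"
    jne L_MAYBE_IS_MY_CODE_PRE1

    mov vRegValue, eax
    jmp L_MAYBE_IS_MY_CODE_PRE_END

L_MAYBE_IS_MY_CODE_PRE1:
    cmp vDisasmCmd, "call ebx"
    jne L_MAYBE_IS_MY_CODE_PRE2

    mov vRegValue, ebx
    jmp L_MAYBE_IS_MY_CODE_PRE_END

L_MAYBE_IS_MY_CODE_PRE2:
    cmp vDisasmCmd, "call ecx"
    jne L_MAYBE_IS_MY_CODE_PRE3

    mov vRegValue, ecx
    jmp L_MAYBE_IS_MY_CODE_PRE_END

L_MAYBE_IS_MY_CODE_PRE3:
    cmp vDisasmCmd, "call edx"
    jne L_MAYBE_IS_MY_CODE_PRE4

    mov vRegValue, edx
    jmp L_MAYBE_IS_MY_CODE_PRE_END

L_MAYBE_IS_MY_CODE_PRE4:
    cmp vDisasmCmd, "call esi"
    jne L_MAYBE_IS_MY_CODE_PRE5

    mov vRegValue, esi
    jmp L_MAYBE_IS_MY_CODE_PRE_END

L_MAYBE_IS_MY_CODE_PRE5:
    cmp vDisasmCmd, "call edi"
    jne L_MAYBE_IS_MY_CODE_PRE6

    mov vRegValue, edi
    jmp L_MAYBE_IS_MY_CODE_PRE_END

L_MAYBE_IS_MY_CODE_PRE6:
    cmp vDisasmCmd, "call ebp"
    jne L_IS_MY_CODE // 2-byte instruction that is not a register call: step into

    mov vRegValue, ebp
    jmp L_MAYBE_IS_MY_CODE_PRE_END

L_MAYBE_IS_MY_CODE_PRE_END:
    // Classify the register target exactly like a direct one (range check + whitelist).
    // Previously vRegValue was computed and then ignored: every "call reg" was stepped
    // over, including calls that land inside the main module.
    mov vNextCodeAddr, vRegValue
    jmp L_DO2

L_IS_MY_CODE:
    sti // F7: the next instruction / target belongs to the main module
    jmp L_WHILE

L_IS_NOT_MY_CODE:
    sto // F8: run the callee (system API or whitelisted function) to completion
    jmp L_WHILE

L_WHILE:
    inc vDebugCodeLineCntCur
    cmp vDebugCodeLineMax, 0
    je L_DO // no step limit configured
    cmp vDebugCodeLineCntCur, vDebugCodeLineMax
    jb L_DO
    eval "step limit {vDebugCodeLineMax} reached"
    log $RESULT

L_LOG_END:
    eval "<< trace end :)"
    log $RESULT

    ret // end of script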

找到的OD脚本命令资料

OD脚本命令-中文版

3.1.1 保留变量
------------------------

$RESULT
-------
<RESULT>
保存某些函数的返回值,比如FIND函数,等等。

$VERSION
--------
<VERSION>
保存OllyScript,的版本信息
例:
  cmp $VERSION, "0.8"  //比较是否大于 0.8版
  ja version_above_08  

3.1.2 指令
--------------

#INC "文件名"  
---------
<INClude>
将一个脚本文件的内容包含到另外一个脚本文件中
例:
  #inc "anotherscript.txt"


#LOG
----
<LOG>
开始记录运行指令
指令会显示在OllyDbg的log窗口中,每条记录前都会加上“-->”的前缀
例:
  #log

ADD 目的操作数,源操作数
-------------
<ADD>
源操作数与目的操作数相加,并把相加的结果保存到目的操作数中。
例: 
  add x, 0F
  add eax, x
  add [401000], 5
  add y, " times" // 如果在次之前y="1000" ,则在执行完此指令之后y="1000 times"

AI
--
<Animate Into>
在OllyDbg中执行“自动步入” [Animate into]操作。
例:
  ai

AN 地址
-------
<ANalyze>
从指定处,对代码进行分析。
例:
  an eip // 相当于在OllyDbg中按 Ctrl+A键

AND 目的操作数, 源操作数
-------------
<AND>
源操作数与目的操作数进行逻辑与操作,并将结果保存到到目的操作数中。
例: 
  and x, 0F
  and eax, x
  and [401000], 5

ASK 问题
------------
<ASK>
显示一个提示输入框,让用户输入,并将结果保存到保留变量$RESULT中(如果用户按了取消键,则$RESULT=0)。
例:
  ask "Enter new EIP"
  cmp $RESULT, 0
  je cancel_pressed
  mov eip, $RESULT

ASM 地址, 指令
-----------------
<ASseMble>
修改指定地址的指令。
并将修改后的汇编指令长度保存到保留变量$RESULT中
例:
  asm eip, "mov eax, ecx" //将当前指令修改为 mov eax,ecx

AO
--
<Animate Over>
在OllyDbg中执行“自动步过” [Animate over]操作。
例:
  ao

BC 地址
-------
<BreakPoint Clear>
清除指定地址的断点。
例:
  bc 401000
  bc x
  bc eip

BP addr
--------
<BreakPoint>
在指定地址设断点
例:
  bp 401000
  bp x
  bp eip

BPCND 地址, 条件
----------------
<BreakPoint on CoNDition>
在指定地址处,设置条件断点。
例:
  bpcnd 401000, "ECX==1" //当 代码执行到401000且 ecx等于1 时,程序暂停

BPL 地址, 表达式
--------------
<BreakPoint of Logging>
在指定地址处设置记录断点,将表达式的结果记录到记录窗口中。
例:
  bpl 401000, "eax" // 每次执行到401000时,都将eax寄存器的结果记录

BPLCND 地址, 表达式, 条件
-----------------------
<BreakPoint of Logging on CoNDition>
在指定地址处设置记录断点,如果条件为真时,将表达式的结果记录到记录窗口中。
例:
  bplcnd 401000, "eax", "eax > 1" // 如果执行到401000时,满足eax>1,则将eax寄存器的结果记录

BPMC
----
<BreakPoint Memory Clear>
清除内存断点。
例:
  bpmc

BPHWC 地址
----------
<BreakPoint HardWare Clear>
删除指定地址处的硬件断点。
例:
  bphwc 401000 //清除 401000处的断点

BPHWS 地址, 模式
----------------
<BreakPoint HardWare Set>
在指定地址,设置硬件断点。有三种模式: "r" - 读取, "w" - 写入 或者 "x" - 执行.
例:
  bphws 401000, "x" //当执行到此地址时发生中断

BPRM 地址, 大小
---------------
<BreakPoint on Read Memory>
在指定地址处,设置一个内存读取断点。 “大小” 是指内存中的字节大小。
例:
  bprm 401000, FF  //一个字节

BPWM 地址, 大小
---------------
<BreakPoint on Write Memory>
在指定地址处,设置一个内存写入断点。“大小” 是指内存中的字节大小。
例:
  bpwm 401000, FF

CMP 目的操作数, 源操作数
-------------
<CoMPare>
比较 目的操作数与源操作数的大小,和其对应的汇编指令作用相同。
例: 
  cmp y, x
  cmp eip, 401000

CMT 地址, 字符串
--------------
<CoMmenT>
在指定地址处,加入注释。
例:
  cmt eip, "这是入口" //当前地址处 加上 “这是入口”的注释

COB
---
<Continue On Breakpoint>
发生中断后,让脚本继续执行(移除EOB指令)
例:
  COB

COE
---
<Continue On Exception>
发生异常后,让脚本继续执行(移除EOE指令)
例:
  COE

DBH
---
<DeBugger Hided> 
隐藏调试器
例:
  dbh

DBS
---
<DeBugger Show>
对隐藏的调试器操作进行恢复,不再隐藏。
例:
  dbs

DEC 变量
-------
<DECrement by 1>
对变量进行减一操作
例:
  dec v

DM 地址, 大小, 文件名
-------------------
<Dump Memory>
从指定地址处开始,在内存中提取指定大小的数据,并保存到指定的文件中
例:
  dm 401000, 1F, "c:\dump.bin"

DMA 地址, 大小, 文件名
-------------------
<Dump Memory Appended>
从指定地址处开始,在内存中提取指定大小的数据,并保存到指定的文件中;如果指定文件已存在,则将数据追加到指定文件尾部。
例:
  dma 401000, 1F, "c:\dump.bin"

DPE 文件名, 入口
----------------
<Dump Process with Entry point>
提取执行模块到指定文件中。
“入口”用来设定入口地址。
例:
  dpe "c:\test.exe", eip //入口为当前地址,保存为C盘下test.exe

EOB 标签
---------
<Execution On Breakpoint>
在下次中断发生时,跳转到指定标签处。
例:
  eob SOME_LABEL

EOE 标签
---------
<Execution On Exception>
在下次异常发生时,跳转到指定标签处。
例:
  eoe SOME_LABEL

ESTI
----
<Exception STep Into>
相当于在OllyDbg按 SHIFT-F7。
例:
  esti

ESTO
----
<Exception STep  cOntinue>
相当于在OllyDbg按 SHIFT-F9。
例:
  esto


EVAL
----
<EVALuate>
计算含义变量的表达式。
变量必须已经在脚本中声明。插到字符串中时,要放在用大括号{}中。
结果保存在保留变量$RESULT中。
例:
  var x
  mov x, 1000
  eval "x的值是 {x}" // 执行后$RESULT为 "x的值是 00001000"

EXEC/ENDE
---------
<EXECute/END of Execute>
对当前调试进程,执行在EXEC和ENDE之间的指令。
有大括号的,会被大括号中的变量的值替代。
例:
// 以下是做移动操作
var x
var y
mov x, "eax"
mov y, "0DEADBEEF"
exec
mov {x}, {y} // mov eax, 0DEADBEEF 将被执行
mov ecx, {x} // mov ecx, eax 将被执行
ende
// 以下是调用调试程序的ExitProcess函数
exec
push 0
call ExitProcess
ende
ret

FILL 地址, 长度, 值
---------------------
<FILL>
从指定地址开始,在内存中填充为指定长度的某个值
例:
fill 401000, 10, 90 // 10字节的 NOP 指令 

FIND 地址, 查找内容
---------------
<FIND>
从指定地址开始在内存中查找指定的内容。
如果查找成功,地址会保存到保留变量$RESULT中,否则$RESULT将等于 0。
查找的串支持通配符“??”(见下面的例子)。

例:
  find eip, #6A00E8# // 查找一个Call,其的第一个参数为0 (push 0)
  find eip, #6A??E8# // 查找一个带参数的Call

FINDOP 地址, 查找内容
-----------------
<FIND OPcode>
从指定地址开始查找指定一个指令,这个指令是以指定内容为开始的。 
如果查找成功,地址会保存到保留变量$RESULT中,否则$RESULT将等于 0。
查找的串支持通配符“??”(见下面的例子)。
例:
  findop 401000, #61# // find next POPAD
  findop 401000, #6A??# // find next PUSH of something

译者注:
对比一下FIND 和FINDOP的区别:
地址          数据                 代码
00401007      B8 3300          MOV     EAX, 33
0040100C      33F6                 XOR     ESI, ESI
find 401007,  #33#    //$RESULT等于401008
findop 401007, #33#  //$RESULT等于40100C

GN 地址
-------
<Get Name>
获得指定地址的符号名(比如指向API函数)。
符号名将保存到保留变量$RESULT中。如果符号名是一个API函数,则$RESULT_1保存链接库名(比如 kernal32)而 $RESULT_2保存符号名(比如 ExitProcess)。
例:
  gn 401000

GPA 函数名, 动态链接库名
-------------
<Get Procedure  Address>
在指定的动态链接库中,获得指定函数的地址。
如果查找成功,地址会保存到保留变量$RESULT中,否则$RESULT将等于 0。
在设置API函数断点时,这个指令非常有效。
例:
  gpa "MessageBoxA", "user32.dll" // 这条指令执行后,$RESULT等于函数MessageBoxA的地址,您可以使用"bp $RESULT"设置断点。

GO 地址
-------
<GO>
执行到指定地址处 (相当于SoftICE中的 G 命令)
例:
  go 401005

GMI 地址, 信息
--------------
<Get Module Info>
获得指定地址所在模块的相关信息。
“信息”可以是模块基地址[MODULEBASE], 模块大小[MODULESIZE], 代码段基地址[CODEBASE] 或者 代码段大小[CODESIZE] 
(如果您想在将来的版本中,获得更多的信息,请联系我)。
信息会保存到保留变量$RESULT中 (如果没有找到信息,则$RESULT等于0).
例:
  GMI eip, CODEBASE // 这条指令执行后,$RESULT等于当前所在模块的代码段基地址。

INC 变量
-------
<INCrement by 1>
对变量进行加一操作
例:
  inc v

JA 标签
--------
<Jump if Above>
在cmp命令后使用. 和其对应的汇编指令作用相同.
例:
  ja SOME_LABEL

JAE 标签
---------
<jump if Above or Equal>
在cmp命令后使用. 和其对应的汇编指令作用相同.
例:
  jae SOME_LABEL

JB 标签
--------
<Jump if Below>
在cmp命令后使用.  和其对应的汇编指令作用相同.
例:
  jb SOME_LABEL

JBE 标签
---------
<Jump if Below or Equal>
在cmp命令后使用。和其对应的汇编指令作用相同.
例:
  jbe SOME_LABEL

JE 标签
--------
<Jump if Equal>
在cmp命令后使用.  和其对应的汇编指令作用相同.
例:
  je SOME_LABEL

JMP 标签
---------
<JuMP>
跳转到指定标签.
例:
  jmp SOME_LABEL

JNE 标签
---------
<Jump if Not Equal>
在cmp命令后使用.  和其对应的汇编指令作用相同.
例:
  jne SOME_LABEL

LBL 地址, 字符串
--------------
<LaBel Insert>
在指定地址处插入一个标签
例:
  lbl eip, "NiceJump"

LOG 源操作数
-------
<log>
将源操作数输出到OllyDbg的记录窗口[log window]中。
如果源操作数 是一个字符串常量,则原样记录。
如果源操作数 是一个变量或一个寄存器,则记录名称及其存放的数值
例:
  log "Hello world" // 记录为 "Hello world"
  var x
  mov x, 10
  log x // 记录为 "x = 00000010" 

MOV 目的操作数, 源操作数
-------------
<MOVe>
将源操作数移动到目的操作数中。
源操作数可以是一个十六进制序列格式#某个十六进制序列#,例如:#1234#。
提醒:十六进制序列的位长只能是偶数,比如2, 4, 6, 8等等。
例: 
  mov x, 0F
  mov y, "Hello world"
  mov eax, ecx
  mov [ecx], #00DEAD00BEEF00#
  mov !CF, 1
  mov !DF, !PF
  mov [403000], "Hello world"

MSG 消息
-----------
<MeSsaGe>
将指定消息,显示到一个对话框中。
例:
  MSG "脚本暂停"

MSGYN message
-----------
<MeSsaGe Yes or No>
将指定消息,显示到一个对话框中,这个对话框有“是”、“否”按钮。
如果点“是”,保留变量 $RESULT 等于1,否则保留变量$RESULT等于0 。
例:
  MSGYN "继续?"

OR 目的操作数, 源操作数
-------------
<OR>
源操作数和目的操作数做逻辑或操作,并将结果保存到到目的操作数中。
例: 
  or x, 0F
  or eax, x
  or [401000], 5

PAUSE
-----
<PAUSE>
暂停脚本运行。可以通过插件菜单恢复脚本运行。
例:
  pause

REPL addr, find, repl, len
--------------------------
REPL 地址, 查找字符串, 替换字符串, 长度
--------------------------
<REPLace>
在指定地址开始,在指定长度字节内,用“替换字符串”替换“查找字符串”。
允许使用通配符
例:
  repl eip, #6a00#, #6b00#, 10
  repl eip, #??00#, #??01#, 10
  repl 401000, #41#, #90#, 1F

RET
---
<RETurn>
退出脚本。
例:
  ret

RTR
---
<Run To Return>
相当于在OllyDbg中执行 "Run to return" [Ctrl+F9]操作。
例:
  rtr

RTU
---
<Run To User code>
相当于在OllyDbg中执行 "Run to user code"[Alt+F9] 操作。
例:
  rtu

RUN
---
<RUN>
相当于在OllyDbg中按 F9。
例:
  run

SHL 目的操作数, n
-------------
左移目的操作数,n比特位;并将结果保存到到目的操作数中。
例:
  mov x, 00000010
  shl x, 8 // x is now 00001000

SHR目的操作数, n
-------------
<SHift Right>
右移目的操作数,n 比特位;并将结果保存到到目的操作数中。
例:
  mov x, 00001000
  shr x, 8 // x is now 00000010

STI
---
<STep Into>
相当于在OllyDbg中按 F7,单步步入。
例:
  sti

STO
---
<STep Over>
相当于在OllyDbg中按 F8,单步步过。
例:
  sto


SUB dest, src
-------------
Subtracts src from dest and stores result in dest
Example: 
  sub x, 0F
  sub eax, x
  sub [401000], 5

TI
--
<Trace Into>
相当于在OllyDbg中执行 "Trace into" 操作。
例:
  ti


TICND cond
----------
<Trace Into Condition>
执行 "Trace into" 操作,直到条件为真时停止。
例:
  ticnd "eip > 40100A" // 当 eip > 40100A 时停止

TO
--
<Trace Over>
相当于在OllyDbg中执行 "Trace over" 操作。
例:
  to

TOCND cond
----------
<Trace Over Condition>
执行 "Trace over" 操作,直到条件为真时停止。
例:
  tocnd "eip > 40100A" // 当 eip > 40100A 时停止

VAR
---
<VARiable>
在脚本中,声明一个变量。
必须在变量使用先声明。
例: 
  var x

XOR 目的操作数, 源操作数
-------------
<XOR>
源操作数与目的操作数进行异或操作,并将结果保存到到目的操作数中。
例: 
  xor x, 0F
  xor eax, x
  xor [401000], 5


3.2 标签
----------
定义标签,要在标签名后面要加上一个冒号.
例:
  SOME_LABEL:


3.3 注释
------------
您可以使用“//”在任何地方进行注释。
块注释必须另外起一行并以 “/*”做为开始,以“*/”作为结束,“*/”也必须另起一行。

例:
/*
您的注释
*/


3.4 菜单
---------
OllyScript的主菜单包含了下面几项:
- Run script...[运行脚本...]: 用户选择一个脚本,并运行这个脚本。
- Abort [中止]: 中止脚本运行
- Pause [暂停]: 暂停脚本运行
- Resume[恢复]: 恢复脚本运行
- About [关于]: 显示此插件信息

------------------------------

4. 嵌入其他的插件
---------------------------------
您可以在您的插件中调用OllyScrip,并且运行一个脚本。
使用类似于下面的代码进行调用:

// Embedding: locate the OllyScript plugin already loaded in the OllyDbg process and
// run a script file through its exported ExecuteScript(char *path) entry point.
HMODULE hMod = GetModuleHandle("OllyScript.dll");
if(hMod) // non-NULL only if the plugin DLL is loaded in this process
{
  // resolve the exported function by name
  int (*pFunc)(char*) = (int (*)(char*)) GetProcAddress(hMod, "ExecuteScript");
  if(pFunc) // NULL if the export could not be resolved
    pFunc("myscript.txt"); // run the script; the return value is not checked here
}

------------------------------

OD脚本命令-英文版

#INC,#LOG,$RESULT,$RESULT_1,$RESULT_2,$RESULT_3,$RESULT_4,$VERSION,ADD,AI,ALLOC,AN,AND,AO,JA,ASK,ASM,ASMTXT,ATOI,STR,BC,BD,BEGINSEARCH,BP,BPCND,BPD,BPGOTO,BPHWC,BPHWS,
BPL,BPLCND,BPMC,BPRM,BPWM,BPX,BUF,CMT,CMP,COB,COE,DBH,DBS,DEC,DIV,MODULEBASE,DM,DMA,DPE,EOB,EOE,ERUN,ESTI,EVAL,EXEC,ENDE,FILL,FIND,FINDCALLS,FINDCMD,
FINDCMDS,FINDOP,FINDMEM,FREE,GAPI,GBPM,GBPR,GCI,GCMT,GMA,GMEMI,GMI,GN,GO,GOPI,GPA,GPI,GREF,GRO,HANDLE,HISTORY,INC,ITOA,JAE,JB,JBE,JE,JMP,JNE,KEY,
LBL,LC,LCLR,LEN,LM,LOG,LOGBUF,MOV,MEMCPY,MSG,MSGYN,MUL,NEG,NOT,OR,OPCODE,OPENDUMP,OPENTRACE,PAUSE,POP,PREOP,PUSH,READSTR,REF,REPL,RET,REV,ROL,ROR,
RTR,RTU,RUN,SCMP,SCMPI,SETOPTION,SHL,SHR,STI,STO,SUB,TC,TEST,TI,TICK,TICND,TO,TOCND,UNICODE,VAR,XOR,XCHG,WRT,NAMES,GMIMP,CLOSE,GSTR,
MODULESIZE,CODEBASE,CODESIZE,MEMBASE,MEMSIZE,ENTRY,NSECT,DATABASE,RELOCTABLE,RELOCSIZE,LOADLIB,PID,HWND,GMEXP,ESTEP,GFO,SBP,GSL,BACKUP,
RESBASE,RESSIZE,IDATABASE,IDATATABLE,EDATATABLE,EDATASIZE,NAME,PATH,MEMORYOWNER,VERSION,MEMORYBASE,MEMORYSIZE,STEP,esto,RBP,GLBL,
HPROCESS,PROCESSID,HMAINTHREAD,MAINTHREADID,MAINBASE,PROCESSNAME,EXEFILENAME,CURRENTDIR,SYSTEMDIR,BPHWCALL,WRTA,JZ,JNZ,JG,JGE,POPA,pusha,olly


;;
$RESULT:  
-------
Return value for some functions like FIND etc.
$RESULT_1 and $RESULT_2 are available for some commands.
;;
ADD: dest, src 
-------------
Adds src to dest and stores result in dest
Example: 
         add x, 0F
         add eax, x
         add [401000], 5
         add y, " times" // If y was 1000 before this command then y is "1000 times"
       after it.
;;
ASK: question
------------
Displays an input box with the specified question and lets user enter a response.
Sets the reserved $RESULT variable (0 if cancel button was pressed).
You also have the length in $RESULT_1 (divided by 2 for hex entries).
Example:
       ask "Enter new EIP"
       cmp $RESULT, 0
       je cancel_pressed
       mov eip, $RESULT
;;
ASMTXT: addr, file
-----------------
Assemble a text asm file at some address.
Example:
    asmtxt EIP, "myasm.txt"
;;
$VERSION:
--------
Contains current version of OllyScript.
Example:
       cmp $VERSION, "0.8"
       ja version_above_08
;;
#INC: file
---------
Includes a script file in another script file.
Example:
       #inc "anotherscript.txt"
;;
#LOG:
----
Enables logging of executed commands.
The commands will appear in OllyDbg log window, and will be prefixed with -->
Example:
       #log
;;
ADD: dest, src
-------------
Adds src to dest and stores result in dest
Example: 
         add x, 0F
         add eax, x
         add [401000], 5
         add y, " times" // If y was 1000 before this command then y is "1000 times" 
       after it.
;;
AI:
--
Executes "Animate into" in OllyDbg
Example:
         ai
;;
ALLOC: size
----------
Allocate new memory page, you can read/write and execute.
Example:
       alloc 1000
       free $RESULT, 1000
;;
AN: addr
-------
Analyze module which contains the address addr.
Example:
       an eip // Same as pressing CTRL-A.
;;
AND: dest, src
-------------
ANDs src and dest and stores result in dest.
Example: 
       and x, 0F
       and eax, x
       and [401000], 5
;;
AO:
--
Executes "Animate over" in OllyDbg
Example:
       ao
;;
ASM: addr, command [,version]
----------------------------
Assemble a command at some address. 
Change version number (0,1,...) to get alternative code bytes, if possible.
Returns bytes assembled in the reserved $RESULT variable.
Example:
       asm eip, "mov eax, ecx"
;;
ASMTXT: addr, file
-----------------
Assemble a text asm file at some address.
Example:
       asmtxt EIP, "myasm.txt"
;;
ATOI: str [, base=16.]
-----------------
Converts a string to integer. Returns the integer in the reserved $RESULT variable.
Example:
       atoi "F"
       atoi "10", 10.
;;
BACKUP: addr [,base,size]
------------------------
Like OPENDUMP, create a Dump Window with data at address.
But this dump window keep a backup of data, which can be used to view changes
$RESULT is the HWND of window, for future use
Note: If you are looking to save data in a file, see the DM function (Dump Memory)
Example:
    BACKUP esp
    STO
    STO
;;
BC: [addr]
---------
Clear unconditional breakpoint at addr.Without parameter, the command clears all
loaded breakpoints. 
Example:
       bc 401000
       bc x
       bc eip
;;
BD: [addr]
---------
Disables breakpoint at addr.Without parameter, the command disables all loaded
breakpoints. 
Example:
       bp 401000
       BD 401000
;;
BEGINSEARCH: [start]
-------------------
Create a Copy of Debugged App Memory, Find commands will use this data faster.
You need to use ENDSEARCH before writing to memory and to free this memory copy.
Optimization time is 20% for 5000 loops... but could maybe be optimized.
Example:
       mov count, 0
       mov start, eip
       beginsearch start
       find #00#, start
       ...........
       endsearch
;;
BP: addr
--------
Set unconditional breakpoint at addr.
Example:
       bp 401000
       bp x
       bp eip
;;
BPCND: addr, cond
----------------
Set breakpoint on address addr with condition cond.
Example:
         bpcnd 401000, "ECX==1"
;;
BPD: callname
------------
Remove breakpoint on dll call set by BPX.
;;
BPGOTO: addr, label
------------------
Automatic jump to label on breakpoint (standard (INT3) and hardware). EOB-like command.
Example:
         bphws addr
         bpgoto addr, MyLabel
;;
BPHWC: [addr]
------------
Delete hardware breakpoint at a specified address.Without address, clear all hardware
breakpoints.
Example:
       bphwc 401000
;;
BPHWS: addr, [mode]
------------------
Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute (default).
Example:
       bphws 401000, "x"
;;
BPL: addr, expr
--------------
Sets logging breakpoint at address addr that logs expression expr.
Example:
       bpl 401000, "eax" // logs the value of eax everytime this line is passed
;;
BPLCND: addr, expr, cond
-----------------------
Sets logging breakpoint at address addr that logs expression expr if condition 
cond is true.
Example:
       bplcnd 401000, "eax", "eax > 1" // logs the value of eax everytime 
       this line is passed and eax > 1
;;
BPMC:
----
Clear the memory breakpoint.
Example:
         bpmc
;;
BPRM: addr, size
---------------
Set memory breakpoint on read. Size is size of memory in bytes.
Example:
       bprm 401000, FF
;;
BPWM: addr, size
---------------
Set memory breakpoint on write. Size is size of memory in bytes.
Example:
       bpwm 401000, FF
;;
BPX: callname
------------
Set breakpoint on dll call
;;
BUF: var
-------
Converts string/dword variable to a Buffer.
Example: 
       mov s, "123"
       buf s
       log s // output "#313233#
;;
CLOSE: window
------------
Close an Ollydbg MDI window
 window parameter can be a constant or a HWND (like $RESULT of OPENDUMP/BACKUP).
 SCRIPT, SCRIPTLOG, LOG, CPU
 MODULES, MEMORY, THREADS, BREAKPOINTS
 REFERENCES, SOURCELIST, WATCHES
 WINDOWS, PATCHES, RUNTRACE, CALLSTACK
 TEXT, FILE, HANDLES, SEH, SOURCE
;;
CMP: dest, src [,size]
---------------------
Compares dest to src. Works like its ASM counterpart. See SCMP to compare strings
or memory data.
Example: 
       cmp y, x
       cmp eip, 401000
;;
CMT: addr, text
--------------
Inserts a comment at the specified address.
Example:
       cmt eip, "This is the entry point".
;;
COB:
---
Makes script continue execution after a breakpoint has occurred (removes EOB).
Example:
       COB
;;
COE:
---
Makes script continue execution after an exception has occurred (removes EOE).
Example:
       COE
;;
DBH:
---
Hides debugger
Example:
       dbh
;;
DBS:
---
Unhides debugger
Example:
         dbs
;;
DEC: var
-------
Subtracts 1 from variable
Example:
       dec v
;;
DIV: op1, op2
------------
Sets op1 with op1/op2
Example:
       div var, 2
;;
DM: addr, size, file
-------------------
Dumps memory of specified size from specified address to specified file
(default path set from opened app.).
Example:
       dm 401000, 1F, "c:\dump.bin".
;;
DMA: addr, size, file
--------------------
Dumps memory of specified size from specified address to specified file,appending
to that file if it exists
Example:
       dma 401000, 1F, "c:\dump.bin".
;;
DPE: filename, ep
----------------
Dumps the executable to file with specified name.Entry point is set to ep.
Example:
       dpe "c:\test.exe", eip
;;
EOB: label
---------
Transfer execution to some label on next breakpoint.
Example:
       eob SOME_LABEL
;;
EOE: label
---------
Transfer execution to some label on next exception.
Example:
       eoe SOME_LABEL
;;
ERUN:
----
Executes SHIFT-F9 in OllyDbg. Run with Ignore Exceptions.
Example:
       erun.
;;
ESTI:
----
Executes SHIFT-F7 in OllyDbg.
Example:
       esti
;;
ESTEP:
----
Executes SHIFT-F8 in OllyDbg. Step Over ignoring Exceptions.
Example:
    ESTEP
;;
EVAL:
----
Evaluates a string expression that contains variables.The variables that are declared
in the current script can be enclosed in curly braces {} to be inserted.Sets 
the reserved $RESULT variable.
Example:
       mov x, 1000
       eval "The value of x is {x}" // after this $RESULT is "The value of x is 1000"
;;
EXEC:/ENDE
---------
Executes instructions between EXEC and ENDE in the context of the target process.
Values in curly braces {} are replaced by their values.
Examples:
        exec
        mov {x}, {y} // mov eax, 0DEADBEEF will be executed
        mov ecx, {x} // mov ecx, eax will be executed
        ende
;;
FILL: addr, len, value
---------------------
Fills len bytes of memory at addr with value
Example:
       fill 401000, 10, 90 // NOP 10h bytes
;;
FIND: addr, what
---------------
Searches memory starting at addr for the specified value.When found sets the reserved
$RESULT variable. $RESULT == 0 if nothing found.The search string can also use 
the wildcard "??" (see below).
Example:
       find eip, #6A00E8# // find a PUSH 0 followed by some kind of call
       find eip, #6A??E8# // find a PUSH of something followed by some kind of call
;;
FINDCALLS: addr [,name]
----------------------
Find all intermodular calls (dll calls) in the disasm area.You can filter results
by label (case insensitive) with the optional second parameter. Reference Window
is used and its content changed, Then can use GREF to get results count and retrieve
them.
Example:
       findcalls eip, "exit".
;;
FINDCMD: addr, cmdstr
--------------------
Search for asm command(s), you can search for series also with ";" separator.
This command uses "Search for All Sequences" Ollydbg function so could find 
relative calls/jmp Reference Window is used and its content changed You can use
GREF to get next results in disasm window range.
Example 1:
         findcmd eip, "xor R32,R32"
;;
FINDCMDS:(this function name could be deleted in future versions)
--------
Same as FINDCMD.
;;
FINDOP: addr, what
-----------------
Searches code starting at addr for an instruction that begins with the specified bytes. 
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
The search string can also use the wildcard "??" (see below).
Example:
       findop 401000, #6A??# // find next PUSH of something.
;;
FINDMEM: what [, StartAddr]
--------------------------
Searches whole memory for the specified value.When found sets the reserved $RESULT
variable. $RESULT == 0 if nothing found.The search string can also use the wildcard
"??" (see below).
Example:
       findmem #6A00E8#, 00400000 // search it after address 0040.0000.
;;
FREE: addr [, size]
------------------
Free memory block allocated by ALLOC (or not).
If size not given, drop the whole memory block.
Example:
      alloc 1000
      free $RESULT
;;
GAPI: addr #BETA#
---------
## Chinese Translation ## 
Obtains the code place API call information,The API information saves in preservation
variable $RESULT.If the symbolic name is a API function, then:
$RESULT saves the API information.
$RESULT_1 save link base/storehouse (for instance kernel32).
$RESULT_2 save symbolic name (for instance ExitProcess).
$RESULT_3 save calling location (for instance call xxxxx).
$RESULT_4 save destination.
;;
GBPM: (beta)
----
Get last memory breakpoint address, affects $RESULT with dword value
;; 
GBPR:
----
Get last breakpoint reason, affects $RESULT with dword value
Example:
       GBPR
;;
GCI addr, info
--------------
Gets information about asm command
"info" can be :
              - COMMAND for asm command string (like OPCODE)
              - DESTINATION for Destination of jump/call/return
              - SIZE for number of command bytes
              - TYPE for asm command string (one of C_xxx, see OllyDbg Plugin API)
Example:
       GCI eip, DESTINATION
;;
GCMT: addr
---------
Gets the comment, automatic comment or analyse's comment at specified code address
;;
GFO: addr
--------
Get File Offset of address
;;
GLBL: addr
---------
Get Label at address
;;
GMEXP: moduleaddr, info, [num]
-----------------------------
Get Export Address and Names in a module info can be ADDRESS, LABEL, COUNT
Example:
    gma "KERNEL32", MODULEBASE
    mov addr, $RESULT
    GMEXP addr, COUNT
    log $RESULT
    GMEXP addr, LABEL, 1
    log $RESULT
    GMEXP addr, ADDRESS, 1
    log $RESULT
;;
GMIMP: moduleaddr, info, [num]
-----------------------------
Get Import address and names in a module info can be ADDRESS, LABEL, MODULE, NAME, COUNT
if LABEL results string like "KERNEL32.CopyFileEx"
MODULE results "KERNEL32"
NAME results "CopyFileEx"
Example:
    gma "USER32", MODULEBASE
    mov addr, $RESULT
    GMIMP addr, COUNT
    log $RESULT
    GMIMP addr, LABEL, 1
    log $RESULT
    GMIMP addr, ADDRESS, 1
    log $RESULT
;;
GMA: name, info
--------------
Calls GMI, but parameter is short name of the module
;;
GMEMI: addr, info
----------------
Gets information about a memory block to which the specified address belongs.
"info" can be MEMORYBASE, MEMORYSIZE or MEMORYOWNER.Sets the reserved $RESULT
variable (0 if data not found).
Example:
       GMEMI addr, MEMORYBASE // After this $RESULT is the address to the memory
       base of the memory block to which addr belongs
;;
GMI: addr, info
--------------
Gets information about a module to which the specified address belongs.
"info" can be :
              MODULEBASE, MODULESIZE, CODEBASE, CODESIZE, MEMBASE, MEMSIZE, 
              ENTRY, NSECT, DATABASE, RELOCTABLE, RELOCSIZE,RESBASE, RESSIZE,
              IDATABASE, IDATATABLE, EDATATABLE, EDATASIZE.
Example:
       GMI eip, CODEBASE // After this $RESULT is the address to the codebase of
       the module to which eip belongs
;;
GN: addr
-------
Gets the symbolic name of specified address (ex the API it points to). Sets the
reserved $RESULT variable to the name. If that name is an API $RESULT_1 is set
to the library (ex kernel32) and $RESULT_2 to the name of the API (ex ExitProcess).
Example:
       gn 401000
;;
GO: addr
-------
Executes to specified address (like G in SoftIce)
Example:
       go 401005
;;
GOPI: addr, index, info
--------------
Gets information about operands of asm command,"index" is between 1 and 3
"info" can be :
              - TYPE Type of operand (extended set DEC_xxx, see OllyDbg Plugin API)
              - SIZE Size of operand, bytes
              - GOOD Whether address and data valid
              - ADDR Address if memory, index if register
              - DATA Actual value (only integer operands)
Example:
       GOPI eip, 1, SIZE
;;
GPA: proc, lib, [0,1]
--------------------
Gets the address of the specified procedure in the specified library.When found
sets the reserved $RESULT variable. $RESULT == 0 if nothing found.Useful for setting
breakpoints on APIs.
Example:
       gpa "MessageBoxA", "user32.dll" // After this $RESULT is the address
       of MessageBoxA and you can do "bp $RESULT".
;;
GPI: key
-------
Gets process information, one of :
HPROCESS,PROCESSID,HMAINTHREAD,MAINTHREADID,MAINBASE,PROCESSNAME,EXEFILENAME,
CURRENTDIR,SYSTEMDIR.
;;
GREF: [line]
-----------
Get Address from Reference Window at Line. First line is 1 because 0 is CPU Initial EIP.
Without parameter, GREF results the Reference Window number of entries.
Example:
       FINDCMD "push eax"
       GREF 1
;;
GRO: addr
--------
Get Relative Offset
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
;;
GSTR: addr, [arg1]
-----------------
Get String: returns the null-terminated string at addr; the string must be at least
arg1 characters long. Returns in
- $RESULT    : the string
- $RESULT_1  : len of string
Example:
    gstr 401000     ; arg1 in this case is set to default (2 chars)
    gstr 401000, 20 ; must be at least 20 chars
;;
GSL: [where]
-----------
Get Selection Limits
returns START/END addresses and SIZE from currently selected line(s) in 
CPUASM | CPUDUMP | CPUSTACK window in $RESULT, $RESULT_1 & $RESULT_2
arg can be either : CPUDASM, CPUDUMP, CPUSTACK. Default is CPUDASM
Example:
    gsl CPUDUMP
;;
HANDLE: x, y, class
---------------------
Returns the handle of the child window of the specified class at point x,y
(remember: in hex values).
;;
HISTORY: (0,1)
--------------
Enables or disables the value history in the Script Progress Window; disabling it can speed up loops.
Example:
       history 0 //disable
       history 1 //enable
;;
INC: var
-------
Adds 1 to variable
Example:
       inc v
;;
ITOA: n [, base=16.]
-----------------
Converts an integer to a string. Returns the string in the reserved $RESULT variable.
Example:
       itoa F
       itoa 10., 10.
;;
JA: label
--------
Use this after cmp. Works like its asm counterpart.
Example:
       ja SOME_LABEL
;;
JAE: label
---------
Use this after cmp. Works like its asm counterpart.
Example:
       jae SOME_LABEL
;;
JB: label
--------
Use this after cmp. Works like its asm counterpart.
Example:
       jb SOME_LABEL
;;
JBE: label
---------
Use this after cmp. Works like its asm counterpart.
Example:
       jbe SOME_LABEL
;;
JE: label (JZ)
--------
Use this after cmp. Works like its asm counterpart.
Example:
       je SOME_LABEL
;;
JMP: label
---------
Unconditionally jump to a label.
Example:
       jmp SOME_LABEL
;;
JNE: label (JNZ)
---------
Use this after cmp. Works like its asm counterpart.
Example:
       jne SOME_LABEL
;;
KEY: vkcode [, shift [, ctrl]]
--------------------------
Emulates global keyboard shortcut.
Example:
       key 20
       key 20, 1 //Shift+space
       key 20, 0, 1 //Ctrl+space
;;
LBL: addr, text
--------------
Inserts a label at the specified address
Example:
       lbl eip, "NiceJump"
;;
LC:
----
Clear Main Log Window
;;
LCLR:
----
Clear Script Log Window
;;
LEN: str
--------------
Get length of a string
Example:
       len "NiceJump"
       msg $RESULT
;;
LM: addr, size, filename
-------
Loads a file saved with DM back into memory; LM is the opposite of the DM command.
Example:
       lm 0x401000, 0x100, "test.bin"
;;
LOADLIB: dllname
---------------
Load a dll into debugged program memory
Could be useful to set breakpoints on a dynamically loaded library
Returns address of loaded library
Example:
    pusha
    loadlib "user32.dll"
    popa
;;
LOG: src [,prefix]
-------
Logs src to the OllyDbg log window. If src is a constant string, the string is logged
as it is. If src is a variable or register, it is logged with its name. You can replace
the default prefix with the optional second parameter.
Example:
       log "Hello world" // The string "Hello world" is logged
;;
LOGBUF: var [,linecount [,separator]]
------------------------------------
Logs a string or buffer like a memory dump; useful for long data
;;
MOV: dest, src [,size]
---------------------
Move src to dest.
Src can be a long hex string in the format #<some hex numbers>#, for example #1234#.
Remember that the number of digits in the hex string must be even, i.e. 2, 4, 6, 8 etc.
Example: 
       mov x, 0F
       mov y, "Hello world"
;;
MEMCPY: dest,src,size
--------------------
Copies application memory from the "src" address to the "dst" address. This function is the same as
mov [dst],[src],size
Example: 
       MEMCPY dst,base,size
;;  
MSG: message
-----------
Display a message box with specified message
Example:
       MSG "Script paused"
;;
MSGYN: message
-------------
Display a message box with the specified message and YES and NO buttons. Sets the reserved
$RESULT variable to 1 if YES is selected and 0 otherwise.
Example:
       MSGYN "Continue?"
;;
MUL: op1, op2
------------
Sets op1 with op1*op2
Example:
       mul op1, 10
;;
NAMES: addr
----------
Open names Window for module (Like Ctrl + N)
addr is the module address
;;
NEG: op
------
Assembly Operation "neg eax"
;;
NOT: op
------
Assembly Operation "not eax"
;;
OLLY: info
---------
Gets information about ollydbg
"info" can be :
    - PID retrieve the Ollydbg Process ID
    - HWND retrieve the main Ollydbg HWND

Example:
    OLLY PID
    mov pid, $RESULT
    OLLY HWND
    mov hwnd, $RESULT
;;
OR: dest, src
------------
ORs src and dest and stores result in dest
Example: 
       or x, 0F
       or eax, x
       or [401000], 5
;;
OPCODE: addr
-----------
OPCODE sets the $RESULT variable to the opcode bytes, $RESULT_1 variable to mnemonic
opcode (i.e. "MOV ECX,EAX") and $RESULT_2 to the length of the opcode. If an invalid
opcode appears, $RESULT_2 should be 0. addr is increased by the length of the opcode
(disassemble command). With this function you can step forward through code. 
Example: 
       opcode 00401000
;;
OPENDUMP: addr [,base,size]
--------------------------
Create a new Dump Window with data at address.
;;
OPENTRACE:
---------
Opens run trace window
;;
PAUSE:
-----
Pauses script execution. Script can be resumed from plugin menu.
Example:
       pause
;;
POP: dw
------
Retrieve dword from stack
;;
POPA:
-----
RESTORE all registers from plugin memory (saved with PUSHA)
;;
PUSHA:
-----
Save all register in plugin memory (to be restored by POPA)
Stack is not used by this command
;;
PREOP: addr
----------
Get asm command line address just before specified address.
Attention: it will not give the EIP of the command actually executed before a jump.
Example:
       preop eip
;;
PUSH: dw
-------
Add dword to stack
;;
RBP: [arg1]
----------
Restore Break Points
arg1 may be STRICT or omitted. Restores all hardware and software breakpoints.
If arg1 == 'STRICT', all soft bp set by the script are deleted and only those
that had been set before it ran are restored.
If no argument is given, the previous soft bp are appended to those set by the script.
Return in:
 - $RESULT number of restored swbp
 - $RESULT_1 number of restored hwbp
Example:
    rbp
    rbp STRICT
;;
READSTR: str, len
-------
Copy len chars of str into $RESULT
;;
REF: addr, [LOCATION]
--------------------
REF addr works as "Find references to .. Selected command" and "Find references", Ctrl R, in OllyDbg.
Search LOCATION could be the MEMORY bloc (default), CODE of module, or whole MODULE
$RESULT variable is set to the first reference addr 
$RESULT_1 to the opcode (text asm command) 
$RESULT_2 to the comment (like reference window). 
Repeat "REF addr" until $RESULT=0 to get next refs
REF value counter is reset when addr changes or forced with addr = 0
Example:
    REF 0 // RESET REF
    continue:
        REF eip,CODE
        log $RESULT
        log $RESULT_1
        log $RESULT_2
    cmp $RESULT,0
    jne continue
;;
REPL: addr, find, repl, len
--------------------------
Replace "find" with "repl" starting at "addr" for "len" bytes.
Wildcards are allowed
Example:
       repl eip, #6a00#, #6b00#, 10
       repl eip, #??00#, #??01#, 10
       repl 401000, #41#, #90#, 1F
;;
RET:
---
Exits script or return from CALL.
Example:
       ret
;;
REV: what
--------
Reverse dword bytes.
Example:
       rev 01020304
       //$RESULT = 04030201
;;
ROL: op, count
-------------
Assembly Operation "rol eax, cl"
save in the target (first) operand.
;;
ROR: op, count
-------------
Assembly Operation "ror eax, cl"
Example:
       mov x, 00000010
       ROR x, 8 
;;
RTR:
---
Executes "Run to return" in OllyDbg, [Ctrl+F9] operation.
Example:
       rtr
;;
RTU:
---
Executes "Run to user code" in OllyDbg, [Alt+F9] operation.
Example:
       rtu
;;
RUN:
---
Executes F9 in OllyDbg, you can also use ERUN to ignore exceptions
Example:
       run
;;
SBP: 
---
Store Break Points
stores all hardware and software breakpoints, to be restored with RBP
return in:
 - $RESULT number of stored swbp
 - $RESULT_1 number of stored hwbp
;;
SCMP: dest, src [,size]
-------------
Compares strings dest to src. Works like its ASM counterpart.
Example: 
       scmp x, "KERNEL32.DLL"
       scmp [eax], "Hello World", 11.
       je Label
;;
SCMPI: dest, src [,size]
-------------
Compares strings dest to src (case insensitive). Works like its ASM counterpart.
Example: 
       scmpi sVar, "KERNEL32.DLL"
       scmpi [eax], "Hello", 5
       jne Label
;;
SETOPTION:
---------
Open the OllyDBG Options Window, to change debugging parameters.
Script will continue on close.
;;
SHL: dest, src
-------------
Shifts dest to the left src times and stores the result in dest.
Example:
       mov x, 00000010
       shl x, 8 // x is now 00001000
;;
SHR: dest, src
-------------
Shifts dest to the right src times and stores the result in dest.
Example:
       mov x, 00001000
       shr x, 8 // x is now 00000010
;;
STEP:
---
Execute F8 in OllyDbg. Same as STO
Example:
    STEP
;;
STI:
---
Execute F7 in OllyDbg. STep Into.
Example:
       sti
;;
STO:
---
Execute F8 in OllyDbg. STep Over.
Example:
       sto
;;
STR: var
-------
Converts variable to a String (buffer or dword)
;;
SUB: dest, src
-------------
Subtracts src from dest.
Example: 
       sub x, 0F
       sub eax, x
       sub [401000], 5
;;
TC:
--
Cancels run trace in OllyDbg
Example:
       tc
;;
TEST: dest,src
-------------
Performs a logical AND of the two operands updating the flags register
without saving the result.
(Modifies Flags: CF OF PF SF ZF (AF undefined))
;;
TI:
--
Executes "Trace into" in OllyDbg, CTRL-F7 in OllyDbg.
Example:
       ti
;;
TICK: [var [,reftime]]
-------------------
Sets the variable to the script execution time (microseconds). If the reftime parameter is given,
sets $RESULT to the time elapsed since reftime.
If no parameter is given, sets $RESULT to the execution time as text,
in "<ssss mmm> ms" format; var is declared automatically.
Example:
       tick time
;;
TICND: cond
----------
Traces into calls until cond is true
Example:
       ticnd "eip > 40100A" // will stop when eip > 40100A
;;
TO:
--
Executes "Trace over" in OllyDbg
Example:
       to
;;
TOCND: cond
----------
Traces over calls until cond is true
Example:
       tocnd "eip > 40100A" // will stop when eip > 40100A
;;
UNICODE: enable
--------------
Set Unicode Mode, not used for the moment
Example: 
       UNICODE 1
;;
VAR:
---
Declare a variable to be used in the script.
Example: 
       var x
;;
XOR: dest, src
-------------
XORs src and dest and stores result in dest
Example: 
       xor x, 0F
       xor eax, x
       xor [401000], 5
;;
XCHG: dest, src                                 
--------------
Exchanges contents of source and destination.         
;;
WRT: file, data
--------------
Write to file (replacing any existing one). The only accepted escape sequence is "\r\n".
Numbers are written as strings... for the moment
Example: 
       wrt "out.txt", "Data:\r\nOk\r\n"
       wrt sFile, ebx
;;
WRTA: file, data [, separator]
-----------------------------
Append to file; the default separator is "\n"
Example: 
       wrta sFile, "hello world"
       wrta sFile, ABCD, ""
       wrta sFile, "Windows CR", "\r\n"
;;
MODULEBASE:
a parameter of GMI to get information about a module.
;;
MODULESIZE:
a parameter of GMI to get information about a module.
;;
CODEBASE:
a parameter of GMI to get information about a module.
;;
CODESIZE:
a parameter of GMI to get information about a module.
;;
MEMBASE:
a parameter of GMI to get information about a module.
;;
MEMSIZE:
a parameter of GMI to get information about a module.
;;
ENTRY:
a parameter of GMI to get information about a module.
;;
NSECT:
a parameter of GMI to get information about a module.
;;
DATABASE:
a parameter of GMI to get information about a module.
;;
RELOCTABLE:
a parameter of GMI to get information about a module.
;;
RELOCSIZE:
a parameter of GMI to get information about a module.
;;
RESBASE:
a parameter of GMI to get information about a module.
;;
RESSIZE:
a parameter of GMI to get information about a module.
;;
IDATABASE:
a parameter of GMI to get information about a module.
;;
IDATATABLE:
a parameter of GMI to get information about a module.
;;
EDATATABLE:
a parameter of GMI to get information about a module.
;;
EDATASIZE:
a parameter of GMI to get information about a module.
;;
NAME:
a parameter of GMI to get information about a module.
;;
PATH:
a parameter of GMI to get information about a module.
;;
VERSION:
a parameter of GMI to get information about a module.
;;
MEMORYBASE:
a parameter of GMEMI to get information about a memory block to which the specified
address belongs.
;;
MEMORYSIZE:
a parameter of GMEMI to get information about a memory block to which the specified
address belongs.
;;
MEMORYOWNER:
a parameter of GMEMI to get information about a memory block to which the specified
address belongs.
;;
HPROCESS:
a parameter of GPI to get process information.
;;
PROCESSID:
a parameter of GPI to get process information.
;;
HMAINTHREAD:
a parameter of GPI to get process information.
;;
MAINTHREADID:
a parameter of GPI to get process information.
;;
MAINBASE:
a parameter of GPI to get process information.
;;
PROCESSNAME:
a parameter of GPI to get process information.
;;
EXEFILENAME:
a parameter of GPI to get process information.
;;
CURRENTDIR:
-----------
a parameter of GPI to get process information.
;;
SYSTEMDIR:
----------
a parameter of GPI to get process information.
;;
NOT: op
-------
Assembly Operation "not eax"
;;
ENDE:
Ends the assembly execution started by EXEC.
;;
BPHWCALL:
---------
Clears all hardware breakpoints.
;;

created: by britedream on 12/12/2009



2017_0617_1456

在玩cm时, 找到一些需要关注的API调用点, 在API调用处下断点。
体力活只干一次,写了一个设置断点的脚本。脚本中只有bp指令.
程序载入OD后,载入脚本,程序跑起来,经过关心的API的调用点,只有几处,再看这几个调用点的上下文,会得到流程的逻辑。

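// @filename setbp_setWindowTextA.osc
// @brief Set an F2 breakpoint on every call site of SetWindowTextA in the crackme,
//        so each caller's context can be inspected when the breakpoint is hit.
// @note  The addresses below come from an IDA listing (".text:0041xxxx"), i.e. they are
//        absolute addresses that assume the main module is mapped at the image base
//        the listing was made with (00400000 for these addresses). If the module is
//        loaded at a different base, "bp <absolute address>" would silently land on the
//        wrong bytes, so the script reads the real base with GPI MAINBASE first and
//        aborts with a message when it differs. Adjust vExpectBase if the listing was
//        taken at another base.
//        Run once after the program is loaded in OllyDbg. The call target
//        fnSetWindowTextA_491C85 is presumably a wrapper around the API (judging by its
//        name), which is why the breakpoints are on the call sites rather than on the API.

var vMainBase    // actual base of the main module (GPI MAINBASE)
var vExpectBase  // image base the listed addresses were taken at

mov vExpectBase, 00400000

GPI MAINBASE
mov vMainBase, $RESULT
cmp vMainBase, vExpectBase
je SET_BREAKPOINTS

// Base mismatch: setting the breakpoints would be wrong, so report and stop.
eval "main module base is {vMainBase}, but the listed addresses assume {vExpectBase}; no breakpoints set"
log $RESULT
msg $RESULT
ret

SET_BREAKPOINTS:
// .text:00418A7C                 call    fnSetWindowTextA_491C85
bp 00418A7C

// .text:004197F5                 call    fnSetWindowTextA_491C85
bp 004197F5

// .text:0041A1A5                 call    fnSetWindowTextA_491C85
bp 0041A1A5

// .text:0041A61F                 call    fnSetWindowTextA_491C85
bp 0041A61F

// .text:0041B26A                 call    fnSetWindowTextA_491C85
bp 0041B26A

// .text:0041BFBC                 call    fnSetWindowTextA_491C85
bp 0041BFBC

// .text:0041E504                 call    fnSetWindowTextA_491C85
bp 0041E504

// .text:00421015                 call    fnSetWindowTextA_491C85
bp 00421015

// .text:004222C5                 call    fnSetWindowTextA_491C85
bp 004222C5

// .text:00423160                 call    fnSetWindowTextA_491C85
bp 00423160

// .text:0042329B                 call    fnSetWindowTextA_491C85
bp 0042329B

// .text:004234F7                 call    fnSetWindowTextA_491C85
bp 004234F7

// .text:0042472D                 call    fnSetWindowTextA_491C85
bp 0042472D

// .text:0042662E                 call    fnSetWindowTextA_491C85
bp 0042662E

// .text:0042F59D                 call    fnSetWindowTextA_491C85
bp 0042F59D

// .text:00436925                 call    fnSetWindowTextA_491C85
bp 00436925

// .text:0043775B                 call    fnSetWindowTextA_491C85
bp 0043775B

// .text:00437B02                 call    fnSetWindowTextA_491C85
bp 00437B02

// .text:00437B16                 call    fnSetWindowTextA_491C85
bp 00437B16

// .text:00437B2B                 call    fnSetWindowTextA_491C85
bp 00437B2B

// .text:00437C4A                 call    fnSetWindowTextA_491C85
bp 00437C4A

// .text:00437CFE                 call    fnSetWindowTextA_491C85
bp 00437CFE

// .text:0044E784                 call    fnSetWindowTextA_491C85
bp 0044E784

// .text:0044E953                 call    fnSetWindowTextA_491C85
bp 0044E953

// .text:0044ED88                 call    fnSetWindowTextA_491C85
bp 0044ED88

// .text:0044EDAB                 call    fnSetWindowTextA_491C85
bp 0044EDAB

// .text:0044EDCE                 call    fnSetWindowTextA_491C85
bp 0044EDCE

// .text:0044EDF1                 call    fnSetWindowTextA_491C85
bp 0044EDF1

// .text:0044EE34                 call    fnSetWindowTextA_491C85
bp 0044EE34

// .text:0044EE5A                 call    fnSetWindowTextA_491C85
bp 0044EE5A

// .text:0044EE80                 call    fnSetWindowTextA_491C85
bp 0044EE80

// .text:0044EEB2                 call    fnSetWindowTextA_491C85
bp 0044EEB2

// .text:0044EF62                 call    fnSetWindowTextA_491C85
bp 0044EF62

// .text:0044EF8C                 call    fnSetWindowTextA_491C85
bp 0044EF8C

// .text:0044F004                 call    fnSetWindowTextA_491C85
bp 0044F004

// .text:0044F12F                 call    fnSetWindowTextA_491C85
bp 0044F12F

// .text:0044F15C                 call    fnSetWindowTextA_491C85
bp 0044F15C

// .text:00453F8A                 call    fnSetWindowTextA_491C85
bp 00453F8A

// .text:0045BC09                 call    fnSetWindowTextA_491C85
bp 0045BC09

// .text:0045C8AB                 call    fnSetWindowTextA_491C85
bp 0045C8AB

// .text:0046A167                 call    fnSetWindowTextA_491C85
bp 0046A167

ret // script done; the breakpoints stay set in the debugger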

最后
