-
-
[分享]第13章 脱壳技术(13.9 加密壳)与ODbgScript脱ASProtect壳
-
发表于: 2017-7-25 09:15
-
背景:
在看《加密与解密(第三版)》看到13.9.1 ASProtect脱壳,手动使用OD2.01配合书上的说明进行动态调试,但是始终不能按照书上所说定位到P364页 `00A8BA97 push edx` 这个需要打补丁的位置。只能通过 .code段写断点定位到 `00A8BABB mov dword ptr [ebp], eax` 的位置。
每次调试因为ASLR(本人使用win10+OD环境)的原因,地址`00A8BA97`总是动态变化的,想了各种办法,还是不能对此位置下断点。
另外,书上p364最后一段说 “按 Alt + M 打开内存窗口,对代码段再次下内存写断点,如下图所示,本人没有找到啊!!解决办法是 Set access -> Read Only, 然后 OD的选项中 Exception -> Ignore -> Memory access violation 关闭, 然后继续动态调试直到 .code 段内存访问异常。
在P365 页,书上提到 OllyScript,于是想办法使用脚本来解决下断点的问题,也避免每次补丁验证都需要 “下断点 -> 取消断点 -> 重新下断点 -> 配置 OD选项 -> F9/Shifrt-F9->手动编辑补丁代码" 不停的反复体力劳动。
ODbgScript for 光盘程序“
.\13.10.1 ASProtect\Emulate standard system functions\TraceMe_Emulate standard system functions.exe
” 调试源代码
// MSG "[SETOPTION] Ignore Memory access violations" ; first BP of writing .code section GMI eip,CODEBASE ; Get Module Info MOV codebase,$RESULT BPWM codebase,4 RUN STO ; Step Over "REP" command ; BP on decompress func RUN BPMC ; BP on checksum func BPRM codebase,4 RUN BPMC ; BP on Emulate function entry FIND eip,#526A008D4C2418# MOV emu_func, $RESULT BP emu_func RUN BC ; padding code ALLOC 1000 MOV addr_pad, $RESULT MOV pp, addr_pad ASM pp, "pushad" ADD pp, $RESULT GMI codebase, DATABASE ; Get Module Info MOV database, $RESULT ITOA database MOV tmp, "mov esi, "+$RESULT ASM pp, tmp ; IAT start address ADD pp, $RESULT ASM pp, "cmp dword ptr ds:[esi],eax" ; EAX = VA_of_API ADD pp, $RESULT MOV tmp, addr_pad ADD tmp, 17 ITOA tmp MOV tmp, "je short " + $RESULT ASM pp, tmp ADD pp, $RESULT ASM pp, "add esi, 4" ADD pp, $RESULT MOV tmp, database ADD tmp, D0 ITOA tmp MOV tmp, "cmp esi, " + $RESULT ASM pp, tmp ADD pp, $RESULT MOV tmp, addr_pad ADD tmp, 2B ITOA tmp MOV tmp, "ja short " + $RESULT ASM pp, tmp ADD pp, $RESULT MOV tmp, addr_pad ADD tmp, 6 ITOA tmp MOV tmp, "jmp " + $RESULT ASM pp, tmp ADD pp, $RESULT ASM pp, "mov cx, 15FF" ADD pp, $RESULT ASM pp, "mov word ptr ss:[ebp], cx" ADD pp, $RESULT ASM pp, "add ebp, 2" ADD pp, $RESULT ASM pp, "mov dword ptr [ebp], esi" ADD pp, $RESULT ASM pp, "popad" ADD pp, $RESULT MOV tmp, emu_func ADD tmp, 31 ITOA tmp MOV tmp, "jmp " + $RESULT ASM pp, tmp /* ; BP for dump MOV tmp, emu_func ADD tmp, 6A BP tmp */ ; BP for OEP MOV tmp, codebase ADD tmp, 3A0 BP tmp ; redirect eip to padding space LABEL: CMP eip, emu_func JNE END MOV eip, addr_pad RUN JMP LABEL END: PAUSE ; do nothing ;BC ;BPMC
由于写上面代码需要参考官方文档,官方文档存在较多错误,另外部分指令不可用,也未提供指令速览功能,本人对官方文档进行了可读性整理,及修正部分错误。
文档内容[请使用markdown阅读工具收藏查阅]
-------------------------------
[ODbgScript original plugin](http://github.com/odbgscript)
-------------------------------
1. About OllyScript and ODbgScript
2. Status
2.1 What's new?
3. Documentation
3.1 Language
3.1.1 Reserved variables
3.1.2 Commands
3.2 Labels
3.3 Comments
3.4 Menus
3.5 Script Window
4. Integration with other plugins
5. Contact me
6. License and source code
7. Thanks!
-------------------------------
1. About ODbgScript
-------------------------------
ODbgScript is a plugin for OllyDbg, which is, in our opinion,
the best application-mode debugger out there. One of the best
features of this debugger is the plugin architecture which allows
users to extend its functionality.
ODbgScript is a plugin meant to let you **automate OllyDbg**
by writing scripts in an **assembly-like language**.
Many tasks involve a lot of repetitive work just to
get to some point in the debugged application. By
using this plugin you can write a script once and for all.
-------------------------------
2. Status
-------------------------------
v2.0
ODbgScript for OllyDBG 2, project moved to github
2.1 What's new?
-------------------------------
2.0
+ OllyDBG 2 branch, project moved to github
-------------------------------
3. Documentation
-------------------------------
Example script (sample.osc) is available with this release.
The script will break on LoadLibrary call to debug a SHELL32.DLL function.
Try it on mspaint.exe
3.1 Language
-------------------------------
The scripting language of OllyScript is an assembly-like language.
### In the document below, src and dest can be (unless stated otherwise):
---------------------------
* Constant in the form of a **hex** number without prefixes and suffixes, with leading 0
* **hex** number (i.e. 00FF, not 0x00FF or 00FFh)
* **decimal** values, use the point (i.e. 100. 128.)
* Variable previously declared by **VAR**, or are declared with MOV
* A 32-bit **registers** (one of EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP).
* A 16-bit register (one of AX, BX, CX, DX, SI, DI, BP, SP)
* A 8-bit register (one of AL, AH, ... DL, DH)
* A **memory** reference in square brackets (i.e. [401000] points to the memory at address 401000, [ecx] points to the memory at address ecx).
* A **flag** with an exclamation mark in front (one of !CF, !PF, !AF, !ZF, !SF, !DF, !OF)
* Sometimes **byte** strings are required.
* Those are scripted as #6A0000# (values between two #) and must have an even number of characters.
* Some byte strings can contain the **wildcard** '?', for example #6A??00# or #6?0000#
### A combination of these values with operators:
-------------------------------
You can use operators in your scripts, +-*/&|^>< for dword and + to concatenate strings.
* Operators **>** and **<** are **shr** and **shl** (>> and << in C/C++)
* Operator **^** is **XOR**
* Operator **&** is **AND**
* Operator **|** is **OR**
3.1.1 Reserved variables
-------------------------------
`$RESULT`
-------------------------------
Return value for some functions like FIND etc.
`$RESULT_1` and `$RESULT_2` are available for some commands.
`$VERSION`
-------------------------------
Contains current version of OllyScript
Example:
```
cmp $VERSION, "0.8"
ja version_above_08
```
3.1.2 Commands
-------------------------------
`#INC file`
-------------------------------
Include a script file in another script file
Example:
```
#inc "anotherscript.txt"
```
`#LOG`
-------------------------------
Enable logging of executed commands.
The commands will appear in OllyDbg log window, and will be prefixed with -->
Example:
```
#log
```
`ADD dest, src`
-------------------------------
Adds src to dest and stores result in dest
Example:
```
add x, 0F
add eax, x
add [401000], 5
add y, " times" // If y was 1000 before this command then y is "1000 times" after it
```
`AI`
-------------------------------
Execute "Animate into" in OllyDbg
Example:
```
ai
```
`ALLOC size`
-------------------------------
Allocate new memory page, you can read/write and execute.
Example
```
alloc 1000
free $RESULT, 1000
```
`AN addr`
-------------------------------
Analyze module which contains the address addr.
Example:
```
an eip // Same as pressing CTRL-A
```
`AND dest, src`
-------------------------------
AND's src and dest and stores result in dest
Example:
```
and x, 0F
and eax, x
and [401000], 5
```
`AO`
-------------------------------
Executes "Animate over" in OllyDbg
Example:
ao
`ASK question`
-------------------------------
Display an input box with the specified question and lets user enter a response.
Sets the reserved `$RESULT` variable (0 if cancel button was pressed).
You have also the length in `$RESULT_1` (divided by 2 for hex entries)
Example:
```
ask "Enter new EIP"
cmp $RESULT, 0
je cancel_pressed
mov eip, $RESULT
```
`ASM addr, command [,version]`
-------------------------------
Assemble a command at some address.
Change version number (0,1,...) to get alternative code bytes, if possible.
Returns bytes assembled in the reserved `$RESULT` variable
Example:
```
asm eip, "mov eax, ecx"
```
`ASMTXT addr, file`
-------------------------------
Assemble a text asm file at some address.
Example:
```
asmtxt EIP, "myasm.txt"
```
`ATOI str [, base=16.]`
-------------------------------
Convert a string to integer
Returns the integer in the reserved `$RESULT` variable
Example:
```
atoi "F"
atoi "10", 10.
```
`BACKUP addr [,base,size]`
-------------------------------
Like `OPENDUMP`, create a Dump Window with data at address.
But this dump window keeps a backup of data, which can be used to view changes.
`$RESULT` is the HWND of window, for future use
Note: If you are looking to save data in a file, see the `DM` function (Dump Memory)
Example:
```
BACKUP esp
STO // STep Over
STO
```
`BC [addr]`
-------------------------------
Clear unconditional breakpoint at addr.
Without parameter, the command clears all loaded breakpoints
Example:
```
bc 401000
bc x
bc eip
```
`BD [addr]`
-------------------------------
Disable breakpoint at addr.
Without parameter, the command disables all loaded breakpoints
Example:
```
bp 401000
BD 401000
```
`BEGINSEARCH [start] {commands} ENDSEARCH`
-------------------------------
Create a Copy of Debugged App Memory, Find commands will use this data faster.
You need to use ENDSEARCH before writing to memory and to free this memory copy.
Optimization time is 20% for 5000 loops... but could maybe be optimized
Example:
```
mov count, 0
mov start, eip
beginsearch start
next:
find start, #00# // "FIND addr, what" $RESULT == 0 if nothing found.
cmp $RESULT,0
je end
mov start, $RESULT+1
add count, 1
jmp next
end:
endsearch
msg count
```
`BP addr (ubp)`
-------------------------------
Set unconditional breakpoint at addr.
Example:
```
bp 401000
bp x
bp eip
```
`BPCND addr, cond`
-------------------------------
Set breakpoint on address addr with condition cond.
Example:
```
bpcnd 401000, "ECX==1"
```
`BPD callname`
-------------------------------
Remove breakpoint on dll call set by `BPX`
`BPGOTO addr, label`
-------------------------------
Automatic Jump at label on Breakpoint (Standard(INT3) and Hardware).
`EOB` Like Command
Example:
```
bphws addr
bpgoto addr, MyLabel
NextBP:
RUN
...
MyLabel:
...
jmp NextBP
```
`BPHWC [addr]`
-------------------------------
Delete hardware breakpoint at a specified address.
Without address, clear all hardware breakpoints.
Example:
```
bphwc 401000
```
`BPHWS addr, [mode]`
-------------------------------
Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute (default).
Example:
```
bphws 401000, "x"
```
`BPL addr, expr`
-------------------------------
Sets logging breakpoint at address addr that logs expression expr.
Example:
```
bpl 401000, "eax" // logs the value of eax everytime this line is passed
```
`BPLCND addr, expr, cond`
-------------------------------
Sets logging breakpoint at address addr that logs expression expr if condition cond is true.
Example:
```
bplcnd 401000, "eax", "eax > 1"
// logs the value of eax everytime this line is passed and eax > 1
```
`BPMC`
-------------------------------
Clear the memory breakpoint.
Example:
```
bpmc
```
`BPRM addr, size`
-------------------------------
Set memory breakpoint on read. Size is size of memory in bytes.
Example:
```
bprm 401000, FF
```
`BPWM addr, size`
-------------------------------
Set memory breakpoint on write. Size is size of memory in bytes.
Example:
```
bpwm 401000, FF
```
`BPX callname`
-------------------------------
Set breakpoint on every api calls found in current module.
Then you can clear these breakpoints with `BPD`
Example:
```
bpx "GetModuleHandleA"
```
`BUF var`
-------------------------------
Converts string/dword variable to a Buffer
Example:
```
mov s, "123"
buf s
log s // output #313233#
```
```python
In [3]: list(map(lambda x: hex(ord(x)), '123')) # python
Out[3]: ['0x31', '0x32', '0x33']
```
`CALL label`
-------------------------------
jumps to the given label and runs it. The only difference to jmp is that it'll return if a `RET` is executed.
`Call` & `Ret` will help you structured and organises ya scripts.
Example 1 - a procedure with a body and a parameter:
```
var myArg1
mov myArg1, 5
call PROC_myproc2 // Arg1 is 'passed' byReference
log myArg1
Ret // Exit the script
PROC_myproc2:
add myArg1, 1
RET // Just exit 'PROC_myproc2'
```
(Okay well actually Arg1 is just a global Var that is not really passed to the function.)
-------------------------------
Example2 - DIY-function like this `Func_myFunc1(myArg1, 3)`
```
var myArg1
mov myArg1, 5
push myArg1 // Arg1
push 3 // Arg2
Call Func_myFunc1
log $RESULT // Show return value
log Local1 // if that were a real local that shouldn't work
Ret
Func_myFunc1:
var Local2 // Passing Arg2 byValue
pop Local2 // Local2=Arg2
var Local1 // Passing Arg1 byValue
pop Local1 // Local1=Arg1
sub Local1, Local2
mov $RESULT, Local1
RET
```
`CLOSE window`
-------------------------------
Close an Ollydbg MDI window
window parameter can be a `constant` or a `HWND` (like `$RESULT` of `OPENDUMP`/`BACKUP`).
```
SCRIPT, SCRIPTLOG, LOG, CPU
MODULES, MEMORY, THREADS, BREAKPOINTS
REFERENCES, SOURCELIST, WATCHES
WINDOWS, PATCHES, RUNTRACE, CALLSTACK
TEXT, FILE, HANDLES, SEH, SOURCE
```
`CMP dest, src [,size]`
-------------------------------
Compares dest and src. Works like its `ASM` counterpart.
see `SCMP` to compare strings or memory data
Example:
```
cmp y, x
cmp eip, 401000
je label
cmp cx, x, 2
je label
```
`CMT addr, text`
-------------------------------
Inserts a comment at the specified address
Example:
```
cmt eip, "This is the entry point"
```
`COB`
-------------------------------
Makes script continue execution after a breakpoint has occured (removes EOB)
Example:
```
COB
```
`COE`
-------------------------------
Makes script continue execution after an exception has occured (removes EOE)
Example:
```
COE
```
`CRET`
-------------------------------
Clear stack of calls, to terminate script in a function.
Example:
```
CRET
RET
```
`DBH`
-------------------------------
Hides debugger against `kernel32!IsDebuggerPresent()`
(Note that's done through [BYTE [[FS:18]+30]+2] = 0)
Example:
```
dbh
```
`DBS`
-------------------------------
Unhides debugger so kernel32!IsDebuggerPresent() will find it.
(Note that's done through [BYTE [[FS:18]+30]+2] = 1).
Example:
```
dbs
```
`DEC var`
-------------------------------
Subtracts 1 from variable
Example:
```
dec v
```
`DIV op1, op2`
-------------------------------
Sets op1 with op1/op2
Example:
```
div var, 2
```
`DM addr, size, file`
-------------------------------
Dumps memory of specified size from specified address to specified file (default path set from opened app.)
Example:
```
dm 401000, 1F, "c:\dump.bin"
```
`DMA addr, size, file`
-------------------------------
Dumps memory of specified size from specified address to specified file appending to that file if it exists
Example:
```
dma 401000, 1F, "c:\dump.bin"
```
`DPE filename, ep`
-------------------------------
Dumps the executable to file with specified name.
* Entry Point is set to EP.
* Path is relative to the path of the currently loaded executable.
* Notes:
* uses PEFileInfo.dwSizeOfImage
* Applies dumpfix to PE.sectionHdr
(PointerToRawData = VirtualAddress
SizeOfRawData = VirtualSize)
Example:
```
dpe "c:\test.exe", eip
```
`ELSE/ENDIF`
-------------------------------
See `IFxx` commands
`EOB label`
-------------------------------
Transfer execution to some label on next breakpoint.
(see `BPGOTO` command to assign a label to a breakpoint)
Example:
```
eob SOME_LABEL
```
`EOE label`
-------------------------------
Transfer execution to some label on next exception.
Example:
```
eob SOME_LABEL
```
`ERUN [formerly ESTO]`
-------------------------------
Executes `SHIFT-F9` in OllyDbg. Run with Ignore Exceptions.
Note: Was ESTO before, but the command is depreciated
Example:
```
erun
```
`ESTEP`
-------------------------------
Executes `SHIFT-F8` in OllyDbg. Step Over ignoring Exceptions.
Example:
```
estep
```
`ESTI`
-------------------------------
Executes SHIFT-F7 in OllyDbg. Step Into ignoring Exceptions.
Example:
```
esti
```
`EVAL`
-------------------------------
Evaluates a string expression that contains variables.
The variables that are declared in the current script can be enclosed in curly braces `{var}` to be inserted.
Sets the reserved `$RESULT` variable
Example:
```
var x
mov x, 1000
eval "The value of x is {x}" // after this $RESULT is "The value of x is 1000"
```
`EXEC/ENDE`
-------------------------------
Executes instructions between `EXEC` and `ENDE` in the context of the target process.
Values in curly braces `{}` are replaced by their values.
`pusha` / `popa` commands could be useful when you use this.
Examples:
```
// This does some mov's
mov x, "eax"
mov y, DEADBEEF // hex constant cwithout prefix '0'
exec
mov {x}, {y} // "mov eax, 0DEADBEEF" will be executed
mov ecx, {x} // "mov ecx, eax" will be executed
ende
// This calls ExitProcess in the debugged application
exec
push 0
call ExitProcess
ende
ret
```
`FILL addr, len, value`
-------------------------------
Fills len bytes of memory at addr with value
Example:
```
fill 401000, 10, 90 // NOP 10h bytes
```
`FIND addr, what`
-------------------------------
Searches memory starting at addr for the specified value.
When found sets the reserved `$RESULT` variable. `$RESULT == 0` if nothing found.
The search string can also use the wildcard `??` (see below).
Example:
```
find eip, #6A00E8# // find a PUSH 0 followed by some kind of call
find eip, #6A??E8# // find a PUSH 0 followed by some kind of call
```
`FINDCALLS addr [,name]`
-------------------------------
Find all intermodular calls (dll calls) in the disasm area.
You can filter results by label (case insensitive) with the optionnal second parameter.
Reference Window is used and its content changed
Then can use `GREF` to get results count and retrieve them.
Example:
```
findcalls eip, "exit"
gref // Get REFerence of "findcalls"
msg $RESULT
```
`FINDCMD addr, cmdstr`
-------------------------------
Search for asm command(s), you can search for series also with ";" separator.
This command uses "Search for All Sequences" Ollydbg function so could find relative `calls`/`jmp`
Reference Window is used and its content changed.
You can use `GREF` to get next results in disasm window range.
Example 1:
```
mov line, 1
findcmd eip, "push edi"
next:
gref line
cmp $RESULT, 0
je finished
inc line
jmp next
finished:
msg "finished!"
Example 2:
findcmd 401000, "nop;nop;nop"
msg $RESULT
```
`FINDCMDS`
-------------------------------
Same as FINDCMD.
`FINDCMDS`(this function name could be deleted in future versions)
`FINDOP addr, what [, maxsize]`
-------------------------------
Searches code starting at addr for an instruction that begins with the specified bytes.
It sets the reserved `$RESULT` variable to the start of the found instruction. If `$RESULT == 0` nothing was found.
The search string can also use the wildcard `??` (see below).
Use maxsize to limit that search range.
Examples:
```
findop 401000, #61# // find next POPAD
findop 401000, "1" // = #61#
findop 401000, #6A??# // find next PUSH of something
```
`FINDOPREV addr, what`
-------------------------------
Searches code backwards starting at addr for an instruction that begins with the specified bytes.
It sets the reserved `$RESULT` variable to the start of the found instruction. If `$RESULT == 0` nothing was found.
The search string can also use the wildcard `??` (see below).
Example:
```
FINDOPREV eip, #68??????00# // find next PUSH 00xxxxxx backwards
```
`FINDMEM what [, StartAddr]`
-------------------------------
Searches whole memory for the specified value.
When found sets the reserved `$RESULT` variable. `$RESULT == 0` if nothing found.
The search string can also use the wildcard "??" (see below).
Example:
```
findmem #6A00E8# // find a PUSH 0 followed by some kind of call
findmem #6A00E8#, 00400000 // search it after address 0040.0000
```
`FREE addr [, size]`
-------------------------------
Free memory block allocated by `ALLOC` (or not).
If size not given, drop whole memory block.
Example:
```
alloc 1000
free $RESULT
```
`GAPI addr #BETA#`
-------------------------------
Obtains the code place API call information.
The API information saves in preservation variable `$RESULT`.
If the symbolic name is a API function, then.
`$RESULT` saves the API information.
`$RESULT_1` save link base/storehouse (for instance kernel32).
`$RESULT_2` save symbolic name (for instance ExitProcess).
`$RESULT_3` save calling location (for instance call xxxxx).
`$RESULT_4` save destination.
Notice: This and the GN difference is GN must point to the IAT address
But GAPI gives the code address to be possible directly to obtain API
Also has, if you have gotten down the software break point in here, please first clear the break point to use this sentence again, because the software break point modified the code is CC
If here does not clear here the software break point, will create this not to be able the very good recognition.
Example:
```
GAPI 401000 (call kernel32.ExitProcess)
GAPI EIP
// examined whether the current code is API calls, is not then returns to 0
```
`GBPM #BETA#`
-------------------------------
Get last memory breakpoint address, affects `$RESULT` with dword value
`GBPR #BETA#`
-------------------------------
Get last breakpoint reason, affects `$RESULT` with dword value
Example:
```
GBPR
cmp $RESULT, 10
je SelectNormalBP
cmp $RESULT, 20
je SelectMemBP
cmp $RESULT, 40
je SelectHwBP
jmp NextBP
```
`GCI addr, info`
-------------------------------
Get Command Information of asm instruction at "addr".
"info" specifies what data should be returned in `$RESULT`:
* `COMMAND` for asm command string (like OPCODE)
* `CONDITION` {disasm.condition}
* `DESTINATION` for Destination of jump/call/return
* `SIZE` for number of command bytes
* `TYPE` for asm command string (one of C_xxx, see OllyDbg Plugin API)
Example:
```
GCI eip, DESTINATION
```
`GCMT addr`
-------------------------------
Get the comment, automatic comment or analyses comment at specified code address
`GMA name, info`
-------------------------------
Call `GMI`(`GMI addr, info`, Get Module Info), but parameter is short name of the module
Example:
```
GMA "KERNEL32", MODULEBASE
```
`GFO addr`
-------------------------------
Get File Offset of address
`GLBL addr`
-------------------------------
Get Label at address
`GMEMI addr, info`
-------------------------------
Get information about a memory block to which the specified address belongs.
"info" can be `MEMORYBASE`, `MEMORYSIZE` or `MEMORYOWNER` (if you want other info in the future versions plz tell me).
Sets the reserved `$RESULT` variable (0 if data not found).
Example:
```
GMEMI addr, MEMORYBASE
// After this $RESULT is the address to the memory base of the memory block to which addr belongs
```
`GMEXP moduleaddr, info, [num]`
-------------------------------
Get Export Address and Names in a module.
info can be `ADDRESS`, `LABEL`, `COUNT`
Example:
```
gma "KERNEL32", MODULEBASE
mov addr, $RESULT
GMEXP addr, COUNT
log $RESULT
GMEXP addr, LABEL, 1
log $RESULT
GMEXP addr, ADDRESS, 1
log $RESULT
```
`GMI addr, info`
-------------------------------
Get information about a module to which the specified address belongs.
`info` can be :
```
;ExampleData from some *.exe
MODULEBASE, MODULESIZE ;00400000 00031000
CODEBASE, CODESIZE ;00401000 00024000
ENTRY, NSECT, DATABASE ;0041AC04 00000003 00425000(.rdata-section)
EDATATABLE, EDATASIZE IDATABASE, IDATATABLE
RESBASE, RESSIZE, RELOCTABLE, RELOCSIZE
```
...and strings:
```
NAME, PATH, VERSION ; "Sample_a" "C:\myApps\Sample_app.exe" ""
```
(if you want other info in the future versions plz tell me).
Sets the reserved `$RESULT` variable (0 if data not found).
Example:
```
GMI eip, CODEBASE
// After this $RESULT is the address to the codebase of the module to which eip belongs
GMI eip, VERSION
// instead of that you may also just use $VERSION
```
`GMIMP moduleaddr, info, [num]`
-------------------------------
Get Import address and names in a module.
info can be `ADDRESS, LABEL, MODULE, NAME, COUNT`.
if `LABEL` results string like `KERNEL32.CopyFileEx `
`MODULE` results `KERNEL32`.
NAME results "CopyFileEx"
Example:
```
gma "USER32", MODULEBASE
mov addr, $RESULT
GMIMP addr, COUNT
log $RESULT
GMIMP addr, LABEL, 1
log $RESULT
GMIMP addr, ADDRESS, 1
log $RESULT
```
`GN addr`
-------------------------------
Get the symbolic name of specified address (ex the API it points to).
Set the reserved `$RESULT` variable to the name. If that name is an API.
`$RESULT_1` is set to the library (ex kernel32) and `$RESULT_2` to the name of the API (ex ExitProcess).
Example:
```
gn 401000
```
`GO addr`
-------------------------------
Execute to specified address (like G in SoftIce)
Example:
```
go 401005
```
`GOPI addr, index, info`
-------------------------------
Get information about operands of asm command
`index` is between 1 and 3
`info` can be :
- TYPE Type of operand (extended set DEC_xxx, see OllyDbg Plugin API)
- SIZE Size of operand, bytes
- GOOD Whether address and data valid
- ADDR Address if memory, index if register
- DATA Actual value (only integer operands)
Example:
```
GOPI eip, 1, SIZE
```
Okay some more infomation about `TYPE` (from plugin.h):
```
DEC_TYPEMASK 0x1F // Type of memory byte
DEC_UNKNOWN 0x00 // Unknown type
DEC_BYTE 0x01 // Accessed as byte
DEC_WORD 0x02 // Accessed as short
DEC_NEXTDATA 0x03 // Subsequent byte of data
DEC_DWORD 0x04 // Accessed as long
DEC_FLOAT4 0x05 // Accessed as float
DEC_FWORD 0x06 // Accessed as descriptor/long pointer
DEC_FLOAT8 0x07 // Accessed as double
DEC_QWORD 0x08 // Accessed as 8-byte integer
DEC_FLOAT10 0x09 // Accessed as long double
DEC_TBYTE 0x0A // Accessed as 10-byte integer
DEC_STRING 0x0B // Zero-terminated ASCII string
DEC_UNICODE 0x0C // Zero-terminated UNICODE string
DEC_3DNOW 0x0D // Accessed as 3Dnow operand
DEC_SSE 0x0E // Accessed as SSE operand
DEC_TEXT 0x10 // For use in t_result only
DEC_BYTESW 0x11 // Accessed as byte index to switch
DEC_NEXTCODE 0x13 // Subsequent byte of command
DEC_COMMAND 0x1D // First byte of command
DEC_JMPDEST 0x1E // Jump destination
DEC_CALLDEST 0x1F // Call (and maybe jump) destination
DEC_PROCMASK 0x60 // Procedure analysis
DEC_PROC 0x20 // Start of procedure
DEC_PBODY 0x40 // Body of procedure
DEC_PEND 0x60 // End of procedure
DEC_CHECKED 0x80 // Byte was analysed
DEC_SIGNED 0x100 // For use in t_result only
```
`GPA proc, lib, [0,1]`
-------------------------------
Get the address of the specified procedure in the specified library.
When found sets the reserved `$RESULT` variable. `$RESULT == 0` if nothing found.
Useful for setting breakpoints on APIs.
Set third param to 1 if you want to keep library in memory
Example:
```
gpa "MessageBoxA", "user32.dll"
// After this `$RESULT` is the address of MessageBoxA and
// you can do "bp `$RESULT`".
```
`GOTO label`
-------------------------------
Alias for JMP
`GPP proc, lib, [0,1] `
-------------------------------
Calls GPA and tries to find API parameters count and types of the API.
`$RESULT` = ref->addr
`$RESULT_1` = disasm.result //command text
`$RESULT_2` = disasm.comment
`GPI key`
-------------------------------
Get process information, one of :
```
HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE,
PROCESSNAME, EXEFILENAME, CURRENTDIR, SYSTEMDIR
```
`GREF [line]`
-------------------------------
Get Address from Reference Window at Line. First line is 1 because 0 is CPU Initial EIP.
Without parameter, GREF results the Reference Window number of entries.
Example:
```
FINDCMD "push eax"
GREF 1
msg $RESULT
GREF 2
msg $RESULT
```
`GRO addr`
-------------------------------
Get Relative Offset
When found sets the reserved `$RESULT` variable. `$RESULT == 0` if nothing found.
`GSL [where]`
-------------------------------
Get Selection Limits
returns START/END addresses and SIZE from currently selected line(s) in CPUASM | CPUDUMP | CPUSTACK window in `$RESULT`, `$RESULT_1` & `$RESULT_2`
arg can be either : CPUDASM, CPUDUMP, CPUSTACK. Default is CPUDASM
Example:
```
gsl CPUDUMP
```
`GSTR addr, [arg1]`
-------------------------------
Get String returns a null terminated string from addr, the string is at least arg1 characters
returns in
- `$RESULT` : the string
- `$RESULT_1` : len of string
Example:
```
gstr 401000 ; arg1 in this case is set to default (2 chars)
gstr 401000, 20 ; must be at least 20 chars
```
`GSTRW addr, [arg1]`
-------------------------------
Get String returns a unicode string from addr, the string is at least arg1 characters
returns in
- `$RESULT` : the string (ascii)
- `$RESULT_1` : len of string
- `$RESULT_2` : unicode string
Example:
```
gstrw 401000 ; arg1 in this case is set to default (2 chars)
gstrw 401000, 20 ; must be at least 20 chars
```
`HANDLE x, y, class`
-------------------------------
Returns the handle of child window of specified class at point x,y (remember: in hex values).
`HISTORY (0,1)`
-------------------------------
Enable or Disable Value history in Script Progress Window, could optimize loops
Example:
```
history 0 //disable
history 1 //enable
```
`IFA,IFAE,IFB,IFBE x, y, [z]`
-------------------------------
Conditions similar to JA, JAE, JB, JBE
See CMP for parameters
Without parameter, IF commands use last CMP result
Example:
```
IFB $VERSION, "1.82"
MSG "This script requires ODBGScript version 1.82"
RET
ENDIF
```
`IFEQ x, y, [z]`
-------------------------------
Simple condition if equals
See CMP for parameters
Without parameter, IF commands use last CMP result
Example:
```
IFEQ val, 0
log "val = 0"
ELSE
log "val <> 0"
ENDIF
```
`IFNEQ x, y, [z]`
-------------------------------
Simple condition if not equals
Without parameter, IF commands use last CMP result
Example:
```
IFNEQ val, 0
log "val <> 0"
ELSE
log "val = 0"
ENDIF
```
`INC var`
-------------------------------
Adds 1 to variable
Example:
```
inc v
```
`INIR key, def`
-------------------------------
Read ODBGScript Key value in ollydbg.ini
def(ault) value determines type (wstring or dword)
Example :
```
inir "key", ""
inir "key", 0
```
`INIW key, val`
-------------------------------
Write ODBGScript Key value in ollydbg.ini
val can be a string or a dword
Example :
```
iniw "key", "x"
iniw "key", 10.
```
`ITOA n [, base=16.]`
-------------------------------
Convert an integer to string
Returns the string in the reserved `$RESULT` variable
Example:
```
_itow F
_itow 10., 10.
```
`JA label (JG)`
-------------------------------
Use this after CMP. Works like its asm counterpart.
Example:
```
ja SOME_LABEL
```
`JAE label (JGE)`
-------------------------------
Use this after CMP. Works like its asm counterpart.
Example:
```
jae SOME_LABEL
```
`JB label`
-------------------------------
Use this after CMP. Works like its asm counterpart.
Example:
```
jb SOME_LABEL
```
`JBE label`
-------------------------------
Use this after CMP. Works like its asm counterpart.
Example:
```
jbe SOME_LABEL
```
`JE label (JZ)`
-------------------------------
Use this after CMP. Works like its asm counterpart.
Example:
```
je SOME_LABEL
```
`JMP label`
-------------------------------
Unconditionally jump to a label. label can be a string variable.
Example:
```
jmp SOME_LABEL
```
`JNE label (JNZ)`
-------------------------------
Use this after CMP. Works like its asm counterpart.
Example:
```
jne SOME_LABEL
```
`KEY vkcode [, shift [, ctrl]]`
-------------------------------
Emulate global keyboard shortcut.
Example:
```
key 20
key 20, 1 //Shift+space
key 20, 0, 1 //Ctrl+space
```
`LBL addr, text`
-------------------------------
Insert a label at the specified address
Example:
```
lbl eip, "NiceJump"
```
`LC`
-------------------------------
Clear Main Log Window
`LCLR`
-------------------------------
Clear Script Log Window
`LEN str`
-------------------------------
Get length of a string
Example:
```
len "NiceJump"
msg $RESULT
```
`LM addr, size, filename`
-------------------------------
Load dump file into memory
LM is the opposite of the DM command
Example:
```
;whole file
lm 401000, 0, "test.bin"
;first 0x100 bytes
lm 401000, 100, "test.bin"
```
`LOADLIB dllname`
-------------------------------
Load a dll into debugged program memory
Could be useful to set breakpoints on dynamically loaded library
Returns address of loaded library
Example:
```
pusha
loadlib "user32.dll"
popa
```
`LOG src [,prefix]`
-------------------------------
Log `src` to OllyDbg log window.
If `src` is a constant string the string is logged as it is.
If `src` is a variable or register its logged with its name.
You can replace default prefix with the optional second parameter.
Example:
```
log "Hello world" // The string "Hello world" is logged
var x
mov x, 10
log x // The string "x: 00000010" is logged.
log x, "" // The string "00000010" is logged.
```
`LOGBUF var [,linecount [,separator]]`
-------------------------------
Logs a string or buffer like a memory dump, useful for long data
`MOV dest, src [,size]`
-------------------------------
Move src to dest.
Src can be a long hex string in the format `#<some hex numbers>#`, for example `#1234#`.
Remember that the number of digits in the hex string must be even, i.e. `2, 4, 6, 8` etc.
Example:
```
mov x, 0F
mov y, "Hello world"
mov eax, ecx
mov [ecx], #00DEAD00BEEF00#
mov !CF, 1 // set `flags` register
mov !DF, !PF
mov [403000], "Hello world"
```
`MEMCPY dest,src,size`
-------------------------------
Copy app. memory from `src` address to `dst` address.
This function is same as `mov [dst], [src], size`
Example:
```
gma "OLE32",CODEBASE
mov base, $RESULT
gma "OLE32",CODESIZE
mov size, $RESULT
alloc size
mov dst, $RESULT
MEMCPY dst,base,size
...
free dst
```
`MSG message`
-------------------------------
Display a message box with specified message
Example:
```
MSG "Script paused"
```
`MSGYN message`
-------------------------------
Display a message box with specified message and YES and NO buttons.
Sets the reserved `$RESULT` variable to `1` if `YES` is selected and `0` otherwise.
Example:
```
MSGYN "Continue?"
```
`MUL op1, op2`
-------------------------------
Sets op1 with `op1 * op2`
Example:
```
mul op1, 10
```
`NAMES addr`
-------------------------------
Open names Window for module (Like Ctrl + N)
addr is the module address
`NEG op`
-------------------------------
Assembly Operation "neg eax"
`NOT op`
-------------------------------
Assembly Operation "not eax"
`OLLY info`
-------------------------------
Get information about ollydbg
`info` can be :
- PID retrieve the Ollydbg Process ID
- HWND the main Ollydbg HWND
- THREAD the main Ollydbg Thread Handle
- THREADID the main Ollydbg Thread ID
- PATH fullpath of Ollydbg
- EXE Ollydbg.EXE
- INI Ollydbg.INI
- DIR Ollydbg directory
Example:
```
OLLY PID
mov pid, `$RESULT`
OLLY HWND
mov hwnd, `$RESULT`
```
`OR dest, src`
-------------------------------
ORs `src` and `dest` and stores result in `dest`
Example:
```
or x, 0F
or eax, x
or [401000], 5
```
`OPCODE addr`
-------------------------------
`OPCODE` set the `$RESULT` variable to the opcode bytes, `$RESULT_1` variable to mnemonic opcode (i.e. `MOV ECX,EAX`)
and `$RESULT_2` to the length of the opcode.
If an invalid opcode appears, `$RESULT_2` should be 0.
addr is increased by the length of the opcode (disassemble command).
With this function you can step forward through code.
Example:
```
opcode 00401000
```
`OPENDUMP addr [,base,size]`
-------------------------------
Create a new Dump Window with data at address.
`$RESULT` is the HWND of the new window, for future use (backup purpose)
`OPENTRACE`
-------------------------------
Opens run trace window
`PAUSE`
-------------------------------
Pauses script execution. Script can be resumed from plugin menu.
Example:
```
pause
```
`POP dw`
-------------------------------
Retrieve dword from stack
`POPA`
-------------------------------
RESTORE all registers from plugin memory (saved with PUSHA)
`PREOP addr`
-------------------------------
Get asm command line address just before specified address.
Attention: Will not give real executed command eip before the jump.
Example:
```
preop eip
```
`PUSH dw`
-------------------------------
Add dword to stack
`PUSHA`
-------------------------------
Save all register in plugin memory (to be restored by POPA)
Stack is not used by this command
`RBP [arg1]`
-------------------------------
Restore Break Points
arg1 = may be STRICT or nothing
Restores all hardware and software breakpoints
if arg1 == 'STRICT', all soft bp set by script will be deleted and only those
have been set before it runs will be restored.
If no argument set, previous soft bp will be appended to those set by script
Return in:
- `$RESULT` number of restored swbp
- `$RESULT_1` number of restored hwbp
Example:
```
rbp
rbp STRICT
```
`READSTR str, len`
-------------------------------
Copy len chars of str into `$RESULT`
`REF addr, [LOCATION]`
-------------------------------
`REF addr` works as "Find references to .. Selected command" and "Find references", `Ctrl R` in OllyDbg.
Search `LOCATION` could be the `MEMORY` block (default), `CODE` of module, or whole `MODULE`
`$RESULT` variable is set to the first reference addr
`$RESULT_1` to the opcode (text asm command)
`$RESULT_2` to the comment (like reference window).
Repeat `REF addr` until `$RESULT=0` to get next refs
`REF` value counter is reset when addr changes or forced with `addr = 0`
Example:
```
REF 0 // RESET REF
continue:
REF eip,CODE
log $RESULT
log $RESULT_1
log $RESULT_2
cmp $RESULT,0
jne continue
```
`REFRESH`
-------------------------------
To redraw memory map, module, and disasm windows
(add in version 1.60)
`RESET`
-------------------------------
Reloads target (same as `Ctrl+F2` in ollydbg)
`REPL addr, find, repl, len`
-------------------------------
Replace `find` with `repl` starting at `addr` for `len` bytes.
Wildcards are allowed
Example:
```
repl eip, #6a00#, #6b00#, 10
repl eip, #??00#, #??01#, 10
repl 401000, #41#, #90#, 1F
```
`RET`
-------------------------------
Exits script or return from CALL.
Example:
```
ret
```
`REV what`
-------------------------------
Reverse dword bytes.
Example:
```
rev 01020304 //$RESULT = 04030201
```
`ROL op, count`
-------------------------------
Assembly Operation `rol eax, cl`
save in the target (first) operand.
`ROR op, count`
-------------------------------
Assembly Operation `ror eax, cl`
Example:
```
mov x, 00000010
ROR x, 8
```
`RTR`
-------------------------------
Executes "Run to return" in OllyDbg, `Ctrl+F9` operation.
Example:
```
rtr
```
`RTU`
-------------------------------
Executes "Run to user code" in OllyDbg, `Alt+F9` operation.
Example:
```
rtu
```
`RUN`
-------------------------------
Executes `F9` in OllyDbg, you can also use `ERUN` to ignore exceptions
Example:
```
run
```
`SBP`
-------------------------------
Store Break Points
stores all hardware and software breakpoints, to be restored with `RBP`
return in:
- `$RESULT` number of stored swbp
- `$RESULT_1` number of stored hwbp
`SCMP dest, src [,size]`
-------------------------------
Compares strings `dest` to `src`. Works like its asm counterpart.
Example:
```
var sVar
mov sVar, "Hello World"
scmp sVar, "Hello", 5
je Okay
log "Error."
Okay:
log "Ok."
```
`SCMPI dest, src [,size]`
-------------------------------
Compares strings `dest` to `src` (case insentitive). Works like its asm counterpart.
Example:
```
var sVar
mov sVar, "HELLO WORLD"
scmpi sVar, "Hell", 4
je Okay
log "Error."
Okay:
log "Ok."
```
`SETOPTION`
-------------------------------
Open the OllyDBG `Options Window`, to change debugging parameters.
Script will continue on close.
`SHL dest, src`
-------------------------------
Shifts `dest` to the left `src` times and stores the result in `dest`.
Example:
```
mov x, 00000010
shl x, 8 // x is now 00001000
```
`SHR dest, src`
-------------------------------
Shifts `dest` to the right `src` times and stores the result in `dest`.
Example:
```
mov x, 00001000
shr x, 8 // x is now 00000010
```
`STEP`
-------------------------------
Execute `F8` in OllyDbg. Same as `STO`
Example:
```
step
```
`STI`
-------------------------------
Execute `F7` in OllyDbg. `STep` Into.
Example:
```
sti
```
`STO`
-------------------------------
Execute `F8` in OllyDbg. STep Over. Same as STEP
Example:
```
sto
```
`STR var`
-------------------------------
Converts variable to a String (buffer or dword)
`SUB dest, src`
-------------------------------
Reduce `src` from `dest`.
Example:
```
sub x, 0F
sub eax, x
sub [401000], 5
```
`TC`
-------------------------------
Cancels run trace in OllyDbg
Example:
```
tc
```
`TEST dest,src`
-------------------------------
Performs a logical AND of the two operands updating the flags register without saving the result.
(Modifies Flags: CF OF PF SF ZF (AF undefined))
`TI`
-------------------------------
Executes "Trace into" in OllyDbg, `CTRL-F7` in OllyDbg.
Example:
```
ti
```
`TICK [var [,reftime]]`
-------------------------------
Set variable with script execution time (microsec)
if reftime parameter is set, set `$RESULT` with time since reftime.
if no parameter is set, function set `$RESULT` with execution time in text, in "<ssss mmm> ms" format
var is declared automatically.
Example:
```
tick time
msg time //time since script startup
tick time,time
msg $RESULT //time since last TICK, DWORD value
```
`TICND cond`
-------------------------------
Traces into calls until cond is true
Example:
```
ticnd "eip > 40100A" // will stop when eip > 40100A
```
`TO`
-------------------------------
Executes "Trace over" in OllyDbg
Example:
```
to
```
`TOCND cond`
-------------------------------
Traces over calls until cond is true
Example:
```
tocnd "eip > 40100A" // will stop when eip > 40100A
```
`UNICODE enable`
-------------------------------
Set Unicode Mode, not used for the moment
Example:
```
UNICODE 1
```
`VAR`
-------------------------------
Declare a variable to be used in the script.
Example:
```
var x
```
`XOR dest, src`
-------------------------------
XORs src and dest and stores result in dest
Example:
```
xor x, 0F
xor eax, x
xor [401000], 5
```
`XCHG dest, src`
-------------------------------
Exchanges contents of source and destination.
`WRT file, data`
-------------------------------
Write to file (replace existing one) the only accepted symbol is "\r\n"
Numbers are wrote as strings... for the moment
Example:
```
wrt "out.txt", "Data:\r\nOk\r\n"
wrt sFile, ebx
```
`WRTA file, data [, separator]`
-------------------------------
Append to file, default separator is "\r\n"
Example:
```
wrt sFile, "hello world"
wrta sFile, 0ABCD, ""
wrta sFile, "Windows CR", "\r\n"
```
3.2 Labels
-------------------------------
Labels are defined bu using the label name followed by a colon.
Example:
```
SOME_LABEL:
```
3.3 Comments
-------------------------------
Comments can be put anywhere and have to start with "`;`" or "`//`".
Comment lines starting with "`;`" will be displayed in script window.
Block comments between "`/*`" and "`*/`"
3.4 Menus
-------------------------------
The main OllyScript menu consists of the following items:
- `Run script...`: lets the user select a script file and starts it
- `Abort`: aborts a running script
- `Pause`: pauses a running script
- `Resume`: resumes a paused script
- `About`: shows information about this plugin
3.5 Script Window
-------------------------------
The Script Window was introduced with ODbgScript, it enables you to debug and see progression of your script.
You can set script breakpoints, debug the script, edit variables and also execute commands manually.
4. Integration with other plugins
-------------------------------
You can call OllyScript from your plugin and make it execute a script.
Use something like the source code below:
```c
HMODULE hMod = GetModuleHandle("ODbgScript.dll");
if(hMod) // Check that the other plugin is present and loaded
{
// Get address of exported function
int (*pFunc)(char*) = (int (*)(char*)) GetProcAddress(hMod, "ExecuteScript");
if(pFunc) // Check that the other plugin exports the correct function
pFunc("myscript.txt"); // Execute exported function
}
```
DebugScript dll entry is also available.
You can also execute script commands via OllyDBG ODBG_plugincmd()
and in Conditional Log Breakpoints.
5. Contact us
-------------------------------
To contact us you can post your question in the forum or go on IRC
and message Epsylon3 or SHaG on EFnet.
You can also use Sourceforge.net Forums or Bug Trackers
6. License and source code
-------------------------------
Soon I'm going to armadildo this plugin and charge an awful lot of money
for it! :P Seriously, you are free to use this plugin and the source code however you see fit. However please name me in your documentation/about box and if
the project you need my code for is on a larger scale please also notify
me - I am curious.
7. Thanks!
-------------------------------
I'd like to thank all the wonderful people who reported bugs, wrote scripts, came
with improvement ideas etc.
R@dier for the great dumping engine.
shERis, nick_name, MetaCore, XanSama, arnix, hila123, bukkake, Human, hnhuqiong,
SunBeam, LCF AT, Fungus, hnedka, Zool@nder for ideas and bug report on the new ODbgScript
And of course Olly for this great debugger!
****
8. Command Quick Search
---------------------------------------------
```
; execution
ERUN // SHIFT-F9, Run with Ignore Exceptions.[unavailable]
ESTEP // SHIFT-F8, Step Over ignoring Exceptions.[unavailable]
ESTI // SHIFT-F7, Step Into ignoring Exceptions.[unavailable]
GO addr // Execute to specified address (like G in SoftIce)
RTR // Ctrl-F9, Executes "Run to return" in OllyDbg,.
RTU // Alt-F9, Executes "Run to user code" in OllyDbg
RUN // F9, you can also use ERUN to ignore exceptions
STI // F7, STep Into.
STO // F8, STep Over. Same as STEP
STEP // F8, Same as STO.
AI // CTRL-F7, Execute "Animate into" in OllyDbg
// "Animate into" (自动步入), 相当于持续的 F7 操作
AO // CTRL-F8, Animate over
TI // CTRL-F11, Trace into
TO // CTRL-F12, Trace over
TICND cond // Traces into calls until cond is true
TOCND cond // Traces over calls until cond is true
; display
ASK question // Display input box and lets user enter a response.[unavailable]
MSG message // Display a message box with specified message
MSGYN message // Display a message box with specified message and YES and NO buttons.
; log
#LOG // Enable logging of executed commands.
LC // Clear Main Log Window
LCLR // Clear Script Log Window
LOG src [,prefix] // Log src to OllyDbg log window.
LOGBUF var [,linecount [,separator]]
// Logs a string or buffer like a memory dump, useful for long data
; Breakpoint
BPL addr, expr // logging breakpoint at address addr that logs expression expr.
BP addr (ubp) // Set unconditional breakpoint at addr.
BPCND addr, cond // Set breakpoint on address addr with condition cond.
BPD callname // Remove breakpoint on dll call set by BPX
BPGOTO addr, label // Automatic Jump at label on Breakpoint (Standard(INT3) and Hardware).
BPHWC [addr] // Delete hardware breakpoint at a specified address.
BPHWS addr, [mode] // Set hardware breakpoint. Mode can be 'r/w/x'
BPX callname // Set breakpoint on every api calls found in current module.
BPMC // Clear the memory breakpoint.
BPRM addr, size // Set memory breakpoint on read. Size is size of memory in bytes.
BPWM addr, size // Set memory breakpoint on write. Size is size of memory in bytes.
GBPR #BETA# // Get last breakpoint reason, affects $RESULT with dword value
GBPM #BETA# // Get last memory breakpoint address, affects $RESULT with dword value
BC [addr] // Clear unconditional breakpoint at addr.
BD [addr] // Disable breakpoint at addr.
COB // Makes script continue execution after a breakpoint has occured (removes EOB)
EOB label // Transfer execution to some label on next breakpoint.
BPLCND addr, expr, cond // BPL if condition cond is true.
RBP [arg1] // Restore Break Points
SBP // Store Break Points
DBH // Hides debugger against kernel32!IsDebuggerPresent()
; memory
ALLOC size // Allocate new memory page, you can read/write and execute.
DM addr, size, file // Dumps memory of specified size from specified address
// to specified file (default path set from opened app.)
DMA addr, size, file
// Dumps memory of specified size from specified address
// to specified file appending to that file if it exists
LM addr, size, filename // Load dump file into memory
DPE filename, ep // Dumps the executable to file with specified name.
BACKUP addr [,base,size] // Like OPENDUMP, create a Dump Window with data at address.
OPENDUMP addr [,base,size] // Create a new Dump Window with data at address.
FILL addr, len, value // Fills len bytes of memory at addr with value
FIND addr, what // Searches memory starting at addr for the specified value.
FINDMEM what [, StartAddr] // Searches whole memory for the specified value.
FREE addr [, size] // Free memory block allocated by ALLOC (or not).
LOADLIB dllname // Load a dll into debugged program memory
MEMCPY dest,src,size// Copy app. memory from src address to dst address.
POPA // RESTORE all registers from plugin memory (saved with PUSHA)
PUSHA // Save all register in plugin memory (to be restored by POPA)
REFRESH // To redraw memory map, module, and disasm windows
; file
#INC file // Include a script file in another script file
ASM addr, command [,version] // Assemble a command at some address.
ASMTXT addr, file // Assemble a text asm file at some address.
WRT file, data // Write to file, the only accepted symbol is "\r\n"
WRTA file, data [, separator] // Append to file, default separator is "\r\n"
; convert
ATOI str [, base=16.] // Convert a string to integer
BUF var // Converts string/dword variable to a Buffer
ITOA n [, base=16.] // Convert an integer to string
STR var // Converts variable to a String (buffer or dword)
EVAL // Evaluates a string expression that contains variables.
READSTR str, len // Copy len chars of str into $RESULT
; Get
GMEMI addr, info // Get information about a memory block to which the specified address belongs.
EXEC/ENDE // Executes instructions between EXEC and ENDE in the context of the target process.
RESET // Reloads target (same as Ctrl+F2 in ollydbg)
GCI addr, info // Get Command Information of asm instruction at "addr".
GCMT addr // Get the comment, automatic comment or analyses comment at specified code address
GMA name, info // Call GMI(GMI addr, info, Get Module Info), but parameter is short name of the module
GFO addr // Get File Offset of address
GLBL addr // Get Label at address
GMEXP moduleaddr, info, [num]// Get Export Address and Names in a module.
GMI addr, info // Get information about a module to which the specified address belongs.
GMIMP moduleaddr, info, [num]// Get Import address and names in a module.
GN addr // Get the symbolic name of specified address (ex the API it points to).
GOPI addr, index, info// Get information about operands of asm command
GPA proc, lib, [0,1]// Get the address of the specified procedure in the specified library.
GPI key // Get process information, one of :
GREF [line] // Get Address from Reference Window at Line.
// First line is 1 because 0 is CPU Initial EIP.
GRO addr // Get Relative Offset
GSL [where] // Get Selection Limits
GSTR addr, [arg1] // Get String returns a null terminated string from addr, the string is at least arg1 characters
GSTRW addr, [arg1] // Get String returns a unicode string from addr, the string is at least arg1 characters
LEN str // Get length of a string
OLLY info // Get information about ollydbg
PREOP addr // Get asm command line address just before specified address.
GAPI addr #BETA# // Obtains the code place API call information.
; find
BEGINSEARCH [start] {commands} ENDSEARCH
// Create a Copy of Debugged App Memory, Find commands will use this data faster.
DBS // Unhides debugger so kernel32!IsDebuggerPresent() will find it.
FINDCALLS addr [,name]// Find all intermodular calls (dll calls) in the disasm area.
FINDCMD addr, cmdstr// Search for asm command(s), you can search for series also with ";" separator.
FINDCMDS // Same as FINDCMD.
FINDOP addr, what [, maxsize]// Searches code starting at addr for an instruction that begins with the specified bytes.
FINDOPREV addr, what// Searches code backwards starting at addr for an instruction that begins with the specified bytes.
GPP proc, lib, [0,1]// Calls GPA and tries to find API parameters count and types of the API.
REF addr, [LOCATION]// REF addr works as "Find references to .. Selected command" and "Find references", Ctrl R in OllyDbg.
REPL addr, find, repl, len// Replace find with repl starting at addr for len bytes.
; ollydbg
CLOSE window // Close an Ollydbg MDI window
INIR key, def // Read ODBGScript Key value in ollydbg.ini
INIW key, val // Write ODBGScript Key value in ollydbg.ini
SETOPTION // Open the OllyDBG Options Window, to change debugging parameters. [unavailable]
TC // Cancels run trace in OllyDbg
HANDLE x, y, class // Returns the handle of child window of specified class at point x,y (remember: in hex values).
HISTORY (0,1) // Enable or Disable Value history in Script Progress Window, could optimize loops
NAMES addr // Open names Window for module (Like Ctrl + N)
OPENTRACE // Opens run trace window
UNICODE enable // Set Unicode Mode, not used for the moment
CMT addr, text // Inserts a comment at the specified address
AN addr // Analyze module which contains the address addr.
; script
COE // Makes script continue execution after an exception has occured (removes EOE)
CRET // Clear stack of calls, to terminate script in a function.
PAUSE // Pauses script execution. Script can be resumed from plugin menu.
RET // Exits script or return from CALL.
TICK [var [,reftime]]// Set variable with script execution time (microsec)
VAR // Declare a variable to be used in the script.
KEY vkcode [, shift [, ctrl]] // Emulate global keyboard shortcut.
; cmpare
CMP dest, src [,size] // Compares dest and src. Works like its ASM counterpart.
JA label (JG) // Use this after CMP. Works like its asm counterpart.
JAE label (JGE) // Use this after CMP. Works like its asm counterpart.
JB label // Use this after CMP. Works like its asm counterpart.
JBE label // Use this after CMP. Works like its asm counterpart.
JE label (JZ) // Use this after CMP. Works like its asm counterpart.
JNE label (JNZ) // Use this after CMP. Works like its asm counterpart.
SCMP dest, src [,size]// Compares strings dest to src. Works like its asm counterpart.
SCMPI dest, src [,size]// Compares strings dest to src (case insentitive). Works like its asm counterpart.
# calculate
INC var // Adds 1 to variable
ADD dest, src // Adds src to dest and stores result in dest
SUB dest, src // Reduce src from dest.
DEC var // Subtracts 1 from variable
MUL op1, op2 // Sets op1 with op1 * op2
DIV op1, op2 // Sets op1 with op1/op2
AND dest, src // AND's src and dest and stores result in dest
OR dest, src // ORs src and dest and stores result in dest
XOR dest, src // XORs src and dest and stores result in dest
NEG op // Assembly Operation "neg eax"
NOT op // Assembly Operation "not eax"
TEST dest,src
// logical AND two operands updating flags register without saving the result.
ROL op, count // Assembly Operation rol eax, cl
ROR op, count // Assembly Operation ror eax, cl
SHL dest, src // Shifts dest to the left src times and stores the result in dest.
SHR dest, src // Shifts dest to the right src times and stores the result in dest.
# control
CALL label // jumps to label and runs it.
GOTO label // Alias for JMP.
JMP label // Unconditionally jump to a label. label can be a string variable.
LBL addr, text // Insert a label at the specified address
EOE label // Transfer execution to some label on next exception.
ELSE/ENDIF // See IFxx commands
IFA,IFAE,IFB,IFBE x, y, [z] // Conditions similar to JA, JAE, JB, JBE
IFEQ x, y, [z] // Simple condition if equals
IFNEQ x, y, [z] // Simple condition if not equals
MOV dest, src [,size]// Move src to dest.
OPCODE addr // set $RESULT to opcode bytes, $RESULT_1 to mnemonic opcode (i.e. MOV ECX,EAX)
POP dw // Retrieve dword from stack
PUSH dw // Add dword to stack
REV what // Reverse dword bytes.
XCHG dest, src // Exchanges contents of source and destination.
```[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
