-
-
[分享]第13章 脱壳技术(13.9 加密壳)与ODbgScript脱ASProtect壳
-
发表于: 2017-7-25 09:15 7265
-
背景:
在看《加密与解密(第三版)》看到13.9.1 ASProtect脱壳,手动使用OD2.01配合书上的说明进行动态调试,但是始终不能按照书上所说定位到P364页 `00A8BA97 push edx` 这个需要打补丁的位置。只能通过 .code段写断点定位到 `00A8BABB mov dword ptr [ebp], eax` 的位置。
每次调试因为ASLR(本人使用win10+OD环境)的原因,地址`00A8BA97`总是动态变化的,想了各种办法,还是不能对此位置下断点。
另外,书上p364最后一段说 “按 Alt + M 打开内存窗口,对代码段再次下内存写断点,如下图所示,本人没有找到啊!!解决办法是 Set access -> Read Only, 然后 OD的选项中 Exception -> Ignore -> Memory access violation 关闭, 然后继续动态调试直到 .code 段内存访问异常。
在P365 页,书上提到 OllyScript,于是想办法使用脚本来解决下断点的问题,也避免每次补丁验证都需要 “下断点 -> 取消断点 -> 重新下断点 -> 配置 OD选项 -> F9/Shifrt-F9->手动编辑补丁代码" 不停的反复体力劳动。
ODbgScript for 光盘程序“
.\13.10.1 ASProtect\Emulate standard system functions\TraceMe_Emulate standard system functions.exe
” 调试源代码
// MSG "[SETOPTION] Ignore Memory access violations" ; first BP of writing .code section GMI eip,CODEBASE ; Get Module Info MOV codebase,$RESULT BPWM codebase,4 RUN STO ; Step Over "REP" command ; BP on decompress func RUN BPMC ; BP on checksum func BPRM codebase,4 RUN BPMC ; BP on Emulate function entry FIND eip,#526A008D4C2418# MOV emu_func, $RESULT BP emu_func RUN BC ; padding code ALLOC 1000 MOV addr_pad, $RESULT MOV pp, addr_pad ASM pp, "pushad" ADD pp, $RESULT GMI codebase, DATABASE ; Get Module Info MOV database, $RESULT ITOA database MOV tmp, "mov esi, "+$RESULT ASM pp, tmp ; IAT start address ADD pp, $RESULT ASM pp, "cmp dword ptr ds:[esi],eax" ; EAX = VA_of_API ADD pp, $RESULT MOV tmp, addr_pad ADD tmp, 17 ITOA tmp MOV tmp, "je short " + $RESULT ASM pp, tmp ADD pp, $RESULT ASM pp, "add esi, 4" ADD pp, $RESULT MOV tmp, database ADD tmp, D0 ITOA tmp MOV tmp, "cmp esi, " + $RESULT ASM pp, tmp ADD pp, $RESULT MOV tmp, addr_pad ADD tmp, 2B ITOA tmp MOV tmp, "ja short " + $RESULT ASM pp, tmp ADD pp, $RESULT MOV tmp, addr_pad ADD tmp, 6 ITOA tmp MOV tmp, "jmp " + $RESULT ASM pp, tmp ADD pp, $RESULT ASM pp, "mov cx, 15FF" ADD pp, $RESULT ASM pp, "mov word ptr ss:[ebp], cx" ADD pp, $RESULT ASM pp, "add ebp, 2" ADD pp, $RESULT ASM pp, "mov dword ptr [ebp], esi" ADD pp, $RESULT ASM pp, "popad" ADD pp, $RESULT MOV tmp, emu_func ADD tmp, 31 ITOA tmp MOV tmp, "jmp " + $RESULT ASM pp, tmp /* ; BP for dump MOV tmp, emu_func ADD tmp, 6A BP tmp */ ; BP for OEP MOV tmp, codebase ADD tmp, 3A0 BP tmp ; redirect eip to padding space LABEL: CMP eip, emu_func JNE END MOV eip, addr_pad RUN JMP LABEL END: PAUSE ; do nothing ;BC ;BPMC
由于写上面代码需要参考官方文档,官方文档存在较多错误,另外部分指令不可用,也未提供指令速览功能,本人对官方文档进行了可读性整理,及修正部分错误。
文档内容[请使用markdown阅读工具收藏查阅]
------------------------------- [ODbgScript original plugin](http://github.com/odbgscript) ------------------------------- 1. About OllyScript and ODbgScript 2. Status 2.1 What's new? 3. Documentation 3.1 Language 3.1.1 Reserved variables 3.1.2 Commands 3.2 Labels 3.3 Comments 3.4 Menus 3.5 Script Window 4. Integration with other plugins 5. Contact me 6. License and source code 7. Thanks! ------------------------------- 1. About ODbgScript ------------------------------- ODbgScript is a plugin for OllyDbg, which is, in our opinion, the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. ODbgScript is a plugin meant to let you **automate OllyDbg** by writing scripts in an **assembly-like language**. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using this plugin you can write a script once and for all. ------------------------------- 2. Status ------------------------------- v2.0 ODbgScript for OllyDBG 2, project moved to github 2.1 What's new? ------------------------------- 2.0 + OllyDBG 2 branch, project moved to github ------------------------------- 3. Documentation ------------------------------- Example script (sample.osc) is available with this release. The script will break on LoadLibrary call to debug a SHELL32.DLL function. Try it on mspaint.exe 3.1 Language ------------------------------- The scripting language of OllyScript is an assembly-like language. ### In the document below, src and dest can be (unless stated otherwise): --------------------------- * Constant in the form of a **hex** number without prefixes and suffixes, with leading 0 * **hex** number (i.e. 00FF, not 0x00FF or 00FFh) * **decimal** values, use the point (i.e. 100. 128.) * Variable previously declared by **VAR**, or are declared with MOV * A 32-bit **registers** (one of EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP). * A 16-bit register (one of AX, BX, CX, DX, SI, DI, BP, SP) * A 8-bit register (one of AL, AH, ... DL, DH) * A **memory** reference in square brackets (i.e. [401000] points to the memory at address 401000, [ecx] points to the memory at address ecx). * A **flag** with an exclamation mark in front (one of !CF, !PF, !AF, !ZF, !SF, !DF, !OF) * Sometimes **byte** strings are required. * Those are scripted as #6A0000# (values between two #) and must have an even number of characters. * Some byte strings can contain the **wildcard** '?', for example #6A??00# or #6?0000# ### A combination of these values with operators: ------------------------------- You can use operators in your scripts, +-*/&|^>< for dword and + to concatenate strings. * Operators **>** and **<** are **shr** and **shl** (>> and << in C/C++) * Operator **^** is **XOR** * Operator **&** is **AND** * Operator **|** is **OR** 3.1.1 Reserved variables ------------------------------- `$RESULT` ------------------------------- Return value for some functions like FIND etc. `$RESULT_1` and `$RESULT_2` are available for some commands. `$VERSION` ------------------------------- Contains current version of OllyScript Example: ``` cmp $VERSION, "0.8" ja version_above_08 ``` 3.1.2 Commands ------------------------------- `#INC file` ------------------------------- Include a script file in another script file Example: ``` #inc "anotherscript.txt" ``` `#LOG` ------------------------------- Enable logging of executed commands. The commands will appear in OllyDbg log window, and will be prefixed with --> Example: ``` #log ``` `ADD dest, src` ------------------------------- Adds src to dest and stores result in dest Example: ``` add x, 0F add eax, x add [401000], 5 add y, " times" // If y was 1000 before this command then y is "1000 times" after it ``` `AI` ------------------------------- Execute "Animate into" in OllyDbg Example: ``` ai ``` `ALLOC size` ------------------------------- Allocate new memory page, you can read/write and execute. Example ``` alloc 1000 free $RESULT, 1000 ``` `AN addr` ------------------------------- Analyze module which contains the address addr. Example: ``` an eip // Same as pressing CTRL-A ``` `AND dest, src` ------------------------------- AND's src and dest and stores result in dest Example: ``` and x, 0F and eax, x and [401000], 5 ``` `AO` ------------------------------- Executes "Animate over" in OllyDbg Example: ao `ASK question` ------------------------------- Display an input box with the specified question and lets user enter a response. Sets the reserved `$RESULT` variable (0 if cancel button was pressed). You have also the length in `$RESULT_1` (divided by 2 for hex entries) Example: ``` ask "Enter new EIP" cmp $RESULT, 0 je cancel_pressed mov eip, $RESULT ``` `ASM addr, command [,version]` ------------------------------- Assemble a command at some address. Change version number (0,1,...) to get alternative code bytes, if possible. Returns bytes assembled in the reserved `$RESULT` variable Example: ``` asm eip, "mov eax, ecx" ``` `ASMTXT addr, file` ------------------------------- Assemble a text asm file at some address. Example: ``` asmtxt EIP, "myasm.txt" ``` `ATOI str [, base=16.]` ------------------------------- Convert a string to integer Returns the integer in the reserved `$RESULT` variable Example: ``` atoi "F" atoi "10", 10. ``` `BACKUP addr [,base,size]` ------------------------------- Like `OPENDUMP`, create a Dump Window with data at address. But this dump window keeps a backup of data, which can be used to view changes. `$RESULT` is the HWND of window, for future use Note: If you are looking to save data in a file, see the `DM` function (Dump Memory) Example: ``` BACKUP esp STO // STep Over STO ``` `BC [addr]` ------------------------------- Clear unconditional breakpoint at addr. Without parameter, the command clears all loaded breakpoints Example: ``` bc 401000 bc x bc eip ``` `BD [addr]` ------------------------------- Disable breakpoint at addr. Without parameter, the command disables all loaded breakpoints Example: ``` bp 401000 BD 401000 ``` `BEGINSEARCH [start] {commands} ENDSEARCH` ------------------------------- Create a Copy of Debugged App Memory, Find commands will use this data faster. You need to use ENDSEARCH before writing to memory and to free this memory copy. Optimization time is 20% for 5000 loops... but could maybe be optimized Example: ``` mov count, 0 mov start, eip beginsearch start next: find start, #00# // "FIND addr, what" $RESULT == 0 if nothing found. cmp $RESULT,0 je end mov start, $RESULT+1 add count, 1 jmp next end: endsearch msg count ``` `BP addr (ubp)` ------------------------------- Set unconditional breakpoint at addr. Example: ``` bp 401000 bp x bp eip ``` `BPCND addr, cond` ------------------------------- Set breakpoint on address addr with condition cond. Example: ``` bpcnd 401000, "ECX==1" ``` `BPD callname` ------------------------------- Remove breakpoint on dll call set by `BPX` `BPGOTO addr, label` ------------------------------- Automatic Jump at label on Breakpoint (Standard(INT3) and Hardware). `EOB` Like Command Example: ``` bphws addr bpgoto addr, MyLabel NextBP: RUN ... MyLabel: ... jmp NextBP ``` `BPHWC [addr]` ------------------------------- Delete hardware breakpoint at a specified address. Without address, clear all hardware breakpoints. Example: ``` bphwc 401000 ``` `BPHWS addr, [mode]` ------------------------------- Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute (default). Example: ``` bphws 401000, "x" ``` `BPL addr, expr` ------------------------------- Sets logging breakpoint at address addr that logs expression expr. Example: ``` bpl 401000, "eax" // logs the value of eax everytime this line is passed ``` `BPLCND addr, expr, cond` ------------------------------- Sets logging breakpoint at address addr that logs expression expr if condition cond is true. Example: ``` bplcnd 401000, "eax", "eax > 1" // logs the value of eax everytime this line is passed and eax > 1 ``` `BPMC` ------------------------------- Clear the memory breakpoint. Example: ``` bpmc ``` `BPRM addr, size` ------------------------------- Set memory breakpoint on read. Size is size of memory in bytes. Example: ``` bprm 401000, FF ``` `BPWM addr, size` ------------------------------- Set memory breakpoint on write. Size is size of memory in bytes. Example: ``` bpwm 401000, FF ``` `BPX callname` ------------------------------- Set breakpoint on every api calls found in current module. Then you can clear these breakpoints with `BPD` Example: ``` bpx "GetModuleHandleA" ``` `BUF var` ------------------------------- Converts string/dword variable to a Buffer Example: ``` mov s, "123" buf s log s // output #313233# ``` ```python In [3]: list(map(lambda x: hex(ord(x)), '123')) # python Out[3]: ['0x31', '0x32', '0x33'] ``` `CALL label` ------------------------------- jumps to the given label and runs it. The only difference to jmp is that it'll return if a `RET` is executed. `Call` & `Ret` will help you structured and organises ya scripts. Example 1 - a procedure with a body and a parameter: ``` var myArg1 mov myArg1, 5 call PROC_myproc2 // Arg1 is 'passed' byReference log myArg1 Ret // Exit the script PROC_myproc2: add myArg1, 1 RET // Just exit 'PROC_myproc2' ``` (Okay well actually Arg1 is just a global Var that is not really passed to the function.) ------------------------------- Example2 - DIY-function like this `Func_myFunc1(myArg1, 3)` ``` var myArg1 mov myArg1, 5 push myArg1 // Arg1 push 3 // Arg2 Call Func_myFunc1 log $RESULT // Show return value log Local1 // if that were a real local that shouldn't work Ret Func_myFunc1: var Local2 // Passing Arg2 byValue pop Local2 // Local2=Arg2 var Local1 // Passing Arg1 byValue pop Local1 // Local1=Arg1 sub Local1, Local2 mov $RESULT, Local1 RET ``` `CLOSE window` ------------------------------- Close an Ollydbg MDI window window parameter can be a `constant` or a `HWND` (like `$RESULT` of `OPENDUMP`/`BACKUP`). ``` SCRIPT, SCRIPTLOG, LOG, CPU MODULES, MEMORY, THREADS, BREAKPOINTS REFERENCES, SOURCELIST, WATCHES WINDOWS, PATCHES, RUNTRACE, CALLSTACK TEXT, FILE, HANDLES, SEH, SOURCE ``` `CMP dest, src [,size]` ------------------------------- Compares dest and src. Works like its `ASM` counterpart. see `SCMP` to compare strings or memory data Example: ``` cmp y, x cmp eip, 401000 je label cmp cx, x, 2 je label ``` `CMT addr, text` ------------------------------- Inserts a comment at the specified address Example: ``` cmt eip, "This is the entry point" ``` `COB` ------------------------------- Makes script continue execution after a breakpoint has occured (removes EOB) Example: ``` COB ``` `COE` ------------------------------- Makes script continue execution after an exception has occured (removes EOE) Example: ``` COE ``` `CRET` ------------------------------- Clear stack of calls, to terminate script in a function. Example: ``` CRET RET ``` `DBH` ------------------------------- Hides debugger against `kernel32!IsDebuggerPresent()` (Note that's done through [BYTE [[FS:18]+30]+2] = 0) Example: ``` dbh ``` `DBS` ------------------------------- Unhides debugger so kernel32!IsDebuggerPresent() will find it. (Note that's done through [BYTE [[FS:18]+30]+2] = 1). Example: ``` dbs ``` `DEC var` ------------------------------- Subtracts 1 from variable Example: ``` dec v ``` `DIV op1, op2` ------------------------------- Sets op1 with op1/op2 Example: ``` div var, 2 ``` `DM addr, size, file` ------------------------------- Dumps memory of specified size from specified address to specified file (default path set from opened app.) Example: ``` dm 401000, 1F, "c:\dump.bin" ``` `DMA addr, size, file` ------------------------------- Dumps memory of specified size from specified address to specified file appending to that file if it exists Example: ``` dma 401000, 1F, "c:\dump.bin" ``` `DPE filename, ep` ------------------------------- Dumps the executable to file with specified name. * Entry Point is set to EP. * Path is relative to the path of the currently loaded executable. * Notes: * uses PEFileInfo.dwSizeOfImage * Applies dumpfix to PE.sectionHdr (PointerToRawData = VirtualAddress SizeOfRawData = VirtualSize) Example: ``` dpe "c:\test.exe", eip ``` `ELSE/ENDIF` ------------------------------- See `IFxx` commands `EOB label` ------------------------------- Transfer execution to some label on next breakpoint. (see `BPGOTO` command to assign a label to a breakpoint) Example: ``` eob SOME_LABEL ``` `EOE label` ------------------------------- Transfer execution to some label on next exception. Example: ``` eob SOME_LABEL ``` `ERUN [formerly ESTO]` ------------------------------- Executes `SHIFT-F9` in OllyDbg. Run with Ignore Exceptions. Note: Was ESTO before, but the command is depreciated Example: ``` erun ``` `ESTEP` ------------------------------- Executes `SHIFT-F8` in OllyDbg. Step Over ignoring Exceptions. Example: ``` estep ``` `ESTI` ------------------------------- Executes SHIFT-F7 in OllyDbg. Step Into ignoring Exceptions. Example: ``` esti ``` `EVAL` ------------------------------- Evaluates a string expression that contains variables. The variables that are declared in the current script can be enclosed in curly braces `{var}` to be inserted. Sets the reserved `$RESULT` variable Example: ``` var x mov x, 1000 eval "The value of x is {x}" // after this $RESULT is "The value of x is 1000" ``` `EXEC/ENDE` ------------------------------- Executes instructions between `EXEC` and `ENDE` in the context of the target process. Values in curly braces `{}` are replaced by their values. `pusha` / `popa` commands could be useful when you use this. Examples: ``` // This does some mov's mov x, "eax" mov y, DEADBEEF // hex constant cwithout prefix '0' exec mov {x}, {y} // "mov eax, 0DEADBEEF" will be executed mov ecx, {x} // "mov ecx, eax" will be executed ende // This calls ExitProcess in the debugged application exec push 0 call ExitProcess ende ret ``` `FILL addr, len, value` ------------------------------- Fills len bytes of memory at addr with value Example: ``` fill 401000, 10, 90 // NOP 10h bytes ``` `FIND addr, what` ------------------------------- Searches memory starting at addr for the specified value. When found sets the reserved `$RESULT` variable. `$RESULT == 0` if nothing found. The search string can also use the wildcard `??` (see below). Example: ``` find eip, #6A00E8# // find a PUSH 0 followed by some kind of call find eip, #6A??E8# // find a PUSH 0 followed by some kind of call ``` `FINDCALLS addr [,name]` ------------------------------- Find all intermodular calls (dll calls) in the disasm area. You can filter results by label (case insensitive) with the optionnal second parameter. Reference Window is used and its content changed Then can use `GREF` to get results count and retrieve them. Example: ``` findcalls eip, "exit" gref // Get REFerence of "findcalls" msg $RESULT ``` `FINDCMD addr, cmdstr` ------------------------------- Search for asm command(s), you can search for series also with ";" separator. This command uses "Search for All Sequences" Ollydbg function so could find relative `calls`/`jmp` Reference Window is used and its content changed. You can use `GREF` to get next results in disasm window range. Example 1: ``` mov line, 1 findcmd eip, "push edi" next: gref line cmp $RESULT, 0 je finished inc line jmp next finished: msg "finished!" Example 2: findcmd 401000, "nop;nop;nop" msg $RESULT ``` `FINDCMDS` ------------------------------- Same as FINDCMD. `FINDCMDS`(this function name could be deleted in future versions) `FINDOP addr, what [, maxsize]` ------------------------------- Searches code starting at addr for an instruction that begins with the specified bytes. It sets the reserved `$RESULT` variable to the start of the found instruction. If `$RESULT == 0` nothing was found. The search string can also use the wildcard `??` (see below). Use maxsize to limit that search range. Examples: ``` findop 401000, #61# // find next POPAD findop 401000, "1" // = #61# findop 401000, #6A??# // find next PUSH of something ``` `FINDOPREV addr, what` ------------------------------- Searches code backwards starting at addr for an instruction that begins with the specified bytes. It sets the reserved `$RESULT` variable to the start of the found instruction. If `$RESULT == 0` nothing was found. The search string can also use the wildcard `??` (see below). Example: ``` FINDOPREV eip, #68??????00# // find next PUSH 00xxxxxx backwards ``` `FINDMEM what [, StartAddr]` ------------------------------- Searches whole memory for the specified value. When found sets the reserved `$RESULT` variable. `$RESULT == 0` if nothing found. The search string can also use the wildcard "??" (see below). Example: ``` findmem #6A00E8# // find a PUSH 0 followed by some kind of call findmem #6A00E8#, 00400000 // search it after address 0040.0000 ``` `FREE addr [, size]` ------------------------------- Free memory block allocated by `ALLOC` (or not). If size not given, drop whole memory block. Example: ``` alloc 1000 free $RESULT ``` `GAPI addr #BETA#` ------------------------------- Obtains the code place API call information. The API information saves in preservation variable `$RESULT`. If the symbolic name is a API function, then. `$RESULT` saves the API information. `$RESULT_1` save link base/storehouse (for instance kernel32). `$RESULT_2` save symbolic name (for instance ExitProcess). `$RESULT_3` save calling location (for instance call xxxxx). `$RESULT_4` save destination. Notice: This and the GN difference is GN must point to the IAT address But GAPI gives the code address to be possible directly to obtain API Also has, if you have gotten down the software break point in here, please first clear the break point to use this sentence again, because the software break point modified the code is CC If here does not clear here the software break point, will create this not to be able the very good recognition. Example: ``` GAPI 401000 (call kernel32.ExitProcess) GAPI EIP // examined whether the current code is API calls, is not then returns to 0 ``` `GBPM #BETA#` ------------------------------- Get last memory breakpoint address, affects `$RESULT` with dword value `GBPR #BETA#` ------------------------------- Get last breakpoint reason, affects `$RESULT` with dword value Example: ``` GBPR cmp $RESULT, 10 je SelectNormalBP cmp $RESULT, 20 je SelectMemBP cmp $RESULT, 40 je SelectHwBP jmp NextBP ``` `GCI addr, info` ------------------------------- Get Command Information of asm instruction at "addr". "info" specifies what data should be returned in `$RESULT`: * `COMMAND` for asm command string (like OPCODE) * `CONDITION` {disasm.condition} * `DESTINATION` for Destination of jump/call/return * `SIZE` for number of command bytes * `TYPE` for asm command string (one of C_xxx, see OllyDbg Plugin API) Example: ``` GCI eip, DESTINATION ``` `GCMT addr` ------------------------------- Get the comment, automatic comment or analyses comment at specified code address `GMA name, info` ------------------------------- Call `GMI`(`GMI addr, info`, Get Module Info), but parameter is short name of the module Example: ``` GMA "KERNEL32", MODULEBASE ``` `GFO addr` ------------------------------- Get File Offset of address `GLBL addr` ------------------------------- Get Label at address `GMEMI addr, info` ------------------------------- Get information about a memory block to which the specified address belongs. "info" can be `MEMORYBASE`, `MEMORYSIZE` or `MEMORYOWNER` (if you want other info in the future versions plz tell me). Sets the reserved `$RESULT` variable (0 if data not found). Example: ``` GMEMI addr, MEMORYBASE // After this $RESULT is the address to the memory base of the memory block to which addr belongs ``` `GMEXP moduleaddr, info, [num]` ------------------------------- Get Export Address and Names in a module. info can be `ADDRESS`, `LABEL`, `COUNT` Example: ``` gma "KERNEL32", MODULEBASE mov addr, $RESULT GMEXP addr, COUNT log $RESULT GMEXP addr, LABEL, 1 log $RESULT GMEXP addr, ADDRESS, 1 log $RESULT ``` `GMI addr, info` ------------------------------- Get information about a module to which the specified address belongs. `info` can be : ``` ;ExampleData from some *.exe MODULEBASE, MODULESIZE ;00400000 00031000 CODEBASE, CODESIZE ;00401000 00024000 ENTRY, NSECT, DATABASE ;0041AC04 00000003 00425000(.rdata-section) EDATATABLE, EDATASIZE IDATABASE, IDATATABLE RESBASE, RESSIZE, RELOCTABLE, RELOCSIZE ``` ...and strings: ``` NAME, PATH, VERSION ; "Sample_a" "C:\myApps\Sample_app.exe" "" ``` (if you want other info in the future versions plz tell me). Sets the reserved `$RESULT` variable (0 if data not found). Example: ``` GMI eip, CODEBASE // After this $RESULT is the address to the codebase of the module to which eip belongs GMI eip, VERSION // instead of that you may also just use $VERSION ``` `GMIMP moduleaddr, info, [num]` ------------------------------- Get Import address and names in a module. info can be `ADDRESS, LABEL, MODULE, NAME, COUNT`. if `LABEL` results string like `KERNEL32.CopyFileEx ` `MODULE` results `KERNEL32`. NAME results "CopyFileEx" Example: ``` gma "USER32", MODULEBASE mov addr, $RESULT GMIMP addr, COUNT log $RESULT GMIMP addr, LABEL, 1 log $RESULT GMIMP addr, ADDRESS, 1 log $RESULT ``` `GN addr` ------------------------------- Get the symbolic name of specified address (ex the API it points to). Set the reserved `$RESULT` variable to the name. If that name is an API. `$RESULT_1` is set to the library (ex kernel32) and `$RESULT_2` to the name of the API (ex ExitProcess). Example: ``` gn 401000 ``` `GO addr` ------------------------------- Execute to specified address (like G in SoftIce) Example: ``` go 401005 ``` `GOPI addr, index, info` ------------------------------- Get information about operands of asm command `index` is between 1 and 3 `info` can be : - TYPE Type of operand (extended set DEC_xxx, see OllyDbg Plugin API) - SIZE Size of operand, bytes - GOOD Whether address and data valid - ADDR Address if memory, index if register - DATA Actual value (only integer operands) Example: ``` GOPI eip, 1, SIZE ``` Okay some more infomation about `TYPE` (from plugin.h): ``` DEC_TYPEMASK 0x1F // Type of memory byte DEC_UNKNOWN 0x00 // Unknown type DEC_BYTE 0x01 // Accessed as byte DEC_WORD 0x02 // Accessed as short DEC_NEXTDATA 0x03 // Subsequent byte of data DEC_DWORD 0x04 // Accessed as long DEC_FLOAT4 0x05 // Accessed as float DEC_FWORD 0x06 // Accessed as descriptor/long pointer DEC_FLOAT8 0x07 // Accessed as double DEC_QWORD 0x08 // Accessed as 8-byte integer DEC_FLOAT10 0x09 // Accessed as long double DEC_TBYTE 0x0A // Accessed as 10-byte integer DEC_STRING 0x0B // Zero-terminated ASCII string DEC_UNICODE 0x0C // Zero-terminated UNICODE string DEC_3DNOW 0x0D // Accessed as 3Dnow operand DEC_SSE 0x0E // Accessed as SSE operand DEC_TEXT 0x10 // For use in t_result only DEC_BYTESW 0x11 // Accessed as byte index to switch DEC_NEXTCODE 0x13 // Subsequent byte of command DEC_COMMAND 0x1D // First byte of command DEC_JMPDEST 0x1E // Jump destination DEC_CALLDEST 0x1F // Call (and maybe jump) destination DEC_PROCMASK 0x60 // Procedure analysis DEC_PROC 0x20 // Start of procedure DEC_PBODY 0x40 // Body of procedure DEC_PEND 0x60 // End of procedure DEC_CHECKED 0x80 // Byte was analysed DEC_SIGNED 0x100 // For use in t_result only ``` `GPA proc, lib, [0,1]` ------------------------------- Get the address of the specified procedure in the specified library. When found sets the reserved `$RESULT` variable. `$RESULT == 0` if nothing found. Useful for setting breakpoints on APIs. Set third param to 1 if you want to keep library in memory Example: ``` gpa "MessageBoxA", "user32.dll" // After this `$RESULT` is the address of MessageBoxA and // you can do "bp `$RESULT`". ``` `GOTO label` ------------------------------- Alias for JMP `GPP proc, lib, [0,1] ` ------------------------------- Calls GPA and tries to find API parameters count and types of the API. `$RESULT` = ref->addr `$RESULT_1` = disasm.result //command text `$RESULT_2` = disasm.comment `GPI key` ------------------------------- Get process information, one of : ``` HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE, PROCESSNAME, EXEFILENAME, CURRENTDIR, SYSTEMDIR ``` `GREF [line]` ------------------------------- Get Address from Reference Window at Line. First line is 1 because 0 is CPU Initial EIP. Without parameter, GREF results the Reference Window number of entries. Example: ``` FINDCMD "push eax" GREF 1 msg $RESULT GREF 2 msg $RESULT ``` `GRO addr` ------------------------------- Get Relative Offset When found sets the reserved `$RESULT` variable. `$RESULT == 0` if nothing found. `GSL [where]` ------------------------------- Get Selection Limits returns START/END addresses and SIZE from currently selected line(s) in CPUASM | CPUDUMP | CPUSTACK window in `$RESULT`, `$RESULT_1` & `$RESULT_2` arg can be either : CPUDASM, CPUDUMP, CPUSTACK. Default is CPUDASM Example: ``` gsl CPUDUMP ``` `GSTR addr, [arg1]` ------------------------------- Get String returns a null terminated string from addr, the string is at least arg1 characters returns in - `$RESULT` : the string - `$RESULT_1` : len of string Example: ``` gstr 401000 ; arg1 in this case is set to default (2 chars) gstr 401000, 20 ; must be at least 20 chars ``` `GSTRW addr, [arg1]` ------------------------------- Get String returns a unicode string from addr, the string is at least arg1 characters returns in - `$RESULT` : the string (ascii) - `$RESULT_1` : len of string - `$RESULT_2` : unicode string Example: ``` gstrw 401000 ; arg1 in this case is set to default (2 chars) gstrw 401000, 20 ; must be at least 20 chars ``` `HANDLE x, y, class` ------------------------------- Returns the handle of child window of specified class at point x,y (remember: in hex values). `HISTORY (0,1)` ------------------------------- Enable or Disable Value history in Script Progress Window, could optimize loops Example: ``` history 0 //disable history 1 //enable ``` `IFA,IFAE,IFB,IFBE x, y, [z]` ------------------------------- Conditions similar to JA, JAE, JB, JBE See CMP for parameters Without parameter, IF commands use last CMP result Example: ``` IFB $VERSION, "1.82" MSG "This script requires ODBGScript version 1.82" RET ENDIF ``` `IFEQ x, y, [z]` ------------------------------- Simple condition if equals See CMP for parameters Without parameter, IF commands use last CMP result Example: ``` IFEQ val, 0 log "val = 0" ELSE log "val <> 0" ENDIF ``` `IFNEQ x, y, [z]` ------------------------------- Simple condition if not equals Without parameter, IF commands use last CMP result Example: ``` IFNEQ val, 0 log "val <> 0" ELSE log "val = 0" ENDIF ``` `INC var` ------------------------------- Adds 1 to variable Example: ``` inc v ``` `INIR key, def` ------------------------------- Read ODBGScript Key value in ollydbg.ini def(ault) value determines type (wstring or dword) Example : ``` inir "key", "" inir "key", 0 ``` `INIW key, val` ------------------------------- Write ODBGScript Key value in ollydbg.ini val can be a string or a dword Example : ``` iniw "key", "x" iniw "key", 10. ``` `ITOA n [, base=16.]` ------------------------------- Convert an integer to string Returns the string in the reserved `$RESULT` variable Example: ``` _itow F _itow 10., 10. ``` `JA label (JG)` ------------------------------- Use this after CMP. Works like its asm counterpart. Example: ``` ja SOME_LABEL ``` `JAE label (JGE)` ------------------------------- Use this after CMP. Works like its asm counterpart. Example: ``` jae SOME_LABEL ``` `JB label` ------------------------------- Use this after CMP. Works like its asm counterpart. Example: ``` jb SOME_LABEL ``` `JBE label` ------------------------------- Use this after CMP. Works like its asm counterpart. Example: ``` jbe SOME_LABEL ``` `JE label (JZ)` ------------------------------- Use this after CMP. Works like its asm counterpart. Example: ``` je SOME_LABEL ``` `JMP label` ------------------------------- Unconditionally jump to a label. label can be a string variable. Example: ``` jmp SOME_LABEL ``` `JNE label (JNZ)` ------------------------------- Use this after CMP. Works like its asm counterpart. Example: ``` jne SOME_LABEL ``` `KEY vkcode [, shift [, ctrl]]` ------------------------------- Emulate global keyboard shortcut. Example: ``` key 20 key 20, 1 //Shift+space key 20, 0, 1 //Ctrl+space ``` `LBL addr, text` ------------------------------- Insert a label at the specified address Example: ``` lbl eip, "NiceJump" ``` `LC` ------------------------------- Clear Main Log Window `LCLR` ------------------------------- Clear Script Log Window `LEN str` ------------------------------- Get length of a string Example: ``` len "NiceJump" msg $RESULT ``` `LM addr, size, filename` ------------------------------- Load dump file into memory LM is the opposite of the DM command Example: ``` ;whole file lm 401000, 0, "test.bin" ;first 0x100 bytes lm 401000, 100, "test.bin" ``` `LOADLIB dllname` ------------------------------- Load a dll into debugged program memory Could be useful to set breakpoints on dynamically loaded library Returns address of loaded library Example: ``` pusha loadlib "user32.dll" popa ``` `LOG src [,prefix]` ------------------------------- Log `src` to OllyDbg log window. If `src` is a constant string the string is logged as it is. If `src` is a variable or register its logged with its name. You can replace default prefix with the optional second parameter. Example: ``` log "Hello world" // The string "Hello world" is logged var x mov x, 10 log x // The string "x: 00000010" is logged. log x, "" // The string "00000010" is logged. ``` `LOGBUF var [,linecount [,separator]]` ------------------------------- Logs a string or buffer like a memory dump, useful for long data `MOV dest, src [,size]` ------------------------------- Move src to dest. Src can be a long hex string in the format `#<some hex numbers>#`, for example `#1234#`. Remember that the number of digits in the hex string must be even, i.e. `2, 4, 6, 8` etc. Example: ``` mov x, 0F mov y, "Hello world" mov eax, ecx mov [ecx], #00DEAD00BEEF00# mov !CF, 1 // set `flags` register mov !DF, !PF mov [403000], "Hello world" ``` `MEMCPY dest,src,size` ------------------------------- Copy app. memory from `src` address to `dst` address. This function is same as `mov [dst], [src], size` Example: ``` gma "OLE32",CODEBASE mov base, $RESULT gma "OLE32",CODESIZE mov size, $RESULT alloc size mov dst, $RESULT MEMCPY dst,base,size ... free dst ``` `MSG message` ------------------------------- Display a message box with specified message Example: ``` MSG "Script paused" ``` `MSGYN message` ------------------------------- Display a message box with specified message and YES and NO buttons. Sets the reserved `$RESULT` variable to `1` if `YES` is selected and `0` otherwise. Example: ``` MSGYN "Continue?" ``` `MUL op1, op2` ------------------------------- Sets op1 with `op1 * op2` Example: ``` mul op1, 10 ``` `NAMES addr` ------------------------------- Open names Window for module (Like Ctrl + N) addr is the module address `NEG op` ------------------------------- Assembly Operation "neg eax" `NOT op` ------------------------------- Assembly Operation "not eax" `OLLY info` ------------------------------- Get information about ollydbg `info` can be : - PID retrieve the Ollydbg Process ID - HWND the main Ollydbg HWND - THREAD the main Ollydbg Thread Handle - THREADID the main Ollydbg Thread ID - PATH fullpath of Ollydbg - EXE Ollydbg.EXE - INI Ollydbg.INI - DIR Ollydbg directory Example: ``` OLLY PID mov pid, `$RESULT` OLLY HWND mov hwnd, `$RESULT` ``` `OR dest, src` ------------------------------- ORs `src` and `dest` and stores result in `dest` Example: ``` or x, 0F or eax, x or [401000], 5 ``` `OPCODE addr` ------------------------------- `OPCODE` set the `$RESULT` variable to the opcode bytes, `$RESULT_1` variable to mnemonic opcode (i.e. `MOV ECX,EAX`) and `$RESULT_2` to the length of the opcode. If an invalid opcode appears, `$RESULT_2` should be 0. addr is increased by the length of the opcode (disassemble command). With this function you can step forward through code. Example: ``` opcode 00401000 ``` `OPENDUMP addr [,base,size]` ------------------------------- Create a new Dump Window with data at address. `$RESULT` is the HWND of the new window, for future use (backup purpose) `OPENTRACE` ------------------------------- Opens run trace window `PAUSE` ------------------------------- Pauses script execution. Script can be resumed from plugin menu. Example: ``` pause ``` `POP dw` ------------------------------- Retrieve dword from stack `POPA` ------------------------------- RESTORE all registers from plugin memory (saved with PUSHA) `PREOP addr` ------------------------------- Get asm command line address just before specified address. Attention: Will not give real executed command eip before the jump. Example: ``` preop eip ``` `PUSH dw` ------------------------------- Add dword to stack `PUSHA` ------------------------------- Save all register in plugin memory (to be restored by POPA) Stack is not used by this command `RBP [arg1]` ------------------------------- Restore Break Points arg1 = may be STRICT or nothing Restores all hardware and software breakpoints if arg1 == 'STRICT', all soft bp set by script will be deleted and only those have been set before it runs will be restored. If no argument set, previous soft bp will be appended to those set by script Return in: - `$RESULT` number of restored swbp - `$RESULT_1` number of restored hwbp Example: ``` rbp rbp STRICT ``` `READSTR str, len` ------------------------------- Copy len chars of str into `$RESULT` `REF addr, [LOCATION]` ------------------------------- `REF addr` works as "Find references to .. Selected command" and "Find references", `Ctrl R` in OllyDbg. Search `LOCATION` could be the `MEMORY` block (default), `CODE` of module, or whole `MODULE` `$RESULT` variable is set to the first reference addr `$RESULT_1` to the opcode (text asm command) `$RESULT_2` to the comment (like reference window). Repeat `REF addr` until `$RESULT=0` to get next refs `REF` value counter is reset when addr changes or forced with `addr = 0` Example: ``` REF 0 // RESET REF continue: REF eip,CODE log $RESULT log $RESULT_1 log $RESULT_2 cmp $RESULT,0 jne continue ``` `REFRESH` ------------------------------- To redraw memory map, module, and disasm windows (add in version 1.60) `RESET` ------------------------------- Reloads target (same as `Ctrl+F2` in ollydbg) `REPL addr, find, repl, len` ------------------------------- Replace `find` with `repl` starting at `addr` for `len` bytes. Wildcards are allowed Example: ``` repl eip, #6a00#, #6b00#, 10 repl eip, #??00#, #??01#, 10 repl 401000, #41#, #90#, 1F ``` `RET` ------------------------------- Exits script or return from CALL. Example: ``` ret ``` `REV what` ------------------------------- Reverse dword bytes. Example: ``` rev 01020304 //$RESULT = 04030201 ``` `ROL op, count` ------------------------------- Assembly Operation `rol eax, cl` save in the target (first) operand. `ROR op, count` ------------------------------- Assembly Operation `ror eax, cl` Example: ``` mov x, 00000010 ROR x, 8 ``` `RTR` ------------------------------- Executes "Run to return" in OllyDbg, `Ctrl+F9` operation. Example: ``` rtr ``` `RTU` ------------------------------- Executes "Run to user code" in OllyDbg, `Alt+F9` operation. Example: ``` rtu ``` `RUN` ------------------------------- Executes `F9` in OllyDbg, you can also use `ERUN` to ignore exceptions Example: ``` run ``` `SBP` ------------------------------- Store Break Points stores all hardware and software breakpoints, to be restored with `RBP` return in: - `$RESULT` number of stored swbp - `$RESULT_1` number of stored hwbp `SCMP dest, src [,size]` ------------------------------- Compares strings `dest` to `src`. Works like its asm counterpart. Example: ``` var sVar mov sVar, "Hello World" scmp sVar, "Hello", 5 je Okay log "Error." Okay: log "Ok." ``` `SCMPI dest, src [,size]` ------------------------------- Compares strings `dest` to `src` (case insentitive). Works like its asm counterpart. Example: ``` var sVar mov sVar, "HELLO WORLD" scmpi sVar, "Hell", 4 je Okay log "Error." Okay: log "Ok." ``` `SETOPTION` ------------------------------- Open the OllyDBG `Options Window`, to change debugging parameters. Script will continue on close. `SHL dest, src` ------------------------------- Shifts `dest` to the left `src` times and stores the result in `dest`. Example: ``` mov x, 00000010 shl x, 8 // x is now 00001000 ``` `SHR dest, src` ------------------------------- Shifts `dest` to the right `src` times and stores the result in `dest`. Example: ``` mov x, 00001000 shr x, 8 // x is now 00000010 ``` `STEP` ------------------------------- Execute `F8` in OllyDbg. Same as `STO` Example: ``` step ``` `STI` ------------------------------- Execute `F7` in OllyDbg. `STep` Into. Example: ``` sti ``` `STO` ------------------------------- Execute `F8` in OllyDbg. STep Over. Same as STEP Example: ``` sto ``` `STR var` ------------------------------- Converts variable to a String (buffer or dword) `SUB dest, src` ------------------------------- Reduce `src` from `dest`. Example: ``` sub x, 0F sub eax, x sub [401000], 5 ``` `TC` ------------------------------- Cancels run trace in OllyDbg Example: ``` tc ``` `TEST dest,src` ------------------------------- Performs a logical AND of the two operands updating the flags register without saving the result. (Modifies Flags: CF OF PF SF ZF (AF undefined)) `TI` ------------------------------- Executes "Trace into" in OllyDbg, `CTRL-F7` in OllyDbg. Example: ``` ti ``` `TICK [var [,reftime]]` ------------------------------- Set variable with script execution time (microsec) if reftime parameter is set, set `$RESULT` with time since reftime. if no parameter is set, function set `$RESULT` with execution time in text, in "<ssss mmm> ms" format var is declared automatically. Example: ``` tick time msg time //time since script startup tick time,time msg $RESULT //time since last TICK, DWORD value ``` `TICND cond` ------------------------------- Traces into calls until cond is true Example: ``` ticnd "eip > 40100A" // will stop when eip > 40100A ``` `TO` ------------------------------- Executes "Trace over" in OllyDbg Example: ``` to ``` `TOCND cond` ------------------------------- Traces over calls until cond is true Example: ``` tocnd "eip > 40100A" // will stop when eip > 40100A ``` `UNICODE enable` ------------------------------- Set Unicode Mode, not used for the moment Example: ``` UNICODE 1 ``` `VAR` ------------------------------- Declare a variable to be used in the script. Example: ``` var x ``` `XOR dest, src` ------------------------------- XORs src and dest and stores result in dest Example: ``` xor x, 0F xor eax, x xor [401000], 5 ``` `XCHG dest, src` ------------------------------- Exchanges contents of source and destination. `WRT file, data` ------------------------------- Write to file (replace existing one) the only accepted symbol is "\r\n" Numbers are wrote as strings... for the moment Example: ``` wrt "out.txt", "Data:\r\nOk\r\n" wrt sFile, ebx ``` `WRTA file, data [, separator]` ------------------------------- Append to file, default separator is "\r\n" Example: ``` wrt sFile, "hello world" wrta sFile, 0ABCD, "" wrta sFile, "Windows CR", "\r\n" ``` 3.2 Labels ------------------------------- Labels are defined bu using the label name followed by a colon. Example: ``` SOME_LABEL: ``` 3.3 Comments ------------------------------- Comments can be put anywhere and have to start with "`;`" or "`//`". Comment lines starting with "`;`" will be displayed in script window. Block comments between "`/*`" and "`*/`" 3.4 Menus ------------------------------- The main OllyScript menu consists of the following items: - `Run script...`: lets the user select a script file and starts it - `Abort`: aborts a running script - `Pause`: pauses a running script - `Resume`: resumes a paused script - `About`: shows information about this plugin 3.5 Script Window ------------------------------- The Script Window was introduced with ODbgScript, it enables you to debug and see progression of your script. You can set script breakpoints, debug the script, edit variables and also execute commands manually. 4. Integration with other plugins ------------------------------- You can call OllyScript from your plugin and make it execute a script. Use something like the source code below: ```c HMODULE hMod = GetModuleHandle("ODbgScript.dll"); if(hMod) // Check that the other plugin is present and loaded { // Get address of exported function int (*pFunc)(char*) = (int (*)(char*)) GetProcAddress(hMod, "ExecuteScript"); if(pFunc) // Check that the other plugin exports the correct function pFunc("myscript.txt"); // Execute exported function } ``` DebugScript dll entry is also available. You can also execute script commands via OllyDBG ODBG_plugincmd() and in Conditional Log Breakpoints. 5. Contact us ------------------------------- To contact us you can post your question in the forum or go on IRC and message Epsylon3 or SHaG on EFnet. You can also use Sourceforge.net Forums or Bug Trackers 6. License and source code ------------------------------- Soon I'm going to armadildo this plugin and charge an awful lot of money for it! :P Seriously, you are free to use this plugin and the source code however you see fit. However please name me in your documentation/about box and if the project you need my code for is on a larger scale please also notify me - I am curious. 7. Thanks! ------------------------------- I'd like to thank all the wonderful people who reported bugs, wrote scripts, came with improvement ideas etc. R@dier for the great dumping engine. shERis, nick_name, MetaCore, XanSama, arnix, hila123, bukkake, Human, hnhuqiong, SunBeam, LCF AT, Fungus, hnedka, Zool@nder for ideas and bug report on the new ODbgScript And of course Olly for this great debugger! **** 8. Command Quick Search --------------------------------------------- ``` ; execution ERUN // SHIFT-F9, Run with Ignore Exceptions.[unavailable] ESTEP // SHIFT-F8, Step Over ignoring Exceptions.[unavailable] ESTI // SHIFT-F7, Step Into ignoring Exceptions.[unavailable] GO addr // Execute to specified address (like G in SoftIce) RTR // Ctrl-F9, Executes "Run to return" in OllyDbg,. RTU // Alt-F9, Executes "Run to user code" in OllyDbg RUN // F9, you can also use ERUN to ignore exceptions STI // F7, STep Into. STO // F8, STep Over. Same as STEP STEP // F8, Same as STO. AI // CTRL-F7, Execute "Animate into" in OllyDbg // "Animate into" (自动步入), 相当于持续的 F7 操作 AO // CTRL-F8, Animate over TI // CTRL-F11, Trace into TO // CTRL-F12, Trace over TICND cond // Traces into calls until cond is true TOCND cond // Traces over calls until cond is true ; display ASK question // Display input box and lets user enter a response.[unavailable] MSG message // Display a message box with specified message MSGYN message // Display a message box with specified message and YES and NO buttons. ; log #LOG // Enable logging of executed commands. LC // Clear Main Log Window LCLR // Clear Script Log Window LOG src [,prefix] // Log src to OllyDbg log window. LOGBUF var [,linecount [,separator]] // Logs a string or buffer like a memory dump, useful for long data ; Breakpoint BPL addr, expr // logging breakpoint at address addr that logs expression expr. BP addr (ubp) // Set unconditional breakpoint at addr. BPCND addr, cond // Set breakpoint on address addr with condition cond. BPD callname // Remove breakpoint on dll call set by BPX BPGOTO addr, label // Automatic Jump at label on Breakpoint (Standard(INT3) and Hardware). BPHWC [addr] // Delete hardware breakpoint at a specified address. BPHWS addr, [mode] // Set hardware breakpoint. Mode can be 'r/w/x' BPX callname // Set breakpoint on every api calls found in current module. BPMC // Clear the memory breakpoint. BPRM addr, size // Set memory breakpoint on read. Size is size of memory in bytes. BPWM addr, size // Set memory breakpoint on write. Size is size of memory in bytes. GBPR #BETA# // Get last breakpoint reason, affects $RESULT with dword value GBPM #BETA# // Get last memory breakpoint address, affects $RESULT with dword value BC [addr] // Clear unconditional breakpoint at addr. BD [addr] // Disable breakpoint at addr. COB // Makes script continue execution after a breakpoint has occured (removes EOB) EOB label // Transfer execution to some label on next breakpoint. BPLCND addr, expr, cond // BPL if condition cond is true. RBP [arg1] // Restore Break Points SBP // Store Break Points DBH // Hides debugger against kernel32!IsDebuggerPresent() ; memory ALLOC size // Allocate new memory page, you can read/write and execute. DM addr, size, file // Dumps memory of specified size from specified address // to specified file (default path set from opened app.) DMA addr, size, file // Dumps memory of specified size from specified address // to specified file appending to that file if it exists LM addr, size, filename // Load dump file into memory DPE filename, ep // Dumps the executable to file with specified name. BACKUP addr [,base,size] // Like OPENDUMP, create a Dump Window with data at address. OPENDUMP addr [,base,size] // Create a new Dump Window with data at address. FILL addr, len, value // Fills len bytes of memory at addr with value FIND addr, what // Searches memory starting at addr for the specified value. FINDMEM what [, StartAddr] // Searches whole memory for the specified value. FREE addr [, size] // Free memory block allocated by ALLOC (or not). LOADLIB dllname // Load a dll into debugged program memory MEMCPY dest,src,size// Copy app. memory from src address to dst address. POPA // RESTORE all registers from plugin memory (saved with PUSHA) PUSHA // Save all register in plugin memory (to be restored by POPA) REFRESH // To redraw memory map, module, and disasm windows ; file #INC file // Include a script file in another script file ASM addr, command [,version] // Assemble a command at some address. ASMTXT addr, file // Assemble a text asm file at some address. WRT file, data // Write to file, the only accepted symbol is "\r\n" WRTA file, data [, separator] // Append to file, default separator is "\r\n" ; convert ATOI str [, base=16.] // Convert a string to integer BUF var // Converts string/dword variable to a Buffer ITOA n [, base=16.] // Convert an integer to string STR var // Converts variable to a String (buffer or dword) EVAL // Evaluates a string expression that contains variables. READSTR str, len // Copy len chars of str into $RESULT ; Get GMEMI addr, info // Get information about a memory block to which the specified address belongs. EXEC/ENDE // Executes instructions between EXEC and ENDE in the context of the target process. RESET // Reloads target (same as Ctrl+F2 in ollydbg) GCI addr, info // Get Command Information of asm instruction at "addr". GCMT addr // Get the comment, automatic comment or analyses comment at specified code address GMA name, info // Call GMI(GMI addr, info, Get Module Info), but parameter is short name of the module GFO addr // Get File Offset of address GLBL addr // Get Label at address GMEXP moduleaddr, info, [num]// Get Export Address and Names in a module. GMI addr, info // Get information about a module to which the specified address belongs. GMIMP moduleaddr, info, [num]// Get Import address and names in a module. GN addr // Get the symbolic name of specified address (ex the API it points to). GOPI addr, index, info// Get information about operands of asm command GPA proc, lib, [0,1]// Get the address of the specified procedure in the specified library. GPI key // Get process information, one of : GREF [line] // Get Address from Reference Window at Line. // First line is 1 because 0 is CPU Initial EIP. GRO addr // Get Relative Offset GSL [where] // Get Selection Limits GSTR addr, [arg1] // Get String returns a null terminated string from addr, the string is at least arg1 characters GSTRW addr, [arg1] // Get String returns a unicode string from addr, the string is at least arg1 characters LEN str // Get length of a string OLLY info // Get information about ollydbg PREOP addr // Get asm command line address just before specified address. GAPI addr #BETA# // Obtains the code place API call information. ; find BEGINSEARCH [start] {commands} ENDSEARCH // Create a Copy of Debugged App Memory, Find commands will use this data faster. DBS // Unhides debugger so kernel32!IsDebuggerPresent() will find it. FINDCALLS addr [,name]// Find all intermodular calls (dll calls) in the disasm area. FINDCMD addr, cmdstr// Search for asm command(s), you can search for series also with ";" separator. FINDCMDS // Same as FINDCMD. FINDOP addr, what [, maxsize]// Searches code starting at addr for an instruction that begins with the specified bytes. FINDOPREV addr, what// Searches code backwards starting at addr for an instruction that begins with the specified bytes. GPP proc, lib, [0,1]// Calls GPA and tries to find API parameters count and types of the API. REF addr, [LOCATION]// REF addr works as "Find references to .. Selected command" and "Find references", Ctrl R in OllyDbg. REPL addr, find, repl, len// Replace find with repl starting at addr for len bytes. ; ollydbg CLOSE window // Close an Ollydbg MDI window INIR key, def // Read ODBGScript Key value in ollydbg.ini INIW key, val // Write ODBGScript Key value in ollydbg.ini SETOPTION // Open the OllyDBG Options Window, to change debugging parameters. [unavailable] TC // Cancels run trace in OllyDbg HANDLE x, y, class // Returns the handle of child window of specified class at point x,y (remember: in hex values). HISTORY (0,1) // Enable or Disable Value history in Script Progress Window, could optimize loops NAMES addr // Open names Window for module (Like Ctrl + N) OPENTRACE // Opens run trace window UNICODE enable // Set Unicode Mode, not used for the moment CMT addr, text // Inserts a comment at the specified address AN addr // Analyze module which contains the address addr. ; script COE // Makes script continue execution after an exception has occured (removes EOE) CRET // Clear stack of calls, to terminate script in a function. PAUSE // Pauses script execution. Script can be resumed from plugin menu. RET // Exits script or return from CALL. TICK [var [,reftime]]// Set variable with script execution time (microsec) VAR // Declare a variable to be used in the script. KEY vkcode [, shift [, ctrl]] // Emulate global keyboard shortcut. ; cmpare CMP dest, src [,size] // Compares dest and src. Works like its ASM counterpart. JA label (JG) // Use this after CMP. Works like its asm counterpart. JAE label (JGE) // Use this after CMP. Works like its asm counterpart. JB label // Use this after CMP. Works like its asm counterpart. JBE label // Use this after CMP. Works like its asm counterpart. JE label (JZ) // Use this after CMP. Works like its asm counterpart. JNE label (JNZ) // Use this after CMP. Works like its asm counterpart. SCMP dest, src [,size]// Compares strings dest to src. Works like its asm counterpart. SCMPI dest, src [,size]// Compares strings dest to src (case insentitive). Works like its asm counterpart. # calculate INC var // Adds 1 to variable ADD dest, src // Adds src to dest and stores result in dest SUB dest, src // Reduce src from dest. DEC var // Subtracts 1 from variable MUL op1, op2 // Sets op1 with op1 * op2 DIV op1, op2 // Sets op1 with op1/op2 AND dest, src // AND's src and dest and stores result in dest OR dest, src // ORs src and dest and stores result in dest XOR dest, src // XORs src and dest and stores result in dest NEG op // Assembly Operation "neg eax" NOT op // Assembly Operation "not eax" TEST dest,src // logical AND two operands updating flags register without saving the result. ROL op, count // Assembly Operation rol eax, cl ROR op, count // Assembly Operation ror eax, cl SHL dest, src // Shifts dest to the left src times and stores the result in dest. SHR dest, src // Shifts dest to the right src times and stores the result in dest. # control CALL label // jumps to label and runs it. GOTO label // Alias for JMP. JMP label // Unconditionally jump to a label. label can be a string variable. LBL addr, text // Insert a label at the specified address EOE label // Transfer execution to some label on next exception. ELSE/ENDIF // See IFxx commands IFA,IFAE,IFB,IFBE x, y, [z] // Conditions similar to JA, JAE, JB, JBE IFEQ x, y, [z] // Simple condition if equals IFNEQ x, y, [z] // Simple condition if not equals MOV dest, src [,size]// Move src to dest. OPCODE addr // set $RESULT to opcode bytes, $RESULT_1 to mnemonic opcode (i.e. MOV ECX,EAX) POP dw // Retrieve dword from stack PUSH dw // Add dword to stack REV what // Reverse dword bytes. XCHG dest, src // Exchanges contents of source and destination. ```
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)