I had some free time to browse around just now and came across this thing. It was originally in English, so for everyone's convenience I'll make a humble attempt at it: a Chinese explanation of the OllyScript v0.81 commands. Since the author wants to track the download count, I won't upload v0.81 here; if you want it, go download it from the author's site, which also supports the author.
I'm only posting the full command list, not the whole document, otherwise it might look like spamming :)
The reason I'm writing this is that I found many useful commands have been added.
#INC file
---------
Includes a script file in another script file
Includes another file
Example:
#inc "anotherscript.txt"
#LOG
----
Enables logging of executed commands.
Logs executed commands
The commands will appear in OllyDbg log window, and will be prefixed with -->
Example:
#log
ADD dest, src
-------------
Adds src to dest and stores result in dest
Adds two numbers, same as in assembly
Example:
add x, 0F
add eax, x
add [401000], 5
AI
--
Executes "Animate into" in OllyDbg
Animate into, equivalent to Ctrl+F7
Example:
ai
AND dest, src
-------------
ANDs src and dest and stores result in dest
Same as in assembly
Example:
and x, 0F
and eax, x
and [401000], 5
ASM addr, command
-----------------
Assemble a command at some address
Assembles an instruction at addr
Example:
asm eip, "mov eax, ecx"
AO
--
Executes "Animate over" in OllyDbg
Animate over, equivalent to Ctrl+F8
Example:
ao
BC addr
-------
Clear unconditional breakpoint at addr.
Clears a breakpoint
Example:
bc 401000
bc x
bc eip
BP addr
--------
Set unconditional breakpoint at addr.
Sets a breakpoint
Example:
bp 401000
bp x
bp eip
BPCND addr, cond
----------------
Set breakpoint on address addr with condition cond.
Sets a conditional breakpoint
Example:
bpcnd 401000, "ECX==1"
BPHWC addr
----------
Delete hardware breakpoint at a specified address
Clears a hardware breakpoint
Example:
bphwc 401000
BPHWS addr, mode
----------------
Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute.
Sets a hardware breakpoint; the modes are read, write and execute.
Example:
bphws 401000, "x"
BPRM addr, size
---------------
Set memory breakpoint on read. Size is size of memory in bytes.
Sets a memory access (read) breakpoint
Example:
bprm 401000, FF
BPWM addr, size
---------------
Set memory breakpoint on write. Size is size of memory in bytes.
Sets a memory write breakpoint
Example:
bpwm 401000, FF
CMP dest, src
-------------
Compares dest to src. Works like its ASM counterpart.
Same as in assembly
Example:
cmp y, x
cmp eip, 401000
CMT addr, text
--------------
Inserts a comment at the specified address
Writes a comment
Example:
cmt eip, "This is the entry point"
DBH
---
Hides debugger
Hides the debugger
Example:
dbh
DBS
---
Unhides debugger
Cancels hiding
Example:
dbs
DM addr, size, file
-------------------
Dumps memory of specified size from specified address to specified file
Dumps memory data
Example:
dm 401000, 1F, "c:\dump.bin"
DPE filename, ep
----------------
Dumps the executable to file with specified name.
Dumps data to a file, equivalent to OllyDump's dump function; ep is the entry point (OEP) of the packed program
Entry point is set to ep.
Example:
dpe "c:\test.exe", eip
EOB label
---------
Transfer execution to some label on next breakpoint.
Jumps to the label when a breakpoint is hit
Example:
eob SOME_LABEL
EOE label
---------
Transfer execution to some label on next exception.
Jumps to the label when an exception occurs
Example:
eoe SOME_LABEL
ESTI
----
Executes SHIFT-F7 in OllyDbg.
Step into, passing exceptions to the program; equivalent to Shift+F7
Example:
esti
ESTO
----
Executes SHIFT-F9 in OllyDbg.
Run, passing exceptions to the program; equivalent to Shift+F9
Example:
esto
FILL addr, len, value
---------------------
Fills len bytes of memory at addr with value
Fills data directly starting at addr; the command form is: fill address, length, value
Example:
fill 401000, 10, 90 // NOP 10h bytes
FIND addr, what
---------------
Searches memory starting at addr for the specified value.
Pattern search; this makes things much easier, as you can now simply use find with E8???? and so on.
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
The search string can also use the wildcard "??" (see below).
Example:
find eip, #6A00E8# // find a PUSH 0 followed by some kind of call
find eip, #6A??E8# // find a PUSH of any byte value followed by some kind of call
FINDOP addr, what
-----------------
Searches code starting at addr for an instruction that begins with the specified bytes.
Searches for an instruction
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
The search string can also use the wildcard "??" (see below).
Example:
findop 401000, #61# // find next POPAD
findop 401000, #6A??# // find next PUSH of something
GPA proc, lib
-------------
Gets the address of the specified procedure in the specified library.
Gets the address of an API
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
Useful for setting breakpoints on APIs.
Example:
gpa "MessageBoxA", "user32.dll" // After this $RESULT is the address of MessageBoxA and you can do "bp $RESULT".
GO addr
-------
Executes to specified address (like G in SoftIce)
Runs to addr
Example:
go 401005
GMI addr, info
--------------
Gets information about a module to which the specified address belongs.
Gets module information, i.e. the code base and code size
"info" can be MODULEBASE, MODULESIZE, CODEBASE or CODESIZE (if you want other info in future versions, please tell me).
Sets the reserved $RESULT variable (0 if data not found).
Example:
GMI eip, CODEBASE // After this $RESULT is the address to the codebase of the module to which eip belongs
JA label
--------
Use this after cmp. Works like its asm counterpart.
Same as in assembly
Example:
ja SOME_LABEL
JAE label
---------
Use this after cmp. Works like its asm counterpart.
Same as in assembly
Example:
jae SOME_LABEL
JB label
--------
Use this after cmp. Works like its asm counterpart.
Same as in assembly
Example:
jb SOME_LABEL
JBE label
---------
Use this after cmp. Works like its asm counterpart.
Same as in assembly
Example:
jbe SOME_LABEL
JE label
--------
Use this after cmp. Works like its asm counterpart.
Same as in assembly
Example:
je SOME_LABEL
JMP label
---------
Unconditionally jump to a label.
Example:
jmp SOME_LABEL
JNE label
---------
Use this after cmp. Works like its asm counterpart.
Same as in assembly
Example:
jne SOME_LABEL
LBL addr, text
--------------
Inserts a label at the specified address
Inserts a label
Example:
lbl eip, "NiceJump"
LOG src
-------
Logs src to OllyDbg log window.
Logs information to the log window; different from #log
If src is a constant string the string is logged as it is.
If src is a variable or register its logged with its name.
Example:
log "Hello world" // The string "Hello world" is logged
var x
mov x, 10
log x // The string "x = 00000010" is logged.
MOV dest, src
-------------
Move src to dest.
Same as in assembly
Src can be a long hex string in the format #<some hex numbers>#, for example #1234#.
Remember that the number of digits in the hex string must be even, i.e. 2, 4, 6, 8 etc.
Example:
mov x, 0F
mov y, "Hello world"
mov eax, ecx
mov [ecx], #00DEAD00BEEF00#
mov !CF, 1
mov !DF, !PF
MSG message
-----------
Display a message box with specified message
Equivalent to MessageBox
Example:
MSG "Script paused"
MSGYN message
-------------
Display a message box with specified message and YES and NO buttons.
Similar to MSG, but this one offers a yes/no choice
Sets the reserved $RESULT variable to 1 if YES is selected and 0 otherwise.
Example:
MSGYN "Continue?"
OR dest, src
-------------
ORs src and dest and stores result in dest
Same as in assembly
Example:
or x, 0F
or eax, x
or [401000], 5
PAUSE
-----
Pauses script execution. Script can be resumed from plugin menu.
Pauses the script
Example:
pause
RET
---
Exits script.
Ends the script
Example:
ret
RTR
---
Executes "Run to return" in OllyDbg
Executes until return
Example:
rtr
RTU
---
Executes "Run to user code" in OllyDbg
Executes until user code is reached
Example:
rtu
RUN
---
Executes F9 in OllyDbg
Run, equivalent to F9
Example:
run
SHL dest, src
-------------
Shifts dest to the left src times and stores the result in dest.
Same as in assembly
Example:
mov x, 00000010
shl x, 8 // x is now 00001000
SHR dest, src
-------------
Shifts dest to the right src times and stores the result in dest.
Same as in assembly
Example:
mov x, 00001000
shr x, 8 // x is now 00000010
STI
---
Execute F7 in OllyDbg.
Equivalent to F7, step into
Example:
sti
STO
---
Execute F8 in OllyDbg.
Equivalent to F8, step over
Example:
sto
SUB dest, src
-------------
Subtracts src from dest and stores result in dest
Same as in assembly
Example:
sub x, 0F
sub eax, x
sub [401000], 5
TI
--
Executes "Trace into" in OllyDbg
Trace into; it is hard to explain here, so I'm just describing it by function.
Example:
ti
TO
--
Executes "Trace over" in OllyDbg
Trace over; it is hard to explain here, so I'm just describing it by function.
Example:
to
VAR
---
Declare a variable to be used in the script.
Declares a variable
Must be done before the variable is used.
Example:
var x
XOR dest, src
-------------
XORs src and dest and stores result in dest
Same as in assembly
Example:
xor x, 0F
xor eax, x
xor [401000], 5
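The following script is added here as an illustration and is not part of the OllyScript documentation or of this post; it combines FIND with the ?? wildcard, GPA, BP, EOB, the reserved $RESULT variable and labels into one breakpoint-driven flow. The PUSH imm8 / CALL pattern and user32!MessageBoxA are arbitrary choices for the example.

```ollyscript
// Added example, not from the OllyScript docs: locate the first
// PUSH imm8 / CALL pair after EIP, break there, then break on
// user32!MessageBoxA. Every address is taken from $RESULT at run time.
var target          // address of the matched PUSH/CALL pair
var api             // address of MessageBoxA

find eip, #6A??E8#  // 6A xx = PUSH imm8 (any value), E8 = CALL rel32
cmp $RESULT, 0
je NOPATTERN
mov target, $RESULT
cmt target, "PUSH/CALL pair found by script"
bp target
eob ATTARGET        // the next breakpoint hit continues at ATTARGET
run

ATTARGET:
bc target           // remove the software breakpoint again
log eip             // logged as "eip = 00xxxxxx"
gpa "MessageBoxA", "user32.dll"
cmp $RESULT, 0
je NOAPI
mov api, $RESULT
bp api
eob ATAPI
run

ATAPI:
bc api
log esp             // return address and arguments sit at [esp]
msgyn "Reached MessageBoxA. Keep running?"
cmp $RESULT, 1
jne DONE
run
ret

DONE:
msg "Script finished; target is paused at MessageBoxA"
ret

NOPATTERN:
msg "No PUSH imm8 / CALL pair found after EIP"
ret

NOAPI:
msg "MessageBoxA not found (is user32.dll loaded?)"
ret
```

bp writes an INT3 into the target bytes, so if the code around target is later overwritten (for example by unpacking code) use bphws target, "x" and bphwc target instead.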
Those who want to write plugins can take a look at this, although very few people here write plugins.
Integration with other plugins
---------------------------------
You can call OllyScript from your plugin and make it execute a script.
Use something like the source code below:
#include <windows.h>

// Ask OllyScript to run a script file; returns 0 if OllyScript.dll
// is not loaded or does not export ExecuteScript.
int RunOllyScript(char *script)
{
    HMODULE hMod = GetModuleHandle("OllyScript.dll");
    if(hMod) // Check that the other plugin is present and loaded
    {
        // Get address of exported function
        int (*pFunc)(char*) = (int (*)(char*)) GetProcAddress(hMod, "ExecuteScript");
        if(pFunc) // Check that the other plugin exports the correct function
            return pFunc(script); // Execute exported function, e.g. RunOllyScript("myscript.txt")
    }
    return 0;
}