Preface

While reading unpacking material today I saw people using OllyDbg (OD) scripts to do the work, so I practised it myself. An OD script imitates manual work: anything you can do by hand, such as F7, F8, setting breakpoints and go, an OD script can do too. OD scripting is quick to pick up; in one day you can write a script that does something useful. If you are not yet familiar with the OD script commands, debugging the script may take some time.

Notes

I did two OD script exercises:

* an addition calculator
* a script for tracing program flow, which may be of some use when looking at a crackme's registration algorithm and the turning points of its flow. It only targets one particular crackme; to trace another crackme, the EIP range and the function whitelist inside the script have to be changed.

I found two OD script command reference documents, one in English and one in Chinese.

Addition calculator
```
// @filename MyOllyScript_add_calc.txt
// @brief addition calculator
var Val1 // var => declare a variable
var Val2
var vSum
var vEip
LCLR // clear the script log window
bc * // clear all F2 breakpoints
GBPR // get the reason the breakpoint was hit
mov vEip, eip
eval "EIP = {vEip}, breakpoint hit reason sn: {$RESULT}"
log $RESULT // log => write to the log window
eval "OllyDbgScript {$VERSION}, make add : a + b = c" // eval => string formatting; Chinese is not supported
log $RESULT
msg $RESULT // msg => message box
ask "please input a" // ask => prompt for input, with an input box
mov Val1, $RESULT
eval "a = {Val1}"
log $RESULT
ask "please input b"
mov Val2, $RESULT // mov => assignment
eval "b = {Val2}"
log $RESULT
mov vSum, Val1
add vSum, Val2 // add => addition
eval "{Val1} + {Val2} = {vSum}"
log $RESULT
msg $RESULT
ret // end of script
```

Flow-tracing script
```
// @filename MyOllyScript_log_trace.txt
// @brief trace the main module's flow: only trace code whose EIP lies in the main module, never code in system modules
// this is the same as pressing F7/F8 when debugging by hand: F7 into calls inside the main module, F8 over calls to system APIs
// it could be tidied further to trace only non-jmp code; once that is done it can cope with junk jumps
// @note run this script at the EP; it only targets the test program. To make it faster, go to the address of interest (e.g. the serial-check flow) before tracing; pure F7/F8 from the very beginning is far too slow.
// a whitelist can also be added to skip functions in the main module that are no longer of interest; that is easy to do.
// tested: the trace is only fast when functions whose purpose is already known are skipped. A brute-force trace is unacceptably slow.
// the test program is a command-line program that only prints 3 lines. After whitelisting the known functions it is much faster and the time is acceptable: the trace finishes in 1 minute.
// once the range to trace has been decided and some functions are already understood (and whitelisted), tracing with the OD script plugin works quite well
// to cope with junk jumps, not tracing JMP instructions in the trace script would do it.
var vDebugCodeLineCntCur // current value of the logged-line counter
var vDebugCodeLineMax // maximum value of the logged-line counter
var vEP // entry point
var vEIP // EIP
var vDisasmCmd // disassembled instruction
var vOpcodeSize // length in bytes of the disassembled instruction
var vNextCodeAddr // address of the next instruction: 0 means simply the following instruction; otherwise compare it against the API addresses in DLLs
var vRegValue // value of a register, e.g. ebp for "call ebp"
var vAddrTraceBegin // trace start address
var vAddrTraceEnd // trace end address
var vTmp // temporary variable
BEGIN:
 LCLR // clear the script log window
 bc * // clear all F2 breakpoints
 BPHWCALL // clear all hardware breakpoints
 eval ">> trace begin ..."
 log $RESULT
 mov vDebugCodeLineCntCur, 0
 mov vDebugCodeLineMax, 30
 an eip // analyse the address first, so that OD does not pop up a breakpoint warning (breakpoint may be in data) during F7/F8
 GMI eip, ENTRY // get the EP
 mov vEP, $RESULT
 eval "EP = {vEP}"
 log $RESULT
 cmp vEP, eip
 je BEGIN1
 eval "the script need run from EP({vEP}), but EIP = ({eip})"
 log $RESULT
 jmp L_LOG_END
BEGIN1:
 GMI eip, CODEBASE // get the main module's code range
 mov vAddrTraceBegin, $RESULT
 mov vAddrTraceEnd, vAddrTraceBegin
 eval "CODEBASE = {vAddrTraceBegin}" // script variables are interpolated as {name}; $-prefixed names are reserved variables
 log $RESULT
 GMI eip, CODESIZE
 add vAddrTraceEnd, $RESULT
 eval "Code Range [{vAddrTraceBegin}, {vAddrTraceEnd}]"
 log $RESULT
L_DO:
 mov vEIP, eip
/**
 cmp vEIP, 00402621
 jne L_DO0_1
 go 0040262F // executed blocking
 jmp L_DO
*/
L_DO0_1:
 GCI eip, COMMAND // get the assembly instruction at the current EIP, e.g. "call ebp"
 mov vDisasmCmd, $RESULT
 eval "{vEIP} {vDisasmCmd}" // print the current disassembled instruction
 log $RESULT
 GCI eip, SIZE // byte count of the current instruction, e.g. 2 for "ffd5 call ebp"
 mov vOpcodeSize, $RESULT
 // GCI eip, TYPE // returns 0x70, which only says it is a call type; not much use
 GCI eip, DESTINATION // find out whether it is a branch instruction
 mov vNextCodeAddr, $RESULT
L_DO1:
 cmp vNextCodeAddr, 0
 je L_MAYBE_IS_MY_CODE_PRE
L_DO2:
 cmp vNextCodeAddr, vAddrTraceBegin // next address outside the main module range: do not trace it
 jb L_IS_NOT_MY_CODE
 cmp vNextCodeAddr, vAddrTraceEnd
 ja L_IS_NOT_MY_CODE
 // from here on it is code of the main module
 // skip some function calls unrelated to the program's business logic; tracing them is too slow
 // cmp vDisasmCmd, "call 004025B3" does not work; only addresses can be compared (as below)
 // pass some code that runs before main
 // pass 00402A05
 cmp vNextCodeAddr, 00402A05
 je L_PASS_WHITE_NAME_LIST
 // pass 0040125B
 cmp vNextCodeAddr, 0040125B
 je L_PASS_WHITE_NAME_LIST
 // pass 004026E5
 cmp vNextCodeAddr, 004026E5
 je L_PASS_WHITE_NAME_LIST
 // pass 004025B3
 cmp vNextCodeAddr, 004025B3 // hex number; a trailing h is not allowed
 je L_PASS_WHITE_NAME_LIST
 // pass 00402366
 cmp vNextCodeAddr, 00402366
 je L_PASS_WHITE_NAME_LIST
 // skip call 004022AD
 cmp vNextCodeAddr, 004022AD
 je L_PASS_WHITE_NAME_LIST
 // pass 004013E2
 cmp vNextCodeAddr, 004013E2
 je L_PASS_WHITE_NAME_LIST
 // skip call 00403EF7
 cmp vNextCodeAddr, 00403EF7
 je L_PASS_WHITE_NAME_LIST
 // pass call 00403B33
 cmp vNextCodeAddr, 00403B33
 je L_PASS_WHITE_NAME_LIST
 // pass 00402F80
 cmp vNextCodeAddr, 00402F80
 je L_PASS_WHITE_NAME_LIST
 // pass 00401126
 cmp vNextCodeAddr, 00401126
 je L_PASS_WHITE_NAME_LIST
 // pass 00401060
 cmp vNextCodeAddr, 00401060
 je L_PASS_WHITE_NAME_LIST
 // pass 00401090
 cmp vNextCodeAddr, 00401090
 je L_PASS_WHITE_NAME_LIST
 jmp L_IS_MY_CODE
L_PASS_WHITE_NAME_LIST:
 jmp L_IS_NOT_MY_CODE
L_MAYBE_IS_MY_CODE_PRE:
 // for "call reg", vNextCodeAddr is also 0
 // so next check whether it is a 2-byte instruction
 cmp vOpcodeSize, 2
 jne L_IS_NOT_MY_CODE
 // for a 2-byte instruction, decide whether it is "call register"
 // only if it is not "call register" may we F7
 // no effective way was found in the OllyDbgScript command set to decide, e.g.
 // * whether it is "call register"
 // * if it is "call register", how to get the register's value quickly
 // for now the only option is if-else, comparing against each "call register" one by one
 cmp vDisasmCmd, "call eax"
 jne L_MAYBE_IS_MY_CODE_PRE1
 mov vRegValue, eax
 jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE1:
 cmp vDisasmCmd, "call ebx"
 jne L_MAYBE_IS_MY_CODE_PRE2
 mov vRegValue, ebx
 jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE2:
 cmp vDisasmCmd, "call ecx"
 jne L_MAYBE_IS_MY_CODE_PRE3
 mov vRegValue, ecx
 jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE3:
 cmp vDisasmCmd, "call edx"
 jne L_MAYBE_IS_MY_CODE_PRE4
 mov vRegValue, edx
 jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE4:
 cmp vDisasmCmd, "call esi"
 jne L_MAYBE_IS_MY_CODE_PRE5
 mov vRegValue, esi
 jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE5:
 cmp vDisasmCmd, "call edi"
 jne L_MAYBE_IS_MY_CODE_PRE6
 mov vRegValue, edi
 jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE6:
 cmp vDisasmCmd, "call ebp"
 jne L_IS_MY_CODE
 mov vRegValue, ebp
 jmp L_MAYBE_IS_MY_CODE_PRE_END
L_MAYBE_IS_MY_CODE_PRE_END:
 jmp L_IS_NOT_MY_CODE
L_IS_MY_CODE:
 // the next address is inside the main module range: F7
 sti // F7
 jmp L_WHILE
L_IS_NOT_MY_CODE:
 // the next address is not inside the main module range: F8
 sto // F8
 jmp L_WHILE
L_WHILE:
/**
 inc vDebugCodeLineCntCur
 cmp vDebugCodeLineMax, vDebugCodeLineCntCur
 je L_LOG_END
*/
 jmp L_DO
L_LOG_END:
 eval "<< trace end :)"
 log $RESULT
 ret // end of script
```

OD script command references found
OD script commands - Chinese version

3.1.1 Reserved variables

$RESULT <RESULT>
Holds the return value of some functions, such as FIND.

$VERSION <VERSION>
Holds the OllyScript version information.
Example:
  cmp $VERSION, "0.8" // is the version above 0.8?
  ja version_above_08

3.1.2 Commands

#INC "filename" <INClude>
Includes the contents of one script file in another script file.
Example: #inc "anotherscript.txt"

#LOG <LOG>
Starts logging executed commands. The commands are shown in OllyDbg's log window, each prefixed with "-->".
Example: #log

ADD dest, src <ADD>
Adds src to dest and stores the result in dest.
Example:
  add x, 0F
  add eax, x
  add [401000], 5
  add y, " times" // if y was "1000" before this, y is "1000 times" afterwards

AI <Animate Into>
Performs "Animate into" in OllyDbg.
Example: ai

AN addr <ANalyze>
Analyses the code starting at the given address.
Example: an eip // same as pressing Ctrl+A in OllyDbg

AND dest, src <AND>
Logical AND of src and dest, result stored in dest.
Example:
  and x, 0F
  and eax, x
  and [401000], 5

ASK question <ASK>
Shows an input box for the user, and stores the result in the reserved variable $RESULT ($RESULT = 0 if the user pressed Cancel).
Example:
  ask "Enter new EIP"
  cmp $RESULT, 0
  je cancel_pressed
  mov eip, $RESULT

ASM addr, command <ASseMble>
Replaces the instruction at the given address and stores the length of the assembled instruction in the reserved variable $RESULT.
Example: asm eip, "mov eax, ecx" // replace the current instruction with mov eax,ecx

AO <Animate Over>
Performs "Animate over" in OllyDbg.
Example: ao

BC addr <BreakPoint Clear>
Clears the breakpoint at the given address.
Example:
  bc 401000
  bc x
  bc eip

BP addr <BreakPoint>
Sets a breakpoint at the given address.
Example:
  bp 401000
  bp x
  bp eip

BPCND addr, cond <BreakPoint on CoNDition>
Sets a conditional breakpoint at the given address.
Example: bpcnd 401000, "ECX==1" // pause when execution reaches 401000 and ecx equals 1

BPL addr, expr <BreakPoint of Logging>
Sets a logging breakpoint at the given address that records the result of expr in the log window.
Example: bpl 401000, "eax" // every time 401000 is executed, log the eax register

BPLCND addr, expr, cond <BreakPoint of Logging on CoNDition>
Sets a logging breakpoint at the given address that records the result of expr in the log window when cond is true.
Example: bplcnd 401000, "eax", "eax > 1" // when 401000 is executed and eax > 1, log the eax register

BPMC <BreakPoint Memory Clear>
Clears the memory breakpoint.
Example: bpmc

BPHWC addr <BreakPoint HardWare Clear>
Removes the hardware breakpoint at the given address.
Example: bphwc 401000 // clear the breakpoint at 401000

BPHWS addr, mode <BreakPoint HardWare Set>
Sets a hardware breakpoint at the given address. There are three modes: "r" - read, "w" - write or "x" - execute.
Example: bphws 401000, "x" // break when this address is executed

BPRM addr, size <BreakPoint on Read Memory>
Sets a memory-read breakpoint at the given address; "size" is the size of the memory in bytes.
Example: bprm 401000, FF // one byte

BPWM addr, size <BreakPoint on Write Memory>
Sets a memory-write breakpoint at the given address; "size" is the size of the memory in bytes.
Example: bpwm 401000, FF

CMP dest, src <CoMPare>
Compares dest with src; works like the corresponding assembly instruction.
Example:
  cmp y, x
  cmp eip, 401000

CMT addr, string <CoMmenT>
Adds a comment at the given address.
Example: cmt eip, "這是入口" // add the comment "this is the entry" at the current address

COB <Continue On Breakpoint>
Lets the script continue executing after a breakpoint (removes the EOB directive).
Example: COB

COE <Continue On Exception>
Lets the script continue executing after an exception (removes the EOE directive).
Example: COE

DBH <DeBugger Hide>
Hides the debugger.
Example: dbh

DBS <DeBugger Show>
Undoes the debugger hiding.
Example: dbs

DEC var <DECrement by 1>
Decrements the variable by one.
Example: dec v

DM addr, size, filename <Dump Memory>
Dumps the given number of bytes of memory starting at addr to the given file.
Example: dm 401000, 1F, "c:/dump.bin"

DMA addr, size, filename <Dump Memory Appended>
Dumps the given number of bytes of memory starting at addr to the given file; if the file already exists, the data is appended to it.
Example: dma 401000, 1F, "c:/dump.bin"

DPE filename, ep <Dump Process with Entry point>
Dumps the executable module to the given file; ep sets the entry point.
Example: dpe "c:/test.exe", eip // entry point is the current address; saved as test.exe on drive C

EOB label <Execution On Breakpoint>
Jumps to the given label when the next breakpoint occurs.
Example: eob SOME_LABEL

EOE label <Execution On Exception>
Jumps to the given label when the next exception occurs.
Example: eoe SOME_LABEL

ESTI <Exception STep Into>
Same as pressing Shift-F7 in OllyDbg.
Example: esti

ESTO <Exception STep cOntinue>
Same as pressing Shift-F9 in OllyDbg.
Example: esto

EVAL <EVALuate>
Evaluates an expression containing variables. The variables must already be declared in the script, and are enclosed in braces {} where they are inserted into the string. The result is stored in the reserved variable $RESULT.
Example:
  var x
  mov x, 1000
  eval "x的值是 {x}" // afterwards $RESULT is "x的值是 00001000"

EXEC/ENDE <EXECute/END of Execute>
Executes the instructions between EXEC and ENDE in the debugged process. Names in braces are replaced by the values of those variables.
Example:
  // the following does a move
  var x
  var y
  mov x, "eax"
  mov y, "0DEADBEEF"
  exec
  mov {x}, {y} // mov eax, 0DEADBEEF will be executed
  mov ecx, {x} // mov ecx, eax will be executed
  ende
  // the following calls the debuggee's ExitProcess
  exec
  push 0
  call ExitProcess
  ende
  ret

FILL addr, len, value <FILL>
Fills len bytes of memory starting at addr with value.
Example: fill 401000, 10, 90 // 10h bytes of NOP

FIND addr, what <FIND>
Searches memory starting at addr for the given bytes. On success the address is stored in $RESULT, otherwise $RESULT is 0. The search string supports the wildcard "??" (see the examples).
Example:
  find eip, #6A00E8# // find a call whose first argument is 0 (push 0)
  find eip, #6A??E8# // find a call with an argument

FINDOP addr, what <FIND OPcode>
Searches from addr for an instruction that begins with the given bytes. On success the address is stored in $RESULT, otherwise $RESULT is 0. The search string supports the wildcard "??" (see the examples).
Example:
  findop 401000, #61# // find next POPAD
  findop 401000, #6A??# // find next PUSH of something

Translator's note: the difference between FIND and FINDOP:
  address    bytes     instruction
  00401007   B8 3300   MOV EAX, 33
  0040100C   33F6      XOR ESI, ESI
  find 401007, #33#   // $RESULT is 401008
  findop 401007, #33# // $RESULT is 40100C

GN addr <Get Name>
Gets the symbolic name of the given address (e.g. the API function it points to). The name is stored in $RESULT. If the name is an API function, $RESULT_1 holds the library name (e.g. kernel32) and $RESULT_2 holds the symbol name (e.g. ExitProcess).
Example: gn 401000

GPA procname, dllname <Get Procedure Address>
Gets the address of the given function in the given DLL. On success the address is stored in $RESULT, otherwise $RESULT is 0. Very useful for setting breakpoints on API functions.
Example: gpa "MessageBoxA", "user32.dll" // afterwards $RESULT is the address of MessageBoxA, and "bp $RESULT" sets a breakpoint on it

GO addr <GO>
Executes up to the given address (like the G command in SoftICE).
Example: go 401005

GMI addr, info <Get Module Info>
Gets information about the module containing the given address. "info" can be the module base [MODULEBASE], module size [MODULESIZE], code section base [CODEBASE] or code section size [CODESIZE] (contact me if you want more information in future versions). The information is stored in $RESULT ($RESULT is 0 if nothing is found).
Example: GMI eip, CODEBASE // afterwards $RESULT is the code section base of the current module

INC var <INCrement by 1>
Increments the variable by one.
Example: inc v

JA label <Jump if Above>
Use after cmp; works like the corresponding assembly instruction.
Example: ja SOME_LABEL

JAE label <Jump if Above or Equal>
Use after cmp; works like the corresponding assembly instruction.
Example: jae SOME_LABEL

JB label <Jump if Below>
Use after cmp; works like the corresponding assembly instruction.
Example: jb SOME_LABEL

JBE label <Jump if Below or Equal>
Use after cmp; works like the corresponding assembly instruction.
Example: jbe SOME_LABEL

JE label <Jump if Equal>
Use after cmp; works like the corresponding assembly instruction.
Example: je SOME_LABEL

JMP label <JuMP>
Jumps to the given label.
Example: jmp SOME_LABEL

JNE label <Jump if Not Equal>
Use after cmp; works like the corresponding assembly instruction.
Example: jne SOME_LABEL

LBL addr, string <LaBel Insert>
Inserts a label at the given address.
Example: lbl eip, "NiceJump"

LOG src <log>
Writes src to OllyDbg's log window. If src is a string constant it is logged as-is; if src is a variable or register, its name and value are logged.
Example:
  log "Hello world" // logged as "Hello world"
  var x
  mov x, 10
  log x // logged as "x = 00000010"

MOV dest, src <MOVe>
Moves src into dest. src can be a hex byte sequence in the form #sequence#, e.g. #1234#. Note: the hex sequence must have an even number of digits, i.e. 2, 4, 6, 8, etc.
Example:
  mov x, 0F
  mov y, "Hello world"
  mov eax, ecx
  mov [ecx], #00DEAD00BEEF00#
  mov !CF, 1
  mov !DF, !PF
  mov [403000], "Hello world"

MSG message <MeSsaGe>
Shows the given message in a dialog box.
Example: MSG "腳本暫停" // "script paused"

MSGYN message <MeSsaGe Yes or No>
Shows the given message in a dialog box with Yes and No buttons. If Yes is clicked, $RESULT is 1, otherwise $RESULT is 0.
Example: MSGYN "繼續?" // "continue?"

OR dest, src <OR>
Logical OR of src and dest, result stored in dest.
Example:
  or x, 0F
  or eax, x
  or [401000], 5

PAUSE <PAUSE>
Pauses script execution. The script can be resumed from the plugin menu.
Example: pause

REPL addr, find, repl, len <REPLace>
Starting at addr, within len bytes, replaces the "find" bytes with the "repl" bytes. Wildcards are allowed.
Example:
  repl eip, #6a00#, #6b00#, 10
  repl eip, #??00#, #??01#, 10
  repl 401000, #41#, #90#, 1F

RET <RETurn>
Exits the script.
Example: ret

RTR <Run To Return>
Same as "Run to return" [Ctrl+F9] in OllyDbg.
Example: rtr

RTU <Run To User code>
Same as "Run to user code" [Alt+F9] in OllyDbg.
Example: rtu

RUN <RUN>
Same as pressing F9 in OllyDbg.
Example: run

SHL dest, n <SHift Left>
Shifts dest left by n bits and stores the result in dest.
Example:
  mov x, 00000010
  shl x, 8 // x is now 00001000

SHR dest, n <SHift Right>
Shifts dest right by n bits and stores the result in dest.
Example:
  mov x, 00001000
  shr x, 8 // x is now 00000010

STI <STep Into>
Same as pressing F7 in OllyDbg: step into.
Example: sti

STO <STep Over>
Same as pressing F8 in OllyDbg: step over.
Example: sto

SUB dest, src <SUBtract>
Subtracts src from dest and stores the result in dest.
Example:
  sub x, 0F
  sub eax, x
  sub [401000], 5

TI <Trace Into>
Same as "Trace into" in OllyDbg.
Example: ti

TICND cond <Trace Into Condition>
Performs "Trace into" until the condition becomes true.
Example: ticnd "eip > 40100A" // stop when eip > 40100A

TO <Trace Over>
Same as "Trace over" in OllyDbg.
Example: to

TOCND cond <Trace Over Condition>
Performs "Trace over" until the condition becomes true.
Example: tocnd "eip > 40100A" // stop when eip > 40100A

VAR <VARiable>
Declares a variable in the script. Variables must be declared before use.
Example: var x

XOR dest, src <XOR>
Logical XOR of src and dest, result stored in dest.
Example:
  xor x, 0F
  xor eax, x
  xor [401000], 5

3.2 Labels
A label is defined by writing the label name followed by a colon.
Example: SOME_LABEL:

3.3 Comments
"//" can be used anywhere for a comment. A block comment must start on its own line with "/*" and end with "*/", which must also be on its own line.
Example:
  /*
  your comment
  */

3.4 Menu
OllyScript's main menu contains the following items:
- Run script... : choose a script and run it.
- Abort: abort the running script.
- Pause: pause the running script.
- Resume: resume the script.
- About: show information about this plugin.

4. Embedding in other plugins
You can call OllyScript from your own plugin and run a script, using code like the following:

```
HMODULE hMod = GetModuleHandle("OllyScript.dll");
if(hMod) // check whether the plugin is loaded
{
    // get the address of the exported function
    int (*pFunc)(char*) = (int (*)(char*)) GetProcAddress(hMod, "ExecuteScript");
    if(pFunc) // check that the exported function was found
        pFunc("myscript.txt"); // call the exported function
}
```

OD script commands - English version
#INC,#LOG,$RESULT,$RESULT_1,$RESULT_2,$RESULT_3,$RESULT_4,$VERSION,ADD,AI,ALLOC,AN,AND,AO,JA,ASK,ASM,ASMTXT,ATOI,STR,BC,BD,BEGINSEARCH,BP,BPCND,BPD,BPGOTO,BPHWC,BPHWS,BPL,BPLCND,BPMC,BPRM,BPWM,BPX,BUF,CMT,CMP,COB,COE,DBH,DBS,DEC,DIV,MODULEBASE,DM,DMA,DPE,EOB,EOE,ERUN,ESTI,EVAL,EXEC,ENDE,FILL,FIND,FINDCALLS,FINDCMD,FINDCMDS,FINDOP,FINDMEM,FREE,GAPI,GBPM,GBPR,GCI,GCMT,GMA,GMEMI,GMI,GN,GO,GOPI,GPA,GPI,GREF,GRO,HANDLE,HISTORY,INC,ITOA,JAE,JB,JBE,JE,JMP,JNE,KEY,LBL,LC,LCLR,LEN,LM,LOG,LOGBUF,MOV,MEMCPY,MSG,MSGYN,MUL,NEG,NOT,OR,OPCODE,OPENDUMP,OPENTRACE,PAUSE,POP,PREOP,PUSH,READSTR,REF,REPL,RET,REV,ROL,ROR,RTR,RTU,RUN,SCMP,SCMPI,SETOPTION,SHL,SHR,STI,STO,SUB,TC,TEST,TI,TICK,TICND,TO,TOCND,UNICODE,VAR,XOR,XCHG,WRT,NAMES,GMIMP,CLOSE,GSTR,MODULESIZE,CODEBASE,CODESIZE,MEMBASE,MEMSIZE,ENTRY,NSECT,DATABASE,RELOCTABLE,RELOCSIZE,LOADLIB,PID,HWND,GMEXP,ESTEP,GFO,SBP,GSL,BACKUP,RESBASE,RESSIZE,IDATABASE,IDATATABLE,EDATATABLE,EDATASIZE,NAME,PATH,MEMORYOWNER,VERSION,MEMORYBASE,MEMORYSIZE,STEP,esto,RBP,GLBL,HPROCESS,PROCESSID,HMAINTHREAD,MAINTHREADID,MAINBASE,PROCESSNAME,EXEFILENAME,CURRENTDIR,SYSTEMDIR,BPHWCALL,WRTA,JZ,JNZ,JG,JGE,POPA,pusha,olly;;$RESULT: -------Return value for some functions like FIND etc.$RESULT_1 and $RESULT_2 are available for some commands.;;ADD: dest, src -------------Adds src to dest and stores result in destExample: add x, 0F add eax, x add [401000], 5 add y, " times" // If y was 1000 before this command then y is "1000 times" after it.;;ASK: question------------Displays an input box with the specified question and lets user enter a response.Sets the reserved $RESULT variable (0 if cancel button was pressed).You have also the length in $RESULT_1 (divised by 2 for hex entries).Example: ask "Enter new EIP" cmp $RESULT, 0 je cancel_pressed mov eip, $RESULT;;ASMTXT: addr, file-----------------Assemble a text asm file at some address.Example: asmtxt EIP, "myasm.txt";;$VERSION:--------Contains current version of OllyScript.Example: cmp $VERSION, "0.8" ja 
version_above_08;;#INC: file---------Includes a script file in another script file.Example: #inc "anotherscript.txt";;#LOG:----Enables logging of executed commands.The commands will appear in OllyDbg log window, and will be prefixed with -->Example: #log;;ADD: dest, src-------------Adds src to dest and stores result in destExample: add x, 0F add eax, x add [401000], 5 add y, " times" // If y was 1000 before this command then y is "1000 times" after it.;;AI:--Executes "Animate into" in OllyDbgExample: ai;;ALLOC: size----------Allocate new memory page, you can read/write and execute.Example: alloc 1000 free $RESULT, 1000;;AN: addr-------Analyze module which contains the address addr.Example: an eip // Same as pressing CTRL-A.;;AND: dest, src-------------ANDs src and dest and stores result in dest.Example: and x, 0F and eax, x and [401000], 5;;AO:--Executes "Animate over" in OllyDbgExample: ao;;ASM: addr, command [,version]----------------------------Assemble a command at some address. Change version number (0,1,...) to get alternative code bytes, if possible.Returns bytes assembled in the reserved $RESULT variable.Example: asm eip, "mov eax, ecx";;ASMTXT: addr, file-----------------Assemble a text asm file at some address.Example: asmtxt EIP, "myasm.txt";;ATOI: str [, base=16.]-----------------Converts a string to integer,Returns the integer in the reserved $RESULT variable.Example: atoi "F" atoi "10", 10.;;BACKUP: addr [,base,size]------------------------Like OPENDUMP, create a Dump Window with data at address.But this dump window keep a backup of data, which can be used to view changes$RESULT is the HWND of window, for future useNote: If you are looking to save data in a file, see the DM function (Dump Memory)Example: BACKUP esp STO STO;;BC: [addr]---------Clear unconditional breakpoint at addr.Without parameter, the command clears allloaded breakpoints. 
Example: bc 401000 bc x bc eip;;BD: [addr]---------Disables breakpoint at addr.Without parameter, the command disables all loadedbreakpoints. Example: bp 401000 BD 401000;;BEGINSEARCH: [start]-------------------Create a Copy of Debugged App Memory, Find commands will use this data faster.You need to use ENDSEARCH before writing to memory and to free this memory copy.Optimization time is 20% for 5000 loops... but could maybe be optimized.Example: mov count, 0 mov start, eip beginsearch start find #00#, start ........... endsearch;;BP: addr--------Set unconditional breakpoint at addr.Example: bp 401000 bp x bp eip;;BPCND: addr, cond----------------Set breakpoint on address addr with condition cond.Example: bpcnd 401000, "ECX==1";;BPD: callname------------Remove breakpoint on dll call set by BPX.;;BPGOTO: addr, label------------------Automatic Jump at label on Breakpoint (Standard(INT3) and Hardware).EOB Like Command.Example: bphws addr bpgoto addr, MyLabel;;BPHWC: [addr]------------Delete hardware breakpoint at a specified address.Without address, clear all hardwarebreakpoints.Example: bphwc 401000;;BPHWS: addr, [mode]------------------Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute (default).Example: bphws 401000, "x";;BPL: addr, expr--------------Sets logging breakpoint at address addr that logs expression expr.Example: bpl 401000, "eax" // logs the value of eax everytime this line is passed;;BPLCND: addr, expr, cond-----------------------Sets logging breakpoint at address addr that logs expression expr if condition cond is true.Example: bplcnd 401000, "eax", "eax > 1" // logs the value of eax everytime this line is passed and eax > 1;;BPMC:----Clear the memory breakpoint.Example: bpmc;;BPRM: addr, size---------------Set memory breakpoint on read. Size is size of memory in bytes.Example: bprm 401000, FF;;BPWM: addr, size---------------Set memory breakpoint on write. 
Size is size of memory in bytes.Example: bpwm 401000, FF;;BPX: callname------------Set breakpoint on dll call;;BUF: var-------Converts string/dWord variable to a Buffer.Example: mov s, "123" buf s log s // output "#313233#;;CLOSE: window------------Close an Ollydbg MDI window window parameter can be a constant or a HWND (like $RESULT of OPENDUMP/BACKUP). SCRIPT, SCRIPTLOG, LOG, CPU MODULES, MEMORY, THREADS, BREAKPOINTS REFERENCES, SOURCELIST, WATCHES WINDOWS, PATCHES, RUNTRACE, CALLSTACK TEXT, FILE, HANDLES, SEH, SOURCE;;CMP: dest, src [,size]---------------------Compares dest to src. Works like it's ASM counterpart.see SCMP to compare strings or memory data.Example: cmp y, x cmp eip, 401000;;CMT: addr, text--------------Inserts a comment at the specified address.Example: cmt eip, "This is the entry point".;;COB:---Makes script continue execution after a breakpoint has occured (removes EOB).Example: COB;;COE:---Makes script continue execution after an exception has occured (removes EOE).Example: COE;;DBH:---Hides debuggerExample: dbh;;DBS:---Unhides debuggerExample: dbs;;DEC: var-------Substracts 1 from variableExample: dec v;;DIV: op1, op2------------Sets op1 with op1/op2Example: div var, 2;;DM: addr, size, file-------------------Dumps memory of specified size from specified address to specified file(default path set from opened app.).Example: dm 401000, 1F, "c:/dump.bin".;;DMA: addr, size, file--------------------Dumps memory of specified size from specified address to specified file,appendingto that file if it existsExample: dma 401000, 1F, "c:/dump.bin".;;DPE: filename, ep----------------Dumps the executable to file with specified name.Entry point is set to ep.Example: dpe "c:/test.exe", eip;;EOB: label---------Transfer execution to some label on next breakpoint.Example: eob SOME_LABEL;;EOE: label---------Transfer execution to some label on next exception.Example: eob SOME_LABEL;;ERUN:----Executes SHIFT-F9 in OllyDbg. 
Run with Ignore Exceptions.Example: erun.;;ESTI:----Executes SHIFT-F7 in OllyDbg.Example: esti;;ESTEP:----Executes SHIFT-F8 in OllyDbg. Step Over ignoring Exceptions.Example: ESTEP;;EVAL:----Evaluates a string expression that contains variables.The variables that are declaredin the current script can be enclosed in curly braces {} to be inserted.Sets the reserved $RESULT variable.Example: mov x, 1000 eval "The value of x is {x}" // after this $RESULT is "The value of x is 1000";;EXEC:/ENDE---------Executes instructions between EXEC and ENDE in the context of the target process.Values in curly braces {} are replaced by their values.Examples: exec mov {x}, {y} // mov eax, 0DEADBEEF will be executed mov ecx, {x} // mov ecx, eax will be executed ende;;FILL: addr, len, value---------------------Fills len bytes of memory at addr with valueExample: fill 401000, 10, 90 // NOP 10h bytes;;FIND: addr, what---------------Searches memory starting at addr for the specified value.When found sets the reserved$RESULT variable. $RESULT == 0 if nothing found.The search string can also use the wildcard "??" 
(see below).Example: find eip, #6A00E8# // find a PUSH 0 followed by some kind of call find eip, #6A??E8# // find a PUSH 0 followed by some kind of call;;FINDCALLS: addr [,name]----------------------Find all intermodular calls (dll calls) in the disasm area.You can filter resultsby label (case insensitive) with the optionnal second parameter.Reference Window is used and its content changed, Then can use GREF to get results count and retrievethem.Example: findcalls eip, "exit".;;FINDCMD: addr, cmdstr--------------------Search for asm command(s), you can search for series also with ";" separator.This command uses "Search for All Sequences" Ollydbg function so could find relative calls/jmp Reference Window is used and its content changed You can useGREF to get next results in disasm window range.Example 1: findcmd eip, "xor R32,R32";;FINDCMDS:(this function name could be deleted in future versions)--------Same as FINDCMD.;;FINDOP: addr, what-----------------Searches code starting at addr for an instruction that begins with the specified bytes. When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.The search string can also use the wildcard "??" (see below).Example: findop 401000, #6A??# // find next PUSH of something.;;FINDMEM: what [, StartAddr]--------------------------Searches whole memory for the specified value.When found sets the reserved $RESULTvariable. $RESULT == 0 if nothing found.The search string can also use the wildcard"??" (see below).Example: findmem #6A00E8#, 00400000 // search it after address 0040.0000.;;FREE: addr [, size]------------------Free memory bloc allocated by ALLOC (or not). 
If size not given, drop whole memory bloc.Example: alloc 1000 free $RESULT;;GAPI: addr #BETA#---------## Chinese Translation ## Obtains the code place API call information,The API information saves in preservationvariable $RESULT.If the symbolic name is a API function, then:$RESULT saves the API information.$RESULT_1 save link base/storehouse (for instance kernel32).$RESULT_2 save symbolic name (for instance ExitProcess).$RESULT_3 save calling location (for instance call xxxxx).$RESULT_4 save destination.;;GBPM: (beta)----Get last memory breakpoint address, affects $RESULT with dword value;; GBPR:----Get last breakpoint reason, affects $RESULT with dword valueExample: GBPR;;GCI addr, info--------------Gets information about asm command"info" can be : - COMMAND for asm command string (like OPCODE) - DESTINATION for Destination of jump/call/return - SIZE for number of command bytes - TYPE for asm command string (one of C_xxx, see OllyDbg Plugin API)Example: GCI eip, DESTINATION;;GCMT: addr---------Gets the comment, automatic comment or analyse's comment at specified code address;;GFO: addr--------Get File Offset of address;;GLBL: addr---------Get Label at address;;GMEXP: moduleaddr, info, [num]-----------------------------Get Export Address and Names in a module info can be ADDRESS, LABEL, COUNTExample: gma "KERNEL32", MODULEBASE mov addr, $RESULT GMEXP addr, COUNT log $RESULT GMEXP addr, LABEL, 1 log $RESULT GMEXP addr, ADDRESS, 1 log $RESULT;;GMIMP: moduleaddr, info, [num]-----------------------------Get Import address and names in a module info can be ADDRESS, LABEL, MODULE, NAME, COUNTif LABEL results string like "KERNEL32.CopyFileEx"MODULE results "KERNEL32"NAME results "CopyFileEx"Example: gma "USER32", MODULEBASE mov addr, $RESULT GMIMP addr, COUNT log $RESULT GMIMP addr, LABEL, 1 log $RESULT GMIMP addr, ADDRESS, 1 log $RESULT;;GMA: name, info--------------Calls GMI, but parameter is short name of the module;;GMEMI: addr, info----------------Gets information 
about a memory block to which the specified address belongs."info" can be MEMORYBASE, MEMORYSIZE or MEMORYOWNER.Sets the reserved $RESULTvariable (0 if data not found).Example: GMEMI addr, MEMORYBASE // After this $RESULT is the address to the memory base of the memory block to which addr belongs;;GMI: addr, info--------------Gets information about a module to which the specified address belongs."info" can be : MODULEBASE, MODULESIZE, CODEBASE, CODESIZE, MEMBASE, MEMSIZE, ENTRY, NSECT, DATABASE, RELOCTABLE, RELOCSIZE,RESBASE, RESSIZE, IDATABASE, IDATATABLE, EDATATABLE, EDATASIZE.Example: GMI eip, CODEBASE // After this $RESULT is the address to the codebase of the module to which eip belongs;;GN: addr-------Gets the symbolic name of specified address (ex the API it poits to)Sets the reserved $RESULT variable to the name. If that name is an API $RESULT_1 is setto the library (ex kernel32) and $RESULT_2 to the name of the API (ex ExitProcess).Example: gn 401000;;GO: addr-------Executes to specified address (like G in SoftIce)Example: go 401005;;GOPI: addr, index, info--------------Gets information about Operands of asm command,"index" is between 1 and 3"info" can be : - TYPE Type of operand (extended set DEC_xxx, see OllyDbg Plugin API) - SIZE Size of operand, bytes - GOOD Whether address and data valid - ADDR Address if memory, index if register - DATA Actual value (only integer operands)Example: GOPI eip, 1, SIZE;;GPA: proc, lib, [0,1]--------------------Gets the address of the specified procedure in the specified library.When foundsets the reserved $RESULT variable. $RESULT == 0 if nothing found.Useful for settingbreakpoints on APIs.Example: gpa "MessageBoxA", "user32.dll" // After this $RESULT is the address of MessageBoxA and you can do "bp $RESULT".;;GPI: key-------Gets process information, one of :HPROCESS,PROCESSID,HMAINTHREAD,MAINTHREADID,MAINBASE,PROCESSNAME,EXEFILENAME,CURRENTDIR,SYSTEMDIR.;;GREF: [line]-----------Get Address from Reference Window at Line. 
First line is 1 because 0 is CPU Initial EIP.Without parameter, GREF results the Reference Window number of entries.Example: FINDCMD "push eax" GREF 1;;GRO: addr--------Get Relative OffsetWhen found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.;;GSTR: addr, [arg1]-----------------Get String returns a null terminated string from addr, the string is at leastarg1 characters returns in- $RESULT : the string- $RESULT_1 : len of stringExample: gstr 401000 ; arg1 in this case is set to default (2 chars) gstr 401000, 20 ; must be at least 20 chars;;GSL: [where]-----------Get Selection Limitsreturns START/END addresses and SIZE from currently selected line(s) in CPUASM | CPUDUMP | CPUSTACK window in $RESULT, $RESULT_1 & $RESULT_2arg can be either : CPUDASM, CPUDUMP, CPUSTACK. Default is CPUDASMExample: gsl CPUDUMP;;HANDLE: x, y, class---------------------Returns the handle of child window of specified class at point x,y(remember: in hex values).;;HISTORY: (0,1)--------------Enables or Disables Value history in Script Progress Window, could optimize loopsExample: history 0 //disable history 1 //enable;;INC: var-------Adds 1 to variableExample: inc v;;ITOA: n [, base=16.]-----------------Converts an integer to string,Returns the string in the reserved $RESULT variable.Example: itoa F itoa 10., 10.;;JA: label--------Use this after cmp. Works like it's asm counterpart.Example: ja SOME_LABEL;;JAE: label---------Use this after cmp. Works like it's asm counterpart.Example: jae SOME_LABEL;;JB: label--------Use this after cmp. Works like it's asm counterpart.Example: jb SOME_LABEL;;JBE: label---------Use this after cmp. Works like it's asm counterpart.Example: jbe SOME_LABEL;;JE: label (JZ)--------Use this after cmp. Works like it's asm counterpart.Example: je SOME_LABEL;;JMP: label---------Unconditionally jump to a label.Example: jmp SOME_LABEL;;JNE: label (JNZ)---------Use this after cmp. 
Works like its asm counterpart.
Example:
    jne SOME_LABEL
;;
KEY: vkcode [, shift [, ctrl]]
------------------------------
Emulates a global keyboard shortcut.
Example:
    key 20       // space
    key 20, 1    // Shift+space
    key 20, 0, 1 // Ctrl+space
;;
LBL: addr, text
---------------
Inserts a label at the specified address.
Example:
    lbl eip, "NiceJump"
;;
LC:
---
Clears the main Log window.
;;
LCLR:
-----
Clears the Script Log window.
;;
LEN: str
--------
Gets the length of a string.
Example:
    len "NiceJump"
    msg $RESULT
;;
LM: addr, size, filename
------------------------
Loads a file into memory; LM is the opposite of the DM command (which dumps memory to a file).
Example:
    lm 0x401000, 0x100, "test.bin"
;;
LOADLIB: dllname
----------------
Loads a DLL into the debugged program's memory. Useful for setting breakpoints in a dynamically loaded library. Returns the address of the loaded library.
Example:
    pusha
    loadlib "user32.dll"
    popa
;;
LOG: src [,prefix]
------------------
Logs src to the OllyDbg Log window. If src is a constant string, the string is logged as it is. If src is a variable or register, it is logged with its name. You can replace the default prefix with the optional second parameter.
Example:
    log "Hello world" // The string "Hello world" is logged
;;
LOGBUF: var [,linecount [,separator]]
-------------------------------------
Logs a string or buffer like a memory dump; useful for long data.
;;
MOV: dest, src [,size]
----------------------
Moves src to dest. Src can be a long hex string in the format #<some hex numbers>#, for example #1234#. Remember that the number of digits in the hex string must be even, i.e. 2, 4, 6, 8 etc.
Example:
    mov x, 0F
    mov y, "Hello world"
;;
MEMCPY: dest, src, size
-----------------------
Copies application memory from the "src" address to the "dest" address. This is the same as mov [dest], [src], size.
Example:
    MEMCPY dest, base, size
;;
MSG: message
------------
Displays a message box with the specified message.
Example:
    MSG "Script paused"
;;
MSGYN: message
--------------
Displays a message box with the specified message and YES and NO buttons. Sets the reserved $RESULT variable to 1 if YES is selected and 0 otherwise.
Example:
    MSGYN "Continue?"
;;
MUL: op1, op2
-------------
Sets op1 to op1*op2.
Example:
    mul op1, 10
;;
NAMES: addr
-----------
Opens the Names window for a module (like Ctrl+N). addr is the module address.
;;
NEG: op
-------
Assembly operation "neg eax".
;;
NOT: op
-------
Assembly operation "not eax".
;;
OLLY: info
----------
Gets information about OllyDbg. "info" can be:
    - PID   retrieve the OllyDbg process ID
    - HWND  retrieve the main OllyDbg HWND
Example:
    OLLY PID
    mov pid, $RESULT
    OLLY HWND
    mov hwnd, $RESULT
;;
OR: dest, src
-------------
ORs src and dest and stores the result in dest.
Example:
    or x, 0F
    or eax, x
    or [401000], 5
;;
OPCODE: addr
------------
OPCODE sets the $RESULT variable to the opcode bytes, $RESULT_1 to the mnemonic (i.e. "MOV ECX,EAX") and $RESULT_2 to the length of the opcode. If an invalid opcode appears, $RESULT_2 should be 0. addr is increased by the length of the opcode (disassemble command). With this function you can step forward through code without executing it.
Example:
    opcode 00401000
;;
OPENDUMP: addr [,base,size]
---------------------------
Creates a new Dump window with the data at address.
;;
OPENTRACE:
----------
Opens the Run trace window.
;;
PAUSE:
------
Pauses script execution.
The script can be resumed from the plugin menu.
Example:
    pause
;;
POP: dw
-------
Retrieves a dword from the stack.
;;
POPA:
-----
Restores all registers from plugin memory (saved with PUSHA).
;;
PUSHA:
------
Saves all registers in plugin memory (to be restored by POPA). The stack is not used by this command.
;;
PREOP: addr
-----------
Gets the address of the asm command just before the specified address (found by disassembly, not by execution).
Attention: this is not necessarily the command that was really executed before EIP, e.g. when EIP was reached by a jump.
Example:
    preop eip
;;
PUSH: dw
--------
Adds a dword to the stack.
;;
RBP: [arg1]
-----------
Restore Break Points: restores all hardware and software breakpoints stored with SBP.
arg1 may be STRICT or nothing. If arg1 == STRICT, all soft breakpoints set by the script are deleted and only those that existed before it ran are restored. If no argument is given, the previously stored soft breakpoints are appended to those set by the script.
Returns in:
    - $RESULT   number of restored swbp
    - $RESULT_1 number of restored hwbp
Example:
    rbp
    rbp STRICT
;;
READSTR: str, len
-----------------
Copies len chars of str into $RESULT.
;;
REF: addr, [LOCATION]
---------------------
REF addr works like "Find references to > Selected command" and "Find references" (Ctrl+R) in OllyDbg.
The search LOCATION can be the MEMORY block (default), the CODE of the module, or the whole MODULE.
$RESULT is set to the first reference address, $RESULT_1 to the opcode (text asm command) and $RESULT_2 to the comment (like the Reference window).
Repeat "REF addr" until $RESULT = 0 to get the next references. The REF counter is reset when addr changes, or forced with addr = 0.
Example:
    REF 0 // RESET REF
continue:
    REF eip, CODE
    log $RESULT
    log $RESULT_1
    log $RESULT_2
    cmp $RESULT, 0
    jne continue
;;
REPL: addr, find, repl, len
---------------------------
Replaces "find" with "repl" starting at "addr" for "len" bytes. Wildcards are allowed.
Example:
    repl eip, #6a00#, #6b00#, 10
    repl eip, #??00#, #??01#, 10
    repl 401000, #41#, #90#, 1F
;;
RET:
----
Exits the script or returns from CALL.
Example:
    ret
;;
REV: what
---------
Reverses the bytes of a dword.
Example:
    rev 01020304 // $RESULT = 04030201
;;
ROL: op, count
--------------
Assembly operation "rol eax, cl"; the result is saved in the target (first) operand.
;;
ROR: op, count
--------------
Assembly operation "ror eax, cl".
Example:
    mov x, 00000010
    ROR x, 8
;;
RTR:
----
Executes "Run to return" in OllyDbg (Ctrl+F9).
Example:
    rtr
;;
RTU:
----
Executes "Run to user code" in OllyDbg (Alt+F9).
Example:
    rtu
;;
RUN:
----
Executes F9 in OllyDbg. You can also use ERUN to ignore exceptions.
Example:
    run
;;
SBP:
----
Store Break Points: stores all hardware and software breakpoints, to be restored with RBP.
Returns in:
    - $RESULT   number of stored swbp
    - $RESULT_1 number of stored hwbp
;;
SCMP: dest, src [,size]
-----------------------
Compares string dest to string src. Works like its asm counterpart (CMP), but on strings.
Example:
    scmp x, "KERNEL32.DLL"
    scmp [eax], "Hello World", 11.
    je Label
;;
SCMPI: dest, src [,size]
------------------------
Compares string dest to string src (case insensitive).
Works like its asm counterpart.
Example:
    scmpi sVar, "KERNEL32.DLL"
    scmpi [eax], "Hello", 5
    jne Label
;;
SETOPTION:
----------
Opens the OllyDbg Options window to change debugging parameters. The script continues when the window is closed.
;;
SHL: dest, src
--------------
Shifts dest to the left src times and stores the result in dest.
Example:
    mov x, 00000010
    shl x, 8 // x is now 00001000
;;
SHR: dest, src
--------------
Shifts dest to the right src times and stores the result in dest.
Example:
    mov x, 00001000
    shr x, 8 // x is now 00000010
;;
STEP:
-----
Executes F8 in OllyDbg. Same as STO.
Example:
    STEP
;;
STI:
----
Executes F7 in OllyDbg (STep Into).
Example:
    sti
;;
STO:
----
Executes F8 in OllyDbg (STep Over).
Example:
    sto
;;
STR: var
--------
Converts a variable to a string (buffer or dword).
;;
SUB: dest, src
--------------
Subtracts src from dest.
Example:
    sub x, 0F
    sub eax, x
    sub [401000], 5
;;
TC:
---
Cancels the run trace in OllyDbg.
Example:
    tc
;;
TEST: dest, src
---------------
Performs a logical AND of the two operands, updating the flags register without saving the result (modifies flags CF OF PF SF ZF; AF undefined).
;;
TI:
---
Executes "Trace into" in OllyDbg (Ctrl+F7).
Example:
    ti
;;
TICK: [var [,reftime]]
----------------------
Sets var to the script execution time (microseconds); if reftime is given, sets $RESULT to the time elapsed since reftime.
With no parameter, sets $RESULT to the execution time as text in "<ssss mmm> ms" format. var is declared automatically.
Example:
    tick time
;;
TICND: cond
-----------
Traces into calls until cond is true.
Example:
    ticnd "eip > 40100A" // will stop when eip > 40100A
;;
TO:
---
Executes "Trace over" in OllyDbg.
Example:
    to
;;
TOCND: cond
-----------
Traces over calls until cond is true.
Example:
    tocnd "eip > 40100A" // will stop when eip > 40100A
;;
UNICODE: enable
---------------
Sets Unicode mode (not used for the moment).
Example:
    UNICODE 1
;;
VAR:
----
Declares a variable to be used in the script.
Example:
    var x
;;
XOR: dest, src
--------------
XORs src and dest and stores the result in dest.
Example:
    xor x, 0F
    xor eax, x
    xor [401000], 5
;;
XCHG: dest, src
---------------
Exchanges the contents of source and destination.
;;
WRT: file, data
---------------
Writes data to a file (replacing an existing one). The only accepted escape sequence is "/r/n". Numbers are written as strings, for the moment.
Example:
    wrt "out.txt", "Data:/r/nOk/r/n"
    wrt sFile, ebx
;;
WRTA: file, data [, separator]
------------------------------
Appends data to a file; the default separator is "/n".
Example:
    wrta sFile, "hello world"
    wrta sFile, ABCD, ""
    wrta sFile, "Windows CR", "/r/n"
;;
MODULEBASE, MODULESIZE, CODEBASE, CODESIZE, MEMBASE, MEMSIZE, ENTRY, NSECT, DATABASE, RELOCTABLE, RELOCSIZE, RESBASE, RESSIZE, IDATABASE, IDATATABLE, EDATATABLE, EDATASIZE, NAME, PATH, VERSION:
-----------------------------------------------------------------------------------------------------
Parameters of GMI to get information about a module.
;;
MEMORYBASE, MEMORYSIZE, MEMORYOWNER:
------------------------------------
Parameters of GMEMI to get information about the memory block to which the specified address belongs.
;;
HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE, PROCESSNAME, EXEFILENAME, CURRENTDIR, SYSTEMDIR:
---------------------------------------------------------------------------------------------------------
Parameters of GPI to get process information.
;;
ENDE:
-----
Ends the assembly execution started by EXEC.
;;
BPHWCALL:
---------
Clears all hardware breakpoints.
;;

created: by britedream on 12/12/2009
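The script below is an added example; it is not part of this reference nor of the original ODbgScript documentation. It chains several of the entries above the way a practitioner would when harvesting API calls: GPA resolves an API, GN checks the result, SBP/RBP bracket a breakpoint on it, GSTR and SCMPI read and test the string arguments once the breakpoint is hit, GMI CODEBASE/CODESIZE decide whether the return address lies in the main module, OPCODE disassembles a few instructions after the call site without executing them, and WRT/WRTA write everything to a file (bp, bc, run, eval, log, cmp and the jumps are from the rest of the reference). It assumes a 32-bit target already loaded and paused in OllyDbg (e.g. at its EP) that calls user32!MessageBoxA through the stdcall convention, so on entry [esp] is the return address and [esp+4], [esp+8], [esp+C] are hWnd, lpText and lpCaption; the file name "api_harvest.txt" and the caption "Error" it tests for are arbitrary choices. Because the exact behaviour of OPCODE on a variable argument ("addr is increased by the length of the opcode") is not spelled out above, the walk hands OPCODE a throwaway copy and advances its own cursor by $RESULT_2.

```ollyscript
// @filename MyOllyScript_api_harvest.txt
// @brief  added example: break on MessageBoxA, log caller and string arguments,
//         then disassemble the code that follows the call site with OPCODE.
// @note   assumes a 32-bit stdcall target loaded and paused in OllyDbg;
//         "api_harvest.txt" and the caption "Error" are arbitrary choices.
var vApi        // address of user32!MessageBoxA
var sLib        // library name returned by GN
var sName       // API name returned by GN
var vRet        // return address = instruction after the call site
var vArgPtr     // scratch pointer into the caller's argument frame
var sText       // lpText    (2nd argument)
var sCaption    // lpCaption (3rd argument)
var vCodeBegin  // main module code range, from GMI
var vCodeEnd
var vCur        // cursor for the OPCODE walk
var vTmp        // copy handed to OPCODE (it may advance its argument)
var sAsm        // mnemonic returned by OPCODE
var vLen        // instruction length returned by OPCODE
var vCnt        // instructions disassembled so far
var sFile

mov sFile, "api_harvest.txt"
lclr
sbp                         // remember the user's breakpoints; rbp STRICT restores them at the end

gpa "MessageBoxA", "user32.dll"
cmp $RESULT, 0
je L_NOAPI
mov vApi, $RESULT
gn vApi                     // resolve the address back to lib!name as a sanity check
mov sLib, $RESULT_1
mov sName, $RESULT_2
eval "hooking {sLib}!{sName} at {vApi}"
log $RESULT
wrt sFile, $RESULT

gmi eip, CODEBASE           // main module code range, used to classify the caller
mov vCodeBegin, $RESULT
gmi eip, CODESIZE
mov vCodeEnd, vCodeBegin
add vCodeEnd, $RESULT

bp vApi
run                         // the script waits here until the breakpoint is hit
bc vApi

// stdcall entry frame: [esp] = return address, [esp+4] = hWnd, [esp+8] = lpText, [esp+C] = lpCaption
mov vRet, [esp]
mov vArgPtr, esp
add vArgPtr, 8
mov vTmp, [vArgPtr]
gstr vTmp, 1                // read lpText (at least one character)
mov sText, $RESULT
add vArgPtr, 4
mov vTmp, [vArgPtr]
cmp vTmp, 0                 // lpCaption may be NULL (Windows then shows "Error")
je L_NOCAPTION
gstr vTmp, 1
mov sCaption, $RESULT
jmp L_HAVECAPTION
L_NOCAPTION:
mov sCaption, "(NULL)"
L_HAVECAPTION:
eval "MessageBoxA called from {vRet}: caption = {sCaption}, text = {sText}"
log $RESULT
wrta sFile, $RESULT

scmpi sCaption, "Error"     // case-insensitive test of the caption
jne L_CLASSIFY
eval "error dialog reached: {sText}"
log $RESULT
wrta sFile, $RESULT

L_CLASSIFY:
cmp vRet, vCodeBegin
jb L_OUTSIDE
cmp vRet, vCodeEnd
jae L_OUTSIDE
eval "caller {vRet} is inside the main module code [{vCodeBegin}, {vCodeEnd})"
log $RESULT
jmp L_WALK_INIT
L_OUTSIDE:
eval "caller {vRet} is outside the main module code (wrapper in another module?)"
log $RESULT

L_WALK_INIT:
mov vCur, vRet
mov vCnt, 0
L_WALK:
mov vTmp, vCur              // OPCODE may advance its argument, so hand it a copy
opcode vTmp
mov vLen, $RESULT_2
cmp vLen, 0
je L_DONE                   // invalid opcode: stop walking
mov sAsm, $RESULT_1
eval "  {vCur}  {sAsm}"
log $RESULT
wrta sFile, $RESULT
add vCur, vLen
inc vCnt
cmp vCnt, 0A                // 0A = ten instructions (script numbers are hex)
jb L_WALK
jmp L_DONE

L_NOAPI:
msg "MessageBoxA not found: user32.dll is not loaded in the target"
L_DONE:
rbp STRICT                  // drop the script's breakpoint, restore the user's
ret
```

Run it from the plugin's Run Script menu with the target paused. If the target never reaches MessageBoxA the script stays blocked in run; abort it from the plugin menu, and the rbp STRICT at the end will not have executed, so check the breakpoint window by hand. Reading arguments relative to esp only holds at API entry (before the callee's prologue), which is why the breakpoint is set on the resolved address itself rather than somewhere inside the function.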