OllyDbg 1.10 flyODBG + OllyICE 天草随教程附送的教学用软件

------------------------------- OllyScript plugin v0.92 by SHaG ------------------------------- 1. About OllyScript 2. Status 2.1 What's new in v0.92? 3. Documentation 3.1 Language 3.1.1 Reserved variables 3.1.2 Commands 3.2 Labels 3.3 Comments 3.4 Menus 4. Integration with other plugins 5. Contact me 6. License and source code 7. Thanks! ------------------------------ 1. About OllyScript ------------------- OllyScript is a plugin for OllyDbg, which is, in my opinion, the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. OllyScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using my plugin you can write a script once and for all. ------------------------------ 2. Status (10 July 2004) ---------------------------- v0.92 A big bug in script synchronization fixed (thanks loveboom!). GN behaviour updated. MOV can now write strings to memory. v0.91 A bug related to pausing the application fixed, the GN command added, ASM returns $RESULT. v0.9 OllyScript has now been downloaded more then 10000 times! That means more then 2Gb of raw scripting power flowing down the optic cable veins of the Internet. Not bad if you ask me! The development of the plugin has been a bit slow, I've got a job programming xray systems which has taken a lot of time. Sorry about that. 2.1 What's new? --------------- + New commands: ASK, BPL, BPLCND, COB, COE, EVAL, EXEC/ENDE, GN, TICND, TOCND + Execution of code in the target process context + String concateration with ADD or EVAL + Input box + Logging breakpoints + Removal of EOB and EOE + Tracing with condition + Get name of address # ASM now returns assembled length in $RESULT # Fixed pause crash bug # Fixed bug with JBE, hopefully it was the last of the Jxx bugs # OllyScript now REQUIRES OllyDbg v1.10. No other versions are officially supported. ------------------------------ 3. Documentation ---------------- Two example scripts (tElock098.osc and UPX.osc) are available with this release. The scripts will when run immediately find the OEP packed executable. 3.1 Language ------------ The scripting language of OllyScript is an assembly-like language. In the document below, src and dest can be (unless stated otherwise): - Constant in the form of a hex number withot prefixes and suffixes (i.e. 00FF, not 0x00FF or 00FFh) - Variable previously declared by VAR - A 32-bit register (one of EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP). Non 32-bit registers are not supported at the moment, but you can use SHL/SHR and AND to get their values. - A memory reference in square brackets (i.e. [401000] points to the memory at address 401000, [ecx] points to the memory at address ecx). - A flag with an exclamation mark in front (one of !CF, !PF, !AF, !ZF, !SF, !DF, !OF) - Sometimes byte strings are required. those are scripted as #6A0000# (values between two #) and must have an even number of characters. - Some byte strings can contain the wildcard '?', for exampla #6A??00# or #6?0000# 3.1.1 Reserved variables ------------------------ $RESULT ------- Return value for some functions like FIND etc. $RESULT_1 and $RESULT_2 are available for some commands. $VERSION -------- Contains current version of OllyScript Example cmp $VERSION, "0.8" ja version_above_08 3.1.2 Commands -------------- #INC file --------- Includes a script file in another script file Example: #inc "anotherscript.txt" #LOG ---- Enables logging of executed commands. The commands will appear in OllyDbg log window, and will be prefixed with --> Example: #log ADD dest, src ------------- Adds src to dest and stores result in dest Example: add x, 0F add eax, x add [401000], 5 add y, " times" // If y was 1000 before this command then y is "1000 times" after it AI -- Executes "Animate into" in OllyDbg Example: ai AN addr ------- Analyze module which contains the address addr. Example: an eip // Same as pressing CTRL-A AND dest, src ------------- ANDs src and dest and stores result in dest Example: and x, 0F and eax, x and [401000], 5 ASK question ------------ Displays an input box with the specified question and lets user enter a response. Sets the reserved $RESULT variable (0 if cancel button was pressed). Example: ask "Enter new EIP" cmp $RESULT, 0 je cancel_pressed mov eip, $RESULT ASM addr, command ----------------- Assemble a command at some address. Returns bytes assembled in the reserved $RESULT variable Example: asm eip, "mov eax, ecx" AO -- Executes "Animate over" in OllyDbg Example: ao BC addr ------- Clear unconditional breakpoint at addr. Example: bc 401000 bc x bc eip BP addr -------- Set unconditional breakpoint at addr. Example: bp 401000 bp x bp eip BPCND addr, cond ---------------- Set breakpoint on address addr with condition cond. Example: bpcnd 401000, "ECX==1" BPL addr, expr -------------- Sets logging breakpoint at address addr that logs expression expr Example: bpl 401000, "eax" // logs the value of eax everytime this line is passed BPLCND addr, expr, cond ----------------------- Sets logging breakpoint at address addr that logs expression expr if condition cond is true Example: bplcnd 401000, "eax", "eax > 1" // logs the value of eax everytime this line is passed and eax > 1 BPMC ---- Clear memory breakpoint. Example: bpmc BPHWC addr ---------- Delete hardware breakpoint at a specified address Example: bphwc 401000 BPHWS addr, mode ---------------- Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute. Example: bphws 401000, "x" BPRM addr, size --------------- Set memory breakpoint on read. Size is size of memory in bytes. Example: bprm 401000, FF BPWM addr, size --------------- Set memory breakpoint on write. Size is size of memory in bytes. Example: bpwm 401000, FF CMP dest, src ------------- Compares dest to src. Works like it's ASM counterpart. Example: cmp y, x cmp eip, 401000 CMT addr, text -------------- Inserts a comment at the specified address Example: cmt eip, "This is the entry point" COB --- Makes script continue execution after a breakpoint has occured (removes EOB) Example: COB COE --- Makes script continue execution after an exception has occured (removes EOE) Example: COE DBH --- Hides debugger Example: dbh DBS --- Unhides debugger Example: dbs DEC var ------- Substracts 1 from variable Example: dec v DM addr, size, file ------------------- Dumps memory of specified size from specified address to specified file Example: dm 401000, 1F, "c:\dump.bin" DMA addr, size, file ------------------- Dumps memory of specified size from specified address to specified file appending to that file if it exists Example: dma 401000, 1F, "c:\dump.bin" DPE filename, ep ---------------- Dumps the executable to file with specified name. Entry point is set to ep. Example: dpe "c:\test.exe", eip EOB label --------- Transfer execution to some label on next breakpoint. Example: eob SOME_LABEL EOE label --------- Transfer execution to some label on next exception. Example: eob SOME_LABEL ESTI ---- Executes SHIFT-F7 in OllyDbg. Example: esti ESTO ---- Executes SHIFT-F9 in OllyDbg. Example: esto EVAL ---- Evaluates a string expression that contains variables. The variables that are declared in the current script can be enclosed in curly braces {} to be inserted. Sets the reserved $RESULT variable Example: var x mov x, 1000 eval "The value of x is {x}" // after this $RESULT is "The value of x is 00001000" EXEC/ENDE --------- Executes instructions between EXEC and ENDE in the context of the target process. Values in curly braces {} are replaced by their values. Example: // This does some movs var x var y mov x, "eax" mov y, "0DEADBEEF" exec mov {x}, {y} // mov eax