ODbgScript 腳本可以更加靈活地控制 OllyDBG。以下內容根據《加密與解密（第三版）》ISO 的第二章和官方文檔而寫，相關文件：OllyScript。
《加密與解密》光盤中的 OllyDBG 自帶 ODbgScript 插件，這裏使用 ODbgScript 的 1.82 版本。參看「ODbgScript入門系列.chm」和「ODBGScript.chm」，給出下面的 ODbgScript 腳本和註釋。
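;=======================================================================
; ODbgScript (OllyDbg scripting plugin, 1.82) demonstration script.
; Syntax: ODbgScript. `;` starts a comment, `name:` defines a jump
; target, `$RESULT` receives the result of the previous command.
; Side effects: sets and clears a breakpoint on GetDlgItemTextA, writes
; "PE.txt" relative to the debuggee, shows message boxes, steps over
; one instruction at the end. `ret` at top level ends the script.
;=======================================================================

; --- version gate: stop unless the plugin is at least 1.60 ------------
cmp $VERSION,"1.60"
; jae = jump if above or equal
jae ver_ok
msg "error"
ret
ver_ok:
;msg "ok"

var entry
;bp 0100137B

; --- alloc / free round-trip: $RESULT holds the block address --------
alloc 1000
log $RESULT
free $RESULT,1000

; --- GPA proc, lib: address of a procedure in a library --------------
; A temporary breakpoint is set on GetDlgItemTextA and removed again.
; $RESULT is 0 when the export is not found; a breakpoint must not be
; placed at address 0, so that case is skipped.
gpa "GetDlgItemTextA","user32.dll"
cmp $RESULT,0
je gpa_failed
bp $RESULT
log $RESULT
;esto
; esto executes Shift+F9 in OllyDbg: pass exception to standard handler
; and run ("run with ignore exceptions").
bc $RESULT
gpa_failed:

; --- GMI addr, info: information about the module containing addr ----
; info is one of:
;   MODULEBASE, MODULESIZE
;   CODEBASE, CODESIZE
;   ENTRY, NSECT, DATABASE
;   EDATATABLE, EDATASIZE, IDATABASE, IDATATABLE
;   RESBASE, RESSIZE, RELOCTABLE, RELOCSIZE
gmi eip,codebase
gmi eip,codesize
gmi 01002000,codesize

; --- GPI key: process information, one of ----------------------------
; HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE, PROCESSNAME,
; EXEFILENAME, CURRENTDIR, SYSTEMDIR
gpi MAINTHREADID

; --- ASM and EXEC/ENDE reference (kept disabled) ---------------------
;asm eip, "call 01001811"
;asm eip, "mov eax, ecx"
; EXEC/ENDE executes the instructions between them in the context of the
; target process; {name} inside the block is replaced by the variable's
; value.  PUSHA / POPA can be useful around it.  This bypasses ODbgScript
; and controls the process directly: the current process state is saved
; and a new code region is allocated for the instructions.
;exec
;mov eip,[eax]
;ende
;mov x, "eax"
;mov y, DEADBEEF
;exec
; mov {x}, {y}
;   -> mov eax, 0DEADBEEF will be executed
; mov ecx, {x}
;   -> mov ecx, eax will be executed
;ende
;msg eax

; DPE filename, ep: dumps the executable to the named file with the
; entry point set to ep; the path is relative to the currently loaded
; executable.  Notes: uses PEFileInfo.dwSizeOfImage and applies dumpfix
; to PE.sectionHdr (PointerToRawData = VirtualAddress,
; SizeOfRawData = VirtualSize).
;dpe "D:\download\2019-09-15\Reverse02.exe", eip
; BPHWS addr, [mode]: hardware breakpoint; mode is "r" read, "w" write
; or "x" execute (default).
;bphws 401000, "x"

; --- locate the PE header of the module containing eip ---------------
var ImageBase
var PEheader
gmi eip,MODULEBASE
mov ImageBase,$RESULT
; Search forward from the image base for the "PE\0\0" signature.
; find leaves $RESULT = 0 when nothing matches, so the result is checked
; before it is used as the header address.
find ImageBase,#50450000#
cmp $RESULT,0
je pe_not_found
mov PEheader,$RESULT
; Stricter check (disabled): read 2 bytes at the image base and compare
; with 5A4D ("MZ") before trusting the signature search.
; mov DOSstub,[ImageBase],2
; cmp DOSstub,5a4d
; jne pe_not_found
log "ImageBase:"
log ImageBase
log "PEheader"
log PEheader
eval "ImageBase={ImageBase}"
wrt "PE.txt",$RESULT
jmp pe_done
pe_not_found:
log "PE signature not found"
pe_done:

; --- ask which unpacking approach the user wants ---------------------
; msgyn sets $RESULT to 1 for Yes and 0 for No.  Previously both the
; je and the jne went to the same label (named `esp`, which is also a
; register name), so the answer had no effect; the two answers now have
; separate labels for the mode-specific logic to go into.
msgyn "你是選擇pushad/popad方式嗎(是)?還是狹義ESP方式(否)"
cmp $RESULT,1
je mode_pushad
mode_esp:
; narrow-ESP mode chosen ($RESULT = 0)
msg $RESULT
jmp mode_done
mode_pushad:
; pushad/popad mode chosen ($RESULT = 1)
msg $RESULT
mode_done:

;tocnd "eax == 0A280105"
;find eip,#0040??00#
; The commands below used to follow a top-level `ret` and never ran;
; the script now ends after them.
log cl
sto
; clear log window
;lclr
ret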