ODbgScript學習

ODbgScript腳本可以更加靈活的控制OllyDBG,以下根據《加密與解密(第三版)》ISO的第二章和官方文檔而寫。相關文件:OllyScript

《加密與解密》的光盤中的OllyDBG自帶ODbgScript插件,這裏使用ODbgScript的1.82版本。參看ODbgScript入門系列.chm和ODBGScript.chm給出下面的ODbgScript註釋

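;Abort early unless the ODbgScript plugin is recent enough for the commands used
;in this script (the notes below were written against 1.82). $VERSION is compared
;as a string, which works for the "1.xx" numbering scheme.
cmp $VERSION,"1.60"
;jae: jump if above or equal
jae ver_ok
	;tell the user *why* the script stopped instead of a bare "error"
	msg "ODbgScript 1.60 or newer is required"
	ret
ver_ok:
	;msg "ok"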

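;ALLOC size / FREE addr,size demo.
;The allocated address is copied into a variable right away: $RESULT is shared by
;every command, so freeing "$RESULT" after other commands ran is fragile. A 0
;result means the allocation in the debuggee failed and must not be freed.
var buf

;bp 0100137B
alloc 1000
cmp $RESULT,0
je alloc_failed
mov buf,$RESULT
log buf
free buf,1000
jmp alloc_done
alloc_failed:
	log "alloc 1000 failed"
alloc_done: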

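;GPA proc, lib, [0,1]		Get the address of the specified procedure in the specified library
;$RESULT is 0 when the export cannot be resolved (e.g. user32.dll is not yet
;loaded in the debuggee). Setting a breakpoint on 0 is pointless, so check first
;and keep the address in a variable instead of re-reading $RESULT after other
;commands.
var apiaddr

gpa "GetDlgItemTextA","user32.dll"
cmp $RESULT,0
je gpa_failed
mov apiaddr,$RESULT
bp apiaddr
log apiaddr

;esto
;Executes SHIFT-F9 in OllyDbg. Run with Ignore Exceptions    e run
;Shift+F9	Pass exception to standard handler and run
;Note: with esto commented out the breakpoint is removed immediately below and
;is never hit; uncomment esto to actually stop inside GetDlgItemTextA.
bc apiaddr
jmp gpa_done
gpa_failed:
	log "GetDlgItemTextA not found (is user32.dll loaded in the target?)"
gpa_done: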

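;GMI addr, info
;Get information about a module to which the specified address belongs.
; MODULEBASE, MODULESIZE
; CODEBASE,   CODESIZE
; ENTRY, NSECT, DATABASE
; EDATATABLE, EDATASIZE    IDATABASE, IDATATABLE
; RESBASE,    RESSIZE,     RELOCTABLE, RELOCSIZE
;Every gmi overwrites $RESULT, so each answer is logged before the next query;
;otherwise the values are silently discarded.
gmi eip,codebase
log $RESULT
gmi eip,codesize
log $RESULT
;01002000 is a hard-coded address from the sample binary studied in the book; in
;another target it will likely not belong to any module (expect a 0 result).
gmi 01002000,codesize
log $RESULT

;GPI key
;Get process information, one of :
;HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE, PROCESSNAME, EXEFILENAME, CURRENTDIR, SYSTEMDIR

gpi MAINTHREADID
log $RESULT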
;x command
;asm eip, "call    01001811"
;asm eip, "mov eax, ecx"

;EXEC/ENDE
;Executes instructions between EXEC and ENDE in the context of the target process. Values in curly braces {} are replaced by their values.
;PUSHA / POPA commands could be useful when you use this.

;exec
;mov eip,[eax]
;ende
;EXEC/ENDE leaves the script and runs the lines between them as real x86 code inside the debuggee: save any process state you need first, then work in a freshly allocated code region (see ALLOC). Note that the example above, mov eip,[eax], is not a valid x86 instruction (eip cannot be a mov operand) and would fail to assemble; use jmp [eax] inside EXEC, or set eip from the script side (mov eip,...) instead.

;mov x, "eax"
;mov y, DEADBEEF
;exec
; 	mov {x}, {y} 	mov eax, 0DEADBEEF will be executed
; 	mov ecx, {x} 	mov ecx, eax will be executed
;ende
;msg eax


;DPE filename, ep
; Dumps the executable to file with specified name.
; Entry point is set to ep.
; Path is relative to the path of the currently loaded executable.
; Notes: * uses PEFileInfo.dwSizeOfImage
;   * Applies dumpfix to PE.sectionHdr
;     (PointerToRawData = VirtualAddress
;         SizeOfRawData = VirtualSize)

;dpe "D:\download\2019-09-15\Reverse02.exe", eip

;BPHWS addr, [mode]
;Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute (default)
;bphws 401000, "x"

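;Locate the PE header of the module eip currently belongs to.
;Fixes relative to the original notes:
; * the "MZ" sanity check that was left commented out is now active;
; * the result of FIND is checked for 0 and cross-checked against e_lfanew
;   (IMAGE_DOS_HEADER+3C), because a byte scan for "PE\0\0" can match inside the
;   DOS stub or other data before the real header;
; * the yes/no prompt previously jumped to the same label for both answers and
;   then hit `ret`, so the `log cl` / `sto` lines below could never execute; the
;   label was also named `esp`, which collides with the register name.
var ImageBase
var PEheader
var e_lfanew
var DOSstub

gmi eip,MODULEBASE
mov ImageBase,$RESULT
cmp ImageBase,0
je pe_failed

;DOS header must start with "MZ" (only the first 2 bytes are read)
mov DOSstub,[ImageBase],2
cmp DOSstub,5A4D
jne pe_failed

;e_lfanew at offset 3C holds the authoritative PE header offset
mov e_lfanew,ImageBase
add e_lfanew,3C
mov e_lfanew,[e_lfanew]
add e_lfanew,ImageBase

;FIND demo: scan forward from the module base for the PE signature
find ImageBase,#50450000#
mov PEheader,$RESULT
cmp PEheader,0
je pe_failed
cmp PEheader,e_lfanew
je pe_ok
log "warning: first PE signature match differs from e_lfanew; using e_lfanew"
mov PEheader,e_lfanew
pe_ok:

log "ImageBase:"
log ImageBase
log "PEheader"
log PEheader

;wrt appends to PE.txt; the path is resolved by OllyDbg, presumably relative to the
;debuggee's directory -- check where it lands before running against samples
;kept in a shared or read-only location.
eval "ImageBase={ImageBase}"
wrt "PE.txt",$RESULT
jmp mode_select

pe_failed:
	log "could not locate a valid PE header for the module at eip"
	ret

;Ask which unpacking heuristic to use; msgyn sets $RESULT to 1 for Yes, 0 for No.
mode_select:
msgyn "你是選擇pushad/popad方式嗎(是)?還是狹義ESP方式(否)"
cmp $RESULT,1
je mode_pushad
	msg "ESP mode selected"
	jmp mode_done
mode_pushad:
	msg "pushad/popad mode selected"
mode_done:

;tocnd "eax == 0A280105"
;find eip,#0040??00#

;low byte of ecx as the debuggee currently holds it
log cl
;step over one instruction in the debuggee
sto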

;clear log window
;lclr