ODbgScript plugin by hnhuqiong

From
ODbgScript plugin v1.47 by Epsylon3
OllyScript plugin v0.92 by SHaG


-------------------------------------------
1.  OllyScript
2. Ŀǰ
2.1 v1.54¸
3. ĵ
3.1 Ը
3.1.1 
3.1.2 ָ
3.2 ǩ
3.3 ע
3.4 ˵
4. ǶĲ
5. ѽ
6. ϵ
7. Դ
8. л

-------------------

1.  ODbgScript
-------------------
ODbgScript OLLYDBGһҸΪOllyDbgĿǰõĳ򼶵
ɫ֮һĲϵʹûܹΪЧչĹܡ
ODbgScript һͨԵĽűOllyDbgԶеĲ
ڵԳʱǽΪҪҵĳؼ㣬òظ 
ͨʹҵĽűͿдһνűʹá 

ODbgScriptOllyScriptӵһűĵд,ܺܺõĿƽű͹۲
ű״̬,ODbgScriptĵԴ,ԵִĽű,ִֹнű,
Ľű¶ϵ,Եıֵ.Ľű,ڲѡ
д,ͳ.

ODbgScriptһ־(LOG),Ŀô,ڲõĽ,Ϊչǿ
.

------------------------------

2. Ŀǰ200752գ
----------------------------
V1.48-
2006-5-20ʼ,ODbgScripthnhuqiongEpsylon3ԴĻϽбػԼ.

v1.0-v1.47
OllyScriptODbgScript,µͼν,2005-11-4ʼEpsylon3̳SHaG.
(δ֪ԭ2006-2-6Epsylon3ûΪOllyScriptµ.)

v0.92
OllyScriptĿǰѾһˣζų2Gb˵
ΪҪһxrayϵͳĿĿҪȥҲٵʱ䣬ԿĲҪˡ
ĶԲˡ
(2004710SHaGOllyScriptĿ,Դ.)


2.1 ¸(+:ӹ *:BUG -:ȥ #:Թ)
V1.65.2(2007/09/15)
+ BPHWC   ɾӲϵ
+ BC      ɾжϵ
+ BD      ֹжϵ
+ BPGOTO  ϵԶתǩ
+ buf     תַΪASCII뵽
+ GCI     ƶַĻϢ
+ call    ñǩӳRET
+ TICK    Ųʱ
+ űб༭
+ űűϵв仯
* findcmds  
* һЩСBUG



V1.54(2007/06/01)
+GMI չ,ֿɵõϢ
  MODULEBASE:   ģַ
  MODULESIZE:   ģС
  CODEBASE:     λַ
  CODESIZE:     δС
  DATABASE:     ݶλַ
  RESBASE:      Դλַ
  RESSIZE:      ԴδС
  IDATATABLE:   ַ(Base address of import data table)
  entry:        ģ
  nsect:        Ŀ(Number of sections in the module)


V1.53(2007/05/03)
+ pop,push,test,xchg
+ findcmds()
* ٷPLUGIN±,DBH,DBSBUG
* /ִнű˳ҵشBUG޸(ڲNRUMRU),BUGҺܾ
 ԭһֱBUG,ǰ̫ע,Զ¾Ľ.


V1.52
# ˵˴ģĲԼ
# Ϊǰ汾Ľű,ȥCĲ.
# asmtxt(ıasmļдַָ, asmļ֧jmp)
+ bpx,bpd(,ֹúϵ);
+ opentrace(򿪸)
+ setoption(ò˵)
+ GAPI(жַָAPI)
+ READSTR(ַָСַ)
+ ֧16λĴ(ax,bx...)
+ findȫ,ֱֱ֧ڴԼַ,֧Χ
+ findopȫ,ֱֱ֧ڴ,֧Χ
+ findcmd();
* ༭ܴ50
* var BUG  
* GN,ԱGAPI
* GCMT (лVOLX BUG)
* ASM밴ģʽ,ODദͬ(лliuyilin BUG)
* һЩڲBug

v1.51 
*  ڲ(getFLTOperatorPos)شBUG(лFLY,xxxx BUG)

v1.50 release
* anõapi
* len
* һЩСĴ
+ ڽű˫

V1.49
# MSG,MSGYNϢ򵯳ع0.92ģʽ
# NEG,NOT,ROL,ROR
# (ڲGetBYTEOpValue)
+ űде괦˵(F4)
+ GMIDATABASE,RESBASE,RESSIZEĲ
+ MUL,DIV
* ػ׼ȷ
* MOV 
* exec/endeͷڴ
* һЩС
* asmָеĴ
* exec/endeеĴ(script_pos,endeִ)

v1.48beta (2006-5-20)
# MUL,DIV
# űде괦˵(F4)
# ػ
# ʵһЩԤж,ֹûɱ
* BPWM
* һЩַ
* һЩ(CreateOperands==)
* ̫С,OD.
- һ汾δĺȥ(LogRegNr,Process)

3. ĵ
----------------
汾Уű(tElock098.osc  UPX.osc) 
űѸҵӦǵڡ


3.1 
------------
OllyScriptűһԡʹODbgScriptͽű.

ںĵ, Դ  ĿĲʾº:
- ʮƳûǰ׺Ҳûк׺ (磺00FF,  0x00FF  00FFhʽ)
  ʮƳ,ں׺мӵ. (:100. 128. ҲǸ128.56,ֻܱС2λ)
- ʹǰVarж
- 32λĴ (EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP)
  16λĴ (AX, BX, CX, DX, SI, DI, BP, SP)
  8λļĴ(AL, AH, ... DL, DH)
- ڴַ (磺[401000] ָڴַΪ401000ŷ, 
  [ecx] ָڴַΪĴecxŷ).
- һ־λи̾ǰ׺(!CF, !PF, !AF, !ZF, !SF, !DF, !OF)
- ַҲɽСʽΪ #6A0000# (ֵ#֮)#֮һֵ
                                  "1234567ABCDEF"
- ?ַͨ #6A??00#  #6?0000#

3.1.1 
------------------------

$RESULT
-------
<RESULT>
ĳЩķֵFINDкĽȵȡ
ODbgScriptĽűԴ,ܹ۲쵽ı仯,ҿ޸.


$VERSION
--------
<VERSION>
ODBGScriptİ汾Ϣ,ϵͳ.

cmp $VERSION, "1.47"  //ȽǷ 1.47
ja version_above_147  


3.1.2 ָ
----------------------------------------------

#INC "ļ"  
---------

һűļһű.ӳһ.űеıͬ.
:
#inc "test.txt"     


#LOG
---------
ʼ¼ָ
ָʾOllyDbglogУÿ¼ǰϡ-->ǰ׺

#log


ADD ĿĲ,Դ
---------
<ADD>
ԴĿĲӣӵĽ浽ĿĲ,ַ֧.
 
add x, 0F          // x=x+F
add eax, x         //eax=eax+x
add [401000], 5    //[401000]=[401000]+5

add x,16.50        //x=x+16.50
(ַ)
add y, " times"    // ڴ֮ǰy="1000" ִָ֮y="1000 times"


AI
------------
<Animate Into>
OllyDbgִСԶ롱 [Animate into]
൱OllyDbgаCTRL+F7

ai

ALLOC С
----------
ڴ, ܶ/д/ִ.

  alloc 1000          //ڴ,СΪ1000,ؽ$RESULTڴĿʼַ.
  free $RESULT, 1000

AN ַ
-------
<ANalyze>
ַָԴз

an eip //   ൱OllyDbgа Ctrl+A


AND ĿĲ, Դ
-------------
<AND>
ԴĿĲ߼浽ĿĲС
 
and x, 0F                  //x=x&&f
and eax, x                 //eax=eax&&x
and [401000], 5            //[401000]=[401000]&&5


AO
--
<Animate Over>
OllyDbgִСԶ [Animate over]
൱OllyDbgаCTRL+F8

ao

ASK 
------------
<ASK>
ʾһʾû룬$RESULTУûȡ$RESULT=0
$RESULT_1зĳ.
(ע:жַ,$RESULT_1ĽַĿ,/2,*2)
:
ask "Enter new EIP"
cmp $RESULT, 0
je cancel_pressed
mov eip, $RESULT


ASM ַ, ָ
-----------------
<ASseMble>
޸ַָָ
޸ĺĻָȱ浽$RESULT

asm eip, "mov eax, ecx" //ǰָ޸Ϊ mov eax,ecx

ASMTXT ļ 
-----------------
<ASseMble>
ָļеָ
ָȱ浽$RESULT
ָ浽$RESULT_1

asmtxt EIP,"myasm.txt" //myasm.txtļеasmתopcodeдEIP.


ATOI str [, base=16.]
-----------------
תַ16,[Խκνת16]
ؽŵ $RESULT 

	atoi "F"         //ַ"F"ת,F
	atoi "10", 10.   //ַ"10"ʮ,A

BC ַ
-------
<BreakPoint Clear>
ַָĶϵ㡣

bc 401000          //401000Ķϵ
bc x               //X(ֵ)Ķϵ
bc eip             //ǰEIPĶϵ

BP addr
--------
<BreakPoint>
ַָϵ

bp 401000          //401000¶ϵ
bp x               //X(ֵ)¶ϵ 
bp eip             //ڵǰEIP¶ϵ

BPCND ַ, 
----------------
<BreakPoint on CoNDition>
ַָϵ㡣

bpcnd 401000, "ECX==1" // ִе401000 ecx1 ʱͣ

BPD ַ
---------------
úϵ,Ϊַʾ.
:
bpd "GetVersion"   //ȡGetVersionĶϵ


BPHWC ַ
----------
<BreakPoint HardWare Clear>
ɾַָӲϵ㡣

bphwc 401000 // 401000Ķϵ


BPHWCALL
-----------
еӲϵ

BPHWCALL     //еӲϵ


BPHWS ַ, ģʽ
----------------
<BreakPoint HardWare Set>
ַָӲϵ㡣ģʽ "r" - ȡ, "w" - д  "x" - ִ.
˶ϵֻ֧1ֽڵĶ.

bphws 401000, "x" //ִе˵ַʱж.
Bphws 401000,"r"  //ȡ401000ʱж


BPL ַ, ʽ
--------------
<BreakPoint of Logging>
ַָü¼ϵ㣬ʽĽ¼¼С

bpl 401000, "eax" // ÿִе401000ʱeaxĴĽ¼


BPLCND ַ, ʽ, 
-----------------------
<BreakPoint of Logging on CoNDition>
ַָü¼ϵ㣬ΪʱʽĽ¼¼С

bplcnd 401000, "eax", "eax > 1" // ִе401000ʱeax>1eaxĴĽ¼


BPMC
----
<BreakPoint Memory Clear>
ڴϵ㡣

bpmc


BPRM ַ, С
---------------
<BreakPoint on Read Memory>
ַָһڴȡϵ㡣 С ָڴеֽڴС

bprm 401000, FF  //401000ڴϵ,ڴеĴСΪFF


BPWM ַ, С
---------------
<BreakPoint on Write Memory>
ַָһڴдϵ㡣С ָڴеֽڴС

bpwm 401000, FF   //401000ڴдϵ,ڴеĴСΪFF


BPX ַ
---------------
õúϵ,Ϊַʾ.
˶ϵĵַ,ڱ$RESULT.
:
bpx "GetVersion"   //ºGetVersionϵ,µΪ call [xxxxx]

BUF var
-------
תַstring/dword variable to a Buffer
Example: 
	mov s, "123"
	buf s
	log s // output "#313233#"

CMP ĿĲ, Դ
-------------
<CoMPare>
Ƚ ĿĲԴĴСӦĻָͬ
Ǹֵ,ַ(ԴС).
 
cmp y, x          //Ƚ(YX)ĴС,
cmp eip, 401000   //ȽEIP401000ĴС

CMT ַ, ַ
--------------
<CoMmenT>
ַָע͡

cmt eip, "" //ǰַ ϡڡע

COB
---
<Continue On Breakpoint>
жϺýűִУƳEOBָ

COB

COE
---
<Continue On Exception>ƳEOEָ
쳣ýűִ

COE

DBH
---
<DeBugger Hided> 
ص

dbh

DBS
---
<DeBugger Show>
صĵлָء

dbs

DEC 
-------
<DECrement by 1>
Աмһ

dec v            //V=V-1


DIV ĿĲ, Դ
-------------
<div>
ԴĿĲг浽ĿĲС
 
div x, 0F        //X=X/0F
div eax, x       //eax=eax/x
div [401000], 5  //[401000]/5


DM ַ, С, ļ
-------------------
<Dump Memory>
ַָʼڴȡָСݣ浽ָļ

dm 401000, 1F, "c:\dump.bin"

DMA ַ, С, ļ
-------------------
<Dump Memory Appended>
ַָʼڴȡָСݣ浽ָļУ
ָļѴڣ׷ӵָļβ

dma 401000, 1F, "c:\dump.bin"

DPE ļ, 
----------------
<Dump Process with Entry point>
ȡִģ鵽ָļС
ڡ趨ڵַ
ץȡļ,ǱȽϺõ,ΪֱODǿڴ.

dpe "c:\test.exe", eip //ΪǰַΪCtest.exe

EOB ǩ
---------
<Execution On Breakpoint>
´жϷʱתָǩ
˹ܺEOEԻ󲻽,ʵжűת.
в,뿴ĵĴɽ½.

eob SOME_LABEL

EOE ǩ
---------
<Execution On Exception>
´쳣ʱתָǩ

eoe SOME_LABEL

ESTI
----
<Exception STep Into>
൱OllyDbg SHIFT-F7

esti

ESTO
----
<Exception STep  cOntinue>
൱OllyDbg SHIFT-F9

esto


EVAL 
----
<EVALuate>
㺬ıʽ
Ѿڽű
ע:嵽ַʱҪڴ{ }С
ڱ$RESULT.
Ͻܶı仯,úĽűʮ.

var x
mov x, 1000
eval "xֵ { x }" // ִк$RESULTΪ "xֵ00001000"


EXEC/ENDE
---------
<EXECute/END of Execute>
ԵǰԽִ̣EXECENDEָ֮
ֱ,Խֱ̽ӿ.
ԭȡǰ̵Ϣб,Ȼ·һڴ(ɶ/д/ִ.С1000)
ODĻתOPcode,OPcode,ȻEIPָĴ뿪ͷ.
Ȼ󽫿Ȩ.ִEIP黹ԭλ,Ȼ󽫿ȨODbgScript.
ĺôԺܸߵЧڽĽűҪЧĲ.
!ע:ڽ̿Ȩ,ô,ĴЧԽֻԼ.
!ע:ִк󲻱ֳ.ⶼҪ.(Ҫֳ,ʹpushad,popad)
дŵģᱻеıֵ

// ƶ
var x
var y
mov x, "eax"
mov y, "0DEADBEEF"
exec
mov {x},{y}     // ¿Ĵȥ,mov eax,0DEADBEEF ִ
mov ecx, {x}    //mov ecx, eax ִ
ende
// ǵõԳExitProcess
exec
push 0
call ExitProcess
ende
ret

FILL addr,len,value
-------------------------
ӵַaddrʼ䳤Ϊlenֵvalue
!ע:valueֵ8ֽ,ΪĴֵ,־λֵ,ֵ,16ֵ,10ֵ,[]ָ.
:
fill	401000,10,90	        //NOP 10hֽ
fill 401000,ff,[eax]        //ȡ[eax]ֵ,䵽401000,Ϊff
fill 401000,ff,$RESULT     //$RESULTֵ䵽401000,Ϊff

FIND ַ,  ,[С]
---------------
<FIND>
ַָʼڴвָݡ
ҳɹַᱣ浽$RESULTУ$RESULT 0
ҵĴ֧ͨ??()
##еΪHEX,""еΪַ,ʲôΪڴ
!ע:16ַǳż
    1.52濪ʼֱ֧ӱݲ.

find eip, #6A00E8# // һCallĵһΪ0 (push 0)
find eip, #6A??E8# // һCall,һ?һַ
find eip,"kernel32.dll"  //ַ"kernel32.dll"
find eip,"ker???32.d??"  //Ҵͨ?ַ,һ?һַ
                           (עͨ?HEXе?ͬ)

find eip,15ff      //ڴ15ff(Ϊff115)
(mov tmp,#ff15#
 find eip,tmp )    //ұtmpеֵ,tmp=ff15
(mov tmp,"kernel32.dll"
find eip,tmp  )    //ұtmpеַ"kernel32.dll"
(mov tmp,15ff
 find eip,tmp      //ұtmpеڴ15ff(ע#ff15#)
(ask "Ҫ"
find eip,$RESULT       //Ϊ#ff15#,"Kernel32.dll",15ffͬ

find eip,#ff15#,ff  //EIPʼ,FFСΧ,ַff15,


FINDCMD ַ, 
-----------------
<FIND command>
ַָʼָһ 
ҳɹַᱣ浽$RESULTУ$RESULT 0

findcmd 401000, "push eax" // find "push eax"


FINDCMDS ַ, 
-----------------
<FIND command>
ַָʼָС 
ҳɹַᱣ浽$RESULTУ$RESULT 0
ע:зָʹ;(ֺ).


findcmds 401000, "push eax;mov eax,edx" //     Ѱ"push eaxmov eax,edx"


FINDOP ַ, ,[ҷΧ]
-----------------
<FIND OPcode>
ַָʼָһָָָΪʼġ 
ҳɹַᱣ浽$RESULTУ$RESULT 0
ҵĴ֧ͨ??()
ע:findopopcode,ַ֧.
     findopfindfindopҵıopcode.
	 1.52ֱ֧ӱڴ

findop 401000, #61# // find next POPAD
findop 401000, #6A??# // find next PUSH of something
ע
ԱһFIND FINDOP
ַ                           
00401007      B8 3300          MOV     EAX, 33
0040100C      33F6             XOR     ESI, ESI
find 401007,  #33#    //$RESULT401008
findop 401007, #33#   //$RESULT40100C


FINDMEM what [, StartAddr]
--------------------------
ڴ濪ʼڴвָ
ҳɹַᱣ浽$RESULTУ$RESULT 0
ҵĴ֧ͨ??()
Example:
	findmem #6A00E8# // find a PUSH 0 followed by some kind of call
	findmem #6A00E8#, 00400000 // search it after address 00400000
	
FREE
FREE ַ С
-----------
ͷALLOCڴ.
Example:
 alloc 1000
 free $RESULT, 1000

GAPI
GAPI ַ
------------
ָ봦APIϢ
APIϢ浽$RESULTС
һAPI
$RESULTAPIϢ
$RESULT_1ӿ kernal32
$RESULT_2 ExitProcess
$RESULT_3õַXXXX( call xxxxx)
ע:GNGNָIATַ
     GAPIֱӸַͿɵóAPI
     ڴ˴ϵ,ϵô˾,Ϊϵ޸˴ΪCC
	 ˴ϵ,䲻ܺܺõʶ.

GAPI 401000   (call kernal32.ExitProcess)
GAPI EIP   //鿴ǰǷAPI,򷵻0

 
GCMT addr
---------
ַָĽ

GCI addr, info
--------------
ƶַĻָϢ
"info" can be :
	- ַָ (like OPCODE)
	- Ŀַ of jump/call/return
	- ȣOPCODE
	- TYPE for asm command string (one of C_xxx, see OllyDbg Plugin API)


GMEMI addr, info
----------------
ַָڴϢ.
Ϣ MEMORYBASE, MEMORYSIZE or MEMORYOWNER
Example:
	GMEMI addr, MEMORYBASE // After this $RESULT is the address to the memory base of the memory block to which addr belongs

GMI ַ, Ϣ
--------------
<Get Module Info>
ַָģϢ
Ϣ
  MODULEBASE:   ģַ(base address of module in the memory space of debugged process)
  MODULESIZE:   ģС(total size occupied by module, not necessarily contiguous memory)
  CODEBASE:     λַ
  CODESIZE:     δС(size of executable code, as stays in COFF header. In some cases, OllyDbg may correct definitely invalid code size)
  DATABASE:     ݶλַ
  RESBASE:      Դλַ
  RESSIZE:      ԴδС
  IDATATABLE:   ַ(base address of import data table, as stays in COFF header)
  entry:        ģ(ddress of module's entry point, as stays in COFF header)
  nsect:        Ŀ(Number of sections in the module)
(ڽİ汾УøϢϵ)
Ϣᱣ浽$RESULT (ûҵϢ$RESULT0).

GMI eip, CODEBASE // ִָк$RESULTڵǰģĴλַ
	

GN ַ
-------
<Get Name>
ָIATַķָAPI
浽$RESULTС
һAPI
$RESULTǷ
$RESULT_1ӿ kernal32
$RESULT_2 ExitProcess

gn 450100

GO ַ
-------
<GO>
ִеַָ 

go 401005

GPA , ̬ӿ
-------------
<Get Procedure  Address>
ָĶ̬ӿУָĵַ
ҳɹַᱣ浽$RESULTУ$RESULT 0
APIϵʱָǳЧ

gpa "MessageBoxA", "user32.dll" // ִָк$RESULTںMessageBoxAĵַ
ʹ"bp $RESULT"öϵ㡣

GPI key
-------------
ý̵Ϣ.
ϢHPROCESS,PROCESSID,HMAINTHREAD,MAINTHREADID,MAINBASE,PROCESSNAME,EXEFILENAME,CURRENTDIR,SYSTEMDIR

GPP key
--------------
finds the number and types of the API's parameters

HANDLE x, y, class
---------------------
ָ(16)Ӵָľ


INC 
-------
<INCrement by 1>
Աмһ

inc v

ITOA n [, base=16.]
-----------------
תһַ
 $RESULT 
Example:
	itoa F
	itoa 10., 10.
	
JA ǩ
--------
<Jump if Above>
cmpʹ. ӦĻָͬ.

ja SOME_LABEL

JAE ǩ
---------
<jump if Above or Equal>
cmp. ӦĻָͬ.

jae SOME_LABEL

JB ǩ
--------
<Jump if Below>
cmpʹ.  ӦĻָͬ.

jb SOME_LABEL

JBE ǩ
---------
<Jump if Below or Equal>
cmpʹáӦĻָͬ.

jbe SOME_LABEL

JE ǩ
--------
<Jump if Equal>
cmpʹ.  ӦĻָͬ.

je SOME_LABEL

JMP ǩ
---------
<JuMP>
תָǩ.

jmp SOME_LABEL

JNE ǩ
---------
<Jump if Not Equal>
cmpʹ.  ӦĻָͬ.

jne SOME_LABEL

KEY vkcode [, shift [, ctrl]]
--------------------------
水¼.
Example:
	key 20
	key 20, 1 //Shift+space
	key 20, 0, 1 //Ctrl+space
	
LBL ַ, ַ
--------------
<LaBel Insert>
ַָһǩ

lbl eip, "NiceJump"

LC
----
LOG

LCLR
----
Script Log

LEN str
--------------
ַ,$RESULT
Example:
	len "NiceJump"
	msg $RESULT
	
LM addr, size, filename
-------
Dmļڴ
Example:
  lm 0x401000, 0x100, "test.bin"
  
LOG Դ
-------
<log>
ԴOllyDbgļ¼[log window]С
Դ һַԭ¼
Դ һһĴ¼Ƽŵֵ

log "Hello world" // ¼Ϊ "Hello world"
var x
mov x, 10
log x // ¼Ϊ "x = 00000010" 

MOV ĿĲ, Դ,ֽ
-------------
<MOV>
ԴƶĿĲС
Դһʮиʽ#ĳʮ#磺#1234#
ѣʮеλֻż2, 4, 6, 8ȵȡ
 
mov x, 0F                         //Fx
mov y, "Hello world"              //ַ"Hello world"y
mov eax, ecx                      //ͬ
mov [ecx], #00DEAD00BEEF00#       //##ڵݴecxĵַ
mov !CF, 1                        //ֵ!CF־ĴΪ1
mov !DF, !PF                      //!PFֵ!DF
mov [403000], "Hello world"       //ֱӽַ"Hello world"͵403000ĵַ
mov eax,[401000],1                //ֻȡ401000ַеһֽڳȵݴ͵eax(¹)

MSG Ϣ
-----------
<MeSsaGe>
ָϢʾһԻС

MSG "űͣ"

MSGYN message
-----------
<MeSsaGe Yes or No>
ָϢʾһԻУԻСǡ񡱰ť
㡰ǡ $RESULT 1$RESULT0 

MSGYN ""


MUL ĿĲ, Դ
-------------
<mul>
ԴĿĲг˷浽ĿĲС
 
mul x, 0F
mul eax, x
mul [401000], 5

NEG 
-------------
<NEG>
ȡ浽С
 
NEG x, 0F
NEG eax
NEG [401000]

NOT 
-------------
<NOT>
߼ǲ浽С
 
NOT x, 0F
NOT eax
NOT [401000]


OPCODE addr
-----------
ַָĴ.
$RESULTopcode
$RESULT_1ǻ
$RESULT_2ֽ
opcode,$RESULT_20
Example: 
	opcode 00401000

opentrace
------------
иٹ,رʹTC


OR ĿĲ, Դ
-------------
<OR>
ԴĿĲ߼浽ĿĲС
 
or x, 0F
or eax, x
or [401000], 5

PAUSE
-----
<PAUSE>
ͣűСͨ˵ָűС

pause


PREOP addr
----------
ַָĻ
ע: ʵķӳEIPǰİjmp
Example:
	preop eip


READSTR addr,maxsize
-----------
addrָСַ
Example:
    readstr 401000,15

REF addr
--------
൱OllyDbg Ctrl R.
$RESULT variable is set to the first reference addr 
$RESULT_1 to the opcode (text asm command) 
$RESULT_2 to the comment (like reference window). 
Repeat "REF addr" until $RESULT=0 to get next refs
Example:
	continue:
		REF eip
		log $RESULT
		log $RESULT_1
		log $RESULT_2
	cmp $RESULT,0
	jne continue
	

REPL addr, find, repl, len
--------------------------
REPL ַ, ַ, 滻ַ, 
--------------------------
<REPLace>
ַָʼָȵֽڷΧڣá滻ַ滻ַ
ʹͨ

repl eip, #6a00#, #6b00#, 10
repl eip, #??00#, #??01#, 10
repl 401000, #41#, #90#, 1F

REset
---------------------------



RET
---
<RETurn>
˳ű

ret

REV
---
ֽڷת.(עֽڷת,λת)
Example:
rev 01020304	//$RESULT = 04030201

ROL ĿĲ, n
-------------
ѭĿĲnλ浽ĿĲС

mov x, 00000010
ROL x, 8 // x is now 00001000


ROR ĿĲ, n
-------------
ѭĿĲnλ浽ĿĲС

mov x, 00000010
ROR x, 8 


RTR
---
<Run To Return>
ִе
൱OllyDbgִ "Run to return" [Ctrl+F9]

rtr

	
RTU
---
<Run To User code>
صû
൱OllyDbgִ "Run to user code"[Alt+F9] 

rtu


RUN
---
<RUN>
OD
൱OllyDbgа F9

run

SCMP dest, src
-------------
ַȽ. 
Example: 
	scmp x, "KERNEL32.DLL"
	scmp [eax], "Hello World"
	
SCMPI dest, src
-------------
ַȽ(Сд)
Example: 
	scmpi sVar, "KERNEL32.DLL"
	scmpi [eax], "Hello World"

SETOPTION
-------------
(Option)˵,úúȷִнű
ע:ѡΪ˿ִнűĹпԵ쳣,ٵȵ
	

SHL ĿĲ, n
-------------
ĿĲnλ浽ĿĲС

mov x, 00000010
shl x, 8 // x is now 00001000

SHR ĿĲ, n
-------------
<SHift Right>
ĿĲ,n λ浽ĿĲС

mov x, 00001000
shr x, 8 // x is now 00000010

STI
---
<STep Into>
൱OllyDbgа F7롣

sti

STO
---
<STep Over>
൱OllyDbgа F8

sto


SUB dest, src
-------------
ԴݼĿ
Example: 
sub x, 0F
sub eax, x
sub [401000], 5


TC
--
൱OllyDbg "رи"
Example:
	tc

TI
--
൱OllyDbgа CTRL-F7١
Example:
	ti
	
TICND cond
----------
<Trace Into Condition>
ִ "Trace into" ֱΪʱֹͣ

ticnd "eip > 40100A" //  eip > 40100A ʱֹͣ


TICK [var [,reftime]]
-------------------
Ųʱ(microsec)
2αóΪʱ
Example:
	tick time
	msg time		//time since script startup
	tick time,time	
	msg $RESULT		//time since last TICK, DWORD value

TO
--
<Trace Over>
൱OllyDbgִ "Trace over" 

to

TOCND cond
----------
<Trace Over Condition>
ִ "Trace over" ֱΪʱֹͣ
:
tocnd "eip > 40100A" //  eip > 40100A ʱֹͣ

VAR
---
<VARiable>
ڽűУһ
ڱʹ
ע:ĸϳɵʶı
     +-*/ȵȷòҪڱ,𲻿ԤĴ
	 Ϊ˼ǰϵͳ,벻ҪA,B,C,D,E,FΪ.
 
var tmp

XOR ĿĲ, Դ
-------------
<XOR>
ԴĿĲ浽ĿĲС
 
xor x, 0F
xor eax, x
xor [401000], 5

WRT file, data
-------------
дݸļ ()
Numbers are written as strings... for the moment
Example: 
	wrt "out.txt", "Data:\r\nOk\r\n"
	wrt sFile, ebx

WRTA file, data
-------------
ݵļ(ļβ)
Example: 
	wrta sFile, "hello world\r\n"
	
3.2 ǩ
----------
ǩҪڱǩҪһð.

SOME_LABEL:

3.3 ע
------------
ʹá//κεطע͡
עͱһв /*Ϊʼԡ*/Ϊ*/ҲһС


/*
ע
*/


3.4 ˵
---------
ODBGScript˵漸
- Run script...[нű...]: ûѡһűű
- Abort [ֹ]: ֹű
- Pause [ͣ]: ͣű
- Resume[ָ]: ָű
-űд:̬۲ű
-ű־:¼ű
- About []: ʾ˲Ϣ

3.5 Script Window
-----------------
űODbgScriptõ,Ժ͹۲Ľű.
Ϊűöϵ,Խű,༭ִֹнű

4. ǶĲ
---------------------------------
ĲеOllyScripһű
ʹĴеã

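HMODULE hMod = GetModuleHandle("OllyScript.dll"); // only succeeds if the plugin DLL is already loaded in this process
if(hMod) // plugin DLL found
{
    // resolve the exported entry point that runs a script file
    int (*pFunc)(char*) = (int (*)(char*)) GetProcAddress(hMod, "ExecuteScript");
    if(pFunc) // export found
        pFunc("myscript.txt"); // run the script; its return value is not checked here.
                               // The script is executed inside the debugger, so pass only a path you control.
} // closing brace was missing in the original sample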


5. ѽͺͼ
--------------------------------------
ʹ,һЩȽʹ,ｫвֵĽ.

Q:ΪʲôʹһЩű,var ->x1ҪҵOD?
A:ĸϳɵʶı
  +-*/?>ȵȷòҪڱ,𲻿ԤĴ
  Ϊ˼ǰϵͳ,벻ҪA,B,C,D,E,FΪ(ϵͳ׺16abcdef).

Q:ܽȡ[401000]еһֽô??  
A:mov汾й˾޴,ǰİ汾˵
  (size),Ҳ޶ֵֽ.Դڴȡֵ.

Q:EOB,EOEҳ,Լʹϸо,ܽô???
A:eob,eoeжϻ쳣ת,űִежϻ쳣,ָű
  תԼ趨ıǩ,ҪΪ˽̵ת.б汾ź,תӦ
  ǩű.  
  ODBGscriptƵԭ,úeob,eoeתrun.ǳ
  ߼е෴,ǳϲƳΪrun趨eob,eoe.ʵҲ,
  Ҫתĵطýűȥ趨,㴥ȥѰҪıǩ.

Q:ĳЩ,ҪֱODִԼϣĴ,ôʵ??
A:űܵ,ҪԼдһЩִ,ô,ǿѰһЩհ״,
  mov addr,#xxxxxxxxxxxx#ԼĴӦĵַ,ټ¼ǰ
  EIP,Ȼmov eip,addr,ҲǽתԼĴ봦,ִԼĴϺ,
  EIPĻԭĵַ, סֳ,µODֱִĴ,ôΪ
  븺.ODbgscript㱣ֳ.
  
Q:find,findop,findmemûʲô,ܸô???
A:䶼ڴѰ,ͬ.
  findҵӦƥϵĵַ
  findopҪѰҵOPCODEƥĵַ,ҲҵĵַOPCODEƥ䴦.
        Ѱҷʽfindȫͬ,ȽһСһСڵĽתΪopcode,Ȼ
		ƥ.findܺܺüָ.
  findmemѰҵָĽڵַƥĹϵ..dataڴ

Q:evalʲô˼?
A:evalǼ㺬ıʽ,Ѿڽű
      嵽ַʱҪڴ{ },ڱ$RESULT.
      Ͻܶı仯,úĽűʮ.
      ൱ڱ仯˱ı.ú,
	  Ľűı仯.
	  ڵĿǳ˶̬,ú,㽫.

Q:GAPIGNʲô??
A:GAPI봦APIϢ
  GNǸIATַAPIϢ.


Q:opcdeô
A:֪,ڵĿǳʹö̬,ǶԸ̬
  opcodeַָĴ,opcodeָĴȽ,ô
  εĶס̬̺㷨.

Q:ܵҵĽűô??
A:odbgscript汾ǰollyscript 0.92汾,ֻƾֱдű,
  дűЧʱȽϵ,µODBGscript 汾,һű,ܺܺ
  ļ⵽ű״̬,ִܵĽű,ʹǿĽű
  ܰ,ǵõִڽűа"s",ոǷſýű.
  Ϊűöϵ,Խű,༭ִֹнű

Q:űʲôô,ѿǻԼʲôô???
A:űĺôܸݽű˼·˼·.űĹ
  ܶ,ڵԳѿǻ.
  ѿǻͲϸƶӦİ汾,ű˵򵥵ӻ޸
  ܺܺõӦͬİ汾.Ȼǰʹ.
  ĳ˵,űODظ,,ODǿҲͻӰдʹ
  ODBGscript.

Q:OllyscriptODBGscriptʲô?
A:OllyscriptSHagBCд,ODBGscriptԭ汾,04ֹͣ
  ,Ծ͵ODBGscript.ODBGscriptOllyscriptĻϽ˴ģ
  Ϻ϶˴ȵչ.֪,ODBGscript
  ôȶǿ,ڴBUGָϣĹ.


6. ϵ
-------------
̳ύ(bbs.pediy.com)
ȻҲֱдŸңҵǣhnhuqiong@126.com

7. Դ
--------------------------
Epsylon3δODBGScriptĺ,汾Ϊ˿ѩ(pediy)򰮺
һ֦汾ȥ,ڱػͱؼ֧źͺз.
޸Դ,ĵͰȨԻУעҵ֡
Ḷ́ģʹ˵Ĵ롣Ҳ֪ͨңһһµġ


8. л
----------
From
OllyScript plugin v0.92 by SHaG
ODBGScript plugin v1.47 by Epsylon3
ύBugдűԼṩѣұʾл
лR@dierṩDump档
ȻرҪлOllyĵ
оbbs.pediy.comϸλ


