-------------------------------
Ollyűv0.92  SHaG
ĵ:ZMWorm[CCG][TT]
E-Mail:TranslationTeam[at]126.Com
20040812ճ
-------------------------------

1.  OllyScript
2. Ŀǰ
2.1 v0.92¸
3. ĵ
3.1 Ը
3.1.1 
3.1.2 ָ
3.2 ǩ
3.3 ע
3.4 ˵
4. ǶĲ
5. ϵ
6. Դ
7. л

------------------------------

1.  OllyScript
-------------------
OllyScript  OllyDbgһҸΪOllyDbgĿǰõĳ򼶵
ɫ֮һĲϵʹûܹΪЧչĹܡ
OllyScript һͨԵĽűOllyDbgԶеĲ
ڵԳʱǽΪҪҵĳؼ㣬òظ 
ͨʹҵĽűͿдһνűʹá [write a script once and for all]

------------------------------

2. Ŀǰ200710գ
----------------------------
v0.92
һڽűͬĴBugлloveboom
GN ָΪ£behaviour updatedݡ
MOV ָԽַдڴ档

v0.91
һӦóͣBug
GNָ
ASMָ$RESULT

v0.9
OllyScriptĿǰѾһˣζų2Gb˵ΪҪһxrayϵͳĿ
ĿҪȥҲٵʱ䣬ԿĲҪˡĶԲˡ

2.1 ¸
---------------
+ µָASK, BPL, BPLCND, COB, COE, EVAL, EXEC/ENDE, GN, TICND, TOCND
+ ڵԽִд
+ ADDEVALִָ֧
+ Ի
+ ¼ϵLogging breakpoints
+ ȥEOBEOEָ
+ 
+ õַ
# ASMָػȣ$RESULT
# ͣʱBug
# JBEָBugϣһתָBug
# OllyScript Ŀǰֻȫ֧OllyDbg v1.10汾һȫݡ

------------------------------

3. ĵ
----------------
汾Уű(tElock098.osc  UPX.osc) 
űѸҵӦǵڡ

3.1 
------------
OllyScriptűһԡ

ںĵ, Դ  ĿĲʾº:
- ʮƳûǰ׺Ҳûк׺ (磺00FF,  0x00FF  00FFhʽ)
- ʹǰVarж
- һ32λĴ (EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP)
  Ŀǰвַ֧32λĴʹSHL/SHR  ANDָǵֵ
- һڴַ (磺[401000] ָڴַΪ401000ŷ, 
[ecx] ָڴַΪĴecxŷ).
- һ־λи̾ǰ׺(!CF, !PF, !AF, !ZF, !SF, !DF, !OF)
- ַҲɽСʽΪ #6A0000# (ֵ#֮)#֮һֵ 
- ?ַͨ #6A??00#  #6?0000#

33.1.1 
------------------------

$RESULT
-------
<RESULT>
ĳЩķֵFINDȵȡ

$VERSION
--------
<VERSION>
OllyScriptİ汾Ϣ

cmp $VERSION, "0.8"  //ȽǷ 0.8
ja version_above_08  

3.1.2 ָ
--------------

#INC "ļ"  
---------
<INClude>
һűļݰһűļ
:
#inc "anotherscript.txt"


#LOG
----
<LOG>
ʼ¼ָ
ָʾOllyDbglogУÿ¼ǰϡ-->ǰ׺

#log

ADD ĿĲ,Դ
-------------
<ADD>
ԴĿĲӣӵĽ浽ĿĲС
 
add x, 0F
add eax, x
add [401000], 5
add y, " times" // ڴ֮ǰy="1000" ִָ֮y="1000 times"

AI
--
<Animate Into>
OllyDbgִСԶ롱 [Animate into]

ai

AN ַ
-------
<ANalyze>
ָԴз

an eip // ൱OllyDbgа Ctrl+A

AND ĿĲ, Դ
-------------
<AND>
ԴĿĲ߼浽ĿĲС
 
and x, 0F
and eax, x
and [401000], 5

ASK 
------------
<ASK>
ʾһʾû룬ת$RESULTУûȡ$RESULT=0
:
ask "Enter new EIP"
cmp $RESULT, 0
je cancel_pressed
mov eip, $RESULT

ASM ַ, ָ
-----------------
<ASseMble>
޸ַָָ
޸ĺĻָȱ浽$RESULT

asm eip, "mov eax, ecx" //ǰָ޸Ϊ mov eax,ecx

AO
--
<Animate Over>
OllyDbgִСԶ [Animate over]

ao
BC ַ
-------
<BreakPoint Clear>
ַָĶϵ㡣

bc 401000
bc x
bc eip

BP addr
--------
<BreakPoint>
ַָϵ

bp 401000
bp x
bp eip

BPCND ַ, 
----------------
<BreakPoint on CoNDition>
ַָϵ㡣

bpcnd 401000, "ECX==1" // ִе401000 ecx1 ʱͣ

BPL ַ, ʽ
--------------
<BreakPoint of Logging>
ַָü¼ϵ㣬ʽĽ¼¼С

bpl 401000, "eax" // ÿִе401000ʱeaxĴĽ¼

BPLCND ַ, ʽ, 
-----------------------
<BreakPoint of Logging on CoNDition>
ַָü¼ϵ㣬ΪʱʽĽ¼¼С

bplcnd 401000, "eax", "eax > 1" // ִе401000ʱeax>1eaxĴĽ¼

BPMC
----
<BreakPoint Memory Clear>
ڴϵ㡣

bpmc

BPHWC ַ
----------
<BreakPoint HardWare Clear>
ɾַָӲϵ㡣

bphwc 401000 // 401000Ķϵ

BPHWS ַ, ģʽ
----------------
<BreakPoint HardWare Set>
ַָӲϵ㡣ģʽ "r" - ȡ, "w" - д  "x" - ִ.

bphws 401000, "x" //ִе˵ַʱж

BPRM ַ, С
---------------
<BreakPoint on Read Memory>
ַָһڴȡϵ㡣 С ָڴеֽڴС

bprm 401000, FF  //һֽ

BPWM ַ, С
---------------
<BreakPoint on Write Memory>
ַָһڴдϵ㡣С ָڴеֽڴС

bpwm 401000, FF

CMP ĿĲ, Դ
-------------
<CoMPare>
Ƚ ĿĲԴĴСӦĻָͬ
 
cmp y, x
cmp eip, 401000

CMT ַ, ַ
--------------
<CoMmenT>
ַָע͡

cmt eip, "" //ǰַ  ڡע

COB
---
<Continue On Breakpoint>
жϺýűִУƳEOBָ

COB

COE
---
<Continue On Exception>
쳣ýűִУƳEOEָ

COE

DBH
---
<DeBugger Hided> 
ص

dbh

DBS
---
<DeBugger Show>
صĵлָء

dbs

DEC 
-------
<DECrement by 1>
Աмһ

dec v

DM ַ, С, ļ
-------------------
<Dump Memory>
ַָʼڴȡָСݣ浽ָļ

dm 401000, 1F, "c:\dump.bin"

DMA ַ, С, ļ
-------------------
<Dump Memory Appended>
ַָʼڴȡָСݣ浽ָļУָļѴڣ׷ӵָļβ

dma 401000, 1F, "c:\dump.bin"

DPE ļ, 
----------------
<Dump Process with Entry point>
ȡִģ鵽ָļС
ڡ趨ڵַ

dpe "c:\test.exe", eip //ΪǰַΪCtest.exe

EOB ǩ
---------
<Execution On Breakpoint>
´жϷʱתָǩ

eob SOME_LABEL

EOE ǩ
---------
<Execution On Exception>
´쳣ʱתָǩ

eoe SOME_LABEL

ESTI
----
<Exception STep Into>
൱OllyDbg SHIFT-F7

esti

ESTO
----
<Exception STep  cOntinue>
൱OllyDbg SHIFT-F9

esto


EVAL
----
<EVALuate>
㺬ıʽ
Ѿڽű嵽ַʱҪô{ }С
ڱ$RESULTSets the reserved $RESULT variable

var x
mov x, 1000
eval "xֵ { x }" // ִк$RESULTΪ "xֵ 00001000"

EXEC/ENDE
---------
<EXECute/END of Execute>
ԵǰԽִ̣EXECENDEָ֮
дŵģᱻеıֵ

// ƶ
var x
var y
mov x, "eax"
mov y, "0DEADBEEF"
exec
mov { x }, { y } // mov eax, 0DEADBEEF ִ
mov ecx, { x } // mov ecx, eax ִ
ende
// ǵõԳExitProcess
exec
push 0
call ExitProcess
ende
ret

FIND ַ, 
---------------
<FIND>
ַָʼڴвָݡ
ҳɹַᱣ浽$RESULTУ$RESULT 0
ҵĴ֧ͨ??()


find eip, #6A00E8# // һCallĵһΪ0 (push 0)
find eip, #6A??E8# // һCall

FINDOP ַ, 
-----------------
<FIND OPcode>
ַָʼָһָָָΪʼġ 
ҳɹַᱣ浽$RESULTУ$RESULT 0
ҵĴ֧ͨ??()

findop 401000, #61# // find next POPAD
findop 401000, #6A??# // find next PUSH of something

ע
ԱһFIND FINDDOP
ַ                           
00401007      B8 3300          MOV     EAX, 33
0040100C      33F6                 XOR     ESI, ESI
find 401007,  #33#    //$RESULT401008
finddop 401007, #33#  //$RESULT40100C

FILL addr,len,value(* ZMWorm©ԼϵģĲãָ)
-------------------------
ӵַaddrʼ䳤Ϊlenֵvalue
:
	fill	401000,10,90	//NOP 10hֽ


GN ַ
-------
<Get Name>
ַָķָAPI
浽$RESULTСһAPI$RESULT_1ӿ kernal32 $RESULT_2 ExitProcess

gn 401000

GPA , ̬ӿ
-------------
<Get Procedure  Address>
ָĶ̬ӿУָĵַ
ҳɹַᱣ浽$RESULTУ$RESULT 0
APIϵʱָǳЧ

gpa "MessageBoxA", "user32.dll" // ִָк$RESULTںMessageBoxAĵַʹ"bp $RESULT"öϵ㡣

GO ַ
-------
<GO>
ִеַָ (൱SoftICEе G )

go 401005

GMI ַ, Ϣ
--------------
<Get Module Info>
ַָģϢ
Ϣģַ[MODULEBASE], ģС[MODULESIZE], λַ[CODEBASE]  δС[CODESIZE] 
(ڽİ汾УøϢϵ)
Ϣᱣ浽$RESULT (ûҵϢ$RESULT0).

GMI eip, CODEBASE // ִָк$RESULTڵǰģĴλַ

INC 
-------
<INCrement by 1>
Աмһ

inc v

JA ǩ
--------
<Jump if Above>
cmpʹ. ӦĻָͬ.

ja SOME_LABEL

JAE ǩ
---------
<jump if Above or Equal>
cmp. ӦĻָͬ.

jae SOME_LABEL

JB ǩ
--------
<Jump if Below>
cmpʹ.  ӦĻָͬ.

jb SOME_LABEL

JBE ǩ
---------
<Jump if Below or Equal>
cmpʹáӦĻָͬ.

jbe SOME_LABEL

JE ǩ
--------
<Jump if Equal>
cmpʹ.  ӦĻָͬ.

je SOME_LABEL

JMP ǩ
---------
<JuMP>
תָǩ.

jmp SOME_LABEL

JNE ǩ
---------
<Jump if Not Equal>
cmpʹ.  ӦĻָͬ.

jne SOME_LABEL

LBL ַ, ַ
--------------
<LaBel Insert>
ַָһǩ

lbl eip, "NiceJump"

LOG Դ
-------
<log>
ԴOllyDbgļ¼[log window]С
Դ һַԭ¼
Դ һһĴ¼Ƽŵֵ

log "Hello world" // ¼Ϊ "Hello world"
var x
mov x, 10
log x // ¼Ϊ "x = 00000010" 

MOV ĿĲ, Դ
-------------
<MOVe>
ԴƶĿĲС
Դһʮиʽ#ĳʮ#磺#1234#
ѣʮеλֻż2, 4, 6, 8ȵȡ
 
mov x, 0F
mov y, "Hello world"
mov eax, ecx
mov [ecx], #00DEAD00BEEF00#
mov !CF, 1
mov !DF, !PF
mov [403000], "Hello world"

MSG Ϣ
-----------
<MeSsaGe>
ָϢʾһԻС

MSG "űͣ"

MSGYN message
-----------
<MeSsaGe Yes or No>
ָϢʾһԻУԻСǡ񡱰ť
㡰ǡ $RESULT 1$RESULT0 

MSGYN ""

OR ĿĲ, Դ
-------------
<OR>
ԴĿĲ߼浽ĿĲС
 
or x, 0F
or eax, x
or [401000], 5

PAUSE
-----
<PAUSE>
ͣűСͨ˵ָűС

pause

REPL addr, find, repl, len
--------------------------
REPL ַ, ַ, 滻ַ, 
--------------------------
<REPLace>
ַָʼָֽڣá滻ַ滻ַ
ʹͨ

repl eip, #6a00#, #6b00#, 10
repl eip, #??00#, #??01#, 10
repl 401000, #41#, #90#, 1F

RET
---
<RETurn>
˳ű

ret

RTR
---
<Run To Return>
൱OllyDbgִ "Run to return" [Ctrl+F9]

rtr

RTU
---
<Run To User code>
൱OllyDbgִ "Run to user code"[Alt+F9] 

rtu

RUN
---
<RUN>
൱OllyDbgа F9

run

SHL ĿĲ, n
-------------
ĿĲnλ浽ĿĲС

mov x, 00000010
shl x, 8 // x is now 00001000

SHRĿĲ, n
-------------
<SHift Right>
ĿĲ,n λ浽ĿĲС

mov x, 00001000
shr x, 8 // x is now 00000010

STI
---
<STep Into>
൱OllyDbgа F7롣

sti

STO
---
<STep Over>
൱OllyDbgа F8

sto


SUB dest, src
-------------
Substracts src from dest and stores result in dest
Example: 
sub x, 0F
sub eax, x
sub [401000], 5

TI
--
<Trace Into>
൱OllyDbgִ "Trace into" 

ti


TICND cond
----------
<Trace Into Condition>
ִ "Trace into" ֱΪʱֹͣ

ticnd "eip > 40100A" //  eip > 40100A ʱֹͣ

TO
--
<Trace Over>
൱OllyDbgִ "Trace over" 

to

TOCND cond
----------
<Trace Over Condition>
ִ "Trace over" ֱΪʱֹͣ
:
tocnd "eip > 40100A" //  eip > 40100A ʱֹͣ

VAR
---
<VARiable>
ڽűУһ
ڱʹ
 
var x

XOR ĿĲ, Դ
-------------
<XOR>
ԴĿĲ浽ĿĲС
 
xor x, 0F
xor eax, x
xor [401000], 5


3.2 ǩ
----------
ǩҪڱǩҪһð.

SOME_LABEL:


3.3 ע
------------
ʹá//κεطע͡
עͱһв /*Ϊʼԡ*/Ϊ*/ҲһС


/*
ע
*/


3.4 ˵
---------
OllyScript˵漸
- Run script...[нű...]: ûѡһűű
- Abort [ֹ]: ֹű
- Pause [ͣ]: ͣű
- Resume[ָ]: ָű
- About []: ʾ˲Ϣ

------------------------------

4. ǶĲ
---------------------------------
ĲеOllyScripһű
ʹĴеã

HMODULE hMod = GetModuleHandle("OllyScript.dll");
if(hMod) // Ƿ
{ 
// ַ
int (*pFunc)(char*) = (int (*)(char*)) GetProcAddress(hMod, "ExecuteScript");
if(pFunc) // Ƿ
pFunc("myscript.txt"); // ִ
}

------------------------------

5. ϵ
-------------
̳ύ⣬ҲIRC EFnetĸSHaGϢȻҲֱдŸңҵǣshag(at)apsvans.com

------------------------------

6. Դ
--------------------------
һʱ䣬ҴʹõĻҪܸߵķã:Pٺ٣Ц
˵ֻҪҪʹԴ롣
ĵͰȨԻУעҵ֡
Ḷ́ģʹ˵Ĵ롣Ҳ֪ͨңһһµġ
Դʱṩ ҪԴĻ뷢ʼ

------------------------------

7. л
----------
ύBugдűԼṩѣұʾл
лR@dierṩDump档
ȻرҪлOllyĵ