///////////////////////////////////////////////
// Chinese explanation of all OllyScript plugin v0.6 commands
// I only wrote the approximate Chinese meaning of each command, not a full translation.
// Localization: loveboom[DFCG]
// Email: bmd2chen@tom.com
///////////////////////////////////////////////
-------------------------------
OllyScript plugin v0.6 by SHaG
-------------------------------
1. About OllyScript
2. Status
2.1 What's new in v0.6?
3. Documentation
3.1 Language
3.2 Labels
3.3 Comments
3.4 Menus
4. Contact me
5. License
6. Thanks!
------------------------------
1. About OllyScript
-------------------
OllyScript is a plugin for OllyDbg, which is, in my opinion,
the best application-mode debugger out there. One of the best
features of this debugger is the plugin architecture which allows
users to extend its functionality. OllyScript is a plugin
meant to let you automate OllyDbg by writing scripts in an
assembly-like language. Many tasks involve a lot of repetitive
work just to get to some point in the debugged application. By
using my plugin you can write a script once and for all.
------------------------------
2. Status (24 February 2004)
----------------------------
Another release of OllyScript... I think this plugin is getting to the
point when I no longer have any improvement ideas... So either I start
getting suggestions or there will be no new versions... Remember:
shag@apsvans.com or SHaG on EFnet=)
2.1 What's new?
---------------
The internal architecture of the plugin has been totally redone and is now object-oriented
(it's not perfect OO, but bear with it). Because of this rewrite, bugs are
likely to appear. Please report them to me ASAP!
Bugs with script processing are fixed, parts of the code are redone, etc.
+ New commands:
BPCND, BC, BPMC, JA, JB, JAE, JBE, AI, AO, TI, TO
+ Conditional breakpoints
+ Breakpoint clearing (even memory)
+ Tracing and animation
+ More jumps
+ Stepping through script supported
# BP behaviour fixed (it now SETS a breakpoint instead of TOGGLING it).
# Bugs in script processing fixed (thanks s0nkite).
# LOG now logs things like strings that are referenced by the address,
referenced function addresses etc. Try it, it's cool!
# "Thanks" section of readme updated. =)
------------------------------
3. Documentation
----------------
Two example scripts (tElock098.osc and UPX.osc) are available with this release.
When run, the scripts immediately find the OEP of the packed executable.
3.1 Language
------------
The scripting language of OllyScript is an assembly-like language.
In the document below, src and dest can be (unless stated otherwise):
- Constant in the form of a hex number without prefixes and suffixes (i.e. 00FF, not 0x00FF or 00FFh)
- Variable previously declared by VAR
- A 32-bit register (one of EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP). Non-32-bit registers are not supported at
the moment, but you can use SHL/SHR and AND to get their values.
- A memory reference in square brackets (i.e. [401000] points to the memory at address 401000, [ecx] points to the memory at address ecx).
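Because only 32-bit registers are valid operands, the value of AL, AH or AX has to be masked out of EAX with the script's own AND and SHR commands. The following script is an added example (not part of the OllyScript release) of that technique; the variable names al_val, ah_val and ax_val are my own choice, and the script assumes it is started while the debuggee is paused so that EAX holds a meaningful value.

```ollyscript
// Added example, not from the plugin's readme or example scripts:
// extract AL, AH and AX from EAX using only AND and SHR.
// Hex constants carry no prefix/suffix, as documented above.
var al_val
var ah_val
var ax_val
mov al_val, eax
and al_val, FF          // keep bits 0..7  -> AL
mov ah_val, eax
shr ah_val, 8           // move bits 8..15 down to bits 0..7
and ah_val, FF          // keep them       -> AH
mov ax_val, eax
and ax_val, FFFF        // keep bits 0..15 -> AX
log al_val              // LOG prints a variable as "name = value"
log ah_val
log ax_val
```

For EAX = 12345641 the arithmetic gives al_val = 41, ah_val = 56 and ax_val = 5641. The same mask-and-shift pattern works for any register the language exposes, e.g. CL/CH out of ECX.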
The following commands are available at the moment:
ADD dest, src
-------------
Adds src to dest and stores result in dest
Equivalent to ADD in assembly.
Example:
add x, 0F
add eax, x
add [401000], 5
AI
--
Equivalent to CTRL+F7.
Executes "Animate into" in OllyDbg
Example:
ai
AND dest, src
-------------
Equivalent to AND in assembly.
ANDs src and dest and stores result in dest
Example:
and x, 0F
and eax, x
and [401000], 5
ASM addr, command
-----------------
Assembles at addr; equivalent to the A command in SICE (SoftICE).
Assemble a command at some address
Example:
asm eip, "mov eax, ecx"
AO
--
Equivalent to CTRL+F8.
Executes "Animate over" in OllyDbg
Example:
ao
BC addr
-------
Clears a breakpoint.
Clear unconditional breakpoint at addr.
Example:
bc 401000
bc x
bc eip
BP addr
--------
Sets a breakpoint.
Set unconditional breakpoint at addr.
Example:
bp 401000
bp x
bp eip
BPCND addr, cond
----------------
Sets a conditional breakpoint.
Set breakpoint on address addr with condition cond.
Example:
bpcnd 401000, "ECX==1"
BPMC
----
Clears the memory breakpoint.
Clear memory breakpoint.
Example:
bpmc
BPHWC addr
----------
Deletes a hardware breakpoint.
Delete hardware breakpoint at a specified address
Example:
bphwc 401000
BPHWS addr, mode
----------------
Sets a hardware breakpoint.
Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute.
Example:
bphws 401000, "x"
BPRM addr, size
---------------
Sets a memory breakpoint on read.
Set memory breakpoint on read. Size is size of memory in bytes.
Example:
bprm 401000, FF
BPWM addr, size
---------------
Sets a memory breakpoint on write.
Set memory breakpoint on write. Size is size of memory in bytes.
Example:
bpwm 401000, FF
CMP dest, src
-------------
Compares two values, the same as in assembly.
Compares dest to src. Works like its ASM counterpart.
Example:
cmp y, x
cmp eip, 401000
CMT addr, text
--------------
Writes a comment at addr.
Inserts a comment at the specified address
Example:
cmt eip, "This is the entry point"
EOB label
---------
Executes label after the next breakpoint.
Transfer execution to some label on next breakpoint.
Example:
eob SOME_LABEL
EOE label
---------
Executes label after the next exception.
Transfer execution to some label on next exception.
Example:
eoe SOME_LABEL // Note: the original author wrote this wrong; it originally read "eob some_label"
ESTI
----
Equivalent to SHIFT+F7.
Executes SHIFT-F7 in OllyDbg.
Example:
esti
ESTO
----
Equivalent to SHIFT+F9.
Executes SHIFT-F9 in OllyDbg.
Example:
esto
FINDOP addr, what
-----------------
Finds what starting at addr, somewhat like CTRL+B. When found, the result is stored in $RESULT; $RESULT == 0 means nothing was found.
Searches code starting at addr for an instruction that begins with the specified bytes.
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
Example:
findop 401000, #61# // find next POPAD
GPA proc, lib
-------------
Gets the address of an API function. This is very useful for setting breakpoints on APIs. The result is also placed in $RESULT; if the API address could not be obtained, $RESULT == 0. Once found you can do bp $RESULT.
Gets the address of the specified procedure in the specified library.
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
Useful for setting breakpoints on APIs.
Example:
gpa "MessageBoxA", "user32.dll" // After this $RESULT is the address of MessageBoxA and you can do "bp $RESULT".
GMI addr, info
--------------
Gets module information for addr; info can be MODULEBASE, MODULESIZE, CODEBASE or CODESIZE.
The result is also stored in $RESULT.
Gets information about a module to which the specified address belongs.
"info" can be MODULEBASE, MODULESIZE, CODEBASE or CODESIZE (if you want other info in the future versions plz tell me).
Sets the reserved $RESULT variable (0 if data not found).
Example:
GMI eip, CODEBASE // After this $RESULT is the address to the codebase of the module to which eip belongs
JA label
--------
Equivalent to JA in assembly.
Use this after cmp. Works like its asm counterpart.
Example:
ja SOME_LABEL
JAE label
---------
Equivalent to JAE in assembly.
Use this after cmp. Works like its asm counterpart.
Example:
jae SOME_LABEL
JB label
--------
Equivalent to JB in assembly.
Use this after cmp. Works like its asm counterpart.
Example:
jb SOME_LABEL
JBE label
---------
Equivalent to JBE in assembly.
Use this after cmp. Works like its asm counterpart.
Example:
jbe SOME_LABEL
JE label
--------
Equivalent to JE in assembly.
Use this after cmp. Works like its asm counterpart.
Example:
je SOME_LABEL
JMP label
---------
Equivalent to JMP in assembly.
Unconditionally jump to a label.
Example:
jmp SOME_LABEL
JNE label
---------
Equivalent to JNE in assembly.
Use this after cmp. Works like its asm counterpart.
Example:
jne SOME_LABEL
LBL addr, text
--------------
Inserts a label at addr.
Inserts a label at the specified address
Example:
lbl eip, "NiceJump"
LOG src
-------
Logs src to the log window.
Logs src to OllyDbg log window.
If src is a constant string the string is logged as it is.
If src is a variable or register it's logged with its name.
Example:
log "Hello world" // The string "Hello world" is logged
var x
mov x, 10
log x // The string "x = 00000010" is logged.
MOV dest, src
-------------
Equivalent to MOV in assembly.
Move src to dest.
Src can be a long hex string in the format #<some hex numbers>#, for example #1234#.
Remember that the number of digits in the hex string must be even, i.e. 2, 4, 6, 8 etc.
Example:
mov x, 0F
mov y, "Hello world"
mov eax, ecx
mov [ecx], #00DEAD00BEEF00#
MSG message
-----------
Equivalent to a MessageBox; shows a message.
Display a message box with specified message
Example:
MSG "Script paused"
OR dest, src
-------------
Equivalent to OR in assembly.
ORs src and dest and stores result in dest
Example:
or x, 0F
or eax, x
or [401000], 5
PAUSE
-----
Pauses script execution.
Pauses script execution. Script can be resumed from plugin menu.
Example:
pause
RET
---
Exits the script.
Exits script.
Example:
ret
RTR
---
Equivalent to CTRL+F9.
Executes "Run to return" in OllyDbg
Example:
rtr
RTU
---
Equivalent to ALT+F9.
Executes "Run to user code" in OllyDbg
Example:
rtu
RUN
---
Equivalent to F9.
Executes F9 in OllyDbg
Example:
run
SHL dest, src
-------------
Equivalent to SHL in assembly (shift left).
Shifts dest to the left src times and stores the result in dest.
Example:
mov x, 00000010
shl x, 8 // x is now 00001000
SHR dest, src
-------------
Equivalent to SHR in assembly (shift right).
Shifts dest to the right src times and stores the result in dest.
Example:
mov x, 00001000
shr x, 8 // x is now 00000010
STI
---
F7 in Olly.
Execute F7 in OllyDbg.
Example:
sti
STO
---
Equivalent to F8.
Execute F8 in OllyDbg.
Example:
sto
SUB dest, src
-------------
Subtracts the two numbers and stores the result in dest; equivalent to SUB in assembly.
Subtracts src from dest and stores result in dest
Example:
sub x, 0F
sub eax, x
sub [401000], 5
TI
--
Equivalent to CTRL+F11, trace into.
Executes "Trace into" in OllyDbg
Example:
ti
TO
--
Equivalent to CTRL+F12, trace over.
Executes "Trace over" in OllyDbg
Example:
to
VAR
---
Defines a variable.
Declare a variable to be used in the script.
Must be done before the variable is used.
Example:
var x
XOR dest, src
-------------
Equivalent to XOR in assembly.
XORs src and dest and stores result in dest
Example:
xor x, 0F
xor eax, x
xor [401000], 5
3.2 Labels
----------
Labels are defined by using the label name followed by a colon.
Example:
SOME_LABEL:
3.3 Comments
------------
Comments can be put anywhere and have to start with "//". Block
comments must start with "/*" on a new line and end with "*/"
also on a new line.
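The command reference above, the label syntax in 3.2 and the comment syntax in 3.3 come together in a complete script. The script below is an added example written for this readme; it is not tElock098.osc, UPX.osc or any other script shipped with the plugin. It resolves MessageBoxA with GPA, breaks on it, logs the caller's return address each time, and stops after three hits. It assumes the debuggee is paused with user32.dll already loaded, that $RESULT can be used as a cmp/mov operand in the same way the readme uses it with bp, and that [esp] can be read through MOV like any other memory reference; the labels WAIT, HIT and NOT_FOUND and the variable names are my own.

```ollyscript
/*
Added example script, not one of the release's example scripts.
Breaks each time the debuggee enters MessageBoxA, logs the
caller's return address, and stops after three hits.
Assumes user32.dll is already loaded in the debuggee.
*/
var api        // resolved address of MessageBoxA (VAR before use)
var hits       // how many times the breakpoint has fired
var caller     // return address read from the stack at API entry
mov hits, 0
gpa "MessageBoxA", "user32.dll"
cmp $RESULT, 0
je NOT_FOUND   // $RESULT == 0 means the export was not resolved
mov api, $RESULT
bp api         // unconditional breakpoint on the API entry point
WAIT:
eob HIT        // next breakpoint transfers script execution to HIT
run            // F9: let the debuggee run until the breakpoint fires
HIT:
mov caller, [esp]   // at API entry the return address is on top of the stack
log caller          // LOG prints a variable as "caller = <value>"
add hits, 1
cmp hits, 3
jb WAIT             // fewer than three hits: re-arm EOB and run again
bc api              // clear our breakpoint before leaving
msg "Three MessageBoxA calls logged, script finished"
ret
NOT_FOUND:
msg "MessageBoxA not found - is user32.dll loaded?"
ret
```

EOB only applies to the next breakpoint, which is why the script re-executes it on every pass through WAIT; the hits counter and the jb after cmp give the script a bounded loop, and bc removes the breakpoint so the debuggee is left in the state it was found in.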
3.4 Menus
---------
The main OllyScript menu consists of the following items:
- Run script...: lets the user select a script file and starts it
- Abort: aborts a running script
- Pause: pauses a running script
- Resume: resumes a paused script
- Step: execute one script line
- About: shows information about this plugin
------------------------------
4. Contact me
-------------
To contact me you can post your question in the forum or go on IRC
and message SHaG on EFnet.
------------------------------
5. License
----------
Soon I'm going to armadildo this plugin and charge an awful lot of money
for it! :P Seriously, you are free to use this plugin and the source code however
you see fit. However please name me in your documentation/about box and if
the project you need my code for is on a larger scale please also notify
me - I am curious.
------------------------------
6. Thanks!
----------
I'd like to thank:
- A. Focht and sgdt on OllyDbg users' board for helping me with many explanations and ideas.
- s0nkite for reporting bugs
- britedream, lownoise, FEUERRADER (privet =)) and R@dier for writing such nice scripts!
- And of course Olly, the man who wrote the magnificent debugger!
------------------------------