ODbgScript is an extension for the OllyDbg debugger (note to myself: so, Mr. Smartass, there's life beyond SoftICE, heh).
I was always a little bit afraid of using it because I thought it's easier to write a separate application than to code in this weird scripting language.
But today I needed a tool to dump decrypted strings from an application (while it's running). I wanted to start coding a live dumper based on the WinAPI debug functions, but I thought: what the heck, let's try to do it in ODbgScript.
Here’s the result:
```
; declare variables
var string_ptr
var file_name
var file_index
var file_size
var x

; set breakpoint at the instruction where we
; intercept decrypted strings
bp 401020

; initialize file_index variable
mov file_index, 0

; run application after setting the breakpoint
again:
run

; if we're here, it means the application hit the breakpoint
; continue to execute the script after the breakpoint is hit
; (don't stop in OllyDbg)
cob

; pointer to the decrypted string is stored
; at [ebp-14], let's grab it
mov x, ebp
sub x, 14
mov x, [x]
mov string_ptr, x

; strings are null terminated, let's find the
; size so we can dump it (LEN command didn't work
; here, it always returns 0FFh)
find string_ptr, #00#
cmp $RESULT, 0
je skip_file

; calculate string size
mov x, $RESULT
sub x, string_ptr
mov file_size, x

; format file name for the decrypted string, name it using
; the file_index value and .txt extension, eval works almost
; like wsprintf
eval "C:\Test\{file_index}.txt"
mov file_name, $RESULT

; dump memory area to the file
dm string_ptr, file_size, file_name

; log action
eval "{file_index} - VA = {string_ptr}, SIZE = {file_size}"
log $RESULT

; increase index value
inc file_index

skip_file:
; run application again after dumping
jmp again
```
At first it might look confusing, but after playing with it for 5 minutes you will love it, especially if you know how to code in assembler.
And if you make mistakes in the script, don't worry, it has its own built-in debugger, available directly from OllyDbg, so you can spot every mistake you made, trace through the script, modify its variables, etc.
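To make the script's address arithmetic concrete, here is an added Python model (not part of the original post, and not ODbgScript) that replays the same steps over a constructed memory image: read the pointer at [ebp-14h], scan for the terminating zero byte, take the skip_file path when none is found, otherwise compute the size and build the file name and log line. The image base, stack addresses, string contents and the hex formatting of the log values are all assumptions of this example.

```python
import struct

BASE = 0x00400000  # assumed base of the constructed memory snapshot

def build_snapshot():
    """Constructed image: two null-terminated strings, one buffer with no
    terminator before the end of the image, and three stack frames whose
    [ebp-14h] slot points at each buffer in turn."""
    mem = bytearray(0x4000)
    mem[0x3000:0x3009] = b"flag.dll\x00"
    mem[0x3010:0x3016] = b"hello\x00"
    mem[0x3FF0:0x4000] = b"A" * 0x10          # runs to the end, no 00 byte
    frames = []
    for i, target in enumerate((0x403000, 0x403010, 0x403FF0)):
        ebp = 0x402000 + i * 0x40              # constructed frame pointer
        struct.pack_into("<I", mem, ebp - 0x14 - BASE, target)
        frames.append(ebp)
    return mem, frames

def dump_hit(mem, ebp, file_index, out_dir="C:\\Test"):
    """One breakpoint hit: string_ptr = [ebp-14h]; find the first 00 byte
    from string_ptr; None mirrors the script's 'je skip_file' when find
    returns 0; otherwise size = terminator - string_ptr."""
    string_ptr = struct.unpack_from("<I", mem, ebp - 0x14 - BASE)[0]
    start = string_ptr - BASE
    end = mem.find(b"\x00", start)
    if end == -1:
        return None
    size = end - start
    file_name = f"{out_dir}\\{file_index}.txt"    # eval "C:\Test\{file_index}.txt"
    log_line = f"{file_index} - VA = {string_ptr:08X}, SIZE = {size:X}"
    return file_name, log_line, bytes(mem[start:end])

def run_session(mem, frames):
    """Drive the again/run loop: one dump per hit, file_index advances only
    when a string was actually dumped, exactly as in the script."""
    results, file_index = [], 0
    for ebp in frames:
        hit = dump_hit(mem, ebp, file_index)
        if hit is None:
            continue
        results.append(hit)
        file_index += 1
    return results
```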
In other words: viva la ODbgScript!
PS. And don't ask me why I didn't use it before.