PELock Blog » OllyDbg http://www.pelock.com/blog Assembler, software protection, code obfuscation and other crazy stuff. Tue, 30 Nov 2010 02:03:53 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 Really easy scripting with ODbgScript http://www.pelock.com/blog/2007/09/06/really-easy-scripting-with-odbgscript/ http://www.pelock.com/blog/2007/09/06/really-easy-scripting-with-odbgscript/#comments Wed, 05 Sep 2007 23:30:31 +0000 Bartosz http://www.pelock.com/blog/2007/09/06/really-easy-scripting-with-odbgscript/ ODbgScript is an extension for OllyDbg debugger (note to myself: so mr smartass there’s life except SoftICE heh :) ).

I was always a little bit afraid of using it becouse i thought it’s easier to write separate application than to code in this weird scripting language.

But today i need a tool to dump decrypted strings from one application (while it’s running). I wanted to start coding live dumper based on WinApi’s debug functions but i though what the heck, let’s try to do it in ODbgScript.

Here’s the result:

; declare variables
        var     string_ptr
        var     file_name
        var     file_index
        var     file_size
        var     x
 
; set breakpoint at the instruction where we
; intercepts decrypted strings
        bp     401020
 
; initialize file_index variable
        mov     file_index, 0
 
; run application after setting the breakpoint
again:
        run
 
; if we're here, it means application hit the breakpoint
; continue to execute script after breakpoint is hit
; (don't stop in OllyDbg)
        cob
 
; pointer to the encrypted string is stored
; at [ebp-14] let's grab it
        mov     x, ebp
        sub     x, 14
        mov     x, [x]
 
        mov     string_ptr, x
 
; strings are null terminated, let's find its
; size so we can dump it (LEN command didn't work
; here, it always returns 0FFh)
        find    string_ptr, #00#
 
        cmp     $RESULT, 0
        je      skip_file
 
; calculate string size
        mov     x, $RESULT
        sub     x, string_ptr
 
        mov     file_size, x
 
; format file name for decrypted string, name it using
; file_index value and .txt extension, eval works almost
; like wsprintf
        eval    "C:\Test\{file_index}.txt"
        mov     file_name, $RESULT
 
; dump memory area to the file
        dm      string_ptr, file_size, file_name
 
; log action
        eval    "{file_index} - VA = {string_ptr},
                 SIZE = {file_size}"
        log     $RESULT;
 
; increase index value
        inc     file_index
 
skip_file:
 
; run application again after dumping
        jmp     again

At first it might look confusing, but after playing with it for 5 minutes you will love it, especially if you know how to code in assembler.

And if you make mistakes in the script, don’t worry, it has its own, built-in debugger, available directly from OllyDbg so you can spot every mistake you did, trace down the script, modify its variables etc.

In other words viva la ODbgScript :)

PS. And don’t ask me why i didn’t use it before ;)

]]> http://www.pelock.com/blog/2007/09/06/really-easy-scripting-with-odbgscript/feed/ 0 Kaspersky Anti-Virus v6.0.2 vs OllyDbg http://www.pelock.com/blog/2007/06/13/kaspersky-anti-virus-v602-vs-ollydbg/ http://www.pelock.com/blog/2007/06/13/kaspersky-anti-virus-v602-vs-ollydbg/#comments Wed, 13 Jun 2007 11:59:15 +0000 Bartosz http://www.pelock.com/blog/2007/06/13/kaspersky-anti-virus-v602-vs-ollydbg/ I wonder how much time will it take to them to put notepad.exe on their black list (in “Virus writing editor” category)?

OllyDbg Invader

]]> http://www.pelock.com/blog/2007/06/13/kaspersky-anti-virus-v602-vs-ollydbg/feed/ 2