A Little Help With Ollyscript


Innocent
August 14th, 2004, 19:19
Ok I have been studying some things in Olly and now I want to make an automated script. I know exactly what I want to do but I just don't know how to do it. I have read the entire readme list of functions but I am still stumped. This is what I want to do:

1. I arrive on a line like this: 02563E40 CMP DWORD PTR SS:[EBP-F20],2
I want to change the memory at DWORD PTR SS:[EBP-F20] to 1. In Olly I can easily just right click on the eip and select follow in dump-> memory address and change it by hand. Can I do this with a script?

2. I arrive at a line after some tracing. I want to get the address of the line I am on i.e. 02564127. Once I have this, I want to set a breakpoint so many bytes after this line: 02564127+1400 bytes. The syntax would be something like this I suppose:

declare variables:
var addr
var const
var bpline
mov const, 1400    // make the variable const equal to 1400 bytes (OllyScript numbers are hex)
// 1. get the address of EIP and save it in var addr
mov addr, eip      // addr = current EIP
// 2. add the constant value to the address of EIP
add addr, const    // addr = EIP + 1400
// 3. move the result of the add into variable bpline and set a bp there
mov bpline, addr   // bpline = addr
bp bpline          // breakpoint at EIP + 1400

EDIT: I figured out how to do number 2 but I still don't know how to change the memory in #1.

This is all I need really... Hope someone can help

Ricardo Narvaja
August 14th, 2004, 23:14
var pire

mov pire, ebp
sub pire,0f20
mov [pire],02

Ricardo Narvaja

Ricardo Narvaja
August 14th, 2004, 23:17
var pire

mov pire, ebp
sub pire,0f20
mov [pire],01

Sorry, it is 01.

Ricardo Narvaja

Innocent
August 14th, 2004, 23:49
That's very easy! Why didn't I think of it? hehe
Thanks a lot.

Ricardo Narvaja
August 14th, 2004, 23:59
Ask the author of OllyScript why, if you can write


cmp [ebp-4],2

you cannot write

mov [ebp-4],2

but you can write

mov [ebp],2

What is the obstacle to allowing an operation inside the brackets in a mov, if in a cmp it works perfectly?

Who knows, heh.

Ricardo Narvaja

dELTA
August 15th, 2004, 06:53
Ok guys, let's keep it civil here... English please.

Innocent
August 15th, 2004, 07:12
Heh. Is there a problem with Spanish? I see what you are saying, Ricardo. If the cmp statement works just fine, then why can't we do a mov too? Unfortunately I think the author is pretty busy right now. Also, I wish there was a feature to remove all current breakpoints in the list. When loading one of my targets, Olly sets a hardware breakpoint on the OEP. I have to remove it manually or the unpacking won't work right. (Stupid CC screws it up.)

Another question: can an ollyscript set a bp on an api? I tried to set a bp on FreeLibrary but I got an error.

Ricardo Narvaja
August 15th, 2004, 08:20
GPA proc, lib
-------------
Gets the address of the specified procedure in the specified library.
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
Useful for setting breakpoints on APIs.
Example:
gpa "MessageBoxA", "user32.dll" // After this $RESULT is the address of MessageBoxA and you can do "bp $RESULT".

With this you can set a BP on the APIs, hehe.

Sorry for the mix of languages, it's just that I'm terrible at speaking English, haha.

Ricardo Narvaja

hobferret
August 15th, 2004, 13:56
Ricardo

Don't worry about the mix of languages, Ricardo; I think most of us here understand Spanish.

Your work is well appreciated by all of us!

/hobferret

Ricardo Narvaja
August 15th, 2004, 14:23
Hehe, I think this 30/8 is the end of my ISP connection for non-payment, but various friends have paid for 6 more months of internet, so for this reason you will have to keep tolerating me a little longer, hehe.

Ricardo Narvaja

hobferret
August 15th, 2004, 14:33
Ricardo

This 30/08 are you referring to cracklatinos which has not been updated since then?

/hobferret

Ricardo Narvaja
August 15th, 2004, 15:06
No, 30/8/2004 will be the end of my personal participation. I lost my job and I'm unemployed now, and my ISP cuts my internet connection on 30/8, but a group of friends helped me and paid for 6 more months of internet, so you will have to tolerate me a little longer, hehe.
The crackslatinos page and the crackslatinos list continue, with me or without me; it is only my personal situation.
I will be looking for a job, but I'm online for six more months.

Ricardo Narvaja

SHaG
August 15th, 2004, 17:59
Quote:
[Originally Posted by Innocent]If the cmp statement works just fine then why can't we do a mov too?


If you describe the issue at hand in English I will be happy to fix it for you in the next release.

Innocent
August 15th, 2004, 22:40
Hello SHaG. Heh, Spanish is my second language. Thanks for making ollyscript! It is pretty cool.

I see 2 additions (maybe):
1. I wish there was a feature to remove all current breakpoints in the breakpoint list. When loading one of my targets, olly sets a hardware breakpoint on the oep. I have to remove it manually or the unpacking won't work right. (stupid cc screws it up) I wish I could clear the breakpoint list with a command from the script. (Don't know if you can do this. Maybe just wishful thinking?)


2. I arrive on a line like this: 02563E40 CMP DWORD PTR SS:[EBP-F20],2
I want to change the memory at DWORD PTR SS:[EBP-F20] to 1. In Olly I can easily just right click on the eip and select follow in dump-> memory address and change it by hand.

What Ricardo was saying is that I guess if we do a "cmp [ebp-f20],2" in a script, it will work and return a result. If we try to do a "mov dword ptr ss:[ebp-f20], 1" it gives an error. So that's why I said "If the cmp statement works just fine then why can't we do a mov too?"

The way Ricardo showed me how to do it is this:
var mem
mov mem, ebp     // move ebp into variable mem
sub mem, f20     // subtract f20 from var mem. Now [mem] = dword ptr ss:[ebp-f20]
mov [mem], 1     // now we can change the memory at [ebp-f20] to 1

So it would be a lot easier if we could just do a "mov dword ptr ss:[ebp-f20], 1"

Now if only I knew how to make a loader that does what my ollyscript does...

Thanks again for the awesome plugin!
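Putting the thread's three pieces together, here is an added example script (written for this page, not posted by anyone in the thread) that applies Ricardo's variable-based workaround for the missing "mov [ebp-0f20],1", sets a breakpoint at EIP plus an offset as in the first post, and uses gpa to break on an API as in Ricardo's reply. It assumes the script is started with EIP on the CMP DWORD PTR SS:[EBP-0F20],2 line, that the target is 1400 (hex, since OllyScript numbers are hexadecimal) bytes further on, that the API of interest is FreeLibrary in kernel32.dll, and that the basic OllyScript commands used below (var, mov, add, sub, cmp, bp, bc, gpa, eob, run, log, msg, ret) are available in the reader's version.

```ollyscript
// Added example, not code from the thread.
// Assumes EIP sits on: CMP DWORD PTR SS:[EBP-0F20],2
// All numeric literals are hex (OllyScript convention).
var mem
var check
var bpline
var api

// 1. Write 1 to the dword at [EBP-0F20] through a variable,
//    because "mov [ebp-0f20],1" is rejected by the parser.
mov mem, ebp
sub mem, 0f20         // leading zero so "0f20" is read as a number, not a name
mov [mem], 1          // assumed to write a dword, as the thread's workaround does
mov check, [mem]
log check             // should log 1; confirms the write landed

// 2. Breakpoint 1400 bytes after the current line.
mov bpline, eip
add bpline, 1400
bp bpline

// 3. Breakpoint on an API resolved with gpa ($RESULT == 0 if not found).
gpa "FreeLibrary", "kernel32.dll"
cmp $RESULT, 0
je api_not_found
mov api, $RESULT
bp api

eob on_break
run

on_break:
cmp eip, bpline
je at_offset
// Otherwise the API breakpoint fired: note it and keep going.
log eip
run

at_offset:
bc bpline             // clean up both breakpoints before handing back to the user
bc api
msg "Reached EIP+1400"
ret

api_not_found:
bc bpline
msg "FreeLibrary not found in kernel32.dll"
ret
```

The bc lines exist because the thread's own complaint is stale breakpoints interfering with unpacking; a script that sets breakpoints should also remove the ones it knows about before it exits.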

Ricardo Narvaja
August 16th, 2004, 07:24
Yes, the question is: if you can use

cmp [ebp-0f20],2

in OllyScript, why can you not use

mov [ebp-f20],2

when it is possible to write

mov [ebp],2

The operations are not permitted in a mov but are permitted in a cmp.

Ricardo Narvaja

omega_red
August 16th, 2004, 09:37
Quote:
[Originally Posted by Ricardo Narvaja]Yes, the question is: if you can use

cmp [ebp-0f20],2

in OllyScript, why can you not use

mov [ebp-f20],2

when it is possible to write

mov [ebp],2

The operations are not permitted in a mov but are permitted in a cmp.

Ricardo Narvaja


If I understand correctly, it's all about writing hex numbers.
You cannot use f20, because it would be treated as an identifier. Put an extra 0 in front if the first significant nibble is a letter.

Ricardo Narvaja
August 16th, 2004, 09:43
cmp [ebp-0f20],2

is possible;

mov [ebp-0f20],2

is not possible.

It is not possible to do

[xxxx-yyyy]

adds or subs inside a mov [ ],

but it is possible inside a cmp [ ].

It is not about the zero before f20; if you need

mov [ebp-4],2

that is not possible either.

Ricardo Narvaja