View Full Version : [plugin] OllyScript v0.3


psyCK0
January 19th, 2004, 07:24
A brand new version of the OllyScript plugin is now available for download!
Lots of new commands, bugfixes, many improvements and a fantastic UPX OEP
finder script (find OEP in less than 24 hours! =)) ) are included! Also large parts of the code are redone.
Grab your copy at http://ollyscript.apsvans.com .

Please post suggestions for future improvement here!
<pre>What's new in v0.3?
-------------------
+ New commands:
and, esti, esto, eoe, log, or, shl, shr, xor
+ MOV command now supports registers and memory addresses as source and destination.
It also supports long hex strings in this form: #DEADBEEF1234567890ABCDEF# .
+ Exceptions can now be acted upon like breakpoints were in v0.2.
+ Error handling. Error messages now include code line number,
the bad command and eventually an error description. Line
numbers are not completely accurate when comments are present.
This is to be fixed some other time.
+ New example script: UPX.osc

# JE/JNE no longer show errors when the jump is not taken.
# Open script dialog now sees .osc files.
# You can now use UPPERCASE for commands if you like it better.

- REG command removed. Use MOV instead.</pre>

focht
January 19th, 2004, 10:15
Greetings,

Please post suggestions for future improvement here!

as you wish

1.)

Sample UPX finder script contains an "rmem x, eip" command which isn't understood.
Should probably be "mov x,eip".

2.)

I've seen stdafx.h/cpp files, which means the project was initially set up to use precompiled headers.
When looking at *.cpp files I see windows.h and other headers included each time. This slows down compilation.

I would prefer to use stdafx.h consistently (inclusion in every *.cpp file) dropping the other ones.

StdAfx.h:

#define STRICT
#include <windows.h>
#include <stdio.h>
#include <fcntl.h>
#include <io.h>

// STL stuff
#include <iostream>
#include <fstream>

#include "plugin.h"

3.)

guicon: having a stderr/stdout console is good but I'd like to have a separate native GUI logging window (some edit control).
All output (error, warning, informational) should go there (support copy/paste functionality to quickly save errors).
Show/Hide window via plugin sub menu.
Maybe a separate command line (edit control) can be added to bottom of window (or splitter window) too.

4.)

Introduce a "script directory" property.
Save into ollydbg.ini file section.
Use some plain configuration/options dialog to configure this setting (and possibly other following).
File open dialog should use this directory as initial working dir.

5.)

There are some warning level 4 errors:

- unreferenced arguments
- vars initialized but not referenced
- vars used but not initialized
- unreachable code

6.)

There is a bug when script execution is finished.
If the debuggee terminates (script execution finished by DoRET), gets loaded again and exceptions are propagated through the ollydbg main loop,
DoRET() is executed every time, popping up the "finished" msg box. Very annoying.
You should not make DoRET() rely on "EOB_row==-1" because script end is already reached; use some other flag.

ODBG_Pluginmainloop()
-> OnException(edi.ExceptionRecord.ExceptionCode);

<pre>
bool OnException(DWORD ExceptionCode)
{
    if(EOE_row > -1)
    {
        script_pos = EOE_row;
        return true;
    }
    else
        return DoRET();

    return false;   // never reached: both branches above return
}

-> DoRET()

...
script.clear();
script_pos = 0;
EOB_row = -1;
</pre>

7.)

Some ability to pause/break the script.
If i "pause" in ollydbg the script continues to run.
Some shortcut or menu item to break script execution on next command to process.
"Resume", "reset" would be needed too then.

8.)

ollylang.cpp: would be nice to wrap this thing into some classes before this file becomes too big.
Global variables like string errorstr, string command, args, op1, op2 ... should be avoided...
If your command handlers need to reference args, just supply them. Change function pointer signature to accept an array/set of argument strings.
E.g. typedef bool (*PFCOMMAND)( const std::set< std::string>& args );
Parse the arguments itself before supplying them, regardless of command opcode.
The command function handler itself should then check the number, valid values of supplied args.

9.)

Some files referenced in the vc++ project file don't exist.
Either remove them or update the (relative) path: plugins.hlp, script.txt

10.)

There is a post build event in the debug build, but not in release mode.
It is "copy.bat" (of course not found) -> build error

That's all on quick review.

Regards,

A. Focht
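Points 6 and 8 of the review above describe two design changes: an explicit "finished" state instead of testing EOB_row, and command handlers that receive pre-parsed arguments and validate them themselves. The following is an added example written for this thread, not OllyScript's source: a hypothetical mini interpreter in C++ whose command set (mov, add, sub, eoe taking a row number, ret), Interp struct and function names are all assumptions for illustration. It passes arguments as a std::vector of strings rather than a std::set so that argument order and duplicates survive.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdlib>
#include <iterator>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical mini interpreter (not OllyScript's code). Handlers get pre-parsed
// arguments and validate them; "finished" is an explicit state, so an exception
// arriving after the script ended never re-runs the end-of-script handler.
typedef std::vector<std::string> Args;
struct Interp; typedef bool (*PFCOMMAND)(Interp&, const Args&);
enum State { Idle, Running, Finished };

struct Interp {
    std::map<std::string, uint32_t> vars;   // registers/variables, e.g. "eax"
    std::vector<std::string> script; size_t pos;
    State state;     // Running/Finished replaces the "EOB_row == -1" end test
    int eoe_row;     // row to resume at on an exception, -1 if none (like EOE_row)
    int ret_count;   // how many times the end-of-script handler really ran
    std::string error;
    Interp() : pos(0), state(Idle), eoe_row(-1), ret_count(0) {}
};

// Split "cmd a, b" into a lower-cased command and its argument list.
static bool parseLine(std::string s, std::string& cmd, Args& args) {
    for (size_t i = 0; i < s.size(); ++i) if (s[i] == ',') s[i] = ' ';
    std::istringstream in(s);
    if (!(in >> cmd)) return false;                       // blank line
    for (size_t i = 0; i < cmd.size(); ++i) cmd[i] = (char)std::tolower((unsigned char)cmd[i]);
    args.assign(std::istream_iterator<std::string>(in), std::istream_iterator<std::string>());
    return true;
}

// A value is either a known variable or a hex constant (OllyScript style, no 0x).
static bool parseValue(const Interp& I, const std::string& tok, uint32_t& out) {
    std::map<std::string, uint32_t>::const_iterator it = I.vars.find(tok);
    if (it != I.vars.end()) { out = it->second; return true; }
    char* end = 0;
    out = (uint32_t)std::strtoul(tok.c_str(), &end, 16);
    return !tok.empty() && *end == '\0';                   // whole token must be hex
}

// End-of-script handling, guarded by state rather than by a row index.
static bool doRet(Interp& I) {
    if (I.state != Running) return false;   // already finished: nothing to do again
    I.state = Finished; I.ret_count++;
    I.script.clear(); I.pos = 0; I.eoe_row = -1;
    return true;
}

// Every handler checks its own argument count and values.
static bool cmdMov(Interp& I, const Args& a) {
    uint32_t v;
    if (a.size() != 2 || !parseValue(I, a[1], v)) { I.error = "mov expects dest, value"; return false; }
    I.vars[a[0]] = v; return true;
}
static bool arith(Interp& I, const Args& a, const char* name, int sign) {
    uint32_t v;
    if (a.size() != 2 || !parseValue(I, a[1], v)) { I.error = std::string(name) + " expects dest, value"; return false; }
    I.vars[a[0]] += (sign > 0) ? v : (uint32_t)(0u - v);   // uint32_t wraps: add eax, FFFFFFFC == sub eax, 4
    return true;
}
static bool cmdAdd(Interp& I, const Args& a) { return arith(I, a, "add", +1); }
static bool cmdSub(Interp& I, const Args& a) { return arith(I, a, "sub", -1); }
static bool cmdEoe(Interp& I, const Args& a) {  // eoe <row>: resume at this row on an exception
    uint32_t row;
    if (a.size() != 1 || !parseValue(I, a[0], row)) { I.error = "eoe expects a row"; return false; }
    I.eoe_row = (int)row; return true;
}
static bool cmdRet(Interp& I, const Args& a) {
    if (!a.empty()) { I.error = "ret takes no arguments"; return false; }
    return doRet(I);
}

static PFCOMMAND lookup(const std::string& cmd) {
    static std::map<std::string, PFCOMMAND> table;
    if (table.empty()) { table["mov"] = cmdMov; table["add"] = cmdAdd; table["sub"] = cmdSub;
                         table["eoe"] = cmdEoe; table["ret"] = cmdRet; }
    std::map<std::string, PFCOMMAND>::iterator it = table.find(cmd);
    return it == table.end() ? 0 : it->second;
}

static void load(Interp& I, const std::vector<std::string>& script) {
    I.script = script; I.pos = 0; I.eoe_row = -1; I.error.clear(); I.state = Running;
}

// Execute one line; false on error or when the script is not running.
static bool step(Interp& I) {
    if (I.state != Running) return false;
    if (I.pos >= I.script.size()) return doRet(I);        // ran off the end
    size_t row = I.pos++; std::string cmd; Args args;
    if (!parseLine(I.script[row], cmd, args)) return true; // blank line
    PFCOMMAND fn = lookup(cmd);
    if (fn && fn(I, args)) return true;
    I.error = "line " + std::to_string(row) + ": " + (fn ? I.error : "unknown command " + cmd);
    I.state = Finished; return false;                      // stop and report with the row number
}

// What the debugger's main loop would call on each debuggee exception.
static bool onException(Interp& I, uint32_t /*code*/) {
    if (I.state != Running) return false;   // script finished or never started: ignore
    if (I.eoe_row > -1) { I.pos = (size_t)I.eoe_row; return true; }
    return doRet(I);
}
```

Drive it with load() followed by step() until it returns false, then inspect error and vars. Because doRet() and onException() test the state rather than a row index, exceptions raised after the debuggee is reloaded are simply ignored, and the handler's argument checks produce messages with the line number attached, which is the error-reporting style point 5 of the changelog describes.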

psyCK0
January 19th, 2004, 10:55
Hey!

1. Fixed and reuploaded.
2. Precompiled headers broke down somehow and had to be removed. Queued.
3. guicon is used while debugging only, not in release... However maybe I should
implement some kind of log window or use OllyDbg's. Queued.
4. Queued for v0.4
5. Queued for v0.4
6. Not good at all... There will have to be a v0.31 tomorrow then... =) Maybe you could give me a bit more exact explanation on how to reproduce this?
7. Queued for v0.4
8. As I said before, this is the result of not doing proper design work.
Actually I was thinking of some kind of OO implementation of all this, but
didn't come up with any good-looking object model. Queued.
9. Fixed and reuploaded
10. Fixed and reuploaded

Thanks for the thorough examination of the project! You are like
my quality assurance department. =))

focht
January 19th, 2004, 11:21
Hi again,

2.) Some info on what the problem is?

Hint: sometimes PCH generation/use options get lost.
.cpp file -> context menu "properties" -> "config properties" -> "c++" ->
"precompiled headers" -> "create/use precompiled header"
change to "use precompiled header /Yu" for every .cpp file, except stdafx.cpp.
For stdafx.cpp use "create precompiled header /Yc".

Make sure that every .cpp file has "#include "Stdafx.h" statement as first include.

3.) ok. There exist some lightweight win32 GUI frameworks. ATL/WTL template libraries are best for this

http://www.codeproject.com/wtl/
http://www.codeproject.com/atl/
http://www.codeguru.com/atl/index.shtml

6.)

I simply used a UPX-packed program and started the script (it ran in the background).
At some point the main GUI of the program pops up. I exit the program. Reloaded it.
On load there are some exceptions (ok). This is where the msgbox begins to pop up.

Regards,

A. Focht

psyCK0
January 19th, 2004, 11:55
OK, thanks, I'll check...

Also about UPX script (to all who are interested):
The script exemplifies a concept only. It's quite useless
for actually finding the OEP of a UPX-packed PE because it
would take A LOT of time to do that!

Anonymous
January 22nd, 2004, 22:21
Please include a SUB instruction in the next version. Thanks

psyCK0
January 23rd, 2004, 09:42
Will be done. Until then you can use ADD with a negative number:

add eax, FFFFFFF0

is the same as

sub eax, 10

arz
January 25th, 2004, 06:03
nice plugin thnx,

probably just my stoopidity but I couldn't get the equivalent of
sub eax,4 (add eax,FFFFFFFC) to work.

hope you don't mind but I just added a SUB function to your sources and
recompiled it. nothing special about the func, it's just a copy of your
ADD func (replacing the + with - of course).

psyCK0
January 25th, 2004, 07:40
yeah... 0.4 will include SUB among MANY other things. =)