View Full Version : OllyScript has a big bug


Anonymous
April 1st, 2004, 05:57
What have we here?

Many scripts where conditional jumps don't work appropriately.

I have a lot of scripts, but how many of them work correctly?
Mmmmmmmmm, few scripts.

Why? I think that OllyScript is, for the time being, an experimental
scripting language and many bugs should be repaired.

The scripts only work where the code is separated into blocks, which transfer control to the next block when an exception or a BP happens:


start:
run

block1:
gpa "LoadLibraryA","kernel32.dll" //GetProcAddress
bphws $RESULT, "x"
eob block2
run

block2:
eob block3
run

block3:
eob block4:
run

block4:
bphwc $RESULT

end:
msg "This is a shit, This is a shit, This is a shit"
ret

THIS IS SHIT, because you first have to count how many times the program stops at that BP and then make a block for every time.

The best thing is to make a single main block which repeats until a
condition is completed:

start:
run

block1:
gpa "LoadLibraryA","kernel32.dll" //GetProcAddress
bphws $RESULT, "x"
eob block2
run

single_main_block:
mov a,eax
cmp a,44332211 (for example)

je PATCH:

continue:
log a
eob single_main_block
run
jmp single_main_block


PATCH:
mov [a], #11223344#
bphwc $RESULT
msg "This is correct but it doesn't work yet"
ret

The problem is that "je PATCH" is never taken when "cmp a,WWXXYYZZ" is true: the PATCH label is never reached.

I have logged variables to the Log Window to see their values, but when "a" takes the value 44332211, the jump is not executed.

Could somebody tell me how to make this work appropriately, please?

From the depths of the abyss...
SACCOPHARYNX

psyCK0
April 1st, 2004, 09:46
I will look into it ASAP.
Can you please mail me the app you tested this on? Or write something so I can test it?

psyCK0
April 1st, 2004, 10:00
Update: I wrote a small test app and tested script jumps and they seem to work? Look at
http://ollyscript.apsvans.com/tmp/jump_test.rar

Anonymous
April 1st, 2004, 11:19
Hi psyCK0:

The script that I wrote is this:

// ANTI-Detect NTICE for Armadillo
// by SACCOPHARYNX
// http://www.iespana.es/saccopharynx
// Tested on HyperSnap DX 5 (Download from http://www.hyperionics.com)

var a
var b

gpa "RegOpenKeyExA", "advapi32.dll"
bphws $RESULT,"x"
eob main
run

main:

mov a,eax
add a,22
mov b,[a]
cmp b,49636545 //it compares if b is equal to "IceE"
//cmp b,45656349 //it compares if b is equal to "IceE"
jne continue:

patch:
mov [a], #43434153#
bphwc $RESULT
msg "Nice! Softice has not been detected."
ret

continue:
log "This is a: "
log a
log "This is b: "
log b
//eob main
//run
jmp main


but you need SoftICE installed and NOT STARTED to test that. I'm working on Olly 1.10 and Ollyscript 0.62. I hope you can help me.

Good luck.

From the depths of the abyss...
SACCOPHARYNX

Ricardo Narvaja
April 1st, 2004, 14:08
Well, it is the same bug I posted and have had no response to.
The conditional jump jumps, and the condition for jumping is not reached.

Ricardo

psyCK0
April 1st, 2004, 16:11
Ok... there are some errors in this script... Here is the explanation.
Code + exe can be downloaded at:
http://ollyscript.apsvans.com/tmp/jump_test2.rar

The source for the test proggie is below. As you can see it opens
three keys and then closes them.

.386
.model flat, stdcall

include kernel32.inc
includelib kernel32.lib

include advapi32.inc
includelib advapi32.lib

.const
HKEY_LOCAL_MACHINE equ 80000002h
KEY_QUERY_VALUE equ 0001h

.data
szSW BYTE "SOFTWARE", 0
szHW BYTE "HARDWARE", 0
szSYS BYTE "SYSTEM", 0

.data?
hKey DWORD ?

.code

main proc
invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE, addr szSW, 0, KEY_QUERY_VALUE, addr hKey
invoke RegCloseKey, hKey
invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE, addr szHW, 0, KEY_QUERY_VALUE, addr hKey
invoke RegCloseKey, hKey
invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE, addr szSYS, 0, KEY_QUERY_VALUE, addr hKey
invoke RegCloseKey, hKey
invoke ExitProcess, 0
main endp

end main


The script below breaks when the program tries to open the HARDWARE key. I didn't really get what the EAX business was all about; the lpSubKey param is at EBP-3C. Also NO : (COLON) AFTER LABEL FOR JUMP COMMANDS (JUST LIKE IN REAL ASM)!


var a
var b

gpa "RegOpenKeyExA", "advapi32.dll"
bphws $RESULT,"x"
eob main
run

main:
mov a, ebp // Here we get the value of lpSubKey from the stack (4 rows)...
sub a, 3c
mov b, [a]
mov b, [b]
cmp b, 44524148 // Compare the value on stack to "HARD"
jne continue // Notice the missing colon

patch:
// mov [a], #43434153#
// bphwc $RESULT
msg "RegOpenKeyExA for key starting with HARD has been detected!"
ret

continue:
//eob main
run
jmp main


Hope this helps! =)
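Both scripts in this thread compare a dword read from memory against a four-character tag written as a hex constant: the first script shows two candidate encodings of "IceE" (49636545 uncommented, 45656349 commented out) and psyCK0's script uses 44524148 for "HARD". The following Python model is an added example, not code from the thread or from OllyScript; it shows which constant a little-endian dword read actually matches, and it replays the double dereference `mov a, ebp / sub a, 3c / mov b, [a] / mov b, [b]` over a constructed memory image (the EBP value, the string address and the `Memory` class are assumptions chosen for the example, not values from the page).

```python
import struct

# Constants quoted in the thread.
OP_CMP_ICEE_ACTIVE = 0x49636545     # uncommented `cmp b,49636545` in the first script
OP_CMP_ICEE_COMMENTED = 0x45656349  # commented-out `cmp b,45656349`
HARD_DWORD = 0x44524148             # psyCK0's `cmp b, 44524148`


def tag_to_dword(tag: str) -> int:
    """Return the 32-bit value a dword compare sees when the four bytes at the
    address spell `tag`. x86 is little-endian, so the first character ends up
    in the lowest byte of the dword."""
    if len(tag) != 4:
        raise ValueError("tag must be exactly 4 ASCII characters")
    return struct.unpack("<I", tag.encode("ascii"))[0]


def dword_to_tag(value: int) -> str:
    """Inverse of tag_to_dword: what string a dword constant spells in memory."""
    return struct.pack("<I", value).decode("ascii")


class Memory:
    """Minimal flat memory image (constructed for this example): address -> bytes."""

    def __init__(self):
        self.chunks = {}

    def write(self, addr: int, data: bytes) -> None:
        self.chunks[addr] = bytes(data)

    def read_dword(self, addr: int) -> int:
        for base, data in self.chunks.items():
            if base <= addr and addr + 4 <= base + len(data):
                off = addr - base
                return struct.unpack("<I", data[off:off + 4])[0]
        raise KeyError("unmapped address %#x" % addr)


def build_sample_memory(ebp: int, sub_key: str) -> Memory:
    """Lay out the stack slot at EBP-3C holding lpSubKey and the key-name string
    it points to. Addresses are constructed, not taken from the thread."""
    mem = Memory()
    str_addr = 0x00403000  # assumed location of the key-name string
    mem.write(str_addr, sub_key.encode("ascii") + b"\x00")
    mem.write(ebp - 0x3C, struct.pack("<I", str_addr))  # lpSubKey parameter slot
    return mem


def key_starts_with(mem: Memory, ebp: int, tag: str) -> bool:
    """Replay psyCK0's script: a = ebp - 3c; b = [a]; b = [b]; cmp b, tag."""
    a = ebp - 0x3C
    b = mem.read_dword(a)  # pointer to the subkey string
    b = mem.read_dword(b)  # first four bytes of the string
    return b == tag_to_dword(tag)


if __name__ == "__main__":
    print("IceE in memory ->", hex(tag_to_dword("IceE")))
    print("0x49636545 spells ->", dword_to_tag(OP_CMP_ICEE_ACTIVE))
    ebp = 0x0012FF70  # assumed frame pointer inside RegOpenKeyExA
    for name in ("SOFTWARE", "HARDWARE", "SYSTEM"):
        mem = build_sample_memory(ebp, name)
        print(name, "starts with HARD:", key_starts_with(mem, ebp, "HARD"))
```

Running it shows that 45656349 (the commented-out line) is the value a compare against memory holding "IceE" would see, while 49636545 spells "EecI" in memory; the replayed double dereference fires only for the HARDWARE key, matching what psyCK0's script does on the test program.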