[NEW]OllyMachine v0.20


luocong
December 7th, 2004, 01:08
Download page:
http://www.luocong.com/om/

OllyMachine is a plugin for OllyDbg. We can use an assembly-like language called OllyMachine Script to write a script to automate OllyDbg.

Its source code is also available.

britedream
December 7th, 2004, 04:19
I tried to find the opcode as follows:

Run
invoke FindOpcode ,eip,"8944240C"
invoke PrintNum, reg00,16
Halt

but it gave the wrong address, with the opcode being 0000.

This is in a protected target, but Olly gave the correct address for the opcode.

So you may want to look at this problem.

Regards.
Britedream

luocong
December 7th, 2004, 07:58
Please use this:

invoke Find, eip, "8944240C"
or
invoke Search, eip, "8944240C"

thanks.

britedream
December 8th, 2004, 05:25
Using these instructions at an exception will produce an error, contrary to Olly, which works fine.


Regards.
Britedream

luocong
December 8th, 2004, 05:57
Using these instructions at an exception will produce an error, contrary to Olly, which works fine.

Can you send me your test program and the script for debugging? Thanks.

admin@luocong.com

cw2k
July 17th, 2005, 10:59
Well, I also tested OllyMachine. At first I was impressed. It seems to be more stable and also faster than OllyScript.
So as a tutorial I started to unpack PECompact, and started like this:

GO VirtualAlloc
GO VirtualAlloc
RTU

Whoops, in OllyMachine it's somehow different.
Well, finally...

invoke GetProcAddress, "VirtualAlloc", "kernel32.dll"
mov reg01, reg00
invoke GO, reg01 ; that's for the decompressed loader code
invoke GO, reg01 ; that one is inside the loader code
RunToUserCode ; return to loader code main()

... did the job. Well, for my taste there are somehow slightly too many of those not very meaningful 'invoke's, but it's ok. It's asm, pure and simple.
But when I needed to retrieve some memory values the code gets really ugly.
For example, to move from the module base (0x00400000) to the PE header with the help of the DOS header, in OScript it looked like this:

var PE_Base
var PE_Header

// Just to keep things simple - better use 'gmi eip, CODEBASE' instead..
mov PE_Base,00400000

mov PE_Header,PE_Base
add PE_Header,3c
mov PE_Header,[PE_Header]+12

msg PE_Header

In OllyMachine there is no mov a,[b]; you have to use ReadMemLong instead. So this is what it looks like in OSM:

// get PE_Header => reg10

mov reg08,0x400000 ; get module base

mov reg10,reg08
add reg10,0x3c ; offset of e_lfanew in the DOS header
invoke ReadMemLong,reg10,0x04
mov reg10,reg00
add reg10,reg08

invoke msg, reg10

Now I noticed that it will be no fun to write some code in OSM in that state,
because you soon lose the overview of your own code.
1. It's not very nice to always have a list aside to look up what I stored in reg10 or reg08 if I want to use it later. So forget about speakable variable names. (Well, I can write a comment behind every reg10 saying what it actually is, but that's no fun.)
2. There are formal things like '0x' in front of each number to show it is hex... (Why not make hex the default and force a prefix/suffix for dec, oct or bin numbers?)
and constructs like
invoke ReadMemLong,..,0x04
mov ..., reg00
that just blow up the code. One statement, one line.

So on one side OllyMachine is really great. Only from the practical point of view, the programming language is currently too 'low-level', which makes it hard to read, to see what the idea is, and to retain an overview of my own code. It's laborious and, as I feel it, no fun to write code on that level.

So what about some simple higher-level preprocessor that would make it possible to define/predefine some macros, for example mov reg02,[reg10],
that would be resolved to ReadMemLong, and that would replace variable names with reg01..reg63?

In comparison to OllyScript it's open source and to me it seems to be built on rock-solid code. Now it's just a matter of building something more on that foundation
to make OllyMachine 'that' scripter for OllyDbg.

So let's get the source, customize it and try out new ideas.
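cw2k's preprocessor idea (a mov a,[b] macro expanding to ReadMemLong, symbolic names mapped onto reg01..reg63, hex as the default radix), sketched as an added Python example that is not part of OllyMachine or of any post in this thread. The input dialect ('var', symbolic names, [x] dereference) is an assumption; the ReadMemLong/reg00 return convention and the 0x3c e_lfanew offset come from the posts above.

```python
import re

# Constructed input in a hypothetical higher-level dialect (assumption: OllyMachine
# v0.20 has no 'var', no symbolic names and no [x] dereference; the tool adds them).
SOURCE = """\
var modbase
var pe_hdr
mov modbase, 400000      ; module base (hex is the default in this dialect)
mov pe_hdr, modbase
add pe_hdr, 3c           ; e_lfanew lives at DOS header offset 0x3c
mov pe_hdr, [pe_hdr]     ; dereference -> ReadMemLong + mov from reg00
add pe_hdr, modbase
invoke msg, pe_hdr
"""

HEX = re.compile(r'[0-9A-Fa-f]+$')
DEREF = re.compile(r'mov\s+(\w+)\s*,\s*\[(\w+)\]$', re.I)

def preprocess(src, first_reg=1, last_reg=63):
    """'var NAME' takes the next free register (reg01..reg63; reg00 holds OllyMachine's
    return values), bare hex gets '0x', and 'mov a,[b]' becomes 'invoke ReadMemLong,b,0x04' + 'mov a,reg00'."""
    regs, out = {}, []
    def sym(tok):
        tok = tok.strip()
        if tok in regs:
            return regs[tok]
        # bare hex numbers get the prefix; reg00, API names and quoted strings pass through
        return '0x' + tok if HEX.match(tok) else tok
    for raw in src.splitlines():
        code, sep, comment = raw.partition(';')
        comment = ' ;' + comment if sep else ''
        code = code.strip()
        if not code:
            out.append(raw)          # blank and comment-only lines stay as they are
            continue
        m = re.match(r'var\s+(\w+)$', code, re.I)
        if m:
            if first_reg + len(regs) > last_reg:
                raise ValueError('no free register for ' + m.group(1))
            regs[m.group(1)] = 'reg%02d' % (first_reg + len(regs))
            continue
        m = DEREF.match(code)
        if m:
            out.append('invoke ReadMemLong,%s,0x04%s' % (sym(m.group(2)), comment))
            out.append('mov %s,reg00' % sym(m.group(1)))
            continue
        op, _, args = code.partition(' ')
        args = ','.join(sym(a) for a in args.split(',')) if args else ''
        out.append((op + ' ' + args).rstrip() + comment)
    return '\n'.join(out)
```

Running preprocess(SOURCE) yields the same seven OSM lines cw2k wrote by hand, with reg01/reg02 standing in for modbase/pe_hdr.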