Dear Epsylon3!

I made a new topic for our wishes of improvement of ODbgScript!

Here are my wishes (I am waiting very long time for fulfillment :-[ ):

1. OPCODE addr -> new function
OPCODE addr sets the $RESULT variable to the opcode bytes, $RESULT_1 variable to mnemonic opcode (i.e. MOV ECX,EAX) and $RESULT_2 to the length of the opcode. If an invalid opcode appears, $RESULT_2 should be 0. addr is increased by the length of the opcode (disassemble command). With this function you can step forward through code.

2. PREOP addr -> new function
PREOP addr sets the $RESULT variable to address of previous opcode of addr. If any error occurs, $RESULT is 0. With this function you can step back through code.

3. REF addr -> new function
REF addr works as "Find references to .. Selected command" and "Find references", Ctrl R, in OllyDbg. Now the problem is, that there are not defined arrays. The $RESULT variable should now be set to the first reference addr and $RESULT_1 to the opcode if available and $RESULT_2 to the comment (like reference window). The next refs you can get by using NEXTREF.

4. NEXTREF addr -> new function
NEXTREF addr works as REF, but results in the next reference. Another call of NEXTREF should result in the next reference and 0 if no more is found.

5. GMI -> more arguments
gmi addr,MEMBASE and
gmi addr,MEMSIZE
The $RESULT variable is set with the base memory adress / the memory size of an existing memory block.
If addr is in module the result could be MODULEBASE/MODULESIZE. (MODULEBASE and MODULSIZE now returns 0 if an address outside module is used.)

6. ALLOC len -> new function
ALLOC allocates a new memory block of length len, the base address is returned in the $RESULT variable. If any error occurs, $RESULT is 0.

7. FIND -> improvement
FIND should work with variables too (instead of only constants now)!
Example:
var x
mov x, "6A00E8"
find eip, x // find a PUSH 0 followed by some kind of call

8. FINDOP -> improvement
FIND should work with variables too (instead of only constants now)!
Example:
var x
mov x, "6A00"
findop eip, x // find a PUSH 0

9. GPA -> improvement -> OK !
GPA should work with variables too (instead of only constants now)!
Example:
var api
mov api, "MessageBoxA"
var dll
mov dll, "user32.dll"
gpa api, dll // After this $RESULT is the address of MessageBoxA

10. FINDMEM addr, what -> new function
Same as FIND, but searches in all allocated memory blocks (like search function in memory map window), not only in the memory, in which addr is located !

11. WRT what, file -> new function
WRT writes what (string or value) to specified file file. If file exists, it is overwritten.

12. WRTA what, file -> new function
WRT writes what (string or value) to specified file file, but it appends data to existing file.



I hope, this is not to much for you. But I think some functions are not very difficult to realize.

Thanx for implementing in ODbgScript, Epsylon3 :-))

~hERi~

if somebody has some time to do some functions... give me the code... i'll merge to the plugin....

i'm very busy this week...

but i'll add this new funcs and also other GUI things... like "edit script file", "script breakpoints (to pause or step)"

Hi Epsylon3!

I am a newbe in programming C. So I can´t help you. But if someone else could do ...

Thank for your help!

~hERi~

i've made a new version for script debugging (step to step and breakpoints) and hotkeys...

these commands will be implemented soon :

FIND & FINDOP improvements
WRT WRTA implementation

Check the "1.20" thread, i will edit it when done...

Hi Epsylon3!
I tried to help you and made a new function GMEMI instead of improving GMI (point 5).
You can see it here (ollyscr.balder.prohosting.com/GMEMI.txt).

Furthermore I changed GPA (point 9). Errorhandling now can be made by the script with $RESULT_1.
You can see it here (ollyscr.balder.prohosting.com/GPA.txt).

The code is NOT tested, there could be bugs! Please check and integrate in your script!

I have added help text for your help file readme.

Thanks

~hERi~

Links were not well !
GMEMI.txt ("http://ollyscr.balder.prohosting.com/GMEMI.txt")
GPA.txt ("http://ollyscr.balder.prohosting.com/GPA.txt")

for the GPA's case , instead of using another variable $RESULT_1 cant it simply return string " INVALID DLL / LIB " in the $RETURN variable ??

Hi nick_name!
This is the current state. But I is not useful. When a variable address is given to GPA by the script and this address is invalid, then the script stops with an error message and you cannot handle the error with the script himself! The execution of the script is canceled.
Therefore it is better you include some code (only 5 lines) and make your own error message handler (with your own error message!).

~hERi~

shERis , ya i understand ur point, but after handling that error why dont u just strcopy CUSTOM ERR MSG into $RETURN
( i mean if that's not impossible , i have'nt looked into the code )

i guess that'd just keep things a little less complicated

thank you.

gpa [x],[y]

gives error message and exit script if x ordinal is not found in y dll, as you noticed. It would be good that in next versions in case of wrong ordinal, return value to $RESULT is 0 instead of exiting script. In this way script can continue or we can chose to continue or not.


Next issue; script plugin uses always focused - always on top message box. It would be good to make them not focused in case of trouble shoting script. Because you are allowed then to abort script or pause it.


So Epsylon3 I hope that you will find some time for this in new versions. I know that you have probably more important things than this, I just wanted to say that new plugin is great and you are doing great job. Thanks.

Regards, haggar.

That´s all right, mr haggar!

I hope too, that Epsylon3 has more time to improve ODdbgScript. We all are waiting for it!

Perhaps I have some additional ideas for improvement.

~hERi~

yea... i will make changes as soon as possible...

made :
1.24 (19 Nov 2005)
+ FIND and FINDOP supports strings and string vars arguments
+ MSG and MSGYN have now Cancel buttons to pause script (MSGYN returns 2 if canceled)
# Script will now pause instead of stop when error is returned from commands
+ Script Breakpoints (to "debug" a script)
+ Added Real "Load Script" to start paused (script window)
+ Added Step/Resume and Hotkeys (script window)

http://e3.epsylon.org/olly/ ("http://e3.epsylon.org/olly/")

Hi Epsylon3!

I tried your new version - and found a bug !

1. FIND eip, #8B??# (wildcard search) doesn´t work any more !!!
2. FIND only works with string constants and string vars! Binary searching is not possible! Perhaps there should be a function to set a string variable supported by the FIND function with the content of a pointer to a string or binary value in memory.
3. I find script pausing after an command error not useful. A command error must be corrected by modifiying the script. This is only possible if you always manually abort the script! Please restore the original function of aborting the script when a command error appears.
5. The context menu of the script window should have the abort menu item too.

All other improvements are very good !

~hERi~

ok, i will try to fix that....

made for 1.25 (22 Nov 2005)
+ Added WRT (write a file) and WRTA (append) commands: WRT file, data
# fixed OllyDbg focus problem
# fixed path of created files when full path given

For the 3. ... i will keep the pause, could be usefull to ignore after error, but you can use the MRU to restart script.... or Restart Debug session, which requieres script reloading too (for the moment)...

the PREOP concept is a very good idea....

and i think it could be a full new concept the reverse execution....
but i dont know if it's really possible to know last eip with plugins....
because the plugin is not called on every CPU commands...

hmm so... i release 1.25 :

1.25 (22 Nov 2005)
+ Added FINDMEM to search into the whole memory
+ Added WRT (write a file) and WRTA (append) commands: WRT file, data
+ Added GMEMI function (Memory Block Informations)
# GPA now returns 0 and continue if the API is not found, $RESULT_2 set to Proc name if found.
# fixed OllyDbg focus problem
# fixed path of created files when full path given
# fixed FIND binary wildcards, broken in 1.24

Hi Epsylon3!

Great thanx for adding some of my wishes!

I tried FINDMEM, but it only finds the first appearance of "what". Can you add the addr variable as in FIND? Addr should be any address in the whole memory and FINDMEM should begin search with a valid memory block address greater or equal addr. If addr==0 then FINDMEM should find the first appearance.

I think this should be possible. Please improve the function for me!

PREOP:
I don´t think about reverse execution (this could really be a full new concept!), no, I only think about getting the previous opcode of an address in code. I found "Disassembleback" in Ollys plugin help - this is the function PREOP should call. And OPCODE should call "Disasm".

Can you add my other wishes too ?

~hERi~

PREOP is kinda hard to implement... SoftIce has a feature that shows the last instruction (or last eip) before the breakpoint was hit, but the opcode used for that feature is a protected one - it cant be used by a user-mode program, only in kernel-mode... I tried to implement that and ended up with a kernel-mode driver which was quite unstable..

ok, i've made some changes in released 1.26

PREOP addr
FINDMEM what [,from]

but the preop will not give last eip after a jump or ret... just last instruction before this address...

Hey, Epsylon3, you are quite fast!

I know, that PREOP only can find the last instruction before the given address and not the last eip before a given eip!

I will test out new 1.26.

Thanx

~hERi~

Hi Epsylon3!

I tried PREOP - and found a problem.
Some apps allocate memory and run code in this allocated memory block. When you try to call PREOP with such memory address you get 0 as result. Is it possible to use mod->codebase/mod->codesize and/or membase/memsize for Disassembleback depending on the memory block of addr? PREOP now works on for example in kernel32, but not in an allocated memory block.

Furthermore I would need OPCODE!

Please help me !

Thanx

~hERi~

ok... i will set preop to membase instead of codebase... i hope that will work...

1.27 (25 Nov 2005)
+ Added REF to get References to selected command
+ Added OPCODE command to get command bytes, text and size at specified address
# Better comments handling
# Better #inc handling (using also current script path)
# PREOP now works in memory block, not only in code block

Epsylon3,

thanks for updating the Ollyscript so frequently...

the script windows is very useful for debugging script but i would like to have an option to change the value of specific variable from this script windows as well...is that possible to do that in next version?

another thing is can u give the "Step" command a shortcut key that we do not need to go to the plugin menu every time when we need to step through the script...

thanks in advance

Hi Epsylon3!

I tried your improvements of 1.27.

PREOP: works fine !
REF: works fine !
OPCODE: works fine, but it doesn´t increase addr by the opcode length

The new functions are very helpful !

Now I´m only ALLOC missing...

Much thanx to you, you made really great work. Especially the script window is very, very useful ! Step shortcut would be useful too.

I hope that you are able to make more improvements of the script :-))

~hERi~

Epsylon3, GREAT WORK MATE !!!

i had a tiny request ... please try to add a menu in the olly's right click menu in the code section ... as shown the following picture
and if possible please IGNORE that full script location thing, just the filename would be good enough

http://img458.imageshack.us/img458/5184/odbgscript2zw.jpg

Ctrl + S is not working to step script ?

for the ALLOC function, could you tell me more on what do you wanna do ?

For the plugin menu, i can do that, but it will be as buggy as MRU of main menu.... (i can't refresh menu, made only at load time)

hey Epsylon3, just wondering if we could see a second $result output for the ask command that states the length of the string the user input. would be quite useful on occasion also, if it's possible to fix the set width of the ask dialog box that would be good. it seems to only display about 40chars or so.

and for the alloc thing i think he means something like an automated usage of VirtualAllocEx, where instead of having to make the call and specify the process handle and all the other stuff. so you could simply type "alloc 1024" and it would allocate 1024bytes of memory to the processes address space and set $RESULT to the starting address.

edit: err VirtualAlloc is probably closer than VirtualAllocEx, but i'm sure you get the idea.

Ok, i will try to do that...

lol ^_^, that was a fast response.

yup... reply notification is really missing here

1.28 (26 Nov 2005)
+ Added "Load Script" in DISASM Context Menu
+ Added "ALLOC size" and "FREE addr, size" to (un)allocate memory page
# Modified Run Script to Load in Main MRU
# MRU is now more showing full path of scripts
# ASK now returns string len in $RESULT_1

nice and quick too. my suggestions are next right? :P

oups, forgot to write them in readme, i made them too

xD tyvm

yep, i have just updated ASK command details in help

He he , plugin is updated faster than I can test it. That's good.

Hi Epsylon3!

ALLOC and FREE is just all what I wanted :-)) (thanx XanSama, I always executed this code with many instructions)

You are really fast with your work !!!

Thanx for all - all your improvements are very good !!!
I´m a bit inquisitive: are you from france, Epsylon3 ?

~hERi~

Next functions :

REV dword
Reverse order of bytes

yes, im (just) french

hi Epsylon3,

can u implement a string copy and string length function in next version as well

STRCPY destination, source if success $RESULT is the length of string copied else 0

STRLEN source $RESULT is the length of the string if success else 0

thanks in advance

for STRCPY you have mov

STRLEN will be a new LEN command

made:
# Script is kept on program restart/change
+ Added LEN to get string length
+ Added REV to reverse dword bytes
# Fixed FIND commands to search dwords variables

todo:
new command HANDLE class, caption to find handle of a window (or editbox etc)

Hi Epsylon3!

Could it be possible to add subroutine functionality to ODbgScript? I mean CALL procname,param1,param2,... and RETCALL res.
This would be helpful, if longer code is to be executed some times.

~hERi~

Hi Epsylon3!
I included a script an a script with the #inc command - and found a bug.
In OllyLang.cpp, proc int OllyLang::InsertScript(vector<string> toInsert, int posInScript) there are two MsgInt(posInScript,filename), which must be deleted. I think, they were inserted for debugging only.

Hi Epsylon3!

A command TC for "Close run trace" (stops tracing) would be useful.

Perhaps a command CLLW is possible, which cleares the log window.

Great thanx!
~hERi~

you are right, i will delete these MsgInt (sorry)

i'll see for these 2 commands...

1.29 (03 Dec 2005)
+ Added LEN to get string length
+ Added REV to reverse dword bytes
+ Added HANDLE to find a window handle (like "Edit" Boxes) in debugged application
# Script is kept on debugged program restart/change
# Fixed FIND commands to search dwords variables
# MRU on DISASM window is now the real one

great work as always !!

there's a bug in MRU in disam window

if the script name is too long , then it's wrapped in the 2nd line
but the problem is the wrapped line also get highted 'n acts like
another MRU entry.

could u take a look into that ??

guess the following pic would explain it a bit more ...

http://img226.imageshack.us/img226/4839/mru6at.jpg

wow... that's weird, could you paste me the real full path ?

maybe you have comma....

made for the next major release (1.3x) :

+ Added support of reg8 & reg16 registers (al,ah...dl,dh,ax,bx,cx,dx,bp,sp,si,di)
+ Enhanced Style of Script Window (current line, jumps, labels, same values)
+ Added Result column
+ Value column keeps history of values
+ Added TC to close and delete runtrace
# Fix MRU when a filename contains comma or {}

continue thread in the 1.3x one :
http://ollydbg.win32asmcommunity.net/?action=vthread&forum=6& topic=1590 ("http://ollydbg.win32asmcommunity.net/?action=vthread&forum=6&topic=1590")