ODbgScript - my wishes for improvement


shERis
November 14th, 2005, 21:32
Dear Epsylon3!

I made a new topic for our wishes of improvement of ODbgScript!

Here are my wishes (I have been waiting a very long time for fulfillment :-[ ):

1. OPCODE addr -> new function
OPCODE addr sets the $RESULT variable to the opcode bytes, $RESULT_1 variable to mnemonic opcode (i.e. MOV ECX,EAX) and $RESULT_2 to the length of the opcode. If an invalid opcode appears, $RESULT_2 should be 0. addr is increased by the length of the opcode (disassemble command). With this function you can step forward through code.

2. PREOP addr -> new function
PREOP addr sets the $RESULT variable to address of previous opcode of addr. If any error occurs, $RESULT is 0. With this function you can step back through code.

3. REF addr -> new function
REF addr works as "Find references to .. Selected command" and "Find references", Ctrl R, in OllyDbg. Now the problem is, that there are not defined arrays. The $RESULT variable should now be set to the first reference addr and $RESULT_1 to the opcode if available and $RESULT_2 to the comment (like reference window). The next refs you can get by using NEXTREF.

4. NEXTREF addr -> new function
NEXTREF addr works as REF, but results in the next reference. Another call of NEXTREF should result in the next reference and 0 if no more is found.

5. GMI -> more arguments
gmi addr,MEMBASE and
gmi addr,MEMSIZE
The $RESULT variable is set with the base memory address / the memory size of an existing memory block.
If addr is in a module the result could be MODULEBASE/MODULESIZE. (MODULEBASE and MODULESIZE now return 0 if an address outside a module is used.)

6. ALLOC len -> new function
ALLOC allocates a new memory block of length len, the base address is returned in the $RESULT variable. If any error occurs, $RESULT is 0.

7. FIND -> improvement
FIND should work with variables too (instead of only constants now)!
Example:
var x
mov x, "6A00E8"
find eip, x // find a PUSH 0 followed by some kind of call

8. FINDOP -> improvement
FINDOP should work with variables too (instead of only constants now)!
Example:
var x
mov x, "6A00"
findop eip, x // find a PUSH 0

9. GPA -> improvement -> OK !
GPA should work with variables too (instead of only constants now)!
Example:
var api
mov api, "MessageBoxA"
var dll
mov dll, "user32.dll"
gpa api, dll // After this $RESULT is the address of MessageBoxA

10. FINDMEM addr, what -> new function
Same as FIND, but searches in all allocated memory blocks (like the search function in the memory map window), not only in the memory block in which addr is located!

11. WRT what, file -> new function
WRT writes what (string or value) to specified file file. If file exists, it is overwritten.

12. WRTA what, file -> new function
WRTA writes what (string or value) to the specified file file, but it appends the data to an existing file.



I hope this is not too much for you. But I think some functions are not very difficult to realize.

Thanx for implementing in ODbgScript, Epsylon3 :-))

~hERi~

Epsylon3
November 15th, 2005, 15:24
if somebody has some time to do some functions... give me the code... i'll merge to the plugin....

i'm very busy this week...

but i'll add this new funcs and also other GUI things... like "edit script file", "script breakpoints (to pause or step)"

shERis
November 16th, 2005, 00:44
Hi Epsylon3!

I am a newbie in programming C. So I can't help you. But if someone else could do ...

Thank for your help!

~hERi~

Epsylon3
November 16th, 2005, 07:33
i've made a new version for script debugging (step to step and breakpoints) and hotkeys...

these commands will be implemented soon :

FIND & FINDOP improvements
WRT WRTA implementation

Check the "1.20" thread, i will edit it when done...

shERis
November 18th, 2005, 05:23
Hi Epsylon3!
I tried to help you and made a new function GMEMI instead of improving GMI (point 5).
You can see it here (ollyscr.balder.prohosting.com/GMEMI.txt).

Furthermore I changed GPA (point 9). Error handling can now be done by the script with $RESULT_1.
You can see it here (ollyscr.balder.prohosting.com/GPA.txt).

The code is NOT tested, there could be bugs! Please check and integrate in your script!

I have added help text for your help file readme.

Thanks

~hERi~

shERis
November 18th, 2005, 05:27
Links were not working!
http://ollyscr.balder.prohosting.com/GMEMI.txt
http://ollyscr.balder.prohosting.com/GPA.txt

nick_name
November 18th, 2005, 10:22
for the GPA's case, instead of using another variable $RESULT_1, can't it simply return the string " INVALID DLL / LIB " in the $RETURN variable?

shERis
November 18th, 2005, 10:37
Hi nick_name!
This is the current state. But it is not useful. When a variable address is given to GPA by the script and this address is invalid, then the script stops with an error message and you cannot handle the error in the script itself! The execution of the script is canceled.
Therefore it is better you include some code (only 5 lines) and make your own error message handler (with your own error message!).

~hERi~

nick_name
November 18th, 2005, 13:39
shERis, ya i understand ur point, but after handling that error why don't u just strcopy CUSTOM ERR MSG into $RETURN
(i mean if that's not impossible, i haven't looked into the code)

i guess that'd just keep things a little less complicated

thank you.

mr haggar
November 18th, 2005, 14:56
gpa [x],[y]

gives an error message and exits the script if ordinal x is not found in dll y, as you noticed. It would be good if in the next versions, in case of a wrong ordinal, the return value in $RESULT is 0 instead of exiting the script. In this way the script can continue, or we can choose to continue or not.


Next issue: the script plugin always uses a focused, always-on-top message box. It would be good to make it not focused in case of troubleshooting a script, because then you are allowed to abort the script or pause it.


So Epsylon3, I hope that you will find some time for this in new versions. I know that you probably have more important things than this; I just wanted to say that the new plugin is great and you are doing a great job. Thanks.

Regards, haggar.

shERis
November 19th, 2005, 01:36
That's all right, mr haggar!

I hope too that Epsylon3 has more time to improve ODbgScript. We are all waiting for it!

Perhaps I have some additional ideas for improvement.

~hERi~

Epsylon3
November 19th, 2005, 12:13
yea... i will make changes as soon as possible...

made :
1.24 (19 Nov 2005)
+ FIND and FINDOP supports strings and string vars arguments
+ MSG and MSGYN have now Cancel buttons to pause script (MSGYN returns 2 if canceled)
# Script will now pause instead of stop when error is returned from commands
+ Script Breakpoints (to "debug" a script)
+ Added Real "Load Script" to start paused (script window)
+ Added Step/Resume and Hotkeys (script window)

Epsylon3
November 19th, 2005, 14:36
http://e3.epsylon.org/olly/

shERis
November 21st, 2005, 20:48
Hi Epsylon3!

I tried your new version - and found a bug!

1. FIND eip, #8B??# (wildcard search) doesn't work any more!
2. FIND only works with string constants and string vars! Binary searching is not possible! Perhaps there should be a function to set a string variable supported by the FIND function with the content of a pointer to a string or binary value in memory.
3. I find script pausing after a command error not useful. A command error must be corrected by modifying the script. This is only possible if you always manually abort the script! Please restore the original function of aborting the script when a command error appears.
4. The context menu of the script window should have the abort menu item too.

All other improvements are very good!

~hERi~

Epsylon3
November 21st, 2005, 22:00
ok, i will try to fix that....

made for 1.25 (22 Nov 2005)
+ Added WRT (write a file) and WRTA (append) commands: WRT file, data
# fixed OllyDbg focus problem
# fixed path of created files when full path given

For the 3. ... i will keep the pause, could be useful to ignore after error, but you can use the MRU to restart script.... or Restart Debug session, which requires script reloading too (for the moment)...

Epsylon3
November 22nd, 2005, 01:29
the PREOP concept is a very good idea....

and i think it could be a full new concept, the reverse execution....
but i don't know if it's really possible to know the last eip with plugins....
because the plugin is not called on every CPU command...

hmm so... i release 1.25 :

1.25 (22 Nov 2005)
+ Added FINDMEM to search into the whole memory
+ Added WRT (write a file) and WRTA (append) commands: WRT file, data
+ Added GMEMI function (Memory Block Information)
# GPA now returns 0 and continues if the API is not found, $RESULT_2 set to Proc name if found.
# fixed OllyDbg focus problem
# fixed path of created files when full path given
# fixed FIND binary wildcards, broken in 1.24
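An added example (not a script from this thread or from the plugin's own documentation) of the GPA error handling discussed above, using the 1.25 behaviour (GPA returns 0 and the script continues) together with the new WRT/WRTA commands and string variables for GPA (point 9). It assumes that user32.dll is loaded in the debuggee and that the report file name resolved.txt is a placeholder.

```odbgscript
// Resolve exported APIs by name, handle a missing export inside the script,
// set breakpoints on the resolved entry points and record them to a file.
var dll
var api
var addr
var report
mov report, "resolved.txt"      // placeholder file name (constructed for this example)
mov dll, "user32.dll"

mov api, "MessageBoxA"
gpa api, dll                    // string variables accepted (point 9 of the wish list)
cmp $RESULT, 0                  // 1.25: 0 means "not found", script is NOT aborted
je missing
mov addr, $RESULT
bp addr                         // break at the export so calls into it can be inspected
wrt report, api                 // WRT creates/overwrites the report with the API name
wrta report, addr               // WRTA appends the resolved address

mov api, "GetWindowTextA"
gpa api, dll
cmp $RESULT, 0
je missing
mov addr, $RESULT
bp addr
wrta report, api                // append the second API name and address
wrta report, addr

msg "Breakpoints set, see resolved.txt"
ret

missing:
// Custom error message instead of the plugin's own, as asked for in this thread
eval "GPA failed: {api} not found in {dll}"
msg $RESULT
ret
```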

shERis
November 23rd, 2005, 13:35
Hi Epsylon3!

Great thanx for adding some of my wishes!

I tried FINDMEM, but it only finds the first appearance of "what". Can you add the addr variable as in FIND? Addr should be any address in the whole memory and FINDMEM should begin search with a valid memory block address greater or equal addr. If addr==0 then FINDMEM should find the first appearance.

I think this should be possible. Please improve the function for me!

PREOP:
I don't think about reverse execution (this could really be a full new concept!), no, I only think about getting the previous opcode of an address in code. I found "Disassembleback" in Olly's plugin help - this is the function PREOP should call. And OPCODE should call "Disasm".

Can you add my other wishes too ?

~hERi~

SHaG
November 23rd, 2005, 21:14
PREOP is kinda hard to implement... SoftIce has a feature that shows the last instruction (or last eip) before the breakpoint was hit, but the opcode used for that feature is a protected one - it can't be used by a user-mode program, only in kernel-mode... I tried to implement that and ended up with a kernel-mode driver which was quite unstable..

Epsylon3
November 23rd, 2005, 22:22
ok, i've made some changes in released 1.26

PREOP addr
FINDMEM what [,from]

but the preop will not give last eip after a jump or ret... just last instruction before this address...

shERis
November 24th, 2005, 00:52
Hey, Epsylon3, you are quite fast!

I know that PREOP can only find the last instruction before the given address and not the last eip before a given eip!

I will test out new 1.26.

Thanx

~hERi~

shERis
November 24th, 2005, 11:04
Hi Epsylon3!

I tried PREOP - and found a problem.
Some apps allocate memory and run code in this allocated memory block. When you try to call PREOP with such a memory address you get 0 as result. Is it possible to use mod->codebase/mod->codesize and/or membase/memsize for Disassembleback depending on the memory block of addr? PREOP now works, for example, in kernel32, but not in an allocated memory block.

Furthermore I would need OPCODE!

Please help me !

Thanx

~hERi~

Epsylon3
November 24th, 2005, 17:03
ok... i will set preop to membase instead of codebase... i hope that will work...

1.27 (25 Nov 2005)
+ Added REF to get References to selected command
+ Added OPCODE command to get command bytes, text and size at specified address
# Better comments handling
# Better #inc handling (using also current script path)
# PREOP now works in memory block, not only in code block

hila123
November 25th, 2005, 13:00
Epsylon3,

thanks for updating the Ollyscript so frequently...

the script window is very useful for debugging scripts but i would like to have an option to change the value of a specific variable from this script window as well...is that possible to do in the next version?

another thing is, can u give the "Step" command a shortcut key so that we do not need to go to the plugin menu every time we need to step through the script...

thanks in advance

shERis
November 25th, 2005, 13:37
Hi Epsylon3!

I tried your improvements of 1.27.

PREOP: works fine!
REF: works fine!
OPCODE: works fine, but it doesn't increase addr by the opcode length

The new functions are very helpful !

Now I'm only missing ALLOC...

Much thanx to you, you did really great work. Especially the script window is very, very useful! A Step shortcut would be useful too.

I hope that you are able to make more improvements of the script :-))

~hERi~
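An added example (not a script from this thread or from the plugin's own documentation) of the code walk that points 1, 2 and 7 of the wish list describe, with the commands as they behave by 1.27: OPCODE does not advance addr itself, so the script adds $RESULT_2 on its own and stops on $RESULT_2 == 0 (invalid opcode); PREOP returns 0 on failure and, as noted above, yields only the instruction before the address, not the last eip before a jump. It assumes eip lies in a code block that contains the wishlist pattern #6A00E8#; the forward step count 5 is an arbitrary constructed value.

```odbgscript
// Locate a PUSH 0 / CALL pair, walk 5 opcodes forward with OPCODE,
// then walk back to the start with PREOP.
var start
var cur
var n

find eip, #6A00E8#       // PUSH 0 followed by a CALL (binary pattern from the wish list)
cmp $RESULT, 0
je notfound
mov start, $RESULT
mov cur, start
mov n, 0

forward:
opcode cur               // $RESULT = bytes, $RESULT_1 = mnemonic, $RESULT_2 = length
cmp $RESULT_2, 0         // length 0 = invalid opcode, stop instead of running off the block
je done
log $RESULT_1            // e.g. "PUSH 0", then "CALL ..."
add cur, $RESULT_2       // OPCODE leaves cur unchanged (1.27), advance manually
inc n
cmp n, 5                 // constructed bound: five instructions forward
jb forward

backward:
preop cur                // $RESULT = address of the instruction before cur, 0 on error
cmp $RESULT, 0
je done
mov cur, $RESULT
log cur
cmp cur, start           // stop once we are back at (or before) the pattern
ja backward

done:
ret

notfound:
msg "Pattern 6A 00 E8 not found from eip"
ret
```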

nick_name
November 25th, 2005, 14:35
Epsylon3, GREAT WORK MATE !!!

i had a tiny request ... please try to add a menu in olly's right click menu in the code section ... as shown in the following picture
and if possible please IGNORE that full script location thing, just the filename would be good enough

http://img458.imageshack.us/img458/5184/odbgscript2zw.jpg

Epsylon3
November 25th, 2005, 22:25
Ctrl + S is not working to step script ?

for the ALLOC function, could you tell me more on what do you wanna do ?

For the plugin menu, i can do that, but it will be as buggy as MRU of main menu.... (i can't refresh menu, made only at load time)

XanSama
November 26th, 2005, 03:21
hey Epsylon3, just wondering if we could see a second $result output for the ask command that states the length of the string the user input. would be quite useful on occasion. also, if it's possible to fix the set width of the ask dialog box that would be good. it seems to only display about 40 chars or so.

XanSama
November 26th, 2005, 04:12
and for the alloc thing i think he means something like an automated usage of VirtualAllocEx, where instead of having to make the call and specify the process handle and all the other stuff, you could simply type "alloc 1024" and it would allocate 1024 bytes of memory in the process's address space and set $RESULT to the starting address.

edit: err VirtualAlloc is probably closer than VirtualAllocEx, but i'm sure you get the idea.

Epsylon3
November 26th, 2005, 04:15
Ok, i will try to do that...

XanSama
November 26th, 2005, 04:16
lol ^_^, that was a fast response.

Epsylon3
November 26th, 2005, 04:36
yup... reply notification is really missing here

Epsylon3
November 26th, 2005, 06:30
1.28 (26 Nov 2005)
+ Added "Load Script" in DISASM Context Menu
+ Added "ALLOC size" and "FREE addr, size" to (un)allocate memory page
# Modified Run Script to Load in Main MRU
# MRU is now more showing full path of scripts
# ASK now returns string len in $RESULT_1

XanSama
November 26th, 2005, 06:51
nice and quick too. my suggestions are next right? :P

Epsylon3
November 26th, 2005, 07:21
oups, forgot to write them in readme, i made them too

XanSama
November 26th, 2005, 07:29
xD tyvm

Epsylon3
November 26th, 2005, 07:43
yep, i have just updated ASK command details in help

mr haggar
November 27th, 2005, 15:11
He he , plugin is updated faster than I can test it. That's good.

shERis
November 28th, 2005, 12:16
Hi Epsylon3!

ALLOC and FREE is just all I wanted :-)) (thanx XanSama, I always executed this code with many instructions)

You are really fast with your work!!!

Thanx for all - all your improvements are very good!!!
I'm a bit inquisitive: are you from France, Epsylon3?

~hERi~

Epsylon3
November 29th, 2005, 01:38
Next functions :

REV dword
Reverse order of bytes

yes, I'm (just) french

hila123
November 29th, 2005, 01:59
hi Epsylon3,

can u implement a string copy and string length function in the next version as well?

STRCPY destination, source if success $RESULT is the length of string copied else 0

STRLEN source $RESULT is the length of the string if success else 0

thanks in advance

Epsylon3
November 30th, 2005, 22:27
for STRCPY you have mov

STRLEN will be a new LEN command

made:
# Script is kept on program restart/change
+ Added LEN to get string length
+ Added REV to reverse dword bytes
# Fixed FIND commands to search dwords variables

todo:
new command HANDLE class, caption to find handle of a window (or editbox etc)

shERis
December 2nd, 2005, 13:14
Hi Epsylon3!

Could it be possible to add subroutine functionality to ODbgScript? I mean CALL procname,param1,param2,... and RETCALL res.
This would be helpful if longer code has to be executed several times.

~hERi~

shERis
December 2nd, 2005, 19:01
Hi Epsylon3!
I included a script in a script with the #inc command - and found a bug.
In OllyLang.cpp, in proc int OllyLang::InsertScript(vector<string> toInsert, int posInScript), there are two MsgInt(posInScript,filename) calls which must be deleted. I think they were inserted for debugging only.

shERis
December 2nd, 2005, 20:07
Hi Epsylon3!

A command TC for "Close run trace" (stops tracing) would be useful.

Perhaps a command CLLW is possible, which clears the log window.

Great thanx!
~hERi~

Epsylon3
December 2nd, 2005, 21:20
you are right, i will delete these MsgInt (sorry)

i'll see for these 2 commands...

Epsylon3
December 3rd, 2005, 08:57
1.29 (03 Dec 2005)
+ Added LEN to get string length
+ Added REV to reverse dword bytes
+ Added HANDLE to find a window handle (like "Edit" Boxes) in debugged application
# Script is kept on debugged program restart/change
# Fixed FIND commands to search dwords variables
# MRU on DISASM window is now the real one

nick_name
December 3rd, 2005, 18:33
great work as always !!

there's a bug in the MRU in the disasm window

if the script name is too long, then it's wrapped onto the 2nd line
but the problem is the wrapped line also gets highlighted and acts like
another MRU entry.

could u take a look into that ??

guess the following pic would explain it a bit more ...

http://img226.imageshack.us/img226/4839/mru6at.jpg

Epsylon3
December 4th, 2005, 02:37
wow... that's weird, could you paste me the real full path ?

maybe you have comma....

made for the next major release (1.3x) :

+ Added support of reg8 & reg16 registers (al,ah...dl,dh,ax,bx,cx,dx,bp,sp,si,di)
+ Enhanced Style of Script Window (current line, jumps, labels, same values)
+ Added Result column
+ Value column keeps history of values
+ Added TC to close and delete runtrace
# Fix MRU when a filename contains comma or {}

continue thread in the 1.3x one :
http://ollydbg.win32asmcommunity.net/?action=vthread&forum=6&topic=1590