EAXEBP

Reputation: 11

How to automate a task in OllyDBG? Using OllyScript or any other tool

How do I automate a task in OllyDBG? I want to create a script.

I bp on a certain address and go to its stack arguments. There are four stack arguments. I use the address of the 2nd argument and the size from the 4th argument and dump the HEX data into a log file.

For example:

I set a breakpoint at 512A12 and I see the following in stack:

00192003   005DB123   RETURN to program.005DB123 from program.00512A12
00192011   0018F058 - 1st argument
00192028   03F48D78 - 2nd argument
00192032   03F48D78 - 3rd argument
00192036   00000500 - 4th argument

So I dump the data from the address at 00192028 03F48D78 - 2nd argument, where 03F48D78 is the address to start the dump from.

And I use the size from the 4th argument, 00192036 00000500 - 4th argument, where 500 is the size of the data to be dumped.

The data is saved in a log file. It is hex data from the dump section in OllyDBG.

Now I want to loop this function and automate it. How can this automation be done in OllyScript or something else?

Upvotes: 1

Views: 3183

Answers (3)

John Dev

Reputation: 51

The actual function I need in the end to complete my task is as follows.

It's an encryption / decryption function:

0x1 PUSH EBP - the encrypted data is loaded

0x5 RETN - the data is decrypted

So the encrypted/decrypted data is loaded in the stack values, as I explained earlier.

1 - When the bp hits 0x1 PUSH EBP

2 - We go to the stack values

3 - We follow the 2nd argument as the start address for the chunk of encrypted data and the 4th argument for the size of the data

4 - We dump using writemem from the cmdline mod

Also we follow the same for the decrypted data:

1 - When the bp hits 0x5 RETN

2 - We go to the stack values

3 - We follow the 2nd argument as the start address for the chunk of decrypted data and the 4th argument for the size of the data

4 - We dump using writemem from the cmdline mod

I was wondering if the data could be saved in one text file called encdec.txt:

Encrypted HEX values, decrypted HEX values.

For example:

ENC - 88 F4 62 71 3D 25 CD 7C 72 76 8E 14 95 0B D1 8B DEC - 3E 2E BA 24 FA 22 47 A0 00 0F A5 0E F7 B0 9C 32

If the above is done, then I need to automate the HEX search and replace of the values from encdec.txt on the target encrypted file.

So the automation would take the line "ENC - 88 F4 62 71 3D 25 CD 7C 72 76 8E 14 95 0B D1 8B", search for it in the targeted file, and replace the values with the hex values in "DEC - 3E 2E BA 24 FA 22 47 A0 00 0F A5 0E F7 B0 9C 32".

Upvotes: 0
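The search-and-replace step described in this answer, as an added example that is not code from the question or any of the answers: a Python script that parses the encdec.txt layout ("ENC - <hex> DEC - <hex>" per line), checks that each ENC/DEC pair has the same length so file offsets never shift, and patches every match in the target file in a single left-to-right pass. The SAMPLE_ENCDEC contents and the command-line file names are constructed for illustration.

```python
import sys
from pathlib import Path

# Constructed sample in the encdec.txt layout described above: one pair per line.
SAMPLE_ENCDEC = (
    "ENC - 88 F4 62 71 3D 25 CD 7C 72 76 8E 14 95 0B D1 8B "
    "DEC - 3E 2E BA 24 FA 22 47 A0 00 0F A5 0E F7 B0 9C 32\n"
    "ENC - 01 02 03 04 DEC - AA BB CC DD\n"
)

def parse_encdec(text):
    """Return [(enc_bytes, dec_bytes), ...]; rejects malformed or unequal-length pairs."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        head, sep, dec_hex = line.partition("DEC -")
        if not sep or not head.startswith("ENC -"):
            raise ValueError(f"line {lineno}: expected 'ENC - ... DEC - ...'")
        enc = bytes.fromhex(head[len("ENC -"):])   # fromhex ignores the spaces
        dec = bytes.fromhex(dec_hex)
        if not enc or len(enc) != len(dec):
            # Unequal lengths would shift every later offset in the target file.
            raise ValueError(f"line {lineno}: ENC is {len(enc)} bytes, DEC is {len(dec)}")
        pairs.append((enc, dec))
    return pairs

def patch_bytes(data, pairs):
    """Single pass: always patch the earliest remaining ENC match, never rescanning
    patched bytes (so a DEC value containing another ENC pattern is not re-patched)."""
    buf = bytearray(data)
    counts = {enc: 0 for enc, _ in pairs}
    pos = 0
    while True:
        hit = None
        for enc, dec in pairs:
            i = buf.find(enc, pos)
            if i != -1 and (hit is None or i < hit[0]):
                hit = (i, enc, dec)
        if hit is None:
            return bytes(buf), counts       # counts: {enc_bytes: replacements made}
        i, enc, dec = hit
        buf[i:i + len(enc)] = dec
        counts[enc] += 1
        pos = i + len(enc)

def patch_file(target, encdec, output):
    """Read target and encdec.txt, write the patched copy to output, return hit counts."""
    pairs = parse_encdec(Path(encdec).read_text())
    patched, counts = patch_bytes(Path(target).read_bytes(), pairs)
    Path(output).write_bytes(patched)
    return counts

if __name__ == "__main__":   # usage: patch.py target.bin encdec.txt patched.bin
    print(patch_file(sys.argv[1], sys.argv[2], sys.argv[3]))
```

A pair whose ENC sequence is never found reports a count of 0, which is worth checking before trusting the output file.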

blabb

Reputation: 9007

AFAIK none of the existing plugins offer WinDbg's .writemem functionality. Uploaded below is an OllyDbg plugin enhanced from anonymouse's (OpenRCE blog) modified cmdline plugin, with an added command .writemem.

Download it and put the DLL in the OllyDbg 1.10 plugin path.

Possible crash path fixed (FindModule -> Mod-name can be null if FindModule returns null; in such cases an "unknown_module" string is added as the module name for sprintf_s).

http://wikisend.com/download/750442/cmdline.dll

This plugin is an enhanced version of the modified cmdline plugin for OllyDbg 1.10 by anonymouse (OpenRCE blog) and contains one extra command, .writemem.

Enhancements: the original source was altered considerably to make it compile with Visual Studio 2010 Express (old commands not tested); one extra command, .writemem, was added (similar to WinDbg's .writemem).

Usage is as follows: Alt+F1 or Plugins -> cmdline plugin. In the dialog box type

writemem [esp+0x4] dword [esp+0x10] c:\dumps

or maybe

writemem 0x403085 0x45 f:\foo\blah

The first command will dump 0xxxx bytes (the count pointed to by [esp+0x10]) from the address pointed to by [esp+0x4] to the preexisting folder c:\dumps.

The second command will dump 0x45 bytes from 0x402085 to the specified folder.

To automate, use this command with the conditional log breakpoint's "pass commands to plugin when paused" functionality (Shift+F4).

In the edit box enter

.writemem <address> <size> <folder path>
.run

Whenever the breakpoint is hit, the memory contents will be dumped.

Another snapshot to explain the words better (below): writemem command usage.

Upvotes: 2

Yaser Alnajjar

Reputation: 447

This tutorial might help: http://x9090.blogspot.com/2009/07/ollyscript-tutorial-unpack-upx.html

Also, you can read some scripts carefully to learn more about OllyScript.

Upvotes: 0
