Chapter1

Summary

1.1  Brief introduction

OllyMachine is a plugin for OllyDbg. We can use an assembly-like language called OllyMachine Script to write a script to automate OllyDbg.

1.2  Homepage

OllyMachine

1.3  Installation

Copy OllyMachine.dll to plugin directory of OllyDbg.

1.4  Run

After installation, there will be an OllyMachine sub-menu in the OllyDbg's plugins, just choose the corresponding menu to run.

1.4.1  Running script file

The default extension of script file is ".oms", for the meaning of "OllyMachine Script". When opening this type of files, the internal assembler will assemble source codes to bytecodes and then feed to Virtual Machine to run.

1.4.2  Running bytecode file

The default extension of bytecode file is ".omb", for the meaning of "OllyMachine Binary". When opening this type of files, the internal loader will load the bytecodes to Virtual Machine to run.

Attention:

1. OllyMachine will automatically judge whether the opening file is a script file or a bytecode file, if it is a bytecode file, it will be running as the bytecodes branch, otherwise will running as the script branch.

2. Before running a script or a bytecode file, you must ensure that there is already a debugging process opened, or else it may extremely brings on a running error or exception!

1.5  About

OllyMachine is a free software, I reserved its copyright, but not for other rights.

1.6  History

[2004-12-07] 0.20 version.

1. Added: four new APIs:

   • WriteMemHexes

   • ReadFileIntoMem

   • VirtualAllocEx

   • VirtualFreeEx

2. Added: process flags CF, PF, AF, ZF, SF, DF, OF, for example:

   not cf
   mov zf, 0
   mov pf, 1
   

3. Added: you can call OllyMachine from your plugin:

   HMODULE hOMDll;
   typedef void (__cdecl *RUNOMFILE)(const char *);
   RUNOMFILE RunOMFile;
   
   hOMDll = GetModuleHandle("OllyMachine.dll");
   // Check that the other plugin is present and loaded
   if (hOMDll)
   {
       // Get address of exported function
       RunOMFile = (RUNOMFILE)GetProcAddress(hOMDll, "RunOMFile");
       // Check that the other plugin exports the correct function
       if (RunOMFile)
       {
           RunOMFile("test.oms");  // Execute script
           RunOMFile("test.omb");  // Execute binary
       }
   }
   

4. Fixed: another slash bug in double quotation string.

5. Fixed: a bug: some arithmetic instructions such as sub, mul, ... didn't process OllyDbg's registers.

[2004-12-01] 0.19 version.

1. Added: one new output API:

   • UpdateDumpBuf

2. Added: three new breakpoint APIs:

   • EOBINT3

   • EOBHW

   • EOBMEM

[2004-11-30] 0.18 version.

1. Added: two new search APIs:

   • ReverseFind

   • ReverseSearch

2. Added: two new replace APIs:

   • CopyBytesTo

   • ReplaceBytesEx

3. Fixed: a bug in API "Search".

[2004-11-29] 0.17 version.

1. Fixed: embedded asm, I rewrite the lexer and parser, and fixed several bugs.

2. Fixed: in the versions front, OllyMachine.ini will be kept in the main directory of OllyDbg, now I fix it to the same directory of OllyMachine.dll.

3. Fixed: an exception synchronization bug in VM.

[2004-11-28] 0.16 version.

1. Added: embedded asm: __asm { }

2. Added: three new APIs:

   • IsWinNTKernel

   • GotoCpuAddr

   • GotoDumpAddr

[2004-11-27] 0.15 versioin.

1. Added: one new searching API:

   • Search

2. Added: two new running APIs:

   • StepIntoS

   • StepOverS

3. Added: five debug assistant APIs:

   • FindProcBegin

   • FindProcEnd

   • FindPrevProc

   • FindNextProc

   • FollowCall

[2004-11-26] 0.14 version.

1. Added£ºtwo new output APIs:

   • PrintBufToDump

   • PrintBufToNewDump

2. Activated: DumpAsPE£¬but current version could not fix import table yet. (special thanks to Blue)

3. Fixed: Slash bug in double quotation string.

[2004-11-24] 0.13 version.

1. Added: Buffer APIs:

   • malloc

   • free

   • strcpy

   • strcat

   • strlen

   • ltoa

   • memcpy

2. Added: When compiling, if .omb file already exists, prompt user to confirm overwriting.

3. Fixed: Wrong GetProcAddress's return value.

4. Fixed: int3 and memory breakpoint's synchronization bug in VM.

[2004-11-23] 0.12 version.

1. Added: directly quote string, example: invoke Msg, "Hello!"

2. Added: Find, supports wildcards.

3. Added: HideOD and UnHideOD, also available in Windows XP Sp2.

4. Modified: ReadMemLong and WriteMemLong.

5. Fixed: "Recent Files" sometimes will not update while OD exits.

6. Fixed: Bugs in FindOpcode and ReplaceBytes.

[2004-11-21] 0.11 version.

1. Added: invoke macro for API invoking.

2. Added: "Recent Files" menu. (thanks to pll621)

3. Fixed: a bug in VM synchronization.

[2004-11-15] 0.10 version.

1.7  Contact

Author: Luo Cong
Address: Kingsoft Antivirus Engine Team, ZhuHai, GuangDong Province, China
Zip: 519015
Homepage: http://www.luocong.com
E-Mail: admin[AT]luocong.com