OllyMachine is made up of an assembler and a 32-bit Virtual Machine. Its kernel is a register machine with a stack, a register set and a corresponding addressing scheme, similar to the x86 CPU.
OllyMachine is a 32-bit Virtual Machine, so its valid address space is:
signed value : -2GB to +2GB
unsigned value : 0 to 4GB
But of course, we are in the real world! :-) Most of us do not have that much physical memory, so this is only a theoretical value.
In the OllyMachine Virtual Machine there are 83 general registers and 3 hidden registers. Among them:
reg00, reg01, reg02 ... reg64, FreeBufferReg, FreeBufferSizeReg
The 67 registers above can be used freely by programmers. FreeBufferReg and FreeBufferSizeReg have particular uses, which we will cover later.
Another 9 registers are:
eax, ecx, edx, ebx, esp, ebp, esi, edi, eip
These 9 registers are a little special. They exist because, when I designed OllyMachine, I felt there had to be a much easier way for programmers to move between OllyMachine and OllyDbg, so I declared these 9 registers with the same names as the x86 CPU's; every operation on them is applied directly to the process OllyDbg is currently debugging.
The remaining 7 registers are:
CF, PF, AF, ZF, SF, DF, OF
These 7 registers map to OllyDbg's eflags register. For example:
not cf
mov zf, 0
mov pf, 1
In addition, there are 2 hidden registers for OllyMachine's internal CPU: eip and esp. Eip is the instruction pointer register and esp is the stack pointer register. But DO NOT confuse these 2 registers with the 9 registers above! They belong to OllyMachine's internal CPU! I chose the names simply because of my fondness for the x86 CPU architecture.
There is also a hidden flags register called EFlags in the OllyMachine internal CPU. It has two flags:
CF (Carry Flag) : Set if an arithmetic operation generates a carry or a borrow out of the most-significant bit of the result; cleared otherwise. This flag indicates an overflow condition for unsigned-integer arithmetic.
ZF (Zero Flag) : Set if the result is zero; cleared otherwise.
OllyMachine has a suite of its own opcodes; its interface to programmers is an assembly-like language called OllyMachine Script.
Before running the opcodes, OllyMachine first uses its internal assembler to assemble source code into bytecode. Here is its working flow:
Once the assembler has generated the bytecode, it can be sent to the Virtual Machine to run.
So OllyMachine's working flow is actually separated into two steps:
Assemble source codes to bytecodes
Run bytecodes in Virtual Machine
Therefore we can assemble source code beforehand; after that it is faster to have OllyMachine run the bytecode file directly, without assembling the source code again.
OllyMachine has an internal two-pass LL(1) assembler. If the source code has errors, they will be found and reported, as in the following example:
Source:
mov reg00, reg73    // Error: "reg73" is invalid
inc reg00
inc reg00, 1        // Error: "inc" doesn't need second operand
exit:               // Warning: unreferenced label
OllyMachine's internal assembler will tell us:
We'll see that errors and warnings have been found in lines 1, 1, 3, 5, and the reason for each error or warning is given.
If exceptions occur at run time (e.g. division by zero), they will be captured.
Let's see an example:
mov reg00, 9
mov reg01, 3
sub reg01, 3        // now reg01 is 0
div reg00, reg01    // oh shit!
Holy...!!!
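To make the two-step flow concrete (assembler diagnostics per source line, then the VM capturing a division by zero and tracking the hidden CF/ZF flags), here is a small Python model of both steps. It is an added example, not OllyMachine's own code: it handles only an illustrative subset of instructions (mov, sub, div, inc), assumes mov leaves the hidden EFlags untouched, and ignores labels.

```python
import re
# Operand names from the page (case-insensitive): reg00..reg64, the two buffer
# registers, the 9 x86-named registers and the 7 OllyDbg eflag registers.
NAMES = ({f"reg{i:02d}" for i in range(65)} | {"freebufferreg", "freebuffersizereg"}
         | {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi", "eip"}
         | {"cf", "pf", "af", "zf", "sf", "df", "of"})
ARITY = {"mov": 2, "sub": 2, "div": 2, "inc": 1}  # illustrative subset, not the full opcode set
MASK = 0xFFFFFFFF                                  # 32-bit machine

def assemble(src):
    """Step 1: turn script text into (line, op, operands) tuples, reporting errors per line."""
    prog, errors = [], []
    for n, raw in enumerate(src.splitlines(), 1):
        line = raw.split("//")[0].strip()          # strip trailing // comment
        if not line: continue
        op, _, rest = line.partition(" ")
        op, ops = op.lower(), [o.strip().lower() for o in rest.split(",") if o.strip()]
        if op not in ARITY:
            errors.append((n, f'"{op}" is not an instruction'))
        elif len(ops) != ARITY[op]:
            errors.append((n, f'"{op}" takes {ARITY[op]} operand(s), got {len(ops)}'))
        else:  # destination must be a register; an immediate is only valid as source
            bad = [o for i, o in enumerate(ops)
                   if o not in NAMES and not (i and re.fullmatch(r"-?\d+", o))]
            errors += [(n, f'"{o}" is invalid') for o in bad]
            if not bad:
                prog.append((n, op, ops))
    return prog, errors

def run(prog):
    """Step 2: execute the tuples; returns (registers, hidden eflags, captured error)."""
    regs = dict.fromkeys(NAMES, 0)
    eflags = {"CF": 0, "ZF": 0}                    # the VM's own hidden flags register
    val = lambda o: regs[o] if o in regs else int(o) & MASK
    for n, op, ops in prog:
        d = ops[0]
        try:
            if op == "mov":
                regs[d] = val(ops[1]); continue    # assumed: mov does not touch eflags
            if op == "inc":
                eflags["CF"] = int(regs[d] == MASK); regs[d] = (regs[d] + 1) & MASK
            elif op == "sub":
                b = val(ops[1]); eflags["CF"] = int(regs[d] < b)  # borrow out of MSB
                regs[d] = (regs[d] - b) & MASK
            elif op == "div":
                regs[d] //= val(ops[1])            # unsigned; ZeroDivisionError is captured
        except ZeroDivisionError:
            return regs, eflags, f"line {n}: division by zero"
        eflags["ZF"] = int(regs[d] == 0)
    return regs, eflags, None
```

Feeding the page's two scripts (minus the label line) through assemble() and run() reproduces the "reg73" and "inc" diagnostics and the captured division by zero on line 4.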