OllyScript Tutorial

Hello.

This article is written for newbie reversers who want to create an OllyDbg script to automate tasks in OllyDbg.

Introduction:

OllyScript is a plugin for OllyDbg that lets you automate some tasks via a script. Several scripts exist to automate the identification of the OEP (original entry point) in a packed executable. You can find a lot of scripts on the internet. Tuts4you is one of the best communities for the latest scripts. Basically, OllyScript is best for a newbie who wants to unpack a program using a script found on the internet.

What is OllyScript?

OllyScript is a plugin for OllyDbg, which is, in my opinion, the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. OllyScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using this plugin you can write a script once and for all. 

Example Script:

I am posting a short script for unpacking a UPX-packed program. I have also described why I used each command in the script.
This is the simplest OllyScript tutorial to demonstrate how to write an OllyDbg script.

var hwdBP                      // Local variable to store the hardware breakpoint address
var softBP                     // Local variable to store the software breakpoint address
sti                            // Step into (F7 command)
findop eip, #61#               // Find the next POPAD (opcode 61)
mov hwdBP, $RESULT             // Store $RESULT in the hardware breakpoint variable
bphws hwdBP, "x"               // Set a hardware breakpoint (execute) on that POPAD
run                            // Run (F9 command) until the POPAD is reached
findop eip, #E9????????#       // Find the next JMP (opcode E9 plus a 4-byte offset)
mov softBP, $RESULT            // Store $RESULT in the software breakpoint variable
bp softBP                      // Set a software breakpoint on that JMP
run                            // Run to the JMP instruction
sti                            // Step into the OEP
cmt eip, "<<>>"                // Add a comment at the current EIP
msg "OEP found, you can dump the file starting from this address"
ret                            // End of script

This is an example script. It can find the OEP of a UPX-packed program. You then just have to dump it and fix it.
I have also attached the link to a Help file where you can find the list of all OllyScript commands. Comments are most welcome. You can ask about anything you didn't understand.
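
The same search done statically, as an added example in Python (not part of the original post or of OllyScript): it scans a constructed UPX-style stub for POPAD and the following E9 JMP, then computes where that JMP lands, which is the address the script reaches with its last sti. The stub bytes, STUB_BASE and all function names are assumptions made for illustration.

```python
import struct

# Constructed sample: the tail of a UPX-style stub, assumed to sit at STUB_BASE.
# PUSHAD; MOV ESI,imm32; NOP; NOP; POPAD; LEA; PUSH 0; CMP; JNZ; SUB ESP,-80h; JMP rel32
STUB_BASE = 0x00407000
STUB = bytes.fromhex("60 BE00604000 9090 61 8D442480 6A00 39C4 75FA 83EC80 E9E59FFFFF")

def parse_pattern(pattern):
    """'#E9????????#' -> [0xE9, None, None, None, None]; None is a wildcard byte."""
    body = pattern.strip("#")
    if not body or len(body) % 2:
        raise ValueError("pattern must be a whole number of bytes")
    pairs = [body[i:i + 2] for i in range(0, len(body), 2)]
    return [None if p == "??" else int(p, 16) for p in pairs]

def find_pattern(data, pattern, start=0):
    """Offset of the first match at or after start, or -1 if there is none.
    This is a raw byte scan: it can also match inside another instruction's operand."""
    pat = parse_pattern(pattern)
    for off in range(start, len(data) - len(pat) + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pat)):
            return off
    return -1

def find_tail_jump(data, base, start=0):
    """Return (popad_va, jmp_va, target_va), or None when either search fails."""
    popad = find_pattern(data, "#61#", start)
    if popad < 0:
        return None
    jmp = find_pattern(data, "#E9????????#", popad + 1)
    if jmp < 0:
        return None
    rel32 = struct.unpack_from("<i", data, jmp + 1)[0]   # signed 32-bit displacement
    target = (base + jmp + 5 + rel32) & 0xFFFFFFFF       # relative to the next instruction
    return base + popad, base + jmp, target

if __name__ == "__main__":
    hit = find_tail_jump(STUB, STUB_BASE)
    print("no POPAD/JMP pair found" if hit is None else
          "POPAD at %08X, JMP at %08X, jumps to %08X" % hit)
```

A None result corresponds to the case where a search in the script finds nothing, so the breakpoint that follows would not be placed on a valid address.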

OllyScript Tutorial Reviewed by Amado Best on December 03, 2020 Rating: 5
