-------------------------------
ODbgScript english plugin by E3
site : http://odbgscript.sf.net
-------------------------------

1. About OllyScript and ODbgScript
2. Status
 2.1 What's new?
3. Documentation
 3.1 Language
  3.1.1 Reserved variables
  3.1.2 Commands
 3.2 Labels
 3.3 Comments
 3.4 Menus
 3.5 Script Window
4. Integration with other plugins
5. Contact me
6. License and source code
7. Thanks!

------------------------------

1. About ODbgScript
-------------------
ODbgScript is a plugin for OllyDbg, which is, in our opinion, 
the best application-mode debugger out there. One of the best 
features of this debugger is the plugin architecture which allows 
users to extend its functionality. ODbgScript is a plugin 
meant to let you automate OllyDbg by writing scripts in an 
assembly-like language. Many tasks involve a lot of repetitive 
work just to get to some point in the debugged application. By 
using this plugin you can write a script once and for all. 

------------------------------

2. Status
----------------------------

NOT IMPORTANT

------------------------------

3. Documentation
----------------
Example script (sample.osc) is available with this release. 
The script will break on LoadLibrary call to debug a SHELL32.DLL function. 
Try it on mspaint.exe

3.1 Language
------------
The scripting language of OllyScript is an assembly-like language.

In the document below, src and dest can be (unless stated otherwise):
 - Constant in the form of a hex number without prefixes and suffixes, with leading 0 (i.e. 00FF, not 0x00FF or 00FFh)
   For decimal values, use the point (i.e. 100. 128.)
 - Variable previously declared by VAR, or are declared with MOV
 - A 32-bit registers (one of EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP).
   A 16-bit register (one of AX, BX, CX, DX, SI, DI, BP, SP)
   A 8-bit register (one of AL, AH, ... DL, DH)
 - A memory reference in square brackets (i.e. [401000] points to the memory at address 401000, 
	[ecx] points to the memory at address ecx).
 - A flag with an exclamation mark in front (one of !CF, !PF, !AF, !ZF, !SF, !DF, !OF)
 - Sometimes byte strings are required. Those are scripted as #6A0000# (values between two #) and 
	must have an even number of characters.
   Some byte strings can contain the wildcard '?', for example #6A??00# or #6?0000#
 - A combination of these values with operators:

You can use operators in your scripts, +-*/&|^>< for dword and + to concatenate strings.
 - Operators > and < are shr and shl (>> and << in C/C++)
 - Operator ^ is XOR 
 - Operator & is AND
 - Operator | is OR

3.1.1 Reserved variables
------------------------

$RESULT
-------
Return value for some functions like FIND etc.
$RESULT_1 and $RESULT_2 are available for some commands.

$VERSION
--------
Contains current version of OllyScript
Example
	cmp $VERSION, "0.8"
	ja version_above_08

3.1.2 Commands
--------------

#INC file
---------
Include a script file in another script file
Example:
	#inc "anotherscript.txt"
	
#LOG
----
Enable logging of executed commands.
The commands will appear in OllyDbg log window, and will be prefixed with -->
Example:
	#log

ADD dest, src
-------------
Adds src to dest and stores result in dest
Example: 
	add x, 0F
	add eax, x
	add [401000], 5
	add y, " times" // If y was 1000 before this command then y is "1000 times" after it

AI
--
Execute "Animate into" in OllyDbg
Example:
	ai

ALLOC size
----------
Allocate new memory page, you can read/write and execute.
Example
    alloc 1000
	free $RESULT, 1000

AN addr
-------
Analyze module which contains the address addr.
Example:
	an eip // Same as pressing CTRL-A

AND dest, src
-------------
AND's src and dest and stores result in dest
Example: 
	and x, 0F
	and eax, x
	and [401000], 5

AO
--
Executes "Animate over" in OllyDbg
Example:
	ao

ASK question
------------
Display an input box with the specified question and lets user enter a response.
Sets the reserved $RESULT variable (0 if cancel button was pressed).
You have also the length in $RESULT_1 (divided by 2 for hex entries)
Example:
	ask "Enter new EIP"
	cmp $RESULT, 0
	je cancel_pressed
	mov eip, $RESULT
	
ASM addr, command [,version]
----------------------------
Assemble a command at some address. 
Change version number (0,1,...) to get alternative code bytes, if possible.
Returns bytes assembled in the reserved $RESULT variable
Example:
	asm eip, "mov eax, ecx"

ASMTXT addr, file
-----------------
Assemble a text asm file at some address.
Example:
	asmtxt EIP, "myasm.txt"

ATOI str [, base=16.]
-----------------
Convert a string to integer
Returns the integer in the reserved $RESULT variable
Example:
	atoi "F"
	atoi "10", 10.

BACKUP addr [,base,size]
------------------------
Like OPENDUMP, create a Dump Window with data at address.
But this dump window keeps a backup of data, which can be used to view changes
$RESULT is the HWND of window, for future use
Note: If you are looking to save data in a file, see the DM function (Dump Memory)
Example:
	BACKUP esp
	STO
	STO

BC [addr]
---------
Clear unconditional breakpoint at addr.
Without parameter, the command clears all loaded breakpoints 
Example:
	bc 401000
	bc x
	bc eip

BD [addr]
---------
Disable breakpoint at addr.
Without parameter, the command disables all loaded breakpoints 
Example:
	bp 401000
	BD 401000

BEGINSEARCH [start] {commands} ENDSEARCH
----------------------------------------
Create a Copy of Debugged App Memory, Find commands will use this data faster.
You need to use ENDSEARCH before writing to memory and to free this memory copy.
Optimization time is 20% for 5000 loops... but could maybe be optimized
Example:
	mov count, 0
	mov start, eip
	beginsearch start
  next:
	find #00#, start
	cmp $RESULT,0
	je end
	mov start, $RESULT+1
	add count, 1
	jmp next
  end:
	endsearch
	msg count

BP addr  (ubp)
--------------
Set unconditional breakpoint at addr.
Example:
	bp 401000
	bp x
	bp eip

BPCND addr, cond
----------------
Set breakpoint on address addr with condition cond.
Example:
	bpcnd 401000, "ECX==1"

BPD callname
------------
Remove breakpoint on dll call set by BPX

BPGOTO addr, label
------------------
Automatic Jump at label on Breakpoint (Standard(INT3) and Hardware).
EOB Like Command
Example:
	bphws addr
	bpgoto addr, MyLabel
  NextBP:
	RUN
	...
  MyLabel:
	...
	jmp NextBP

BPHWC [addr]
------------
Delete hardware breakpoint at a specified address.
Without address, clear all hardware breakpoints.
Example:
	bphwc 401000
	
BPHWS addr, [mode]
------------------
Set hardware breakpoint. Mode can be "r" - read, "w" - write or "x" - execute (default).
Example:
	bphws 401000, "x"
	
BPL addr, expr
--------------
Sets logging breakpoint at address addr that logs expression expr
Example:
	bpl 401000, "eax" // logs the value of eax everytime this line is passed
	
BPLCND addr, expr, cond
-----------------------
Sets logging breakpoint at address addr that logs expression expr if condition cond is true
Example:
	bplcnd 401000, "eax", "eax > 1" // logs the value of eax everytime this line is passed and eax > 1
	
BPMC
----
Clear the memory breakpoint.
Example:
	bpmc

BPRM addr, size
---------------
Set memory breakpoint on read. Size is size of memory in bytes.
Example:
	bprm 401000, FF

BPWM addr, size
---------------
Set memory breakpoint on write. Size is size of memory in bytes.
Example:
	bpwm 401000, FF

BPX callname
------------
Set breakpoint on every api calls found in current module.
Then you can clear these breakpoints with BPD
Example:
	bpx "GetModuleHandleA"

BUF var
-------
Converts string/dword variable to a Buffer
Example: 
	mov s, "123"
	buf s
	log s // output #313233#

CALL label
----------
to call Labels (use RET to return)


   
CLOSE window
------------
Close an Ollydbg MDI window
window parameter can be a constant or a HWND (like $RESULT of OPENDUMP/BACKUP).
 SCRIPT, SCRIPTLOG, LOG, CPU
 MODULES, MEMORY, THREADS, BREAKPOINTS
 REFERENCES, SOURCELIST, WATCHES
 WINDOWS, PATCHES, RUNTRACE, CALLSTACK
 TEXT, FILE, HANDLES, SEH, SOURCE

CMP dest, src [,size]
---------------------
Compares dest and src. Works like its ASM counterpart.
see SCMP to compare strings or memory data
Example: 
	cmp y, x
	cmp eip, 401000
	je label
	cmp cx, x, 2
	je label

CMT addr, text
--------------
Inserts a comment at the specified address
Example:
	cmt eip, "This is the entry point"

COB
---
Makes script continue execution after a breakpoint has occured (removes EOB)
Example:
	COB

COE
---
Makes script continue execution after an exception has occured (removes EOE)
Example:
	COE

DBH
---
Hides debugger against kernel32!IsDebuggerPresent()
(Note that's done through [BYTE [[FS:18]+30]+2] = 0)

Example:
	dbh

DBS
---
Unhides debugger so kernel32!IsDebuggerPresent() will find it.
(Note that's done through [BYTE [[FS:18]+30]+2] = 1)

Example:
	dbs

DEC var
-------
Subtracts 1 from variable
Example:
	dec v

DIV op1, op2
------------
Sets op1 with op1/op2
Example:
	div var, 2

DM addr, size, file
-------------------
Dumps memory of specified size from specified address to specified file (default path set from opened app.)
Example:
	dm 401000, 1F, "c:\dump.bin"

DMA addr, size, file
--------------------
Dumps memory of specified size from specified address to specified file appending to that file if it exists
Example:
	dma 401000, 1F, "c:\dump.bin"

DPE filename, ep
----------------
Dumps the executable to file with specified name.
Entry point is set to ep.
Path is relative to the path of the currently loaded executable.
Notes: * uses PEFileInfo.dwSizeOfImage
  * Applies dumpfix to PE.sectionHdr
    (PointerToRawData = VirtualAddress
        SizeOfRawData = VirtualSize)
Example:
	dpe "c:\test.exe", eip

EOB label
---------
Transfer execution to some label on next breakpoint.
(see BPGOTO command to assign a label to a breakpoint)
Example:
	eob SOME_LABEL

EOE label
---------
Transfer execution to some label on next exception.
Example:
	eob SOME_LABEL

ERUN   [formerly ESTO]
----------------------
Executes SHIFT-F9 in OllyDbg. Run with Ignore Exceptions
Note: Was ESTO before, but the command is depreciated
Example:
	erun

ESTEP
-----
Executes SHIFT-F8 in OllyDbg. Step Over ignoring Exceptions.
Example:
	estep

ESTI
----
Executes SHIFT-F7 in OllyDbg. Step Into ignoring Exceptions.
Example:
	esti

EVAL
----
Evaluates a string expression that contains variables.
The variables that are declared in the current script can be enclosed in curly braces {} to be inserted.
Sets the reserved $RESULT variable
Example:
	var x
	mov x, 1000
	eval "The value of x is {x}" // after this $RESULT is "The value of x is 1000"

EXEC/ENDE
---------
Executes instructions between EXEC and ENDE in the context of the target process.
Values in curly braces {} are replaced by their values.
PUSHA / POPA commands could be useful when you use this.
Examples:
	// This does some mov's
	mov x, "eax"
	mov y, DEADBEEF
	exec
		mov {x}, {y} // mov eax, 0DEADBEEF will be executed
		mov ecx, {x} // mov ecx, eax will be executed
	ende

	// This calls ExitProcess in the debugged application
	exec
		push 0
		call ExitProcess
	ende
	ret

FILL addr, len, value
---------------------
Fills len bytes of memory at addr with value
Example:
	fill 401000, 10, 90 // NOP 10h bytes

FIND addr, what
---------------
Searches memory starting at addr for the specified value.
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
The search string can also use the wildcard "??" (see below).

Example:
	find eip, #6A00E8# // find a PUSH 0 followed by some kind of call
	find eip, #6A??E8# // find a PUSH 0 followed by some kind of call

FINDCALLS addr [,name]
----------------------
Find all intermodular calls (dll calls) in the disasm area.
You can filter results by label (case insensitive) with the optionnal second parameter.
Reference Window is used and its content changed
Then can use GREF to get results count and retrieve them.

Example:
	findcalls eip, "exit"
	gref
	msg $RESULT

FINDCMD addr, cmdstr
--------------------
Search for asm command(s), you can search for series also with ";" separator.
This command uses "Search for All Sequences" Ollydbg function so could find relative calls/jmp
Reference Window is used and its content changed
You can use GREF to get next results in disasm window range

Example 1:
	mov line,1
	findcmd eip, "xor R32,R32"
  next:
	gref line
	cmp $RESULT,0
	je finished
	inc line
	jmp next
  finished:

Example 2:
	findcmd 401000, "nop;nop;nop"
	msg $RESULT


FINDCMDS (this function name could be deleted in future versions)
--------
Same as FINDCMD

FINDOP addr, what [, maxsize]
-----------------
Searches code starting at addr for an instruction that begins with the specified bytes. 
It sets the reserved $RESULT variable to the start of the found instruction. If $RESULT == 0 nothing was found.
The search string can also use the wildcard "??" (see below).
Use maxsize to limit that search range.
Examples:
	findop 401000, #61# // find next POPAD
	findop 401000, "1" // = #61#
	findop 401000, #6A??# // find next PUSH of something


FINDOPPREV addr, what
-----------------
Searches code backwards starting at addr for an instruction that begins with the specified bytes. 
It sets the reserved $RESULT variable to the start of the found instruction. If $RESULT == 0 nothing was found.
The search string can also use the wildcard "??" (see below).
Example:
	findop FINDOPPREV, #68??????00# // find next PUSH 00xxxxxx backwards



FINDMEM what [, StartAddr]
--------------------------
Searches whole memory for the specified value.
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
The search string can also use the wildcard "??" (see below).
Example:
	findmem #6A00E8# // find a PUSH 0 followed by some kind of call
	findmem #6A00E8#, 00400000 // search it after address 0040.0000

FREE addr [, size]
------------------
Free memory block allocated by ALLOC (or not). 
If size not given, drop whole memory block.
Example
    alloc 1000
	free $RESULT

GAPI addr #BETA#
---------
## Chinese Translation ## 
Obtains the code place API call information
The API information saves in preservation variable $RESULT.
If the symbolic name is a API function, then
$RESULT saves the API information
$RESULT_1 save link base/storehouse (for instance kernel32)
$RESULT_2 save symbolic name (for instance ExitProcess).
$RESULT_3 save calling location (for instance call xxxxx)
$RESULT_4 save destination

Notice: This and the GN difference is GN must point to the IAT address
But GAPI gives the code address to be possible directly to obtain API
Also has, if you have gotten down the software break point in here, please first clear the break point to use this sentence again, because the software break point modified the code is CC
If here does not clear here the software break point, will create this not to be able the very good recognition.
Example:
	GAPI 401000 (call kernel32.ExitProcess)
	GAPI the EIP // examined whether the current code is API calls, is not then returns to 0

GBPM (beta)
----
Get last memory breakpoint address, affects $RESULT with dword value
 
GBPR
----
Get last breakpoint reason, affects $RESULT with dword value
Example:
	GBPR
	cmp $RESULT, 10
	je SelectNormalBP
	cmp $RESULT, 20
	je SelectMemBP
	cmp $RESULT, 40
	je SelectHwBP
	jmp NextBP

GCI addr, info
--------------
Get Command Information of asm instruction at "addr".
"info" specifies what data should be returned in $RESULT:
	- COMMAND for asm command string (like OPCODE)
	- CONDITION {disasm.condition}
	- DESTINATION for Destination of jump/call/return
	- SIZE for number of command bytes
	- TYPE for asm command string (one of C_xxx, see OllyDbg Plugin API)
Example:
	GCI eip, DESTINATION

GCMT addr
---------
Get the comment, automatic comment or analyses comment at specified code address

GMA name, info
--------------
Call GMI, but parameter is short name of the module
Example:
	GMA "KERNEL32", MODULEBASE

GFO addr
--------
Get File Offset of address

GLBL addr
---------
Get Label at address

GMEMI addr, info
----------------
Get information about a memory block to which the specified address belongs.
"info" can be MEMORYBASE, MEMORYSIZE or MEMORYOWNER (if you want other info in the future versions plz tell me).
Sets the reserved $RESULT variable (0 if data not found).
Example:
	GMEMI addr, MEMORYBASE // After this $RESULT is the address to the memory base of the memory block to which addr belongs

GMEXP moduleaddr, info, [num]
-----------------------------
Get Export Address and Names in a module
info can be ADDRESS, LABEL, COUNT
Example:
	gma "KERNEL32", MODULEBASE
	mov addr, $RESULT
	GMEXP addr, COUNT
	log $RESULT
	GMEXP addr, LABEL, 1
	log $RESULT
	GMEXP addr, ADDRESS, 1
	log $RESULT

GMI addr, info
--------------
Get information about a module to which the specified address belongs.
"info" can be :
MODULEBASE, MODULESIZE, CODEBASE, CODESIZE, MEMBASE, MEMSIZE, 
ENTRY, NSECT, DATABASE, RELOCTABLE, RELOCSIZE
RESBASE, RESSIZE, IDATABASE, IDATATABLE, EDATATABLE, EDATASIZE
and strings NAME, PATH, VERSION
 (if you want other info in the future versions plz tell me).
Sets the reserved $RESULT variable (0 if data not found).
Example:
	GMI eip, CODEBASE // After this $RESULT is the address to the codebase of the module to which eip belongs

GMIMP moduleaddr, info, [num]
-----------------------------
Get Import address and names in a module
info can be ADDRESS, LABEL, MODULE, NAME, COUNT
if LABEL results string like "KERNEL32.CopyFileEx"
MODULE results "KERNEL32"
NAME results "CopyFileEx"
Example:
	gma "USER32", MODULEBASE
	mov addr, $RESULT
	GMIMP addr, COUNT
	log $RESULT
	GMIMP addr, LABEL, 1
	log $RESULT
	GMIMP addr, ADDRESS, 1
	log $RESULT

GN addr
-------
Get the symbolic name of specified address (ex the API it points to)
Set the reserved $RESULT variable to the name. If that name is an API
$RESULT_1 is set to the library (ex kernel32) and $RESULT_2 to the name of the API (ex ExitProcess).
Example:
	gn 401000
	
GO addr
-------
Execute to specified address (like G in SoftIce)
Example:
	go 401005

GOPI addr, index, info
----------------------
Get information about operands of asm command

"index" is between 1 and 3

"info" can be :
	- TYPE Type of operand (extended set DEC_xxx, see OllyDbg Plugin API)
	- SIZE Size of operand, bytes
	- GOOD Whether address and data valid
	- ADDR Address if memory, index if register
	- DATA Actual value (only integer operands)

Example:
	GOPI eip, 1, SIZE

GPA proc, lib, [0,1]
--------------------
Get the address of the specified procedure in the specified library.
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
Useful for setting breakpoints on APIs.
Set third param to 1 if you want to keep library in memory
Example:
	gpa "MessageBoxA", "user32.dll" // After this $RESULT is the address of MessageBoxA and you can do "bp $RESULT".

GPP proc, lib, [0,1] 
--------------------
Calls GPA and tries to find API parameters count and types of the API
$RESULT   = ref->addr
$RESULT_1 = disasm.result //command text
$RESULT_2 = disasm.comment

GPI key
-------
Get process information, one of :
HPROCESS, PROCESSID, HMAINTHREAD, MAINTHREADID, MAINBASE, PROCESSNAME, EXEFILENAME, CURRENTDIR, SYSTEMDIR

GREF [line]
-----------
Get Address from Reference Window at Line. First line is 1 because 0 is CPU Initial EIP.
Without parameter, GREF results the Reference Window number of entries.
Example:
	FINDCMD "push eax"
	GREF 1
	msg $RESULT
	GREF 2
	msg $RESULT

GRO addr
--------
Get Relative Offset
When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.

GSL [where]
-----------
Get Selection Limits
returns START/END addresses and SIZE from currently selected line(s) in CPUASM | CPUDUMP | CPUSTACK window in $RESULT, $RESULT_1 & $RESULT_2
arg can be either : CPUDASM, CPUDUMP, CPUSTACK. Default is CPUDASM
Example:
	gsl CPUDUMP

GSTR addr, [arg1]
-----------------
Get String returns a null terminated string from addr, the string is at least arg1 characters
returns in
- $RESULT    : the string
- $RESULT_1  : len of string
Example:
	gstr 401000     ; arg1 in this case is set to default (2 chars)
	gstr 401000, 20 ; must be at least 20 chars

GSTRW addr, [arg1]
------------------
Get String returns a unicode string from addr, the string is at least arg1 characters
returns in
- $RESULT    : the string (ascii)
- $RESULT_1  : len of string
- $RESULT_2  : unicode string
Example:
	gstrw 401000     ; arg1 in this case is set to default (2 chars)
	gstrw 401000, 20 ; must be at least 20 chars

HANDLE x, y, class
------------------
Returns the handle of child window of specified class at point x,y (remember: in hex values).

HISTORY (0,1)
-------------
Enable or Disable Value history in Script Progress Window, could optimize loops
Example:
	history 0 //disable
	history 1 //enable

INC var
-------
Adds 1 to variable
Example:
	inc v

ITOA n [, base=16.]
-------------------
Convert an integer to string
Returns the string in the reserved $RESULT variable
Example:
	itoa F
	itoa 10., 10.

JA label (JG)
--------
Use this after cmp. Works like its asm counterpart.
Example:
	ja SOME_LABEL

JAE label (JGE)
---------
Use this after cmp. Works like its asm counterpart.
Example:
	jae SOME_LABEL

JB label
--------
Use this after cmp. Works like its asm counterpart.
Example:
	jb SOME_LABEL

JBE label
---------
Use this after cmp. Works like its asm counterpart.
Example:
	jbe SOME_LABEL

JE label (JZ)
--------
Use this after cmp. Works like its asm counterpart.
Example:
	je SOME_LABEL

JMP label
---------
Unconditionally jump to a label.
Example:
	jmp SOME_LABEL

JNE label (JNZ)
---------
Use this after cmp. Works like its asm counterpart.
Example:
	jne SOME_LABEL

KEY vkcode [, shift [, ctrl]]
--------------------------
Emulate global keyboard shortcut.
Example:
	key 20
	key 20, 1 //Shift+space
	key 20, 0, 1 //Ctrl+space

LBL addr, text
--------------
Insert a label at the specified address
Example:
	lbl eip, "NiceJump"

LC
--
Clear Main Log Window

LCLR
----
Clear Script Log Window

LEN str
-------
Get length of a string
Example:
	len "NiceJump"
	msg $RESULT

LM addr, size, filename
-----------------------
Load dump file into memory
LM is the opposite of the DM command
Example:
	;whole file
	lm 401000, 0, "test.bin"
	;first 0x100 bytes
	lm 401000, 100, "test.bin"

LOADLIB dllname
---------------
Load a dll into debugged program memory
Could be useful to set breakpoints on dynamically loaded library
Returns address of loaded library
Example:
	pusha
	loadlib "user32.dll"
	popa
  
LOG src [,prefix]
-----------------
Log src to OllyDbg log window.
If src is a constant string the string is logged as it is.
If src is a variable or register its logged with its name.
You can replace default prefix with the optional second parameter.
Example:
	log "Hello world" // The string "Hello world" is logged
	var x
	mov x, 10
	log x // The string "x: 00000010" is logged.
	log x, "" // The string "00000010" is logged.

LOGBUF var [,linecount [,separator]]
------------------------------------
Logs a string or buffer like a memory dump, useful for long data

MOV dest, src [,size]
---------------------
Move src to dest.
Src can be a long hex string in the format #<some hex numbers>#, for example #1234#.
Remember that the number of digits in the hex string must be even, i.e. 2, 4, 6, 8 etc.
Example: 
	mov x, 0F
	mov y, "Hello world"
	mov eax, ecx
	mov [ecx], #00DEAD00BEEF00#
	mov !CF, 1
	mov !DF, !PF
	mov [403000], "Hello world"

MEMCPY dest,src,size
--------------------
Copy app. memory from "src" address to "dst" address.
This function is same as mov [dst],[src],size
Example: 
	gma "OLE32",CODEBASE
	mov base, $RESULT
	gma "OLE32",CODESIZE
	mov size, $RESULT
	alloc size
	mov dst, $RESULT
	MEMCPY dst,base,size
	...
	free dst

MSG message
-----------
Display a message box with specified message
Example:
	MSG "Script paused"

MSGYN message
-------------
Display a message box with specified message and YES and NO buttons.
Sets the reserved $RESULT variable to 1 if YES is selected and 0 otherwise.
Example:
	MSGYN "Continue?"

MUL op1, op2
------------
Sets op1 with op1*op2
Example:
	mul op1, 10

NAMES addr
----------
Open names Window for module (Like Ctrl + N)
addr is the module address

NEG op
------
Assembly Operation "neg eax"

NOT op
------
Assembly Operation "not eax"

OLLY info
---------
Get information about ollydbg
"info" can be :
	- PID retrieve the Ollydbg Process ID
	- HWND retrieve the main Ollydbg HWND

Example:
	OLLY PID
	mov pid, $RESULT
	OLLY HWND
	mov hwnd, $RESULT

OR dest, src
------------
ORs src and dest and stores result in dest
Example: 
	or x, 0F
	or eax, x
	or [401000], 5

OPCODE addr
-----------
OPCODE set the $RESULT variable to the opcode bytes, $RESULT_1 variable to mnemonic opcode (i.e. "MOV ECX,EAX") 
and $RESULT_2 to the length of the opcode. 
If an invalid opcode appears, $RESULT_2 should be 0. 
addr is increased by the length of the opcode (disassemble command). 
With this function you can step forward through code. 
Example: 
	opcode 00401000

OPENDUMP addr [,base,size]
--------------------------
Create a new Dump Window with data at address.
$RESULT is the HWND of the new window, for future use (backup purpose)

OPENTRACE
---------
Opens run trace window

PAUSE
-----
Pauses script execution. Script can be resumed from plugin menu.
Example:
	pause

POP dw
------
Retrieve dword from stack

POPA
-----
RESTORE all registers from plugin memory (saved with PUSHA)

PREOP addr
----------
Get asm command line address just before specified address.
Attention: Will not give real executed command eip before the jump.
Example:
	preop eip

PUSH dw
-------
Add dword to stack

PUSHA
-----
Save all register in plugin memory (to be restored by POPA)
Stack is not used by this command

RBP [arg1]
----------
Restore Break Points
arg1 = may be STRICT or nothing
Restores all hardware and software breakpoints
if arg1 == 'STRICT', all soft bp set by script will be deleted and only those 
have been set before it runs will be restored.
If no argument set, previous soft bp will be appended to those set by script
Return in:
 - $RESULT number of restored swbp
 - $RESULT_1 number of restored hwbp
Example:
	rbp
	rbp STRICT


READSTR str, len
----------------
Copy len chars of str into $RESULT


REF addr, [LOCATION]
--------------------
REF addr works as "Find references to .. Selected command" and "Find references", Ctrl R, in OllyDbg.
Search LOCATION could be the MEMORY block (default), CODE of module, or whole MODULE
$RESULT variable is set to the first reference addr 
$RESULT_1 to the opcode (text asm command) 
$RESULT_2 to the comment (like reference window). 
Repeat "REF addr" until $RESULT=0 to get next refs
REF value counter is reset when addr changes or forced with addr = 0
Example:
	REF 0 // RESET REF
	continue:
		REF eip,CODE
		log $RESULT
		log $RESULT_1
		log $RESULT_2
	cmp $RESULT,0
	jne continue


REFRESH
-------
to redraw memory map, module, and disasm windows
(add in version 1.60)


RESET
-----
Reloads target (same as Ctrl+F2 in ollydbg)


REPL addr, find, repl, len
--------------------------
Replace "find" with "repl" starting at "addr" for "len" bytes.
Wildcards are allowed
Example:
	repl eip, #6a00#, #6b00#, 10
	repl eip, #??00#, #??01#, 10
	repl 401000, #41#, #90#, 1F

RET
---
Exits script or return from CALL.
Example:
	ret

REV what
--------
Reverse dword bytes.
Example:
	rev 01020304
	//$RESULT = 04030201

ROL op, count
-------------
Assembly Operation "rol eax, cl"
save in the target (first) operand.

ROR op, count
-------------
Assembly Operation "ror eax, cl"
Example:
	mov x, 00000010
	ROR x, 8 

RTR
---
Executes "Run to return" in OllyDbg, [Ctrl+F9] operation.
Example:
	rtr

RTU
---
Executes "Run to user code" in OllyDbg, [Alt+F9] operation.
Example:
	rtu

RUN
---
Executes F9 in OllyDbg, you can also use ERUN to ignore exceptions
Example:
	run

SBP 
---
Store Break Points
stores all hardware and software breakpoints, to be restored with RBP
return in:
 - $RESULT number of stored swbp
 - $RESULT_1 number of stored hwbp

SCMP dest, src [,size]
----------------------
Compares strings dest to src. Works like its asm counterpart.
Example: 
	cmp x, "KERNEL32.DLL"
	cmp [eax], "Hello World", 11.
	je Label

SCMPI dest, src [,size]
-----------------------
Compares strings dest to src (case insentitive). Works like its asm counterpart.
Example: 
	cmp sVar, "KERNEL32.DLL"
	cmp [eax], "Hello", 5
	jne Label

SETOPTION
---------
Open the OllyDBG Options Window, to change debugging parameters.
Script will continue on close.

SHL dest, src
-------------
Shifts dest to the left src times and stores the result in dest.
Example:
	mov x, 00000010
	shl x, 8 // x is now 00001000

SHR dest, src
-------------
Shifts dest to the right src times and stores the result in dest.
Example:
	mov x, 00001000
	shr x, 8 // x is now 00000010

STEP
----
Execute F8 in OllyDbg. Same as STO
Example:
	sto

STI
---
Execute F7 in OllyDbg. STep Into.
Example:
	sti

STO
---
Execute F8 in OllyDbg. STep Over. Same as STEP
Example:
	sto

STR var
-------
Converts variable to a String (buffer or dword)

SUB dest, src
-------------
Reduce src from dest.
Example: 
	sub x, 0F
	sub eax, x
	sub [401000], 5

TC
--
Cancels run trace in OllyDbg
Example:
	tc

TEST dest,src
-------------
Performs a logical AND of the two operands updating the flags register without saving the result.
(Modifies Flags: CF OF PF SF ZF (AF undefined))

TI
--
Executes "Trace into" in OllyDbg, CTRL-F7 in OllyDbg.
Example:
	ti

TICK [var [,reftime]]
---------------------
Set variable with script execution time (microsec)
if reftime parameter is set, set $RESULT with time since reftime.
if no parameter is set, function set $RESULT with execution time in text, in "<ssss mmm> ms" format
var is declared automatically.
Example:
	tick time
	msg time		//time since script startup
	tick time,time	
	msg $RESULT		//time since last TICK, DWORD value


TICND cond
----------
Traces into calls until cond is true
Example:
	ticnd "eip > 40100A" // will stop when eip > 40100A

TO
--
Executes "Trace over" in OllyDbg
Example:
	to

TOCND cond
----------
Traces over calls until cond is true
Example:
	tocnd "eip > 40100A" // will stop when eip > 40100A

UNICODE enable
--------------
Set Unicode Mode, not used for the moment
Example: 
	UNICODE 1
	...

VAR
---
Declare a variable to be used in the script.
Example: 
	var x

XOR dest, src
-------------
XORs src and dest and stores result in dest
Example: 
	xor x, 0F
	xor eax, x
	xor [401000], 5

XCHG dest, src                                 
--------------
Exchanges contents of source and destination.         

WRT file, data
--------------
Write to file (replace existing one) the only accepted symbol is "\r\n"
Numbers are wrote as strings... for the moment
Example: 
	wrt "out.txt", "Data:\r\nOk\r\n"
	wrt sFile, ebx

WRTA file, data [, separator]
-----------------------------
Append to file, default separator is "\r\n"
Example: 
	wrt sFile, "hello world"
	wrta sFile, ABCD, ""
	wrta sFile, "Windows CR, "\r\n"

3.2 Labels
----------
Labels are defined bu using the label name followed by a colon.
Example:
	SOME_LABEL:

3.3 Comments
------------
Comments can be put anywhere and have to start with ";" or "//".
Comment lines starting with ";" will be displayed in script window.
Block comments between "/*" and "*/"

3.4 Menus
---------
The main OllyScript menu consists of the following items:
- Run script...: lets the user select a script file and starts it
- Abort: aborts a running script
- Pause: pauses a running script
- Resume: resumes a paused script
- About: shows information about this plugin

3.5 Script Window
-----------------
The Script Window was introduced with ODbgScript, it enables you to debug
and see progression of your script.
You can set script breakpoints, debug the script, edit variables and also 
execute commands manually.


4. Integration with other plugins
---------------------------------
You can call OllyScript from your plugin and make it execute a script.
Use something like the source code below:

HMODULE hMod = GetModuleHandle("ODbgScript.dll");
if(hMod) // Check that the other plugin is present and loaded
{
	// Get address of exported function
	int (*pFunc)(char*) = (int (*)(char*)) GetProcAddress(hMod, "ExecuteScript");
	if(pFunc) // Check that the other plugin exports the correct function
		pFunc("myscript.txt"); // Execute exported function
}

DebugScript dll entry is also available.

You can also execute script commands via OllyDBG ODBG_plugincmd() 
and in Conditional Log Breakpoints.

5. Contact us
-------------
To contact us you can post your question in the forum or go on IRC 
and message Epsylon3 or SHaG on EFnet. 

You can also use Sourceforge.net Forums or Bug Trackers


6. License and source code
--------------------------
Soon I'm going to armadildo this plugin and charge an awful lot of money
for it! :P Seriously, you are free to use this plugin and the source code however 
you see fit. However please name me in your documentation/about box and if 
the project you need my code for is on a larger scale please also notify 
me - I am curious.


7. Thanks!
----------
I'd like to thank all the wonderful people who reported bugs, wrote scripts, came
with improvement ideas etc. 

R@dier for the great dumping engine.

shERis, nick_name, MetaCore, XanSama, arnix, hila123, bukkake, Human, hnhuqiong,
SunBeam, LCF AT, Fungus, hnedka, Zool@nder for ideas and bug report on the new ODbgScript

And of course Olly for this great debugger!

