当前位置：网站首页>Lyscripttools extended script module

Lyscripttools extended script module

2022-07-23 20:27:00 【51CTO】

LyScriptTools The module is a x64dbg The expansion pack, , This module is mainly for built-in Script Class version encapsulation of script commands , So that users can easily call x64dbg Built in script commands in , The packaging principle utilizes LyScript Module run_command_exec() Command implemented , All the following command encapsulation is around this API Functionally progressive .

The plug-in needs to be installed with LyScript32/64 Install another one on the package LyScriptTools32/64 Expansion pack, , The package has been submitted to pypi Official warehouse .

Installation only needs to be performed pip install LyScriptTools32 perhaps pip install LyScriptTools64

as follows x64dbg General functions collated from （Ibinary）：<a rel=“nofollow” href=“ https://www.cnblogs.com/iBinary/p/16359195.html”> https://www.cnblogs.com/iBinary/p/16359195.html</a>

The plug-in is currently divided into four parts , among LyScriptModule It is a package for module operation ,LyScriptMemory Memory encapsulation ,LyScriptDisassemble It is disassembly encapsulation ,LyScriptOther It's some miscellaneous .

from LyScriptTools32 import LyScriptModule

mod.party(addr) —> Get the mode number of the module , addr = 0 User module ,1 Is the system module
mod.base(addr) —> Get module base address
mod.size(addr) —> Return module size
mod.hash(addr) —> Return module hash
mod.entry(addr) —> Return to module entry
mod.system(addr)—> If addr If it is a system module, it is true Otherwise it would be false
mod.user(addr) —> If it is a user module, return true Otherwise false
mod.main() —> Return the base address of the main module
mod.rva(addr) —> If addr If it is not in the module, it returns 0, Otherwise return to addr Located in RVA The offset
mod.offset(addr)—> Get the file offset corresponding to the address , If it is not in the module, it returns 0
mod.isexport(addr) —> Determine whether the address is a function exported from the module ,true yes false It is not

from LyScriptTools32 import LyScriptMemory

mem.valid(addr) Judge addr Whether it works , Valid returns True
mem.base(addr) Or the current addr The base of
mem.size(addr) Get current addr Memory size
mem.iscode(addr) Judge the present addr Whether it is an executable page , Successfully returns TRUE
mem.decodepointer(ptr) Decryption pointer , Equivalent to calling API. DecodePointer ptr
ReadByte(addr / reg); from addr Or read a byte of memory from the register and return
Byte(addr) byte(addr) ditto
ReadWord(addr) Word(addr) word(addr) ditto Read two bytes
ReadDDword(addr) Dword(addr) dword(addr) ditto Read four bytes
ReadQword(addr) Qword(addr) qword(addr) ditto Read 8 Bytes , But it can only be 64 Bit program can be used
ReadPtr(addr) Read pointer from address (4/8 byte ) And return the read pointer value
ReadPointer(addr) ptr(addr) Pointer(addr) pointer(addr) Same as above
ptr(mod.main()) --> 00905A4D
byte(mod.main()) --> 0x0000004D

from LyScriptTools32 import LyScriptDisassemble

dis.len(addr) obtain addr Instruction length at .
dis.iscond(addr) Judge the present addr Whether the position is a conditional instruction ( such as jxx) Return value : If yes True otherwise False
dis.isbranch(addr) Determine whether the current address is a branch instruction Return value : ditto
dis.isret(addr) Judge whether it is ret Instructions Return value : ditto
dis.iscall(addr) Judge whether it is call Instructions Return value : ditto
dis.ismem(addr) Determine whether it is a memory operand Return value : ditto
dis.isnop(addr) Judge whether it is nop Return value : ditto
dis.isunusual(addr) Judge whether the current address indicates an abnormal address Return value : ditto
dis.branchdest(addr)： The branch target of the instruction is located at （ If the Enter key , What it will follow ）.addr
dis.branchexec(addr)： If Branch at To execute , Then for true.addr
dis.imm(addr) Get the immediate number of the current instruction location ( The immediate number appearing in this line of instructions )
dis.brtrue(addr)： Instruction in Branch target of .addr
dis.brfalse(addr)： The address of the next instruction （ If the command at Is a conditional branch ）.addr
dis.next(addr)： obtain addr Next address
dis.prev(addr)： obtain addr Previous low address
dis.iscallsystem(addr) Determine whether the current instruction is a system module instruction
dis.mnemonic(addr) return addr Mnemonic symbol of , It can be used as a parameter to The string function uses straddrstr.streq(dis.mnemonic(cip), “cpuid”)

from LyScriptTools32 import LyScriptOther

arg.get(index); Get the number of parameters in the current function stack , Suppose the return address is on the stack , And we are inside the function .
arg.set(index,value); The value of the set index position is
ex.firstchance()： Whether the last exception is the first chance exception .
ex.addr()： The last exception address . for example , The address of the instruction that caused the exception .
ex.code()： The last exception code .
ex.flags()： The last exception flag .
ex.infocount()： Last exception information count （ Number of parameters ）.
ex.info(index)： The last exception message , If the index is out of range , It's zero .

The above is some common function encapsulation , Their calling method is shown below .

from LyScript32 import MyDebug
from LyScriptTools32 import LyScriptModule
from LyScriptTools32 import LyScriptMemory
from LyScriptTools32 import LyScriptDisassemble
from LyScriptTools32 import LyScriptOther

if __name__ == "__main__":
    dbg = MyDebug()
    dbg.connect()

    #  Module class 
    mod = LyScriptModule()

    party = mod.base(dbg,"0x4c55ac")
    print("party: {}".format(hex(party)))

    party = mod.party(dbg,"0x4c55ac")
    print("party: {}".format(hex(party)))

    party = mod.size(dbg,"0x4c55ac")
    print("party: {}".format(hex(party)))

    party = mod.hash(dbg,"0x4c55ac")
    print("party: {}".format(hex(party)))

    party = mod.entry(dbg,"0x4c55ac")
    print("party: {}".format(hex(party)))

    party = mod.system(dbg,"0x4c55ac")
    print("party: {}".format(hex(party)))

    party = mod.user(dbg,"0x4c55ac")
    print("party: {}".format(hex(party)))

    party = mod.main(dbg)
    print("party: {}".format(hex(party)))

    party = mod.rva(dbg,"0x4c55ac")
    print("party: {}".format(hex(party)))

    party = mod.offset(dbg,"0x4c55ac")
    print("party: {}".format(hex(party)))

    party = mod.isexport(dbg,"0x4c55ac")
    print("party: {}".format(hex(party)))

    #  Reverse compilation 
    dis = LyScriptDisassemble()

    ret = dis.len(dbg,"0x401000")
    print("dis :{}".format(hex(ret)))

    ret = dis.iscond(dbg,"0x401000")
    print("dis :{}".format(hex(ret)))

    ret = dis.isbranch(dbg,"0x401000")
    print("dis :{}".format(hex(ret)))

    ret = dis.isret(dbg,"0x401000")
    print("dis :{}".format(hex(ret)))

    ret = dis.iscall(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.ismem(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.isnop(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.isunusual(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.branchdest(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.branchexec(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.imm(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.brtrue(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.brfalse(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.next(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.prev(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    ret = dis.iscallsystem(dbg,"0x4c55d9")
    print("dis :{}".format(hex(ret)))

    #  Memory class 
    mem = LyScriptMemory()

    ref = mem.teb(dbg)
    print("mem : {}".format(ref))

    ref = mem.peb(dbg)
    print("mem : {}".format(ref))

    ref = mem.tid(dbg)
    print("mem : {}".format(ref))

    ref = mem.kusd(dbg)
    print("mem : {}".format(ref))

    ref = mem.valid(dbg,"0x401000")
    print("mem : {}".format(ref))

    ref = mem.base(dbg,"0x401000")
    print("mem : {}".format(hex(ref)))

    ref = mem.size(dbg,"0x401000")
    print("mem : {}".format(hex(ref)))

    ref = mem.iscode(dbg,"0x401000")
    print("mem : {}".format(hex(ref)))

    ref = mem.decodepointer(dbg,"0x401000")
    print("mem : {}".format(hex(ref)))

    ref = mem.read_byte(dbg,"0x401000")
    print("mem : {}".format(hex(ref)))

    ref = mem.byte(dbg,"0x401000")
    print("mem : {}".format(hex(ref)))

    ref = mem.read_word(dbg,"0x401000")
    print("mem : {}".format(hex(ref)))

    ref = mem.read_dword(dbg,"0x401000")
    print("mem : {}".format(hex(ref)))

    ref = mem.read_ptr(dbg,"0x401000")
    print("mem : {}".format(hex(ref)))

    ref = mem.ptr(dbg,"0x401000")
    print("mem : {}".format(hex(ref)))

    #  exception handling 
    ot = LyScriptOther()

    ots = ot.firstchance(dbg)
    print("ot = > {}".format(ots))

    ots = ot.addr(dbg)
    print("ot = > {}".format(ots))

    ots = ot.code(dbg)
    print("ot = > {}".format(ots))

    ots = ot.flags(dbg)
    print("ot = > {}".format(ots))

    ots = ot.infocount(dbg)
    print("ot = > {}".format(ots))

    ots = ot.info(dbg,"0x401000")
    print("ot = > {}".format(ots))
    dbg.close()

     1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
50.
51.
52.
53.
54.
55.
56.
57.
58.
59.
60.
61.
62.
63.
64.
65.
66.
67.
68.
69.
70.
71.
72.
73.
74.
75.
76.
77.
78.
79.
80.
81.
82.
83.
84.
85.
86.
87.
88.
89.
90.
91.
92.
93.
94.
95.
96.
97.
98.
99.
100.
101.
102.
103.
104.
105.
106.
107.
108.
109.
110.
111.
112.
113.
114.
115.
116.
117.
118.
119.
120.
121.
122.
123.
124.
125.
126.
127.
128.
129.
130.
131.
132.
133.
134.
135.
136.
137.
138.
139.
140.
141.
142.
143.
144.
145.
146.
147.
148.
149.
150.
151.
152.
153.
154.
155.
156.
157.
158.
159.
160.
161.
162.
163.
164.
165.
166.

Of course, if you think the above general functions are not enough , Or there is no comprehensive supplement , You can call any class ot.GetScriptValue() The function encapsulates and implements itself .

原网站

版权声明
本文为[51CTO]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/204/202207231945508850.html

当前位置：网站首页>Lyscripttools extended script module

Lyscripttools extended script module

边栏推荐

猜你喜欢

随机推荐