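Neither OD itself nor the ULTRA STRING PLUGIN can correctly retrieve the strings of Delphi programs,
which causes great pain for newbies who rely heavily on string references.
Below is a by-product of my cracking session today.
This is my first time writing an ODBGScript script; after some trial and error along the way, my debut work is done: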
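Code:
var addr
var str0
var slen
var numb
var logfile

mov addr,00401000
mov numb,0
cmp $VERSION,"1.53"
jb odbgver

mov logfile, "g:\download\s.log"
// Log header: "Script for parsing Delphi strings in the process, by 快雪时晴"
eval "\r\n解析进程中delphi字符串脚本 by 快雪时晴\r\n\r\n"
wrt logfile, $RESULT

loop_0:
// Look for the FFFFFFFF dword that precedes the length field
find addr,#FFFFFFFF#
cmp $RESULT,0
je exit_0
mov addr,$RESULT
add addr,4
// The dword after the marker is the string length
mov slen,[addr]
// String too long, unlikely; the 00 may be in the blank area
cmp slen,ff
ja next_0
// String too short, not of much use either
cmp slen,5
jb next_0
// String NULL terminator, only 1 byte
mov str0,[addr+slen+4]
and str0,000000FF
cmp str0,00
jne next_0
// Step over the length field to the first character
add addr,4
inc numb
readstr [addr],slen
eval "#{numb}# [{addr}]"+$RESULT
//log $RESULT
wrta logfile,$RESULT
next_0:
jmp loop_0

odbgver:
// Message: "ODBGScript version should be greater than v1.53 (ReadStr)"
msg "ODBGScript版本号应大于v1.53(ReadStr)"
exit_0:
// Message: "Found {numb} Delphi string references in total."
eval "共找到{numb}个Delphi字符串参考."
msg $RESULT
ret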
My result:
Take it if it's useful.
Applause!
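The same header check applied offline to a raw byte buffer (for example a dumped code section during static triage), as an added example that is not part of the original post. It goes slightly beyond the script: with `step=1` the search also catches a header that directly follows a stray 0xFF byte. `find_delphi_strings`, `step` and `SAMPLE` are names invented here, and the sample bytes are constructed.

```python
import struct

REFCOUNT_CONST = b"\xff\xff\xff\xff"  # refcount -1, the marker the script searches for

def find_delphi_strings(buf, base=0, min_len=5, max_len=0xFF, step=1):
    """Return [(address of first character, text)] for plausible string constants.

    Assumed layout: [refcount -1][uint32 LE length][length bytes][NUL].
    step=4 resumes the search the way the script does; step=1 (default)
    also catches a header that directly follows a stray 0xFF byte.
    """
    hits = []
    pos = buf.find(REFCOUNT_CONST)
    while pos != -1:
        data_off = pos + 8
        if data_off <= len(buf):
            (slen,) = struct.unpack_from("<I", buf, pos + 4)
            end = data_off + slen
            # Same bounds as the script (5..0xFF) plus the one-byte NUL check.
            if min_len <= slen <= max_len and end < len(buf) and buf[end] == 0:
                raw = buf[data_off:end]
                if 0 not in raw:  # extra filter, not in the script
                    hits.append((base + data_off, raw.decode("latin-1")))
        pos = buf.find(REFCOUNT_CONST, pos + step)
    return hits

def _const(text):
    """Build one constant in the assumed layout (constructed test data)."""
    return REFCOUNT_CONST + struct.pack("<I", len(text)) + text + b"\x00"

# Constructed sample, not taken from any real binary.
SAMPLE = (
    b"\x90" * 3
    + _const(b"Connection failed")
    + b"\xff"                      # stray byte right before the next header
    + _const(b"config.ini")
    + _const(b"abc")               # shorter than min_len, skipped
    + REFCOUNT_CONST + struct.pack("<I", 6) + b"nonul!" + b"A"  # no terminator
)

if __name__ == "__main__":
    for addr, text in find_delphi_strings(SAMPLE, base=0x00401000):
        print(f"[{addr:08X}] {text}")
```

With `step=4` the second string in the sample is missed, because the stray 0xFF shifts the match by one byte and the search then resumes past the real header.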