VX Heaven

Source code of computer viruses

Volly - Virus for - by roy g biv

Virus for -

roy g biv

2008-09-08

Download volly.zip (6198 bytes) or browse online

Author's description

What is it?

ODbgScript is a plug-in for OllyDbg. Of course you already know what OllyDbg is. ;) ODbgScript contains a scripting language that can automate OllyDbg. It has lots of useful built-in functions, and it can also execute assembler code directly for extra functions.

What kind of built-in functions?

ODbgScript supports local variables, it can push values to the host stack, it can pop values from the host stack, it can access the CPU registers directly, it can get the address of functions in DLLs, it can convert hex values to strings, it can write long strings to memory using the MOV command, it can concatenate strings using the ADD command... and many other things that I did not need. The documentation is very clear. You should go and read that instead. :)

What kind of extra functions?

There is a limitation that ODbgScript does not understand selectors, so we cannot look at fs:[30h] and other places using the scripting language. What we can do instead is to use an execution block, that is, EXEC and ENDE. Inside that block we put the code to run, but it does not support any local variables or strings. So to access fs:[30h], for example, we could use this code:

    exec
    mov eax, fs:[30] //all values are in hex, only dword accesses allowed
    ende
    var a //local variable to receive value
    mov a,eax

So easy. We can use functions in DLLs by the GPA command. GPA loads the DLL and returns the address of the function. The problem is that the DLL is loaded into OllyDbg's memory, not the memory of the file being debugged, so if the DLL is not there, then we will crash if we try to call the address. Also, the DLL can be at a different address because of other DLLs loaded already, but that is probably a rare thing.

Labels and variables

ODbgScript supports labels and variables. The variables can have short or long names, and they can be declared more than once without error. This is good for us, so that the host code will still work even if we use the same name. Labels can also be declared more than once, but only the first one has any effect. For that reason, it is a good idea to choose label names that are likely to be unique.

Other things

ODbgScript supports some arithmetic commands like ADD, SUB, XOR, INC, DEC. They do not alter the flags. There is a CMP command which does alter the flags. It is important to remember this, because of the likely bug in code like this:

    dec a
    jne b

This code looks like it should branch while a is not zero, but since the DEC command does not alter the flags, it does not have that effect. It also means that we can have tricky poly code like this:

    mov a,12345678
    cmp a,12345677
    add a,23456789
    sub a,3579be01
    je  b

Then a is zero but the branch is not taken.
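When reading a script like this, the control flow can only be followed by tracking the flags the way ODbgScript does. The following small Python model is an added example, not part of the original page or of the Volly source: it implements only the commands named above and only the zero flag, assumes the flag is clear until the first CMP writes it, and runs the two fragments quoted in the text.

```python
MASK = 0xFFFFFFFF  # ODbgScript values are 32-bit and written in hex

def run(script):
    """Run a tiny ODbgScript fragment; return (variables, branch_taken).

    Labels are not resolved: the first JE/JNE reached ends execution and
    reports whether it would have jumped (None if no jump is reached).
    """
    vars_ = {}
    zf = False  # zero flag: assumed clear until a CMP writes it

    def val(tok):  # a variable name, otherwise a hex literal
        return vars_[tok] if tok in vars_ else int(tok, 16)

    for line in script:
        line = line.split("//")[0].strip()  # drop // comments
        if not line:
            continue
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest.strip() else []
        if op == "var":
            vars_[args[0]] = 0
        elif op == "mov":
            vars_[args[0]] = val(args[1])
        elif op == "add":  # ADD/SUB/XOR/INC/DEC change the value, not the flags
            vars_[args[0]] = (vars_[args[0]] + val(args[1])) & MASK
        elif op == "sub":
            vars_[args[0]] = (vars_[args[0]] - val(args[1])) & MASK
        elif op == "xor":
            vars_[args[0]] ^= val(args[1])
        elif op == "inc":
            vars_[args[0]] = (vars_[args[0]] + 1) & MASK
        elif op == "dec":
            vars_[args[0]] = (vars_[args[0]] - 1) & MASK
        elif op == "cmp":
            zf = val(args[0]) == val(args[1])  # the only flag writer here
        elif op in ("je", "jne"):
            return vars_, (zf if op == "je" else not zf)
        else:
            raise ValueError(f"unsupported command: {op}")
    return vars_, None

# The two fragments from the text (constructed input; the DEC fragment is
# given a starting value of 1 so that it reaches zero).
DEC_BUG = ["var a", "mov a,1", "dec a", "jne b"]
POLY = ["mov a,12345678", "cmp a,12345677",
        "add a,23456789", "sub a,3579be01", "je  b"]
```

Running DEC_BUG shows the jump taken even though a is zero, and running POLY shows a ending at zero with the jump not taken, because the only CMP compared unequal values.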

Now we look at some real code...

I know that I could put more into EXEC/ENDE blocks, but I wanted it to be as much script as possible, so only the APIs are there.
