对于OllyDbg加载插件过程的分析——细数OllyDbg作者的不足之处

元始天尊 · 发表于 2015-1-5 01:07:31

欢迎访问技术宅的结界，请注册或者登录吧。

您需要登录才可以下载或查看，没有账号？立即注册→加入我们

×

本帖最后由元始天尊于 2015-1-5 14:14 编辑

这里对v1.10版本进行逆向，加载插件是在OllyDbg启动后，加载调试程序前完成的，因此需要用OllyDbg调试自身。文档中说OllyDbg先检查_ODBG_Plugindata，那么下断点bp GetProcAddress,[esp+8]=="_ODBG_Plugindata"会发现断在以地址0x00496658开始的函数中。查看其反汇编代码，先进行总体分析，发现有多处调用GetProcAddress，初步判断为加载插件的模块，命名为LoadPlugin，反汇编代码如下：

.text:00496658 push ebx
.text:00496659 push esi
.text:0049665A push edi
.text:0049665B push ebp
.text:0049665C add esp, 0FFFFF004h
.text:00496662 mov ebp, offset alldll ; "*.dll"
.text:00496667 push eax
.text:00496668 add esp, 0FFFFFBB0h
.text:0049666E push 4B00h ; n
.text:00496673 push 0 ; c
.text:00496675 push offset unk_4F0AB4 ; s
.text:0049667A call _memset
.text:0049667F xor eax, eax
.text:00496681 add esp, 0Ch
.text:00496684 mov dword_4F55B4, eax
.text:00496689 xor eax, eax
.text:0049668B or ecx, 0FFFFFFFFh
.text:0049668E mov edi, offset aCUsersLichaoDe ; "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
.text:00496693 repne scasb
.text:00496695 not ecx
.text:00496697 sub edi, ecx
.text:00496699 lea esi, [esp+1460h+pluginpath]
.text:004966A0 xchg esi, edi
.text:004966A2 mov edx, ecx
.text:004966A4 mov eax, edi
.text:004966A6 shr ecx, 2
.text:004966A9 lea eax, [esp+1460h+pluginpath]
.text:004966B0 rep movsd
.text:004966B2 mov ecx, edx
.text:004966B4 and ecx, 3
.text:004966B7 rep movsb
.text:004966B9 push eax ; s
.text:004966BA call _strlen
.text:004966BF pop ecx
.text:004966C0 mov edi, eax
.text:004966C2 test edi, edi
.text:004966C4 jle short loc_4966DD
.text:004966C6 xor eax, eax
.text:004966C8 mov al, [esp+edi+1460h+var_355]
.text:004966CF cmp eax, 5Ch
.text:004966D2 jz short loc_4966DD
.text:004966D4 mov [esp+edi+1460h+pluginpath], 5Ch
.text:004966DC inc edi
.text:004966DD
.text:004966DD loc_4966DD: ; CODE XREF: LoadPlugins+6C j
.text:004966DD ; LoadPlugins+7A j
.text:004966DD lea edx, [esp+1460h+pluginpath]
.text:004966E4 mov esi, ebp
.text:004966E6 add edi, edx
.text:004966E8 push edi
.text:004966E9 mov eax, edi
.text:004966EB movsd
.text:004966EC movsw
.text:004966EE pop edi
.text:004966EF lea edx, [esp+1460h+FindFileData]
.text:004966F6 push edx ; lpFindFileData
.text:004966F7 lea ecx, [esp+1464h+pluginpath]
.text:004966FE push ecx ; lpFileName
.text:004966FF call FindFirstFileA
.text:00496704 mov [esp+1460h+hFindFile], eax
.text:00496708 cmp [esp+1460h+hFindFile], 0FFFFFFFFh
.text:0049670D jnz short loc_496716
.text:0049670F xor eax, eax
.text:00496711 jmp loc_496B40
.text:00496716 ; ---------------------------------------------------------------------------
.text:00496716
.text:00496716 loc_496716: ; CODE XREF: LoadPlugins+B5 j
.text:00496716 call CreateMenu
.text:0049671B mov [esp+1460h+uIDNewItem], eax
.text:0049671F cmp [esp+1460h+uIDNewItem], 0
.text:00496724 jnz short loc_49672D
.text:00496726 xor eax, eax
.text:00496728 jmp loc_496B40
.text:0049672D ; ---------------------------------------------------------------------------
.text:0049672D
.text:0049672D loc_49672D: ; CODE XREF: LoadPlugins+CC j
.text:0049672D ; LoadPlugins+499 j
.text:0049672D xor esi, esi
.text:0049672F push 0
.text:00496731 lea eax, [esp+1464h+arglist]
.text:00496738 push eax
.text:00496739 push 0
.text:0049673B push 0
.text:0049673D lea edx, [esp+1470h+FindFileData.cFileName]
.text:00496744 push edx
.text:00496745 call j___fnsplit
.text:0049674A add esp, 14h
.text:0049674D lea ecx, [ebp+6]
.text:00496750 push ecx ; s2
.text:00496751 lea eax, [esp+1464h+arglist]
.text:00496758 push eax ; s1
.text:00496759 call _stricmp
.text:0049675E add esp, 8
.text:00496761 test eax, eax
.text:00496763 jz loc_496AD3
.text:00496769 lea edx, [ebp+0Ch]
.text:0049676C push edx ; s2
.text:0049676D lea ecx, [esp+1464h+arglist]
.text:00496774 push ecx ; s1
.text:00496775 call _stricmp
.text:0049677A add esp, 8
.text:0049677D test eax, eax
.text:0049677F jz loc_496AD3
.text:00496785 xor eax, eax
.text:00496787 or ecx, 0FFFFFFFFh
.text:0049678A mov edi, offset aCUsersLichaoDe ; "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
.text:0049678F lea esi, [esp+1460h+pluginpath]
.text:00496796 repne scasb
.text:00496798 not ecx
.text:0049679A sub edi, ecx
.text:0049679C mov edx, ecx
.text:0049679E xchg esi, edi
.text:004967A0 shr ecx, 2
.text:004967A3 mov eax, edi
.text:004967A5 rep movsd
.text:004967A7 mov ecx, edx
.text:004967A9 lea eax, [esp+1460h+pluginpath]
.text:004967B0 and ecx, 3
.text:004967B3 rep movsb
.text:004967B5 push eax ; s
.text:004967B6 call _strlen
.text:004967BB pop ecx
.text:004967BC mov edi, eax
.text:004967BE test edi, edi
.text:004967C0 jle short loc_4967D9
.text:004967C2 xor eax, eax
.text:004967C4 mov al, [esp+edi+1460h+var_355]
.text:004967CB cmp eax, 5Ch
.text:004967CE jz short loc_4967D9
.text:004967D0 mov [esp+edi+1460h+pluginpath], 5Ch
.text:004967D8 inc edi
.text:004967D9
.text:004967D9 loc_4967D9: ; CODE XREF: LoadPlugins+168 j
.text:004967D9 ; LoadPlugins+176 j
.text:004967D9 lea edx, [esp+1460h+pluginpath]
.text:004967E0 xor eax, eax
.text:004967E2 add edi, edx
.text:004967E4 or ecx, 0FFFFFFFFh
.text:004967E7 push edi
.text:004967E8 mov esi, edi
.text:004967EA lea edi, [esp+1464h+FindFileData.cFileName]
.text:004967F1 repne scasb
.text:004967F3 not ecx
.text:004967F5 sub edi, ecx
.text:004967F7 mov edx, ecx
.text:004967F9 xchg esi, edi
.text:004967FB shr ecx, 2
.text:004967FE mov eax, edi
.text:00496800 rep movsd
.text:00496802 mov ecx, edx
.text:00496804 and ecx, 3
.text:00496807 rep movsb
.text:00496809 pop edi
.text:0049680A lea eax, [esp+1460h+pluginpath]
.text:00496811 push eax ; lpLibFileName
.text:00496812 call LoadLibraryA
.text:00496817 mov esi, eax
.text:00496819 test esi, esi
.text:0049681B jz loc_496AD3
.text:00496821 lea eax, [ebp+14h]
.text:00496824 push eax ; lpProcName
.text:00496825 push esi ; hModule
.text:00496826 call GetProcAddress
.text:0049682B mov ebx, eax
.text:0049682D lea eax, [ebp+25h]
.text:00496830 push eax ; lpProcName
.text:00496831 push esi ; hModule
.text:00496832 call GetProcAddress
.text:00496837 mov edi, eax
.text:00496839 test ebx, ebx
.text:0049683B jz loc_496AD3
.text:00496841 test edi, edi
.text:00496843 jz loc_496AD3
.text:00496849 mov [esp+1460h+src], 0
.text:0049684E lea eax, [esp+1460h+src]
.text:00496852 push eax
.text:00496853 call ebx
.text:00496855 pop ecx
.text:00496856 mov ecx, eax
.text:00496858 cmp ecx, 6Ah
.text:0049685B jl short loc_496869
.text:0049685D cmp ecx, 6Eh
.text:00496860 jg short loc_496869
.text:00496862 cmp [esp+1460h+src], 0
.text:00496867 jnz short loc_49689C
.text:00496869
.text:00496869 loc_496869: ; CODE XREF: LoadPlugins+203 j
.text:00496869 ; LoadPlugins+208 j
.text:00496869 mov eax, ecx
.text:0049686B mov ebx, 64h
.text:00496870 cdq
.text:00496871 idiv ebx
.text:00496873 push edx
.text:00496874 mov eax, ecx
.text:00496876 mov ecx, 64h
.text:0049687B cdq
.text:0049687C idiv ecx
.text:0049687E push eax
.text:0049687F lea eax, [esp+1468h+arglist]
.text:00496886 push eax ; arglist
.text:00496887 lea edx, [ebp+36h]
.text:0049688A push edx ; format
.text:0049688B push 0 ; highlight
.text:0049688D push 0 ; addr
.text:0049688F call _Addtolist
.text:00496894 add esp, 18h
.text:00496897 jmp loc_496AD3
.text:0049689C ; ---------------------------------------------------------------------------
.text:0049689C
.text:0049689C loc_49689C: ; CODE XREF: LoadPlugins+20F j
.text:0049689C mov ebx, dword_4F55B4
.text:004968A2 shl ebx, 3
.text:004968A5 lea ebx, [ebx+ebx*2]
.text:004968A8 lea ebx, [ebx+ebx*4]
.text:004968AB lea ebx, [ebx+ebx*4]
.text:004968AE add ebx, offset unk_4F0AB4
.text:004968B4 mov [ebx], esi
.text:004968B6 lea eax, [ebx+4]
.text:004968B9 push esi
.text:004968BA mov esi, eax
.text:004968BC push edi
.text:004968BD xor eax, eax
.text:004968BF lea edi, [esp+1468h+FindFileData.cFileName]
.text:004968C6 or ecx, 0FFFFFFFFh
.text:004968C9 repne scasb
.text:004968CB not ecx
.text:004968CD sub edi, ecx
.text:004968CF mov edx, ecx
.text:004968D1 xchg esi, edi
.text:004968D3 shr ecx, 2
.text:004968D6 mov eax, edi
.text:004968D8 rep movsd
.text:004968DA mov ecx, edx
.text:004968DC lea edx, [ebx+108h]
.text:004968E2 and ecx, 3
.text:004968E5 rep movsb
.text:004968E7 pop edi
.text:004968E8 pop esi
.text:004968E9 push 1Fh ; maxlen
.text:004968EB lea eax, [esp+1464h+src]
.text:004968EF push eax ; src
.text:004968F0 push edx ; dest
.text:004968F1 call _strncpy
.text:004968F6 add esp, 0Ch
.text:004968F9 lea ecx, [ebp+60h]
.text:004968FC mov byte ptr [ebx+127h], 0
.text:00496903 push ecx ; lpProcName
.text:00496904 push esi ; hModule
.text:00496905 call GetProcAddress
.text:0049690A mov [ebx+238h], eax
.text:00496910 lea eax, [ebp+73h]
.text:00496913 push eax ; lpProcName
.text:00496914 push esi ; hModule
.text:00496915 call GetProcAddress
.text:0049691A mov [ebx+230h], eax
.text:00496920 lea edx, [ebp+88h]
.text:00496926 push edx ; lpProcName
.text:00496927 push esi ; hModule
.text:00496928 call GetProcAddress
.text:0049692D mov [ebx+234h], eax
.text:00496933 lea ecx, [ebp+99h]
.text:00496939 push ecx ; lpProcName
.text:0049693A push esi ; hModule
.text:0049693B call GetProcAddress
.text:00496940 mov [ebx+23Ch], eax
.text:00496946 lea eax, [ebp+0AEh]
.text:0049694C push eax ; lpProcName
.text:0049694D push esi ; hModule
.text:0049694E call GetProcAddress
.text:00496953 mov [ebx+240h], eax
.text:00496959 lea edx, [ebp+0C2h]
.text:0049695F push edx ; lpProcName
.text:00496960 push esi ; hModule
.text:00496961 call GetProcAddress
.text:00496966 mov [ebx+244h], eax
.text:0049696C lea ecx, [ebp+0D8h]
.text:00496972 push ecx ; lpProcName
.text:00496973 push esi ; hModule
.text:00496974 call GetProcAddress
.text:00496979 mov [ebx+248h], eax
.text:0049697F lea eax, [ebp+0EAh]
.text:00496985 push eax ; lpProcName
.text:00496986 push esi ; hModule
.text:00496987 call GetProcAddress
.text:0049698C mov [ebx+24Ch], eax
.text:00496992 lea edx, [ebp+0F7h]
.text:00496998 push edx ; lpProcName
.text:00496999 push esi ; hModule
.text:0049699A call GetProcAddress
.text:0049699F mov [ebx+250h], eax
.text:004969A5 lea ecx, [ebp+106h]
.text:004969AB push ecx ; lpProcName
.text:004969AC push esi ; hModule
.text:004969AD call GetProcAddress
.text:004969B2 mov [ebx+254h], eax
.text:004969B8 xor eax, eax
.text:004969BA mov [esp+1460h+var_1460], eax
.text:004969BD push esp
.text:004969BE mov edx, hwmain
.text:004969C4 push edx
.text:004969C5 push 6Eh
.text:004969C7 call edi
.text:004969C9 add esp, 0Ch
.text:004969CC mov edi, eax
.text:004969CE test edi, edi
.text:004969D0 jz short loc_4969F3
.text:004969D2 push edi
.text:004969D3 lea ecx, [esp+1464h+arglist]
.text:004969DA push ecx ; arglist
.text:004969DB lea eax, [ebp+116h]
.text:004969E1 push eax ; format
.text:004969E2 push 0 ; highlight
.text:004969E4 push 0 ; addr
.text:004969E6 call _Addtolist
.text:004969EB add esp, 14h
.text:004969EE jmp loc_496AD3
.text:004969F3 ; ---------------------------------------------------------------------------
.text:004969F3
.text:004969F3 loc_4969F3: ; CODE XREF: LoadPlugins+378 j
.text:004969F3 mov esi, dword_4F55B4
.text:004969F9 shl esi, 6
.text:004969FC add esi, 0E000h
.text:00496A02 mov [esp+1460h+src], 0
.text:00496A07 cmp dword ptr [ebx+234h], 0
.text:00496A0E jz short loc_496A2D
.text:00496A10 push 0
.text:00496A12 lea eax, [esp+1464h+src]
.text:00496A16 push eax
.text:00496A17 push 0
.text:00496A19 call dword ptr [ebx+234h]
.text:00496A1F add esp, 0Ch
.text:00496A22 test eax, eax
.text:00496A24 jz short loc_496A2D
.text:00496A26 cmp [esp+1460h+src], 0
.text:00496A2B jnz short loc_496A31
.text:00496A2D
.text:00496A2D loc_496A2D: ; CODE XREF: LoadPlugins+3B6 j
.text:00496A2D ; LoadPlugins+3CC j
.text:00496A2D xor edi, edi
.text:00496A2F jmp short loc_496A38
.text:00496A31 ; ---------------------------------------------------------------------------
.text:00496A31
.text:00496A31 loc_496A31: ; CODE XREF: LoadPlugins+3D3 j
.text:00496A31 call CreateMenu
.text:00496A36 mov edi, eax
.text:00496A38
.text:00496A38 loc_496A38: ; CODE XREF: LoadPlugins+3D7 j
.text:00496A38 test edi, edi
.text:00496A3A jz short loc_496A52
.text:00496A3C lea eax, [esp+1460h+src]
.text:00496A40 mov dword_4F55BC, eax
.text:00496A45 push 1 ; int
.text:00496A47 push esi ; int
.text:00496A48 push ebx ; int
.text:00496A49 push edi ; hMenu
.text:00496A4A call sub_496260
.text:00496A4F add esp, 10h
.text:00496A52
.text:00496A52 loc_496A52: ; CODE XREF: LoadPlugins+3E2 j
.text:00496A52 mov ecx, dword_4F55B4
.text:00496A58 cmp ecx, 0Ah
.text:00496A5B jge short loc_496A86
.text:00496A5D add ebx, 108h
.text:00496A63 push ebx
.text:00496A64 mov eax, ecx
.text:00496A66 inc eax
.text:00496A67 mov ecx, 0Ah
.text:00496A6C cdq
.text:00496A6D idiv ecx
.text:00496A6F push edx
.text:00496A70 lea eax, [ebp+141h]
.text:00496A76 push eax ; format
.text:00496A77 lea edx, [esp+146Ch+src]
.text:00496A7B push edx ; buffer
.text:00496A7C call _sprintf
.text:00496A81 add esp, 10h
.text:00496A84 jmp short loc_496AA1
.text:00496A86 ; ---------------------------------------------------------------------------
.text:00496A86
.text:00496A86 loc_496A86: ; CODE XREF: LoadPlugins+403 j
.text:00496A86 add ebx, 108h
.text:00496A8C push ebx
.text:00496A8D lea eax, [ebp+145h]
.text:00496A93 push eax ; format
.text:00496A94 lea edx, [esp+1468h+src]
.text:00496A98 push edx ; buffer
.text:00496A99 call _sprintf
.text:00496A9E add esp, 0Ch
.text:00496AA1
.text:00496AA1 loc_496AA1: ; CODE XREF: LoadPlugins+42C j
.text:00496AA1 test edi, edi
.text:00496AA3 jnz short loc_496AB9
.text:00496AA5 lea ecx, [esp+1460h+src]
.text:00496AA9 push ecx ; lpNewItem
.text:00496AAA push esi ; uIDNewItem
.text:00496AAB push 0 ; uFlags
.text:00496AAD mov eax, [esp+146Ch+uIDNewItem]
.text:00496AB1 push eax ; hMenu
.text:00496AB2 call AppendMenuA
.text:00496AB7 jmp short loc_496ACB
.text:00496AB9 ; ---------------------------------------------------------------------------
.text:00496AB9
.text:00496AB9 loc_496AB9: ; CODE XREF: LoadPlugins+44B j
.text:00496AB9 lea edx, [esp+1460h+src]
.text:00496ABD push edx ; lpNewItem
.text:00496ABE push edi ; uIDNewItem
.text:00496ABF push 10h ; uFlags
.text:00496AC1 mov ecx, [esp+146Ch+uIDNewItem]
.text:00496AC5 push ecx ; hMenu
.text:00496AC6 call AppendMenuA
.text:00496ACB
.text:00496ACB loc_496ACB: ; CODE XREF: LoadPlugins+45F j
.text:00496ACB inc dword_4F55B4
.text:00496AD1 xor esi, esi
.text:00496AD3
.text:00496AD3 loc_496AD3: ; CODE XREF: LoadPlugins+10B j
.text:00496AD3 ; LoadPlugins+127 j ...
.text:00496AD3 test esi, esi
.text:00496AD5 jz short loc_496ADD
.text:00496AD7 push esi ; hLibModule
.text:00496AD8 call FreeLibrary
.text:00496ADD
.text:00496ADD loc_496ADD: ; CODE XREF: LoadPlugins+47D j
.text:00496ADD lea eax, [esp+1460h+FindFileData]
.text:00496AE4 push eax ; lpFindFileData
.text:00496AE5 mov edx, [esp+1464h+hFindFile]
.text:00496AE9 push edx ; hFindFile
.text:00496AEA call FindNextFileA
.text:00496AEF test eax, eax
.text:00496AF1 jnz loc_49672D
.text:00496AF7 cmp dword_4F55B4, 0
.text:00496AFE jle short loc_496B31
.text:00496B00 lea ecx, [ebp+148h]
.text:00496B06 push ecx ; lpNewItem
.text:00496B07 mov eax, [esp+1464h+uIDNewItem]
.text:00496B0B push eax ; uIDNewItem
.text:00496B0C push 410h ; uFlags
.text:00496B11 push 3 ; uPosition
.text:00496B13 mov edx, hwmain
.text:00496B19 push edx ; hWnd
.text:00496B1A call GetMenu
.text:00496B1F push eax ; hMenu
.text:00496B20 call InsertMenuA
.text:00496B25 mov ecx, hwmain
.text:00496B2B push ecx ; hWnd
.text:00496B2C call DrawMenuBar
.text:00496B31
.text:00496B31 loc_496B31: ; CODE XREF: LoadPlugins+4A6 j
.text:00496B31 mov eax, [esp+1460h+hFindFile]
.text:00496B35 push eax ; hFindFile
.text:00496B36 call FindClose
.text:00496B3B mov eax, dword_4F55B4
.text:00496B40
.text:00496B40 loc_496B40: ; CODE XREF: LoadPlugins+B9 j
.text:00496B40 ; LoadPlugins+D0 j
.text:00496B40 add esp, 1450h
.text:00496B46 pop ebp
.text:00496B47 pop edi
.text:00496B48 pop esi
.text:00496B49 pop ebx
.text:00496B4A retn

复制代码

经过分析得到：

#include <windows.h>
#include <dos.h>
#include "plugin.h"
struct PluginData
{
HMODULE hPluginDll;
char DllName[260];
char PluginName[32];
//+296
???
//+560
ODBG_Pluginmainloop;
ODBG_Pluginmenu;
ODBG_Pluginaction;
ODBG_Pluginshortcut;
ODBG_Pluginsaveudd;
ODBG_Pluginuddrecord;
ODBG_Pluginreset;
ODBG_Paused;
ODBG_Pausedex;
ODBG_Plugincmd;
};
int pluginnum;
PluginData plugindata[32];//最多32个插件
char data[0x1100];
HANDLE hwmain;
bool LoadPlugins()
{
char pluginpath[260],filename[256],pluginname[32];
HANDLE hFindFile;
WIN32_FIND_DATA FindFileData;
HMENU pluginmenu,popupmenu;
HMODULE hmod;
int ret;
int pluginmenuid;
memset(plugindata,sizeof(plugindata));
pluginnum=0;
strcpy(pluginpath,"*.dll");
hFindFile=FindFirstFile(pluginpath,&FindFileData);
if(hFindFile == INVALID_HANDLE_VALUE)
return false;
pluginmenu=CreateMenu();
if(!pluginmenu)
return false;
do
{//搜索根目录下所有dll文件
hmod=NULL;
fnsplit(FindFileData.cFileName,NULL,NULL,filename,NULL);
if(stricmp(filename,"psapi") && stricmp(filename,"dbghelp"))
{//如果不是psapi.dll和dbghelp.dll
strcpy(pluginpath,FindFileData.cFileName);
hmod=LoadLibrary(pluginpath);
if(hmod)
{
ODBG_Plugindata=GetProcAddress(hmod,"_ODBG_Plugindata");
ODBG_Plugininit=GetProcAddress(hmod,"_ODBG_Plugininit");
if(ODBG_Plugindata && ODBG_Plugininit)
{
pluginname[0]='\0';
ret=ODBG_Plugindata(pluginname);
if(ret >= 106 && ret <= 110 && pluginname[0] != '\0')//版本在1.06~1.10之间
{
PluginData& curplugin=plugindata[pluginnum];
curplugin.hPluginDll=hmod;
strcpy(curplugin.DllName,FindFileData.cFileName);
strncpy(curplugin.PluginName,pluginname,31);
curplugin.PluginName[31]='\0';
curplugin.ODBG_Pluginaction=GetProcAddress(hmod,"ODBG_Pluginaction");
curplugin.ODBG_Pluginmainloop=GetProcAddress(hmod,"ODBG_Pluginmainloop");
curplugin.ODBG_Pluginmenu=GetProcAddress(hmod,"ODBG_Pluginmenu");
curplugin.ODBG_Pluginshortcut=GetProcAddress(hmod,"ODBG_Pluginshortcut");
curplugin.ODBG_Pluginsaveudd=GetProcAddress(hmod,"ODBG_Pluginsaveudd");
curplugin.ODBG_Pluginuddrecord=GetProcAddress(hmod,"ODBG_Pluginuddrecord");
curplugin.ODBG_Pluginreset=GetProcAddress(hmod,"ODBG_Pluginreset");
curplugin.ODBG_Paused=GetProcAddress(hmod,"ODBG_Paused");
curplugin.ODBG_Pausedex=GetProcAddress(hmod,"ODBG_Pausedex");
curplugin.ODBG_Plugincmd=GetProcAddress(hmod,"ODBG_Plugincmd");
ulong feature=0;
ret=ODBG_Plugininit(110,hwmain,&feature);
if(ret)
{
Addtolist(0,0,"Plugin '%s' failed to initialize (code %i)",filename,ret);
}
else
{
pluginmenuid=pluginnum*32+57344;
pluginname[0]='\0';
if(curplugin.ODBG_Pluginmenu) && curplugin.ODBG_Pluginmenu(PM_MAIN,data,NULL))
{
if(pluginname[0] != '\0' && (popupmenu=CreateMenu()) != NULL)
{
CreateSubMenu(popupmenu,curplugin,pluginmenuid,1);
}
if(pluginnum >= 10)
sprintf(pluginname,"%s",curplugin.pluginname);
else
sprintf(pluginname,"&%i %s",(pluginnum+1)%10,curplugin.pluginname);
if(popupmenu)
AppendMenu(pluginmenuid,MF_POPUP,popupmenu,pluginname);
else
AppendMenu(pluginmenuid,0,pluginmenuid,pluginname);
pluginnum++;
hmod=NULL;
}
}
}
else
{
Addtolist(0,0,"Plugin '%s' has invalid version (%i.%02i)",filename,ret/100,ret%100);
}
}
}
}
if(hmod)
FreeLibrary(hmod);
}
while(FindNextFile(hFindFile,&FindFileData));
}

复制代码

仅此一个函数就可以看到编码习惯的不足之处：
可见加载过程是：ODBG_Plugindata => ODBG_Plugininit => ODBG_Pluginmenu，同理可分析其它函数。
同时，可以发现OllyDbg作者代码的缺点所在，或许高手不太重视细节，呵呵
1.重要数据类型应该使用优秀的数据结构进行存储，恰巧是对内存的不善利用，造成OllyDbg所占内存较大，同时因此只能允许有限个插件加载
2.使用的函数和数组导致可能存在内存溢出的情况发生
3.滥用全局变量，如代码中的PluginData
4.代码通用性不好，其api不提供unicode版
5.函数设计混乱，返回值不够规范（比如都是int返回值有的函数正确返回1，错误返回0，而有的函数相反）
6.由于上述原因、各种其他原因和考虑不全面，导致各种奇妙bug横行，想必作者修改bug花了很长时间
7.源码和输出函数不兼容VS系列编译器，需要手动改动，这一点在OllyDbg2中有所改观，然而进行了2重输出，弄巧成拙

0xAA55 · 发表于 2015-1-5 07:59:56

额！话说Unicode版……的API，如果作者提供的话BUG恐怕更多。

Golden Blonde · 发表于 2015-1-5 14:35:30

原来插件是这么实现的，我觉得支持第三方插件的软件，都是很牛逼的。。。

账号		自动登录	找回密码
密码			立即注册→加入我们

对于OllyDbg加载插件过程的分析——细数OllyDbg作者的不足之处

欢迎访问技术宅的结界，请注册或者登录吧。

浏览过的版块