原文連結:http://bbs.pediy.com/showthread.php?s=&threadid=5974
/*
簡單分配和釋放記憶體指令碼
受 playar 感染,一時衝動寫了這個指令碼,本指令碼功能簡單,建議要強大的功能還是找其它好的OD外掛使用。本指令碼功能:簡單分配和釋放指定的記憶體Page。由於指令碼提供的功能命令有限,無法精確檢測你輸入的資料是否合要求,但你一般規矩輸入沒問題的。估計適用 Ollydbg 1.10 和 OllyScript 0.92 執行平臺,由於本指令碼運用相容性設計的idea,有采用stolen方法(相容了98,NT設計不用),所以會顯得指令碼比較長,CPU視窗比較混亂時,請按“*”;NT系統下設計會比較省事……Enjoy!若使用有Bug ,請反饋!另外關於VirtualAlloc的type引數還不熟悉,失誤之處還請指出!
*/
// Setup: obtain the debuggee's main-module base with a "stolen bytes" stub.
// Twelve bytes at the current eip are saved (stolen1..3), a 9-byte stub is
// written over them and run up to its popad, and `return:` later puts the
// saved bytes back. OllyScript numbers are hexadecimal.
var askpage                          // page address returned by VirtualAlloc / given to VirtualFree
var call                             // address of the stub's call, later of its popad, inside the scratch area
var input-addr                       // lpAddress typed by the user for VirtualAlloc
var input-size                       // dwSize typed by the user for VirtualAlloc
var seip                             // eip when the script started; restored before every exit
var base                             // GetModuleHandleA(NULL): base of the main module
var size                             // requested size, page-rounded for the log
var flag                             // 1 once base was obtained (the first stub succeeded)
var stolen1                          // the 12 original bytes at seip, 4 bytes each
var stolen2
var stolen3
var no                               // 1 while a VirtualAlloc/VirtualFree stub is written at p; Release_space reuses it for VirtualFree's result
var p                                // scratch pointer: first the stub at seip, later the zero area found at base
mov no,0
mov flag,0
mov seip,eip
mov p,eip
mov stolen1,[p]                      // save seip+0..3
add p,4
mov stolen2,[p]                      // save seip+4..7
add p,4
mov stolen3,[p]                      // save seip+8..B (the stub is 9 bytes, so the 12 saved bytes cover it)
// Stub at seip: 60 pushad ; 6A 00 push 0 ; E8 xxxxxxxx call ; 61 popad
// The debugger writes this into the debuggee's current code page.
mov [eip],#606A00E80000000061#
mov p,eip
add p,3                              // seip+3 is the E8 byte: patch the call target there
asm p,"call kernel32.GetModuleHandleA"
add p,5                              // seip+8 is the popad
go p                                 // run pushad / push 0 / call, stop on popad; eax = GetModuleHandleA(NULL)
cmp eax,0
je error                             // eip is on the popad, so error's `sto` still unwinds the pushad
mov flag,1
mov base,eax
log base
sto                                  // popad: restore the registers changed by the call
return:
// Undo the stolen-bytes stub: park eip back on the original instruction and
// rewrite the 12 saved bytes over the stub, highest dword first.
mov eip,seip
mov p,seip
add p,8
mov [p],stolen3
sub p,4
mov [p],stolen2
sub p,4
mov [p],stolen1
// flag is only ever 0 or 1; it becomes 1 once GetModuleHandleA returned a base.
cmp flag,0
jne begin
msg "不明獲取錯誤!"
ret
begin:
// Main menu. $RESULT is the hex value typed into the dialog; any value other
// than 1 or 2 ends the script through `exit:`.
ask "請輸入功能選擇:0-退出,1-分配記憶體,2-釋放記憶體"
cmp $RESULT,2
je Release_space
cmp $RESULT,1
je Allocate_space
jmp exit
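Allocate_space:
// Allocate pages in the debuggee with VirtualAlloc, run from a small stub
// written over 12 zero bytes found at the module base (for a normal PE that is
// likely inside the header page; if DEP is enforced for the process, running
// code from that page faults). Stub layout at p:
//   p+0  60           pushad
//   p+1  50 51 52 53  push eax ; push ecx ; push edx ; push ebx
//   p+5  E8 xxxxxxxx  call KERNEL32.VirtualAlloc  (target patched by `asm`)
//   p+A  61           popad
// Arguments are pushed last-first, so the stdcall frame is
//   VirtualAlloc(lpAddress=ebx, dwSize=edx, flAllocationType=ecx, flProtect=eax).
// Both prompts are answered BEFORE the stub is armed: a rejected input then
// reaches `error:` with no pushad outstanding and nothing to scrub.
ask "分配記憶體功能 - 輸入申請Size(16進位制值):"
cmp $RESULT,0
je error                             // a size of 0 cannot be allocated (a cancelled dialog presumably yields 0 too)
mov input-size,$RESULT
ask "分配記憶體功能 - 請輸入申請頁地址(16進位制值,0為自動):"
mov input-addr,$RESULT
log "下面是申請輸入資訊:"
log input-addr
log input-size
msgyn "你輸入引數已經登記在Log視窗,繼續執行點'Y',暫停點'N'。"
cmp $RESULT,1
je continue
pause                                // let the user inspect; the script resumes here when continued
continue:
find base,#000000000000000000000000#
cmp $RESULT,0
je error
mov p,$RESULT
log p
mov eip,p
mov call,p
mov [p],#6050515253E80000000061# // VirtualAlloc stub (layout above)
add call,5
asm call,"call KERNEL32.VirtualAlloc"
mov no,1                             // a stub is now present at p and must be zeroed again on every exit
sto                                  // execute pushad; eip = p+1
mov edx,input-size                   // dwSize
mov size,edx
mov eax,40                           // flProtect = PAGE_EXECUTE_READWRITE (0x40): the new page is RWX
mov ecx,1000                         // flAllocationType = MEM_COMMIT (0x1000). Fine for lpAddress=0; a specific
                                     // address must already be reserved or the call fails
                                     // (MEM_RESERVE|MEM_COMMIT = 0x3000 would be needed for a fresh range).
mov ebx,input-addr                   // lpAddress (0 = let the system choose)
add call,5                           // call = p+A, the popad after the call
go call                              // run the pushes and the call, stop on popad; eax = result
cmp eax,0
je error                             // eip is on the popad, so error's `sto` unwinds the pushad
mov askpage,eax
log "下面是成功申請資訊:"
log askpage
add size,0FFF                        // round the requested size up to whole 4 KB pages for the log
and size,0FFFFF000
log size
sto                                  // popad: restore the registers saved by the stub
mov eip,seip
mov [p],#000000000000000000000000#   // scrub the stub out of the zero area again
msg "Successed get need size page!Look log Windows!"
mov [askpage],"I successed to get This Page!"
cmt eip,"Look the page top,we wrote my flag!"
msg "請求分配記憶體任務成功!"
ret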
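Release_space:
// Release pages in the debuggee with VirtualFree, using the same stub
// technique as Allocate_space. Stub layout at p:
//   p+0  60        pushad
//   p+1  50 51 52  push eax ; push ecx ; push edx
//   p+4  E8 xxxx   call KERNEL32.VirtualFree  (target patched by `asm`)
//   p+9  61        popad
// Frame: VirtualFree(lpAddress=edx, dwSize=ecx, dwFreeType=eax).
// The address is validated BEFORE the stub is armed. Previously the zero check
// ran after `sto` had executed pushad, so the error path single-stepped
// `push eax` and left the debuggee with esp 36 bytes lower and the pushad
// never undone.
ask "釋放記憶體功能 - 輸入釋放頁地址:(16進位制值)"
cmp $RESULT,0
je error                             // no stub armed yet (no = 0): error just reports the failure
mov askpage,$RESULT
log "下面是輸入請求釋放頁:"
log askpage
find base,#000000000000000000000000#
cmp $RESULT,0
je error
mov p,$RESULT
log p
mov eip,p
mov call,p
mov [p],#60505152E80000000061# // VirtualFree stub (layout above)
add call,4
asm call,"call KERNEL32.VirtualFree"
mov no,1                             // a stub is present at p; every exit must zero it again
sto                                  // execute pushad; eip = p+1
mov eax,8000                         // dwFreeType = MEM_RELEASE (0x8000)
mov ecx,0                            // dwSize must be 0 with MEM_RELEASE
mov edx,askpage                      // lpAddress: base of the region to release
add call,5                           // call = p+9, the popad after the call
go call                              // run the pushes and the call, stop on popad; eax = BOOL result
mov no,eax
sto                                  // popad: restore the registers saved by the stub
mov eip,seip
mov [p],#000000000000000000000000#   // scrub the stub out of the zero area again
cmp no,0                             // VirtualFree returns a BOOL: any non-zero value is success
je waa
log "下面是成功釋放頁:"
log askpage
cmt eip,"若有需要請看 Log 視窗"
msg "請求釋放記憶體任務成功!"
ret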
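error:
// Shared failure exit. Three states can arrive here:
//   flag=0        the GetModuleHandleA stub failed; eip is on its popad, so one
//                 `sto` unwinds the pushad, then `return:` restores the stolen bytes.
//   flag=1, no=0  nothing is armed at p (e.g. the zero-byte search at base
//                 failed); eip is on the program's own instruction, which must
//                 NOT be stepped.
//   flag=1, no=1  a VirtualAlloc/VirtualFree stub is armed and eip is on its
//                 popad: unwind it, put eip back and scrub the stub.
// Previously `sto` ran unconditionally, which single-stepped a real program
// instruction in the middle state.
cmp flag,1
je error_stub
sto                                  // popad of the GetModuleHandleA stub
jmp return
error_stub:
cmp no,1
jne waa                              // no stub at p: nothing to step, nothing to scrub
sto                                  // popad of the VirtualAlloc/VirtualFree stub
mov eip,seip
mov [p],#000000000000000000000000#   // scrub the stub out of the zero area at base
waa:
msg "執行任務失敗!"
ret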
exit:
// Menu choice other than 1 or 2. By now `return:` has already put the stolen
// bytes back, so nothing of the script remains in the debuggee.
msg "No Mission!"
ret
///////////////////////////////////
修復了一點錯誤檢測!
to somebody:
NT系統的確可以很簡單寫(exec/ende),98你能用得了,現在玩相容性,蘿蔔青菜,各有所愛,有時做些複雜的事會有一定的體會!比如:某某要BT跟殼,偶做不了這妖事;)