OllyDbg main thread (CPU) window:
1. Address column: the virtual address of each assembly instruction
2. Hex dump column: the machine code bytes of that instruction
3. Disassembly column: the instruction itself
4. Comment column: annotations for the disassembled code
5. Registers window
6. Information window: details about the instruction currently being executed
7~9. Memory dump window: the address, the hexadecimal bytes and the ASCII view of the data stored there
10~12. Stack window: the stack address, the value stored there and its description
OllyDbg basic shortcut keys and their functions:
F2 set or remove a breakpoint at the selected address
F3 load an executable program for debugging and analysis
F4 run until the instruction under the cursor
F5 shrink or restore (toggle the size of) the current window
F7 step into (single step, entering calls)
F8 step over (single step, executing a call as one instruction)
F9 run the program; it pauses when a breakpoint is hit
Ctrl+F2 restart the program from the beginning, typically used to debug it again from scratch
Ctrl+F9 execute until return, used to get out of a function body
Alt+F9 execute until user code, used to get out of system functions quickly
Ctrl+G enter a hexadecimal address (expression) to jump to it quickly
After loading the target file for debugging, the disassembly window shows three columns:
1. Virtual address: in general, the same instruction in the same program has the same virtual address in different system environments.
2. Machine code: the bytes that the CPU actually executes.
3. Assembly instruction: the program code corresponding to the machine code.
Summary of debugging tips:
1. F2 sets a breakpoint; Alt+B opens the breakpoint window, where every breakpoint that has been set can be edited, and the spacebar quickly toggles a breakpoint's state.
2. When you are inside a call and want to get back to the place that called it, press Ctrl+F9 (Execute till return). OllyDbg stops at the first return instruction it encounters (RET, RETF or IRET).
3. If you have followed into an API function in a system DLL and want to get back to the application's own "airspace", press Alt+F9 (Execute till user code).
4. "Airspace" here means the owner of the code that the CPU is executing at a given moment, i.e. which module the current instruction belongs to.
5. Addresses such as 004013F7 are generally in the executable's own address space; large addresses such as 7C8114AB are generally in the address space where the system DLLs reside.
6. Programs usually read the contents of a text box with one of the following two functions:
GetDlgItemTextA (GetDlgItemTextW), GetWindowTextA (GetWindowTextW)
7. In general, you combine experience with educated guesses about where to set "traps" (breakpoints) in order to find the relevant function.
8. Ctrl+G opens the "Enter expression to follow" window.
9. Ctrl+N opens the application's import table (the Names window), which lists every function the application imports; from that list you can infer where to set your traps.
10. Regarding return values: by convention the assembly-level return value is kept in the EAX register. If 32-bit EAX is too small to hold the return value, the callee stores the value in a memory location and returns the address of that location in EAX.
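Tips 6 and 9 above say that a program's text boxes are usually read through GetDlgItemTextA/W or GetWindowTextA/W, and that the Ctrl+N names window shows which functions a module imports. The following is an added example (not part of the original post and not OllyDbg's own code) that does the Ctrl+N step offline in Python: it walks the import directory of a PE file the way the names window does and flags those four imports. Since a real executable cannot be shipped inline, build_sample_pe() constructs a minimal PE32 image with a hand-built import directory; the layout it uses (one section at RVA 0x1000, file offset 0x200), the DLL and function names inside it, and the helper names parse_imports and find_text_readers are assumptions of this example. The parser goes slightly beyond the post's 32-bit case: it also handles PE32+ headers and imports by ordinal.

```python
import struct

# Import names the post singles out as the usual readers of edit-box text.
TEXT_READERS = {"GetDlgItemTextA", "GetDlgItemTextW", "GetWindowTextA", "GetWindowTextW"}


def build_sample_pe():
    """Constructed PE32 image (sample data for this example, not a real program):
    headers in the first 0x200 bytes, one section at RVA 0x1000 / file offset 0x200
    holding import descriptors, INT/IAT thunks, hint/name entries and DLL names."""
    sec_rva, sec_raw = 0x1000, 0x200
    wanted = {b"USER32.dll": [b"GetDlgItemTextA", b"GetWindowTextA"],
              b"KERNEL32.dll": [b"ExitProcess"]}
    body = bytearray(20 * (len(wanted) + 1))      # descriptor table (+ zero terminator), filled below
    descs = []
    for dll, funcs in wanted.items():
        name_rvas = []
        for f in funcs:                           # IMAGE_IMPORT_BY_NAME: WORD hint + NUL-terminated name
            name_rvas.append(sec_rva + len(body))
            body += struct.pack("<H", 0) + f + b"\x00" * (2 - len(f) % 2)   # NUL + even alignment
        dll_rva = sec_rva + len(body)
        body += dll + b"\x00"
        body += b"\x00" * (-len(body) % 4)        # 4-align the thunk arrays that follow
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\x00" * 4
        int_rva, iat_rva = sec_rva + len(body), sec_rva + len(body) + len(thunks)
        body += thunks + thunks                   # on disk the INT and the IAT hold the same entries
        descs.append((int_rva, dll_rva, iat_rva))
    for i, (int_rva, dll_rva, iat_rva) in enumerate(descs):
        struct.pack_into("<IIIII", body, 20 * i, int_rva, 0, 0, dll_rva, iat_rva)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)       # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sec_rva, len(body))                # data directory [1] = imports
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\x00\x00" + coff + opt + sect).ljust(sec_raw, b"\x00")
    return bytes(headers + body)


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def parse_imports(data):
    """Return {dll: [function name or '#ordinal', ...]} from a PE32 or PE32+ file image,
    i.e. what OllyDbg's Ctrl+N names window lists for the loaded module."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off, thunk_fmt = {0x10B: (opt + 104, "<I"), 0x20B: (opt + 120, "<Q")}[magic]
    thunk_size = struct.calcsize(thunk_fmt)
    ord_flag = 1 << (8 * thunk_size - 1)          # IMAGE_ORDINAL_FLAG32 / IMAGE_ORDINAL_FLAG64
    import_rva = struct.unpack_from("<I", data, dir_off)[0]
    if import_rva == 0:
        return {}
    sections = []                                 # (VirtualAddress, size, PointerToRawData)
    for i in range(nsections):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))

    def rva_to_off(rva):                          # map an RVA to a file offset via the section table
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError("RVA 0x%x is not mapped by any section" % rva)

    imports, desc = {}, rva_to_off(import_rva)
    while True:                                   # IMAGE_IMPORT_DESCRIPTOR entries, zero-terminated
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:
            break
        names, thunk = [], rva_to_off(oft or ft)  # fall back to the IAT if a packer zeroed the INT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            names.append("#%d" % (entry & 0xFFFF) if entry & ord_flag
                         else _cstr(data, rva_to_off(entry) + 2))   # +2 skips the hint word
            thunk += thunk_size
        imports[_cstr(data, rva_to_off(name_rva))] = names
        desc += 20
    return imports


def find_text_readers(imports):
    """(dll, function) pairs for the edit-box reading APIs named in the post."""
    return [(dll, fn) for dll, fns in imports.items() for fn in fns if fn in TEXT_READERS]


if __name__ == "__main__":
    found = parse_imports(build_sample_pe())
    for dll, fns in found.items():
        print(dll, ", ".join(fns))
    print("edit-box readers:", find_text_readers(found))
```

Run as a script it prints the constructed sample's import list and the two flagged USER32 entries; to list a real module's imports before loading it in the debugger, pass parse_imports the bytes of the file read from disk. The import names seen in a static listing are only a starting point: a packed or obfuscated binary may resolve these functions at run time, in which case the names window shows nothing and the dynamic view in the debugger is still needed.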
OllyDbg shortcut key notes