Common OllyDbg shortcut keys

Frequently Used OllyDbg Shortcut Keys sign in every day. Easy to get Xiao coins no matter what the current OllyDbg window is, these shortcut keys are valid:

Ctrl + F2-restart the program, that is, restart the program to be debugged. If no program has been debugged, OllyDbg runs the first program in the history list [history list. After the program is restarted, all memory and hardware breakpoints will be deleted.
Note: The hardware breakpoint is not removed after the program is restarted.

Alt + F2-close: Close the program to be debugged. If the program is still running, a prompt is displayed asking if you want to close the program.

F3-the "Open 32-bit. EXE file" dialog box [Open 32-bit. EXE file] is displayed. You can select an executable file and enter the running parameters.

Alt + F5-keep OllyDbg at the beginning. If the program to be debugged is interrupted at a breakpoint, a window always exists at the beginning of the debugging program (usually in the mode message or mode dialog box [modal message or dialog]). it may cover part of the OllyDbg, but we cannot move to minimize this window. Activate OllyDbg (for example, press the tag on the taskbar) and press Alt + F5. The OllyDbg will be set to always at the beginning, which in turn will cover the window just now. If you press Alt + F5 again, the OllyDbg will return to normal. Whether the OllyDbg is always in the frontend state will be saved and will remain valid during the next debugging. Whether the current status is always in the frontend status is displayed in the status bar.

F7-step by step to the next command. If the current command is a function [Call], it will stop at the first command in the function body. If the current command is prefixed with REP, only one repeat operation is performed.

Shift + F7-same as F7, but if the program is aborted due to an exception, the debugger first tries to handle the exception specified by the program to be debugged (see ignore Invalid Memory Access in Kernel32 ).

Ctrl + F7-automatically step in. Execute the command one by one in all function calls (just as you press and hold the F7 key, but it is faster ). When you execute other single-step commands, or when the program reaches the breakpoint, or an exception occurs, the automatic process will stop. Every step-by-step, OllyDbg updates all windows. Therefore, to speed up automatic entry, close unnecessary windows and try to keep them as small as possible. Press Esc to stop automatically entering the node.

F8-go to the next command step by step. If the current command is a function, the function is executed at one time (unless the function contains a breakpoint or an exception occurs ). If the current command contains the REP prefix, the repeat operation is executed and stops at the next command.

Shift + F8-the same as F8, but if the program is aborted due to an exception, the debugger first tries to handle the exception specified by the debugging program (see ignore Invalid Memory Access in Kernel32 ).

Ctrl + F8-automatically Step through, one by one to execute the command, but does not enter the function call internal (just as you press and hold the F8 key, just faster ). When you execute other single-step commands, or when the program reaches the breakpoint, or an exception occurs, the process will stop automatically. Every time you step by step, OllyDbg updates all windows. Therefore, to speed up the automatic step, close unnecessary windows. It is best to keep the windows as small as possible. Press Esc to stop the automatic step.

F9-let the program continue execution.

Shift + F9-same as F9, but if the program is aborted due to an exception, the debugger first tries to handle the exception specified by the debugging program (see ignore Invalid Memory Access in Kernel32 ).

Ctrl + F9-execute until it returns, and the tracing program waits until it returns. During this period, the sub-function is neither entered nor the CPU data is updated. Because the program runs a command, the speed may be slower. Press Esc to stop the trail.

Alt + F9-execute until the code segment is returned to the user. The tracing program will not enter the sub-function or update CPU data until the module to which the command belongs is not in the system directory. Because the program is executed one by one, the speed may be slower. Press Esc to stop the trail.

Ctrl + F11-Run trace step into, one by one Execute Command, enter each sub-function call, and add the register information to the storage data of the Run trace. The Run trace does not synchronously update the CPU window.

F12-Stop program execution and pause all threads of the program to be debugged. Do not manually restore the thread to run. It is best to continue executing the shortcut key or menu options (like F9 ).

Ctrl + F12-Run trace step, one by one to execute the command, but do not enter the sub-function call, and add the register information to the storage data of the Run trace. The Run trace does not synchronously update the CPU window.

Esc-if the current status is automatic or tracking, automatic running or tracing will be stopped; if the CPU displays tracking data, real data will be displayed.

Alt + B-display the breakpoint window. In this window, you can edit, delete, or follow up to the breakpoint.

Alt + C-display the CPU window.

Alt + E-display the module list [list of modules].

Alt + K-display the Call stack [Call stack] window.

Alt + L-display the log window.

Alt + M-Display memory window.

Alt + O-display option dialog box [Options dialog]

Ctrl + P-the patch window is displayed.

Ctrl + T-open the pause Run trace dialog box

Alt + X-Disable OllyDbg.

Most Windows support the following keyboard commands:

Alt + F3-close the current window.

Ctrl + F4-close the current window.

F5-maximize the current window or change the current window size to normalization.

F6-switch to the next window.

Shift + F6-switch to the previous window.

F10-open a shortcut menu related to the current window or panel.

Left arrow key-displays the content of a byte width on the left side of the window.

Ctrl + left arrow key-display the content in the left column of the window.

Right arrow key-display the content of one byte width on the right of the window

Ctrl + right arrow key-display content in the right column of the window

The shortcut key in the Disassembly window [discycler shortcuts]

When the disassembly Panel [discycler pane] In the CPU window is active, you can use the following shortcut keys:

Enter key-Add the selected command to the command history [command history]. If the current command is a jump, function, or a part of the conversion table, enter the destination address.

Return key-remove the automatic analysis information of the selected part. If the analyzer mistakenly identifies the code as data, this shortcut is very useful. Refer to the decoding prompt [decoding hints].

Alt + return key-Undo the modification of the selected part and replace the selected part with the corresponding content of the backup data. Only when the backup data exists and is not available at the same time as the selected part.

Ctrl + F1-if the API help file has been selected, the help topic associated with the symbol name in the first selected line will be opened.

F2-switch INT3 Breakpoint [Breakpoint] on the first selected command, or double-click the second column of the row.

Shift + F2-set the condition breakpoint in the first selection command. For details, see Ignore memory access exceptions in Kernel32 [Ignore memory access violations in Kernel32].

F4-execute to the selected line, set a one-time breakpoint on the first selected command, and then continue to execute the debugging program until OllyDbg detects an exception or stops at the breakpoint. This one-time breakpoint remains valid until the program executes the command. If necessary, delete it in the breakpoint window [Breakpoints window.

Shift + F4-set a record Breakpoint (a condition Breakpoint. When the condition is met, the values of some expressions are recorded). For more information, see [Breakpoint].

Ctrl + F5-open the source file corresponding to the first selected command.

Alt + F7-go to the previous found reference.

Alt + F8-go to the next one to find the reference.

Ctrl + A-analyze the code segment of the current module.

Ctrl + B-start binary search.

Ctrl + C-copy the selected content to the clipboard. During replication, invisible content is simply truncated by column width. to exclude unnecessary columns, You can minimize the width of these columns.

Ctrl + E-edit the selected content in binary (hexadecimal) format.

Ctrl + F-start command search.

Ctrl + G-go to an address. This command will pop up the input address or expression window. This command does not modify the EIP.

Ctrl + J-list all calls and redirects involving this location. You must use the analysis code function before using this function.

Ctrl + K-view the Call tree related to the current function [Call tree]. Before using this function, you must use the analysis code function.

Ctrl + L-search for the next one and repeat the previous search content.

Ctrl + N-open the name (TAG) list of the current module.

Ctrl + O-scan the object file. Scan Object files. The scan Object dialog box is displayed. You can select an Object or lib file in the dialog box and scan the file to find the target module used in the actual code segment.

Ctrl + R-search for the reference of the selected command. This command scans All executable code of the activation module to find all relevant references (including constants, jumps, and CALLS) related to the first selected command ), you can use the shortcut keys Alt + F7 and Alt + F8 in the references to browse these references. For ease of use, the referenced commands are also included in this list.

Ctrl + S-command search. This command displays the command Query [Find command] dialog box for you to enter the assembly command and start searching from the current command.

Asterisk [Asterisk] (*)-go to the original position (the EIP of the active thread ).

Ctrl + asterisk (*)-specify a new starting position and set the EIP of the selected thread to the first selected byte address. You can select an EIP and undo it.

Plus sign [Plus] (+)-if the run trace [run trace] is not activated, go to the next place where the command has been run based on the command history [command history; otherwise, jump to the next record of the Run trail.

Ctrl + plus sign-jump to the beginning of the previous function. (Note that the task is skipped and not executed)

Minus [Minus] (-)-if the run trace [run trace] is not activated, go to the previous place where the command was run based on [command history; otherwise, jump to the previous record of the Run trail.

Ctrl + minus sign-jump to the start of the next function. (Note that the task is skipped and not executed)

Space [Space]-modify command. In the displayed dialog box, you can modify the actual commands in assembly language or enter new commands. These commands Replace the actual code. You can also double-click the commands you want to modify.

Colon [Colon] (:)-Add a label. The Add label window [Add label] or the Change label window [Change label] is displayed. You can enter the label (symbol name) associated with the first byte in the first selected command ). Note: In multiple programming languages, colons can be part of tags.

Semicolon [Semicolon] (;)-Add comment [comment]. The Add Comment window [Add label] or modify the comment window [Change label] is displayed. you can enter comments associated with the first byte of the First Command selected here (the comment string is displayed