OllyDbg full tutorial: Copy to clipboard [Copy to clipboard], Call stack [Call Stack], Call tree [Call tree]

Source: Internet
Author: User

14. Copy to clipboard [Copy to clipboard]

Whole line [Whole line] copies the selected records to the clipboard as multi-line text, including comments. To exclude a column from the copy, minimize its width (the remaining part of the column is shown greyed out).

Whole table [Whole table] copies the entire table to the clipboard as multi-line text: the first line contains the window title (for example "Memory map [Memory Map]"), the second line the column headers, and every following line one data record. Column widths are preserved in the copy. To exclude columns from the copy, minimize their width (the remaining part of the column is shown greyed out).

15. Call stack [Call Stack]

The Call Stack window (shortcut: Alt+K) attempts to walk the stack of the selected thread backwards, reconstruct the sequence of function calls and display it, together with the known or implied arguments of each called function. If a function creates a standard stack frame (PUSH EBP; MOV EBP,ESP), this is easy. Modern optimizing compilers do not bother with stack frames, so OllyDbg uses a different method: it traces the code up to the next return, accounting for every push and pop and every modification of ESP. If that fails, it tries another method that is riskier and slower: it walks the stack looking for every possible return address and checks whether that address is called by a previously analyzed instruction; if not, a heuristic search is used. Stack walking [stack walk] may be very slow, so OllyDbg performs it only while the Call Stack window is open.
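The two stack-walking methods described above, as an added example that is not part of the original tutorial or of OllyDbg itself: a constructed 32-bit code image and stack snapshot (not a real process) are walked first along the EBP frame chain and then by scanning every stack slot for a value that directly follows a CALL to a known function. The stale return address left in a local shows why the second method is less reliable. All addresses, function names and byte values are constructed for the example.

```python
import struct

# Constructed 32-bit image, not a real process: main -> func_a -> func_b, each
# starting with the standard prologue push ebp; mov ebp,esp (55 8B EC).
CODE_BASE = 0x00401000
CODE = bytearray(b"\x90" * 0x40)
CODE[0x00:0x08] = b"\x55\x8B\xEC\xE8\x18\x00\x00\x00"  # main: call func_a (returns to 0x401008)
CODE[0x20:0x28] = b"\x55\x8B\xEC\xE8\x08\x00\x00\x00"  # func_a: call func_b (returns to 0x401028)
CODE[0x30:0x33] = b"\x55\x8B\xEC"                      # func_b: currently executing
FUNCS = {0x401000: "main", 0x401020: "func_a", 0x401030: "func_b"}

# Constructed stack snapshot taken inside func_b's prologue (EBP = ESP = 0x0012FF40).
STACK_BASE = 0x0012FF40
STACK = struct.pack("<10I",
    0x0012FF50, 0x00401028,  # func_b frame: saved EBP, return into func_a
    0x00401008,              # func_a local: stale return address from an earlier call
    0x00401010,              # func_a local: address-like value not preceded by a CALL
    0x0012FF60, 0x00401008,  # func_a frame: saved EBP, return into main
    0x00000001, 0x00000000,  # main locals
    0x00000000, 0x7C817077)  # main frame: EBP chain ends (0), return into a system DLL

def rd32(mem, base, addr):
    return struct.unpack_from("<I", mem, addr - base)[0]

def call_target(code, code_base, ret_addr):
    """Target of a 5-byte E8 rel32 CALL ending exactly at ret_addr, else None."""
    off = ret_addr - 5 - code_base
    if off < 0 or off + 5 > len(code) or code[off] != 0xE8:
        return None
    return ret_addr + struct.unpack_from("<i", code, off + 1)[0]

def walk_frames(stack, base, ebp, code, code_base, funcs):
    """Fast method: follow the EBP chain; '?' marks a frame whose procedure is unknown."""
    frames = []
    while base <= ebp and ebp + 8 <= base + len(stack):
        saved_ebp, ret = rd32(stack, base, ebp), rd32(stack, base, ebp + 4)
        frames.append((ebp, ret, funcs.get(call_target(code, code_base, ret), "?")))
        if saved_ebp <= ebp:  # the chain must move up the stack, otherwise stop
            break
        ebp = saved_ebp
    return frames

def scan_returns(stack, base, esp, code, code_base, funcs):
    """Slow method: report every dword above ESP that follows a CALL to a known function."""
    hits = []  # stale values pass this test too, hence the 'Maybe' marks in OllyDbg
    for addr in range(esp, base + len(stack), 4):
        val = rd32(stack, base, addr)
        tgt = call_target(code, code_base, val)
        if tgt in funcs:
            hits.append((addr, val, funcs[tgt]))
    return hits
```

The frame walk yields exactly func_b, func_a and an unknown caller, while the scan also reports the stale 0x401008 at 0x0012FF48 as a candidate frame.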

The Call Stack window has five columns: Address [Address], Stack [Stack], Procedure [Procedure], Called from [Called from] and Frame [Frame]. The Address column contains the stack address, and the Stack column shows the corresponding return address or argument value.

Procedure [Procedure] (or Procedure/arguments [Procedure/arguments]) shows the address of the called function. In some cases OllyDbg cannot guarantee that this address is correct and adds one of the following tags:

? The entry point is not reliable.
Maybe [Maybe] OllyDbg could not find the exact entry point; the reported address is a heuristic guess.
Contains [des] OllyDbg could not find the entry point at all; it only knows that the displayed address lies inside the function.
You can show or hide the arguments of the displayed functions by clicking the button on the window's title bar or by selecting "Hide/show arguments [Hide/show arguments]" from the menu.

Called from [Called from] shows the address of the instruction that called this function. The last column, Frame [Frame], is hidden by default; if the frame pointer (register EBP) is known, this column shows its value.

Once the called functions have been analyzed [Analyzed], stack walking is more reliable and faster.

16. Call tree [Call tree]

The Call tree (shortcut: Ctrl+K in the Disassembly window) uses the results of analysis [Analysis] to list the functions called, directly or indirectly, by the selected procedure, and the addresses from which the selected procedure is called. To help you avoid possible side effects, the call tree also determines whether the selected function is explicitly recursive. "Explicitly" means that it does not follow calls with an unknown target, such as CALL EAX; if a procedure contains such a call, the call tree marks it "unknown target".

Some functions carry one of the following annotations:

Leaf [Leaf] does not call any other function.
Pure [Pure] does not call any other function and has no side effects.
Single RETN consists of a single RETN instruction.
System [Sys] is a function in a system DLL; a system DLL is a DLL located in the system directory.
To navigate the call tree, double-click an address in the "Called from [Called from]" or "Calls/calls directly [Calls/calldirectly]" column. The Call tree window keeps a navigation history (shortcut keys "-" and "+").

If the program being debugged consists of several modules, we recommend analyzing all of them. The call tree does not attempt to process system functions.
