Ollydbg full tutorial plug-in [plugins]

Plug-in [plugins]

The plug-in is a DLL that is stored in the ollydbg directory to add the ollydbg function. You can download plug-in Development Kits for free from the home page of ollydbg (http://home.t-online.de/home/Ollydbg)
Plug110.zip.

The plug-in can set breakpoints, Add labels and annotations, and modify registers and memory. The plug-in can be added to the shortcut menu of the main menu and many windows (such as disassembly windows and memory windows), or the shortcut keys can be intercepted. The plug-in can also create an MDI (Multi-Document Interface) window. The plug-in can also write its own data to the. UDD File Based on the module information and the ollydbg. ini file, and can read various data structures that describe the program to be debugged. The plug-in API contains up to 170
Functions.

Many third-party plug-ins can be obtained from the Internet, such as the ollydbg Forum (http://ollydbg.win32asmcommunity.net) created and maintained by the netizen TBD ).

To install the plug-in, copy the DLL to the plug-in directory [plugin Directory] and restart ollydbg. This plug-in is the directory where the ollydbg.exe file is located.

The current version contains two "original" plug-ins: [bookmark] and the command line [command line]. Their source code is stored in the plug110.zip. File. These plug-ins are free of charge and you can modify or use them as needed.

Tip: [tips and tricks]

? Ollydbg can be used as a binary editor. Select View> file and select the file to be viewed. The file size cannot exceed the remaining memory size.

? If you modify the execution file in the memory, you want to restore the modified part, but you forgot where it was modified, you can load the original file as a backup, in this way, you can find the modified part.

Scan the OBJ file before analysis. At this time, ollydbg will decode the parameters of known C functions.

Some tables contain hidden data. You can increase the column width.

All data windows (including disassembly windows) can be displayed by double-clicking the corresponding address.

You can use Ctrl + rotate or Ctrl + rotate to flip a byte in the data window.

Debug an independent DLL [debugging of stand-alone DLLs]

Open the DLL, or drag it from the Resource Manager to the ollydbg. The ollydbg will ask you and send the entire file to loaddll.exe .. Then the Linked Library is loaded and stops at the code entry (
<Dllentrypoint> ). You can set breakpoints, run or track startup code, and so on. After Initialization is complete, the program will be paused again. This time it stops at the position of the tag named firstbp, before it immediately enters the main message loop.

Now you can call the DLL function. Select "Debug [debug] | Call DLL output [Call DLL export]" from the main menu. A dialog box is displayed. Since this dialog box is a mode-free dialog box, you can still use all the functions of ollydbg, such as viewing code, Data, viewing breakpoints, and modifying memory.
Select the function you want to call. For example, we will start using the MessageBox function in user32.dll. Loaddll.exe already uses this link library. Therefore, it is assumed that the DLL has been initialized and no longer calls the entry. MessageBox is a common function name. In fact, this function has two types: messageboxa for processing ASCII and messageboxw for processing Unicode. Let's continue: