OllyDbg Getting Started Series (1): Understanding OllyDbg

Source: Internet
Original title: OllyDbg Getting Started Series (1): Understanding OllyDbg
Author: ccdebuger
Date: 2006-02-13, 17:23
Link: http://bbs.pediy.com/showthread.php?t=21284


I. OllyDbg installation and configuration

The official release of OllyDbg 1.10 is a ZIP archive; simply extract it to a directory and run ollydbg.exe. The Chinese-language release is a RAR archive; likewise, extract it to a directory and run ollydbg.exe.

The main windows of OllyDbg are described briefly below. For more detail, refer to the Chinese help file translated by the TT translation team:

Disassembly window: displays the disassembled code of the program being debugged. You can right-click the column headings (Address, Hex dump, Disassembly, Comment) in the title bar and choose "Hide title" or "Show title" from the context menu. Left-click the Comment heading to switch the comment display mode.

Register window: displays the CPU registers of the currently selected thread. Click the "Registers (FPU)" label to switch the register display mode.

Information window: displays the operands (parameters) of the first instruction selected in the Disassembly window, along with jump destination addresses and strings.

Data window: displays memory or file contents. Right-click to open a context menu and change the display mode.

Stack window: displays the stack of the current thread.

To resize any of these windows, left-click its border, hold, and drag. Restart OllyDbg for the new layout to take effect.

Once OllyDbg is running, we need to set the plugin and UDD directories to absolute paths. Click Options > Interface (Appearance in the English release) to open the options dialog, then click the Directories tab.

Because I extracted OllyDbg into F:\ollydbg, the UDD and plugin directories are set accordingly in the screenshot. Another commonly used tab is Fonts, where you can change the font OllyDbg displays. The other options can be left at their defaults and changed as needed. After making changes, click OK; a dialog box tells you that the plugin path has changed and that OllyDbg needs to restart. Click OK in this dialog and restart OllyDbg. If you reopen the interface options, you will see that all the paths you set have been saved. Some people know what plugins are for but are unclear about the UDD directory, so here is a brief explanation: the UDD directory stores your debugging work. For example, if you are debugging a program, have set breakpoints and added comments, and cannot finish in one session, OllyDbg saves your work to the UDD directory so that you can continue where you left off the next time you debug. If you do not set a UDD directory, OllyDbg saves .udd files in its installation directory by default, which becomes messy over time; we therefore recommend setting a dedicated directory for these files.

Another important set of options is Debugging; choose Options > Debugging options to configure them.

Nothing here needs to change: the defaults work as they are. We recommend adjusting these options only once you are familiar with OllyDbg. The options on the Exceptions tab are used frequently when unpacking; we suggest configuring them when you move on to unpacking after gaining some debugging experience.

In addition to starting OllyDbg directly, you can add it to the Explorer context menu, so that you can right-click an .EXE or .DLL file and choose "Open with OllyDbg" to debug it. To do this, click Options > Add to Explorer; in the dialog box that appears, click "Add OllyDbg to system Explorer menu" and then "Done". Removing it is just as easy: in the same dialog, click "Remove OllyDbg from system Explorer menu" and then "Done".

OllyDbg supports plugins. Copy the downloaded plugin (usually a DLL file) into the plugin directory under the OllyDbg installation directory, and OllyDbg will recognise it automatically at startup. Note that OllyDbg 1.10 limits the number of plugins to 32; exceeding this may cause errors, so we recommend not loading too many. Since a plugin is a DLL loaded into the OllyDbg process itself, only install plugins from sources you trust.

The basic configuration is now complete. OllyDbg stores all of its configuration in the ollydbg.ini file in the installation directory.

II. Basic debugging methods

OllyDbg offers three ways to load a program for debugging. The first is File > Open (shortcut F3), which opens an executable file for debugging. The second is File > Attach, which attaches to a running process; note that the process must already be running. The third is loading the program from the Explorer context menu described above (I am not sure this counts as a separate method). In general we use the first method. For example, to debug test.exe, load it through File > Open; OllyDbg then displays the loaded program in the windows described above.
The following shortcut keys are frequently used during debugging:

F2: Set a breakpoint. Press F2 on the line where the cursor is (shown in grey) to set a breakpoint; press F2 again to remove it. (Equivalent to F9 in SoftICE)

F8: Step over. Each press executes one instruction in the Disassembly window; CALLs and other subroutines are executed without stepping into their code. (Equivalent to F10 in SoftICE)

F7: Step into. Similar to step over (F8), except that when a CALL or other subroutine is reached, execution stops on the first instruction inside the subroutine. (Equivalent to F8 in SoftICE)

F4: Run to selection. Runs until execution reaches the cursor position, then pauses. (Equivalent to F7 in SoftICE)

F9: Run. If no breakpoint is set, the debugged program simply runs. (Equivalent to F5 in SoftICE)

Ctrl+F9: Execute till return. Runs until a RET (return) instruction is reached, then pauses. Often used to get back from system code (for example, inside a system DLL) to the code of the program we are debugging. (Equivalent to F12 in SoftICE)

Alt+F9: Execute till user code. Quickly returns from system code to the code of the program being debugged. (Equivalent to F11 in SoftICE)
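As an added illustration (written for this edit, not part of ccdebuger's article), the following Python model shows what F7, F8, F4, Ctrl+F9 and Alt+F9 do in terms of EIP and the return-address stack. The instruction stream (user code at 0x401000 calling a helper at 0x401020, which calls a "system" routine) and the SYSTEM_BASE boundary are constructed assumptions.

```python
from dataclasses import dataclass
SYSTEM_BASE = 0x7C800000  # assumption: addresses at/above this are "system" code
PROGRAM = {  # constructed sample, address -> (mnemonic, operand); see lead-in
    0x401000: ("call", 0x401020), 0x401005: ("mov", None), 0x40100A: ("ret", None),
    0x401020: ("push", None), 0x401021: ("call", SYSTEM_BASE), 0x401026: ("pop", None),
    0x401027: ("ret", None), SYSTEM_BASE: ("mov", None), SYSTEM_BASE + 5: ("ret", None),
}
ORDER = sorted(PROGRAM)

def fallthrough(addr):  # address of the instruction that follows addr
    return ORDER[ORDER.index(addr) + 1]

@dataclass
class Cpu:
    eip: int
    stack: list  # pushed return addresses, innermost last
    def execute_one(self):
        mnem, operand = PROGRAM[self.eip]
        if mnem == "call":
            self.stack.append(fallthrough(self.eip))
            self.eip = operand
        elif mnem == "ret":
            self.eip = self.stack.pop()
        else:
            self.eip = fallthrough(self.eip)
        return self.eip

def run_until(cpu, stop, limit=10_000):
    # Execute at least one instruction, then continue until stop(cpu) holds.
    for _ in range(limit):
        cpu.execute_one()
        if stop(cpu):
            return cpu.eip
    raise RuntimeError("stop condition never reached")

def step_into(cpu):  # F7: one instruction, following a CALL into the callee
    return cpu.execute_one()
def step_over(cpu):  # F8: like F7, but a CALL runs to completion first
    if PROGRAM[cpu.eip][0] != "call":
        return step_into(cpu)
    nxt = fallthrough(cpu.eip)
    return run_until(cpu, lambda c: c.eip == nxt)
def execute_till_return(cpu):  # Ctrl+F9: pause on the RET of the current frame
    depth = len(cpu.stack)
    return run_until(cpu, lambda c: PROGRAM[c.eip][0] == "ret" and len(c.stack) <= depth)
def execute_till_user(cpu):  # Alt+F9: run until EIP is back in user code
    return run_until(cpu, lambda c: c.eip < SYSTEM_BASE)
def run_to_selection(cpu, addr):  # F4: run until EIP reaches the cursor address
    return run_until(cpu, lambda c: c.eip == addr)
```

Stepping over the CALL at 0x401000 lands on 0x401005 with the stack unchanged, while stepping into it lands on 0x401020 with 0x401005 pushed as the return address.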

The shortcuts above are enough for general debugging. To begin, set a breakpoint, find the section of code you are interested in, and then step through it with F8 or F7 while analysing what each instruction does. That is all for this part; I will continue another day when I have time.

--------------------------------------------------------------------------------
[Copyright notice] This article is purely a technical exchange. When reposting, please credit the author and keep the article intact. Thank you!
