"Original" ollydbg Primer series (i)-Meet ollydbg


Reposted at: http://blog.fishc.com/645.html (Fish C Studio)
Author: CCDebuger
Date: 2006-02-13, 17:23
Original post: http://bbs.pediy.com/showthread.php?t=21284

OllyDbg Primer Series (1): Meet OllyDbg

1. Installing and configuring OllyDbg

OllyDbg 1.10 is distributed as a ZIP archive: extract it to a directory and run OllyDBG.exe. The Chinese-language release is a RAR archive and is used the same way, extract it to a directory and run OllyDBG.exe:

The main OllyDbg windows are described briefly below; for more detail, see the Chinese help file translated by the TT team:

Disassembly window: shows the disassembled code of the program being debugged. The column headers (address, HEX dump, disassembly and comment) can be hidden or shown by right-clicking in the window and choosing Appearance -> Hide title / Show title. Left-clicking the Comment column header switches the way comments are displayed.

Register window: shows the CPU registers of the currently selected thread. Clicking the Registers (FPU) label cycles through the register display modes.

Information window: shows the operands of the instruction currently selected in the disassembly window, together with decoded values such as jump destinations and strings.

Data window (dump): shows the contents of memory or of a file. The display format can be switched from the right-click menu.

Stack window: shows the stack of the current thread.

To resize any of these windows, left-click and hold on its border and drag. The new layout takes effect after OllyDbg is restarted.

After starting OllyDbg, the first thing to do is set the plugin and UDD directories to absolute paths. Open the menu Options -> Appearance; in the Appearance dialog that comes up, click the Directories tab:


Because I extracted OllyDbg to F:\OllyDBG here, the UDD directory and plugin directory are set as shown in the figure. Another tab you will use is Fonts, just behind it, where the fonts OllyDbg displays can be changed. The other options can be left at their defaults and adjusted later if needed. Click OK after making the changes; a dialog appears saying that the plugin path has changed and OllyDbg must be restarted. Click OK, restart OllyDbg, and open the Appearance options again: the paths we set have been saved. Some readers may know what plugins are for but not what the UDD directory is. Briefly, the UDD directory is where OllyDbg saves your debugging work. If you debug a program, set breakpoints and add comments but do not finish in one session, OllyDbg saves that work into the UDD directory so that you can pick up where you left off the next time you debug the same program. If no UDD directory is configured, OllyDbg saves these .udd files in its own installation directory, which quickly becomes a mess, so it is recommended to dedicate a directory to them.

The other important settings are the debugging options, found under the menu Options -> Debugging options:

Beginners generally do not need to change anything here; the defaults are usable as they are. It is better to come back and adjust these once you are reasonably familiar with OllyDbg. The Exceptions tab shown above is used heavily when unpacking, and it is recommended to configure it only after you have some debugging experience and are ready to unpack.

Besides starting OllyDbg and loading a program directly, OllyDbg can be added to the Explorer right-click menu, so that you can right-click an .exe or .dll file and choose "Open with OllyDbg" to debug it. To do this, open the menu Options -> Add to Explorer; in the dialog that appears, click "Add OllyDbg to system Explorer menu" and then "Done". Removing it is just as simple: in the same dialog, click "Remove OllyDbg from system Explorer menu" and then "Done".

OllyDbg supports plugins, and installing one is simple: copy the downloaded plugin (usually a DLL file) into the PLUGIN directory under the OllyDbg installation directory, and OllyDbg will recognise it automatically at startup. Note that OllyDbg 1.10 limits the number of plugins to 32; loading more than that produces an error. It is recommended not to install too many plugins.

That completes the basic configuration. All of OllyDbg's settings are stored in the Ollydbg.ini file in the installation directory.

2. Basic debugging methods

OllyDbg can load a program for debugging in three ways. The first is the menu File -> Open (shortcut F3), which opens an executable file for debugging. The second is the menu File -> Attach, which attaches to a running process; note that the program you want to attach to must already be running. The third is loading the program through the Explorer right-click menu (I am not sure whether this counts as a separate way). In general we use the first. For example, to debug a program test.exe, load it through File -> Open and OllyDbg will display the following:

The shortcut keys we use most often during debugging are these:

F2: Set a breakpoint. Put the cursor on an instruction (the grey bar) and press F2 to set a breakpoint there; press F2 again to remove it. (Equivalent to F9 in SoftICE)

F8: Step over. Each press executes one instruction in the disassembly window; when that instruction is a CALL to a subroutine or similar, the subroutine runs to completion without stepping into its code. (Equivalent to F10 in SoftICE)

F7: Step into. Works like step over (F8), except that a CALL to a subroutine is followed: execution stops on the first instruction of the subroutine. (Equivalent to F8 in SoftICE)

F4: Run to selection. Runs the program directly to the instruction under the cursor and pauses there. (Equivalent to F7 in SoftICE)

F9: Run. If no breakpoint is hit, pressing this key runs the program being debugged straight through. (Equivalent to F5 in SoftICE)

Ctrl+F9: Execute till return. Pauses when a RET (return) instruction is reached; often used to get back from system code (system "land") to the code of the program we are debugging. (Equivalent to F12 in SoftICE)

Alt+F9: Execute till user code. Used to return quickly from system code to the code of the program we are debugging. (Equivalent to F11 in SoftICE)

The shortcuts above are basically enough for ordinary debugging. To start debugging, set a breakpoint, find the section of code you are interested in, and use F8 or F7 to step through it while analysing what each instruction does. That's all for this part; I will continue when I have time.
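A self-written target is the safest way to practise the stepping keys above before opening a real binary. The following C program is an added example, not code from the article or from OllyDbg: it has two nested CALLs so that the difference between F8 (step over), F7 (step into) and Ctrl+F9 (execute till return) is visible in the disassembly window. The function names, the FNV-1a checksum and the sample input "a" are all constructed for this example; build it without optimisation (for instance `gcc -O0 target.c -o target.exe` or `cl /Od target.c`) so the compiler keeps every CALL and RET.

```c
#include <stdio.h>
#include <stdint.h>

/*
 * Added learning target (not part of the original article). Compile without
 * optimisation so that fnv1a32 and verify_checksum are real subroutines
 * reached by CALL instructions rather than inlined into main.
 */

/* Innermost routine. With the cursor on the CALL to this function inside
 * verify_checksum, F7 lands on its first instruction, while F8 runs the whole
 * loop as one step and stops on the instruction after the CALL. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811C9DC5u;          /* FNV-1a 32-bit offset basis */
    for (; *s != '\0'; ++s) {
        h ^= (unsigned char)*s;        /* xor in one byte ...            */
        h *= 0x01000193u;              /* ... then multiply by FNV prime */
    }
    return h;
}

/* Middle routine. After entering it with F7, Ctrl+F9 runs until its RET and
 * pauses there; one more F8 returns to the instruction after the CALL in main.
 * Returns 1 when the checksum matches, 0 otherwise. */
int verify_checksum(const char *msg, uint32_t expected)
{
    return fnv1a32(msg) == expected;
}

int main(void)
{
    /* Constructed sample input; 0xE40C292C is fnv1a32("a"). */
    const char *msg = "a";
    uint32_t expected = 0xE40C292Cu;

    /* Set an F2 breakpoint on the CALL to verify_checksum, then press F9. */
    int ok = verify_checksum(msg, expected);

    printf("checksum %s (computed 0x%08X, expected 0x%08X)\n",
           ok ? "matches" : "does NOT match", fnv1a32(msg), expected);
    return ok ? 0 : 1;
}
```

Load the compiled executable with File -> Open, set a breakpoint on the CALL to verify_checksum in main, press F9 to reach it, and then compare what F8 and F7 do on that same instruction; once inside verify_checksum, Ctrl+F9 takes you to its RET and the stack window shows the return address into main.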
