Using Ollydbg - Part 1
Required Knowledge
It is recommended that you have an understanding of the basic assembly concepts; follow the links here.
There's no doubt that Ollydbg is a hugely powerful debugger (and so much more) but, of course, with this repository of power comes the need to learn how to use the tool. As intuitive as it is, even I'm still learning about nifty new features it has. As an example of its versatility, most people who make a change in the debugger will open a hex editor, such as Hiew or RTA, to finalize their changes. However, Ollydbg has its own function to save modifications to a file. Not only does it have this option, but you can specify which modifications to write to the new file, if need be (useful for not saving changes which only affect someone debugging the application, rather than the end user).
So, over the span of two or three tutorials, I intend to show you the basics (and maybe a few neat little tricks along the way) of Ollydbg.
First off, the interface:
Open up Ollydbg and ensure it is maximised, you should see something similar to the above picture.
1: The file menu and accompanying icons contain many commands which range from stepping through the disassembly, one line at a time, to opening up the various windows. It is also from here that you can change various debugger options.
The icons are mostly there for quick reference and play little role once you know your shortcuts.
2: Part of the main code section, this column displays the address of each instruction, either as a virtual address or as an offset from a chosen address.
3: This column contains the opcodes as you would see them in a plain hex editor. However, it also contains various useful symbols, such as a $ sign to indicate the start of a function, or the >, V and ^ symbols to indicate jumps (V and ^ indicate that the code jumps down or up, whereas a > indicates that some code jumps to that specific location). Small lines enclosing areas (starting at a $ and ending at a RETN opcode of some sort) indicate entire functions.
4: Next is a wordy representation of the opcodes, giving the name of each instruction and the parameters used. Lines in this column can also indicate jump paths, similarly to those in the previous column.
5: This section is a space for comments, input by both the debugger and the user. Such debugger comments include comments on switches (and their cases), arguments for known functions and guessed functions. Also, it will show ASCII text if referenced by the corresponding opcode.
6: This little bar provides lots of information about the current instruction being debugged. For instance, it will note the contents of evaluations within the arguments for the current line. For example, if the line in question were 'MOV EDI,94' the area would display the contents of EDI (and any extra information about the contents of EDI, if available). It can also evaluate memory expressions and will echo if a conditional jump is to be taken.
7: The registers window gives information on the standard registers, flags, segment registers and will give extra information on either the debug/FPU/MMX or 3DNow! registers. The contents and states of many of these registers/flags can be changed when 'stepping' through code.
8: This area is a dump for any memory address specified. Addresses are given along with the raw data. Extra options can be specified on how to display this data further, ASCII/Unicode/Shorts etc. and can even disassemble the data (even if it isn't supposed to be executed as code).
9: Finally, this is the stack window. Again, the addresses can be given as either virtual addresses or offsets from a specified address. The contents of each 4-byte section are then displayed as a hex value, which can be shown as hex or UNICODE or not at all, and then extra comments are given (much like the main code section, except always with 4 bytes per line).
There are many, many more windows; however, we'll tackle them as we encounter them.
Now it's time to load up a program! Download the attached file, Target1_Ollydbg1Tut.rar (a simple message box example), and then open the executable, called OllydbgPartI_Tut.exe, in Ollydbg (F3, or the open icon or menu entry).
This will take you to the module entry point. Note that section 6 should say ollydbgp. Now you can begin to run through the code. If you press F9 the application will run as normal.
Of course, that wasn't much use, we learnt zip all about the program! Let's examine it line by line (to restart the program inside Ollydbg press Ctrl+F2). This time, let's examine some of the previously mentioned parts of Ollydbg.
If we look at the main code window (2, 3, 4 & 5), we will see the instructions our program is made up of (short and sweet eh?). There are comments which show the arguments of the two calls (to MessageBox and ExitProcess) etc. Nothing too special, but it might be worth just taking in what the different symbols look like.
If we move on to (7) we will see the various registers. The main CPU registers will always be shown (EAX, ECX, EIP, ESP etc.) as will the flags and segment registers. It should be fairly easy to see the contents of each register at this point in the program, and you can try to modify a register. For example, right click the hex number next to EAX and click Modify (take time to note the other functions available for modifying registers' contents). You can set this register to whatever you want; of course, this may not always be wise in other programs. You can also modify the contents of a register by double clicking the hex value next to the register you wish to modify.
Also, if you wish to view the contents of other sets of registers (for example, the MMX registers) you can do so by either clicking the title of the section (which says "Registers (FPU)" by default) or by right clicking the section and selecting View -> registers. For some reason it seems you can only view the debug registers by the latter method. Can't have everything I guess ;)
Next, let's look at (8), the hex dump. The hex dump will try to show the .data section by default. In this program the .data section contains our strings, msgTitle and msgCaption (see the asm source). If we wanted to edit the data, we'd simply highlight the bytes we wish to edit in the hex dump by left clicking and dragging, then right click and choose Binary -> Edit. This allows us to edit the selected data in three ways: as hexadecimal numbers, as UNICODE characters or as ASCII characters. Let's try ASCII first: replace the word 'mum' with 'dad' and click OK.
Now run the program and, with a bit of luck, the changes should be evident when the message box appears. It should now say "Hi dad!" and the program should execute as normal.
It is important to realise that you can generally only edit a hardcoded string to make one of equal or lesser length (without doing a bit more work). This is because:
- Increasing the length of a string could overwrite other data or code,
- The length of the serial may be hardcoded into a function, i.e. it may have no 'null terminator', just a set size.
However, this should be apparent from knowledge of assembly.
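To make those two length pitfalls concrete, here is an added C example (not part of this tutorial or its target program) that models a Binary -> Edit style patch on a constructed stand-in for the .data section; the buffers data and field and the helpers patch_cstring and patch_fixed are names chosen for this illustration only.

```c
#include <stdio.h>
#include <string.h>

enum patch_result { PATCH_OK = 0, PATCH_TOO_LONG = 1, PATCH_OUT_OF_RANGE = 2 };
/* Constructed stand-in for the target's .data: caption at offset 0, title at 8,
   plus a separate 8-byte field that is read by size rather than by terminator. */
static unsigned char data[]  = "Hi mum!\0Tutorial";
static unsigned char field[] = "ABCD1234XYZ";

/* Bytes used by the NUL-terminated string at sec[off], NUL included (bounded strlen). */
static size_t slot_len(const unsigned char *sec, size_t sec_len, size_t off)
{
    size_t n = off;
    while (n < sec_len && sec[n] != '\0') n++;
    return n - off + (n < sec_len); /* no NUL found: slot ends at sec_len */
}

/* Replace the NUL-terminated string at sec[off] with repl, but refuse if repl plus
   its NUL is longer than the original slot: the surplus would land on whatever follows. */
int patch_cstring(unsigned char *sec, size_t sec_len, size_t off, const char *repl)
{
    if (off >= sec_len) return PATCH_OUT_OF_RANGE;
    size_t slot = slot_len(sec, sec_len, off);
    size_t need = strlen(repl) + 1;
    if (need > slot) return PATCH_TOO_LONG;
    memcpy(sec + off, repl, need);
    memset(sec + off + need, 0, slot - need); /* clear the rest of the slot */
    return PATCH_OK;
}

/* Replace a field read with a hardcoded size and no terminator: a shorter replacement
   is padded to field_len with pad (the consumer reads every byte anyway), a longer one refused. */
int patch_fixed(unsigned char *sec, size_t sec_len, size_t off, size_t field_len,
                const char *repl, unsigned char pad)
{
    if (off > sec_len || field_len > sec_len - off) return PATCH_OUT_OF_RANGE;
    size_t n = strlen(repl);
    if (n > field_len) return PATCH_TOO_LONG;
    memcpy(sec + off, repl, n);
    memset(sec + off + n, pad, field_len - n);
    return PATCH_OK;
}

int main(void)
{
    int r1 = patch_cstring(data, sizeof data, 0, "Hi dad!");   /* fits: 0 */
    int r2 = patch_cstring(data, sizeof data, 0, "Hi daddy!"); /* refused: 1 */
    printf("%d %d caption=\"%s\" title=\"%s\"\n", r1, r2, (char *)data, (char *)data + 8);
    return 0;
}
```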
For a graphic tutorial, click here.