OllyDbg Debuger

What is OllyDbg OllyDbg is a debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries http://en.wikipedia.org/wiki/OllyDbg

Versions Version 1.10 is the final 1.x release. Version 2.0 is in development and is being written from the ground up. Note: The current version of OllyDbg cannot disassemble binaries compiled for 64 bit processors.

Features Executes program in a controlled environment. Allows the flow of the program to be controlled. Uses a convenient layout showing hexadecimal, assembly, CPU registers and stack. Allows the program to be dumped from the memory onto the hard-disk. Highlights recently changed values in memory/stack/CPU registers.

Window Layouts Window layouts are the various parts of the UI that contain pertinent information Code window – Displays the executable machine code Register window – Allows the user to watch the contents of each register during execution Memory window – Allows the user to view the contents of various memory locations Stack window – Displays the stack, including memory addresses and values

Working in OllyDbg Navigation Commenting Listing Names Showing Memory Moving Searching Commenting Can be entered in the code window with the ; or : keys Listing Names The names window displays all functions or imported functions used in the program Listing them is easy via the shortcut Ctrl + N Showing Memory Displaying memory can be useful when looking for strings or other important data Displaying the memory map window can be achieved via Alt + M

Working in OllyDbg Cont… Breakpoints Breakpoints allow the debugger to stop at a specified address or instruction There are two types of breakpoints in general Software breakpoints Handled by the operating system Set by navigating to the specified address and hitting F2 Hardware breakpoints Handled by the processor Set by finding a place in memory you want to break on access and right clicking selecting the proper option Olly also provides a way to view and turn on and off breakpoints via the breakpoints window with Alt + B

Working in OllyDbg Cont… Controlling Execution Starting the process Once the target program is either loaded or attached in Olly you can start execution. This will actually set up an initial breakpoint at the application entry point There are several ways you can proceed from the entry point Single stepping Executes one instruction at a time and can be achieved by hitting F7 Steps into every function Tedious as fuck Execute until return Executes until the ret instuction is encoutered which can be achieved by hitting Ctrl + F9 Executes all instructions in the current function Faster than single stepping but not as comprehensive

Working in OllyDbg Cont… Watching execution Registers Handled in the register window Red highlighting indicates a register has changed Stack Handled in the stack window Display can be address or relative address from ebp Call stack Displays the functions the current function has been called from Can be displayed with the shortcut Alt + K

Demo Cracking a program using buffer overflow Rfile() function address: 0x004013B0 Register address: 0x0013FB78 Return address: 0x0040132C Buffer address: 0x0013FB6C Buffer length: 10 Bytes Address length: 2 Bytes

Tota Tota Story End… The End