
What is Olly Debugger?

From the author, Oleh Yuschuk, “OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.” Olly is also a “dynamic” debugger, meaning it allows the user to change quite a few things while the program is running.

This is very helpful when experimenting with a binary, trying to figure out how it works. Olly has many, many great features, and that is why it is probably the number one debugger used for reverse engineering (at least in ring 3, but we’ll get to that later.)

An Overview

Here is a picture of Olly’s main display, along with some labels:

Main Olly Display

Olly opens with the default window, CPU, shown.

This is where most of the “big-picture” data is. In case you ever close this window, just click the “C” icon in the toolbar. It is separated into 4 main sections: Disassembly, Registers, Stack, and Dump. Here is a description of each section.

1. Disassembly

This window contains the main disassembly of the code for the binary.

This is where Olly displays information in the binary, including the opcodes and translated assembly language. The first column is the address (in memory) of the instruction. The second column is what’s called the opcodes: in assembly language, every instruction has at least one code associated with it (many have multiple).

This is the code that the CPU really wants, and the only code it can read. These opcodes make up ‘machine language’, the language of the computer. If you were to view the raw data in a binary (using a hex editor) you would see a string of these opcodes, and nothing more.

One of Olly’s main jobs is to ‘disassemble’ this ‘machine language’ into more human readable assembly language. The third column is that assembly language. Granted, to someone who does not know assembly, it doesn’t look much better than the opcodes, but as you learn more, the assembly offers FAR more insight into what the code is doing.

The last column is Olly’s comments on that line of code.

Sometimes this contains the name of API calls (if Olly can figure them out) such as CreateWindow and GetDlgItemX. Olly also tries to help you understand the code by giving any calls that are not part of the API somewhat helpful names, in the case of this picture, “ImageRed.00510C84″ and “ImageRed.00510BF4″.

Granted, these are not that helpful, but Olly also allows us to change them into more meaningful names. You may also put your own comments in this column; just double-click on the line in this column and a box pops up allowing you to enter your comment. These comments will then be saved for next time automatically.
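To make the four columns concrete, here is an added example (not code from the tutorial or from OllyDbg) that decodes a handful of common 32-bit opcodes into Olly-style rows: address, opcode bytes, assembly, and a comment. The bytes, the load address 00401000 and the module name “sample” are constructed for the example, and the decoder only knows the few register forms listed in its tables.

```python
import struct

# Constructed sample (not taken from any real program): opcode bytes of a tiny
# 32-bit function as they would appear in a hex editor, loaded at BASE.
BASE = 0x00401000
MODULE = "sample"          # assumed module name, used for Olly-style call labels
CODE = bytes.fromhex(
    "55"          # PUSH EBP
    "8BEC"        # MOV EBP,ESP
    "33C0"        # XOR EAX,EAX
    "E805000000"  # CALL +5 (relative to the next instruction)
    "5D"          # POP EBP
    "C3"          # RETN
    "909090"      # NOP padding
    "B82A000000"  # MOV EAX,2A
    "C3"          # RETN
)

ONE_BYTE = {0x55: "PUSH EBP", 0x5D: "POP EBP", 0xC3: "RETN", 0x90: "NOP"}
# opcode + ModRM pairs this toy decoder knows (only these register forms)
TWO_BYTE = {(0x8B, 0xEC): "MOV EBP,ESP", (0x33, 0xC0): "XOR EAX,EAX"}

def decode_one(code, off, base):
    """Decode the instruction at code[off]; return (length, mnemonic, comment)."""
    op = code[off]
    if op in ONE_BYTE:
        return 1, ONE_BYTE[op], ""
    if off + 1 < len(code) and (op, code[off + 1]) in TWO_BYTE:
        return 2, TWO_BYTE[(op, code[off + 1])], ""
    if op == 0xE8 and off + 5 <= len(code):           # CALL rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = (base + off + 5 + rel) & 0xFFFFFFFF  # relative to the next instruction
        return 5, "CALL %08X" % target, "%s.%08X" % (MODULE, target)
    if op == 0xB8 and off + 5 <= len(code):           # MOV EAX,imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return 5, "MOV EAX,%X" % imm, ""
    return 1, "DB %02X" % op, "unknown opcode"         # undecodable byte shown as data

def disassemble(code, base):
    """Return rows of (address, opcode bytes, assembly, comment), like Olly's columns."""
    rows, off = [], 0
    while off < len(code):
        length, asm, comment = decode_one(code, off, base)
        rows.append((base + off, code[off:off + length].hex().upper(), asm, comment))
        off += length
    return rows

if __name__ == "__main__":
    for addr, opc, asm, com in disassemble(CODE, BASE):
        print("%08X  %-12s %-16s %s" % (addr, opc, asm, com))
```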

2. Registers

Every CPU has in it a number of registers. These are temporary holders for values, much like a variable in any major programming language. Here is a more detailed (and labeled) view of the registers window:

On the top are the actual CPU Registers. The registers will change color, from black to red, if they have been changed (makes it really easy to watch for changes).

You can also double click on any of the registers to change their contents. These registers are used for many things, and we will have much more to say about them later.

The middle section are flags, used by the CPU to flag the code that something has happened (two numbers are equal, one number is greater than another, etc).

Double clicking on one of the flags changes it. These will also play an important part in our journey.

The bottom section are the FPU, or Floating Point Unit, registers. These are used whenever the CPU performs any arithmetic involving decimal points. These are rarely used by reversers, mostly when we get into encryption.

3. The Stack

The stack is a section of memory reserved for the program as a ‘temporary’ list of data. This data includes pointers to addresses in memory, parameters, markers, and most importantly, return addresses for the code to return to when calling a function.

When a method in a program calls another method, control needs to be shifted to this new method so that it can run.


The CPU must keep track of where this new method was called from so that when this new method is done, the CPU can return to where it was called and continue executing the code after the call. The stack is where the CPU will hold this return address.

One thing to know about the stack is that it is a “First In, Last Out” data structure.

The analogy normally used is one of those stacks of plates at a cafeteria that are spring loaded. When you ‘push’ a plate onto the top, all of the plates underneath are pushed down. When you take (‘pop’) a plate off the top, all of the plates that were underneath rise up one level.

We will see this in action in the next tutorial, so don’t worry if it’s a little hazy.

In this picture, the first column is the address of the data item, the second column is the hex, 32-bit representation of the data, and the last column is Olly’s comments about this data item, if it can figure them out.

If you notice the top row, you will see a “RETURN to kernel…” comment. This is an address that the CPU has placed on the stack for when the current function is done, so that it will know where to return to.

In Olly, you can right click on the stack and choose ‘modify’ to change the contents.
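The following is an added model (not code from the tutorial) of what the CPU does to the stack on CALL, PUSH, POP and RETN, with a dump in the three columns Olly shows: address, 32-bit value, and a “RETURN to …” comment for slots written by a CALL. The starting ESP, the code addresses and the module name “sample” are constructed for the example.

```python
class Stack:
    """Tiny model of the x86 stack: a dict of dword slots plus ESP."""

    def __init__(self, esp=0x0012FF88, module="sample"):
        self.mem = {}          # address -> 32-bit value
        self.esp = esp         # constructed starting stack pointer
        self.module = module   # assumed module name for Olly-style comments
        self.ret_slots = {}    # address of slot -> (return address, call target)

    def push(self, value):
        self.esp -= 4          # the stack grows toward lower addresses
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        if self.esp not in self.mem:
            raise IndexError("stack underflow: ESP points outside pushed data")
        value = self.mem.pop(self.esp)
        self.ret_slots.pop(self.esp, None)
        self.esp += 4          # the plate below rises to the top
        return value

    def call(self, eip, insn_len, target):
        """CALL pushes the address of the instruction after the CALL, then jumps."""
        self.push(eip + insn_len)
        self.ret_slots[self.esp] = (eip + insn_len, target)
        return target          # the new EIP

    def ret(self):
        """RETN pops the saved return address back into EIP."""
        return self.pop()

    def dump(self):
        """Rows as Olly's stack pane shows them: top of stack (lowest address) first."""
        rows = []
        for addr in sorted(self.mem):
            comment = ""
            if addr in self.ret_slots:
                ret_to, frm = self.ret_slots[addr]
                comment = "RETURN to %s.%08X from %s.%08X" % (self.module, ret_to, self.module, frm)
            rows.append((addr, self.mem[addr], comment))
        return rows

def run_scenario():
    """Drive the model through a CALL, a PUSH/POP inside the callee, and a RETN."""
    st = Stack()
    eip = 0x00401005                    # constructed address of a 5-byte CALL
    eip = st.call(eip, 5, 0x0040100F)   # return address becomes 0040100A
    snapshot = st.dump()                # what the stack pane shows inside the callee
    st.push(0x0012FFC0)                 # PUSH EBP in the callee
    ebp = st.pop()                      # POP EBP: last pushed comes off first
    eip = st.ret()                      # RETN: EIP is back after the CALL
    return snapshot, ebp, eip, st.esp
```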

4. The Dump

Earlier in this tutorial, when we talked about the raw ‘opcodes’ that the CPU reads inside a binary, I mentioned that you could see this raw string in a hex viewer.

Well, in Olly, you don’t have to. The dump window is a built-in hex viewer that lets you see the raw binary data, only in memory as opposed to on disk. Usually it shows two views of the same data: hex and ASCII. These are shown in the two right-hand columns in the previous picture (the first column is the address in memory where the data resides.) Olly does allow these representations of data to be changed, and we will see this later in the tutorials.


The Toolbar

Unfortunately, the Olly toolbar leaves a little to be desired (especially as English is not the author’s first language.) I have labeled the left hand toolbar icons to help:

These are your main controls to run code.

Keep in mind that, especially as you start out using Olly, all of these buttons are also accessible from the “Debug” drop down menu, so if you don’t remember what something is, you can look in there.

I will make a couple of remarks about some of the icons.

“Re-load” is basically to restart the app and pause it at the entry point. All patches (see later) will be disabled, some breakpoints will be disabled, and the app will not have run any code yet, well, most of the time anyway.


“Run” and “Pause” do just that. “Step In” means run one line of code and then pause again, stepping into a function call if there was one. “Step Over” does the same thing, but jumps over a call to another function. “Animate” is just like Step In and Step Over except it does it slowly enough that you can watch it.

You won’t use this much, but sometimes it’s fun to see code run, especially if it’s a polymorphic binary and you can watch the code change. But I’m getting ahead of myself…

Next are the (even more cryptic) windows icons:

Each of these icons opens a window, some of which you will use often, some rarely.

Even though they are not the most intuitive letters, you can also do like I did and just start clicking them all until you find what you want. Each of these is also accessible in the “View” menu, so you can get some help when first starting out. I will go over some of the more common windows right now:

1. (M)emory

The memory window displays all of the memory blocks that the program has allocated. It includes the main sections of the running app (in this case, the “Showstr” items in the first column). You can also see a lot of other sections down the list; these are DLL’s that the program has loaded into memory and plans on using.

If you double-click on any of these sections, a window will open showing a disassembly (or hex dump) of that section. This window also shows the type of block, the access rights, the size and the memory address where the section is loaded.

2. (P)atches

This window displays any “patches” you have made, ie. any changes to the original code. Notice that the state is set as Active; if you re-load the app (by clicking the re-load icon) these patches will become disabled. In order to re-enable them (or disable them) simply click on the desired patch and hit the spacebar. This toggles the patch on/off. Also notice that in the “Old” and “New” columns it shows the original instructions as well as the changed instructions.

3. (B)reakpoints

This window shows where all of the current breakpoints are set. This window will be your friend.

4. (K)all Stack

(Gee, I wonder why beginners have a hard time identifying these icons…)

This window is different from the “Stack” seen earlier.

It shows a lot more info about calls being made in the code, the parameters sent to those functions, and more. We will see more of this shortly.

* In the next tutorial I will be including my version of Olly with many ‘upgrades’, some of which are buttons that you can actually understand.

Here, you can see a picture of it *

The Context Menu

For the last item of this tutorial, I wanted to quickly introduce you to the right-click menu in Olly. It is where a lot of the action happens, so you should at least be familiar with it. Right-clicking anywhere in the disassembly window brings it up:

I will only go over the most popular items now.

As you gain experience, you will end up using some of the less used options.

“Binary” allows editing of the binary data at a byte-by-byte level. This is where you may change an “Unregistered” string buried in a binary to “Registered”. “Breakpoint” allows you to set a breakpoint.

There are several types of breakpoints and we will be going over them in the next tutorial. “Search For” is a rather large sub-menu, and it’s where you search the binary for data such as strings, function calls etc. “Analysis” forces Olly to re-analyze the section of code you are currently viewing.

Sometimes Olly gets confused as to whether you are viewing code or data (remember, they’re both just numbers), so this forces Olly to reconsider where you are in the code and try to guess what this section should look like.

Also notice that my menu will look different from yours in that I have some plugins installed and they add some functionality.

Don’t worry, we will be going over all of these in future tuts.


-Well, till next time.

R4ndom