OllyDbg Debugger
What is OllyDbg
OllyDbg is a debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, and locates routines from object files and libraries.
Source: http://en.wikipedia.org/wiki/OllyDbg
Versions
• Version 1.10 is the final 1.x release.
• Version 2.0 is in development and is being written from the ground up.
• Note: The current version of OllyDbg cannot disassemble binaries compiled for 64 bit processors.
Features
• Executes the program in a controlled environment.
• Allows the flow of the program to be controlled.
• Uses a convenient layout showing hexadecimal, assembly, CPU registers and the stack.
• Allows the program to be dumped from memory onto the hard disk.
• Highlights recently changed values in memory, the stack and the CPU registers.
Window Layouts
• Window layouts are the various parts of the UI that contain pertinent information
  • Code window – Displays the executable machine code
  • Register window – Allows the user to watch the contents of each register during execution
  • Memory window – Allows the user to view the contents of various memory locations
  • Stack window – Displays the stack, including memory addresses and values
Working in OllyDbg
• Navigation
  • Moving
  • Searching
• Commenting
  • Comments can be entered in the code window with the ; or : keys
• Listing Names
  • The names window displays all functions or imported functions used in the program
  • Listing them is easy via the shortcut Ctrl + N
• Showing Memory
  • Displaying memory can be useful when looking for strings or other important data
  • The memory map window is opened via Alt + M
Working in OllyDbg Cont…
• Breakpoints
  • Breakpoints allow the debugger to stop at a specified address or instruction
  • There are two types of breakpoints in general
    • Software breakpoints
      • Handled by the operating system
      • Set by navigating to the specified address and hitting F2
    • Hardware breakpoints
      • Handled by the processor
      • Set by finding the place in memory you want to break on access, right clicking and selecting the proper option
  • Olly also provides a way to view and turn breakpoints on and off via the breakpoints window with Alt + B
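As an added illustration of the two breakpoint types above (example code written for this page, not OllyDbg's own implementation; the code bytes and addresses are constructed, borrowing the demo's Rfile() address only as a sample value), a Python model of how an x86 INT3 software breakpoint patches and later restores a code byte, versus a hardware breakpoint that only occupies one of the four debug-register slots and leaves the code image untouched:

```python
# Model of debugger breakpoint handling (illustrative, not OllyDbg code).
INT3 = 0xCC  # one-byte x86 INT3 opcode the OS turns into a trap for the debugger


class SoftwareBreakpoints:
    """Software breakpoints: the debugger overwrites the first byte of the
    target instruction with 0xCC and remembers the original byte."""

    def __init__(self, code: bytearray, base: int):
        self.code = code    # constructed image of the code section
        self.base = base    # virtual address of code[0]
        self.saved = {}     # address -> original byte

    def set(self, addr: int) -> None:
        if addr in self.saved:
            return                      # already armed
        off = addr - self.base
        self.saved[addr] = self.code[off]
        self.code[off] = INT3

    def clear(self, addr: int) -> None:
        self.code[addr - self.base] = self.saved.pop(addr)

    def on_trap(self, eip: int) -> int:
        """The OS delivers the INT3 exception after the CPU has executed the
        one-byte INT3, so EIP points one byte past the breakpoint.  The
        debugger rewinds EIP and restores the byte so the real instruction
        runs when execution resumes (a real debugger re-arms it afterwards)."""
        bp = eip - 1
        if bp not in self.saved:
            return eip                  # an INT3 belonging to the program itself
        self.clear(bp)
        return bp

    def patched_addresses(self) -> list:
        """Addresses whose bytes differ from the original image; an integrity
        check over the code section would notice exactly these."""
        return sorted(self.saved)


class HardwareBreakpoints:
    """Hardware breakpoints: DR0-DR3 hold addresses the CPU compares on each
    access; no code byte is modified, so the image stays pristine."""

    def __init__(self):
        self.slots = [None] * 4         # x86 provides four debug address registers

    def set(self, addr: int, access: str) -> int:
        for i, slot in enumerate(self.slots):
            if slot is None:
                self.slots[i] = (addr, access)
                return i                # index of the DRn used
        raise RuntimeError("all four hardware breakpoint slots are in use")

    def check(self, addr: int, access: str) -> bool:
        return any(s == (addr, access) for s in self.slots)
```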
Working in OllyDbg Cont…
• Controlling Execution
  • Starting the process
    • Once the target program is either loaded or attached in Olly you can start execution. This actually sets up an initial breakpoint at the application entry point
    • There are several ways you can proceed from the entry point
  • Single stepping
    • Executes one instruction at a time; achieved by hitting F7
    • Steps into every function
    • Tedious as fuck
  • Execute until return
    • Executes until the ret instruction is encountered; achieved by hitting Ctrl + F9
    • Executes all instructions in the current function
    • Faster than single stepping but not as comprehensive
Working in OllyDbg Cont…
• Watching execution
  • Registers
    • Handled in the register window
    • Red highlighting indicates a register has changed
  • Stack
    • Handled in the stack window
    • Display can be absolute addresses or addresses relative to ebp
  • Call stack
    • Displays the functions the current function has been called from
    • Can be displayed with the shortcut Alt + K
Demo
• Cracking a program using a buffer overflow
  • Rfile() function address: 0x004013B0
  • Register address: 0x0013FB78
  • Return address: 0x0040132C
  • Buffer address: 0x0013FB6C
  • Buffer length: 10 Bytes
  • Address length: 2 Bytes