Ollydbg: Crash Course in Ollydbg

This document provides an overview of the disassembler and debugger OllyDbg. It discusses that OllyDbg is used to analyze 32-bit executable files by converting machine code to assembly code. It describes OllyDbg's interface, stepping functions, breakpoints, tracing capabilities, and how to debug applications and DLLs. The document also notes some advantages of OllyDbg like its intuitive interface and ability to debug without installing anything.

Uploaded by

Sandro Melo

OllyDbg

Crash Course in OllyDbg


Instructor: Hadi Alnabriss
What is OllyDBG?
• OllyDbg is a 32-bit disassembler and debugger for Windows
▫ It also contains an assembler, so you can patch instructions in place
• OllyDbg was first released more than ten years ago
• Used for cracking applications and for malware analysis
▫ Caution: use this tool only for lawful purposes, on software you are allowed to analyze
Software Cycle
• Software developers use high-level programming languages to create binary applications
▫ High-Level Language (C, C++, C#, etc) → Compiler → Machine Code (like .exe files) → CPU
• In more detail, the compiler first produces assembly language, which an assembler turns into machine code
▫ High-Level Language (C, C++, C#, etc) → Compiler → Assembly Language → Assembler → Machine Code (like .exe files) → CPU
Software Cycle
• To debug or analyze a binary application we would like to convert the machine code back to its real source code
▫ This is still impossible in general: compilation throws away names, types and comments, so the original source cannot be recovered from the .exe
▫ Machine Code (like .exe files) → Disassembler → ? → High-Level Language (C, C++, C#, etc)
Software Cycle
• We can only convert machine code back to assembly!
▫ Some projects (decompilers) work on producing source-like code from machine code, but their output is an approximation of the original source, not the source itself
▫ Machine Code (like .exe files) → Disassembler → Assembly Language
▫ The CPU executes the machine code; the disassembler only reads it
Disassembler vs Debugger
• A disassembler only converts machine code to assembly code, without running it (like IDA Pro)
Disassembler vs Debugger
• A debugger (like OllyDBG) shows you the assembly code and also runs the application, so you can trace:
▫ Memory
▫ Registers
▫ Stack
• Note: you will see the values of memory, registers and the stack change while the program runs, and you can change any of these values yourself
• Note: if you are debugging malicious code, it really executes and can infect your machine; do this only in an isolated, disposable virtual machine with a snapshot you can revert to
Two Debuggers
• Ollydbg
▫ Most popular for malware analysis
▫ Debugs user-mode applications only
• Windbg
▫ Supports kernel-mode debugging
▫ More complex; command-line knowledge required
▫ Out of the scope of this course
OllyDBG Advantages
• Intuitive user interface.
• Directly loads and debugs DLLs
• Allows for user-defined labels, comments and function descriptions
• No installation - no trash in registry or system directories
• Debugs multithread applications
• Attaches to running programs
• Recognizes ASCII and UNICODE strings
• Sets conditional, logging, memory and hardware breakpoints
• Can export a patched copy of the executable with your modified machine code ("Copy to executable")
System Requirements
• Works with most Windows operating systems
▫ During this course I'll use Windows 10, 64-bit
▫ Caveat: OllyDbg is itself a 32-bit program; on 64-bit Windows it can only debug 32-bit (WOW64) processes, never 64-bit ones
• 64 MB physical memory (128 MB recommended)
• At least 20 MB free disk space
• VGA display (SVGA with a screen resolution of at least 800x600 is strongly recommended)
• Mouse or compatible pointing device (required)
• Administrative rights (needed to attach to processes running under other accounts; for your own test programs a normal user account is enough)
Download OllyDBG
• Download the final stable version from the URL:
▫ http://www.ollydbg.de/download.htm
Start Debugging (2 ways)
• Start the program under the debugger (File > Open)
▫ It stops immediately before executing the program's entry point, so none of the program's own code has run yet
• Attach the debugger to a program that is already running (File > Attach)
▫ All its threads are paused
▫ Useful to debug a process that malware has injected into or otherwise tampered with
OllyDBG Interface
[Screenshot of the CPU window, which is split into four panes:]
• Disassembler (top left): shows the instructions
• Registers (top right)
• Memory Dump (bottom left)
• Stack (bottom right)
Instructions Sample
[Screenshot of a disassembled routine, annotated: start of routine, a possible loop, end of routine and return]
Menu Buttons
[Screenshot of the toolbar with these buttons labelled:]
• Step Into
• Step Over
• Trace Into
• Trace Over
• Run/Play
• Pause
• Run Until Return
• Go To Address
Windows Launching
• Toolbar letters (several also open with Alt+letter, e.g. Alt+M for the memory map):
• L : Log data
• E : Executable modules
• M : Memory map
• T : Threads
• W : Windows
• H : Handles
• C : CPU
• / : Patches
• K : Call stack
• B : Breakpoints
• R : References
• … : Run trace
• S : Source
Stepping
• When you start debugging, OllyDBG detects the entry point of your application and stops there
▫ Note: the entry point is the first instruction the OS jumps to; for compiled C/C++ programs that is usually the runtime's startup code, which only later calls main. Expect some stepping (or a breakpoint on main) before you reach the program's own logic
• Then you can use stepping
▫ Stepping executes instructions one by one
Stepping INTO vs OVER
• Assume that we have a function call, and this call prints "hello"
• Stepping Over executes the whole call as one command and stops at the instruction after the CALL
▫ Stepping over doesn't show you the details of the function
• Stepping Into takes you to the first instruction inside the called function
• Note: only use Step Into if you think that the call has important functionality; otherwise use Step Over
▫ If you stepped into a call by mistake, Run Until Return (Ctrl+F9) runs the rest of the current function and stops at its RET
Stepping INTO vs OVER
• To Step Into > F7
• To Step Over > F8
Breakpoints
• Software execution
• Hardware execution
• Conditional
Software Execution Breakpoints
• The default option for most debuggers (F2 in OllyDBG)
• The debugger overwrites the first byte of the instruction with 0xCC
▫ The opcode of INT 3, an interrupt designed for use with debuggers
▫ When the CPU executes it, the OS raises an exception and transfers control to the debugger
▫ The debugger then restores the original byte, moves EIP back by one, single-steps the real instruction and writes 0xCC back
▫ Caveat: the 0xCC is visible to the program itself (for example to code that checksums its own instructions), so some protected programs can detect it
• Example: the toggle breakpoint
[Screenshot: a breakpoint toggled on an instruction with F2; OllyDbg keeps showing the original instruction, not the 0xCC]
Hardware Execution Breakpoints
• Use the CPU debug registers
▫ DR0 through DR3 hold the addresses of up to four breakpoints
▫ DR7 stores the control information (enable bits, break type, length)
• No change to the code bytes, so self-checking code does not notice them
▫ Limited to four at a time
Conditional Breakpoints
• Break only if a condition is true (for example EAX == 5)
• Implemented as software breakpoints: the INT 3 fires on every pass, the debugger evaluates the condition and resumes silently when it is false
▫ So they are slow inside hot loops
Conditional Breakpoints
[Screenshot: the conditional breakpoint dialog]
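The bookkeeping behind the three breakpoint kinds above, as an added example (it is not OllyDbg's code and not from the slides): a byte buffer stands in for the debuggee's code section, and the debugger structure, function names and the sample opcode bytes are this example's own assumptions. It shows the 0xCC patch and the EIP-minus-one rewind of a software breakpoint, a conditional breakpoint as the same INT 3 plus a check on every hit, the DR0..DR3/DR7 encoding of a hardware execution breakpoint, and why only the software kind changes a checksum of the code.

```c
/* Added example: simulated debugger bookkeeping for software, conditional
 * and hardware breakpoints. Not OllyDbg code; all names are illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define INT3 0xCC
#define MAX_SW_BP 16

/* One software breakpoint: address, the byte it replaced, optional condition */
struct sw_bp {
    int used;
    uint32_t addr;
    uint8_t saved;
    int (*cond)(uint32_t eax);
};

struct debugger {
    uint8_t *code;      /* the debuggee's code bytes; software bps patch these */
    size_t code_len;
    struct sw_bp sw[MAX_SW_BP];
    uint32_t dr[4];     /* DR0..DR3: breakpoint addresses */
    uint32_t dr7;       /* debug control register */
};

void debugger_init(struct debugger *d, uint8_t *code, size_t len) {
    memset(d, 0, sizeof *d);
    d->code = code;
    d->code_len = len;
}

static struct sw_bp *find_sw_bp(struct debugger *d, uint32_t addr) {
    for (int i = 0; i < MAX_SW_BP; i++)
        if (d->sw[i].used && d->sw[i].addr == addr) return &d->sw[i];
    return NULL;
}

/* Software breakpoint: remember the first byte of the instruction and
 * overwrite it with INT3. cond == NULL means an unconditional breakpoint. */
int sw_bp_set(struct debugger *d, uint32_t addr, int (*cond)(uint32_t)) {
    if (addr >= d->code_len) return -1;
    if (find_sw_bp(d, addr)) return 0;            /* already set */
    for (int i = 0; i < MAX_SW_BP; i++) {
        if (!d->sw[i].used) {
            d->sw[i].used = 1;
            d->sw[i].addr = addr;
            d->sw[i].cond = cond;
            d->sw[i].saved = d->code[addr];
            d->code[addr] = INT3;
            return 0;
        }
    }
    return -1;                                    /* table full */
}

enum trap_action { TRAP_NOT_OURS, TRAP_STOP, TRAP_CONTINUE };

/* The debuggee raised the INT3 exception. The CPU has already executed the
 * one-byte INT3, so the reported EIP is one past the breakpoint address.
 * Restore the real opcode and report where EIP must be rewound to. */
enum trap_action sw_bp_on_int3(struct debugger *d, uint32_t eip, uint32_t eax,
                               uint32_t *resume_eip) {
    struct sw_bp *bp = find_sw_bp(d, eip - 1);
    if (!bp) return TRAP_NOT_OURS;       /* an INT3 the program contains itself */
    d->code[bp->addr] = bp->saved;
    *resume_eip = bp->addr;
    /* Conditional breakpoint: same INT3, but the debugger checks the
     * condition on every hit and resumes silently when it is false */
    if (bp->cond && !bp->cond(eax)) return TRAP_CONTINUE;
    return TRAP_STOP;
}

/* After single-stepping the original instruction, write INT3 back so the
 * breakpoint fires again on the next pass */
int sw_bp_rearm(struct debugger *d, uint32_t addr) {
    struct sw_bp *bp = find_sw_bp(d, addr);
    if (!bp) return -1;
    d->code[addr] = INT3;
    return 0;
}

/* Hardware execution breakpoint in slot 0..3: address in DRn; in DR7 set the
 * local-enable bit Ln (bit 2n) with R/Wn = 00 (break on execution) and
 * LENn = 00 (one byte) in bits 16+4n..19+4n. No code byte is touched. */
int hw_bp_set(struct debugger *d, int slot, uint32_t addr) {
    if (slot < 0 || slot > 3) return -1;
    d->dr[slot] = addr;
    d->dr7 &= ~(0xFu << (16 + 4 * slot));
    d->dr7 |= 1u << (2 * slot);
    return 0;
}

/* What a program checksumming its own code sees: a debugger's 0xCC changes
 * the result, a hardware breakpoint does not */
uint32_t code_checksum(const uint8_t *code, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = sum * 31u + code[i];
    return sum;
}

/* Example condition for a conditional breakpoint: stop only when EAX != 0 */
int cond_eax_nonzero(uint32_t eax) { return eax != 0; }
```

The sequence a real debugger runs on each software-breakpoint hit is sw_bp_on_int3, then a single step of the restored instruction, then sw_bp_rearm; skipping the rearm is how a breakpoint silently disappears after its first hit.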
Modifying Data
• You can modify register, memory or stack data:
▫ In the Disassembler window, select an instruction and press Spacebar to assemble a replacement in its place
▫ To modify registers or the stack, right-click, then Modify
▫ In the Memory Dump, right-click, then Binary > Edit
How To Debug? Practical Lab
• To debug an application we will mostly use run, breakpoints, step over and step into
▫ To toggle a breakpoint use F2
▫ To Step Into use F7
▫ To Step Over use F8
▫ To run until the next breakpoint use F9
Debugging Steps
• Open the application and run until you reach the first call you expect to be important
• Set breakpoints on the important calls, then restart the debugging process (Ctrl+F2) and use Step Into at each one
▫ Note: when you close OllyDBG, breakpoints are saved (in a .udd file) and restored the next time you open the same module
Example
• We have a CLI program that asks for a password or secret number and then prints Failed or Success
• But we don't know how it works!!
• Let's analyze it and find out how it decides
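The lab's own binary is not included on these slides, so here is a stand-in target as an added example (not the slides' program): a CLI secret-number checker you can build as a 32-bit executable and load into OllyDbg. The secret value 31337, the messages and the function names are this example's own choices. The comment above check_secret points at the compare-and-jump you will be looking for when stepping, and it is also the instruction you would patch in the "Exporting Modified Executable" section below.

```c
/* Added example: a stand-in "secret number" crackme for practising
 * breakpoints and patching in OllyDbg. Not the lab binary from the slides. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed value for this example; the real lab's secret is not given */
#define SECRET 31337UL

/* Parse the user's text as a decimal number; reject empty input,
 * explicit signs and trailing garbage such as "12ab" */
static int parse_number(const char *text, unsigned long *out) {
    char *end = NULL;
    if (text == NULL || *text == '\0' || *text == '-' || *text == '+') return 0;
    unsigned long v = strtoul(text, &end, 10);
    if (*end != '\0') return 0;
    *out = v;
    return 1;
}

/* The decision the lab is about. Compiled at -O0 for x86 this becomes roughly
 *     CALL parse_number
 *     TEST EAX,EAX
 *     JE   fail
 *     CMP  DWORD PTR [EBP-xx],7A69    ; 7A69h = 31337
 *     JNE  fail                       ; <- F2 here, then watch the Z flag
 *     MOV  EAX,1
 * Assembling a short JMP over that JNE makes every number "succeed"; that
 * patched instruction is what "Copy to executable" writes to the new file. */
int check_secret(const char *text) {
    unsigned long value;
    if (!parse_number(text, &value)) return 0;
    return value == SECRET;
}

/* The two messages the program prints */
const char *verdict(const char *text) {
    return check_secret(text) ? "Success" : "Failed";
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <secret number>\n", argv[0]);
        return 2;
    }
    puts(verdict(argv[1]));
    return check_secret(argv[1]) ? 0 : 1;
}
```

Build it as a 32-bit PE without optimization (for example with MinGW: i686-w64-mingw32-gcc -O0 secret.c -o secret.exe), because OllyDbg only loads 32-bit executables and -O0 keeps the compare and jump recognisable; then open secret.exe in OllyDbg and pass the number in the Arguments field of the Open dialog.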
What is Tracing?
• During the application's runtime you can watch registers, stack and memory change
• Can you check the value the registers had two instructions ago???
▫ NO, not with plain stepping
• Tracing is like recording detailed execution information so you can look back afterwards
Tracing Types
• Standard back trace
• Run trace
Standard Back Trace
• You move through the disassembler with the Step Into and Step Over buttons
• OllyDbg records the addresses you passed through
• Use the minus and plus keys on the keyboard to move to previous and next instructions in that history
▫ But you won't see the previous register values, only the instructions
• If you used Step Over, you cannot go back and decide to step into that call instead; you would have to restart
Run Trace
• OllyDbg saves every executed instruction together with all changes to registers and flags
• To enable Run Trace: select the code, right-click, Run Trace, Add Selection
• After the code executes: View > Run Trace
▫ To see the instructions that were executed, use the + and - keys to step forward and backward through the recording
Exporting Modified Executable
• (1) Change the required instructions (Spacebar to assemble over them)
• (2) Right-click > Copy to executable (All modifications, or just the selection)
Exporting Modified Executable
• (3) Copy to executable opens a new window showing the file with your patches applied
• (4) Right-click in the new window and choose Save file; save under a new name so the original stays intact
▫ Note: only instruction and byte patches are exported; values you changed in registers or on the stack live only in the running process
Debugging DLLs
• OllyDBG supports DLL debugging
Debugging DLLs
• Open c:\windows\system32\ws2_32.dll
▫ This DLL (Winsock) is used for establishing network connections and creating sockets
▫ On 64-bit Windows the 32-bit copy of this DLL lives in c:\windows\syswow64; OllyDbg, itself a 32-bit program, is redirected there when it opens the system32 path, and it could not load the 64-bit copy anyway
Debugging DLLs
• Run until you see the OllyDBG DLL loader (loaddll.exe), the small host program OllyDbg generates to load the DLL into a process
Debugging DLLs
• Open the Call DLL export utility
Debugging DLLs
• Call DLL Export will open the following window
[Screenshot: the Call DLL export window with the list of exported functions and the argument fields]
Debugging DLLs
• You need to understand the exported functions; in our example we can use Microsoft MSDN for the DLL details (i.e. the ntohl function)
Debugging DLLs (NTOHL Example)
• Click argument 1 and type in 7f000001
▫ 0x7F000001 is the IP address 127.0.0.1 packed as a host-order integer (on x86 it sits in memory as the little-endian bytes 01 00 00 7F)
• Then click: Follow in Disassembler
• Click Call to run the function
• The answer is in EAX
▫ ntohl swaps the byte order, so EAX should hold 0x0100007F
Summary
• OllyDBG is important for analyzing executable code
• Usually used for cracking applications or malware analysis
• Can be used to export a modified binary copy of the application
• Supports breakpoints, tracing, stepping into and stepping over
Thank You
• Thank you for attending this course
• If you think that this crash course was useful for you, please rate it

• I will be happy to read your reviews and comments
