Ch9-ollydbg
Ch 9: OllyDbg
[Figure: annotated OllyDbg main window showing the Disassembler pane (highlight marks the next instruction to be executed), the Stack pane and the Memory dump pane]
Modifying Data
• Disassembler window
– Select an instruction and press spacebar to assemble over it
• Registers or Stack
– Right-click, modify
• Memory dump
– Right-click, Binary, Edit
– Ctrl+G to go to a memory location
– Right-click a memory address in another pane and
click "Follow in dump"
Memory Map
Undocumented technique
Easy Way to Analyze Shellcode
• Copy shellcode from a hex editor to clipboard
• Within memory map, select a region of type
"Priv" (Private memory)
• Double-click rows in memory map to show a
hex dump
– Find a region of hundreds of consecutive zeroes
• Right-click chosen region in Memory Map, Set
Access, Full Access (makes the region executable, so
DEP/NX will not block the pasted code)
Analyzing Shellcode
• Highlight a region of zeroes, Binary, Binary
Paste
• Set EIP to location of shellcode
– Right-click first instruction, New Origin Here
Assistance Features
Log
• View, Log
– Shows the sequence of debugger events (breakpoints hit, exceptions, module loads) that led to the current point
Watches Window
• View, Watches
– Watch the value of an expression
– Press SPACEBAR to set expression
– Expression syntax: OllyDbg Help, Contents, "Evaluation of Expressions"
Labeling
• Label subroutines and loops
– Right-click an address, Label
Plug-ins
Recommended Plugins
• OllyDump
– Dumps debugged process to a PE file
– Used for unpacking
• Hide Debugger
– Hides OllyDbg from common anti-debugging checks
• Command Line
– Control OllyDbg from the command line
– Simpler to just use WinDbg
• Bookmarks
– Included by default in OllyDbg
– Bookmarks memory locations
Scriptable Debugging
Immunity Debugger (ImmDbg)
• Unlike OllyDbg, ImmDbg runs Python scripts
and has an easy-to-use API
• Scripts are located in the PyCommands
subdirectory under the install directory of
ImmDbg
• Easy to create custom scripts for ImmDbg
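The shellcode-paste procedure from the Memory Map slides (find a zero-filled area in a private region, paste the bytes, set a new origin) is exactly the kind of repetitive GUI work that an ImmDbg PyCommand can automate. The script below is an added example written for these notes, not code from the book, from OllyDbg or from the ImmDbg project. The hex parsing and zero-run search are plain Python and run anywhere; `main(args)` is the PyCommand entry point and would be dropped into the PyCommands directory. The `immlib` calls used (`Debugger()`, `readMemory`, `writeMemory`, `setReg`, `log`, `getMemoryPageByAddress` with `getBaseAddress`/`getSize`) are written from memory of that API and should be checked against the ImmDbg documentation; the 0x200-byte threshold for "hundreds of zeroes" and the command name `!pasteshell` are my own choices. Changing the region's protection to Full Access is still done by hand in the Memory Map, as the slides describe; the script does not touch page permissions.

```python
"""
pasteshell.py - paste shellcode into a zero-filled scratch area and move EIP there.

Usage inside Immunity Debugger (region chosen beforehand in the Memory Map,
and already set to Full Access):
    !pasteshell <region address> <hex bytes copied from a hex editor>
"""
import binascii
import re

try:
    import immlib                       # only present inside Immunity Debugger
except ImportError:                     # offline: helpers still work, main() does not
    immlib = None

MIN_ZERO_RUN = 0x200                    # assumed threshold for "hundreds of zeroes"


def parse_hex_dump(text):
    """Turn hex copied from a hex editor into raw bytes.

    Accepts '31 C0 50', '31C050', '\\x31\\xc0\\x50' and 0x-prefixed forms;
    anything that is not a hex digit is discarded.
    """
    cleaned = re.sub(r"0x|\\x", "", text)          # strip 0x / \x prefixes
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", cleaned)  # drop spaces, commas, quotes
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return binascii.unhexlify(cleaned)


def find_zero_run(buf, min_len=MIN_ZERO_RUN):
    """Offset of the first run of at least min_len zero bytes in buf, or -1."""
    return buf.find(b"\x00" * min_len)


def paste_shellcode(region, shellcode, min_len=MIN_ZERO_RUN):
    """Copy shellcode over the first zero run big enough to hold it.

    Returns (offset, patched_region).  The run must be at least min_len bytes
    AND at least as long as the shellcode, so the paste never overwrites live data.
    """
    need = max(min_len, len(shellcode))
    off = find_zero_run(region, need)
    if off < 0:
        raise ValueError("no zero run of %d bytes for %d-byte shellcode"
                         % (need, len(shellcode)))
    patched = bytearray(region)
    patched[off:off + len(shellcode)] = shellcode
    return off, bytes(patched)


def main(args):
    """PyCommand entry point: !pasteshell <region address> <hex bytes>."""
    if immlib is None:
        return "pasteshell must be run from inside Immunity Debugger"
    imm = immlib.Debugger()
    if len(args) < 2:
        return "Usage: !pasteshell <region address> <hex bytes>"

    base = int(args[0], 16)
    shellcode = parse_hex_dump(" ".join(args[1:]))

    # Assumed immlib API: look up the page the address belongs to and read all of it
    page = imm.getMemoryPageByAddress(base)
    region_start, region_size = page.getBaseAddress(), page.getSize()
    region = imm.readMemory(region_start, region_size)

    try:
        off, patched = paste_shellcode(region, shellcode)
    except ValueError as err:
        imm.log("pasteshell: %s" % err)
        return "no room"

    target = region_start + off
    imm.writeMemory(target, patched[off:off + len(shellcode)])
    imm.setReg("EIP", target)           # equivalent of "New Origin Here"
    imm.log("pasteshell: %d bytes at 0x%08X, EIP moved there"
            % (len(shellcode), target))
    return "ok"
```

Offline, `parse_hex_dump` and `paste_shellcode` can be exercised against a constructed buffer to confirm the paste lands on the zero run and leaves surrounding bytes untouched, which is the property you care about before pointing EIP at it.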