Wednesday, 4 May 2016

Starting with OllyDbg

In the last post, we learnt the basics of x86 Assembly. In this post we are going to use them.

We need to know about debugging. Debugging is the process of analyzing code or a program to find mistakes, bugs or anything else. To do this, we use debuggers. Debuggers help us learn how a program is structured and see what the code of that program is. They also allow us to execute the code line after line, which helps us observe the behavior of the program.

We use the OllyDbg debugger, as it is easy to use. This tool lets us see the Assembly code of any executable and run instructions one after another, which helps us analyse how the program works.

Download OllyDbg from www.ollydbg.de. I use a modified version of OllyDbg. You can download it from here: Download

After you download it, open it. You should see a window like this:


"1" is the disassembler window. All the disassembled code of any executable will be shown here.
"2" is the register window. It shows the values of all the registers.
"3" is the stack window. It shows all the information in the stack.
"4" is the hex window. It shows the hexadecimal code of the executable.

Now click on File and open notepad.exe. You should see this:

If you see the disassembled code in the 1st window, it means that OllyDbg worked successfully.

In OllyDbg, we can analyze the code instruction by instruction in two ways: Step Into & Step Onto.

Step Into helps us to see each and every line of the program, not only the main code but also the code of each and every function that the program calls.
Step Onto steps through only the main code of the program. The functions it calls still run, but each call is executed in one go and the function's code is not stepped through.

For example, here is some code:
mov ebx, 2
mov eax, 3
call 00401250
jnz 00401000
push 00401823

In the above code, if you Step Into each instruction one after another, you will see the code of the function at 00401250. If you Step Onto each instruction, the whole CALL 00401250 will be treated as a single instruction. In OllyDbg, we use F7 to step into & F8 to step onto.

This feature of debuggers is very helpful for learning how a program or a piece of malware works.

Another amazing feature of debuggers is breakpoints. Breakpoints let us choose how far we want the code to execute. In OllyDbg, we use F2 to set a breakpoint on any kind of instruction. In the example code above, if we set a breakpoint at jnz 00401000 and run the program, the debugger will run up to and including call 00401250, stop before executing jnz 00401000, and wait for us to step into or step onto.

And those are the basics of OllyDbg. Thank you! :)
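The stepping and breakpoint behaviour described above can be modelled in a few lines of Python. This is an added example, not code from the original post or from OllyDbg: the addresses and sizes of the five listed instructions and the two-instruction body at 00401250 are constructed, flags are not modelled, and stepping onto a CALL is implemented as a temporary breakpoint on the instruction after it, which is an assumption about how a debugger can do this.

```python
# Toy model: addresses, sizes and the body at 00401250 are constructed.
PROGRAM = {  # address: (instruction text, size in bytes)
    0x401100: ("mov ebx, 2", 5),
    0x401105: ("mov eax, 3", 5),
    0x40110A: ("call 00401250", 5),
    0x40110F: ("jnz 00401000", 6),   # flags not modelled: treated as not taken
    0x401115: ("push 00401823", 5),
    0x401250: ("add eax, ebx", 2),   # constructed callee body
    0x401252: ("ret", 1),
}

class ToyDebugger:
    def __init__(self, breakpoints=(), entry=0x401100):
        self.eip = entry
        self.stack = []                      # return addresses only
        self.breakpoints = set(breakpoints)  # what F2 would set
        self.executed = []                   # every instruction the CPU ran

    def _execute_one(self):
        text, size = PROGRAM[self.eip]
        self.executed.append(text)
        if text.startswith("call"):
            self.stack.append(self.eip + size)   # push the return address
            self.eip = int(text.split()[1], 16)
        elif text == "ret":
            self.eip = self.stack.pop()
        else:
            self.eip += size

    def step_into(self):                 # F7: one instruction, follow calls
        self._execute_one()
        return self.eip

    def run(self, temp_bp=None):         # run until a breakpoint is reached
        while self.eip in PROGRAM:
            self._execute_one()
            if self.eip in self.breakpoints or self.eip == temp_bp:
                break                    # pause BEFORE executing this address
        return self.eip

    def step_over(self):                 # F8: a CALL counts as one instruction
        text, size = PROGRAM[self.eip]
        if not text.startswith("call"):
            return self.step_into()
        return self.run(temp_bp=self.eip + size)

def pauses(keys, breakpoints=()):
    """Press the given keys; return (addresses paused at, instructions run)."""
    dbg = ToyDebugger(breakpoints)
    action = {"F7": dbg.step_into, "F8": dbg.step_over, "run": dbg.run}
    return [hex(action[k]()) for k in keys], dbg.executed
```

Calling pauses(["F8"] * 3) pauses at the jnz with the callee's instructions already in the executed list, while pauses(["F7"] * 4) pauses inside the function at 00401250.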
