What is Olly Debugger?

From its author, Oleh Yuschuk: “OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.” Olly is also a “dynamic” debugger, meaning it allows the user to change quite a few things while the program is running.

This is very important when experimenting with a binary and trying to figure out how it works. Olly has many, many great features, and that is why it is probably the number one debugger used for reverse engineering (at least in ring 3, but we’ll get to that later.)

An Overview

Here is a picture of Olly’s main display, along with some labels:

Main Olly Display

Olly opens with the default window, CPU, open.

This is where most of the “big-picture” information is. If you ever close this window, just click the “C” icon in the toolbar. It is separated into 4 main sections: Disassembly, Registers, Stack, and Dump. Here is a description of each section.

1. Disassembly

This window contains the main disassembly of the code for the binary.

This is where Olly displays information about the binary, including the opcodes and the translated assembly language. The first column is the address (in memory) of the instruction. The second column is what’s called the opcodes: in assembly language, every instruction has at least one code associated with it (many have multiple).

This is the code that the CPU actually wants, and the only code it can read. These opcodes make up ‘machine language’, the language of the computer. If you were to view the raw data in a binary (using a hex editor) you would see a string of these opcodes, and nothing else.

One of Olly’s main jobs is to ‘disassemble’ this ‘machine language’ into more human-readable assembly language. The third column is this assembly language. Admittedly, to someone who does not know assembly, it doesn’t look much better than the opcodes, but as you learn more, the assembly offers FAR more insight into what the binary is doing.

The last column is Olly’s comments on that line of code.

Sometimes this contains the names of API calls (if Olly can figure them out) such as CreateWindow and GetDlgItemX. Olly also tries to help us understand the code by naming any calls that are not part of the API with helpful names, as in the case of this binary, “ImageRed.00510C84″ and “ImageRed.00510BF4″.

Granted, these are not that helpful, but Olly also allows us to change them into more meaningful names. You may also add your own comments in this column; just double-click on the line in this column and a box pops up allowing you to enter your comment. These comments will then be saved for next time automatically.
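To make the relationship between the second and third columns concrete, here is an added example (my own toy code, not part of the original tutorial and not Olly’s decoder): a decoder for a handful of x86-32 opcodes that prints the same address / opcode bytes / assembly columns the Disassembly window shows. The byte string and the base address 0x00401000 are constructed for the example; only PUSH r32, POP r32, MOV r32,imm32, NOP, RETN and CALL rel32 are recognised, and any other byte is shown as a data byte (DB), which is what a disassembler does when it cannot decode something.

```c
/* Added example (not from the tutorial): a tiny x86-32 decoder that prints
 * Olly-style columns: address, opcode bytes, assembly text. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char *REG32[8] = { "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI" };

/* Immediates and displacements are stored little-endian in the byte stream. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode one instruction at code[0..len). Writes the assembly text into out
 * and returns the instruction length in bytes (0 only when len == 0). */
size_t disasm_one(const uint8_t *code, size_t len, uint32_t addr, char *out, size_t outlen)
{
    if (len == 0) { out[0] = '\0'; return 0; }
    uint8_t op = code[0];
    if (op >= 0x50 && op <= 0x57) { snprintf(out, outlen, "PUSH %s", REG32[op - 0x50]); return 1; }
    if (op >= 0x58 && op <= 0x5F) { snprintf(out, outlen, "POP %s", REG32[op - 0x58]); return 1; }
    if (op >= 0xB8 && op <= 0xBF && len >= 5) {            /* MOV r32,imm32 */
        snprintf(out, outlen, "MOV %s,%08X", REG32[op - 0xB8], read_le32(code + 1));
        return 5;
    }
    if (op == 0x90) { snprintf(out, outlen, "NOP"); return 1; }
    if (op == 0xC3) { snprintf(out, outlen, "RETN"); return 1; }
    if (op == 0xE8 && len >= 5) {                           /* CALL rel32 */
        /* target = address of the next instruction + signed displacement */
        uint32_t target = addr + 5 + read_le32(code + 1);
        snprintf(out, outlen, "CALL %08X", target);
        return 5;
    }
    snprintf(out, outlen, "DB %02X", op);                   /* unknown: show as data */
    return 1;
}

/* Disassemble a whole buffer, printing the three columns. Returns the
 * number of instructions decoded. */
size_t disasm_buffer(const uint8_t *code, size_t len, uint32_t base)
{
    size_t off = 0, count = 0;
    char text[64], hex[32];
    while (off < len) {
        size_t n = disasm_one(code + off, len - off, base + (uint32_t)off, text, sizeof text);
        size_t hl = 0;                                      /* opcode column: the raw bytes */
        for (size_t i = 0; i < n; i++)
            hl += (size_t)snprintf(hex + hl, sizeof hex - hl, "%02X", code[off + i]);
        printf("%08X  %-12s %s\n", base + (uint32_t)off, hex, text);
        off += n;
        count++;
    }
    return count;
}

/* Check helper: 1 if the instruction at code decodes to expect_text with
 * length expect_len, else 0. */
int decodes_to(const uint8_t *code, size_t len, uint32_t addr, const char *expect_text, size_t expect_len)
{
    char text[64];
    size_t n = disasm_one(code, len, addr, text, sizeof text);
    return n == expect_len && strcmp(text, expect_text) == 0;
}

/* Constructed sample byte string (hypothetical code, not taken from any real binary). */
static const uint8_t CODE_SAMPLE[] = {
    0x55,                          /* PUSH EBP */
    0xB8, 0x78, 0x56, 0x34, 0x12,  /* MOV EAX,12345678 */
    0xE8, 0x05, 0x00, 0x00, 0x00,  /* CALL (next instruction + 5) */
    0x90,                          /* NOP */
    0x5D,                          /* POP EBP */
    0xC3                           /* RETN */
};

int main(void)
{
    disasm_buffer(CODE_SAMPLE, sizeof CODE_SAMPLE, 0x00401000);
    return 0;
}
```

Note how the CALL line shows a resolved target address rather than the raw displacement bytes 05 00 00 00: the disassembler adds the displacement to the address of the following instruction, and that is the address Olly would then try to name in the comments column.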

2. Registers

Every CPU has in it a collection of registers. These are temporary holders for values, much like a variable in any high-level programming language. Here is a more detailed (and labeled) view of the registers window:

On the top are the actual CPU registers. The registers change color from black to red if they have been changed (this makes it really easy to watch for changes).

You can also double-click on any of the registers to change their contents. These registers are used for many things, and we will have much to say about them later.

The middle section is the flags, used by the CPU to flag that something has happened in the code (two numbers are equal, one number is greater than another, etc).

Double-clicking one of the flags toggles it. These will also play an important part in our journey.
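Since the flags are what every conditional jump reads, it helps to see exactly how a compare sets them. The following is an added example (my own code, not from the tutorial): it computes the Zero, Carry, Sign and Overflow flags the way a 32-bit CMP a,b does (CMP subtracts b from a, discards the result and keeps only the flags), and then evaluates the standard x86 conditions JE, JB, JA, JL and JG from them. The operand values are constructed to show the unsigned/signed difference that trips up beginners.

```c
/* Added example (not from the tutorial): flags as set by CMP a,b on x86-32,
 * and the conditions the common conditional jumps derive from them. */
#include <stdint.h>
#include <stdio.h>

typedef struct { int zf, cf, sf, of; } Flags;

/* Compute ZF, CF, SF and OF exactly as a 32-bit CMP a,b (a - b) would. */
Flags cmp32(uint32_t a, uint32_t b)
{
    uint32_t r = a - b;
    Flags f;
    f.zf = (r == 0);                              /* Zero: operands are equal */
    f.cf = (a < b);                               /* Carry: a borrow, i.e. a below b as unsigned */
    f.sf = (r >> 31) & 1;                         /* Sign: result is negative when read as signed */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;       /* Overflow: signed result does not fit */
    return f;
}

/* Conditions exactly as the jump instructions evaluate them. */
int cond_je(Flags f) { return f.zf; }                   /* equal */
int cond_jb(Flags f) { return f.cf; }                   /* below (unsigned) */
int cond_ja(Flags f) { return !f.cf && !f.zf; }         /* above (unsigned) */
int cond_jl(Flags f) { return f.sf != f.of; }           /* less (signed) */
int cond_jg(Flags f) { return !f.zf && f.sf == f.of; }  /* greater (signed) */

static void show(const char *label, uint32_t a, uint32_t b)
{
    Flags f = cmp32(a, b);
    printf("%-16s ZF=%d CF=%d SF=%d OF=%d  JE=%d JB=%d JA=%d JL=%d JG=%d\n",
           label, f.zf, f.cf, f.sf, f.of,
           cond_je(f), cond_jb(f), cond_ja(f), cond_jl(f), cond_jg(f));
}

int main(void)
{
    show("CMP 5,5", 5, 5);                        /* equal: only ZF set */
    show("CMP 3,7", 3, 7);                        /* below and less */
    show("CMP 7,3", 7, 3);                        /* above and greater */
    /* 0xFFFFFFFF is above 1 as unsigned, but -1 is less than 1 as signed */
    show("CMP FFFFFFFF,1", 0xFFFFFFFFu, 1);
    /* INT_MIN - 1 leaves the signed range, so OF is set and JL is still right */
    show("CMP 80000000,1", 0x80000000u, 1);
    return 0;
}
```

The last two rows are the ones to remember when reading a CMP followed by a jump in the disassembly: JB/JA look only at CF and ZF, while JL/JG look at SF and OF, so the same two register values can take a different branch depending on which jump the compiler emitted.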

The bottom section is the FPU, or Floating Point Unit, registers. These are used whenever the CPU performs any math involving decimal points. These are rarely used by reversers, mostly only when we get into encryption.

3. The Stack

The stack is a section of memory reserved for the binary as a ‘temporary’ list of data. This data includes pointers to addresses in memory, strings, markers, and most importantly, return addresses for the code to return to after calling a function. When a method in a program calls another method, control needs to be shifted to this new method so that it can run.

The CPU must keep track of where this new method was called from so that when the new method is done, the CPU can return to where it was called and continue executing the code after the call. The stack is where the CPU will hold this return address.

One thing to know about the stack is that it is a “First In, Last Out” data structure.

The analogy normally used is one of those stacks of plates in a cafeteria that are spring loaded. When you ‘push’ a plate onto the top, all of the plates underneath are pushed down. When you take (‘pop’) a plate off the top, all of the plates that were underneath rise up one level.

We will see this in action in the next tutorial, so don’t worry if it’s a little hazy.

In this picture, the first column is the address of that data item, the second column is the hex, 32-bit value of the data, and the last column is Olly’s comments about this data item, if it can figure them out.

If you look at the first row, you will see a “RETURN to kernel…” comment. This is an address that the CPU has placed on the stack for when the current function is done, so that it will know where to return to.

In Olly, you can right-click on the stack and choose ‘modify’ to change the contents.
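To take the plate analogy a step further, here is an added example (my own simulation, not code from the tutorial or from Olly): a small model of a 32-bit stack with PUSH, POP, CALL and RETN. It shows that values come back out in the reverse order they went in, and that a CALL leaves the address of the instruction after the CALL on top of the stack, which is exactly what the “RETURN to …” row in the Stack window is. The stack addresses (0x0012FF00 and below) and code addresses (0x00401000, 0x00401500) are constructed, and the stack grows towards lower addresses as it does on x86.

```c
/* Added example (not from the tutorial): a simulated x86-32 stack showing
 * First In, Last Out behaviour and the return address a CALL pushes. */
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 16
#define STACK_TOP   0x0012FF00u                     /* constructed: ESP when the stack is empty */
#define STACK_BASE  (STACK_TOP - 4 * STACK_WORDS)   /* lowest address we allow */

typedef struct {
    uint32_t mem[STACK_WORDS];   /* stack memory; mem[0] lives at STACK_BASE */
    uint32_t esp;                /* address of the current top of stack */
    uint32_t eip;                /* address of the next instruction to run */
} Cpu;

void cpu_init(Cpu *c, uint32_t entry) { c->esp = STACK_TOP; c->eip = entry; }

/* Map a stack address to an index into mem[]. */
static size_t slot(uint32_t addr) { return (addr - STACK_BASE) / 4; }

/* PUSH: ESP moves down by 4, then the value is written at [ESP]. Returns 0 when full. */
int push(Cpu *c, uint32_t value)
{
    if (c->esp <= STACK_BASE) return 0;
    c->esp -= 4;
    c->mem[slot(c->esp)] = value;
    return 1;
}

/* POP: the value at [ESP] is read, then ESP moves up by 4. Returns 0 when empty. */
int pop(Cpu *c, uint32_t *out)
{
    if (c->esp >= STACK_TOP) return 0;
    *out = c->mem[slot(c->esp)];
    c->esp += 4;
    return 1;
}

/* Value at [ESP] without popping it: the top row of Olly's Stack window. */
uint32_t peek(const Cpu *c) { return c->esp >= STACK_TOP ? 0 : c->mem[slot(c->esp)]; }

/* CALL target: push the address of the instruction after the CALL (a CALL
 * rel32 is 5 bytes long), then continue executing at target. */
int call(Cpu *c, uint32_t target)
{
    if (!push(c, c->eip + 5)) return 0;
    c->eip = target;
    return 1;
}

/* RETN: pop the saved address back into EIP, resuming right after the CALL. */
int ret(Cpu *c) { return pop(c, &c->eip); }

/* Scenario 1: right after a CALL, the return address is the top stack entry. */
uint32_t return_address_after_call(uint32_t call_site, uint32_t target)
{
    Cpu c;
    cpu_init(&c, call_site);
    call(&c, target);
    return peek(&c);
}

/* Scenario 2: CALL followed by RETN brings EIP back to the instruction after the CALL. */
uint32_t eip_after_call_and_ret(uint32_t call_site, uint32_t target)
{
    Cpu c;
    cpu_init(&c, call_site);
    call(&c, target);
    ret(&c);
    return c.eip;
}

/* Scenario 3: two pushes come back out in reverse order and leave ESP where it started. */
int pops_in_reverse_order(void)
{
    Cpu c;
    uint32_t first, second;
    cpu_init(&c, 0x00401000u);
    push(&c, 0x11111111u);
    push(&c, 0x22222222u);
    pop(&c, &first);
    pop(&c, &second);
    return first == 0x22222222u && second == 0x11111111u && c.esp == STACK_TOP;
}

int main(void)
{
    Cpu c;
    cpu_init(&c, 0x00401000u);
    push(&c, 0x11111111u);
    push(&c, 0x22222222u);
    printf("after two pushes:  ESP=%08X  [ESP]=%08X\n", c.esp, peek(&c));
    call(&c, 0x00401500u);
    printf("after CALL 00401500: EIP=%08X  [ESP]=%08X  (RETURN to %08X)\n", c.eip, peek(&c), peek(&c));
    ret(&c);
    printf("after RETN:        EIP=%08X  ESP=%08X\n", c.eip, c.esp);
    return 0;
}
```

This is also why modifying the top stack entry (the ‘modify’ option mentioned above) while a function is still running changes where that function returns to: RETN trusts whatever is at [ESP].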

4. The Dump

Earlier in this tutorial, when we talked about the raw ‘opcodes’ that the CPU reads inside a binary, I mentioned that you could see this raw data in a hex viewer.

Well, in Olly, you don’t have to. The dump window is a built-in hex viewer that lets you see the raw binary data, only in memory as opposed to on disk. Usually it shows two views of the same data: hex and ASCII. These are shown in the two right-hand columns in the previous picture (the first column is the address in memory where the data resides.) Olly does allow these representations of data to be changed, and we will cover this later in the tutorials.

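As an added example (my own code, not from the tutorial, and not how Olly itself is written), here is a function that renders bytes the way the Dump window does: an address column, a hex column and an ASCII column, 16 bytes per row, with unprintable bytes shown as a dot. The sample bytes are constructed, and the base address 0x00401000 is made up for the example; the 32-bit value in the middle is stored little-endian, which is why it reads “backwards” in the hex column.

```c
/* Added example (not from the tutorial): an Olly-style hex/ASCII dump. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_LINE 16

/* Format one dump row (up to 16 bytes starting at addr) into out.
 * Returns the number of bytes consumed by this row. */
size_t dump_line(uint32_t addr, const uint8_t *data, size_t len, char *out, size_t outlen)
{
    size_t n = len < BYTES_PER_LINE ? len : BYTES_PER_LINE;
    char hex[BYTES_PER_LINE * 3 + 1] = "";
    char ascii[BYTES_PER_LINE + 1] = "";
    for (size_t i = 0; i < n; i++) {
        snprintf(hex + i * 3, 4, "%02X ", (unsigned)data[i]);
        /* printable ASCII is shown as-is, everything else as a dot */
        ascii[i] = isprint(data[i]) ? (char)data[i] : '.';
    }
    ascii[n] = '\0';
    snprintf(out, outlen, "%08X  %-*s %s", addr, BYTES_PER_LINE * 3, hex, ascii);
    return n;
}

/* Print a whole buffer as dump rows; returns the number of rows printed. */
size_t dump_buffer(uint32_t base, const uint8_t *data, size_t len)
{
    char line[96];
    size_t off = 0, rows = 0;
    while (off < len) {
        off += dump_line(base + (uint32_t)off, data + off, len - off, line, sizeof line);
        puts(line);
        rows++;
    }
    return rows;
}

/* Check helper: 1 if the formatted row for data contains needle, else 0. */
int dump_line_contains(uint32_t addr, const uint8_t *data, size_t len, const char *needle)
{
    char line[96];
    dump_line(addr, data, len, line, sizeof line);
    return strstr(line, needle) != NULL;
}

/* Constructed sample: a C string, a little-endian 32-bit value, another
 * string, and a stray 0xFF byte that spills onto a second row. */
const uint8_t DUMP_SAMPLE[] = {
    'H', 'e', 'l', 'l', 'o', 0x00,
    0x78, 0x56, 0x34, 0x12,
    'D', 'u', 'm', 'p', '!', 0x00,
    0xFF
};

int main(void)
{
    dump_buffer(0x00401000u, DUMP_SAMPLE, sizeof DUMP_SAMPLE);
    return 0;
}
```

The ASCII column is what makes strings jump out of a dump; the hex column is what you read when the data is a number or a pointer, remembering that the bytes of a 32-bit value appear lowest byte first.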
The Toolbar

Unfortunately, the Olly toolbar leaves a little to be desired (especially as English is not the author’s first language.) I have labeled the left-hand toolbar icons to help:

These are your main controls to run code.

Keep in mind that, especially as you begin using Olly, all of these buttons are also accessible from the “Debug” drop-down menu, so if you don’t know what something is, you can look in there.

I will make a couple of remarks about some of the icons. “Re-load” basically restarts the app and pauses it at the entry point.

All patches (see later) will be removed, some breakpoints will be disabled, and the app will not have run any code yet, well, most of the time anyway. “Run” and “Pause” do just that. “Step In” will run one line of code and then pause again, stepping into a function call if there was one.

“Step Over” does the same thing, but jumps over a call to another function. “Animate” is just like Step In and Step Over except it does it slowly enough that you can watch it. You won’t use this much, but sometimes it’s fun to watch code run, especially if it’s a polymorphic binary and you can watch the code change.

But I’m getting ahead of myself…

Next are the (even more cryptic) windows icons:

Each of these icons opens a window, some of which you will use often, some rarely. Seeing as they are not the most intuitive letters, you can also do like I did and just start clicking them all until you find what you want.

Each of these is also accessible from the “View” menu, so you can get some help when first starting out. I will go over some of the more common windows right now:

1. (M)emory

The memory window displays all of the memory blocks that the program has allocated. It includes the main sections of the running app (in this case, the “Showstr ” items in the Owner column).

You can also see a lot of other sections down the list; these are DLLs that the program has loaded into memory and plans on using. If you double-click on any of these lines, a window will open showing a disassembly (or hex dump) of that section. This window also shows the type of block, the access rights, the size and the memory address where the section is loaded.

2. (P)atches

This window displays any “patches” you have made, i.e. any changes to the original code. Notice that the state is set as Active; if you re-load the app (by clicking the re-load icon) these patches will become disabled. In order to re-enable them (or disable them) simply click on the desired patch and hit the spacebar.

This toggles the patch on/off. Also notice that the “Old” and “New” columns show the original instructions as well as the changed instructions.

3. (B)reakpoints

This window shows where all of the current breakpoints are set.

This window will be your friend.

4. (K)all Stack

(Gee, I wonder why beginners have a hard time remembering these icons…)

This window is different from the “Stack” seen earlier. It shows a lot more info about the calls being made in the binary, the values sent to those functions, and more.

We will see more of this shortly.

* In the next tutorial I will be including my version of Olly with many ‘upgrades’, some of which are buttons that you can actually understand. Here, you can see a picture of it *

The Context Menu

For the last item in this tutorial, I wanted to quickly introduce you to the right-click menu in Olly.

This is where a lot of the action happens, so you should at least be familiar with it. Right-clicking anywhere in the disassembly section brings it up:

I will only go over the most popular items here.

As you gain experience, you will end up using some of the less used options.

“Binary” allows editing of the binary data on a byte-by-byte basis. This is where you may change an “Unregistered” string stored in a binary to “Registered”. “Breakpoint” allows you to set a breakpoint.

There are several types of breakpoints and we will be going over them in the next tutorial. “Search For” is a relatively large sub-menu, and it’s where you search the binary for data such as strings, API calls etc. “Analysis” forces Olly to re-analyze the section of code you are currently viewing.

Sometimes Olly gets confused as to whether you are viewing code or data (remember, they’re both just numbers), so this forces Olly to consider where you are in the code and attempt to guess what this section should look like.

Also notice that my menu will look different from yours in that I have some plugins installed and they add some functionality.

Don’t worry, we will be going over all of these in future tuts.

-Well, until next time.

R4ndom