10 - OllyDbg hints

Before moving forward into actually reversing something, its a good idea to quickly step through some basic debugging terminology, which you will hear all the time. We'll use OllyDBG as a reference; download both OllyDBG 1.10 and OllyDBG 2.0. There are some features that are available only in the older version. I'll mention the older version whenever needed; otherwise just assume I'm talking about the newer Olly.

1. You can either 'Open' a new executable or 'Attach' to a running executable.

2. Midway through a debugging session, you will want to return to the start many times to understand things better. Use Ctrl+F2 to restart the session.

3. After opening an executable in Olly you will want to run it. Use F9 to run it

4. To analyze the executable you will almost certainly want to break execution midway so you can study it part by part. Move cursor to highlight that line and hit F2 to set a breakpoint. Once you set a breakpoint and then hit F9, your program will run till the breakpoint and wait for user input. If you hit F9 again it will start running again.

5.Programs have functions that are called from within the main program. These functions might be user defined functions or actual system calls. At any time you might want to see how the program is behaving, at ay point in any function. If you want to explore the behavior of a specific function, you must "Step Into" the function using the F7 key. If you know what the function is doing and are interested only in what happens AFTER the function is called, you must use the F8 key to "Step Over" the function.

6. Once you've got to a certain point in the program and want to see where you came from; you can use the '-' key to move the cursor backward and the '+' key to move it forward. This won't actually "re-run" the program; it'll help you understand where you jumped from or the exact path through the code that your program has chosen.

7. If the program that you are debugging is a command line program and needs arguments to even start; you can use the File - Set new arguments menu option to supply those

8. If you want to search for Strings you can right click in the main window and go to "Search for" - All referenced strings

9. To go to a particular memory address you can right click and select Go to -> Expression and type the exact memory address you want to visit

10. You can right click on most values and choose to "Follow in Dump" (bottom left) to understand their content

11. You can hit Ctrl+N to find out all the functions useed by the program and Ctrl+M to find specific sections in memory

12. You can Pause a program by hitting F12

There are plenty of other options as well and they're all explorable yourself or by reading documentation for Olly which is available online. However if you are fully clear about at least all of these options, you should be good to go. We'll explore a few other options as we go along reversing various types of executables along the way.

Next time we will look at a malicious executable and dynamically as well as statically analyze the same. Until then..have fun :)