ollydbg

Will arguments to a function be passed on the stack or in a register?

I'm currently analyzing a program I wrote in assembly and was thinking about moving some code around in the assembly. I have a procedure which takes one argument, but I'm not sure if it is passed on the stack or a register. When I open my program in IDA Pro, the first line in the procedure is: ThreadID= dword ptr -4 If I hover my cur...

Modifying a program to fake a button press

I have an MFC application that I was given (without source code) which opens a window with an 'Update' button, which then performs a very long update after being clicked. I'd like to modify the program so that when the window is created (or somewhere else such as DoModal), a message is sent to the program to make it think that the butto...

Tips for debugging a made-for-linux application on windows?

I'm trying to find the source of a bug I have found in an open-source application. I have managed to get a build up and running on my Windows machine, but I'm having trouble finding the spot in the disassembly where the issue is. I have tried three different debuggers (WinDbg, OllyDbg, and VisualStudio) and each pretty much gives me th...

Is there a Perl module that can automate ollydbg?

Is there a CPAN module that can automate the famous ollydbg debugger? If yes, could someone provide such a module and some tutorials/documentation/examples about it? ...

Ollydbg condition

I need Ollydbg to pause when one of the registers contains a certain string. Any way I could accomplish that? ...

Decompiling x86 PE binary to C?

I'd like to know if there's any way to generate the C code of an x86 PE binary. I don't really need this, I just want to learn how some closed-source software works. From my common sense, I think the process is: Converting the x86 binary to Assembly, which can be done with a disassembler like OllyDbg. Converting this Assembly to ...

Debugging and Analyzing a Trojan

I'm interested in using something like OllyDbg to examine a program that potentially has Trojan-like characteristics. Does anyone know any good tutorials on how to do this safely? Basically the program is a "bot" for a video game, but I suspect that it has back doors and/or will upload information it gathers (such as passwords) to a re...

Explanation of the disassembly of the simplest program (x86)

The following code int _main() {return 0;} Compiled using the command: gcc -s -nostdlib -nostartfiles 01-simple.c -o01-simple.exe gcc version 4.4.1 (TDM-1 mingw32) OllyDbg produced this output: Can you explain what happens here? Analysis so far: // these two seems to be an idiom: PUSH EBP // places EBP on stack MOV EBP...

Help deciphering a few lines of assembly

I have found these few lines of assembly in ollydbg: MOV ECX,DWORD PTR DS:[xxxxxxxx] ; xxxxxxxx is an address MOV EDX,DWORD PTR DS:[ECX] MOV EAX,DWORD PTR DS:[EDX+116] CALL EAX Could someone step through and tell me what's happening here? ...

Patching Arm Executable?

Hi, I must patch an ARM executable on my Pocket PC. I am disassembling the ARM executable with IDA Pro, but I cannot edit the binary. As you know, Ollydbg lets us edit the binary / add assembly code (Right Click->Assemble), but it doesn't support ARM. So I disassemble it with IDA Pro. But in IDA, I cannot add my assembly code into my ARM E...

Calling DLL from Assembly? Dis. Ollydbg

Hi there, I'm using Ollydbg to disassemble a program. What I need to do is inject code into the program and save an EDX value at a certain point. I'm guessing the easiest way would be for me to create a dll with a single function like so... function WriteEAXValue(EAX: PChar): LongBool and then inject code into the program so it calls t...

Disassemble a Dynamic Link Library with OllyDbg

Is there an option where I can choose how to launch the DLL (like when debugging a dll project in visual studio)? As it seems to me, when I drop the DLL into OD, the only option I have is to launch it by LOADDLL.EXE, is that the whole story? ...

About reverse with ollydbg

When I debug an EXE in it, it will first stop on a specific line. How does OD know where to initially stop? And the disassembly code is pretty short, is it true that OD only displays stuff within a single memory page? If true, how can I make it show all stuff? ...

How can I watch the complete disassembly code when open PE binary in ollydbg?

I opened cstrike.exe (for the game Counter Strike) with ollydbg, but the disassembly code isn't complete, it starts at 01401000 and stops at 0140BFFF (I mean it should at least start from 00000000 to be complete, and I can't say for sure whether 0140BFFF is the exact end or just a stripped part) 01401000 . E8 05000000 CALL cstrike.0140100...

What's the difference to set breakpoint in HexDump or Disassembly in ollydbg?

When I double click on the hex dump or disassembly column, both can achieve the goal of setting a breakpoint, so what's the difference? ...

How to set this kind of breakpoint in ollydbg?

I want to break on where Executable Module X is called, but I've no idea which function is actually called. Is it possible to set this kind of matching-all breakpoint? ...

How to open executable binary without running it in ollydbg?

When I try to open a PE executable, it's automatically run. How can I just open it statically without running it? I just want to see the binary file in hex format. ...

What's the principle of ollydbg's memory breakpoint ?

It seems only 1 memory breakpoint can be set, and it seems it doesn't matter at which line the memory breakpoint is set, very weird, can anyone explain? ...

What does the quote mean in ollydbg?

What does this mean in the 2nd column? == | | | | == ...

How to understand the register window of ollydbg?

What does Z 1 DS 0023 32bit 0(FFFFFFFF) mean? ...