Do you have any questions concerning OllyDbg? There are at least four good possibilities to get an answer:
- Ask the author, Oleh Yuschuk (also known as Olly) at [email protected]. Usually, I answer your mails within 1-3 days.
- Visit OllyDbg forum at http://ollydbg.win32asmcommunity.net. This forum is created and moderated by TBD.
- If you speak Spanish, send your question to the Spanish OllyDbg board at http://ollydbg.cjb.net, moderated by uNO mAS.
- Create your own newsgroup :-)
3. How can I set breakpoint on a call to API function, like MessageBoxA? - This is very simple now. Either open command line (Alt+F1) and type "BPX MessageBoxA", or search for all intermodular calls in Disassembler, click on any call to MessageBoxA and set breakpoint on every call to this function.
If you are a happy owner of Windows NT, 2000 or XP, you can set breakpoint directly on the API function in system DLL. Name window contains special menu item "breakpoint on import". In many cases, logging breakpoint that writes call arguments to the log file is a good alternative to ordinary break.
4. Can I set hardware breakpoints under Windows 95? - No! Windows 95/98 doesn't update debug registers when switching tasks or processing interrupts. This means that hardware breakpoint you set in debugged program will appear in all other processes, including OllyDbg and operating system itself. Note that 95-based Windows ME does support HW breakpoints.
5. How can I set breakpoint on a message, for example, WM_PAINT? - Go to list of windows, select window of interest, right-click it and set message breakpoint. Notice that in expressions you can use symbolic names of the most important Windows constants, like WM_PAINT.
6. I can't locate the text string displayed in comments. - Unlike some other debuggers, OllyDbg treats process' memory as a set of separate memory blocks. If you start your search in Disassembler, it will process only disassembled block, which is normally a code section, but text strings usually reside in data. You can, however, follow data pointers. Select command that references the string, right-click on it and choose "Follow in Dump", then "Address" or "Immediate constant". This will open the string in CPU Dump.
OllyDbg allows you to scan the code and extract the list of commands referencing all (well, most of) text strings, either ASCII, UNICODE or, if enabled in options, Pascal-style, and search these strings for the occurrence of text.
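The block-by-block behaviour described in this answer, as an added Python sketch (not OllyDbg's code): a search confined to the code block misses the string, while following a PUSH immediate into its owning block finds it. The block layout, addresses and function names are constructed for illustration, and the scan for opcode 68 stands in for real disassembly.

```python
import struct

# Constructed sample: two memory blocks of a hypothetical 32-bit process.
CODE_BASE, DATA_BASE = 0x00401000, 0x00403000
DATA = b"\x00" * 16 + b"Access denied\x00" + "Retry".encode("utf-16-le") + b"\x00\x00"
# PUSH 00403010 ; NOP ; PUSH 0040301E ; RETN
CODE = (b"\x68" + struct.pack("<I", DATA_BASE + 16) + b"\x90"
        + b"\x68" + struct.pack("<I", DATA_BASE + 30) + b"\xc3")
BLOCKS = [(CODE_BASE, CODE), (DATA_BASE, DATA)]

def search(blocks, text):
    """Addresses where text occurs as ASCII or UNICODE (UTF-16LE) in the given blocks."""
    hits = []
    for base, data in blocks:
        for needle in (text.encode("ascii"), text.encode("utf-16-le")):
            pos = data.find(needle)
            while pos != -1:
                hits.append(base + pos)
                pos = data.find(needle, pos + 1)
    return sorted(hits)

def owning_block(blocks, addr):
    """The (base, data) block that contains addr, or None if addr is unmapped."""
    for base, data in blocks:
        if base <= addr < base + len(data):
            return base, data
    return None

def read_string(blocks, addr):
    """Decode a NUL-terminated ASCII or UTF-16LE string at addr, else None."""
    hit = owning_block(blocks, addr)
    if hit is None:
        return None
    raw = hit[1][addr - hit[0]:]  # bytes from addr to the end of its block
    if len(raw) > 1 and raw[0] != 0 and raw[1] == 0:  # heuristic: wide chars
        end = 0
        while end + 1 < len(raw) and raw[end:end + 2] != b"\x00\x00":
            end += 2
        return raw[:end].decode("utf-16-le", "replace")
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace") or None

def referenced_strings(code_base, code, blocks):
    """(command address, text) for each PUSH imm32 whose operand points at a string."""
    found = []
    for i in range(len(code) - 4):
        if code[i] == 0x68:  # PUSH imm32
            text = read_string(blocks, struct.unpack_from("<I", code, i + 1)[0])
            if text and text.isprintable():
                found.append((code_base + i, text))
    return found
```

Here search([(CODE_BASE, CODE)], "denied") finds nothing, while search(BLOCKS, "denied") and referenced_strings(CODE_BASE, CODE, BLOCKS) both reach the data block.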
7. Can I analyze only selected piece of code? - This question usually comes after you've modified several commands in a 10+ MB long program. The answer is no. Perhaps you've removed a jump, replaced a call or modified a register. These changes influence analysis outside the selection. As OllyDbg strongly relies on analysis data, I decided for the most secure solution.