OllyDbg

Do you have any questions concerning OllyDbg? There are at leas four good possibilities to get an answer:

• Ask the author, Oleh Yuschuk (also known as Olly) at [email protected]. Usually, I answer your mails within 1-3 days.
• Visit OllyDbg forum at http://ollydbg.win32asmcommunity.net. This forum is created and moderated by TBD.
• If you speak Spanish, send your question to spanish OllyDbg board at http://ollydbg.cjb.net, moderated by uNO mAS.
• Create your own newsgroup :-)

1. When will you release the new version of OllyDbg? - I can't tell you when first beta of v2.00 will be ready.

2. Please keep OllyDbg free! - I have no intentions to make OllyDbg commercial, even in second version. It is rated as a shareware for copyright reasons only.

3. How can I set breakpoint on a call to API function, like MessageBoxA? - This is very simple now. Either open command line (Alt+F1) and type "BPX MessageBoxA", or search for all itermodular calls in Disassembler, click on any call to MessageBoxA and set breakpoint on every call to this function.
If you are a happy owner of Windows NT, 2000 or XP, you can set breakpoint directly on the API function in system DLL. Name window contains special menu item "breakpoint on import". In many cases, logging breakpoint that writes call arguments to the log file is a good alternative to ordinary break.

4. Can I set hardware breakpoints under Windows 95? - No! Windows 95/98 doesn't update debug registers when switching tasks or processing interrupts. This means that hardware breakpoint you set in debugged program will appear in all other processes, including OllyDbg and operating system itself. Note that 95-based Windows ME does support HW breakpoints.

5. How can I set breakpoint on a message, for example, WM_PAINT? - Go to list of windows, select window of interest, right-click it and set message breakpoint. Notice that in expressions you can use symbolic names of the most important Windows constants, like WM_PAINT.

6. I can't locate the string displayed in comments. - Unlike some other debuggers, OllyDbg treats process' memory as a set of separate memory blocks. If you start your search in Disassembler, it will process only disassembled block, which is normally a code section, but text strings usually reside in data.You can, however, follow data pointers. Select command that references the string, right-click on it and choose "Follow in Dump", then "Address" or "Immediate constant". This will open the string in CPU Dump.
OllyDbg allows you to scan the code and extract the list of commands referencing all (well, most of) text strings, either ASCII, UNICODE or, if enabled in options, Pascal-style and search these strings for the occurence of text.

7. Can I analyze only selected piece of code? - This question usually comes after you've patched several commands in a 10+ MB long program. The answer is no. Perharps you've removed a jump, replaced a call or modified a register. These changes can influence analysis outside the selection. As OllyDbg strongly relies on analysis data, I decided for the most secure solution.