OllyDebug,简称OD,一种反汇编软件,动态追踪工具,将IDA与SoftICE结合起来的思想,Ring 3 级的调试器。OllyDebug的使用界面是可视化操作。
英文版
Read this for quick start. Consult help file for details and more features.
Installation is not necessary. Create new directory and unpack odbg110.zip - now you can start!
Pop-up menus display only items that apply. Frequently used menu functions:
| Function | Window | Menu command | Shortcut |
| Edit memory as binary, ASCII or UNICODE string | Disassembler, Stack Dump | Binary|Edit | Ctrl+E |
| Undo changes | Disassembler, Dump Registers | Undo selection Undo | Alt+BkSp |
| Run application | Main | Debug|Run | F9 |
| Run to selection | Disassembler | Breakpoint|Run to selection | F4 |
| Execute till return | Main | Debug|Execute till return | Ctrl+F9 |
| Execute till user code | Main | Debug|Execute till user code | Alt+F9 |
| Set/reset INT3 breakpoint | Disassembler Names, Source | Breakpoint|Toggle Toggle breakpoint | F2 |
| Set/edit conditional INT3 breakpoint | Disassembler Names, Source | Breakpoint|Conditional Conditional breakpoint | Shift+F2 |
| Set/edit conditional logging breakpoint (logs into the Log window) | Disassembler Names, Source | Breakpoint|Conditional log Conditional log breakpoint | Shift+F4 |
| Temporarily disable/restore INT3 breakpoint | Breakpoints | Disable Enable | Space |
| Set memory breakpoint (only one is allowed) | Disassembler, Dump | Breakpoint|Memory, on access Breakpoint|Memory, on write | |
| Remove memory breakpoint | Disassembler, Dump | Breakpoint|Remove memory breakpoint | |
| Set hardware breakpoint (ME/NT/2000 only) | Disassembler, Dump | Breakpoint|Hardware (select type and size!) | |
| Remove hardware breakpoint | Main | Debug|Hardware breakpoints | |
| Set single-short break on access to memory block (NT/2000 only) | Memory | Set break-on-access | F2 |
| Set break on module, thread, debug string | Options | Events | |
| Set new origin | Disassembler | New origin here | |
| Display list of all symbolic names | Disassembler, Dump Modules | Search for|Name (label) View names | Ctrl+N |
| Context-sensitive help (requires external help file!) | Disassembler, Names | Help on symbolic name | Ctrl+F1 |
| Find all references in code to selected address range | Disassembler Dump | Find references to|Command Find references | Ctrl+R |
| Find all references in code to the constant | Disassembler | Find references to|Constant Search for|All constants | |
| Search whole allocated memory | Memory | Search Search next | Ctrl+L |
| Go to address or value of expression | Disassembler Dump | Go to|Expression Go to expression | Ctrl+G |
| Go to previous address/run trace item | Disassembler | Go to|Previous | Minus |
| Go to next address/run trace item | Disassembler | Go to|Next | Plus |
| Go to previous procedure | Disassembler | Go to|Previous procedure | Ctrl+Minus |
| Go to next procedure | Disassembler | Go to|Next procedure | Ctrl+Plus |
| View executable file | Disassembler, Dump, Modules | View|Executable file | |
| Copy changes to executable file | Disassembler | Copy to executable file | |
| Analyse executable code | Disassembler | Analysis|Analyse code | Ctrl+A |
| Scan object files and libraries | Disassembler | Scan object files | Ctrl+O |
| View resources | Modules, Memory | View all resources View resource strings | |
| Suspend/resume thread | Threads | Suspend Resume | |
| Display relative addresses | Disassembler, Dump, Stack | Doubleclick address | |
| Copy | Most of windows | Copy to clipboard | Ctrl+C |
Frequently used global shortcuts:
| Ctrl+F2 | Restart program |
| Alt+F2 | Close program |
| F3 | Open new program |
| F5 | Maximize/restore active window |
| Alt+F5 | Make OllyDbg topmost |
| F7 | Step into (entering functions) |
| Ctrl+F7 | Animate into (entering functions) |
| F8 | Step over (executing function calls at once) |
| Ctrl+F8 | Animate over (executing function calls at once) |
| F9 | Run |
| Shift+F9 | Pass exception to standard handler and run |
| Ctrl+F9 | Execute till return |
| Alt+F9 | Execute till user code |
| Ctrl+F11 | Trace into |
| F12 | Pause |
| Ctrl+F12 | Trace over |
| Alt+B | Open Breakpoints window |
| Alt+C | Open CPU window |
| Alt+E | Open Modules window |
| Alt+L | Open Log window |
| Alt+M | Open Memory window |
| Alt+O | Open Options dialog |
| Ctrl+T | Set condition to pause Run trace |
| Alt+X | Close OllyDbg |
Frequently used Disasembler shortcuts:
| F2 | Toggle breakpoint |
| Shift+F2 | Set conditional breakpoint |
| F4 | Run to selection |
| Alt+F7 | Go to previous reference |
| Alt+F8 | Go to next reference |
| Ctrl+A | Analyse code |
| Ctrl+B | Start binary search |
| Ctrl+C | Copy selection to clipboard |
| Ctrl+E | Edit selection in binary format |
| Ctrl+F | Search for a command |
| Ctrl+G | Follow expression |
| Ctrl+J | Show list of jumps to selected line |
| Ctrl+K | View call tree |
| Ctrl+L | Repeat last search |
| Ctrl+N | Open list of labels (names) |
| Ctrl+O | Scan object files |
| Ctrl+R | Find references to selected command |
| Ctrl+S | Search for a sequence of commands |
| Asterisk (*) | Origin |
| Enter | Follow jump or call |
| Plus (+) | Go to next location/next run trace item |
| Minus (-) | Go to previous location/previous run trace item |
| Space ( ) | Assemble |
| Colon (:) | Add label |
| Semicolon (;) | Add comment |
中文版
阅读这篇文章来快速入门。有关详细信息和更多功能,请参阅帮助文件。
不需要安装。创建新目录并解压缩odbg110.zip -现在可以开始了!
弹出式菜单只显示适用的项目。常用菜单功能:
功能窗口菜单命令快捷方式
编辑内存为二进制,ASCII或UNICODE字符串反汇编程序,堆栈
编辑二进制|按ctrl +E
撤销更改反汇编程序,转储
撤销选择
撤销alt + BkSp
运行application main debug |执行f9
运行到选择反汇编断点|运行到选择f4
执行直到返回主调试|执行直到返回ctrl +F9
执行至用户代码主调试|执行至用户代码alt +F9
设置/重置INT3断点反汇编程序
名称,源断点|切换
切换断点f2
设置/编辑条件INT3断点反汇编程序
名称、源断点|条件必选
条件断点shift +F2
设置/编辑条件日志断点(日志到日志窗口)反汇编程序
名称、源断点|条件必选日志
条件日志断点shift +F4
临时禁用/恢复INT3断点禁用
使空间
设置内存断点(只允许一个)反汇编程序,转储断点|内存,访问
断点|内存,写入时
删除内存断点反汇编程序,转储断点|删除内存断点
设置硬件断点(仅限ME/NT/2000)
主要调试|硬件断点
Set single short break on access to memory block (NT/2000 only
在模块、线程、调试字符串选项事件上设置中断
在这里设置新的原点
显示列表的所有符号名称反汇编,转储
模块搜索|名称(label)
查看名称ctrl +N
上下文敏感的帮助(需要外部帮助文件!)反汇编程序,名称帮助的符号名称ctrl +F1
在代码中找到所选地址范围的所有引用反汇编程序
dump查找|命令的参考信息
查找参考资料ctrl +R
查找代码中对常量disassembler的所有引用
搜索|所有常量
搜索整个已分配内存
搜索下一个
Ctrl + L
转到表达式反汇编程序的地址或值
dump转到|表达式
切换到表达式ctrl +G
进入上一个地址/运行跟踪项目反汇编进入|上一个减去
转到下一个地址/运行跟踪项目反汇编转到|下一个加
执行上一步操作反汇编程序执行|上一步操作ctrl +Minus
转到下一个步骤反汇编转到|下一个步骤按ctrl + +
查看可执行文件disassembler, Dump, modules查看|可执行文件
复制更改到可执行文件反汇编复制到可执行文件
分析可执行代码反汇编分析|分析代码ctrl +A
扫描对象文件和库反汇编扫描对象文件ctrl +O
查看资源模块、内存查看所有资源
查看资源字符串
Suspend/resume thread线程暂停
重新开始
显示相对地址反汇编程序,转储,堆栈双击地址
复制大部分窗口复制到剪贴板ctrl +C
常用的全局快捷键:
Ctrl+ f2重启程序
Alt+ f2关闭程序
f3打开新程序
f5最大化/恢复活动窗口
Alt+ f5使OllyDbg顶部
f7 step into(输入函数)
Ctrl+ f7 animate into(进入函数)
f8过渡(一次执行函数调用)
Ctrl+ f8动画结束(一次执行函数调用)
f9运行
Shift+ f9将异常传递给标准处理器并运行
Ctrl+ f9执行直到返回
Alt+ f9执行至用户代码
Ctrl+ f11 trace into
f12暂停
Ctrl+ f12跟踪结束
Alt+ b打开断点窗口
Alt+ c打开“CPU”窗口
Alt+ e打开“模块”窗口
Alt+ l打开日志窗口
Alt+ m打开内存窗口
Alt+ o打开选项对话框
Ctrl+ t设置条件暂停运行跟踪
Alt+ x关闭OllyDbg
常用的反汇编器快捷方式:
f2切换断点
Shift+ f2设置条件断点
f4跑到选择区
Alt+ f7返回之前的参考
Alt+ f8进入下一个参考
Ctrl+ a分析代码
Ctrl+ b开始二分查找
Ctrl+ c复制选择到剪贴板
按Ctrl+ e编辑二进制格式的选择
Ctrl+ f搜索命令
Ctrl+ g跟随表达式
Ctrl+ j显示跳转到选定行的列表
Ctrl+ k查看调用树
Ctrl+ l重复上次搜索
Ctrl+ n打开标签列表(名称)
Ctrl+ o扫描目标文件
Ctrl+ r查找所选命令的引用
Ctrl+ s搜索命令序列
![[HarekazeCTF2019]Easy Notes](https://img-blog.csdnimg.cn/88656c0b54b943c6b24a99e40e33ba17.png)
