0816-onlyu-Task
Posted on: 2004-8-16 09:03 4912

Menu in the Disassembler window [Disassembler menu]
Disassembler pop-up menu is perhaps the most important in the whole OllyDbg. To keep menu compact, it displays only items applicable to the selected part of disassembled code. If several lines are selected at once, single-line commands apply to the first selected line.

Backup functions - see description here.

Copy

To clipboard (Ctrl+C) - copies selected part of the code to clipboard. Uses currently selected width of columns. To exclude some column from the copy, reduce its width to the minimal possible (in this case column remnants appear grayed). If some text is wider than column, OllyDbg replaces last visible character in the column by symbol '>'.

To file - copies selected part of the code to file. There apply same rules as when you copy selection to clipboard, but the size of data you can copy is unlimited.

Select all - selects whole code displayed in Disassembler.

Select procedure - selects current recognized procedure.

Binary

Edit (Ctrl+E) - allows you to edit selected part of the code as ASCII, UNICODE or hexadecimal string. All three edit controls are tightly connected to each other, scroll together (first visible byte is the same in all 3 windows) and immediately display the changes you've made in any control. By pressing Ctrl+UpArrow or Ctrl+DownArrow you can quickly go to the corresponding place in different window. Maximal length of edited code is 256 bytes. Incomplete characters are displayed as red question marks. If hexadecimal string contains odd number of nibbles, OllyDbg completes it with 0. When the "Keep size" option is on, you are not allowed to insert or delete characters or write over the end of selected code.

Fill with 00's - fills selected part of code with zeros.

Fill with NOP's - fills selected part of code with NOPs.

Binary copy - copies selected part of code as a hexadecimal ASCII dump to the clipboard.

Binary paste - pastes hexadecimal dump from clipboard to selection. OllyDbg scans text on clipboard and extracts hexadecimal digits (0..9, A..F, a..f), ignoring all other symbols. Code outside the selected area remains unchanged. If last byte contains single hex digit, it is ignored. For example: "part of code" is interpreted as AF CD and not as AF CD 0E.

Copy with masked fixups - same as binary copy, but substitutes all fixuped addresses with question marks. Facilitates search for similar code fragments. See also Search for binary strings.

Modify byte - allows you to edit contents of selected byte constant as a decimal signed, decimal unsigned or hexadecimal number.

Modify integer - allows you to edit contents of selected integer constant as a decimal signed, decimal unsigned or hexadecimal number.

Modify float - allows you to edit contents of selected floating-point constant.

Modify MMX - allows you to edit contents of selected MMX constant as a collection of decimal signed, decimal unsigned or hexadecimal fields.

Modify 3DNow! - allows you to edit contents of selected 3DNow! constant as a pair of floating-point or hexadecimal numbers.

Modify SSE - allows you to edit contents of selected SSE constant as a set of 4 floating-point or hexadecimal numbers.

Undo selection (Alt+BkSpc) - substitutes selected part of the code with the corresponding portion of backup data. Available only when backup data exists and differs from selected code.

Assemble (Space) - allows you to edit or overwrite existing code with one or several commands in assembler language. For details, see Assembler.

Label (:) - allows you to assign a user-defined label to the first selected address.

Edit label (:) - allows you to edit or erase the user-defined label assigned to the first selected address.

Comment (;) - allows you to add comment to the first selected address.

Edit comment (;) - allows you to edit or erase user-defined comment assigned to the first selected address.

Breakpoint

Toggle (F2) - toggles INT3 breakpoint on the first selected command.

Conditional (Shift+F2) - allows you to set a conditional breakpoint on the first selected command.

Conditional log (Shift+F4) - allows you to set a logging breakpoint. For more details, see Breakpoints.

Message breakpoint on WinProc - allows you to edit the active message breakpoint. Message breakpoint can be set from the Windows window.

Run to selection (F4) - sets one-shot breakpoint on the first selected command and continues execution of debugged program. If OllyDbg stops execution before the program reached this command, one-shot breakpoint still remains active. If necessary, you can remove it from Breakpoints window.

Memory, on access - sets memory breakpoint on the selected part of memory. Program stops each time the memory is accessed. OllyDbg supports single memory breakpoint of any size. Memory breakpoint can significantly slow down the execution. Under Windows 95/98, memory breakpoint may crash debugged program when system routines access memory blocks containing breakpoint. Use it as a last resort.

Memory, on write - sets memory breakpoint on the selected part of memory. Program stops each time it attempts to write to this memory. OllyDbg supports single memory breakpoint of any size. Memory breakpoint can significantly slow down the execution. Under Windows 95/98, memory breakpoint may crash debugged program when system routines access memory blocks containing breakpoint. Use it as a last resort.

Remove memory breakpoint - removes memory breakpoint.

Remove SFX memory breakpoint - stops search for real entry of self-extractable (SFX) program. This search uses memory breakpoint of a special type.

Hardware, on execution - sets hardware memory breakpoint on the first selected byte. Program stops each time it tries to execute command that begins with this byte. Hardware breakpoints are available only under Windows ME, NT or 2000. 80x86 processors support up to 4 hardware breakpoints. If OllyDbg is unable to find free slot for the hardware breakpoint, it asks you to remove some existing breakpoint. You can set hardware breakpoints on write or access in the CPU Dump pane.

Remove hardware breakpoint - removes hardware breakpoint set on the first selected byte.

#Set real SFX entry here - declares first selected command as a real entry point of the unpacked self-extractable program. If real SFX entry is declared and option "Use real entry from previous run" is activated, OllyDbg can quickly bypass self-extractor and stop on real entry.

Hit trace - commands that manipulate hit trace, available only for analyzed code.

Add selection - request hit trace on selected piece of code.

Add procedure - request hit trace on the current procedure.

Add all recognized procedures - request hit trace on all procedures recognized by Analyzer in the code displayed in Disassembler. To avoid crashes, I recommend that you select strict or heuristic procedure recognition.

Remove from selection - removes hit trace from selection. If there is a forced run trace, removes it too.

Remove from module - removes hit trace from the code section of the module that is currently selected in Disassembler. If there is a forced run trace, removes it too.

Mark selection as not traced - marks all selected commands with activated hit trace as not hit.

Mark module as not traced - marks all commands with activated hit trace within the code section of the module selected in Disassembler as not hit.

Run trace - commands that manipulate run trace, available only when code is analyzed.

Add selection - forces run trace on selected piece of code and simultaneously request hit trace.

Add procedure - forces run trace on the current recognized procedure and simultaneously request hit trace.

Add branches in procedure - forces run trace on all recognized jump or call destinations and removes run trace from all other commands in the current procedure. Simultaneously it requests hit trace on the whole procedure.

Add entries of all procedures - forces run trace on entry points of the recognized procedures and removes it from all other commands in the current module. Simultaneously it requests hit trace on all recognized procedures.

Skip selection when tracing - excludes selected quasi-linear piece of code from the run trace. When run trace encounters excluded code, it sets temporary breakpoint at the end of selection and runs code at once. This significantly accelerates run trace.

Set condition (Ctrl+T) - allows to set condition to pause run trace.

Profile current module - opens window with profile data of the current module.

Global profile - opens window with profile data of the whole application. Gathering global profile data may be time-consuming.

Remove from selection - removes forced run trace from selection.

Remove from module - removes forced run trace from the code section of the module that is currently selected in Disassembler.

Follow (ENTER) - follows jump, call, return or switch destination. See also Command history.

Follow immediate constant - if immediate constant in the command points to code, follows address.

Follow SE handler (ENTER) - if actual command installs structured exception handler (SEH), follows entry point of handling routine.

New origin here (Ctrl+Gray *) - sets EIP of the currently selected thread to the address of the first selected byte. You can undo this operation if you go to Registers pane and select EIP.

Go to

Origin (*) - goes to the address contained in EIP of the current thread.

Previous (-) - goes to the previous address in the command history. You can't browse run history when run trace buffer is open.

Previous run trace record (-) - goes to the previous record in the run trace buffer.

Next (+) - goes to the next address in the command history. You can't browse run history when run trace buffer is open.

Next run trace record (+) - goes to the next record in the run trace buffer.

Expression (Ctrl+G) - allows you to follow hexadecimal address or result of expression. Dialog keeps several last entered addresses. To facilitate distinguishing, you can comment addresses, simply type any text separated from address or expression by semicolon.

Previous procedure (Ctrl+Minus) - goes to the beginning of the previous recognized procedure.

Next procedure (Ctrl+Plus) - goes to the beginning of the next procedure.

Previous reference (Alt+F7) - goes to the previous found reference. Selection in References window moves synchronously with Disassembler.

Next reference (Alt+F8) - goes to the next found reference.

Source file (Ctrl+F5) - opens source window and displays code corresponding to the first selected command. Currently this option is available only if executable file contains debugging information in Borland format.

Switch base,
Default case,
Case xxxx - if command is a switch base or one of its cases, these menu items navigate between remaining elements of the recognized switch.

More cases... - if number of cases in a switch exceeds 10, opens window that displays all cases in a switch.

CALL from xxxx,
JMP from xxxx,
JNZ from xxxx,
JMP [ ] from xxxx etc. - goes to command that jumps to or calls selected command. This can be direct or indirect local (intramodular) call, direct unconditional jump, conditional jump or table switch. Notice that calls from different modules are not listed, even if they are present in call tree.

More jumps and calls... (Ctrl+J) - if number of jumps and calls to the current location exceeds 10, opens window that displays all jumps and calls to selected command. Shortcut is always active, even if this item doesn't appear in menu.

Call DLL export - invokes Call export dialog. Available only if you debug standalone DLL and first selected line is entry point of exported function in this DLL.

Thread - in multithread applications, allows quick navigation between different threads.

Follow in Dump

Selection - reopens memory block in CPU Dump and follows first selected address.

Constant - follows immediate constant in the Dump pane.

Address constant - follows constant which is part of address in the Dump pane. For example, if currently selected command is MOV [ESI+123456],543210, Dump will display contents of memory starting from address 0x123456.

Immediate constant - follows immediate constant in the Dump pane. For example, if currently selected command is MOV [ESI+123456],543210, Dump will display contents of memory starting from address 0x543210.

Implicit stack address - follows stack location implicitly addressed by ESP, like in commands PUSH and RET.

Memory address,
First address,
Second address - follows address in the Dump pane. For example, if currently selected command is MOV [ESI+123456],543210 and ESI contains 0x10, Dump will display contents of memory starting from address 0x123466. Some commands, like MOVS, have two memory operands. In this case, first address is the destination and second address is the source.

View call tree (Ctrl+K) - opens Call tree window that displays all known calls to current procedure and all procedures called from the current procedure. If you want to extend tree into different modules, please analyze them.

Search for

Name (label) in current module (Ctrl+N) - displays table containing all names (exports, imports, library, user-defined) defined or used in the current module.

Name in all modules - displays table containing all known names.

#Command (Ctrl+F) - allows you to search for assembler command. OllyDbg tries to find all possible encodings. For example, if you search for MOV EAX,[123456], it will look for both A1 56341290 and 8B05 56341200. You can also specify imprecise commands, like MOV R32,[CONST] - which fits both MOV EAX,[10000] and MOV ESI,[123456]. This search, however, cannot find some more complicated address forms. For best results, analyze code before starting search.
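The reason the command search has to try several encodings is that x86 gives the same instruction more than one byte form. As an added example that is not OllyDbg's code, the block below enumerates the encodings of MOV r32,[imm32] with a plain absolute address (the short A1 form exists only for EAX; the 8B /r form with ModRM mod=00, rm=101 and a disp32 works for every register) and scans a constructed byte buffer for all of them. Function names and the sample bytes are my own; like the search described above, it does not cover the more complicated address forms (SIB, base+displacement).

```python
# Added example (not OllyDbg's code): two encodings of MOV EAX,[imm32] and
# a register-agnostic scan, as a "MOV R32,[CONST]" search has to do.
import struct

REG32 = {"EAX": 0, "ECX": 1, "EDX": 2, "EBX": 3, "ESP": 4, "EBP": 5, "ESI": 6, "EDI": 7}


def mov_r32_mem_encodings(reg: str, address: int) -> list:
    """All 32-bit-mode encodings of MOV reg,[address] for an absolute
    disp32 operand, little-endian displacement as on the page."""
    if not 0 <= address <= 0xFFFFFFFF:
        raise ValueError("address must fit in 32 bits")
    disp = struct.pack("<I", address)
    r = REG32[reg.upper()]
    # 8B /r, ModRM = mod 00 | reg r | rm 101 (disp32, no base)
    encodings = [bytes([0x8B, 0x05 | (r << 3)]) + disp]
    if r == 0:
        # A1 moffs32 is the shorter EAX-only form
        encodings.append(b"\xA1" + disp)
    return encodings


def find_mov_r32_mem(code: bytes, address: int) -> list:
    """Linear byte scan for every register form of MOV r32,[address].
    Returns sorted (offset, register) pairs. No instruction decoding is
    done, so a hit may also be a coincidental byte overlap."""
    hits = []
    for reg in REG32:
        for enc in mov_r32_mem_encodings(reg, address):
            start = 0
            while (pos := code.find(enc, start)) != -1:
                hits.append((pos, reg))
                start = pos + 1
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: NOP, MOV EAX,[123456], NOP, MOV ESI,[123456]
    sample = bytes.fromhex("90 a1 56341200 90 8b35 56341200")
    for enc in mov_r32_mem_encodings("EAX", 0x123456):
        print(enc.hex(" "))
    print(find_mov_r32_mem(sample, 0x123456))   # [(1, 'EAX'), (7, 'ESI')]
```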

Sequence of commands (Ctrl+S) - allows you to search for a sequence of assembler commands. This sequence may include imprecise commands and matching registers and allows to omit intermediate commands.

#Constant - allows you to find a constant within the code. This constant can be part of address, immediate constant, offset for relative jump or element of switch table. For best results, analyze code before starting search.

Binary string (Ctrl+B) - displays dialog allowing to specify search pattern. Maximal size of search pattern is 256 bytes. You can exclude some bytes or nibbles from the comparison. For example, if you specify pattern 12 ?? ?6 78, it will match both 12 34 56 78 and 12 00 06 78, but not 12 34 55 78. You can also ignore case of ASCII/UNICODE characters.
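The nibble wildcards in the binary-string search are easy to get wrong when implemented by hand (masking a whole byte when only one nibble is unknown). The block below is an added example, not OllyDbg's own search code: it compiles a pattern such as 12 ?? ?6 78 into per-byte (value, mask) pairs, enforces the 256-byte limit mentioned above, and scans a constructed buffer for every match. Function names are my own.

```python
# Added example (not OllyDbg's code): byte patterns with '?' nibble
# wildcards, compiled to (value, mask) pairs.
from typing import List, Tuple


def compile_pattern(pattern: str) -> List[Tuple[int, int]]:
    """'12 ?? ?6 78' -> [(0x12,0xFF), (0,0), (0x06,0x0F), (0x78,0xFF)].
    A '?' nibble contributes 0 to both value and mask, so any nibble
    matches there; a fixed nibble contributes its value and 0xF."""
    pairs = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError(f"bad byte token {tok!r}")
        value = mask = 0
        for ch in tok:
            value <<= 4
            mask <<= 4
            if ch == "?":
                continue
            value |= int(ch, 16)
            mask |= 0xF
        pairs.append((value, mask))
    if len(pairs) > 256:
        raise ValueError("pattern longer than 256 bytes")
    return pairs


def matches_at(data: bytes, off: int, compiled: List[Tuple[int, int]]) -> bool:
    """True if every (value, mask) pair matches data[off + i] & mask."""
    if off + len(compiled) > len(data):
        return False
    return all((data[off + i] & m) == v for i, (v, m) in enumerate(compiled))


def search(data: bytes, pattern: str) -> List[int]:
    """Offsets of all matches of pattern in data (overlaps included)."""
    compiled = compile_pattern(pattern)
    return [o for o in range(len(data) - len(compiled) + 1) if matches_at(data, o, compiled)]


if __name__ == "__main__":
    pat = "12 ?? ?6 78"
    for hexstr in ("12 34 56 78", "12 00 06 78", "12 34 55 78"):
        print(hexstr, matches_at(bytes.fromhex(hexstr), 0, compile_pattern(pat)))
    # Constructed sample buffer containing both matching forms
    print(search(bytes.fromhex("00 12345678 12000678 90"), pat))   # [1, 5]
```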

Modified command - searches for the next command that differs from the backup.

Trace hit - searches for the next contiguous block of commands that are marked as executed (hit) in the hit trace.

Next (Ctrl+L) - repeats last search from the selection.

All intermodular calls - searches for all commands that call (directly or indirectly, may be via several intermediate jumps) functions residing in other modules. Especially useful to find calls to API functions loaded by GetProcAddress().

All commands - allows to find all commands that match specified assembler pattern.

All sequences - allows to find all sequences of commands that match specified pattern.

All constants - allows to find all instances of the specified constant in the code section of the current module.

All switches - displays table that lists all switches recognized in the current module.

#All referenced text strings - searches for all ASCII and UNICODE strings that are referenced in the code section of the current module or are embedded in this section.

#User-defined label - displays table of all user-defined labels in the current module.

#User-defined comment - displays table of all user-defined comments in the current module.

#Last record in run trace - searches for the most recent occurrence of the first selected command in the run trace buffer.

#Find references to - these commands search references to the specified item in code section of the module opened in Disassembler window. For best results, analyze code before searching for references. Following search items are supported:

Selected command (Ctrl+R),
Selected address (Ctrl+R) - first selected address;

Selected block - selected range;

Immediate constant - immediate constant which is a part of the first selected command;

Address constant - address constant in the first selected command;

Call destination - call destination of the first selected command;

Jump destination - jump destination of the first selected command;

Call constant,
Jump constant - constant part of destination address in the first selected command.

Stop till return (Esc) - stops execution till return.

Stop tracing (Esc) - stops run tracing.

Stop animation (Esc) - stops animation.

View

Source file (Ctrl+F5) - opens source window and displays code corresponding to the first selected command. Currently this option is available only if executable file contains debugging information in Borland format.

Original comments - displays comments in the fourth column of Disassembler window. If bar is visible, press comment bar to toggle between comments, source and profile.

Source as comments - displays lines of source code in the fourth column of Disassembler window (normally displaying comments). If bar is visible, press comment bar to toggle between comments, source and profile. This option is available only if executable file contains debugging information in Borland's format.

Profile as comments - displays number of times each command appears in the run trace buffer. If bar is visible, press comment bar to toggle between comments, source and profile. This option is available only when profile data is open.

Executable file - displays dump of the executable file at offset that corresponds to the first selected command. If selection is not in the file, dump is positioned at offset 0.

Absolute address - displays absolute addresses in the first column.

Relative address - displays addresses relative to the currently selected. Alternatively, doubleclick base address in the first column.

Module 'xxx' - displays executable code of selected module.

Copy to executable

Selection - copies selection to the executable file. OllyDbg adjusts fixups and warns you if this operation may cause errors.

All modifications - copies all highlighted modification (i.e. differences between actual code and global backup) to executable file.

Analysis

Analyze code (Ctrl+A) - analyzes code section of the module opened in Disassembler window. Other parts of OllyDbg work more reliably if analysis data is available.

Remove analysis - discards analysis data for current module.

Scan object files (Ctrl+O) - allows you to select object files or libraries and locate their positions in the code section of the module opened in Disassembler window.

Remove object scan - discards results of object scan.

#Assume arguments - allows to treat first selected command as entry point of a function with predefined arguments. Currently available function types are:

WinProc(hWnd,msg,wParam,lParam) - windows function that processes messages
WinMain(hInst,hPrevInst,CmdLine,ShowState) - program entry point
DllEntryPoint(hInst,CallReason,pReserved) - DLL entry point
Format(format,...) - function similar to printf
Sformat(ptr,format,...) - function similar to sprintf
StdFunc0(void) - function without arguments
StdFunc1(int) - function with single argument
.....
StdFunc8(int,int,int,int,int,int,int,int) - function with 8 arguments

Remove analysis from selection (BkSpc) - removes analysis from selected block. Useful if Analyzer has misinterpreted code as data.

During next analysis, treat selection as - sets decoding hints.

Help on symbolic name - if first selected line contains symbolic name and API help file is attached to OllyDbg, attempts to open help topic on the symbolic name.

Appearance - see detailed description here.

Latest replies (1)
Translation:

Menu in the Disassembler window [Disassembler menu]

The disassembler pop-up menu is perhaps the most important in the whole of OllyDbg. To keep the menu concise, it only shows the options relevant to the selected part of the disassembled code. If several lines are selected at the same time, single-line commands apply only to the first selected line.

Backup functions - see the description here.

Copy

To clipboard (Ctrl+C) - copies the selected part of the code to the clipboard. Uses the currently selected column widths. To keep certain columns from being copied, reduce their width to the minimum (in this case the remaining part of the column appears gray). If some text is wider than the column, OllyDbg replaces the last visible character in the column with the symbol '>'.

To file - copies the selected part of the code to a file. The rules are the same as when you copy the selection to the clipboard, but there is no limit on the size of the data you can copy.

Select all - selects all the code displayed in the Disassembler window.

Select procedure - selects the currently recognized procedure.

Binary

Edit (Ctrl+E) - allows you to edit the selected part of the code as an ASCII, UNICODE or hexadecimal string. All three edit boxes are linked to each other and scroll together (the first visible byte is the same in all 3 windows), and as soon as you make a change in any edit box the others change immediately. By pressing Ctrl+UpArrow or Ctrl+DownArrow you can quickly get to the corresponding position in a different window. The maximum length of the edited code is 256 bytes. Incomplete characters are shown as red question marks. If the hexadecimal string contains an odd number of characters, OllyDbg completes it with 0. When the "Keep size" option is on, you cannot insert or delete characters in the selected code or go beyond its range.

Fill with 00's - fills the selected part of the code with 00.

Fill with NOPs - fills the selected part of the code with NOPs.

Binary copy - copies the selected part of the code to the clipboard as hexadecimal ASCII.

Binary paste - pastes the hexadecimal data from the clipboard into the selected position. OllyDbg scans the text on the clipboard and extracts the hexadecimal digits (0..9, A..F, a..f), ignoring all other characters. Code outside the selected area remains unchanged. If the last byte contains only a single hexadecimal digit, it is ignored. For example: "part of code" will be interpreted as AF CD rather than AF CD 0E.

Copy with masked fixups - much like binary copy, but replaces the addresses marked with question marks with the fixed-up addresses, which makes it easier to search for similar code fragments. See also Search for binary strings.

Modify byte - allows you to edit the selected byte constant as a signed decimal, unsigned decimal or hexadecimal number.

Modify exponent - allows you to edit the selected integer constant as a signed decimal, unsigned decimal or hexadecimal number.

Modify float - allows you to edit the selected floating-point number.

Modify MMX - allows you to edit the selected MMX constant as numbers in signed decimal, unsigned decimal or hexadecimal fields.

Modify 3DNow! - allows you to edit the selected 3DNow! constant as a pair of floating-point or hexadecimal numbers.

Modify SSE - allows you to edit the selected SSE constant as a set of 4 floating-point or hexadecimal numbers.

Undo selection (Alt+BkSpc) - replaces the selected code with the corresponding backup data. Only works when backup data exists and differs from the selected code.

Assemble (Space) - allows you to edit or overwrite the existing code with one or more instructions. For details, see the Assembler section.

Label (:) - allows you to assign a user-defined label to the first selected address.

Edit label (:) - allows you to edit or delete the user-defined label already assigned to the first selected address.

Comment (;) - allows you to add a comment to the first selected address.

Edit comment (;) - allows you to edit or delete the user-defined comment already assigned to the first selected address. For details, see the Breakpoints section.

Breakpoint

Toggle (F2) - toggles an INT3 breakpoint on the first selected instruction.

Conditional (Shift+F2) - sets a conditional breakpoint on the first selected instruction.

Conditional log (Shift+F4) - sets a logging breakpoint.

WinPro message breakpoint - edits the active message breakpoint. Message breakpoints can be set from the Windows window.

Run to selection (F4) - sets a one-shot breakpoint on the first selected command and continues after the debugged program has finished executing. If the OllyDbg program stops execution before reaching this command, the one-shot breakpoint remains active. If necessary, you can delete it from the Breakpoints window.

Memory, on access - sets a memory breakpoint on the selected part of memory. Each time this memory is accessed, the program pauses. OllyDbg supports setting a memory breakpoint of any size. Memory breakpoints noticeably slow down execution. Under Windows 95/98, when a system routine accesses a memory block containing a memory breakpoint, the debugged program may crash. You should use it only when there is no other way.

Memory, on write - sets a memory breakpoint on the selected part of memory. Each time the program attempts to write to this memory, the program pauses. OllyDbg supports setting a memory breakpoint of any size. Memory breakpoints noticeably slow down execution. Under Windows 95/98, when a system routine accesses a memory block containing a memory breakpoint, the debugged program may crash. You should use it only when there is no other way.

Remove memory breakpoint - clears the memory breakpoint.

Hardware, on execution - sets a hardware memory breakpoint on the first selected byte. Each time the program tries to execute a command beginning with this byte, it pauses. Hardware breakpoints only work under Windows ME, NT or 2000. 80x86 processors support at most 4 hardware breakpoints. If OllyDbg cannot find a free slot to set the hardware breakpoint, it asks you to clear some existing breakpoints. You can set hardware write or access breakpoints in the CPU Dump pane.

Remove hardware breakpoint - clears the hardware breakpoint set on the first selected byte.

#Set SFX entry here - takes the first selected command as the real entry point of the unpacked self-extracting program. If the real SFX entry has been specified and the option "Use real entry from previous run" is activated, OllyDbg can quickly pass through the self-extractor and stop at the real entry.

Hit trace - commands that operate the hit trace; only work on code that has already been analyzed.

Add selection - requests that hit trace be turned on for the selected code.

Add procedure - requests that hit trace be turned on for the current procedure.

Add all recognized procedures - requests that hit trace be turned on for all procedures recognized by the Analyzer and displayed in the Disassembler window. To avoid crashes, I recommend you choose strict or heuristic procedure recognition.

Remove from selection - removes hit trace from the selection. If there is also a passive run trace, it is removed too.

Remove from module - removes hit trace from the code module, that is, the code currently selected in the Disassembler window. If there is also a passive run trace, it is removed too.

Mark selection as not traced - marks all selected commands that have hit trace as not traced.

Mark module as not traced - marks everything in the module selected in the Disassembler window that is marked as traced as not traced.

Run trace - commands that operate the hit trace; only work on code that has already been analyzed.

Add selection - turns on run trace for the selected block of code and requests hit trace at the same time.

Add procedure - turns on run trace for the currently recognized procedure and requests hit trace at the same time.

Add branches in procedure - turns on run trace for all recognized jump or call destinations and removes run trace from all other commands in the current procedure. At the same time it requests hit trace on the whole procedure.

Add branches in all procedures - turns on run trace at the entry points of all recognized procedures and removes it from the other modules in the current module. At the same time it requests hit trace on all recognized procedures.

Skip selection when tracing - excludes the selected quasi-linear code from the run trace. When the run trace encounters excluded code, it sets a temporary breakpoint at the end of the selected code and runs the code in one go. This noticeably speeds up the run trace.

Set condition (Ctrl+T) - sets a condition to pause the run trace.

Current module image - opens a window containing the image data of the current module.

Global image - opens a window containing the image data of the whole program. Gathering global image data may be very time-consuming.

Remove from selection - removes the passively running run trace from the selection.

Remove from module - removes the passively running run trace from the currently selected code module.

Follow (ENTER) - follows the jump, call, return or switch destination. See Command history.

Follow immediate variable - if the immediate variable in the instruction points to code, follows the address.

Follow SE handle (ENTER) - if the actual instruction installs a structured exception handler (SEH), follows the entry point of the handling routine.

Go to

Origin (*) - goes to the address contained in the EIP of the current thread.

Previous (-) - goes to the previous address in the command history. You cannot browse the run history while the run trace buffer is open.

Previous run trace record (-) - goes to the previous record in the run trace buffer.

Next (+) - goes to the next address in the command history. You cannot browse the run history while the run trace is open.

Next trace record (+) - goes to the next record in the run trace buffer.

Expression (Ctrl+G) - lets you follow a hexadecimal address or the result of an expression. The dialog keeps the last few addresses entered. To make them easy to tell apart, you can separate the address or expression by typing a semicolon.

Previous procedure (Ctrl+Minus) - goes to the start of the previously recognized procedure.

Next procedure (Ctrl+Plus) - goes to the start of the next procedure.

Previous reference (Alt+F7) - goes to the previous reference found. The selection in the References window moves in sync with the Disassembler.

Next reference (Alt+F8) - goes to the next reference found.

Source file (Ctrl+F5) - opens the source window and displays the code corresponding to the first selected command. Currently this option only works if the executable file contains debugging information in Borland format.

Switch base,
Default case,
Case xxxx - if the command is a switch base or one of its cases, this menu contains only the remaining branches of the recognized switch.

More cases... - if there are more than 10 cases, opens a window showing all the branches of the switch.

CALL from xxxx,
JMP from xxxx,
JNZ from xxxx,
JMP [ ] from xxxx etc. - goes to the command that the selected command jumps to or calls. This can be a direct or indirect unconditional jump, a conditional jump or a switch table. Note that calls from different modules are not listed, even if they are already listed in the call tree.

More jumps and calls... (Ctrl+J) - if the number of jumps or calls to the current location exceeds 10, opens a window showing all the jumps and calls to choose a command from. The shortcut is always active, even if the item does not appear in the menu.

DLL Call export - opens the Call export dialog. Only usable when you are debugging a standalone DLL and the first selected line is the entry of an exported function in this DLL.

Follow in Dump

Selection - reopens the memory block in CPU Dump and follows the first selected address.

Constant - follows the immediate constant in the Dump pane.

Address constant - follows, in the Dump pane, the constants that are part of an address. For example, if the currently selected command is MOV [ESI+123456],543210, the Dump will display the contents starting from memory address 0x123456.

Direct constant - follows the direct constant in the Dump. For example, if the currently selected command is MOV [ESI+123456],543210, the Dump will display the contents starting from memory address 0x543210.

Implicit stack address - follows the stack location implied by ESP, as in the commands PUSH and RET.

Memory address,
First address,
Second address - follows the address in the Dump pane. For example, if the currently selected command is MOV [ESI+123456],543210 and ESI holds 0x10, the Dump will display the contents starting from memory address 0x123456. Some commands, such as MOVS, have two memory operations; in that case the first address is the destination address and the second address is the source address.

View call tree (Ctrl+K) - opens the Call tree window to show all calls to the current procedure and all procedures called from the current procedure. If you want to extend this tree into different modules, please analyze them yourself.

Search

Names (labels) in current module (Ctrl+N) - displays all names (exports, imports, library, user-defined) defined or used in the current module.

Names in all modules - displays a table containing all known names.

#Command (Ctrl+F) - lets you search for an assembler command. OllyDbg tries to find all possible encodings. For example, if you search for MOV EAX,[123456], it searches for both A1 56341290 and 8B05 56341200. You can also specify instructions imprecisely, such as MOV R32,[CONST] - this matches both MOV EAX,[10000] and MOV ESI,[123456]. However, this search cannot find commands with more complicated address forms. For best results, it is best to analyze the code before starting the search.

Sequence of commands (Ctrl+S) - lets you search for a sequence of assembler commands. The sequence may contain imprecise commands, may match registers, and allows intermediate commands to be omitted.

#Constant - lets you search the code for a constant. The constant can be part of an address, an immediate, the offset of a relative jump or an element of a switch table. For best results, it is best to analyze the code before starting the search.

Binary string (Ctrl+B) - shows a dialog and runs the specified search pattern. The maximum size of a search pattern is 256 bytes. You can exclude some bytes or specify the comparison in finer detail. For example, if you specify the pattern 12 ?? ?6 78, it matches 12 34 56 78 and 12 00 06 78, but not 12 34 55 78. You can also ignore the case of ASCII/UNICODE characters.

Modified command - searches for the next command whose content differs from the backup.

Trace hit - searches for the adjacent block of commands in the hit trace marked as executed (hit).

Next - repeats the most recent search.

Calls in all modules - searches for all calls to functions in other modules (directly or indirectly, possibly through some immediate jumps). Especially useful for searching for API functions loaded via the GetProcAddress() function.

All sequences - lets you search for all command sequences matching the specified pattern.

All constants - lets you search for all locations of the specified constant in the code section of the current module.

All switches - displays all switches recognized in the current module.

#All referenced strings - searches for all ASCII and UNICODE strings referenced in the code section of the current module or embedded in this module.

#User-defined labels - displays all user-defined labels in the current module.

#User-defined comments - displays all user-defined comments in the current module.

#Latest record in run trace - searches the run trace buffer for where the first selected command most recently appeared.

#Find references - these commands search the code of the module open in the Disassembler window for the specified item.

Selected command (Ctrl+R),
Selected address (Ctrl+R) - the first selected address;

Selected block - the selected range;

Immediate constant - the immediate constant in the first command of the selected commands.

Call destination - the call destination of the first selected command;

Jump destination - the jump destination of the first selected command;

Call constant,
Jump constant - the constant part of the destination address of the first selected command.

Stop till return (Esc) - stops execution at the return.

Stop tracing (Esc) - stops the run trace.

Stop animation (Esc) - stops the animation.

View

Source file (Ctrl+F5) - opens the source window and displays the code corresponding to the first selected command. This option only works when the executable file is in Borland format and contains debugging information.

Original comments - displays comments in the 4th column of the Disassembler window. If the bar is visible, press comment bar to toggle between comments, source and profile.

Source as comments - displays source code in the 4th column of the Disassembler window (which normally shows comments). If the bar is visible, you can press the bar to switch between comments, source code and image. This option is only available when the executable file contains debugging information in Borland format.

Image as comments - displays the number of times each command appears in the run trace buffer. If the bar is visible, you can press the bar to switch between comments, source code and image. This option is only available when the image data is open.

Executable file - displays the image data of the executable file at the offset corresponding to the first selected command. If the selection is not in the file, displays the image starting from offset 0.

Absolute address - displays absolute addresses in the first column.

Relative address - displays addresses relative to the current selection. You can also switch by clicking the base address in the first column.

Module "xxx" - displays the executable code of the selected module.

Copy to executable

Selection - copies the selected part to the executable file. OllyDbg adjusts the fixups and warns you that this operation may cause errors.

All fixes - copies all highlighted modifications (for example, the differences between the actual code and the global backup) to the executable file.

Analysis

Analyze code (Ctrl+A) - analyzes the code section of the module open in the Disassembler window. Other parts of OllyDbg work more reliably if analysis data is available.

Remove analysis - removes the analysis data of the current module.

Scan object files (Ctrl+O) - lets you select object files or libraries and locate them in the code section of the module open in the Disassembler window.

Remove object scan - removes the object scan results.

#Assume arguments - lets you treat the first selected command as the entry point of a predefined function. The currently available function types are:

WinProc(hWnd,msg,wParam,lParam) - Windows function that processes messages
WinMain(hInst,hPrevInst,CmdLine,ShowState) - program entry point
DllEntryPoint(hInst,CallReason,pReserved) - DLL entry point
Format(format,...) - function similar to printf
Sformat(ptr,format,...) - function similar to sprintf
StdFunc0(void) - function without arguments
StdFunc1(int) - function with only one argument
.....
StdFunc8(int,int,int,int,int,int,int,int) - function with 8 arguments

Remove analysis from selection (BkSpc) - removes analysis from the selected module. Useful when the Analyzer has mistaken code for data.

During next analysis, treat selection as - some decoding hints.

Help on symbolic name - if the first selected line contains a symbolic name and an API help file is attached to OllyDbg, tries to open the help topic for that symbolic name.

Appearance - see the detailed description here.
(End)
2004-8-16 13:27