0816-onlyu-task
Posted: 2004-8-16 09:03 4910
Menu of the Disassembler window [Disassembler menu]
The Disassembler pop-up menu is perhaps the most important in the whole of OllyDbg. To keep the menu compact, it displays only items applicable to the selected part of the disassembled code. If several lines are selected at once, single-line commands apply to the first selected line.
Backup functions - see description here.
Copy
To clipboard (Ctrl+C) - copies selected part of the code to clipboard. Uses currently selected width of columns. To exclude some column from the copy, reduce its width to the minimal possible (in this case column remnants appear grayed). If some text is wider than column, OllyDbg replaces last visible character in the column by symbol '>'.
To file - copies selected part of the code to a file. The same rules apply as when you copy a selection to the clipboard, but the size of data you can copy is unlimited.
Select all - selects whole code displayed in Disassembler.
Select procedure - selects current recognized procedure.
Binary
Edit (Ctrl+E) - allows you to edit selected part of the code as ASCII, UNICODE or hexadecimal string. All three edit controls are tightly connected to each other, scroll together (first visible byte is the same in all 3 windows) and immediately display the changes you've made in any control. By pressing Ctrl+UpArrow or Ctrl+DownArrow you can quickly go to the corresponding place in different window. Maximal length of edited code is 256 bytes. Incomplete characters are displayed as red question marks. If hexadecimal string contains odd number of nibbles, OllyDbg completes it with 0. When the "Keep size" option is on, you are not allowed to insert or delete characters or write over the end of selected code.
Fill with 00's - fills selected part of code with zeros.
Fill with NOP's - fills selected part of code with NOPs.
Binary copy - copies selected part of code as a hexadecimal ASCII dump to the clipboard.
Binary paste - pastes hexadecimal dump from clipboard to selection. OllyDbg scans text on clipboard and extracts hexadecimal digits (0..9, A..F, a..f), ignoring all other symbols. Code outside the selected area remains unchanged. If last byte contains single hex digit, it is ignored. For example: "part of code" is interpreted as AF CD and not as AF CD 0E.
Copy with masked fixups - same as binary copy, but substitutes all fixuped addresses with question marks. Facilitates search for similar code fragments. See also Search for binary strings.
Modify byte - allows you to edit contents of selected byte constant as a decimal signed, decimal unsigned or hexadecimal number.
Modify integer - allows you to edit contents of selected integer constant as a decimal signed, decimal unsigned or hexadecimal number.
Modify float - allows you to edit contents of selected floating-point constant.
Modify MMX - allows you to edit contents of selected MMX constant as a collection of decimal signed, decimal unsigned or hexadecimal fields.
Modify 3DNow! - allows you to edit contents of selected 3DNow! constant as a pair of floating-point or hexadecimal numbers.
Modify SSE - allows you to edit contents of selected SSE constant as a set of 4 floating-point or hexadecimal numbers.
Undo selection (Alt+BkSpc) - substitutes selected part of the code with the corresponding portion of backup data. Available only when backup data exists and differs from selected code.
Assemble (Space) - allows you to edit or overwrite existing code with one or several commands in assembler language. For details, see Assembler.
Label (:) - allows you to assign a user-defined label to the first selected address.
Edit label (:) - allows you to edit or erase the user-defined label assigned to the first selected address.
Comment (;) - allows you to add comment to the first selected address.
Edit comment (;) - allows you to edit or erase user-defined comment assigned to the first selected address.
Breakpoint
Toggle (F2) - toggles INT3 breakpoint on the first selected command.
Conditional (Shift+F2) - allows you to set a conditional breakpoint on the first selected command.
Conditional log (Shift+F4) - allows you to set a logging breakpoint. For more details, see Breakpoints.
Message breakpoint on WinProc - allows you to edit the active message breakpoint. Message breakpoints can be set from the Windows window.
Run to selection (F4) - sets one-shot breakpoint on the first selected command and continues execution of debugged program. If OllyDbg stops execution before the program reached this command, one-shot breakpoint still remains active. If necessary, you can remove it from Breakpoints window.
Memory, on access - sets memory breakpoint on the selected part of memory. Program stops each time the memory is accessed. OllyDbg supports single memory breakpoint of any size. Memory breakpoint can significantly slow down the execution. Under Windows 95/98, memory breakpoint may crash debugged program when system routines access memory blocks containing breakpoint. Use it as a last resort.
Memory, on write - sets memory breakpoint on the selected part of memory. Program stops each time it attempts to write to this memory. OllyDbg supports single memory breakpoint of any size. Memory breakpoint can significantly slow down the execution. Under Windows 95/98, memory breakpoint may crash debugged program when system routines access memory blocks containing breakpoint. Use it as a last resort.
Remove memory breakpoint - removes memory breakpoint.
Remove SFX memory breakpoint - stops search for real entry of self-extractable (SFX) program. This search uses memory breakpoint of a special type.
Hardware, on execution - sets hardware memory breakpoint on the first selected byte. Program stops each time it tries to execute command that begins with this byte. Hardware breakpoints are available only under Windows ME, NT or 2000. 80x86 processors support up to 4 hardware breakpoints. If OllyDbg is unable to find free slot for the hardware breakpoint, it asks you to remove some existing breakpoint. You can set hardware breakpoints on write or access in the CPU Dump pane.
Remove hardware breakpoint - removes hardware breakpoint set on the first selected byte.
#Set real SFX entry here - declares first selected command as a real entry point of the unpacked self-extractable program. If real SFX entry is declared and option "Use real entry from previous run" is activated, OllyDbg can quickly bypass self-extractor and stop on real entry.
Hit trace - commands that manipulate hit trace, available only for analyzed code.
Add selection - request hit trace on selected piece of code.
Add procedure - request hit trace on the current procedure.
Add all recognized procedures - request hit trace on all procedures recognized by Analyzer in the code displayed in Disassembler. To avoid crashes, I recommend that you select strict or heuristic procedure recognition.
Remove from selection - removes hit trace from selection. If there is a forced run trace, removes it too.
Remove from module - removes hit trace from the code section of the module that is currently selected in Disassembler. If there is a forced run trace, removes it too.
Mark selection as not traced - marks all selected commands with activated hit trace as not hit.
Mark module as not traced - marks all commands with activated hit trace within the code section of the module selected in Disassembler as not hit.
Run trace - commands that manipulate run trace, available only when code is analyzed.
Add selection - forces run trace on selected piece of code and simultaneously request hit trace.
Add procedure - forces run trace on the current recognized procedure and simultaneously request hit trace.
Add branches in procedure - forces run trace on all recognized jump or call destinations and removes run trace from all other commands in the current procedure. Simultaneously it requests hit trace on the whole procedure.
Add entries of all procedures - forces run trace on entry points of the recognized procedures and removes it from all other commands in the current module. Simultaneously it requests hit trace on all recognized procedures.
Skip selection when tracing - excludes selected quasi-linear piece of code from the run trace. When run trace encounters excluded code, it sets temporary breakpoint at the end of selection and runs code at once. This significantly accelerates run trace.
Set condition (Ctrl+T) - allows you to set a condition that pauses the run trace.
Profile current module - opens window with profile data of the current module.
Global profile - opens window with profile data of the whole application. Gathering global profile data may be time-consuming.
Remove from selection - removes forced run trace from selection.
Remove from module - removes forced run trace from the code section of the module that is currently selected in Disassembler.
Follow (ENTER) - follows jump, call, return or switch destination. See also Command history.
Follow immediate constant - if immediate constant in the command points to code, follows address.
Follow SE handler (ENTER) - if actual command installs structured exception handler (SEH), follows entry point of handling routine.
New origin here (Ctrl+Gray *) - sets EIP of the currently selected thread to the address of the first selected byte. You can undo this operation if you go to Registers pane and select EIP.
Go to
Origin (*) - goes to the address contained in EIP of the current thread.
Previous (-) - goes to the previous address in the command history. You can't browse run history when run trace buffer is open.
Previous run trace record (-) - goes to the previous record in the run trace buffer.
Next (+) - goes to the next address in the command history. You can't browse run history when run trace buffer is open.
Next run trace record (+) - goes to the next record in the run trace buffer.
Expression (Ctrl+G) - allows you to follow a hexadecimal address or the result of an expression. The dialog keeps several of the last entered addresses. To tell them apart, you can comment addresses: simply type any text separated from the address or expression by a semicolon.
Previous procedure (Ctrl+Minus) - goes to the beginning of the previous recognized procedure.
Next procedure (Ctrl+Plus) - goes to the beginning of the next procedure.
Previous reference (Alt+F7) - goes to the previous found reference. Selection in References window moves synchronously with Disassembler.
Next reference (Alt+F8) - goes to the next found reference.
Source file (Ctrl+F5) - opens source window and displays code corresponding to the first selected command. Currently this option is available only if executable file contains debugging information in Borland format.
Switch base,
Default case,
Case xxxx - if command is a switch base or one of its cases, these menu items navigate between remaining elements of the recognized switch.
More cases... - if number of cases in a switch exceeds 10, opens window that displays all cases in a switch.
CALL from xxxx,
JMP from xxxx,
JNZ from xxxx,
JMP [ ] from xxxx etc. - goes to command that jumps to or calls selected command. This can be direct or indirect local (intramodular) call, direct unconditional jump, conditional jump or table switch. Notice that calls from different modules are not listed, even if they are present in call tree.
More jumps and calls... (Ctrl+J) - if number of jumps and calls to the current location exceeds 10, opens window that displays all jumps and calls to selected command. Shortcut is always active, even if this item doesn't appear in menu.
Call DLL export - invokes Call export dialog. Available only if you debug standalone DLL and first selected line is entry point of exported function in this DLL.
Thread - in multithread applications, allows quick navigation between different threads.
Follow in Dump
Selection - reopens memory block in CPU Dump and follows first selected address.
Constant - follows immediate constant in the Dump pane.
Address constant - follows constant which is part of address in the Dump pane. For example, if currently selected command is MOV [ESI+123456],543210, Dump will display contents of memory starting from address 0x123456.
Immediate constant - follows immediate constant in the Dump pane. For example, if currently selected command is MOV [ESI+123456],543210, Dump will display contents of memory starting from address 0x543210.
Implicit stack address - follows stack location implicitly addressed by ESP, like in commands PUSH and RET.
Memory address,
First address,
Second address - follows address in the Dump pane. For example, if currently selected command is MOV [ESI+123456],543210 and ESI contains 0x10, Dump will display contents of memory starting from address 0x123466. Some commands, like MOVS, have two memory operands. In this case, first address is the destination and second address is the source.
View call tree (Ctrl+K) - opens Call tree window that displays all known calls to current procedure and all procedures called from the current procedure. If you want to extend tree into different modules, please analyze them.
Search for
Name (label) in current module (Ctrl+N) - displays table containing all names (exports, imports, library, user-defined) defined or used in the current module.
Name in all modules - displays table containing all known names.
#Command (Ctrl+F) - allows you to search for an assembler command. OllyDbg tries to find all possible encodings. For example, if you search for MOV EAX,[123456], it will look for both A1 56341200 and 8B05 56341200. You can also specify imprecise commands, like MOV R32,[CONST] - which fits both MOV EAX,[10000] and MOV ESI,[123456]. This search, however, cannot find some more complicated address forms. For best results, analyze code before starting search.
Sequence of commands (Ctrl+S) - allows you to search for a sequence of assembler commands. This sequence may include imprecise commands and matching registers and allows to omit intermediate commands.
#Constant - allows you to find a constant within the code. This constant can be part of an address, an immediate constant, the offset of a relative jump or an element of a switch table. For best results, analyze code before starting search.
Binary string (Ctrl+B) - displays dialog allowing to specify search pattern. Maximal size of search pattern is 256 bytes. You can exclude some bytes or nibbles from the comparison. For example, if you specify pattern 12 ?? ?6 78, it will match both 12 34 56 78 and 12 00 06 78, but not 12 34 55 78. You can also ignore case of ASCII/UNICODE characters.
Modified command - searches for the next command that differs from the backup.
Trace hit - searches for the next contiguous block of commands that are marked as executed (hit) in the hit trace.
Next (Ctrl+L) - repeats last search from the selection.
All intermodular calls - searches for all commands that call (directly or indirectly, may be via several intermediate jumps) functions residing in other modules. Especially useful to find calls to API functions loaded by GetProcAddress().
All commands - allows you to find all commands that match the specified assembler pattern.
All sequences - allows you to find all sequences of commands that match the specified pattern.
All constants - allows to find all instances of the specified constant in the code section of the current module.
All switches - displays table that lists all switches recognized in the current module.
#All referenced text strings - searches for all ASCII and UNICODE strings that are referenced in the code section of the current module or are embedded in this section.
#User-defined label - displays table of all user-defined labels in the current module.
#User-defined comment - displays table of all user-defined comments in the current module.
#Last record in run trace - searches for the most recent occurrence of the first selected command in the run trace buffer.
#Find references to - these commands search for references to the specified item in the code section of the module opened in the Disassembler window. For best results, analyze code before searching for references. The following search items are supported:
Selected command (Ctrl+R),
Selected address (Ctrl+R) - first selected address;
Selected block - selected range;
Immediate constant - immediate constant which is a part of the first selected command;
Address constant - address constant in the first selected command;
Call destination - call destination of the first selected command;
Jump destination - jump destination of the first selected command;
Call constant,
Jump constant - constant part of destination address in the first selected command.
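An added example, not OllyDbg's own code, that implements the byte-level rules behind several of the commands described above: the hex-digit extraction of Binary paste (trailing unpaired nibble dropped, so "part of code" becomes AF CD), the nibble wildcards of Search for binary string ("12 ?? ?6 78"), the per-byte bit-mask matching that Copy with masked fixups and the imprecise Command search imply, and the two encodings of MOV EAX,[123456] (A1 56341200 and 8B05 56341200) together with the register-masked form MOV R32,[CONST]. The opcodes and ModRM layout are standard x86; the sample code buffer is constructed here and is not from any real binary.

```python
"""Added example (not OllyDbg's code): byte rules behind Binary paste,
Search for binary string, masked (fixup/register) matching and the
multiple encodings found by Search for command.  Sample data is constructed."""
import re
import struct
from typing import List, Optional, Tuple

# One (value, mask) pair per byte: buffer byte b matches when (b & mask) == value.
MaskedPattern = List[Tuple[int, int]]

_HEX = re.compile(r"[0-9A-Fa-f]")


def parse_hex_dump(text: str) -> bytes:
    """Binary paste rule: keep only hex digits, ignore every other symbol,
    and drop a final unpaired nibble instead of zero-padding it."""
    digits = "".join(_HEX.findall(text))
    digits = digits[: len(digits) & ~1]            # drop odd trailing nibble
    return bytes.fromhex(digits)


def compile_pattern(pattern: str) -> MaskedPattern:
    """Turn a wildcard hex pattern such as '12 ?? ?6 78' into (value, mask)
    pairs; a '?' nibble clears the corresponding four mask bits."""
    out: MaskedPattern = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError(f"byte token must be two nibbles: {tok!r}")
        value = mask = 0
        for nib in tok:
            value <<= 4
            mask <<= 4
            if nib != "?":
                value |= int(nib, 16)
                mask |= 0xF
        out.append((value, mask))
    return out


def find_all(buf: bytes, pattern: MaskedPattern) -> List[int]:
    """Offsets of every match of a masked pattern (overlapping matches allowed)."""
    n = len(pattern)
    return [off for off in range(len(buf) - n + 1)
            if all((buf[off + i] & m) == v for i, (v, m) in enumerate(pattern))]


# 32-bit register numbers as encoded in the ModRM reg field.
REG32 = {"EAX": 0, "ECX": 1, "EDX": 2, "EBX": 3,
         "ESP": 4, "EBP": 5, "ESI": 6, "EDI": 7}


def mov_r32_disp32_patterns(address: int, reg: Optional[str] = None) -> List[MaskedPattern]:
    """Masked patterns for every encoding of MOV r32,[disp32].
    reg=None models the imprecise MOV R32,[CONST]: the three ModRM register
    bits are left out of the mask so any register matches."""
    disp = [(b, 0xFF) for b in struct.pack("<I", address)]
    patterns: List[MaskedPattern] = []
    if reg is None or reg == "EAX":
        patterns.append([(0xA1, 0xFF)] + disp)             # A1 moffs32 (EAX only)
    if reg is None:
        patterns.append([(0x8B, 0xFF), (0x05, 0xC7)] + disp)  # 8B 00rrr101, rrr masked
    else:
        modrm = 0x05 | (REG32[reg] << 3)                   # mod=00 reg=rrr rm=101
        patterns.append([(0x8B, 0xFF), (modrm, 0xFF)] + disp)
    return patterns


def find_mov_r32_disp32(buf: bytes, address: int, reg: Optional[str] = None) -> List[int]:
    """Offsets of every MOV r32,[address] in buf, whatever the encoding."""
    hits = set()
    for pat in mov_r32_disp32_patterns(address, reg):
        hits.update(find_all(buf, pat))
    return sorted(hits)


# Constructed buffer: MOV EAX,[123456] (short form) at 0, NOP at 5,
# MOV ESI,[123456] at 6, MOV EAX,[123456] (long form) at 12, MOV EAX,[123457] at 18.
SAMPLE_CODE = bytes.fromhex(
    "A1 56341200" "90" "8B35 56341200" "8B05 56341200" "A1 57341200"
)

if __name__ == "__main__":
    print(parse_hex_dump("part of code").hex())                 # afcd
    print(find_all(bytes.fromhex("12345678 12000678 12345578"),
                   compile_pattern("12 ?? ?6 78")))             # [0, 4]
    print(find_mov_r32_disp32(SAMPLE_CODE, 0x123456, "EAX"))    # [0, 12]
    print(find_mov_r32_disp32(SAMPLE_CODE, 0x123456))           # [0, 6, 12]
```

The nibble wildcard of the Binary string dialog is the special case of a bit mask where each masked unit is four bits wide; the register field of a ModRM byte (bits 3..5) needs a finer mask, which is why the imprecise Command search and the masked-fixup copy cannot be expressed as a plain "??" pattern.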
Stop till return (Esc) - stops execution till return.
Stop tracing (Esc) - stops run tracing.
Stop animation (Esc) - stops animation.
View
Source file (Ctrl+F5) - opens source window and displays code corresponding to the first selected command. Currently this option is available only if executable file contains debugging information in Borland format.
Original comments - displays comments in the fourth column of Disassembler window. If bar is visible, press comment bar to toggle between comments, source and profile.
Source as comments - displays lines of source code in the fourth column of Disassembler window (normally displaying comments). If bar is visible, press comment bar to toggle between comments, source and profile. This option is available only if executable file contains debugging information in Borland's format.
Profile as comments - displays number of times each command appears in the run trace buffer. If bar is visible, press comment bar to toggle between comments, source and profile. This option is available only when profile data is open.
Executable file - displays dump of the executable file at offset that corresponds to the first selected command. If selection is not in the file, dump is positioned at offset 0.
Absolute address - displays absolute addresses in the first column.
Relative address - displays addresses relative to the currently selected. Alternatively, doubleclick base address in the first column.
Module 'xxx' - displays executable code of selected module.
Copy to executable
Selection - copies selection to the executable file. OllyDbg adjusts fixups and warns you if this operation may cause errors.
All modifications - copies all highlighted modifications (i.e. differences between the actual code and the global backup) to the executable file.
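An added example, not OllyDbg's own code, of the address translation that "View > Executable file" and "Copy to executable" rely on: mapping a virtual address selected in the Disassembler to its file offset through the PE section table, reporting that a byte is not in the file (which the page says positions the dump at offset 0), and writing a patch back at the translated offset. The PE image is constructed in memory for the demonstration; OllyDbg's fixup adjustment and its warnings are not reproduced.

```python
"""Added example, not OllyDbg's code: VA -> file offset through the PE
section table, as used by "View > Executable file" and "Copy to executable".
  rva    = VA - ImageBase
  offset = rva - Section.VirtualAddress + Section.PointerToRawData
valid only when rva lies inside the section's raw (file-backed) data.  A
virtual-only tail (.bss style) has no file offset.  Fixup adjustment is not
reproduced.  The PE image below is constructed in memory, not a real binary."""
import struct
from typing import List, NamedTuple, Optional, Tuple


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int   # RVA of section start
    raw_size: int          # SizeOfRawData
    raw_pointer: int       # PointerToRawData (file offset)


def parse_pe(image: bytes) -> Tuple[int, List[Section]]:
    """Return (ImageBase, sections) from a PE32 file image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections, hdr = [], opt + opt_size
    for _ in range(num_sections):                         # 40-byte section headers
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append(Section(name, vsize, va, rsize, rptr))
        hdr += 40
    return image_base, sections


def va_to_file_offset(image: bytes, va: int) -> Optional[int]:
    """File offset of the byte at VA, or None if that byte is not in the file."""
    image_base, sections = parse_pe(image)
    rva = va - image_base
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            return s.raw_pointer + delta if delta < s.raw_size else None
    return None                     # headers, inter-section gap, or outside image


def patch_executable(image: bytes, va: int, new_bytes: bytes) -> bytes:
    """Copy to executable: write new_bytes at the file offset of VA.
    Refuses a patch that is not completely backed by file data."""
    out = bytearray(image)
    for i, b in enumerate(new_bytes):
        off = va_to_file_offset(image, va + i)
        if off is None:
            raise ValueError(f"VA {va + i:#x} is not backed by the file")
        out[off] = b
    return bytes(out)


def build_sample_pe() -> bytes:
    """Construct a minimal PE32: ImageBase 0x400000, .text at RVA 0x1000
    (file offset 0x200, 0x200 bytes of NOPs) and a .data section with
    SizeOfRawData 0 at RVA 0x2000 (exists only in memory)."""
    image_base, e_lfanew = 0x400000, 0x80
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    opt = bytearray(224)                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic
    struct.pack_into("<I", opt, 16, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # Section/FileAlignment
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)

    def sec(name, vsize, va, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr,
                           0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + sec(b".text", 0x200, 0x1000, 0x200, 0x200)
               + sec(b".data", 0x100, 0x2000, 0, 0))
    headers += b"\0" * (0x200 - len(headers))
    return headers + bytes([0x90] * 0x200)


if __name__ == "__main__":
    pe = build_sample_pe()
    print(hex(va_to_file_offset(pe, 0x401010)))          # 0x210
    print(va_to_file_offset(pe, 0x402000))               # None: not in file
    patched = patch_executable(pe, 0x401010, b"\xEB\xFE")   # JMP $ at 401010
    print(patched[0x210:0x212].hex())                    # ebfe
```

The check `delta < s.raw_size` is what separates "Copy to executable" from an in-memory patch: bytes that only exist after the loader extends a section to its VirtualSize (or that sit in headers or alignment gaps) cannot be written back to the file, so the function refuses rather than silently writing to offset 0.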
Analysis
Analyze code (Ctrl+A) - analyzes code section of the module opened in Disassembler window. Other parts of OllyDbg work more reliably if analysis data is available.
Remove analysis - discards analysis data for current module.
Scan object files (Ctrl+O) - allows you to select object files or libraries and locate their positions in the code section of the module opened in Disassembler window.
Remove object scan - discards results of object scan.
#Assume arguments - allows you to treat the first selected command as the entry point of a function with predefined arguments. Currently available function types are:
WinProc(hWnd,msg,wParam,lParam) - windows function that processes messages
WinMain(hInst,hPrevInst,CmdLine,ShowState) - program entry point
DllEntryPoint(hInst,CallReason,pReserved) - DLL entry point
Format(format,...) - function similar to printf
Sformat(ptr,format,...) - function similar to sprintf
StdFunc0(void) - function without arguments
StdFunc1(int) - function with single argument
.....
StdFunc8(int,int,int,int,int,int,int,int) - function with 8 arguments
Remove analysis from selection (BkSpc) - removes analysis from selected block. Useful if Analyzer has misinterpreted code as data.
During next analysis, treat selection as - sets decoding hints.
Help on symbolic name - if first selected line contains symbolic name and API help file is attached to OllyDbg, attempts to open help topic on the symbolic name.
Appearance - see detailed description here.
Disassembler pop-up menu is perharps the most important in the whole OllyDbg. To keep menu compact, it displays only items applicable to the selected part of disassembled code. If several lines are selected at once, single-line commands apply to the first selected line.
Backup functions - see description here.
Copy
To clipboard (Ctrl+C) - copies selected part of the code to clipboard. Uses currently selected width of columns. To exclude some column from the copy, reduce its width to the minimal possible (in this case column remnants appear grayed). If some text is wider than column, OllyDbg replaces last visible character in the column by symbol '>'.
To file - copies selected part of the code to file. There apply same rules as when you copy selection to clipboard, but the size of data you can copy is unlimited.
Select all - selects whole code displayed in Disassembler.
Select procedure - selects current recognized procedure.
Binary
Edit (Ctrl+E) - allows you to edit selected part of the code as ASCII, UNICODE or hexadecimal string. All three edit controls are tightly connected to each other, scroll together (first visible byte is the same in all 3 windows) and immediately display the changes you've made in any control. By pressing Ctrl+UpArrow or Ctrl+DownArrow you can quickly go to the corresponding place in different window. Maximal length of edited code is 256 bytes. Incomplete characters are displayed as red question marks. If hexadecimal string contains odd number of nibbles, OllyDbg completes it with 0. When the "Keep size" option is on, you are not allowed to insert or delete characters or write over the end of selected code.
Fill with 00’s ? fills selected part of code with zeros.
Fill with NOP’s ? fills selected part of code with NOPs
Binary copy ? copies selected part of code as a hexadecimal ASCII dump to the clipboard.
Binary paste ? pastes hexadecimal dump from clipboard to selection. OllyDbg scans text on clipboard and extracts hexadecimal digits (0..9, A..F, a..f), ignoring all other symbols. Code outside the selected area remains unchanged. If last byte contains single hex digit, it is ignored. For example: “part of code” is interpreted as AF CD and not as AF CD 0E.
Copy with masked fixups - same as binary copy, but substitutes all fixuped addresses with question marks. Facilitates search for similar code fragments. See also Search for binary strings.
Modify byte - allows you to edit contents of selected byte constant as a decimal signed, decimal unsigned or hexadecimal number.
Modify integer - allows you to edit contents of selected integer constant as a decimal signed, decimal unsigned or hexadecimal number.
Modify float - allows you to edit contents of selected floating-point constant.
Modify MMX - allows you to edit contents of selected MMX constant as a collection of decimal signed, decimal unsigned or hexadecimal fields.
Modify 3DNow! - allows you to edit contents of selected 3DNow! constant as a pair of floating-point or hexadecimal numbers.
Modify SSE - allows you to edit contents of selected SSE constant as a set of 4 floating-point or hexadecimal numbers.
Undo selection (Alt+BkSpc) - substitutes selected part of the code with the corresponding portion of backup data. Available only when backup data exists and differs from selected code.
Assemble (Space) - allows you to edit or overwrite existing code with one or several commands in assembler language. For details, see Assembler.
Label (:) - allows you to assign a user-defined label to the first selected address.
Edit label (:) - allows you to edit or erase the user-defined label assigned to the first selected address.
Comment (;) - allows you to add comment to the first selected address.
Edit comment (;) - allows you to edit or erase user-defined comment assigned to the first selected address.
Breakpoint
Toggle (F2) - toggles INT3 breakpoint on the first selected command.
Conditional (Shift+F2) - allows to set conditional breakpoint on the first selected command.
Conditional log (Shift+F4) - allows to set logging breakpoint. For more details, see Breakpoints.
Message breakpoint on WinProc - allows to edit active message breakpoint. Message breakpoint can be set from the Windows window.
Run to selection (F4) - sets one-shot breakpoint on the first selected command and continues execution of debugged program. If OllyDbg stops execution before the program reached this command, one-shot breakpoint still remains active. If necessary, you can remove it from Breakpoints window.
Memory, on access - sets memory breakpoint on the selected part of memory. Program stops each time the memory is accessed. OllyDbg supports single memory breakpoint of any size. Memory breakpoint can significantly slow down the execution. Under Windows 95/98, memory breakpoint may crash debugged program when system routines access memory blocks containing breakpoint. Use it as a last resort.
Memory, on write - sets memory breakpoint on the selected part of memory. Program stops each time it attempts to write to this memory. OllyDbg supports single memory breakpoint of any size. Memory breakpoint can significantly slow down the execution. Under Windows 95/98, memory breakpoint may crash debugged program when system routines access memory blocks containing breakpoint. Use it as a last resort.
Remove memory breakpoint - removes memory breakpoint.
Remove SFX memory breakpoint - stops search for real entry of self-extractable (SFX) program. This search uses memory breakpoint of a special type.
Hardware, on execution - sets hardware memory breakpoint on the first selected byte. Program stops each time it tries to execute command that begins with this byte. Hardware breakpoints are available only under Windows ME, NT or 2000. 80x86 processors support up to 4 hardware breakpoints. If OllyDbg is unable to find free slot for the hardware breakpoint, it asks you to remove some existing breakpoint. You can set hardware breakpoints on write or access in the CPU Dump pane.
Remove hardware breakpoint - removes hardware breakpoint set on the first selected byte.
#Set real SFX entry here - declares first selected command as a real entry point of the unpacked self-extractable program. If real SFX entry is declared and option "Use real entry from previous run" is activated, OllyDbg can quickly bypass self-extractor and stop on real entry.
Hit trace - commands that manipulate hit trace, available only for analyzed code.
Add selection - request hit trace on selected piece of code.
Add procedure - request hit trace on the current procedure.
Add all recognized procedures - request hit trace on all procedures recognized by Analyzer in the code displayed in Disassembler. To avoid crashes, I recommend that you select strict or heuristical procedure recognition.
Remove from selection - removes hit trace from selection. If there is a forced run trace, removes it too.
Remove from module - removes hit trace from the code section of the module that is currently selected in Disassembler. If there is a forced run trace, removes it too.
Mark selection as not traced - marks all selected commands with activated hit trace as not hit.
Mark module as not traced - marks all commands with activated hit trace within the code section of the module selected in Disassembler as not hit.
Run trace - commands that manipulate run trace, available only when code is analyzed.
Add selection - forces run trace on selected piece of code and simultaneously request hit trace.
Add procedure - forces run trace on the current recognized procedure and simultaneously request hit trace.
Add branches in procedure - forces run trace on all recognized jump or call destinations and removes run trace from all other commands in the current procedure. Simultaneously it requests hit trace on the whole procedure.
Add entries of all procedures - forces run trace on entry points of the recognized procedures and removes it from all other commands in the current module. Simultaneously it requests hit trace on all recognized procedures.
Skip selection when tracing - excludes selected quasi-linear piece of code from the run trace. When run trace encounters excluded code, it sets temporary breakpoint at the end of selection and runs code at once. This significantly accelerates run trace.
Set condition (Ctrl+T) - allows to set condition to pause run trace.
Profile current module - opens window with profile data of the current module.
Global profile - opens window with profile data of the whole application. Gathering global profile data may be time-consuming.
Remove from selection - removes forced run trace from selection.
Remove from module - removes forced run trace from the code section of the module that is currently selected in Disassembler.
Follow (ENTER) - follows jump, call, return or switch destination. See also Command history.
Follow immediate constant - if immediate constant in the command points to code, follows address.
Follow SE handler (ENTER) - if actual command installs structured exception handler (SEH), follows entry point of handling routine.
New origin here (Ctrl+Gray *) - sets EIP of the currently selected thread to the address of the first selected byte. You can undo this operation if you go to Registers pane and select EIP.
Go to
Origin (*) - goes to the address contained in EIP of the current thread.
Previous (-) - goes to the previous address in the command history. You can't browse run history when run trace buffer is open.
Previous run trace record (-) - goes to the previous record in the run trace buffer.
Next (+) - goes to the next address in the command history. You can't browse run history when run trace buffer is open.
Next run trace record (+) - goes to the next record in the run trace buffer.
Expression (Ctrl+G) - allows you to follow hexadecimal address or result of expression. Dialog keeps several last entered addresses. To facilitate distinguishing, you can comment addresses, simply type any text separated from address or expression by semicolon.
Previous procedure (Ctrl+Minus) - goes to the beginning of the previous recognized procedure.
Next procedure (Ctrl+Plus) - goes to the beginning of the next procedure.
Previous reference (Alt+F7) - goes to the previous found reference. Selection in References window moves synchronously with Disassembler.
Next reference (Alt+F8) - goes to the next found reference.
Source file (Ctrl+F5) - opens source window and displays code corresponding to the first selected command. Currently this option is available only if executable file contains debugging information in Borland format.
Switch base,
Default case,
Case xxxx - if command is a switch base or one of its cases, these menu items navigate between remaining elements of the recognized switch.
More cases... - if number of cases in a switch exceeds 10, opens window that displays all cases in a switch.
CALL from xxxx,
JMP from xxxx,
JNZ from xxxx,
JMP [ ] from xxxx etc. - goes to command that jumps to or calls selected command. This can be direct or indirect local (intramodular) call, direct unconditional jump, conditional jump or table switch. Notice that calls from different modules are not listed, even if they are present in call tree.
More jumps and calls... (Ctrl+J) - if number of jumps and calls to the current location exceeds 10, opens window that displays all jumps and calls to selected command. Shortcut is always active, even if this item doesn't appear in menu.
Call DLL export - invokes Call export dialog. Available only if you debug standalone DLL and first selected line is entry point of exported function in this DLL.
Thread - in multithread applications, allows quick navigation between different threads.
Follow in Dump
Selection - reopens memory block in CPU Dump and follows first selected address.
Constant - follows immediate constant in the Dump pane.
Address constant - follows constant which is part of address in the Dump pane. For example, if currently selected command is MOV [ESI+123456],543210, Dump will display contents of memory starting from address 0x123456.
Immediate constant - follows immediate constant in the Dump pane. For example, if currently selected command is MOV [ESI+123456],543210, Dump will display contents of memory starting from address 0x543210.
Implicit stack address - follows stack location implicitly addressed by ESP, like in commands PUSH and RET.
Memory address,
First address,
Second address - follows address in the Dump pane. For example, if currently selected command is MOV [ESI+123456],543210 and ESI contains 0x10, Dump will display contents of memory starting from address 0x123466. Some commands, like MOVS, have two memory operands. In this case, first address is the destination and second address is the source.
View call tree (Ctrl+K) - opens Call tree window that displays all known calls to current procedure and all procedures called from the current procedure. If you want to extend tree into different modules, please analyze them.
Search for
Name (label) in current module (Ctrl+N) - displays table containing all names (exports, imports, library, user-defined) defined or used in the current module.
Name in all modules - displays table containing all known names.
#Command (Ctrl+F) - allows you to search for assembler command. OllyDbg tries to find all possible encodings. For example, if you search for MOV EAX,[123456], it will look for both A1 56341200 and 8B05 56341200. You can also specify imprecise commands, like MOV R32,[CONST] - which fits both MOV EAX,[10000] and MOV ESI,[123456]. This search, however, cannot find some more complicated address forms. For best results, analyze code before starting search.
Sequence of commands (Ctrl+S) - allows you to search for a sequence of assembler commands. This sequence may include imprecise commands and matching registers and allows you to omit intermediate commands.
#Constant - allows you to find a constant within the code. This constant can be part of address, immediate constant, offset for relative jump or element of switch table. For best results, analyze code before starting search.
Binary string (Ctrl+B) - displays dialog allowing to specify search pattern. Maximal size of search pattern is 256 bytes. You can exclude some bytes or nibbles from the comparison. For example, if you specify pattern 12 ?? ?6 78, it will match both 12 34 56 78 and 12 00 06 78, but not 12 34 55 78. You can also ignore case of ASCII/UNICODE characters.
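The two search modes above (Ctrl+F command search across all encodings, and Ctrl+B binary search with '?' nibble wildcards) are easy to reproduce on a raw byte buffer. The following is an added example in Python, not OllyDbg code: it parses a pattern such as 12 ?? ?6 78 into per-byte value/mask pairs, and generates every encoding of MOV r32,[disp32] (the short A1 form for EAX plus the 8B /r ModRM form for any register, so R32 is accepted as a wildcard, which goes slightly beyond the single example in the text). The SAMPLE buffer is constructed for the demonstration.

```python
"""Added example: nibble-wildcard binary search and multi-encoding
command search in the style of OllyDbg's Ctrl+B and Ctrl+F.
Not OllyDbg code; the SAMPLE buffer is constructed."""
import struct
from typing import List, Tuple

MAX_PATTERN_BYTES = 256  # same limit as the Ctrl+B dialog describes

# One pattern element per byte: (value, mask). A buffer byte b matches
# when (b & mask) == value. '??' gives mask 0x00, '?6' gives mask 0x0F.
def parse_pattern(text: str) -> List[Tuple[int, int]]:
    tokens = text.split()
    if not tokens:
        raise ValueError("empty pattern")
    if len(tokens) > MAX_PATTERN_BYTES:
        raise ValueError("pattern longer than %d bytes" % MAX_PATTERN_BYTES)
    elems = []
    for tok in tokens:
        if len(tok) != 2:
            raise ValueError("bad token %r: expected two nibbles" % tok)
        value = mask = 0
        for nib in tok:
            value <<= 4
            mask <<= 4
            if nib == "?":
                continue           # wildcard nibble: value 0, mask 0
            value |= int(nib, 16)  # raises ValueError on a non-hex character
            mask |= 0xF
        elems.append((value, mask))
    return elems

def find_pattern(buf: bytes, pattern: str) -> List[int]:
    """Offsets of every match of the wildcard pattern in buf."""
    elems = parse_pattern(pattern)
    n = len(elems)
    return [
        i for i in range(len(buf) - n + 1)
        if all((buf[i + k] & m) == v for k, (v, m) in enumerate(elems))
    ]

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

def encodings_mov_r32_disp32(reg: str, disp: int) -> List[bytes]:
    """All 32-bit-mode encodings of MOV reg,[disp32]."""
    idx = REG32.index(reg.upper())
    disp_le = struct.pack("<I", disp)          # little-endian displacement
    # 8B /r with ModRM mod=00, rm=101 means a 32-bit absolute displacement.
    forms = [bytes([0x8B, (idx << 3) | 0x05]) + disp_le]
    if idx == 0:
        # EAX alone also has the short moffs32 form A1 disp32.
        forms.insert(0, b"\xA1" + disp_le)
    return forms

def find_mov_r32_disp32(buf: bytes, reg: str, disp: int):
    """Search buf for MOV reg,[disp]; reg 'R32' matches any register.
    Returns (offset, register, encoding) tuples sorted by offset."""
    regs = REG32 if reg.upper() == "R32" else [reg.upper()]
    found = []
    for r in regs:
        for enc in encodings_mov_r32_disp32(r, disp):
            pat = " ".join("%02X" % b for b in enc)
            for off in find_pattern(buf, pat):
                found.append((off, r, enc))
    return sorted(found)

# Constructed buffer: both encodings of MOV EAX,[123456], one
# MOV ESI,[123456], and the three byte runs from the Ctrl+B example.
SAMPLE = bytes.fromhex(
    "90"                 # offset 0: NOP
    "A1 56 34 12 00"     # offset 1: MOV EAX,[123456] (short form)
    "90"                 # offset 6: NOP
    "8B 05 56 34 12 00"  # offset 7: MOV EAX,[123456] (ModRM form)
    "8B 35 56 34 12 00"  # offset 13: MOV ESI,[123456]
    "12 34 56 78"        # offset 19: matches 12 ?? ?6 78
    "12 00 06 78"        # offset 23: matches 12 ?? ?6 78
    "12 34 55 78"        # offset 27: does not match (nibble 5 != 6)
    "C3"                 # offset 31: RET
)

if __name__ == "__main__":
    print("12 ?? ?6 78 at", find_pattern(SAMPLE, "12 ?? ?6 78"))
    for off, r, enc in find_mov_r32_disp32(SAMPLE, "R32", 0x123456):
        print("%04X  MOV %s,[123456]  %s" % (off, r, enc.hex().upper()))
```

The imprecise form MOV R32,[CONST] in the text is handled by iterating over all eight registers; the ModRM register field is simply the register index shifted into bits 3..5, which is why MOV ESI,[123456] encodes as 8B 35. More complex address forms (SIB, register bases) are not generated here, matching the caveat in the description.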
Modified command - searches for the next command that differs from the backup.
Trace hit - searches for the next contiguous block of commands that are marked as executed (hit) in the hit trace.
Next (Ctrl+L) - repeats last search from the selection.
All intermodular calls - searches for all commands that call (directly or indirectly, may be via several intermediate jumps) functions residing in other modules. Especially useful to find calls to API functions loaded by GetProcAddress().
All commands - allows you to find all commands that match specified assembler pattern.
All sequences - allows you to find all sequences of commands that match specified pattern.
All constants - allows to find all instances of the specified constant in the code section of the current module.
All switches - displays table that lists all switches recognized in the current module.
#All referenced text strings - searches for all ASCII and UNICODE strings that are referenced in the code section of the current module or are embedded in this section.
#User-defined label - displays table of all user-defined labels in the current module.
#User-defined comment - displays table of all user-defined comments in the current module.
#Last record in run trace - searches for the most recent occurrence of the first selected command in the run trace buffer.
#Find references to - these commands search references to the specified item in code section of the module opened in Disassembler window. For best results, analyze code before searching for references. Following search items are supported:
Selected command (Ctrl+R),
Selected address (Ctrl+R) - first selected address;
Selected block - selected range;
Immediate constant - immediate constant which is a part of the first selected command;
Address constant - address constant in the first selected command;
Call destination - call destination of the first selected command;
Jump destination - jump destination of the first selected command;
Call constant,
Jump constant - constant part of destination address in the first selected command.
Stop till return (Esc) - stops execution till return.
Stop tracing (Esc) - stops run tracing.
Stop animation (Esc) - stops animation.
View
Source file (Ctrl+F5) - opens source window and displays code corresponding to the first selected command. Currently this option is available only if executable file contains debugging information in Borland format.
Original comments - displays comments in the fourth column of Disassembler window. If bar is visible, press comment bar to toggle between comments, source and profile.
Source as comments - displays lines of source code in the fourth column of Disassembler window (normally displaying comments). If bar is visible, press comment bar to toggle between comments, source and profile. This option is available only if executable file contains debugging information in Borland's format.
Profile as comments - displays number of times each command appears in the run trace buffer. If bar is visible, press comment bar to toggle between comments, source and profile. This option is available only when profile data is open.
Executable file - displays dump of the executable file at offset that corresponds to the first selected command. If selection is not in the file, dump is positioned at offset 0.
Absolute address - displays absolute addresses in the first column.
Relative address - displays addresses relative to the currently selected one. Alternatively, double-click base address in the first column.
Module 'xxx' - displays executable code of selected module.
Copy to executable
Selection - copies selection to the executable file. OllyDbg adjusts fixups and warns you if this operation may cause errors.
All modifications - copies all highlighted modifications (i.e. differences between actual code and global backup) to executable file.
Analysis
Analyze code (Ctrl+A) - analyzes code section of the module opened in Disassembler window. Other parts of OllyDbg work more reliably if analysis data is available.
Remove analysis - discards analysis data for current module.
Scan object files (Ctrl+O) - allows you to select object files or libraries and locate their positions in the code section of the module opened in Disassembler window.
Remove object scan - discards results of object scan.
#Assume arguments - allows you to treat first selected command as entry point of a function with predefined arguments. Currently available function types are:
WinProc(hWnd,msg,wParam,lParam) - windows function that processes messages
WinMain(hInst,hPrevInst,CmdLine,ShowState) - program entry point
DllEntryPoint(hInst,CallReason,pReserved) - DLL entry point
Format(format,...) - function similar to printf
Sformat(ptr,format,...) - function similar to sprintf
StdFunc0(void) - function without arguments
StdFunc1(int) - function with single argument
.....
StdFunc8(int,int,int,int,int,int,int,int) - function with 8 arguments
Remove analysis from selection (BkSpc) - removes analysis from selected block. Useful if Analyzer has misinterpreted code as data.
During next analysis, treat selection as - sets decoding hints.
Help on symbolic name - if first selected line contains symbolic name and API help file is attached to OllyDbg, attempts to open help topic on the symbolic name.
Appearance - see detailed description here.