OllyDbg offers the two types of stepping described in the previous chapter: single-stepping (also known as stepping-into) and stepping-over. To single-step, press the F7 key. To step-over, press F8.
As we noted, single-stepping is the easiest form of stepping and means that OllyDbg will execute a single instruction and then pause, no matter which type of instruction you are executing. For example, if you single-step the instruction call 01007568, OllyDbg will pause at the address 01007568 (because the call instruction transferred EIP to that address).
Conceptually, stepping-over is almost as simple as single-stepping. Consider the following listing of instructions:
010073a4 call 01007568
010073a9 xor ebx, ebx
If you step-over the call instruction, OllyDbg will immediately pause execution at 010073a9 (the xor ebx, ebx instruction after the call). This is useful because you may not want to dive into the subroutine located at 01007568.
Although stepping-over is conceptually simple, under the hood, it is much more complicated. OllyDbg places a breakpoint at 010073a9, resumes execution (as if you had hit the Run button), and then when the subroutine eventually executes a ret instruction, it will pause at 010073a9 due to the hidden breakpoint.
In almost all cases, stepping-over will work as expected. But in rare cases, it’s possible for obfuscated or malicious code to take advantage of this process. For example, the subroutine at 01007568 might never execute a ret, or it could be a so-called get-EIP operation that pops the return address off the stack. In rare cases such as these, stepping-over could cause the program to resume execution without ever pausing, so be aware and use it cautiously.