OllyDbg

OllyDbg is a powerful 32-bit and 64-bit debugger for Windows used in reverse engineering and malware analysis. This guide covers debugging, breakpoints, memory inspection, and plugin usage.

Installation

Download and Setup

# OllyDbg v1.10 (32-bit): http://www.ollydbg.de/
# OllyDbg v2.01 (64-bit): http://www.ollydbg.de/ (beta)
# Extract to C:\OllyDbg or preferred location
# Run ollydbg.exe or ollydbg64.exe

# Install plugins
# Copy .dll files to OllyDbg\plugins\ directory
# Restart OllyDbg to load plugins

Basic Debugging

Starting a Debug Session

Action	Method
Open binary	File > Open or Ctrl+O
Attach to process	File > Attach or Ctrl+G
Debug with args	File > Open, specify command line
Set breakpoint	Click address, press F2
Start/resume execution	Debug > Run or F9
Step into instruction	Debug > Step into or F7
Step over function	Debug > Step over or F8
Pause execution	Debug > Pause or Ctrl+Alt+Break
Stop debugging	Debug > Close or Alt+F4

Breakpoints

Software Breakpoints (INT 3 - 0xCC):
- F2 toggles breakpoint at current address
- Can be set on code
- Replaces original byte

Hardware Breakpoints:
- Right-click breakpoint, select Hardware
- Limited to 4 per CPU (x86/x64)
- Can trigger on memory read/write/execute

Memory Breakpoints:
- Right-click in memory window
- Set breakpoint on memory access
- Slower but useful for heap issues

Breakpoint Management

Shortcut	Action
F2	Toggle breakpoint
Ctrl+B	List all breakpoints
Ctrl+Shift+B	Conditional breakpoint (right-click menu)
Ctrl+D	Disable breakpoint
Ctrl+H	Hit count breakpoint

Conditional Breakpoints

Right-click breakpoint > Set condition

Examples:
EAX == 0x401000
ESI > 100
[ESP] == 0xdeadbeef
(EDX & 0xFF) == 'A'

Memory Inspection

Memory Windows

Window	Purpose
Disasm	Disassembler view with real-time execution
Dump	Hex/ASCII memory dump
Stack	Current stack contents
Registers	CPU register values (live updates)
Memory Map	All memory segments with permissions

Examining Data

In Dump window:
- Press Ctrl+G to go to address
- Right-click > Binary > Text/Code/Array
- Follow pointers: Ctrl+F (follow in Dump)
- Search for bytes/strings: Ctrl+B

Stack operations:
- View return addresses
- Follow ESP (stack pointer)
- Identify function arguments

Memory Search

Task	Method
Search for bytes	Ctrl+B in Dump window
Search for string	Ctrl+F in Dump window
Search for xrefs	Ctrl+X (shows code refs)
Find pattern	Right-click > Search for > Binary/Text

Register and Flag Analysis

Key Registers (x86/x64)

Register	Purpose
EAX/RAX	Accumulator (return value, arithmetic)
EBX/RBX	Base (general purpose)
ECX/RCX	Counter (loops, function arg #1 x64)
EDX/RDX	Data (arithmetic, function arg #2 x64)
ESI/RSI	Source index (string ops, arg #3)
EDI/RDI	Dest index (string ops, arg #4)
EBP/RBP	Stack frame base
ESP/RSP	Stack pointer
EIP/RIP	Instruction pointer (current address)

Flags

Flag	Meaning
ZF	Zero Flag (result is zero)
CF	Carry Flag (overflow from addition)
OF	Overflow Flag (signed overflow)
SF	Sign Flag (result is negative)
PF	Parity Flag
AF	Auxiliary Flag

Common Debugging Tasks

Finding String References

1. Open Strings window (Ctrl+I)
2. Search for known string
3. Right-click string > Follow
4. Double-click to jump to reference
5. Reverse-engineer code using string

Tracing Function Calls

1. Set breakpoint at function entry
2. F9 to hit breakpoint
3. Press F7 to step into function
4. Watch stack and registers
5. F8 to step over sub-calls
6. ESC to exit current function

Dumping Process Memory

File > Dump debugged process
Select memory range
Choose format (text, binary)
Save to file for analysis

Finding Buffer Overflows

1. Set breakpoint before vulnerable copy
2. F9 to reach breakpoint
3. Watch ESP and EBP
4. Step through copy operation
5. Check if write exceeds buffer bounds
6. Look for stack smashing patterns

Advanced Techniques

Modifying Registers During Execution

In Registers window:
1. Double-click register value
2. Enter new value (hex or decimal)
3. Press Enter to update
4. Continue execution with modified value

Common patches:
- Set EAX = 1 to force function return
- Modify EIP to skip instructions
- Clear ECX for loop conditions

Patching Instructions

Right-click instruction > Assemble:
- Modify instruction in place
- Press Tab to see byte changes
- Apply patch to memory

Or manually in Dump window:
- Ctrl+E to edit bytes
- Enter hex values
- Copy to file when done

Following Jumps and Calls

Ctrl+F - Follow selected address
Ctrl+N - Follow return value
Double-click address - Jump there
ESC - Return to previous location
Enter - Jump to selected address

Plugin Usage

Popular Plugins

Plugin	Purpose
Ollyscript	Automate debugging scripts
OllyExt	Extended commands and features
TraceCodeChip	Execution trace
OllyDump	Dump memory regions to file
PhantOm	Hiding from detection
CFF Explorer Integration	PE parsing

Running Scripts

Plugins > Ollyscript > Execute script
Or: Alt+Shift+O

Example script (Ollyscript syntax):
run
bp 0x401000
run

Dealing with Common Issues

Anti-Debugging Detection

Detect IsDebuggerPresent:
- SetEvent tracing
- OutputDebugString failures
- GetTickCount checks
- NtQueryInformationProcess

Solutions:
- Patch detection code (F2 on instruction, modify)
- Plugins to hide debugger
- Modify return values in real-time

Packed/Encrypted Binaries

1. Debug packed executable
2. Set breakpoint at likely OEP (Original Entry Point)
   - Often at end of packer stub
   - Look for large memory allocation
3. Execute until memory is decrypted
4. Dump decrypted executable
5. Use IDA on dumped binary

Handling Exceptions

Debug > Exceptions:
- Choose to ignore or break on exception
- Common: Access Violation, INT 3, etc
- Filter unwanted exceptions

Automation with Ollyscript

; Dump process memory to file
log "dump.log", "Log opened"
rtr                          ; Run to return
bpx ExitProcess              ; Break on exit
run

Performance Analysis

Watching Specific Code Paths

1. Set conditional breakpoints
2. Log hits and values
3. Trace through critical sections
4. Identify bottlenecks
5. Check register values at each point

Practical Workflows

Reverse Engineering a Function

1. Open binary in OllyDbg
2. Find function entry (search strings or IDA)
3. Set breakpoint at entry
4. F9 to hit breakpoint
5. F7 to step through each instruction
6. Watch stack and registers
7. Note memory addresses and values
8. Document control flow
9. Repeat with different inputs

Malware Behavior Analysis

1. Open malware sample
2. Identify suspicious imports:
   - CreateRemoteThread
   - WriteProcessMemory
   - RegSetValueEx
   - InternetOpen/InternetConnect
3. Set breakpoints on these calls
4. F9 to reach each call
5. Examine arguments:
   - Stack above ESP contains arguments
   - First arg at [ESP+4]
   - Check pointed-to data in Dump
6. Document C&C addresses, registry keys, etc

Patching Protection Schemes

1. Identify protection check
2. Find conditional jump (JE, JNZ, etc)
3. Set breakpoint before jump
4. Modify EAX/ZF flag to force jump direction
5. Continue execution
6. Or: Right-click instruction > Assemble, change JNZ to JMP
7. Copy patched bytes to new executable

Tips and Best Practices

Use Ctrl+G frequently to jump to addresses
Set breakpoints before executing untrusted code
Monitor ESP for stack smashing
Save memory dumps for binary analysis
Use search (Ctrl+B/F) heavily for pattern finding
Document interesting findings with comments
Use plugins to automate repetitive tasks
Watch for anti-debugging tricks
Verify all assumptions with step-by-step execution

Last updated: 2026-03-30