Object scanner
The Object scanner takes the specified object files or libraries (in both OMF and COFF formats), extracts their code segments and then tries to locate these segments in the code section of the current module. If a segment is located, the scanner adds the names from the object file to the debugging information (the so-called library labels). This greatly improves the understandability of both code and data.
The scanner doesn't try to match labels from the object file with recognized names, so it can't recognize very small or similar procedures (i.e. procedures that differ only in relocations). Always check the list of warnings that the scanner writes to the log window!
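The matching step described above, as an added example that is not OllyDbg's own code: each object segment is searched in a constructed module code section with its relocation bytes masked out, and segments that are too short or that match in more than one place (two procedures differing only in relocations) produce warnings instead of labels. The minimum length, the sample bytes and the names are assumptions for the demonstration.

```python
# Added example, not OllyDbg code: the core matching step of an object scanner.
# Each object-file code segment is searched in the module's code section with
# its relocation bytes masked out; short or ambiguous matches become warnings.

def find_segment(module_code, segment, reloc_offsets, reloc_size=4):
    """Offsets in module_code where segment matches, ignoring relocated bytes."""
    masked = set()
    for off in reloc_offsets:
        masked.update(range(off, off + reloc_size))
    hits = []
    for pos in range(len(module_code) - len(segment) + 1):
        if all(i in masked or module_code[pos + i] == segment[i]
               for i in range(len(segment))):
            hits.append(pos)
    return hits

def scan(module_code, objects, min_len=8):
    """objects: {name: (segment_bytes, reloc_offsets)}; returns (labels, warnings)."""
    labels, warnings = {}, []
    for name, (seg, relocs) in objects.items():
        if len(seg) < min_len:
            warnings.append("%s: segment too short (%d bytes), skipped" % (name, len(seg)))
            continue
        hits = find_segment(module_code, seg, relocs)
        if len(hits) == 1:
            labels[hits[0]] = name          # unique hit: add a library label
        elif not hits:
            warnings.append("%s: not found" % name)
        else:
            warnings.append("%s: ambiguous, %d matches at %s" % (name, len(hits), hits))
    return labels, warnings

# Constructed module code section: two copies of "push ebp; mov ebp,esp;
# mov eax,[addr]; pop ebp; ret" that differ only in the relocated address,
# and one unique prologue between them (padded with NOP and INT3 bytes).
MODULE = bytes.fromhex("909090" "558BECA100104000" "5DC3" "CCCC"
                       "558BEC83EC10" "5DC3" "CC" "558BECA104104000" "5DC3")
# Constructed object segments: _GetValue has a relocation at offset 4 (the imm32).
OBJECTS = {
    "_GetValue": (bytes.fromhex("558BECA1000000005DC3"), [4]),
    "_Init":     (bytes.fromhex("558BEC83EC105DC3"), []),
    "_Tiny":     (bytes.fromhex("C3"), []),
}

if __name__ == "__main__":
    labels, warnings = scan(MODULE, OBJECTS)
    print("labels:", labels)          # only _Init is unambiguous
    for w in warnings:
        print("warning:", w)
```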
See also: Analysis, Implib scanner
Execute till return
You may want to skip some routine and return to the caller. OllyDbg can trace program execution over all encountered calls and stop on the first encountered return (RET, RETF or IRET). From the main menu, select 'Debug|Execute till return' or press Ctrl+F9. Step-by-step execution is relatively slow, only up to 5000 commands per second on a Pentium/500 under Windows NT. If tracing takes too much time, press Esc or F12 to stop execution till return.
If you want to execute the return command and pause the program on the next command after the corresponding call, activate the option "After execution till RET, step over RET" in Trace options.
See also: Execute till user code, Execute till condition
Execute till user code
Sometimes your application stops somewhere deep in the system code. To return to the program you are debugging, you can press Ctrl+F9 (Execute till return) several times, each time checking where you are. There is, however, another, faster way of doing this. If you press Alt+F9 or select "Debug|Execute till user code" from the main menu, OllyDbg will step over the code until it reaches the first command that is not in a system DLL. (From OllyDbg's point of view, any DLL that resides in the system or Windows directory is a system DLL.) Step-by-step execution is relatively slow, only up to 5000 commands per second on a Pentium/500 under Windows NT. If tracing takes too much time, press Esc or F12 to stop execution till user code.
Caveat: if a system DLL calls a user callback function, it will be stepped over. To avoid this, you can set a single-shot break on access on the user code (available only under Windows NT 4.0, 2000 and XP).
See also: Execute till condition
Self-extracting (SFX) files
A self-extracting file consists of an extracting routine and the packed original program. When troubleshooting an SFX, you usually want to skip the extractor and stop on the entry point of the original program (the "real entry"). OllyDbg contains several functions that facilitate this task.
Usually the extractor loads to an address that is outside the executable section of the original program. In this case OllyDbg recognizes the file as SFX.
When the SFX options request tracing of the real entry, OllyDbg sets a memory breakpoint on the whole code section. Initially this section is empty or contains compressed data. When the program attempts to execute some command within the protected area which is neither RET nor JMP, OllyDbg reports the real entry. This is how bytewise extraction works.
This method is very slow. There is another, much faster method. Each time an exception on data read occurs, OllyDbg enables reading from this 4K memory block and disables the previous read window. On each data write exception it enables writing to this block and disables the previous write window. When the program executes a command within the remaining protected area, OllyDbg reports the real entry. However, when the real entry is inside the read or write window, its location will be reported incorrectly.
You can correct the entry position. Select the new entry and from the Disassembler popup menu choose 'Breakpoint|Set real SFX entry here'. If the corresponding SFX option is enabled, next time OllyDbg skips the extractor quickly and reliably.
Notice that OllyDbg usually fails to trace an extracting routine that implements protection or anti-debugging techniques.
Registers window
The Registers window displays and interprets the contents of the CPU registers for the currently selected thread. It also allows you to modify registers and follow addresses in other CPU panes. The pop-up menus associated with each register are self-explanatory, and I will not describe them here.
Following EFL are the suffixes of conditional commands that satisfy current flags. If, for example, you see:
EFL 00000A86 (O,NB,NE,A,S,PE,GE,G),
this means that JO and JNE will be taken whereas JB and JPO not.
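Decoding the EFL line above, as an added example that is not part of OllyDbg or its help file: the script extracts the five arithmetic flags from an EFLAGS value and lists the taken-jump suffixes in the same pair order the Registers window uses, then answers which Jcc commands would be taken. The bit layout and the mnemonic aliases are the standard x86 ones.

```python
# Added example, not OllyDbg code: decode an EFLAGS value into the suffixes of
# the conditional jumps that would be taken, as shown after EFL in the
# Registers window. Bit positions are the standard x86 EFLAGS layout.
CF, PF, ZF, SF, OF = 1 << 0, 1 << 2, 1 << 6, 1 << 7, 1 << 11

def jcc_suffixes(eflags):
    """Suffixes of the Jcc commands that would be taken under eflags."""
    cf, pf, zf, sf, of = (bool(eflags & f) for f in (CF, PF, ZF, SF, OF))
    # Same pair order as OllyDbg: O/NO, B/NB, E/NE, A/BE, S/NS, PE/PO, GE/L, G/LE
    return [
        "O" if of else "NO",                 # overflow
        "B" if cf else "NB",                 # unsigned below (carry)
        "E" if zf else "NE",                 # equal / zero
        "BE" if (cf or zf) else "A",         # unsigned below-or-equal vs above
        "S" if sf else "NS",                 # sign
        "PE" if pf else "PO",                # parity even / odd
        "L" if (sf != of) else "GE",         # signed less vs greater-or-equal
        "LE" if (zf or sf != of) else "G",   # signed less-or-equal vs greater
    ]

# Alternative spellings the disassembler accepts for the same conditions.
_ALIASES = {"C": "B", "NAE": "B", "NC": "NB", "AE": "NB", "Z": "E", "NZ": "NE",
            "NA": "BE", "NBE": "A", "P": "PE", "NP": "PO", "NGE": "L", "NL": "GE",
            "NG": "LE", "NLE": "G"}

def is_taken(eflags, mnemonic):
    """True if a Jcc mnemonic such as 'JNE' or 'JPO' is taken under eflags."""
    cond = mnemonic.upper()
    if len(cond) < 2 or cond[0] != "J":
        raise ValueError("expected a conditional jump mnemonic, got %r" % mnemonic)
    cond = _ALIASES.get(cond[1:], cond[1:])
    return cond in jcc_suffixes(eflags)

def format_efl(eflags):
    """Render the register line the way the Registers window shows it."""
    return "EFL %08X (%s)" % (eflags, ",".join(jcc_suffixes(eflags)))

if __name__ == "__main__":
    print(format_efl(0x00000A86))   # the value quoted in the text
    for jcc in ("JO", "JNE", "JB", "JPO"):
        print(jcc, "taken" if is_taken(0x00000A86, jcc) else "not taken")
```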
In the same manner, following FST is the decoding of FPU flags C0, C2 and C3 as if the last FPU operation were a comparison.
When debugged program pauses execution, OllyDbg highlights all differences since previous pause. If you modify any item, OllyDbg highlights all modified items.
To toggle the value of some flag, double-click it, or select it and press Return. Double-clicking a register invokes a dialog where you can modify its contents. To change integer or FPU registers, start typing the new contents. The Plus (+) and Minus (-) keys increment and decrement the selected integer register.
You can choose either floating-point, MMX or 3DNow! decoding of the FPU registers. If the window contains a bar, pressing the bar will loop through these three formats. You can also let OllyDbg change this presentation automatically, based on the type of the command where the last break occurred. Alternatively, the Registers window can display the debug registers DR0..DR3, DR6 and DR7. However, you can't modify debug registers.
If you are debugging SSE code, activate the option "Decode SSE registers" to view the 128-bit SSE registers. Notice that this option is slow and sometimes dangerous (especially when the application is multithreaded); don't use it unless absolutely necessary.
If you backtrace the run trace log, Registers window gets grayed to emphasize that displayed registers are not actual but taken from the trace data. Run trace does not save contents of memory, SSE and debug registers and reads actual memory of debugged process to decode memory pointers.
You can display the last error detected by a thread (as returned by a call to the API function GetLastError). This feature is controlled by the option "Show last error". If activated, the last error is saved to the run trace log, but this may significantly (up to 20%) slow down the tracing speed.
You can scroll the register pane by pressing the left mouse button somewhere in the window and moving the mouse.
You can display the last error detected by a thread (that is, the value returned by the API function GetLastError). This feature is controlled by "Show last error". [Translator's note: in the main menu, Options->Debugging options, on the Registers tab, check "Show last error"; OllyDbg 1.09.] The last error is saved in the run trace log, but this can slow down tracing considerably (by up to 20%).