OllyDbg 2.01 is a 32-bit assembler-level analyzing Debugger with intuitive interface. It is especially useful if source code is not available or when you experience problems with your compiler.
Requirements. Developed and tested mainly under Windows XP, but should work under any 32-bit Windows version: NT, 2000, XP, 2003 Server, Vista, Windows 7 and so on. Old DOS-based versions (95, 98, ME) are no longer supported. That is, if you install Microsoft Layer for UNICODE, you will be able to start OllyDbg and even set breakpoints, but I can't promise stable operation. Version 2.01 will not work under 64-bit Windows yet! For a comfortable debugging you will need at least 1-GHz processor. OllyDbg is memory hungry. If you debug large application with all features enabled, it may easily allocate 200-300 megabytes for backup and analysis data.
Supported instruction sets. OllyDbg 2.01 supports all existing 80x86-compatible CPUs: MMX, 3DNow!, including Athlon extensions, SSE instructions up to SSSE3 and SSE4, and AVX instructions.
Configurability. More than 120 options (oh, no! This time it's definitely too much!) control OllyDbg's behaviour and appearance.
Data formats. Dump windows display data in all common formats: hexadecimal, ASCII, multibyte, UNICODE, 16-and 32-bit signed/unsigned/hexadecimal integers, 32/64/80-bit floats, addresses, disassembly (MASM, IDEAL, HLA or AT&T). It also decodes and comments many Windows-specific structures, including PE headers, PEBs, Thread data blocks and so on. You can dump system memory (XP only), files and raw disks.
Help. OllyDbg 2.01 includes built-in help on all 80x86 integer and floating-point commands. If you possess Windows API help (win32.hlp, not included due to copyright reasons), you can attach it and get instant help on system API calls.
Startup. You can specify executable file in command line, select it from menu, drag-and-drop file to OllyDbg, restart last debugged program or attach to already running application. OllyDbg supports just-intime debugging and debugging of child processes. You can detach from the debugged process, and it will continue execution. Installation is not necessary!
Code highlighting. Disassembler can highlight different types of commands (jumps, conditional jumps, pushes and pops, calls, returns, privileged and invalid) and different operands (general, FPU/SSE or segment/system registers, memory operands on stack or in other memory, constants). You can create custom highlighting schemes.
Threads. OllyDbg can debug multithread applications. You can switch from one thread to another, suspend, resume and kill threads or change their priorities. Threads window displays errors for each thread (as returned by call to GetLastError).
Analysis. Analyzer is one of the most significant parts of OllyDbg. It recognizes procedures, loops, switches, tables, GUIDs, constants and strings embedded in code, tricky constructs, calls to API functions, number of function’s arguments, import sections and so on. It attempts to determine not only the number of stack arguments in the unknown functions, but even their meaning. Analysis makes binary code much more readable, facilitates debugging and reduces probability of misinterpretations and crashes. It is not compiler-oriented and works equally good with any PE program.
Full UNICODE support. All operations available for ASCII strings are also available for UNICODE, and vice versa. OllyDbg is able to recognize UTF-8 strings.
Names. OllyDbg knows symbolic names of many (currently 10800) constants, like window messages, error codes or bit fields, and decodes them in calls to known functions.
Known functions. OllyDbg knows more than 2300 frequently used Windows API functions and decodes their arguments. You can add your own descriptions. You may set logging breakpoint on a known or guessed function and protocol arguments to the log.
Calls. OllyDbg can backtrace nested calls on the stack even when debugging information is unavailable and procedures use non-standard prologs and epilogs.
Stack. In the Stack window, OllyDbg uses heuristics to recognize return addresses and stack frames. If program is paused on the known function, stack window decodes arguments of known and guessed functions. Stack also traces and displays the chain of SE handlers. If integrated stack walk fails, you may switch to Dbghelp.dll.
Search. Plenty of possibilities! Search for command (exact or imprecise) or sequence of commands, for constant, binary or text string (not necessarily contiguous), for all commands that reference address, constant or address range, for all jumps to selected location, for all referenced text strings, for all intermodular calls, for masked binary sequence in the whole allocated memory, for integer or floating-point number and so on. If multiple locations are found, you can quickly navigate between them.
Breakpoints. OllyDbg supports all common kinds of breakpoints: soft (INT3 or several other commands), memory and hardware. You may specify number of passes and set conditions for pause. Breakpoints may conditionally protocol data to the log. Number of soft and memory breakpoints is unlimited: in the extreme case of hit trace, OllyDbg may set hundreds of thousands INT3 breakpoints. On a fast CPU, OllyDbg can process up to 20-30 thousand breakpoints per second.
Watches. Watch is an expression evaluated each time the program pauses. You can use registers, constants, address expressions, boolean and algebraic operations of any complexity.
Execution. You can execute program step-by-step, either entering subroutines or executing them at once. You can run program till next return, to the specified location, or backtrace it from the deeply nested system API call back to the user code. When application runs, you keep full control over it. For example, you can view memory, set breakpoints and even modify code "on-the-fly". At any time, you can pause or restart the debugged program.
Hit trace. Hit trace shows which commands or procedures were executed so far, allowing you to test all branches of your code. Hit trace starts from the actual location and sets soft breakpoints on all branches that were not traced so far. The breakpoints are removed when command is reached (hit).
Run trace. Run trace executes program in the step-by-step mode and protocols execution to the large circular buffer. Run trace is fast: when fast command emulation is enabled, OllyDbg traces up to 1 million commands per second! Run trace protocols registers (except for SSE/AVX), flags, contents of accessed memory, thread errors and -for the case that your code is self-modifying -the original commands. You may specify the condition to stop run trace, like address range, expression or command. You can save run trace to the file and compare two independent runs. Run trace allows to backtrack and analyse history of execution in details, millions and millions of commands.
Profiling. Profiler calculates how many times some instruction is listed in the run trace buffer. With profiler, you know which part of the code takes most of execution time.
Patching. Built-in assembler automatically selects the shortest possible code. Binary editor shows data simultaneously in ASCII, UNICODE and hexadecimal form. Old good copy-and-paste is also available. Automatic backup allows to undo changes. You can copy modifications directly to executable file, OllyDbg will even adjust fixups.
UDD. OllyDbg saves all program-and module-related information to the individual file and restores it when module is reloaded. This information includes labels, comments, breakpoints, watches, analysis data, conditions and so on.
UDL. You may convert standard libraries supplied with your compiler to the UDL library and tell Analyser to recognize library functions in the code.
Plugins. You may extend the functionality of the OllyDbg 2.01 by writing your own plugins (or downloading plugins from the Internet).
Customization. You can specify custom fonts, colour and highlighting schemes.
Text-to-speech. For handicapped users: activate text-to-speech option, and OllyDbg will read the selections.
And much more! This list is far from complete, there are many features that make OllyDbg 2.01 the friendly debugger.
Special highlights are:
• Intuitive user interface, no cryptical commands
• Code analysis - traces registers, recognizes procedures, loops, API calls, switches, tables, constants and strings
• Directly loads and debugs DLLs
• Object file scanning - locates routines from object files and libraries
• Allows for user-defined labels, comments and function descriptions
• Understands debugging information in Borland® format
• Saves patches between sessions, writes them back to executable file and updates fixups
• Open architecture - many third-party plugins are available
• No installation - no trash in registry or system directories
• Debugs multithread applications
• Attaches to running programs
• Configurable disassembler, supports both MASM and IDEAL formats
• MMX, 3DNow! and SSE data types and instructions, including Athlon extensions
• Full UNICODE support
• Dynamically recognizes ASCII and UNICODE strings - also in Delphi format!
• Recognizes complex code constructs, like call to jump to procedure
• Decodes calls to more than 1900 standard API and 400 C functions
• Gives context-sensitive help on API functions from external help file
• Sets conditional, logging, memory and hardware breakpoints
• Traces program execution, logs arguments of known functions
• Shows fixups
• Dynamically traces stack frames
• Searches for imprecise commands and masked binary sequences
• Searches whole allocated memory
• Finds references to constant or address range
• Examines and modifies memory, sets breakpoints and pauses program on-the-fly
• Assembles commands into the shortest binary form
• Starts from the floppy disk
and much, much more!
New version with many new features, among them:
• Help on 77 pages. Please read it first - most of new features are described there
• Multilanguage GUI (experimental, as yet no translation files - please do it by yourself)
• Support for AVS instuctions (as yet no AVS2 and high 16 bytes of YMM registers are not displayed)
• Call stack window (similar to the version 1.10)
• Handles window (similar to the version 1.10)
• SEH and VEH chains. To decode addresses of VEH handlers, OllyDbg hacks NTDLL.RtlAddVectoredExceptionHandler(), therefore process must be started from the OllyDbg
• Multibyte character dumps
• .udl image libraries, replace scan of object files from v1.10
• Search for integers and floats in dump
• Search for procedures (entry points)
• Limited support for NTFS streams
• Drive dump
• Software breakpoints that use INT1, HLT, CLI, STI or INSB instead of INT3
• Multiple watches in one line, support for repeat count
• Dump of arrays of structures
• Micro-analysers
• Accelerated search
• Assembling of immediate data statements (DB xx etc.)
• Highlighting in run trace
• Up to 2 ordinals per address
• Limited support for Win95 via Microsoft Layer for UNICODE
• More tricky code sequences
• Show free memory, or was it the previous version?
• Multiple bugfixes
OllyDbg v2.01 Final (September 27, 2013)
Official site: www.ollydbg.de
Developer: Oleh Yuschuk
Platform: Windows OS
Release date: September 27, 2013
Download: OllyDbg v2.01
|