Reverse Engineering Mentoring Lesson 003

219,272pages on
this wiki
Add New Page
Discuss this page0 Share

Up till now we have performed static analysis of code with IDA Pro: we look at the program to infer its behavior, but the program is not executed. In contrast, dynamic analysis implies the execution of the program to witness its behavior. A debugger is often used for dynamic analysis: it lets you execute the program step by step and see the effect of instructions on the registers and memory.

We will use OllyDbg 1.10 [[1]], it's a free debugger for Windows.

Download the OllyDbg ZIP file and extract it to c:\program files\odbg (there is no installer, I assume you have a c:\program files directory on your machine).

Start OLLYDBG.EXE, you will see this dialog box the first time you execute it:


Just click yes.

We will analyze our previous rem002.c program:

main(int argc, char **argv)
   int a;

   a = 1;

Select File | Open in the OllyDbg menu, and open rem002.exe:


You will see this screen:


The upper-left pane shows the disassembled code. You will not recognize the disassembled main function, because OllyDbg does not show it, in stead, it shows you the very first instruction of the program that will be executed (at 00401000).

Maybe you remember from the IDA Pro disassembly that that the main function starts at 00401150? We will navigate to this location. Right-click and select the Go to | Expression menu entry:


Enter 00401150:


Now you will recognize our main function. Press F2, this will put a breakpoint in the code. A breakpoint is an intentional stopping or pausing place in a program, put in place for debugging purposes. Then press F9 to run the program. The debugger will pause the execution of the program at address 00401150 where we have set our breakpoint.

The upper-right pane shows the registers. Remark this:

  • the instruction pointer (EIP) is equal to 00401150
  • the stack pointer (ESP) is equal to 0012FF90

The lower-right pane shows the stack, remark that the stack is "reversed": the top is 0012FF90 (equal to the stack pointer ESP), and the memory addresses under the top increase with a 4-byte increment.

Now we will single-step through the code of the main function, this means that we will execute the next instruction and then pause. Watch the registry and stack panes while pressing F7.


Values displayed in red indicate registers who's content has changed. First you see that EIP has increased with 1 byte. This is because we have executed the push instruction, which is 1 byte long. ESP has decreased with 4 bytes: this is because we have pushed the content of the EBP register, which is 4 bytes wide, on the stack.

Look a the stack:


The top of the stack is now 0012FF8C and the content is 0012FFB8, this is equal to the content of the EBP register we have pushed on the stack.

Now I will let you single-step (F7) through the program on your own to discover the effects of the other instructions. Watch the registers and the stack closely. Stop after the RETN instruction (this is the end of the main function).

When you exit or load another program, OllyDbg will ask you this:


Just click yes.

Try also to debug the other examples.

--Didier Stevens 20:41, 20 February 2007 (UTC)

Q: When I jump to 00401150 I don't see *the stack pointer (ESP) is equal to 0012FF90 anywhere. What did I do wrong?

EAX 00241EBC
ECX 0000D4ED
EDX 7C97C080 ntdll.7C97C080
EBX 00000000
ESP 0012FE54
EBP 0012FF50
ESI 7C90E88E ntdll.ZwTerminateProcess
EDI 00000001
EIP 7C90EB94 ntdll.KiFastSystemCallRet

--Pand0ra 23:04, 12 March 2007 (UTC)

A: You have moved the cursor to the right location (0x401150) but your program did not actually run to this point. As you can see the instruction pointer (EIP) in your case is somewhere entirely different. Try it again by going to the correct location, pressing F2 and then F9.

Q: Ok, I just realized that the end of the program (RETN) is only 7 steps from the breakpoint. So in those 7 entries that is the whole program?

--Pand0ra 23:46, October 12, 2009 (UTC)

Q: I find all three lessons very useful. Can we discuss some simple malware?. that would be really great for learning. Thanks

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.

Also on Fandom

Random wikia