A thorough knowledge and ability to execute code within a debugger is important to debugging success, and there are many different ways to execute code in OllyDbg. Table 9-1 lists the most popular methods.
The simplest options, Run and Pause, cause a program to start or stop running. However, Pause is seldom used, because it can cause a program to pause in a location that is not very useful (such as on library code). Rather than use Pause, you will typically want to be more selective by setting breakpoints, as discussed in the next section.
The Run option is used frequently to restart a stopped process, often after hitting a breakpoint, in order to continue execution. The Run to Selection option will execute the code until just before the selected instruction is executed. If the selected instruction is never executed, the program will run indefinitely.
The Execute till Return option will pause execution just before the current function is set to return. This can be useful when you want a program to pause immediately after the current function is finished executing. However, if the function never ends, the program will continue to run indefinitely.
The Execute till User Code option is useful during malware analysis when you get lost in
library code while debugging. When paused within library code, select Debug
▶ Execute till User Code to cause the program to run until the execution returns to
compiled malware code (typically the .text
section) you were
debugging.
OllyDbg provides several ways to step through code. As discussed in Chapter 8, stepping refers to the concept of executing a single instruction, and then immediately pausing execution afterward, allowing you to keep track of the program instruction by instruction.
OllyDbg offers the two types of stepping described in the previous chapter: single-stepping (also known as stepping-into) and stepping-over. To single-step, press the F7 key. To step-over, press F8.
As we noted, single-stepping is the easiest form of stepping and means that OllyDbg will
execute a single instruction and then pause, no matter which type of instruction you are executing.
For example, if you single-step the instruction call 01007568
,
OllyDbg will pause at the address 01007568 (because the call instruction transferred EIP to that
address).
Conceptually, stepping-over is almost as simple as single-stepping. Consider the following listing of instructions:
010073a4 call 01007568 010073a9 xor ebx, ebx
If you step-over the call instruction, OllyDbg will immediately pause execution at 010073a9
(the xor ebx, ebx
instruction after the call). This is useful
because you may not want to dive into the subroutine located at 01007568.
Although stepping-over is conceptually simple, under the hood, it is much more complicated.
OllyDbg places a breakpoint at 010073a9, resumes execution (as if you had hit the Run button), and
then when the subroutine eventually executes a ret
instruction,
it will pause at 010073a9 due to the hidden breakpoint.
In almost all cases, stepping-over will work as expected. But in rare cases,
it’s possible for obfuscated or malicious code to take advantage of this process. For example,
the subroutine at 01007568 might never execute a ret
, or it could
be a so-called get-EIP operation that pops the return address off the stack. In
rare cases such as these, stepping-over could cause the program to resume execution without ever
pausing, so be aware and use it cautiously.