5. More common operations and shortcut keys:

Ctrl+G    Go to                 Move to the specified address; used to view code or memory (does not execute the program)

F4        Execute till Cursor   Execute up to the cursor position, i.e. go straight to the address you want to debug

;         Comment               Add a comment

User-defined comment            Right-click menu -> Search for -> User-defined comment

:         Label                 Add a label

User-defined label              Right-click menu -> Search for -> User-defined label

F2        Set/Reset BreakPoint  Set or clear a breakpoint (BP)

F9        Run                   Run the program (if a breakpoint is set, execution stops at the breakpoint)

*                               Show the current EIP (instruction pointer) position

-                               Show the previous cursor position

Enter                           If the cursor is on a CALL/JMP etc., follow it and show the target address (does not execute the program; handy for simply looking at a function's contents)


6. Base camp: four ways to go straight to where you want to go.

(1) Goto (Ctrl+G) opens the "Enter expression to follow" dialog.

(2) Set a breakpoint, BP (Break Point) (shortcut F2).

After the program is loaded in OD, press F9 to run; execution stops automatically at the breakpoint.

ALT+B opens the Breakpoints dialog, which lists the breakpoints set in the code.


(3) Comments, shortcut ';'. Right click -> Search for -> User-defined comment shows the list of comments, and you can jump to any of them from there.


(4) Labels: give a specific name to a specified address. Shortcut ':'. As above: Search for -> User-defined label.

6. Four ways to quickly find the code you want

Target: find the MessageBox() API call inside main().

(1) Method 1: step through everything one instruction at a time, without thinking; sooner or later you reach the call. Er, there is nothing to say about this. Most of the time it is no trick at all, it drives you crazy and it is time consuming.

(2) Locate the string. This is the more commonly used approach. Right click -> Search for -> All referenced text strings.

Double-click an entry to jump to the address that references it. In fact this lands directly on MessageBox().

At this point the code is about to push the address of the HelloWorld string onto the stack as a parameter; right after that comes the call to this function.

(3) API search method 1: set a breakpoint in the calling code.

Right-click menu -> Search for -> All intermodular calls lists every API call; note that MessageBox is inside user32.

Double-click to jump to the calling location.

(4) API search method 2: set a breakpoint in the API code itself.

Right click -> Search for -> Name in all modules.

This lists the functions exported by each DLL (in a packed or protected program they cannot be seen).

Find MessageBoxW and double-click it.

Pay attention to the address: it is no longer inside the range of the previous program. This is Windows saving resources: the many system DLLs are loaded once and shared between processes. If a process needs to modify one of them, the copy-on-write mechanism is triggered automatically. After double-clicking MessageBoxW you jump into that function's memory; then press F2 to set a breakpoint there.
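Methods (2) and (3) above both work by scanning the code for references: a PUSH whose immediate is the address of a string, or a CALL through an import-table slot whose resolved address lies in another module (which is why, in method (4), MessageBoxW's address falls outside the program's own range). The Python script below, added here as an illustration and not part of the original notes or of OllyDbg, performs those two scans over a hand-assembled code fragment. The image base, string addresses, IAT slot, module map and export name are constructed assumptions, and the decoder covers only the opcodes the fragment uses.

```python
import struct

# Constructed sample (not from the page): a hand-assembled x86 fragment that
# pushes two string pointers and calls MessageBoxW through the import table.
# Every address, the module map and the IAT contents are assumptions.
IMAGE_BASE = 0x01100000
CODE_VA = 0x01101000           # where the fragment would sit in .text
TEXT_VA = 0x01102138           # "Hello World!" (UTF-16LE) in .rdata
CAPTION_VA = 0x01102152        # "Title", stored right after it
IAT_SLOT = 0x01102000          # import-table slot the loader fills with &MessageBoxW

STRINGS = {TEXT_VA: "Hello World!", CAPTION_VA: "Title"}
IAT = {IAT_SLOT: 0x75A3C000}   # hypothetical address of MessageBoxW inside user32.dll
MODULES = [                    # (name, start, end) of the mapped images, hypothetical
    ("helloworld.exe", IMAGE_BASE, IMAGE_BASE + 0x5000),
    ("user32.dll", 0x75A00000, 0x75B00000),
]
EXPORTS = {0x75A3C000: "MessageBoxW"}

CODE = b"".join([
    b"\x55",                                    # push ebp
    b"\x8b\xec",                                # mov ebp, esp
    b"\x6a\x00",                                # push 0               ; uType = MB_OK
    b"\x68" + struct.pack("<I", CAPTION_VA),    # push offset caption
    b"\x68" + struct.pack("<I", TEXT_VA),       # push offset text     ; "Hello World!"
    b"\x6a\x00",                                # push 0               ; hWnd = NULL
    b"\xff\x15" + struct.pack("<I", IAT_SLOT),  # call dword ptr [IAT] ; MessageBoxW
    b"\x33\xc0",                                # xor eax, eax
    b"\x5d",                                    # pop ebp
    b"\xc3",                                    # ret
])

ONE_BYTE = {0x55: "push ebp", 0x5D: "pop ebp", 0xC3: "ret"}
TWO_BYTE = {(0x8B, 0xEC): "mov ebp, esp", (0x33, 0xC0): "xor eax, eax"}


def decode(code, base_va):
    """Minimal x86 decoder covering only the opcodes the sample uses.
    Yields (va, mnemonic, operand); unknown bytes come out as 'db' one at a time
    so a stray byte never stops the scan."""
    i, n = 0, len(code)
    while i < n:
        va, op = base_va + i, code[i]
        if op == 0x68 and i + 5 <= n:                            # push imm32
            yield va, "push", struct.unpack_from("<I", code, i + 1)[0]
            i += 5
        elif op == 0x6A and i + 2 <= n:                          # push imm8
            yield va, "push", code[i + 1]
            i += 2
        elif op == 0xFF and i + 6 <= n and code[i + 1] == 0x15:  # call dword ptr [mem32]
            yield va, "call", struct.unpack_from("<I", code, i + 2)[0]
            i += 6
        elif i + 2 <= n and (op, code[i + 1]) in TWO_BYTE:
            yield va, TWO_BYTE[(op, code[i + 1])], None
            i += 2
        elif op in ONE_BYTE:
            yield va, ONE_BYTE[op], None
            i += 1
        else:
            yield va, "db", op
            i += 1


def find_string_refs(code, base_va, strings):
    """Every push imm32 whose immediate is a known string address: the relation
    OllyDbg's 'All referenced text strings' list is built from."""
    return [(va, imm, strings[imm])
            for va, mn, imm in decode(code, base_va)
            if mn == "push" and imm in strings]


def module_for(va, modules):
    """Name of the mapped image that contains va, or None."""
    for name, start, end in modules:
        if start <= va < end:
            return name
    return None


def find_intermodular_calls(code, base_va, iat, modules, exports):
    """Every call through an IAT slot, resolved to the module and export it lands in:
    the relation behind 'All intermodular calls'. The resolved target lives in
    user32.dll, outside the program's own image, as method (4) above observes."""
    hits = []
    for va, mn, slot in decode(code, base_va):
        if mn == "call" and slot in iat:
            target = iat[slot]
            label = f"{module_for(target, modules)}!{exports.get(target, '?')}"
            hits.append((va, label, target))
    return hits


if __name__ == "__main__":
    for va, mn, operand in decode(CODE, CODE_VA):
        print(f"{va:08X}  {mn} {operand if operand is not None else ''}")
    print("string refs:", [(hex(v), s) for v, _, s in find_string_refs(CODE, CODE_VA, STRINGS)])
    print("intermodular calls:", find_intermodular_calls(CODE, CODE_VA, IAT, MODULES, EXPORTS))
```

Run it directly to see the decoded listing followed by the two scan results; the string-reference hit at the `push offset text` instruction is the spot method (2) jumps to, and the call hit is where method (3) sets its breakpoint.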

7. Modify the Hello World! string (two methods)

Modify the string buffer directly / create the string in another memory region and pass that to the message function.

(1) Modify the string buffer directly

Ctrl+F2 restarts the program under the debugger.

Then right click -> find all referenced strings, find the HelloWorld string and double-click it. Note its address.

In the memory (dump) area, Ctrl+G to jump to this address (VA).

Select the range, then Ctrl+E to edit the string.

Then F9 to run; you can see the output has changed. Note that only the memory was changed. The PE file itself is untouched, so if the program is run again the old content is loaded back into memory. To keep the change you have to write it back to the PE file.

Continue: right click in the dump area -> Copy to executable file.

Right click again -> save the executable, e.g. as A.exe. Then double-click it.

(2) Create a new string in another memory region and pass it to the message function.

First jump to the position of the previous string and look below it:

There is plenty of free space. Just write the new string there.

Then, in the PUSH that passes the parameter to the MessageBox call, change the address directly to the address of your new string; in the figure above it is 01102148.

Then F9 to run; the result is as follows.

However, this change cannot be saved by right-clicking, because the saved file would not run; address offsets are involved. I will come back to this later.

Also, for method 1: if the string you write is longer than the original, and other data is stored right after the string, it will overwrite that later data. So be careful. For method 2, not every location can be written to casually either. I will talk about that later, but keep this problem in mind.
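To make both cautions in this section concrete: an in-place edit (method 1) must fit inside the original string's buffer, terminator included, or it clobbers whatever is stored after it, and a string written into free memory (method 2) can sit in a region that is mapped at run time but has no bytes behind it in the PE file, which is one reason "Copy to executable file" cannot carry such a change over. The Python example below is added here and is not from the original notes; its image base, section table (shaped like PE section headers), string addresses and file contents are constructed assumptions.

```python
# Constructed sample (not from the page): a section table in the style of PE
# IMAGE_SECTION_HEADER entries plus a fake file image. All values are assumptions.
IMAGE_BASE = 0x01100000
# (name, VirtualAddress (RVA), VirtualSize, PointerToRawData, SizeOfRawData)
SECTIONS = [
    (".text",  0x1000, 0x0800, 0x0400, 0x0800),
    (".rdata", 0x2000, 0x0300, 0x1400, 0x0200),  # last 0x100 bytes exist only in memory
]
STRING_VA = IMAGE_BASE + 0x2138   # "Hello World!" (UTF-16LE), the string method 1 edits
NEXT_VA = STRING_VA + 26          # "Title" stored immediately after it (24 bytes + terminator)
FREE_VA = IMAGE_BASE + 0x2280     # the "free space" below the strings that method 2 writes into


def va_to_file_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Map a virtual address to its offset in the PE file.
    Returns None when the address is mapped (zero-filled) but has no bytes in the file."""
    rva = va - image_base
    for _name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            return raw_ptr + delta if delta < raw_size else None
    return None


def utf16_slot_size(img, off):
    """Bytes from off up to and including the UTF-16LE terminator (00 00)."""
    i = off
    while i + 1 < len(img) and img[i:i + 2] != b"\x00\x00":
        i += 2
    return i + 2 - off


def read_utf16(img, off):
    """Decode the UTF-16LE string stored at off (terminator excluded)."""
    return bytes(img[off:off + utf16_slot_size(img, off) - 2]).decode("utf-16-le")


def build_sample_file():
    """Fake PE image: zero-filled, with the two strings placed where the table says."""
    img = bytearray(0x1600)
    off = va_to_file_offset(STRING_VA)
    img[off:off + 26] = "Hello World!".encode("utf-16-le") + b"\x00\x00"
    img[off + 26:off + 38] = "Title".encode("utf-16-le") + b"\x00\x00"
    return img


def patch_string_in_place(img, va, new_text):
    """Method 1 with the safety check the notes ask for: refuse any text that would
    run past the original terminator and overwrite the data stored after it."""
    off = va_to_file_offset(va)
    if off is None:
        raise ValueError(f"VA {va:#010x} is not backed by file data; nothing to save")
    slot = utf16_slot_size(img, off)
    data = new_text.encode("utf-16-le") + b"\x00\x00"
    if len(data) > slot:
        raise ValueError(f"{new_text!r} needs {len(data)} bytes, only {slot} available")
    img[off:off + slot] = data + b"\x00" * (slot - len(data))  # pad so nothing after it moves
    return off


def demo():
    """Exercise both cautions and return the observations as a dict."""
    results = {}
    img = build_sample_file()
    try:
        patch_string_in_place(img, STRING_VA, "Hello Reverse World!")  # 42 bytes into a 26-byte slot
        results["overlong"] = "accepted"
    except ValueError:
        results["overlong"] = "rejected"
    patch_string_in_place(img, STRING_VA, "Hi!")
    results["patched"] = read_utf16(img, va_to_file_offset(STRING_VA))
    results["next_intact"] = read_utf16(img, va_to_file_offset(NEXT_VA))
    # Method 2: the free region below the strings is mapped but not in the file,
    # so there is no file offset to copy a string written there back to.
    results["free_space_offset"] = va_to_file_offset(FREE_VA)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The slot length is measured from the original terminator, so a shorter replacement is zero-padded rather than shifting the data that follows; a longer one is refused instead of silently overwriting "Title". The `None` returned for the free-space address is the file-side view of the problem the notes defer to later: OllyDbg can show and run bytes there, but a saved executable has nowhere to store them.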