5. Common operations (continued):
Ctrl+G (Go to): move to a specified address. Used to view code or memory; nothing is executed.
F4 (Execute till Cursor): run until the cursor position, i.e. go straight to the address you want to debug.
; (Comment): add a comment at the current address.
    To list your comments: right-click menu -> Search for -> User-defined comment.
: (Label): add a label at the current address.
    To list your labels: right-click menu -> Search for -> User-defined label.
F2 (Set/Reset BreakPoint): set or clear a breakpoint (BP).
F9 (Run): run the program (if a breakpoint is set, execution stops when it is reached).
* : show the current EIP (instruction pointer) position.
- : go back to the previous cursor position.
Enter: if the cursor is on a CALL/JMP or similar instruction, follow it and show the target address (viewing only, nothing is executed; handy for a quick look at what a function does).
6. Base camp: four ways to get straight back to the place you want to be.
(1) Goto (Ctrl+G): opens the "Enter expression to follow" dialog, where you type the address or expression to go to.
(2) Breakpoint, BP (Break Point), shortcut F2.
Once the program is loaded in OD, just press F9 to run; it stops automatically at the breakpoint.
Alt+B opens the Breakpoints dialog, which lists the breakpoints set in the code.
(3) Comment, shortcut ;. Right-click -> Search for -> User-defined comment shows the list of comments, and you can jump to each one from there.
(4) Label: attach a name of your choice to a given address. Shortcut :. As above, Search for -> User-defined labels lists them.
6. Four ways to quickly find the code you are looking for
Target: find the MessageBox() API call in main().
(1) Method 1: mindlessly single-step through everything; sooner or later one of the steps is the call. There is nothing clever about this. Most of the time there are no tricks to it; it is maddening and very time-consuming.
(2) Locate the string. This is the more commonly used method. Right-click -> Search for -> All referenced text strings.
Double-click an entry to jump to the address that references it. In practice this lands right on the MessageBox() call.
At that point the program is about to push the address of the "HelloWorld" string onto the stack as a parameter, followed by the call to the function.
(3) API search method 1: set a breakpoint in the calling code.
Right-click menu -> Search for -> All intermodular calls lists every API call; note that MessageBox lives in user32.
Double-click an entry to jump to the call site.
(4) API search method 2: set a breakpoint in the API code itself.
Right-click -> Search for -> Name in all modules.
This lists the exported functions of every loaded DLL (for packed or protected programs the real names cannot be seen).
Find MessageBoxW and double-click it.
Note the address: it is no longer inside the program's own range. To save resources, Windows shares the many system DLLs between processes instead of loading a private copy for each one; if a process needs to modify one of them, the copy-on-write mechanism is triggered automatically. After double-clicking MessageBoxW you land in that function's memory; press F2 there to set a breakpoint.
7. Modify the "Hello World!" string (two methods)
Either modify the string buffer directly, or create a string in another memory region and pass that one to the message function.
(1) Modify the string buffer directly
Ctrl+F2 restarts the debugged program.
Right-click -> Search for -> All referenced text strings, find the "HelloWorld" string and double-click it. Note its address.
In the memory dump window press Ctrl+G and jump to that address (the VA).
Select the range of bytes, then Ctrl+E to edit the string.
Then F9 to run: the output has changed. Note that only memory has been changed; the PE file itself is untouched, and the next time the program is executed the old string is loaded again. So the current change has to be written back into the PE file.
Continue: right-click in the dump area -> Copy to executable file.
Right-click again -> Save file, and save it as A.exe. Then double-click the saved file to run it.
(2) Create a new string in another memory region and pass it to the message function.
First jump to the position of the original string and look just below it:
there is plenty of empty space. Write the new string there.
Then, at the PUSH that supplies the string parameter to the MessageBox call, change the address to the address of your new string (01102148 in the figure above).
Then F9 to run; the result is shown below.
However, this change cannot simply be saved with the right-click menu: the saved file would not run, because address offsets are involved. This will be explained later.
Also note, for method 1: if the string you write is longer than the original, and other data is stored right after the string, that later data is destroyed. So be careful. For method 2, not every location can be written to casually. This will be discussed later, but keep the problem in mind.
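Both caveats above, writing a memory change back into the PE file (method 1, "Copy to executable file") and the fact that a longer string or a string placed in unbacked memory cannot just be saved (method 2), come down to the PE section table. The following Python script is an added example, not code from the original tutorial: it parses the section headers, maps a VA seen in the debugger to a file offset the way a save-to-executable must, refuses a replacement longer than the original buffer (so the data after the string is never clobbered), and refuses a VA that falls in a section's memory-only tail (present in memory as zeros but absent from the file). The sample image it builds is a constructed minimal PE32 with one .rdata section, not the tutorial's HelloWorld program; names such as patch_string and the base address 0x400000 are this example's own assumptions.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_sections(pe):
    """Return (image_base, [(name, vaddr, vsize, raw_ptr, raw_size), ...]) of a PE image."""
    if struct.unpack_from("<H", pe, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if struct.unpack_from("<I", pe, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections, table = [], opt + opt_size                 # section headers follow the optional header
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vaddr, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(pe, va):
    """Map a virtual address seen in the debugger to the byte offset in the file on disk."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            if delta >= raw_size:
                # In memory (zero-filled) but not in the file: a change made here in the
                # debugger has no file bytes to be copied into, which is method 2's problem.
                raise ValueError("VA %#x lies in the memory-only tail of %s" % (va, name))
            return raw_ptr + delta
    raise ValueError("VA %#x is not inside any section" % va)


def _terminator(buf, off, wide):
    """Offset of the NUL terminator of the ASCII or UTF-16LE string starting at off."""
    if not wide:
        return buf.index(b"\0", off)
    i = off
    while i + 1 < len(buf) and buf[i:i + 2] != b"\0\0":
        i += 2
    if i + 1 >= len(buf):
        raise ValueError("unterminated wide string at %#x" % off)
    return i


def patch_string(pe, va, new_text, wide=False):
    """Overwrite the string at va in place; returns (patched_bytes, old_text).
    A replacement longer than the original buffer is refused, so the data stored
    right after the string (method 1's warning) is never overwritten."""
    off = va_to_file_offset(pe, va)
    end = _terminator(pe, off, wide)
    room = end - off                                     # bytes before the terminator
    enc = "utf-16-le" if wide else "ascii"
    old_text = pe[off:end].decode(enc)
    new = new_text.encode(enc)
    if len(new) > room:
        raise ValueError("%r needs %d bytes, only %d available" % (new_text, len(new), room))
    patched = bytearray(pe)
    patched[off:end] = new.ljust(room, b"\0")            # NUL-pad; original terminator stays
    return bytes(patched), old_text


def build_sample_pe():
    """Constructed minimal PE32 image for this example (not a real compiled program):
    one .rdata section, 0x100 bytes on disk but 0x1000 bytes in memory, holding the
    wide string L"Hello World!" at RVA 0x2010, i.e. VA 0x402010."""
    image_base, raw_ptr, raw_size, vaddr, vsize = 0x400000, 0x200, 0x100, 0x2000, 0x1000
    hdr = bytearray(raw_ptr)
    struct.pack_into("<H", hdr, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    struct.pack_into("<I", hdr, 0x40, IMAGE_NT_SIGNATURE)
    coff = 0x44                                          # machine, 1 section, opt size 0xE0
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, vsize, vaddr, raw_size, raw_ptr)
    data = bytearray(raw_size)
    data[0x10:0x10 + 26] = "Hello World!".encode("utf-16-le") + b"\0\0"
    return bytes(hdr + data)
```

Calling patch_string(build_sample_pe(), 0x402010, "Hi there!", wide=True) returns the patched image and the old text "Hello World!"; asking for a 21-character replacement, or for VA 0x402300 in the section's memory-only tail, raises ValueError, which is exactly the situation the tutorial warns about.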