Reverse Engineering Mentoring Lesson 003

Up till now we have performed static analysis of code with IDA Pro: we look at the program to infer its behavior, but the program is not executed. In contrast, dynamic analysis implies the execution of the program to witness its behavior. A debugger is often used for dynamic analysis: it lets you execute the program step by step and see the effect of instructions on the registers and memory.

We will use OllyDbg 1.10 [], it's a free debugger for Windows.

Download the OllyDbg ZIP file and extract it to c:\program files\odbg (there is no installer, I assume you have a c:\program files directory on your machine).

Start OLLYDBG.EXE, you will see this dialog box the first time you execute it:



Just click yes.

We will analyze our previous rem002.c program:

main(int argc, char **argv) {   int a;    a = 1; }

Select File | Open in the OllyDbg menu, and open rem002.exe:



You will see this screen:



The upper-left pane shows the disassembled code. You will not recognize the disassembled main function, because OllyDbg does not show it, in stead, it shows you the very first instruction of the program that will be executed (at 00401000).

Maybe you remember from the IDA Pro disassembly that that the main function starts at 00401150? We will navigate to this location. Right-click and select the Go to | Expression menu entry:



Enter 00401150:



Now you will recognize our main function. Press F2, this will put a breakpoint in the code. A breakpoint is an intentional stopping or pausing place in a program, put in place for debugging purposes. Then press F9 to run the program. The debugger will pause the execution of the program at address 00401150 where we have set our breakpoint.

The upper-right pane shows the registers. Remark this:
 * the instruction pointer (EIP) is equal to 00401150
 * the stack pointer (ESP) is equal to 0012FF90

The lower-right pane shows the stack, remark that the stack is "reversed": the top is 0012FF90 (equal to the stack pointer ESP), and the memory addresses under the top increase with a 4-byte increment.

Now we will single-step through the code of the main function, this means that we will execute the next instruction and then pause. Watch the registry and stack panes while pressing F7.



Values displayed in red indicate registers who's content has changed. First you see that EIP has increased with 1 byte. This is because we have executed the push instruction, which is 1 byte long. ESP has decreased with 4 bytes: this is because we have pushed the content of the EBP register, which is 4 bytes wide, on the stack.

Look a the stack:



The top of the stack is now 0012FF8C and the content is 0012FFB8, this is equal to the content of the EBP register we have pushed on the stack.

Now I will let you single-step (F7) through the program on your own to discover the effects of the other instructions. Watch the registers and the stack closely. Stop after the RETN instruction (this is the end of the main function).

When you exit or load another program, OllyDbg will ask you this:



Just click yes.

Try also to debug the other examples.