Hey,

As I'm sure there are a lot of users here more experienced with OllyDbg than I am, I thought I would simply put out a few questions that I've had regarding issues I've always put up with, but not really sure if there is a better way:

(1) When you GPF or have some access violation, the debugger naturally halts and presents a CTRL+F7/F8/F9 option to bypass the fault. I have never been successfully able to satisfy OllyDbg to allow the program to continue (with my corrective support in some way).

(2) Sometimes while tracing, I will get impatient and accidentally pass my target code and want to back up (with the understanding it will not affect anything critically in the memory/register assignments). Can you actually back up the EIP, and control the program on in a way to avoid the fault? This way I can steer things back to the message loop and allow memory and things to properly be released when closed.

(3) A long while ago, when I was first introduced to OllyDbg, someone told me how to set it up so that it would trace through your actual source in a separate 'extended debug information' window. How do you get this going again?

(4) Does the program need to be halted in pause/step mode to view memory? If I want to go to memory locations in the data segment via the "CTRL+G: go to expression" option, it only seems to accept my entry if the program is halted, even if I punch in the memory location as a constant. That is, if the program is simply idling with its message loop running, I can only look at the last memory locations it was last paused at. This may be a far cry to actually achieve, but I thought I would ask anyways.

Thanks a lot for your input.
Regards,
:NaN:
Posted on 2006-08-20 10:58:07 by NaN

you could try posting these questions at the ollydbg forum hosted at woodmanns

anyway I'll try to answer as much as I know though


I have never been successfully able to satisfy OllyDbg to allow the program to continue (with my corrective support in some way).


do you mean you know this exception will arise in future and you don't want to
keep on pressing Shift+F7/F8/F9 every time it arises?

add the exception to the ignore list: ctrl+o -> exceptions -> add last exception, checkmark ignore these -> ok


with my corrective support in some way


do you mean to say there is no native exception handler that you coded and you would like to twiddle around with clearing up stacks etc?

though I have never done it I think that shouldn't be hard enough to add an on the fly seh handler


Sometimes while tracing, I will get impatient and accidentally pass my target code and want to back up (with the understanding it will not affect anything critically in the memory/register assignments).


you mean you F8 instead of F7 and execute a subroutine in one step?
normally if it's stdcall and the subroutine cleared up the stack
and the subroutine isn't register dependent (like having a this pointer)
you can simply select a line before and use right click -> new origin here
(one line as in one source line including all args). if you don't have the args handy
(due to lea eax, #whatever kind of opcodes that vanished) you can use the
push dword option in the stack and provide the subroutine with manual arguments
by editing the stack contents


trace through source? compile with debug information and use ctrl+f5 or view source. the window will show you along with markers on which line you are presently stepping. both bcc tds as well as ms pdb work fine for source level debugging



Does the program need to be halted in pause/step mode to view memory?


no need, you can use ctrl+g while the binary is running
I just checked again to confirm it


but I think I am not understanding your question here

hope that helped. if you have further questions try shooting them at
the ollydbg forums at woodmanns

Posted on 2006-09-01 13:20:53 by bluffer

Thanks for your help. I will try your suggestions and then comment. (BTW: I apologize for the poorly written post above. I must have been brain dead at the time ;) )

That said, regarding the 'how do I debug with source information' bit, I thought I did all that, and all I keep getting is a blank source window. I will try again, and if I still can't get this working, I will post what switches I'm using to compile with (I do get a *.pdb file in the compile directory so I'm assuming it links in correctly). Anywho, I will play some more and see what damage I can create.

Thanks again for your input!
Regards,
:NaN:
Posted on 2006-09-02 12:57:19 by NaN

best way to look if ollydbg recognises the pdb is to drag and drop it into the ollydbg folder (if possible along with source files if the project is small)

if it found the pdb file (you will see ollydbg logging a message in the log window)

debugging format found microsoft format (nb10 or pdb 2.0) or dia format (RSDS or pdb 7.0) format

if it loaded the pdb file you can use the view -> sources menu

there it will show what source files are indexed, if any of them are present or not, etc.

btw if you are using msvc (vc2005 express to be exact) it hardcodes
the path of pdb in the exe as well as pdb like c:\progra~\msvc\vc\project\foo.pdb

also if possible get the latest dbghelp, symsrv and srcsrv dlls, I think they are redistributable (anyway they come with the windbg package), and substitute the ones that are available by default in the ollydbg package

to make a long story short, ollydbg can work, fetch and load ms symbols from symsrv


Posted on 2006-09-08 09:43:19 by bluffer
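
Added example, not part of the thread and not OllyDbg's own code: a Python parser for the CodeView record that a linker embeds in the EXE, covering both formats named in the log message above (NB10 for PDB 2.0, RSDS for PDB 7.0) and returning the hardcoded PDB path. It assumes the input is the raw data that the PE debug directory entry of type CODEVIEW points to; the function name `parse_codeview` and both sample records are constructed for illustration.

```python
import struct
import uuid

def parse_codeview(record: bytes) -> dict:
    """Return format, identifier, age and PDB path from a CodeView record."""
    if len(record) < 4:
        raise ValueError("record too short for a CodeView signature")
    sig = record[:4]
    if sig == b"RSDS":
        # PDB 7.0: signature, 16-byte GUID, 32-bit age, then the path
        header = struct.Struct("<4s16sI")
        if len(record) < header.size:
            raise ValueError("truncated RSDS record")
        _, guid_raw, age = header.unpack_from(record)
        ident = str(uuid.UUID(bytes_le=guid_raw)).upper()
        fmt = "PDB 7.0 (RSDS)"
    elif sig == b"NB10":
        # PDB 2.0: signature, offset (0), 32-bit timestamp, 32-bit age, path
        header = struct.Struct("<4sIII")
        if len(record) < header.size:
            raise ValueError("truncated NB10 record")
        _, _offset, timestamp, age = header.unpack_from(record)
        ident = f"{timestamp:08X}"
        fmt = "PDB 2.0 (NB10)"
    else:
        raise ValueError(f"unknown CodeView signature {sig!r}")
    # The PDB path follows the fixed header as a NUL-terminated string.
    tail = record[header.size:]
    end = tail.find(b"\x00")
    if end < 0:
        raise ValueError("PDB path is not NUL-terminated")
    path = tail[:end].decode("utf-8", errors="replace")
    return {"format": fmt, "id": ident, "age": age, "pdb_path": path}

# Constructed sample records (not taken from any real binary).
SAMPLE_RSDS = (b"RSDS"
               + uuid.UUID("01234567-89ab-cdef-0123-456789abcdef").bytes_le
               + struct.pack("<I", 1)
               + b"C:\\build\\foo.pdb\x00")
SAMPLE_NB10 = b"NB10" + struct.pack("<III", 0, 0x44E83C2F, 3) + b"foo.pdb\x00"

if __name__ == "__main__":
    for rec in (SAMPLE_RSDS, SAMPLE_NB10):
        print(parse_codeview(rec))
```

The identifier and age must match the ones stored in the PDB itself, which is why a rebuilt PDB is rejected even when it sits at the recorded path.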