CIS-77 Home http://www.c-jump.com/CIS77/CIS77syllabus.htm

Lab M07. Opcode Analysis using OllyDbg

1. Getting Started
2. ABC.ASM
3. Loading OllyDbg
4. View Executable Modules
5. Memory View
6. Disassembly View
7. User Code
8. Dump View (Program Data View)
9. Entering Opcodes Manually
10. Alternative Solution
11. Opcode Analysis
12. Saving Modified Program Image (optional)
13. What to Submit

1. Getting Started

• Download and assemble program ABC.ASM. (Recall guidelines of HOWTO assemble and debug an .ASM program.)

• If you are assembling your program using Visual Studio 2005, make sure to switch to Release build:

  • click Build menu -> Configuration Manager... -> change Active solution configuration to Release.

• Alternatively, you can build your program from the command line:

  "C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\vsvars32.bat"
  ML /coff /c /Fl M1.ASM
  LINK /subsystem:console /entry:main /out:M1.exe M1.obj
  

   

; CIS-77 Lab exercise M01
; ABC.asm
; Empty program that reserves 3 bytes of memory
; in the data segment.

.386                ; Tells MASM to use Intel 80386 instruction set.
.MODEL FLAT         ; Flat memory model
option casemap:none ; Treat labels as case-sensitive

.CONST          ; Constant data segment
.STACK 100h     ; (default is 1-kilobyte stack)

.DATA           ; Begin initialised data segment
        BYTE  'A'
        BYTE  'B'
        BYTE  'C'

.CODE           ; Begin code segment
_main PROC      ; Main entry point into program
    BYTE 16 DUP (90h)
    ret
_main ENDP
END _main       ; Marks the end of the module and sets the program entry point label

2. Loading OllyDbg

• Start OllyDbg.

  • NOTE: If using Microsoft Vista, run OllyDbg as Administrator.

• Click File menu -> Open, then locate and load the executable file.

• Debugging session will start automatically.

   

3. View Executable Modules

• Click View menu -> Executable Modules.

• Why are there more than one module in this view?

  • Your Answer:

• Double-click your program to bring up the CPU view.

• Which CPU register contains the address of the next executable instruction?

  • Your Answer:

• What is the address of the next executable instruction?

  • Your Answer:

• What is the next executable instruction as shown by OllyDbg?

  • Your Answer:

   

4. Memory View

• Click View menu -> Memory.

• Examine the view and briefly describe what do you see in the window.

  • Your Answer:

• In your own words, explain the purpose of

      .text
      .rdata
      .data
  

  • Your Answer:

   

5. Disassembly View

• In Memory View window, right-click the .text section of your program, and choose View in Disassembler.

• In your own words, explain what do you see in the Disassembler window.

  • Your Answer:

  • Hint: you can copy and paste the information from any OllyDbg window at any time.

   

6. User Code

• Press ALT+F9 (or click Debug menu -> Execute till user code.)

• Recall that the original program ABC.ASM contains the line

      BYTE 16 DUP (90h)
  

  in its .CODE segment. What happened to the original line of code? What do you see in the Disassembler window instead?

  • Please explain:

   

7. Dump View (Program Data View)

• Recall that the original program ABC.ASM reserved three bytes corresponding to characters A, B, and C:

          BYTE  'A'
          BYTE  'B'
          BYTE  'C'
  

• In Memory View window, double-click the .data section of your program to open the Dump View window.

• What is the starting address of each character?

  • Your Answer:

          'A'
          'B'
          'C'
  

   

8. Entering Opcodes Manually

• Switch back to the CPU window.

• You next task is to modify the EXE file so that program does something useful and replaces "ABC" with "XYZ".

• Consider using instructions

      mov BYTE PTR [ addr-of-A ], 'X'
      mov BYTE PTR [ addr-of-B ], 'Y'
      mov BYTE PTR [ addr-of-C ], 'Z'
  

  where addr-of-A, addr-of-B, and addr-of-C are the corresponding hexadecimal addresses of each character in memory.

• Replace the NOP instructions (opcodes 90h) by entering the first of the three MOV instructions,

      mov BYTE PTR [ addr-of-A ], 'X'
  

• To do this, double-click the first NOP instruction in the disassembly window. You should see the following prompt:

   

• Enter the MOV instruction mnemonic and operands, then click Assemble.

• Click Cancel to close the assemble prompt.

• OllyDbg instantly assembles entered instructions and patches your program in memory.

• Copy and paste the result of your modification here:

  • Your Answer:

• How many bytes does the MOV instruction occupy?

  • Your Answer:

• Why the "XYZ" problem cannot be solved by simply entering the three of the above MOV instructions in a row?

  • Your Answer:

• Why BYTE PTR operator was needed by the destination operand of the MOV instruction?

  • Your Answer:

   

9. Alternative Solution

• Restore program to its original state by pressing CTRL+F2 (or clicking Debug menu -> Restart.)

• This time, replace the NOP instructions by the following fragment of code:

      MOV EDI, addr-of-A
      MOV AL,58
      MOV [EDI],AL
      INC EDI
      INC AL
      CMP AL,5A
      JLE addr-of-mov
  

  where addr-of-mov is the address of the

      MOV [EDI],AL
  

  instruction, and addr-of-A is the addresses of character 'A' in memory.

• Run program step-by-step (F8) in OllyDbg.

• Explain the logic of the new solution:

  • Your Answer:

   

10. Opcode Analysis

• Recall x86 instruction format:

   

   

• Copy and paste the result of your latest modifications from the Disassembly window here:

  • Program modifications:

   

• For each instruction from the above fragment, please describe the following:

  1. What is the instruction opcode? If possible, provide additional info about specific bit fields in the opcode:

     • Your Answer:

  2. Does the instruction include Mod-R/M byte? If so, explain briefly how Mod-R/M fields are used:

     • Your Answer:

  3. Explain the presence of any additional bytes in the instruction format (for example, the immediate value):

     • Your Answer:

• Feel free to refer to the following materials while working on this part of the Lab:

  • Intel Instruction Set Reference Volume 2 , Chapters 2 and 3, Instruction Format and Reference.

  • Encoding Real x86 Instructions lecture.

   

11. Saving Modified Program Image (optional)

• You can save the changes back to the original EXE file. Here is how:

  1. In CPU window, right-click the modified fragment, and select Copy to executable -> All modifications.

  2. Click Copy All.

  3. New Disassembly window will open. Close this window. When File changed prompt appears, indicating that EXE file differs from the original, click YES.

  4. Answer positively that you wish to overwrite the original executable.

   

12. What to Submit

• Submit your answers to the questions highlighted in this handout.

• It is okay to copy and paste the entire lab description into a word processor of your choice and add your answers there.

• PLEASE DO NOT send any EXEcutables or Visual Studio project files.