Posts

OllyDbg and Learning Reverse Engineering Safely

OllyDbg was a classic tool for studying Windows programs at the assembly level — useful for learning, malware analysis, and understanding how software really runs.
Author: Omid FarhangOmid Farhang Published: October 17, 2008 Reading Time: 3 min
Copy Link Bluesky Threads Mastodon X LinkedIn Reddit Telegram WhatsApp Email Facebook Hacker News
Table of Contents

If Sysinternals shows you what is running, OllyDbg shows you what a program is thinking — one x86 instruction at a time. In 2008 it is the standard debugger for 32-bit Windows binaries: unpack a crackme, trace a malware sample in a lab, or understand why an installer behaves oddly when the vendor will not answer support calls.

OllyDbg 1.10 is the version most people use. It is freeware, debugger-only (no disassembler license debates), and extensible with plugins.

Legitimate Reasons to Learn

Reverse engineering is not only for pirates:

  • Malware analysis in isolated VMs — understand what a sample does before writing detection
  • Debugging when source code is lost or the vendor is gone
  • Interoperability research on closed protocols — within law and contract limits
  • Security education — seeing a stack overflow in a training binary teaches respect for patches

The skill transfers: administrators who read assembly recognize packer behavior, suspicious API calls, and anti-debug tricks faster than people who only run scanners.

A Safe Lab Setup

Never learn on your daily PC:

  1. Virtual machine with snapshots — Virtual PC or VMware on a host with enough RAM
  2. No shared folders to documents you care about
  3. Disabled network when studying unknown binaries — many samples phone home
  4. Known samples from controlled courses, crackme collections, or curated malware archives
  5. Document findings — screenshots, notes, file hashes

Restore the snapshot after every session. Treat the VM as disposable.

What OllyDbg Teaches You to See

  • How calls and returns structure programs
  • Where strings and API names hide in executables — FindText in the CPU window
  • Why packers like UPX and ASPack frustrate antivirus and analysts alike
  • How small logic changes — one patched jump — alter behavior dramatically
  • Import Address Table entries revealing which Windows APIs a program uses

Load a benign executable first — notepad.exe is boring but safe. Step through a few instructions. Toggle registers. Set a breakpoint on a Windows API call and watch what triggers it.

Supporting Tools

OllyDbg is the center of a small toolkit:

  • PEiD — guess whether a binary is packed and with which packer
  • LordPE or CFF Explorer — inspect PE headers and sections
  • Sandboxie — run unknown samples before they reach OllyDbg
  • Sysinternals Process Monitor — compare what the program does at the OS level vs what you see in the debugger

Ethics Matter

Studying cracks to steal software is illegal and boring. Studying how protection works to build better defenses is valuable. Stay on the right side:

  • Your binaries, your contracts, your lab
  • Do not redistribute malware samples
  • Do not bypass licensing on production systems

Limits in 2008

OllyDbg is 32-bit x86 only. Sixty-four-bit binaries need other tools — WinDbg for kernel and 64-bit work, or waiting for OllyDbg 2 (still in development and uneven). Most malware and legacy apps you encounter on XP and Vista desktops are still 32-bit, so OllyDbg remains relevant.

Learn Just Enough Assembly

OllyDbg sits alongside Sandboxie, Sysinternals, and AutoIt as another way to understand the same Windows machine.

You do not need to become a full reverser. Learn enough assembly to recognize API calls, branches, strings, and packers. That alone makes the next suspicious .exe less mysterious.

Related Posts

Windows Vista Launch, UAC, and the First Month

Feb 14, 2007

Sysinternals Suite for Windows Troubleshooting

Nov 8, 2006

WMF Exploit and the Zero-Day Patch Rush

Feb 2, 2006