Stepping

Introduction

Single-stepping is one of the most powerful features of a debugger: it lets a reverse engineer execute a single instruction at a time before control returns to the debugger. This feature comes in handy when one needs to analyze a binary by executing a single instruction, or a section of instructions of interest, under close observation.

In this article, we will explore how stepping over and stepping into features can help when analyzing a binary with a debugger. We will use OllyDbg as our choice of debugger, but the concept remains the same with any other debugger.

Stepping

During malware analysis and reverse engineering, we may need to execute instructions one after the other (one instruction at a time) to understand the behavior at a certain point. This is called single-stepping, which provides a detailed view of what is going on when the binary is run. 

Debuggers allow us to single-step the program execution. In OllyDbg, we can do single-stepping by using the F8 key or by clicking the button highlighted in the image below. 

This button is used for step-over. This means that single-stepping happens one instruction (one line of the disassembly) at a time. However, if we press this key when the debugger is about to execute a CALL instruction, the whole subroutine is executed in one go and the single-step stops at the instruction following the CALL. When this happens, there is a chance that we may miss important instructions inside the subroutine.

If you want to single-step through the instructions inside the subroutine, use step-into on the CALL instruction. In OllyDbg, this can be done by using the F7 key or the button highlighted below.
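To make the difference between F8 and F7 concrete, here is a small added Python simulation (not code from the original post, and not how OllyDbg itself is written): a toy CPU runs a constructed instruction list, `step_into` executes exactly one instruction (following a CALL into the subroutine), and `step_over` does what debuggers commonly do for step-over, placing a temporary breakpoint on the instruction after the CALL and running until it is reached.

```python
# Constructed toy program; addresses are list indices. Not taken from the post.
PROGRAM = [
    ("MOV", "eax, 1"),    # 0
    ("CALL", 4),          # 1  -> subroutine at address 4
    ("ADD", "eax, 2"),    # 2  <- step-over stops here after the CALL
    ("HLT", None),        # 3
    ("XOR", "ebx, ebx"),  # 4  subroutine body (only seen with step-into)
    ("INC", "ebx"),       # 5
    ("RET", None),        # 6
]


class ToyCPU:
    """Minimal CPU: an instruction pointer and a return-address stack."""

    def __init__(self, program):
        self.program = program
        self.eip = 0
        self.stack = []
        self.halted = False

    def execute_one(self):
        """Execute the instruction at EIP, as the CPU does with the trap flag set."""
        mnem, operand = self.program[self.eip]
        if mnem == "CALL":
            self.stack.append(self.eip + 1)  # push the return address
            self.eip = operand
        elif mnem == "RET":
            self.eip = self.stack.pop()
        elif mnem == "HLT":
            self.halted = True
        else:
            self.eip += 1


def step_into(cpu):
    """F7: exactly one instruction; a CALL lands on the subroutine's first instruction."""
    cpu.execute_one()


def step_over(cpu):
    """F8: on a CALL, run until the temporary breakpoint after it; otherwise one step."""
    mnem, _ = cpu.program[cpu.eip]
    if mnem != "CALL":
        cpu.execute_one()
        return
    temp_bp = cpu.eip + 1  # breakpoint on the instruction following the CALL
    while cpu.eip != temp_bp and not cpu.halted:
        cpu.execute_one()  # nested CALL/RET inside the subroutine is handled too


def trace(stepper, program):
    """Return the addresses at which the debugger regains control using `stepper`."""
    cpu = ToyCPU(program)
    visited = []
    while not cpu.halted:
        visited.append(cpu.eip)
        stepper(cpu)
    return visited
```

`trace(step_over, PROGRAM)` never shows addresses 4 to 6, which is exactly the subroutine analysis the paragraph above warns you can miss with F8.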

Another way to use step-into and step-over in OllyDbg is by navigating to the Debug Menu (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/lKGRDmF0Q1M/