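OD Commands

Commands supported by the command-line plugin

CALC

Evaluate an expression

WATCH

Add a watch expression

AT

Disassemble at the specified address

FOLLOW

Follow command

ORIG

Disassemble at EIP

DUMP

Dump at the specified address

DA

Dump as disassembly

DB

Dump in hex byte format

DC

Dump in ASCII format

DD

Dump in stack format

DU

Dump in UNICODE format

DW

Dump in hex word format

STK

Go to the address in the stack

AS

(AS + address + string)

Assemble at the specified address

BP

Set a conditional break (conditional breakpoint)

BPX

Break on all calls (Call)

BPD

Clear the breakpoints on all calls

BC

Clear a breakpoint

MR

Memory breakpoint on access

MW

Memory breakpoint on write

MD

Clear the memory breakpoint

HR

Hardware breakpoint on access

HW

Hardware breakpoint on write

HE

Hardware breakpoint on execute

HD

Clear a hardware breakpoint

STOP

Stop running the debugged program

PAUSE

Pause execution of the debugged program

RUN

Run the program for debugging

GE

Run and pass the exception

SI

Step into a Call

SO

Step over a Call

TI

Trace into until address

TO

Trace over until address

TC

Trace into until a condition is met

TOC

Trace over until a condition is met

TR

Run until return

TU

Run until user code

LOG

View the Log window

MOD

View the Modules window

MEM

View the Memory window

CPU

View the CPU window

CS

View the Call stack

BRK

View the Breakpoints window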

TC EIP<500000

 

0071169C E8 2ECEFFFF call videofix.0070E4CF

0071CAC2 E8 8434FFFF call videofix.0070FF4B

0071CB7A 45 inc ebp

 

0071CB7A 45 inc ebp

 

0071E36F E8 9229FFFF call videofix.00710D06

 

00720664 E8 E2F8FEFF call videofix.0070FF4B

 

 

OPT

Open the options window

EXIT

Exit OllyDbg

QUIT

Exit OllyDbg

OPEN

Open an executable file

CLOSE

Close the executable file

RST

Restart the current program

HELP

View help for an API function

OllyDbg Command Line Cheat Sheet

Expressions may include constants, registers and memory references and support all standard arithmetical and boolean functions. By default, all constants are hexadecimal. To mark constant as decimal, follow it with decimal point.

Examples:

AT [EAX+10] - disassemble at address that is the contents of memory doubleword at address EAX+0x10;

BP KERNEL32.GetProcAddress - set breakpoint on API function. Note that you can set breakpoint in system DLL only in NT-based operating systems;

BPX GetProcAddress - set breakpoint on every call to external function GetProcAddress in the currently selected module;

BP 412010,EAX==WM_CLOSE - set conditional breakpoint at address 0x412010. Program pauses when EAX is equal to WM_CLOSE.

Expressions [expr]

[CALC/?] expr - Calculate value of expression
expr - Ditto (first character is not letter)
W[ATCH] expr - Add watch

Assignments

[SET] reg=expr - Writes value of expr to 8/16/32-bit general register
SET memory=expr - Writes to 8/16/32-bit memory

Disassembler

AT / FOLLOW expr - Follow address in Disassembler
ORIG / * - Go to actual EIP

Assembling

A expr [,command] - Assemble at address

Dump and stack

D[UMP] expr - Follow address in dump
DA [expr] - Dump in assembler format
DB [expr] - Dump in hex byte format
DC [expr] - Dump as ASCII text
DD [expr] - Dump as addresses (stack format)
DU [expr] - Dump as UNICODE text
DW [expr] - Dump in hex word format
STK expr - Follow address in stack

Breakpoint commands

BP expr [,condition] - Set INT3 breakpoint at address
BPX label - Set breakpoint on each call to external 'label' within the current module
BC expr - Delete breakpoint at address
MR expr1 [,expr2] - Set memory breakpoint on access to range
MW expr1 [,expr2] - Set memory breakpoint on write to range
MD - Remove memory breakpoint
HR expr - Set 1-byte hardware breakpoint on access to address
HW expr - Set 1-byte hardware breakpoint on write to address
HE expr - Set hardware breakpoint on execute at address
HD [expr] - Remove hardware breakpoint(s) at address

Labels and comments

L expr, label - Assign symbolic label to address
C expr, comment - Set comment at address

Tracing commands

STOP / PAUSE - Pause execution
RUN - Run program
G [expr] - Run till address
GE [expr] - Pass exception to handler and run till address
S / SI - Step into
SO - Step over
T[I] [expr] - Trace in till address
TO [expr] - Trace over till address
TC condition - Trace in till condition
TOC condition - Trace over till condition
TR - Execute till return
TU - Execute till user code

OllyDbg windows

LOG - View Log window
MOD - View Executable modules
MEM - View Memory window
CPU - View CPU window
CS - View Call Stack
BRK - View Breakpoints window
OPT - Edit options

Miscellaneous commands

EXIT / QUIT - Close OllyDbg
OPEN [filename] - Open executable file for debugging
CLOSE - Close debugged program
RST - Restart current program
HELP - Show help on command line plugin
HELP OllyDbg - Show OllyDbg help
HELP APIfunction - Show help on API function

posted @ 2017-05-01 20:12  暴雪对门