➢ View memory locations referenced by each argument in either the Disassembler or Dump panes.
➢ Decodes and displays the values of the CPU and FPU (Floating-Point Unit) registers for the currently executing thread.
➢ Floating point register decoding can be configured for MMX (Intel) or 3DNow! (AMD) multimedia extensions.
➢ Modify the value of CPU registers.
➢ Display the stack of the currently executing thread.
➢ Trace stack frames. In general, stack frames are used to:
    ➢ Restore the state of registers and memory on return from a call statement.
    ➢ Allocate storage for the local variables, parameters, and return value of the called subroutine.
    ➢ Provide a return address.
4.4 Animated Solution to the Wintel Reversing Exercise
Using OllyDbg, one can successfully reverse engineer a non-trivial Windows®
application like Password Vault, and make permanent changes to the behavior of the
executable. The purpose of placing a trial limitation in the Password Vault application is
to provide a concrete objective for reverse engineering the application: disable or relax
the trial limitation. Of course the goal here is not to teach how to avoid paying for software,
but rather to see oneself in the role of a tester, a tester who is evaluating how difficult it
would be for a reverse engineer to circumvent the trial limitation. This is a fairly relevant
exercise to go through for any individual or software company that plans to provide trial
versions of their software for download on the Internet. In later sections, we discuss
anti-reversing techniques, which can significantly increase the difficulty a reverse engineer
will encounter when reversing an application.