Basic elements
Expressions may include:
Byte registers AL, BL, CL, DL, AH, BH, CH, DH
Word registers AX, BX, CX, DX, SP, BP, SI, DI
Doubleword registers EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI
Segment registers CS, DS, ES, SS, FS, GS
FPU registers ST0, ST1, ST2, ST3, ST4, ST5, ST6, ST7 or alternative forms ST, ST(0), ST(1), ST(2), ST(3), ST(4), ST(5), ST(6), ST(7)
Index pointer EIP
CPU flags EFL or alternative form FLAGS
Simple labels, like GetWindowTextA or userdefinedlabel1
Known constants, like WM_PAINT or ERROR_FILE_NOT_FOUND
Labels with prepended module name, like user32.GetWindowTextA
Immediate integer numbers, like ABCDEF01, 123, 0x123 (all hexadecimal) or 123. (decimal)
Immediate floating point numbers, like 123.456e-33
Immediate strings, like "String"
Parameters %A and %B
Thread identifier %THR (or alternative form %THREAD)
Ordinal number of the current thread %ORD (or alternative form %ORDINAL)
Contents of memory (requires square brackets [ ], see detailed description below)
Contents of memory
To access memory, take address into the square brackets and optionally specify type and size of the item. OllyDbg supports following modifiers:
Modifier How the contents of memory is interpreted
BYTE Unsigned 8-bit integer
CHAR Signed 8-bit integer
WORD Unsigned 16-bit integer
SHORT Signed 16-bit integer
DWORD Unsigned 32-bit integer (default)
INT, LONG Signed 32-bit integer
FLOAT 32-bit floating-point number
DOUBLE 64-bit floating-point number
LONG DOUBLE 80-bit floating-point number
ASCII Address inside the brackets will be interpreted as a pointer to ASCII string, but numerical value of expression remains unchanged
UNICODE Address inside the brackets will be interpreted as a pointer to UNICODE string, but numerical value of expression remains unchanged
