#1
Is there anything wrong with OllyDbg's conditional breakpoint?

In Windows XP SP3, there is an instruction call [ebp+8] at address 77D18731 for message processing:

Code:
77D1870C push ebp
77D1870D mov ebp, esp
77D1870F push esi
77D18710 push edi
77D18711 push ebx
77D18712 push DCBAABCD
77D18717 push esi
77D18718 push dword ptr [ebp+18]
77D1871B push dword ptr [ebp+14]
77D1871E push dword ptr [ebp+10]
77D18721 push dword ptr [ebp+C]
77D18724 mov eax, fs:[18]
77D1872A or byte ptr [eax+FB4], 1
==>77D18731 call [ebp+8]
77D18734 mov ecx, fs:[18]
77D1873B and byte ptr [ecx+FB4], 0
77D18742 cmp dword ptr [esp+4], DCBAABCD
77D1874A jnz 77D403B0
77D18750 add esp, 8
77D18753 pop ebx
77D18754 pop edi
77D18755 pop esi
77D18756 pop ebp
77D18757 retn 14

If I set a breakpoint at 77D18731 with the following condition:

Code:
[esp+4]==SomeHandle && [SomeAddress]==SomeValue

that breakpoint always fails, that is to say, the breakpoint is not triggered even when the conditions are true. So, is there anything wrong with OllyDbg?
#2
1. Use parentheses, liberally, even if they are or look redundant.
2. Is [SomeAddress] an absolute reference, or relative to ESP? If relative, it has to be explicit.
3. ESP is a pain and keeps changing. Are you sure that [ESP+4] points to the right address, at the right moment of the conditional BP?
4. The use of watches and a dry run under single-step tracing will help debug the debugger.

Last edited by Naides; 05-12-2013 at 05:57.
#3
If it's relative to ESP, the breakpoint will be triggered. I wonder whether OllyDbg gets confused when the breakpoint is set in the kernel while the condition concerns the debugged process's memory.

Thanks.
#4
Quote:
Code:
77D1872A or byte ptr [eax+FB4], 1    <-- Here
77D18731 call [ebp+8]                <-- There
77D18734 mov ecx, fs:[18]

So the question is, and I DO NOT know the answer off hand, does the conditional get evaluated before, during or after the call instruction?? I know that by design, 'Break on Read' or 'Break on Write' are evaluated AFTER the instruction at the BP has executed. . .
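Added example, not from this thread or from OllyDbg itself: a small Python model of the PUSH sequence in the listing from post #1. It shows that, at the CALL instruction, [esp+4] names the slot that was loaded from [ebp+10], but once CALL has pushed its return address the same operand names the [ebp+C] slot, which is exactly the "right moment" question from point 3 above and from this post. The push order and ebp offsets come from the listing; the starting ESP and the slot values are constructed placeholders.

```python
# Added example (not from the thread): replay the PUSH sequence of the
# listing in post #1 and report which pushed value an OllyDbg-style
# [esp+N] operand refers to, before and after CALL pushes its return address.

WORD = 4
INITIAL_ESP = 0x0012FF00       # constructed; only the relative layout matters
RETURN_ADDRESS = 0x77D18734    # the instruction after "call [ebp+8]" in the listing

# (label, constructed value) in the order the listing pushes them.
PUSH_SEQUENCE = [
    ("imm 0xDCBAABCD", 0xDCBAABCD),   # 77D18712 push DCBAABCD
    ("esi",            0x11111111),   # 77D18717 push esi
    ("[ebp+18]",       0x00000018),   # 77D18718 push dword ptr [ebp+18]
    ("[ebp+14]",       0x00000014),   # 77D1871B push dword ptr [ebp+14]
    ("[ebp+10]",       0x00000010),   # 77D1871E push dword ptr [ebp+10]
    ("[ebp+C]",        0x0000000C),   # 77D18721 push dword ptr [ebp+C]
]

def push(stack, esp, label, value):
    """Model a 32-bit PUSH: ESP moves down one dword and the slot records what was pushed."""
    esp -= WORD
    stack[esp] = (label, value)
    return esp

def stack_before_call():
    """Stack state when EIP == 77D18731, i.e. before the CALL has executed."""
    stack, esp = {}, INITIAL_ESP
    for label, value in PUSH_SEQUENCE:
        esp = push(stack, esp, label, value)
    return stack, esp

def stack_at_callee_entry():
    """Stack state after CALL pushed its return address, i.e. at the callee's first instruction."""
    stack, esp = stack_before_call()
    esp = push(stack, esp, "return address", RETURN_ADDRESS)
    return stack, esp

def operand(stack, esp, offset):
    """Resolve an OllyDbg-style [esp+offset] operand to the label of the slot it reads."""
    return stack[esp + offset][0]

if __name__ == "__main__":
    for name, (stack, esp) in (("at CALL", stack_before_call()),
                               ("callee entry", stack_at_callee_entry())):
        print(f"{name:13}: [esp+4] -> {operand(stack, esp, 4)}")
```

Whichever of the two moments OllyDbg uses when it evaluates the condition, the operand reads a different caller argument, so a condition written against one layout silently never matches under the other.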
#5
breakpoint at 77D18731, because if I change the condition to [esp+4]==SomeHandle, that breakpoint is always triggered. So the problem is actually with the condition [SomeAddress]==SomeValue, for example:

Code:
[401000] == 12345678

Whether or not the above condition is satisfied when I reach the breakpoint, OllyDbg does not stop.