Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Olly conditional breakpoint help (https://forum.exetools.com/showthread.php?t=2375)

Rhodium 07-18-2003 07:55

Olly conditional breakpoint help
 
I am using OllyDbG and am somewhat of a newb.

Anyway, I successfully breakpointed on the function Kernel32.Writefile when I save the file.

I want to create a conditional breakpoint on Kernel32.Writefile, but only when it refers to a specific file identified by the filename. Now the first parameter of Kernel32.Writefile is ".hFile" which identifies the file, so that's exactly what I need to use.

So yeah, I only want to break when Kernel32.Writefile writes to a specific file identified by its filename using a conditional breakpoint in Olly. I don't have any experience in conditional breakpoints.

I searched and found this topic, maybe someone can make sense of it?

http://ollydbg.win32asmcommunity.net/index.php?action=vthread&forum=1&topic=310&page=

Squidge 07-18-2003 15:36

The handle that Writefile uses is a handle to a file, not a filename, so you will have to breakpoint on CreateFileA first to obtain the file handle that will go with the filename before placing the conditional breakpoint on the WriteFileA.

xobor 07-18-2003 15:49

Exactly as Squidge wrote

in last Olly press ALT+F1 (Plugins->Command Line->Command Line)

in editbox type bp CreateFileA, STRING [[ESP+4]]=="yourfilename"

press F9, when Olly breaks press CTRL+F9 (run until return), press F8 (one step) and read value at eax - it's handle for your file

so in Command Line plugin add new breakpoint

bp WriteFile, [[ESP+4]]==90

(of course you must replace value 90 by your eax value)

and go for debugging :D

hope this helps

Rhodium 07-18-2003 17:31

xobor, I put that into the command line and set the bp, but it still breaks on the CreateFileA for any file.

Are you sure that is a conditional breakpoint?

I assume [[ESP+4]] = EAX

Why not just do bp CreateFileA, STRING EAX=="yourfilename" ?

Squidge 07-18-2003 18:13

Windows API functions take their parameters on the stack, so using EAX is a bad idea, it may work for a single call, but it will not always work.

Rhodium 07-19-2003 04:30

I read the Ollydbg help file on conditional breakpoints but it isn't easy to understand.

I wish there were more examples.

Squidge 07-19-2003 06:01

If you look just below the examples, there's a complete description of what an expression is, which is not exactly difficult to understand. The examples just help this along.

I tried this:

[STRING [esp+4]]=="ckinfo.zip"

And it worked fine, breaking only when "ckinfo.zip" was opened.

I didn't try xobor's expression, but it seems that he's looking for a dword? Maybe got the handle confused with the filename.

Rhodium 07-19-2003 06:22

I tried your method with CreateFileA, and it still breaks when any file is created by the process.

Rhodium 07-19-2003 06:34

I did a regular bp CreateFileA and the path to my file showed up in EDX as ASCII.

xobor 07-21-2003 14:19

sorry for the delayed reply, but I had problems with my internet provider

so right before I put my reply in this thread I tried these conditional breakpoints with the latest version of OllyDbg, so I have no idea why it is not working for Rhodium (I'm working on W2000 Prof SP3 ...)

Squidge's example is formally the same as mine; OllyDbg doesn't make a difference between STRING [xxxx] and [STRING xxx] (it's also in the help file)

so Rhodium, what Windows are you running? Maybe we can try it on the same system

regards
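The two-stage technique the thread arrives at (break on CreateFileA when the filename matches, capture the returned handle, then break on WriteFile when the first argument equals that handle) is easier to reason about with the stack layout in front of you. The following Python script is an added illustration, not code from any of the posters and not OllyDbg's own expression evaluator: it builds a constructed 32-bit memory image, lays out stdcall frames as a debugger sees them at the callee's first instruction, and evaluates the one-dereference conditions (`STRING [ESP+4]=="ckinfo.zip"` for CreateFileA, `[ESP+4]==handle` for WriteFile). It also shows what an extra pair of brackets (`[[ESP+4]]`) actually reads, and the handle value 0x90 and all addresses are made up for the demonstration.

```python
"""Constructed simulation of what an OllyDbg conditional breakpoint evaluates
at the entry of a 32-bit stdcall Win32 API.  Not OllyDbg's evaluator; every
address, buffer and handle value below is invented for illustration."""
import struct

# Constructed flat address space: {address: byte value}.
MEM = {}

def store(addr, data):
    for i, b in enumerate(data):
        MEM[addr + i] = b

def read(addr, n):
    return bytes(MEM.get(addr + i, 0) for i in range(n))

def deref32(addr):
    """Olly's [expr]: the little-endian dword stored at address expr."""
    return struct.unpack("<I", read(addr, 4))[0]

def read_string(addr, limit=260):
    """Olly's STRING expr: NUL-terminated ASCII text starting at address expr."""
    out = bytearray()
    while len(out) < limit:
        b = read(addr + len(out), 1)[0]
        if b == 0:
            break
        out.append(b)
    return out.decode("ascii", errors="replace")

def push_frame(esp, args, ret=0x00401234):
    """Lay out a stdcall frame as seen at the callee's first instruction:
    [ESP] = return address, [ESP+4] = first argument, [ESP+8] = second, ...
    EAX is deliberately not modelled: at entry it holds whatever the caller
    left there, which is why a condition on EAX is unreliable."""
    store(esp, struct.pack("<I", ret))
    for i, a in enumerate(args):
        store(esp + 4 * (i + 1), struct.pack("<I", a))

def createfile_hits(esp, wanted):
    """bp CreateFileA, STRING [ESP+4]=="wanted": one dereference fetches the
    lpFileName pointer, then the string it points to is compared."""
    return read_string(deref32(esp + 4)) == wanted

def writefile_hits(esp, handle):
    """bp WriteFile, [ESP+4]==handle: hFile is passed by value as argument 1."""
    return deref32(esp + 4) == handle

def simulate():
    target, other = 0x00403000, 0x00403100      # constructed string buffers
    store(target, b"ckinfo.zip\0")
    store(other, b"readme.txt\0")
    esp = 0x0012FF00                             # constructed stack pointer
    results = {}

    # 1) CreateFileA("readme.txt", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
    push_frame(esp, [other, 0x80000000, 0, 0, 3, 0x80, 0])
    results["create_other"] = createfile_hits(esp, "ckinfo.zip")

    # 2) CreateFileA("ckinfo.zip", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)
    push_frame(esp, [target, 0x40000000, 0, 0, 2, 0x80, 0])
    results["create_target"] = createfile_hits(esp, "ckinfo.zip")
    # [[ESP+4]] dereferences twice: it yields the first four bytes of the
    # filename ("ckin") read as a dword, not a pointer to the string.
    results["double_deref"] = deref32(deref32(esp + 4))

    # After CTRL+F9 / F8 the handle is read from EAX; constructed value here.
    eax_after_return = 0x90

    # 3) WriteFile(hFile=0x90, lpBuffer, 512, &written, NULL) -> break
    push_frame(esp, [eax_after_return, 0x00405000, 512, 0x0012FFA0, 0])
    results["write_target"] = writefile_hits(esp, eax_after_return)

    # 4) WriteFile on a different handle -> no break
    push_frame(esp, [0x94, 0x00405000, 512, 0x0012FFA0, 0])
    results["write_other"] = writefile_hits(esp, eax_after_return)
    return results

if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, hex(value) if type(value) is int else value)
```

Running it shows the filename condition firing only for the second CreateFileA frame, the double dereference returning 0x6e696b63 (the bytes "ckin"), and the handle condition firing only for the WriteFile frame whose first argument equals the captured handle. The real OllyDbg syntax and its treatment of `STRING [x]` versus `[STRING x]` should be checked against the OllyDbg help file; this script only models the memory reads.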

