how to do this in OllyDbg et al?

[boya]

hi all,

how to set a breakpoint to a specific button/menu in ollydbg(or other debuggers) quickly and effectively?

i mean: when you click a button, the debugger will pop up right away.
or you click a menu item, you will be trapped to the debugger window with the target program thread.

as we can use resource tools to identify the handles for menu items and buttons? how to utilize these info to set bp quickly?

thanks.

[Hero]

Hi
I should say I think setting breakpoint in that way is not very efective way.
But if you want to do that,and your program is not packed,use Resource Hacker
to find ID of that item you need.Then set your conditional breakpoint after WndProc
for example WM_LBUTTONDOWN and lparam==ID(as I remember,correct me if wrong).
This will solve your problem.

sincerely yours

[Archer]

There is no univeral way to do it. You can really put bp on WndProc, as Hero said, but sometimes Olly finds address of WndProc incorrectly. Then it's more reliable to use decompiler and look the address of desired procedure there. Unfortunately it works only for a few programming languages.

view windows rightclick set msg break point on wndproc

if it is simple and doesnt have tricks then
options debugging options allow code injection to find address of wnd proc
should get you correct wndproc ie it will fetch the wndproc
which was differenent during RegisterClassEx() but subsequently modified by
GetWindowLong() api

or bp TranslateMessage() or bp DispatchMesssage in kernel.dll
condition to always pause and then log all arguments
then set a break on condition with proper arguments

[boya]

@JuneMouse
in ollydbg, it's effective to "view windows rightclick set msg break point on wndproc". i just do rightclik on the windows, select "Message breakpoint on ClassProc", set WM_LBUTTONDOWN is effective in my test.

by bp TranslateMessage, it's impractical in ollydbg. it always trigger the debugger. how to set up parameter for bp TranslateMessage??

for bp DispatchMesssage, ollydbg says: Unknown identifier. <== how to set it straight for this?

thanks again.

[boya]

how to set the breakpoint for a menu item (without the couterpart of icon/button) in ollydbg, in the style of button trick?

in another approach, by set bp at certain functions, which of the following should be set?
CheckMenuItem
CheckMenuRadioItem
CreateMenu
CreatePopupMenu
DeleteMenu
DestroyMenu
DrawMenuBar
EnableMenuItem
GetMenu
GetMenuCheckMarkDimensions
GetMenuDefaultItem
GetMenuItemCount
GetMenuItemID
GetMenuItemInfo
GetMenuItemRect
GetMenuState
GetMenuString
GetSubMenu
GetSystemMenu
HiliteMenuItem
InsertMenuItem
IsMenu
LoadMenu
LoadMenuIndirect
MenuItemFromPoint
SetMenu
SetMenuDefaultItem
SetMenuItemBitmaps
SetMenuItemInfo
TrackPopupMenu
TrackPopupMenuEx

bp Translatemessage condition string is you are using commandline plugin
some thing like
bp Translatemessage "[ESP+###] == WM_COMMAND"
i dont have tools to give you right command atm may be will edit this post later

the general graphical way is to
find names -->TranslateMessage in kernel32.dll
right click follow in disassembler
you will mostly be at a push ebp instruction
hit shift+f4 (conditional log break point)
set the condition you prefer using the stack parameters (the arguments to the proc will be on stack top+4 [esp+4] when you have stopped on break point

so condition like [ESP+###] == "WM_WHATEVER OR ES_WHATEVER OR WHATEVR_WHATEVER" should trigger the break only on conditions

if it triggers always that means you are not setting a conditional break point but
a hard break point (see the color hard means red colour conditional means pink or yello colour marker will be there)

also you can ask olly dbg to never pause on any thing but log everything or log only on condition pause and log on condition etc etc

Dispatch Spelling may be wrong it may be Despatch or just ansi version is available
use find names (ctrl+n) on kernel32.dll and start typing d and look for the api
"unknown identifier means you asked ollydbg to look for some rubbish name and it says
hey that name is rubbish it doesnt exist go find the right name dont give me rubbish names"

second question i didnot understand any part of it
you set break point according to your need or set break point on everything and when it hit remove them one by one if the hit is not what you are looking for

for example
right click
find command->call r32-->enter ---> right click -> set log break points on all referance
would set 10000 of break points at one