#1
Olly conditional breakpoint help
I am using OllyDbg and am somewhat of a newb.
Anyway, I successfully breakpointed on the function Kernel32.WriteFile when I save the file. I want to create a conditional breakpoint on Kernel32.WriteFile, but only when it refers to a specific file identified by the filename. Now the first parameter of Kernel32.WriteFile is ".hFile", which identifies the file, so that's exactly what I need to use. So yeah, I only want to break when Kernel32.WriteFile writes to a specific file identified by its filename, using a conditional breakpoint in Olly. I don't have any experience with conditional breakpoints. I searched and found this topic; maybe someone can make sense of it? http://ollydbg.win32asmcommunity.net/index.php?action=vthread&forum=1&topic=310&page=
Last edited by Rhodium; 07-18-2003 at 08:04.
#2
The handle that WriteFile uses is a handle to a file, not a filename, so you will have to breakpoint on CreateFileA first to obtain the file handle that will go with the filename before placing the conditional breakpoint on the WriteFileA.
#3
Exactly as Squidge wrote.
In the latest Olly press ALT+F1 (Plugins->Command Line->Command Line). In the edit box type bp CreateFileA, STRING [[ESP+4]]=="yourfilename" and press F9. When Olly breaks, press CTRL+F9 (run until return), press F8 (one step) and read the value in EAX; it's the handle for your file. So in the Command Line plugin add a new breakpoint bp WriteFile, [[ESP+4]]==90 (of course you must replace the value 90 by your EAX value) and go for debugging. Hope this helps.
#4
xobor, I put that into the command line and set the bp, but it still breaks on the CreateFileA for any file.
Are you sure that is a conditional breakpoint? I assume [[ESP+4]] = EAX. Why not just do bp CreateFileA, STRING EAX=="yourfilename"?
Last edited by Rhodium; 07-18-2003 at 17:35.
#5
Windows API functions take their parameters on the stack, so using EAX is a bad idea; it may work for a single call, but it will not always work.
#6
I read the OllyDbg help file on conditional breakpoints but it isn't easy to understand.
I wish there were more examples.
#7
If you look just below the examples, there's a complete description of what an expression is, which is not exactly difficult to understand. The examples just help this along.
I tried this: [STRING [esp+4]]=="ckinfo.zip" and it worked fine, breaking only when "ckinfo.zip" was opened. I didn't try xobor's expression, but it seems that he's looking for a dword? Maybe he got the handle confused with the filename.
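The two-stage method from #3 (break on CreateFileA for one filename, take the returned handle from EAX, then break on WriteFile only for that handle) and the expression-syntax point from #7 depend on how OllyDbg reads the stack at an API's entry. The following Python simulation is an added example, not code from the thread or from OllyDbg: it models a stdcall entry frame (return address at [ESP], first argument at [ESP+4]), evaluates the small subset of OllyDbg's condition syntax used above, and runs the two-stage filter over a constructed API call trace. All addresses, handles and filenames are constructed sample values. Note that WriteFile's hFile is the handle value itself, so the second breakpoint needs a single dereference ([ESP+4]==90); the double-bracket form [[ESP+4]] would read the dword at address 0x90 instead, which is the dword confusion #7 points at.

```python
"""Added example: simulate OllyDbg-style conditional breakpoints on a stdcall frame.
Everything here (addresses, handles, file names) is constructed for illustration."""

import re
import struct

MAX_PATH = 260
STACK_TOP = 0x0012FF00    # constructed ESP on entry to the API
RET_ADDR = 0x00401234     # constructed return address into the program
STRING_BASE = 0x00403000  # constructed address where the program keeps its paths


class Memory:
    """Sparse, byte-addressable, little-endian memory like x86 sees it."""

    def __init__(self):
        self.bytes = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.bytes[addr + i] = b

    def dword(self, addr):
        return struct.unpack("<I", bytes(self.bytes.get(addr + i, 0) for i in range(4)))[0]

    def string(self, addr):
        """NUL-terminated ASCII at addr, the way OllyDbg's STRING operator reads it."""
        out = bytearray()
        while len(out) < MAX_PATH and self.bytes.get(addr + len(out), 0):
            out.append(self.bytes[addr + len(out)])
        return out.decode("latin-1")


def stdcall_entry_frame(mem, esp, ret_addr, args):
    """Stack on entry to a stdcall API: [ESP] = return address, [ESP+4] = arg 1, ..."""
    mem.write(esp, struct.pack("<I", ret_addr))
    for i, a in enumerate(args):
        mem.write(esp + 4 * (i + 1), struct.pack("<I", a))


def evaluate(expr, mem, regs):
    """Evaluate 'LHS==RHS' where LHS is REG[+disp] wrapped in zero or more [ ],
    optionally with STRING. Bare constants are hexadecimal, as in OllyDbg.
    'STRING [x]' and '[STRING x]' are treated alike, as #10 says Olly does."""
    lhs, rhs = (s.strip() for s in expr.split("=="))
    want_string = "STRING" in lhs.upper()
    lhs = re.sub(r"STRING\s*", "", lhs, flags=re.I)
    derefs = 0
    while lhs.startswith("[") and lhs.endswith("]"):
        lhs, derefs = lhs[1:-1].strip(), derefs + 1
    reg, _, disp = lhs.upper().partition("+")
    value = regs[reg] + (int(disp, 16) if disp else 0)
    if want_string:
        derefs -= 1  # the last lookup reads a string, not a dword
    for _ in range(derefs):
        value = mem.dword(value)
    if want_string:
        return mem.string(value) == rhs.strip('"')
    return value == int(rhs, 16)


def simulate(target, calls):
    """Apply the two-stage filter to a call trace of (api, first_arg, return_value).
    Returns the (index, api) pairs at which a breakpoint would fire."""
    mem, fired, handle = Memory(), [], None
    for i, (api, first_arg, ret) in enumerate(calls):
        if api == "CreateFileA":
            addr = STRING_BASE + 0x100 * i      # program pushes a pointer to its path
            mem.write(addr, first_arg.encode() + b"\0")
            first_arg = addr
        stdcall_entry_frame(mem, STACK_TOP, RET_ADDR, [first_arg])
        regs = {"ESP": STACK_TOP, "EAX": 0xDEADBEEF}  # EAX is arbitrary on entry (see #5)
        if api == "CreateFileA" and handle is None:
            if evaluate('STRING [[ESP+4]]=="%s"' % target, mem, regs):
                handle = ret                    # what EAX holds after "run until return"
                fired.append((i, api))
        elif api == "WriteFile" and handle is not None:
            if evaluate("[ESP+4]==%X" % handle, mem, regs):
                fired.append((i, api))
    return fired


# Constructed trace: two files opened, writes interleaved on both handles.
CALLS = [
    ("CreateFileA", "other.log", 0x7C),
    ("WriteFile", 0x7C, 1),
    ("CreateFileA", "ckinfo.zip", 0x90),
    ("WriteFile", 0x7C, 1),
    ("WriteFile", 0x90, 1),
]

if __name__ == "__main__":
    print(simulate("ckinfo.zip", CALLS))
```

Running it fires once on the CreateFileA for ckinfo.zip and once on the WriteFile that uses its handle, skipping the writes to the other file; the handle comparison works because the first argument is read from the stack, which is the point made in #5 about not relying on EAX.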
#8
I tried your method with CreateFileA, and it still breaks when any file is created by the process.
#9
I did a regular bp CreateFileA and the path to my file showed up in EDX as ASCII.
#10
Sorry for the delayed reply, but problems with my internet provider.
So right before I put my reply in this thread I tried these conditional breakpoints with the latest version of OllyDbg, so I have no idea why it is not working for Rhodium (I'm working on W2000 Prof SP3 ...). Squidge's example is formerly the same as mine; OllyDbg didn't take a difference between STRING [xxxx] and [STRING xxx] (it's also in the help file). So Rhodium, on what Windows are you running? Maybe we can try it on the same system. Regards