Exetools > General > General Discussion

Olly conditional breakpoint help

#1 - 07-18-2003, 07:55 - Rhodium

I am using OllyDbg and am somewhat of a newb.

Anyway, I successfully breakpointed on the function Kernel32.WriteFile when I save the file.

I want to create a conditional breakpoint on Kernel32.WriteFile, but only when it refers to a specific file identified by the filename. Now the first parameter of Kernel32.WriteFile is "hFile", which identifies the file, so that's exactly what I need to use.

So yeah, I only want to break when Kernel32.WriteFile writes to a specific file identified by its filename, using a conditional breakpoint in Olly. I don't have any experience with conditional breakpoints.

I searched and found this topic, maybe someone can make sense of it?

http://ollydbg.win32asmcommunity.net/index.php?action=vthread&forum=1&topic=310&page=

Last edited by Rhodium; 07-18-2003 at 08:04.
#2 - 07-18-2003, 15:36 - Squidge
The handle that WriteFile uses is a handle to a file, not a filename, so you will have to breakpoint on CreateFileA first to obtain the file handle that will go with the filename before placing the conditional breakpoint on the WriteFileA.
#3 - 07-18-2003, 15:49 - xobor
Exactly as Squidge wrote.

In the latest Olly, press ALT+F1 (Plugins->Command Line->Command Line).

In the edit box, type: bp CreateFileA, STRING [[ESP+4]]=="yourfilename"

Press F9; when Olly breaks, press CTRL+F9 (run until return), press F8 (one step) and read the value in EAX - it's the handle for your file.

So in the Command Line plugin, add a new breakpoint:

bp WriteFile, [[ESP+4]]==90

(of course you must replace the value 90 with your EAX value)

and go for debugging.

Hope this helps.
#4 - 07-18-2003, 17:31 - Rhodium
xobor, I put that into the command line and set the bp, but it still breaks on the CreateFileA for any file.

Are you sure that is a conditional breakpoint?

I assume [[ESP+4]] = EAX

Why not just do bp CreateFileA, STRING EAX=="yourfilename" ?

Last edited by Rhodium; 07-18-2003 at 17:35.
#5 - 07-18-2003, 18:13 - Squidge
Windows API functions take their parameters on the stack, so using EAX is a bad idea; it may work for a single call, but it will not always work.
#6 - 07-19-2003, 04:30 - Rhodium
I read the Ollydbg help file on conditional breakpoints but it isn't easy to understand.

I wish there were more examples.
#7 - 07-19-2003, 06:01 - Squidge
If you look just below the examples, there's a complete description of what an expression is, which is not exactly difficult to understand. The examples just help this along.

I tried this:

[STRING [esp+4]]=="ckinfo.zip"

And it worked fine, breaking only when "ckinfo.zip" was opened.

I didn't try xobor's expression, but it seems that he's looking for a dword? Maybe got the handle confused with the filename.
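The two-step procedure in #3 (break on CreateFileA when the name matches, run until return to capture the handle in EAX, then break on WriteFile when the first parameter equals that handle), Squidge's point in #5 that the parameters live on the stack rather than in EAX, and his remark in #7 that an extra dereference looks for a dword instead of the filename, modelled in Python as an added example. This is not code from the thread or from OllyDbg: it builds a toy stdcall stack frame and computes what each breakpoint condition has to mean, without parsing Olly's own expression syntax (Olly's help file defines that). Everything in it is constructed: the 64 KiB flat memory, the addresses, the register values, and the handle value 0x90. One caveat worth keeping in mind when copying `==90` from #3: OllyDbg treats number constants as hexadecimal unless they end with a point, so `90` there means 0x90.

```python
import struct

# Toy model of a 32-bit debuggee at the entry of a stdcall API call, used to
# show what the two breakpoint conditions in the thread have to compute.
# Assumed: flat little-endian 64 KiB memory; every address, register value and
# the handle value 0x90 are constructed for the demo, not taken from a real process.
MEM_SIZE = 0x10000


class Frame:
    """Register file plus memory image at one instant of the debuggee."""

    def __init__(self, regs):
        self.regs = dict(regs)
        self.mem = bytearray(MEM_SIZE)

    def dword(self, addr):      # Olly's [x]: the DWORD stored at address x
        if not 0 <= addr <= MEM_SIZE - 4:
            return 0            # an unmapped address reads as zero in this model
        return struct.unpack_from("<I", self.mem, addr)[0]

    def string(self, addr):     # NUL-terminated ASCII text stored at address x
        if not 0 <= addr < MEM_SIZE:
            return ""
        end = self.mem.find(b"\x00", addr)
        return self.mem[addr:end if end >= 0 else MEM_SIZE].decode("ascii", "replace")

    def arg(self, n):           # n-th (1-based) stdcall parameter at function entry
        return self.dword(self.regs["ESP"] + 4 * n)


def stdcall_entry(args, regs, ret_addr=0x401000):
    """Frame at an API's first instruction: the caller pushed the arguments
    right-to-left, then CALL pushed the return address, so [ESP] is the return
    address, [ESP+4] the first parameter, [ESP+8] the second, and so on.
    Registers other than ESP hold whatever the caller happened to leave there."""
    frame = Frame({"ESP": 0x8000, **regs})
    for value in list(reversed(args)) + [ret_addr]:      # PUSH args, then CALL
        frame.regs["ESP"] -= 4
        struct.pack_into("<I", frame.mem, frame.regs["ESP"], value & 0xFFFFFFFF)
    return frame


FILENAME_ADDR, FILE_HANDLE = 0x1000, 0x90          # constructed values


def createfile_entry():
    """CreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile) opening ckinfo.zip.
    EAX holds leftover junk; EDX happens to hold the name pointer, as Rhodium saw."""
    frame = stdcall_entry([FILENAME_ADDR, 0x80000000, 0, 0, 3, 0x80, 0],
                          {"EAX": 0x12345678, "EDX": FILENAME_ADDR})
    frame.mem[FILENAME_ADDR:FILENAME_ADDR + 11] = b"ckinfo.zip\x00"
    return frame


def createfile_return():
    """State after "run until return" plus one step: the handle is in EAX and
    the seven parameters have been popped by the callee (stdcall convention)."""
    return Frame({"ESP": 0x8000, "EAX": FILE_HANDLE})


def writefile_entry(handle=FILE_HANDLE):
    """WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten,
    lpOverlapped) on the handle CreateFileA returned."""
    return stdcall_entry([handle, 0x2000, 0x100, 0x3000, 0], {"EAX": 0x2000})


# Step 1: the CreateFileA condition compares the string that the FIRST PARAMETER
# points to. The EAX variant from the thread is shown for contrast.
def name_matches(frame, wanted):
    return frame.string(frame.arg(1)) == wanted


def eax_name_matches(frame, wanted):      # EAX is not an argument; it holds junk here
    return frame.string(frame.regs["EAX"]) == wanted


# Step 2: the WriteFile condition compares the first parameter's VALUE with the
# handle captured in EAX at step 1. A handle is a small integer, not a pointer,
# so dereferencing it once more ([[ESP+4]] instead of [ESP+4]) compares a dword
# read from the wrong place.
def handle_matches(frame, wanted_handle):
    return frame.arg(1) == wanted_handle


def deref_handle_matches(frame, wanted_handle):
    return frame.dword(frame.arg(1)) == wanted_handle


if __name__ == "__main__":
    cf = createfile_entry()
    print("name via [ESP+4]   :", name_matches(cf, "ckinfo.zip"))        # True
    print("name via EAX       :", eax_name_matches(cf, "ckinfo.zip"))    # False
    captured = createfile_return().regs["EAX"]                           # 0x90
    wf = writefile_entry()
    print("handle == [ESP+4]  :", handle_matches(wf, captured))          # True
    print("handle == [[ESP+4]]:", deref_handle_matches(wf, captured))    # False
    print("other handle       :", handle_matches(writefile_entry(0x94), captured))  # False
```

Running it prints the five results above. The last two lines are the practical point: once the handle from step 1 is in hand, the WriteFile condition is a plain equality on the first stack parameter, and a write through any other handle (the constructed 0x94) does not fire.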
#8 - 07-19-2003, 06:22 - Rhodium
I tried your method with CreateFileA, and it still breaks when any file is created by the process.
#9 - 07-19-2003, 06:34 - Rhodium
I did a regular bp CreateFileA and the path to my file showed up in EDX as ASCII.
#10 - 07-21-2003, 14:19 - xobor
Sorry for the delayed reply, but I had problems with my internet provider.

Right before I put my reply in this thread I tried these conditional breakpoints with the latest version of OllyDbg, so I have no idea why it is not working for Rhodium (I'm working on W2000 Prof SP3 ...).

Squidge's example is formally the same as mine; OllyDbg doesn't distinguish between STRING [xxxx] and [STRING xxx] (it's also in the help file).

So Rhodium, which Windows are you running? Maybe we can try it on the same system.

Regards