Hi,

first off, please don't flame, this is my first post, and I'm very excited to be here

second, I've searched (this forum and google) for an answer to my question, and although I have found someone asking for help in this area, I'm not able to follow the answers he/she got. In case I did miss a post where my problem is answered, I appologize. I have tried to find it, and I have read OllyDbg.hlp on the subject.

Anyway, here goes:

I'm trying to familiarize myself with conditional breakpoints. Specifically I'm trying to set a breakpoint for when ECX = "some ascii text".
What I've found that should work is: UNICODE [ECX]=="some ascii text", but I never break on it. For testing purpose I set a (manual) breakpoint above where I know ECX is set to "some ascii text", and run from there I never break again - so it's not that this code happens in a external loaded exe or similar.

The info I can give, if helpful, is:
at some point ECX is set to 01F186B8 (in hex) with OllyDbg saying it's "ASCII xxxx".
I have ctrl+t, checked Condition is TRUE and put in .

Just for the record, I also tried ECX=="xxx" (without unicode), and neither of the two break.

Can anyone help me as to why these conditions don't break?
- and yes, as I tried explaining above, I have verified that ECX is set to "xxxx" at specific adress.

Any help is greatly appreciated.

- James

Thank you for having started off "on the right foot." You'll get no complaint from me about your "first" post. You must have actually read the FAQ.

Regards,

Thanks, JMI.

In case it helps, I've uploaded a screenshot of "what I'm doing": http://i39.tinypic.com/bdut1w.png

I'm still clueless as to why it does not work. At first (since this text is entered in one of the application's windows, not the main window) I thought it might be due to the code being "out of reach", if you know what I mean. However, I'm fully able to break manually above the code, so right now... I don't have any idea what I'm doing wrong.

UPDATE: I've realized one problem is OllyDbg allowed me to set a bp like ECX=="xxxx" without an address. With an address it works at the location I know. However, I wanted to be able to break whenever ECX is set to xxxx, not just the place I know. I'm studying the helpfile like crazy, but I come up looking like one big questionmark.

Any help is greatly appreciated

Is my question too vague (or too trivial)?

It just seems like an obvious feature to have. Breaking whenever a registry gets a certain value

I know it's hard, but learning patience is one of the "arts" of Reverse Engineering.

Not everyone has the opportunity to check in everyday and someone with the information might have missed you original post.

Regards,

Yeah I know, and sorry, I didn't mean to be rude

I didn't think you were being rude, only experiencing the impatience of youth, used to the somewhat "instant gratification" of the modern world.



I also know the feeling of working hard on a reversing project, getting stuck on something, and wanting to be "unstuck" NOW.

Just remember that in the scheme of life, this is not really that big a thing to "test" your patience. Life does, at times, throw real challenges into one's life.

But enough philosophy for one day.

Regards,

put the conditional Breakpoint, in this example EAX will break when point to string "pepe"

Put a conditional breakpoint in the address you think EAX can point to "pepe"

Set condition

EAX=="pepe"

Pause program "ON CONDITION"

and decode value "POINTER TO ASC STRING"

if when the program pass for the breakpoint conditional, and EAX point to string "pepe" the conditional BP trigger and the program stop, if EAX point to other string continue running without stopping.

ricnar

I'm not sure I follow.

Ctrl+T, Condition is TRUE: EAX=="pepe",
that I can do just fine. Are you summing up how conditional breakpoints work or am I misunderstanding your post? The way I read it, you say what will happen if I put a conditional breakpoint on an address. The essense in my question is, how do I set a conditional breakpoint on ALL addresses (so I break whenever EAX=="pepe".

If I've misunderstood you, please clearify what you mean by:


Thanks for the reply

You ask for other thing, not for a conditional breakpoint at all, and i tell you how a conditional breakpoint in a address work.(the only possible method of work of conditional BP)
Now if you want other thing, well only tracing with a condition EAX=="pepe", or with a slow script, putting a BP in all sections, and each time when the bp is trigged, compare if EAX=="pepe" and stop if true will work, but is a slow process and not recommended.

ricnar

you title your post

OllyDBG conditional BP help

and I explain to you how OllyDBG conditional BP works, other different thing is not OllyDBG conditional BP at all.

ricnar

Thanks. I'll put my money on memory stack -> memory read/write then I just thought it was a pretty obvious feature that should be there, but hey, I'm new, what do I know, right?

Thanks again, and sorry for the vague question, I thought I made it clear

- James

It's a slow process too, this BP will be triggered in each pop, push, mov from and to stack, etc etc, next will be compared and start execution again, very slow, but possible.

ricnar