View Full Version : conditional bp


Jo_ti
August 29th, 2009, 18:26
Hi,

I want to ask a very silly question, so please guys, don't get angry.

I know very well how to put a bp on a specific API with a condition regarding a specific value in EAX.


But I don't know how to bp on a specific API when an ASCII string shows in EAX.


I want to put a bp on the get module handle API when EAX contains a specified ASCII string, for example:

eax 0012533 ASCII "woodmann"


Can anyone give me an example related to this? Only a small example.

Thanks

usernombre
August 30th, 2009, 03:06
For OllyDbg - t-12617.html

APACHE
August 30th, 2009, 03:46
Dear jo_ti, I think it's not quite possible with ease.
Searching for the string in the memory area and trying a BPM on access on the first byte may help you. Along with this you can use Point-H (great work, Ricardo Narvaja Sir) for reg schemes calculation. It works in almost all cases. Or try SoftICE, but I don't know much about that.

dELTA
August 30th, 2009, 19:06
We won't get angry for lame questions, but we will for double posting...

I replied in your other thread about this exact same topic...

http://www.woodmann.com/forum/showthread.php?t=12984

Jo_ti
September 1st, 2009, 15:15
Hi Delta,

Ya, I saw that, but that process is similar to tracing. It will take a long time. But I know the location of the API; on putting a bp and running the application, the string shows. So I just want to put the conditional bp there so that it stops there. It's taking nearly 70-80 runs until that string pops up in EAX, so it's hard to run 70-80 times. So I just want to know the quick way, so that after running, if EAX reaches that value, it stops.

SiGiNT
September 2nd, 2009, 01:55
Run the program in Olly, put a HW BP on the memory section it shows up in - run again, after break, search, if not there it should be a short trace - don't expect it to be at exactly the same byte, strings move around but generally stay in the same section.

Could it be a resource? Check the prog, then each API, then put a break on push XXX (resource hex identifier), in the prog or API.

SiGiNT

Jo_ti
September 2nd, 2009, 07:37
Thanks, I will try this one.