Hardware memory breakpoints [Archive] - RCE Messageboard's Regroupment

remdynamic

July 13th, 2013, 19:42

Hi!

When I have a certain byte or range of bytes of which I know it will contain certain interesting data at some point, I usually set a hardware breakpoint on it.

However, I noticed that it doesn't always break. For example, now I want to keep an eye on the byte at DS:[9F2020], so I set a hardware BP there. However

(EAX = 9F2020)
MOV DWORD PTR DS:[EAX],EBP

won't cause Olly to break. However

(EDI = 9F2024)
REP STOS DWORD PTR ES:[EDI]

will cause Olly to break.

Am I misinterpreting the adressing system in Olly? I assume that

009F2020 | 00 00
__________^this is the byte on 009F2020

Do I need just to set my breakpoint a byte or 4 bytes before that?

blabberer

July 14th, 2013, 14:36

how did you set hardware breakpoint
for memory read and write
you either need to set
hardware bp->memory on access->byte // word // dword or
hardware bp -> memory on write ->byte // word // dword

if you had set an execute break it will not break on access of that memory

i dont see any problems in hw bp

Code:

00401000 >MOV     EAX, 403000

00401005  NOP

00401006  NOP

00401007  MOV     DWORD PTR DS:[EAX], EBP

00401009  MOV     DWORD PTR DS:[EAX], EBP

0040100B  NOP

0040100C  NOP

0040100D  NOP

0040100E  CALL    00403000

00401013  JMP     SHORT 00401013

Log data
Address Message

Code:

00401009   Hardware breakpoint 2 at msgbox.00401009		<----------------- second breakpoint @401009 hit

						 	first 401007 did not hit though eax contains 403000

00403000   Hardware breakpoint 1 at msgbox.MsgCaption               execution hw bp hit