What's the difference between the different breakpoints?


blabberer
June 29th, 2003, 10:38
We can use various kinds of breaks for stopping an app at the required EIP in Olly:
1) toggle F2
2) memory on access
3) memory on write
4) hardware on execution
5) log bpt
6) conditional log
7) pause run trace on condition
8) run till selection F4
What are the differences between them, and how do you use them effectively,
i.e. how do you determine which bpt is going to be the most effective under what conditions?

Suppose I have a loop which loads all the bytes from a specific address to another specific address using lodsb, then XORs al with some byte and stosbs it. If I put an F2 toggle bpt in that place, Olly will load the CC (INT 3) instead of the original opcode in the lodsb instruction, and the loop will XOR the INT 3 and store it back, which will obviously screw up the result.

In one such case I used hardware on execution and found that the result is different from normal F2.
I also bookmarked the place, then restarted the app, used goto bookmark
and used F4 (run till selection); it returns the same result as hardware on execution.

So what is the inherent difference between those two?

Can I use a memory on access breakpoint in the same situation and still get good results?

If this also returns a good result, why are so many options required?

Any and all explanations are welcome.
Hope I get some answers.

Pov
June 29th, 2003, 15:19
F2 uses "debugger breakpoint" (overwrites original code with INT 3 instruction, places back original code when the INT 3 has been reached).

Hardware execution doesn't need this code alteration, and so code like you describe above will execute correctly. However, you only have 4 of these hardware breakpoints, so you need to use them wisely. The "debugger breakpoints" are infinite in use.

Pov
June 29th, 2003, 15:21
Secondly, a "hardware on execution" will only break if the code is executed, a "hardware on access" will break if the code is executed OR read by the program (eg. for CRC check).

blabberer
July 1st, 2003, 10:37
Hardware on access, you mean memory on access, isn't it?
BTW, this hardware on execution is available only on NT based systems it seems,
viz. win2k; it is not available on win9x.

But run till selection (F4) is available in both 9x and w2k.

If it doesn't alter the opcode with CC (INT 3), how is it accomplished? Just a general idea is ok (don't ask me to google).

And does run till selection use this hardware process, or whatever it is
called?

Why should it be limited to just 4 bpts? (I know it is 4, and you can delete them and follow them in the debugger hardware breakpoints options, and set them with right-click.)

Some kind of theoretical explanation in layman's terms would be helpful to
understand these breakpoints.

Hope I get some more replies.

Pov
July 1st, 2003, 15:19
"Run till selection" uses a one-shot hardware on execution breakpoint.

The Intel (and AMD/etc) CPUs have some special registers which are intended for debugging use only. By storing special values into these registers, a program can ask the CPU to execute an INT 1 (interrupt 1) instruction immediately whenever a specified memory location is read from or written to. They can also stop when a memory address is about to be executed as code. The number of these registers is finite, and with the current processors, it's limited to 4 breakpoints. The wonders of Windows, however, allow this to be 4 breakpoints per process, as it will change the registers on each process switch.

The only limitation here is that if a breakpoint is placed by a ring 3 (application layer) program and occurs in ring 0 (system layer) space, then the ring 3 program will not be notified of the breakpoint until the system returns to the ring 3 layer.
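
Pov's description of the debug registers and the first post's self-XORing loop, modelled together as an added Python example (this is not code from the thread or from OllyDbg): a debugger that patches INT 3 into memory changes the bytes the loop reads, while an address compare in DR0/DR7 leaves memory untouched. The load address 0x401000, the 7-byte routine and the names of the helpers are constructed for the example; the DR7 bit layout (L0..L3 at bits 0, 2, 4, 6; R/Wn and LENn at bits 16 and up) is the one Intel documents.

```python
"""Model of the two breakpoint mechanisms discussed in this thread.

Constructed example, not code from the thread or from OllyDbg.  The "program"
is a synthetic 7-byte routine (lodsb / xor al,5Ah / stosb / loop / ret) that
XOR-encodes its own bytes, the situation the first post describes; the CPU,
the debugger and memory are all modelled here in Python.
"""

BASE = 0x401000                       # assumed load address of the routine
# Real x86 encodings: AC = lodsb, 34 5A = xor al,5Ah, AA = stosb,
# E2 FA = loop -6 (back to lodsb), C3 = ret
CODE = bytes.fromhex("AC345AAAE2FAC3")
LOOP_INSNS = (0, 1, 3, 4)             # offsets of lodsb, xor, stosb, loop
RET_INSN = 6                          # offset of ret: the loop's exit point
KEY = 0x5A
INT3 = 0xCC

# DR7 field values (Intel SDM vol. 3, "Debug Registers")
RW_EXECUTE, RW_WRITE, RW_READWRITE = 0b00, 0b01, 0b11
LEN_1, LEN_2, LEN_4 = 0b00, 0b01, 0b11


def encode_dr7(slot, rw=RW_EXECUTE, length=LEN_1):
    """DR7 value enabling DRn (slot 0-3) locally with the given R/W and LEN fields."""
    if not 0 <= slot <= 3:
        raise ValueError("only DR0-DR3 hold addresses, hence the limit of four")
    if rw == RW_EXECUTE and length != LEN_1:
        raise ValueError("execute breakpoints require LEN = 00")
    local_enable = 1 << (2 * slot)            # L0..L3 at bits 0, 2, 4, 6
    rw_bits = rw << (16 + 4 * slot)           # R/Wn at bits 16-17, 20-21, ...
    len_bits = length << (18 + 4 * slot)      # LENn at bits 18-19, 22-23, ...
    return local_enable | rw_bits | len_bits


class Trap(Exception):
    """The modelled CPU delivering INT 1 (debug registers) or INT 3 (patched byte)."""

    def __init__(self, vector, pc):
        super().__init__(f"INT {vector} at {pc:#x}")
        self.vector, self.pc = vector, pc


def fetch(mem, pc, dr0, dr7):
    """Instruction fetch at pc: address compare first, then the byte actually in memory."""
    # Hardware: DR0 matches the fetch address while L0 is set and R/W0 = execute.
    if dr7 & 1 and (dr7 >> 16) & 0b11 == RW_EXECUTE and pc == dr0:
        raise Trap(1, pc)
    # Software: the debugger wrote 0xCC over the opcode, and the CPU just executes it.
    if mem[pc - BASE] == INT3:
        raise Trap(3, pc)


def run_self_check(mem, dr0=None, dr7=0):
    """Run the routine over its own bytes; return (encoded output, trap or None)."""
    out = bytearray()
    try:
        for i in range(len(CODE)):                # loop: one byte per iteration
            for off in LOOP_INSNS:
                fetch(mem, BASE + off, dr0, dr7)
            out.append(mem[i] ^ KEY)              # lodsb reads what is *in memory*
        fetch(mem, BASE + RET_INSN, dr0, dr7)     # ret: where the user wants to stop
    except Trap as trap:
        return bytes(out), trap
    return bytes(out), None


def no_debugger():
    return run_self_check(bytearray(CODE))


def software_breakpoint(addr):
    """F2 in Olly: the debugger saves the original byte and writes INT 3 over it."""
    mem = bytearray(CODE)
    mem[addr - BASE] = INT3
    return run_self_check(mem)


def hardware_breakpoint(addr):
    """Hardware on execution: memory untouched, DR0 and DR7 programmed instead."""
    return run_self_check(bytearray(CODE), dr0=addr, dr7=encode_dr7(0))


if __name__ == "__main__":
    clean, _ = no_debugger()
    for name, (out, trap) in (("software", software_breakpoint(BASE + RET_INSN)),
                              ("hardware", hardware_breakpoint(BASE + RET_INSN))):
        same = "matches" if out == clean else "differs from"
        print(f"{name}: stopped by {trap}; output {same} the clean run")
```

Both debuggers stop at the ret, but only the hardware one returns the same output the routine produces when nobody is watching: the software breakpoint's 0xCC sits in the very bytes the loop encodes, so the seventh output byte comes out as 0xCC ^ 0x5A instead of 0xC3 ^ 0x5A. The four-slot limit Pov mentions falls straight out of `encode_dr7`: there is no fifth address register to enable.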

blabberer
July 5th, 2003, 07:14
"Run till selection" uses a one-shot hardware on execution breakpoint.

Do they behave differently on w2k and w98? Because in 98 I see a different result and in w2k I see a different result;
w2k's result is consistent with the hardware breakpoint.
And do you mean debug registers when you talk about special registers,
DR1 to DR7?
Are these registers visible only in w2k and not w98?

Pov
July 5th, 2003, 11:06
Yes, they behave differently in win98/2k, and special registers == debug registers. Debug registers however are possible in both 98 and 2k, but 2k has more restrictions.

blabberer
July 6th, 2003, 09:25
So with w98 and the above situation (the app tracing itself for CC), what breakpoint should I use, since I cannot use either INT 3 or run till selection?

Anonymous
July 6th, 2003, 15:44
Use anything that will throw an exception and then let Olly catch it - for example, an access violation, or invalid lock sequence. I've used LOCK NOP before, which stops execution in its tracks with an INVALID LOCK SEQUENCE exception. Now, most assemblers will not let you create such an invalid command, so just use hex mode and use something like F0 90.

blabberer
July 11th, 2003, 08:21
Use anything that will throw an exception and then let Olly catch it

I didn't understand (yep, I know db 8d c0 lea eax,[eax] will create an access violation and I can trap it with SEH, but how do you propose this can be done with
a precoded exe that I just trace?). Do you say I use a hex editor to modify the bytes at the place where I want to stop? (I don't think it will work because the app is tracing itself and will create a hash based on the modified bytes.) I am interested in finding the hash without any modification to the exe, as soon as it is created (i.e. I need to stop at the exit point of the loop where it traces itself).

And I want to do this in w98 (w2k is ok, I can use a hardware bpt or run till selection), but I just don't see a possibility in w98.

Any ideas?

Anonymous
July 11th, 2003, 13:10
You can still do hardware breakpoints in win98, they are just done differently than in WinXP/2K. Notice hundreds of examples by using google.

Or you can use a complete Intel processor emulator (such as TR) which allows you to set as many "hardware" breakpoints as you like as it's emulating the entire processor.

thomasantony
March 5th, 2005, 02:41
Hi,
I know this is an old thread. But still, can anyone tell me where I can get such an emulator? Google only tells me about embedded system emulators.

Thomas Antony