problems with DLL cond. bpx's failing to match regexp
Paul6253
December 22nd, 2004, 11:23
Hi,
Probs with this:
Breakpoints, item 3
Address=77DD7883 ADVAPI32.RegQueryValueExA
Module=ADVAPI32
Active=When [[STRING esp+8]] == 'LoggedKeys'
Disassembly=MOV EDI,EDI
Comment=RegQueryValueExA Valuename Check
As you can see from
< Active=When [[STRING esp+8]] == 'LoggedKeys' >
in the above, I am checking the 2nd param to the function for a specific valuename...
Well, it's not working! Sometimes the match is dead on... sometimes it
matches every other name under the sun, bpxing on every name.
What's wrong here? Is this a bug in Olly or is my regexp not clear enough?
I've perused the Olly help many times... my syntax appears to fit.
Thanks for any help
Paul
Lord_Looser
December 22nd, 2004, 12:13
[[STRING esp+8]] == "LoggedKeys"
" " != ' '
Paul6253
December 22nd, 2004, 15:31
Um... no,
that did not help... but I assume your cryptic " " != ' ' means I should
use double quotes around the test string...
I tried, doesn't work either.
Thanks anyway, Lord

Anyone else have a suggestion???
garryw
December 22nd, 2004, 16:01
bp RegQueryValueExA STRING [[esp+8]]=="LoggedKeys"
Paul6253
December 22nd, 2004, 21:59
Nope... didn't work.
When run, it broke on:
0012F9CC 73792228 /CALL to RegQueryValueExA from DDRAW.73792226
0012F9D0 0000007C |hKey = 7C
0012F9D4 737622FC |ValueName = "Name" <-- nothing even close
0012F9D8 00000000 |Reserved = NULL a match!
0012F9DC 0012FB00 |pValueType = 0012FB00
0012F9E0 0012FC54 |Buffer = 0012FC54
0012F9E4 0012FAFC \pBufSize = 0012FAFC
Lord_Looser
December 23rd, 2004, 01:29
You have to modify conditional log breakpoint settings (Shift-F4) at RegQueryValueExA.
Change attribute "Pause Program" from "Always" to "On Condition".
Paul6253
December 24th, 2004, 11:19
I did that... still doesn't work.
I even tried other match patterns...
That's not to say it's not working at all, but it should run until it
sees my search expression and it does not... it breaks on EVERY
Valuename parameter
blabberer
December 25th, 2004, 07:48
your format string is not right so it does not break
where it needs to break
[STRING [ESP+8]] == "YOUR STRING HERE"
Breakpoints, item 1
Address=77DB858E ADVAPI32.RegQueryValueExA
Module=ADVAPI32
Active=Log "oh my shit" when [string [esp+8]] == "YOUR STRING HERE"
Disassembly=PUSH EBP
Log data
Address Message
77DB858E COND: oh my shit = YOUR STRING HERE
77DB858E CALL to RegQueryValueExA from 00401058
hKey = 30
ValueName = "YOUR STRING HERE"
Reserved = NULL
pValueType = 00403044
Buffer = 00403048
pBufSize = 0040303C
77DB858E Conditional breakpoint at ADVAPI32.RegQueryValueExA: YOUR STRING HERE
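
The stack layout behind the condition [STRING [ESP+8]], as an added example that is not part of the original thread: a small Python model of the first stack slots at entry to RegQueryValueExA, showing that esp+8 holds a pointer to the value name rather than the text itself. The Memory class, the helper names, the 0x00500000 pointer and the exact byte comparison are assumptions of this model; the other addresses come from the stack dump posted above.

```python
import struct

class Memory:
    """Sparse little-endian 32-bit memory; contents are constructed sample data."""
    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr, n):
        return bytes(self.cells.get(addr + i, 0) for i in range(n))

    def read_dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_cstring(self, addr, limit=260):
        # Bytes up to (not including) the first NUL terminator
        return self.read(addr, limit).split(b"\0", 1)[0]

def push_call(mem, esp, ret, hkey, name_ptr, name):
    """Lay out the stdcall stack as seen on the function's first instruction."""
    mem.write(name_ptr, name + b"\0")
    # [esp] = return address, [esp+4] = hKey, [esp+8] = pointer to ValueName
    mem.write(esp, struct.pack("<III", ret, hkey, name_ptr))

def text_at_slot(mem, esp):
    """Text read directly at esp+8: just the raw bytes of the pointer."""
    return mem.read_cstring(esp + 8)

def value_name(mem, esp):
    """[STRING [ESP+8]]: load the pointer stored at esp+8, then read text there."""
    return mem.read_cstring(mem.read_dword(esp + 8))

def should_pause(mem, esp, wanted):
    # Exact comparison is a simplification made by this model
    return value_name(mem, esp) == wanted

if __name__ == "__main__":
    mem, esp = Memory(), 0x0012F9CC
    # Call from DDRAW as in the posted dump: ValueName = "Name"
    push_call(mem, esp, 0x73792228, 0x7C, 0x737622FC, b"Name")
    print(text_at_slot(mem, esp), value_name(mem, esp),
          should_pause(mem, esp, b"LoggedKeys"))
    # Constructed second call whose ValueName is the string being hunted
    push_call(mem, esp, 0x73792228, 0x7C, 0x00500000, b"LoggedKeys")
    print(value_name(mem, esp), should_pause(mem, esp, b"LoggedKeys"))
```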