View Full Version : Howto put advanced breakpoint


hosiminh
January 30th, 2005, 07:59
I want to put bp something like this :

Bpx RegQueryValueExA if (**(esp+8)=='blah') || (**(esp+8)=='jeje')

Is this possible in Ollydbg ?

MaRKuS TH DJM
January 30th, 2005, 08:44
Why not use a conditional breakpoint? I think you can do these things with it.

garryw
January 30th, 2005, 10:33
bp RegQueryValueExA STRING [[esp+8]]=="blah" || STRING [[esp+8]]=="jeje"
at least I think that's what you're asking

blabberer
January 31st, 2005, 06:52
alt+e (executable modules)
navigate to advapi32.dll
press ctrl+n find names
type RegQueryValueExa
right click follow in disassembler
press shift+f4
use the following

condition
[string [esp+08]] == "bluh" || [string [esp+08]] == "bleh"

explanation
this is some trial crap

expression
[string [esp+08]]

decode value of expression as : pointer to ascii string

pause program radio button never

log value of expression radio button always

log function argument radio button on condition


press ok


now if you run the exe

you will get an output like this in log window

Log data
Address Message
77DB858E COND: this is some trial crap = vptray
77DB858E COND: this is some trial crap = bluh
77DB858E CALL to RegQueryValueExA from requery.00401058
hKey = 30
ValueName = "bluh"
Reserved = NULL
pValueType = requery.004030B0
Buffer = requery.004030B4
pBufSize = requery.004030A5
77DB858E COND: this is some trial crap = bleh
77DB858E CALL to RegQueryValueExA from requery.00401079
hKey = 30
ValueName = "bleh"
Reserved = NULL
pValueType = requery.004030B0
Buffer = requery.004030B4
pBufSize = requery.004030A5
77DB858E COND: this is some trial crap = tingting
77DB858E COND: this is some trial crap = tongtong
77DB858E COND: this is some trial crap = bluhbluh
77DB858E CALL to RegQueryValueExA from requery.004010DC
hKey = 30
ValueName = "bluhbluh"
Reserved = NULL
pValueType = requery.004030B0
Buffer = requery.004030B4
pBufSize = requery.004030A5
77DB858E COND: this is some trial crap = reaahhh
77DB858E COND: this is some trial crap = huhuhu
77DB858E COND: this is some trial crap = dadada
77DB858E COND: this is some trial crap = gugugu
77DB858E COND: this is some trial crap = hehehe
77DB858E COND: this is some trial crap = Synchronization Manager
77DB858E COND: this is some trial crap = Default
004011CA Breakpoint at requery.004011CA (<ModuleEntryPoint>+1CA)

Notice it has logged the function arguments on the condition and has not recorded when the condition was not met. Notice it also recorded when the string was bluh as well as bluhbluh.
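Added example, not part of the thread and not OllyDbg code: a small Python model of what the condition `[string [esp+08]] == "bluh" || [string [esp+08]] == "bleh"` reads at the first instruction of RegQueryValueExA, run over the value names from the log above. The prefix-style comparison is inferred from the log (it fired for "bluhbluh"); the stack and string addresses are constructed, and the `exact` switch is a hypothetical strict comparison shown for contrast.

```python
import struct

# Value names copied from the log on this page, in the order they were queried.
NAMES = [b"vptray", b"bluh", b"bleh", b"tingting", b"tongtong", b"bluhbluh",
         b"reaahhh", b"huhuhu", b"dadada", b"gugugu", b"hehehe",
         b"Synchronization Manager", b"Default"]

def build_entry_stack(value_name, esp=0x0012FF00, str_addr=0x00403000):
    """Constructed 32-bit memory image at the entry of RegQueryValueExA."""
    mem = {}
    def put(addr, data):
        for i, b in enumerate(data):
            mem[addr + i] = b
    # stdcall entry: [esp] = return address, [esp+4] = hKey, [esp+8] = ValueName
    put(esp, struct.pack("<III", 0x00401058, 0x30, str_addr))
    put(str_addr, value_name + b"\x00")
    return mem, esp

def read_dword(mem, addr):
    return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]

def read_cstring(mem, addr):
    out = bytearray()
    while mem[addr] != 0:          # stop at the NUL terminator
        out.append(mem[addr])
        addr += 1
    return bytes(out)

def condition(mem, esp, literals, exact=False):
    """Model of [string [esp+8]] == lit1 || [string [esp+8]] == lit2."""
    name = read_cstring(mem, read_dword(mem, esp + 8))   # dereference the pointer
    if exact:
        return name in literals                          # hypothetical strict compare
    # Behaviour seen in the log: only the literal's length is compared.
    return any(name[:len(lit)] == lit for lit in literals)

def logged_calls(names, literals, exact=False):
    """Value names for which the arguments would be logged on condition."""
    hits = []
    for n in names:
        mem, esp = build_entry_stack(n)
        if condition(mem, esp, literals, exact):
            hits.append(n.decode())
    return hits

if __name__ == "__main__":
    print(logged_calls(NAMES, [b"bluh", b"bleh"]))              # as in the log
    print(logged_calls(NAMES, [b"bluh", b"bleh"], exact=True))  # strict compare
```

When triaging such a log, treat a hit as "value name starts with the literal" and check the logged ValueName line before concluding the exact key was queried.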