View Full Version : Some questions about the usage of ollydbg


monu
June 14th, 2005, 07:10
Hello,

I'm rather new to ollydbg and have several questions. I've searched the help and this forum for the answers but had no success.

1/
Is it possible to set a conditional bp such as:

(EAX > 00000001) && (EAX <= 000000FF)

2/
Is it possible to set "on access" or "on write" bp's on multiple memory addresses? If so, how can I see a list of these memory bp's. They don't show up in ALT + b.

3/
Is it possible to read the contents of a **pointer on a bp?

MOV EAX, 00123456 // pointer loaded in register
MOV EBX, [EAX]

monu
June 14th, 2005, 07:20
grrrr, entered a Tab + CR which posted my incomplete message.

Here's question 3 as initially intended:

3/
Is it possible to read the contents of a **pointer on a bp?

1 MOV EAX, 00123456 // Dword at memory 0x00123456 holds a second pointer.
2 MOV EBX, [EAX] // Second pointer loaded in EBX
3 MOV ECX, [EBX] // Content at second pointer loaded in ECX

Is it possible to do something like [[EAX]] at a bp on 1 to get the value stored at pointer1->pointer2->value?

Thanks in advance,

David

blabberer
June 14th, 2005, 11:23
yes you can set multiple conditions on breakpoints, refer to ollydbg.hlp and experiment
i mean if you want to set a breakpoint on eax then eax must have been filled by a prior instruction
assuming you have mov eax,fs:[0]
mov eax,[eax+2]
and when you have set the breakpoint on mov eax,fs:[0] you won't be getting any output because the instruction is yet to be executed and the expression fails

it is kinda tedious to explain the concept of condition

assume you have this code

00401026 B8 38304000 MOV EAX,MSGBOXMO.00403038
0040102B 8B00 MOV EAX,DWORD PTR DS:[EAX]
0040102D 8B00 MOV EAX,DWORD PTR DS:[EAX]

and you have on 403038
00403038 40 30 40 00 @0@.

on 403040
00403040 50 30 40 00 P0@.

on 403050
00403050 79 6F 75 00 you.

and if you wish to evaluate eax on first instruction it doesn't have any meaning because eax may contain any random garbage
breakpoint is hit first and the instruction at ip is executed later

but if you use the constant addr to evaluate then it will succeed to get you the string you

try string [[[403038]]] on the first instruction
and olly will log it for you
Log data, item 1
Address=00401026
Message=COND: you


memory breakpoints by their very nature are not set at a single address
but on a whole page, as such only one memory breakpoint is available
it is clearly mentioned in the help file



Set memory breakpoint on access - sets memory breakpoint on the whole memory block. Program will stop each time memory block is accessed. OllyDbg supports only one memory breakpoint. Under Windows 95/98, debugged program may crash when system routines access memory blocks containing memory breakpoint. Use it as a last resort.

Set memory breakpoint on write - sets memory breakpoint on the whole memory block. Program will stop each time when it writes to the memory block. Under Windows 95/98, debugged program may crash when system routines access memory blocks containing memory breakpoint. Use it as a last resort.



and to your first question yes it is possible to set multiple conditions
but you have to understand the concept to effectively utilise it

take a look again in help file


To set breakpoint on message, OllyDbg creates specially prepared conditional logging breakpoint with explanation "<WinProc>". To see how it works, assume that we have button with handle 00001234 and request pause on all button messages. After breakpoint is set, open it as a conditional logging breakpoint. You will see the following options set:


Condition: [ESP+4]==00001234 && [ESP+8] IN (0F0..0F7,135)
Explanation: <WinProc>
Pause program: On condition
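
The pointer-chain evaluation described in the reply above, as an added Python example that is not part of the original posts and is not OllyDbg's own evaluator. It models the three dump lines as a small memory image and shows why `string [[[403038]]]` resolves at the breakpoint on 00401026 while the same expression written with EAX does not; the stale EAX value and all function names are assumptions made for the illustration.

```python
import struct

# Constructed memory image: the three dump lines quoted in the reply above.
MEMORY = {
    0x00403038: bytes.fromhex("40304000"),  # dword 00403040
    0x00403040: bytes.fromhex("50304000"),  # dword 00403050
    0x00403050: bytes.fromhex("796F7500"),  # "you\0"
}

class Unreadable(Exception):
    """Raised when an expression touches memory that is not in the image."""

def read(addr, size):
    for base, data in MEMORY.items():
        if base <= addr and addr + size <= base + len(data):
            return data[addr - base:addr - base + size]
    raise Unreadable(hex(addr))

def value(expr, regs):
    """Evaluate a register, a hex constant, or nested [..] dword dereferences."""
    expr = expr.strip()
    if expr.startswith("[") and expr.endswith("]"):
        return struct.unpack("<I", read(value(expr[1:-1], regs), 4))[0]
    if expr.upper() in regs:
        return regs[expr.upper()]
    return int(expr, 16)  # bare constants are read as hexadecimal

def string(expr, regs):
    """Model of 'string [X]': the ASCII string stored at address X."""
    addr = value(expr.strip()[1:-1], regs)
    out = bytearray()
    while (b := read(addr + len(out), 1)) != b"\0":
        out += b
    return out.decode("ascii")

def log_at_breakpoint(expr, regs):
    """Return the text that would be logged, or None if evaluation fails."""
    try:
        return string(expr, regs)
    except Unreadable:
        return None

# At the breakpoint on 00401026 the MOV has not executed yet, so EAX still
# holds whatever was there before (constructed garbage value).
BEFORE = {"EAX": 0xDEADBEEF}
AFTER = {"EAX": 0x00403038}  # after stepping over MOV EAX,00403038

if __name__ == "__main__":
    for regs in (BEFORE, AFTER):
        print(log_at_breakpoint("[[[EAX]]]", regs),
              log_at_breakpoint("[[[403038]]]", regs))
```
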