condition question


mrwizeman
July 15th, 2005, 08:57
Hello all, I'm new to OllyDbg, but not to programming and disassembly in general. I have a question about conditions.

I want to set a condition to only break on an address IF EBX contains a UNICODE STRING

is that possible?

I don't know the string beforehand, by the way... I just want it to break if there is a string, any string.

joe
July 15th, 2005, 10:25
Yes! It's simple. Right-click on your instruction -> Breakpoint -> Conditional (or press Shift+F2), then set the condition (for example EAX==0). Read more in the OllyDbg help.

joe
July 15th, 2005, 12:33
Oh no! I didn't read your post correctly.
This is taken from the help:
[STRING 123456]=="Brown fox" - true if memory starting from address 0x00123456 contains ASCII string "Brown fox", "BROWN FOX JUMPS", "brown fox???" or similar. The comparison is case-insensitive and limited in length to the length of text constant.
EAX=="Brown fox" - same as above, EAX is treated as a pointer.
UNICODE [EAX]=="Brown fox" - OllyDbg treats EAX as a pointer to UNICODE string, converts it to ASCII and compares with text constant.

I suppose that you can use UNICODE [EBX]=="Your unicode string"
Or UNICODE EBX=="Your unicode string" ???

blabberer
July 15th, 2005, 13:34
Well, without knowing a string beforehand it is really wide open.
Maybe you could try logging it as an expression
and then parse through the output:

Shift+F4
type ebx in the expression box
select "Pointer to UNICODE string" under "Decode value of expression"
set "Log value of expression" to "Always"

Then in the log window you will see a lot of
Log data, item 1
Address=00401027
Message=COND: 00400000 "?P"

crap like that.
Look whether one of the crap entries is a meaningful string
and then set a conditional breakpoint with
unicode [ebx] == "the string you found out"

joe
July 15th, 2005, 15:47
2 oh me anon:
Thanks for your correction.
Mistake is my second name :-)

mrwizeman
July 16th, 2005, 07:21
OK, let me try to explain this better:

The string in EBX can look like this: UNICODE "<a>John Storm says 'Do you want to join my group?'</a>"

Now, as you can see, there is no way I can know what the line will be, because players can say anything... I was just wondering if there is any way I can get it to break if EBX 'CONTAINS' "UNICODE*".

Hmm, hard to explain... in SQL the condition would be "select * from registers where EBX like 'UNICODE%'".

blabberer
July 16th, 2005, 11:09
Well, a condition always has two sides; it needs an expression on the other side to be compared against and acted upon.

Well, like I said, you can log, or, if you know for sure that EBX could contain a Unicode string, you can ask OllyDbg to stop on a complex condition like

byte ptr ds:[ebx+1] == 0 && byte ptr ds:[ebx+3] == 0 && byte ptr ds:[ebx+5] == 0 && byte ptr ds:[ebx+7] == 0

A Unicode string (especially in English alphanumeric chars, not Chinese and others which use both bytes)

is like m0r0w0i0z0m0a0n == mrwizeman


Now if you have these strings

00403000 j.o.j.ov..j.a.j.a...jaebj.e...j.u.j.u...j.i.j.i...j.y.j.y...j3r5
00403040 jDr...b.a.b.a...b.i.b.i...b.u.b.u...b.o.b.o...b.e.b.e...d.a.d.a.
00403080 ..d.e.d.e...d.i.d.i...dcudd.u...n.a.n.a...n.e.n.e.D.n.u.n.u.....

it will not stop on 403000 (strlength 7, the 7th byte is not 0)
or on 403014, 40303c, 403096 (ASCII strings)

but will stop on all other strings:
Log data
Address Message
0040100A COND: 0040300A "jaja"
0040100A COND: 0040301E "juju"
0040100A COND: 00403028 "jiji"
0040100A COND: 00403032 "jyjy"
0040100A COND: 00403046 "baba"
0040100A COND: 00403050 "bibi"
0040100A COND: 0040305A "bubu"
0040100A COND: 00403064 "bobo"
0040100A COND: 0040306E "bebe"
0040100A COND: 00403078 "dada"
0040100A COND: 00403082 "dede"
0040100A COND: 0040308C "didi"
0040100A COND: 004030A0 "nana"
0040100A COND: 004030AA "neneDnunu" <-- it records this because it is a valid Unicode string and strlen is greater than 4
0040100A COND: 004030B4 "nunu"
0040100A COND: 004030BE ""
00401011 Breakpoint at msgbox1.00401011



Breakpoint details

Breakpoints, item 0
Address=0040100A
Module=msgbox1
Active=Log when byte ptr ds:[eax+1] == 0 && byte ptr ds:[eax+3] == 0 && byte ptr ds:[eax+5] == 0 && byte ptr ds:[eax+7] == 0
Disassembly=CMP EAX, msgbox1.004030BC


Code:
00401000 >XOR EAX, EAX
00401002 MOV EAX, 00403000
00401007 ADD EAX, 0A
0040100A >CMP EAX, 004030BC <-- set the conditional log/stop here
0040100F JB SHORT 00401007
00401011 TEST ESI, 3


Hope you understand.
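The following is an added example, not code from the thread: it reproduces the odd-byte condition from the post above (`byte ptr ds:[ebx+1] == 0 && ... [ebx+7] == 0`) and the "log value of expression as a pointer to UNICODE string" approach from the earlier post, in Python over a constructed memory image, so you can see offline which slots the heuristic hits and misses. The buffer layout, the 0x403000 base address and all string contents are made up here (the 10-byte stride mirrors the `ADD EAX, 0A` loop in the listing); `read_unicode` only approximates how OllyDbg decodes a Unicode pointer, and `ascii_unicode_string` is an assumed stricter check, restricted to printable ASCII as the post's "English alphanumeric" simplification.

```python
# Added example (not from the thread): the post's odd-byte heuristic and a
# stricter "terminated, printable, non-empty" check, run over constructed memory.

BASE = 0x403000      # assumed load address of the sample buffer (made up)
STRIDE = 0x0A        # the listing advances EAX by 0x0A per iteration


def pad10(b: bytes) -> bytes:
    """Pad or truncate a byte string to one 10-byte slot."""
    return (b + bytes(10))[:10]


def build_memory() -> bytes:
    """Constructed sample memory: eight 10-byte slots (not the post's actual bytes)."""
    slots = [
        pad10("jojo".encode("utf-16-le")),        # +0x00: never visited, loop starts at +0x0A
        pad10("jaja".encode("utf-16-le")),        # +0x0A: terminated UTF-16LE, 4 chars
        pad10(b"jaeb"),                            # +0x14: plain ASCII, odd bytes are letters
        "ju".encode("utf-16-le") + b"\0\0ABCD",    # +0x1E: 2-char UTF-16LE, then junk bytes
        "neneD".encode("utf-16-le"),               # +0x28: 5 chars, no terminator in this slot
        pad10("nunu".encode("utf-16-le")),        # +0x32: terminated; the previous string runs into it
        bytes(10),                                 # +0x3C: all zeros
        pad10(b"end"),                             # +0x46: ASCII again, the loop exits here
    ]
    mem = b"".join(slots)
    assert len(mem) == 80
    return mem


def odd_bytes_zero(mem: bytes, off: int) -> bool:
    """The post's condition: byte ptr [ebx+1]==0 && [ebx+3]==0 && [ebx+5]==0 && [ebx+7]==0."""
    return all(mem[off + i] == 0 for i in (1, 3, 5, 7))


def read_unicode(mem: bytes, off: int, max_units: int = 64) -> str:
    """Approximation of OllyDbg's 'pointer to UNICODE string' decode: read UTF-16LE
    code units up to a 0x0000 terminator, showing non-ASCII units as '?'."""
    out = []
    for i in range(max_units):
        pos = off + 2 * i
        if pos + 2 > len(mem):
            break
        unit = mem[pos] | (mem[pos + 1] << 8)
        if unit == 0:
            break
        out.append(chr(unit) if 0x20 <= unit < 0x7F else "?")
    return "".join(out)


def ascii_unicode_string(mem: bytes, off: int, max_units: int = 64):
    """Assumed stricter check: a non-empty, terminated UTF-16LE string of printable
    ASCII (the English-text simplification from the post). Returns the text or None."""
    out = []
    for i in range(max_units):
        pos = off + 2 * i
        if pos + 2 > len(mem):
            return None                        # ran off the buffer without a terminator
        unit = mem[pos] | (mem[pos + 1] << 8)
        if unit == 0:
            return "".join(out) if out else None
        if not 0x20 <= unit < 0x7F:
            return None
        out.append(chr(unit))
    return None                                # no terminator within max_units


def scan(mem: bytes, cond, decode, base: int = BASE, end: int = BASE + 0x46, stride: int = STRIDE):
    """Emulate the loop in the listing: EAX starts at base, is advanced by stride, and
    the conditional log breakpoint on CMP EAX, end fires whenever cond() holds.
    Returns (address, decoded text) per hit, like the lines in the Log window."""
    hits = []
    eax = base
    while True:
        eax += stride
        off = eax - base
        if cond(mem, off):
            hits.append((eax, decode(mem, off)))
        if not eax < end:                      # JB SHORT back to the ADD while EAX < end
            break
    return hits


def heuristic_hits(mem: bytes = None):
    """What the post's odd-byte condition logs: catches the all-zero slot and the
    unterminated 'neneD' (decoded into the next slot), misses the short 'ju'."""
    mem = build_memory() if mem is None else mem
    return scan(mem, odd_bytes_zero, read_unicode)


def strict_hits(mem: bytes = None):
    """What the stricter check logs: picks up 'ju', drops the empty string."""
    mem = build_memory() if mem is None else mem
    return scan(mem, lambda m, o: ascii_unicode_string(m, o) is not None, ascii_unicode_string)


if __name__ == "__main__":
    for addr, text in heuristic_hits():
        print(f"{addr:08X} COND: {text!r}")
```

The two scans show the trade-off blabberer describes: checking four odd bytes is all an OllyDbg condition can express without knowing the text, so it fires on empty or unterminated slots and skips any Unicode string shorter than four characters followed by non-zero bytes; a decoder that walks to the terminator is more precise but is something you run over the logged output, not inside the breakpoint condition.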