View Full Version : Nb question: specific string breakpoint


cyb0rg
August 2nd, 2005, 05:30
Hello world,
I'd like to know how to set a global conditional breakpoint (that will be evaluated after any instruction) that will break when the EAX value is equal to a specific string (EAX->value == ASCII("string_to_break_on"))?

joe
August 2nd, 2005, 12:29
I think that this isn't possible. You must specify where you can set the BP. You can trace the program with log & then set the BP.
You can right click -> Search for -> All commands -> mov eax, const
Search too for: inc eax, dec eax, pop eax ...
In the Found commands window right click -> Set log breakpoint on every command ->
Condition: eax==0
Pause program: On condition

joe
August 2nd, 2005, 12:40
Look at the older posts in which there are answers from oh me anon. He has very useful tips.

blabberer
August 2nd, 2005, 13:04
thanks joe
well the search function in this board at present is not optimum
and tbd it seems can't find what is messed up

so to answer

use ctrl+t and type string [eax] == "your preferred string" in the "condition is true" box and hit ctrl+f11 (trace into); it will stop when the condition is true

for example

you have this code
00401000 >MOV EAX, 4DC9C0 ; ASCII "hello"
00401005 PUSH EAX
00401006 POP ECX ; OLLYDBG.004DC9C0
00401007 PUSH EAX
00401008 JMP SHORT 0040100C ; 0040100C
0040100A DB 4F ; CHAR 'O'
0040100B DB 4B ; CHAR 'K'
0040100C JMP SHORT 00401000 ; <ModuleEntryPoint>


now this is an infinite loop and eax will always contain the string "hello"

if you specify this as condition
STRING [EAX] == "hello" & eip != 401000 & eip != 401005

you will see it will stop according to the condition like this
look at the address, the stops are always in 401006

Log data
Address Message
00401006 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401007 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401008 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
0040100C Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401006 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401007 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401008 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
0040100C Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401006 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401007 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401008 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
0040100C Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401006 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401007 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401008 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
0040100C Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005
00401006 Conditional pause: STRING [EAX] == "hello" & eip != 401000 & eip != 401005

have fun
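
The trace condition from the post above, modelled as an added example (not part of the thread and not OllyDbg code): a small Python simulation of the six-instruction loop that evaluates `STRING [EAX] == "hello" & eip != 401000 & eip != 401005` and reproduces the pause addresses in the log. It assumes the debugger steps one instruction on each resume and then checks the condition at the new EIP (inferred from the log), and that the string comparison is exact; all function names are hypothetical.

```python
# Constructed model of the run-trace condition from the post.
# Assumption: on resume the debugger executes one instruction, then evaluates
# the condition at the new EIP (this ordering is inferred from the posted log).
STR_ADDR = 0x4DC9C0
MEMORY = {STR_ADDR + i: b for i, b in enumerate(b"hello\x00")}  # constructed

def read_cstring(addr, limit=256):
    """Read a NUL-terminated ASCII string; None if the pointer is unmapped."""
    out = bytearray()
    for i in range(limit):
        byte = MEMORY.get(addr + i)
        if byte is None:          # EAX does not point at readable memory
            return None
        if byte == 0:
            break
        out.append(byte)
    return out.decode("ascii", "replace")

def step(cpu):
    """Execute the instruction at EIP (only the listing from the post)."""
    eip = cpu["eip"]
    if eip == 0x401000:                      # MOV EAX, 4DC9C0
        cpu["eax"], cpu["eip"] = STR_ADDR, 0x401005
    elif eip in (0x401005, 0x401007):        # PUSH EAX
        cpu["stack"].append(cpu["eax"])
        cpu["eip"] = eip + 1
    elif eip == 0x401006:                    # POP ECX
        cpu["ecx"], cpu["eip"] = cpu["stack"].pop(), 0x401007
    elif eip == 0x401008:                    # JMP SHORT 0040100C
        cpu["eip"] = 0x40100C
    elif eip == 0x40100C:                    # JMP SHORT 00401000
        cpu["eip"] = 0x401000
    else:
        raise ValueError(f"no instruction modelled at {eip:08X}")

def condition(cpu):
    # STRING [EAX] == "hello" & eip != 401000 & eip != 401005
    return (read_cstring(cpu["eax"]) == "hello"
            and cpu["eip"] not in (0x401000, 0x401005))

def trace_until_pause(cpu, max_steps=1000):
    """One Ctrl+F11: step until the condition holds; None if it never does."""
    for _ in range(max_steps):
        step(cpu)
        if condition(cpu):
            return cpu["eip"]
    return None

def pauses(n):
    """Addresses of the first n conditional pauses, starting at the entry point."""
    cpu = {"eip": 0x401000, "eax": 0, "ecx": 0, "stack": []}
    return [trace_until_pause(cpu) for _ in range(n)]

if __name__ == "__main__":
    for addr in pauses(9):
        print(f"{addr:08X} Conditional pause")
```

Without the two `eip !=` terms the trace would also pause at 401005 on the first pass and at 401000 on every later pass, since EAX still points at "hello" there.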