Log in

View Full Version : OllyDbg memory breakpoint management

shERis
January 9th, 2006, 15:26
Hi!
OllyDbg only has 2 ways to handle a memory exception:
1. memory on access
2. memory on write

but there is no
3. memory on execution

I read, that there is a patched olly for point 3.
Can anybody help me to get that patched version ?
Newbie_Cracker
January 9th, 2006, 17:23
Mem on access is similar to mem on execute...
Ricardo Narvaja
January 9th, 2006, 20:12
Are you wrong, is not similar, BPM on access stop in execute and stop in read, and he need only stop in execute only, not read is very very different.

In a packer you put a BPM ON ACCESS in the code section and OLLY stop each time write a value in the section (can stop 1000 or 2000 times before reach OEP), and with a BPM ON EXECUTE only OLLY stop in the OEP or the first line of the section executed is very different.

I patch a olly for non stop in read and only on execute the problem in each time the program skip a possible stop for read take a little time, and for a complete unpacking can take 5 or 10 minutes for reach the oep, but you can take a coffe and return and OLLY will be waiting sttoped in OEP.

Ah you need put all marks in debugging options-exceptions, and try in a previous RUN, the program skip all exceptions, for OLLY don´t stop in exceptions, and only in the BPM on EXECUTION.

http://www.ricnar456.dyndns.org/HERRAMIENTAS/L-M-N-Ñ-O-P/OLLY%20PARCH EADO%20PARA%20BUSCAR%20OEPs.rar
("http://www.ricnar456.dyndns.org/HERRAMIENTAS/L-M-N-Ñ-O-P/OLLY%20PARCHEADO%20PARA%20BUSCAR%20OEPs.rar
")

user and pass:hola

And this OLLY never stop in BPM reads, for this use a common OLLY.

This can be useful for VB programs you put a BPM on ACCESS in code and stop only when execute program and not the VB dll, jeje.

Ricardo Narvaja
shERis
January 10th, 2006, 13:40
Hi Ricardo!
Thank you for your patched OllyDbg and for giving the link to me.
It´s a great improvement!
Do you have an idea why Olly didn´t implement a command "Memory Breakpoint on Execution" ?
shERis
Ricardo Narvaja
January 10th, 2006, 19:12
is not possible in RING3 always you have permission for execute, the read permision work togheter, only in RING 0 is possible separate BPM ON EXECUTION fron BPM ON READ.

In my patched,if OLLY stop in read in BPM ON ACCESS, i patch to force to continue running, the effect is the same but only more slow, but works.

Ricardo
shERis
January 12th, 2006, 11:38
I assume that Olly didn´t want to implement that command, because your way of solving the problem is wasting much execution time and so OllyDbg would be very slowly. But it is good that you made it working.
Thanx Ricardo!
It´s fascinating for me what you know.