Hi, thanks for reading. my eyes are about to melt i've been staring at this screen for so long. I'm in ecuador on a 56k modem and its taken me all night scouring the web to answer some questions I know are idiotic.

Simply.. I've got a proggy i'm dissecting. There's a portion that says:

test al,al
Jnz blablabla

My question.. the test instruction essential adds al to al. well you can't get zero by adding al to itself. So my question is how is the Z flag supposed to get set.. under what circumstances would that jnz instruction NOT jump?
------
I have another question if anyone has time. I have searched thru these forums. From what I've gathered about conditional breakpoints... they can only be placed at a specific address. Is there a way to give a universal conditional breakpoint (Meaning.. i want the debugger to break WHENEVER or WHEREVER EAX contains the string "6328"?

is that possible?

thanks for any help. -b

Wrong. Read the Intel(R) IA-32 Architecture Software Developer's Manual again.

Hi Zambuka

read carefully your opcodes guide. It must say that 'test' actually ANDs its operands, not ADDs. In case it doesn't, please throw it away and find a better one.

The Z flag gets set whenever one of the operands is zero.

Good luck.
Peres

Look at http://www.woodmann.com/forum/showthread.php?t=9227&highlight=conditional+breakpoint

You could place a conditional logging breakpoint covering ALL the .text segment, for instance. Olly will pause if: an instruction in .text segment is executed AND EAX == 36333238 (String "6328".

Press F9 (run) then go watch your favorite movie, because Olly will go veeeery slowly.

I recomend you read the new tutorial series "Introduccion al cracking con Ollydbg desde Cero"

http://www.ricardonarvaja.com.ar/

first of all, thanks for the responses. As I said my eyes were to the point that they were barely open. I am an idiot (as I should have put in the subject). It is AND! The tut I was reading spoke about cmp directly above the test entry.. and cmp is a subtract.. so my brain just translated and to add. Anyway, thanks for the info. I've been sitting in my room for about two days now trying to accomplish something with this program and I am just lost in a sea of ASM.

Thanks for your reply as well. Thats a good idea to remember for the future, but the string I am looking for is not hardcoded to the module.. it is entered by the user. (I assume that won't work for your suggestion). Unfortunatly I can't find a single API that deals with the string other than a comparestringA. This happens well after the string has already been loaded into the stack. I can't figure out where it is happeneing. There's not getdlgitem type api's being used.

Anyway, thanks.

I do have a followup question about the logic of test'ing a register with itself (which happens very often).

When doing a:
test al,al
jz blablabla

is this process simply a way for determining if al was 0 to begin with? I mean, that is the only way we will jump... is if al was 0 before we did the test? Basically, is there any other purpose to this command other than what i just said? thanks -b

Checking if a Register is == 0 is by far the most common use of the opcode test.

but I have seen other, very ingenious uses in code protection and cryptography.

For instance: A call to a dongle API is suppossed to return a magic number in EAX, let us say "12345678" (We Do not Know what this magic number should be)

If the code checks the validity of the magic number by using CMP
like:

cmp EAX, 12345678
jz good boy

Game is over, you told the cracker the valid magic expected in EAX. but if

you test the magic against a "mask"':

12345678 in binary:
10010001101000101011001111000
mask:

084B2800 in binary
01000010010110010100000000000

test EAX, 84B2800
JZ good boy

JZ flag will be set to 1 if EAX contains the valid magic number but chances are will not be 1 with other non valid magic numbers in EAX. Doing this test, the coder just gave away at most 8 out of the 32 bits of a valid magic. So the cracker needs to keep guessing the correct value that EAX should return.

Hope it makes sense

that makes sense.. mainly i was worried that was some extremely basic peice of information regarding a line like text al,al that I was missing.

I've decided not to leave this room till I've cracked this crackme. I am pretty new to assembly but I've been programming for a long time.. thus far, soley my sense of intuition has helped me to crack some impressive things.. but this is killing me! I've got sheets of paper scattered everywhere with crazy scribblings. I'm at the point i can barely keep the order of what i've written in my head, much less the code i'm going thru. argh!

Take a break.
I am serious.

thanks for the concern. Actually.. i am forced to take a break now. I have to meet someone for drinks. Although it won't be much of a break because i will be thinking about this the whole time (maybe a few whiskeys will help me to see this clearer)

grats