A breakpoint problem with Ollydbg


rukawaruki
August 14th, 2006, 01:28
Hi,

I am trying to modify a music program that allows free users to listen to music only for 1 minute. After a song has been played for a minute, the music stops and the program asks you to register.

I figured out that the program uses a function called 'killtimer' to do this. So, I set breakpoints to every killtimer function.
The problem is that Ollydbg is paused and detects breakpoints even though a song hasn't been played for a minute. It literally stops every 0.5 sec and I have to keep my finger on F9 (Run program) to keep the song going.
Due to this condition, I cannot find the correct killtimer function using breakpoints.

Please respond with a solution; I will appreciate it.

Nacho_dj
August 14th, 2006, 03:19
Hmm, I would check all CMP with values 120 = 0x78, given that every 0.5 sec a counter is increased...

You could also try all CMP with values 0x3C = 60.

If you find any, surely this CMP is related to the 1-minute limitation...

Cheers

Nacho_dj

Ricardo Narvaja
August 14th, 2006, 07:06
Use a conditional breakpoint: when the values are close to what you want, Olly triggers the bp.

Ricardo Narvaja

rukawaruki
August 14th, 2006, 11:55
Thanks to you both.

I have a question about Nacho's response.
As Nacho said, 0000003C was hidden in the address of one of the CMP statements. Like this: CMP EDI, DWORD PTR DS:[619CA8], where DS:[00619CA8] = 0000003C. (I didn't find this myself.)
How do I find or check CMP values that contain such specific addresses?

blabberer
August 14th, 2006, 13:30
well you can't expect ollydbg to find a 0x3c arbitrarily

but ollydbg will help you find such constructs and if available will print the values

use pseudo searches like this

cmp r32 ,[const]

will get you some results like this

Code:

Found commands
Address Disassembly Comment
004012F0 CALL first.004036B8 (Initial CPU selection)
0040155E CMP ECX, DWORD PTR DS:[40CCB0] first.0040CBD8
0040157B CMP EAX, DWORD PTR DS:[40CAD0] first.0040C6A8
00403430 CMP EDI, DWORD PTR DS:[40CCB0] first.0040CBD8
00403775 CMP EAX, DWORD PTR DS:[40D400] DS:[0040D400]=00000000
004037BD CMP EAX, DWORD PTR DS:[40D400] DS:[0040D400]=00000000
00403808 CMP EAX, DWORD PTR DS:[40D400] DS:[0040D400]=00000000
004038CF CMP EDI, DWORD PTR DS:[40EB20] DS:[0040EB20]=00000000
00403A14 CMP ESI, DWORD PTR DS:[40EB20] DS:[0040EB20]=00000000
00403C98 CMP EAX, DWORD PTR DS:[40D9F8] DS:[0040D9F8]=00000000
00403F5F CMP ESI, DWORD PTR DS:[40CAD0] first.0040C6A8
00404A69 CMP ECX, DWORD PTR DS:[40C400] DS:[0040C400]=BB40E64E
00405D03 CMP EAX, DWORD PTR DS:[40D5DC] DS:[0040D5DC]=00000000
0040647D CMP EBX, DWORD PTR DS:[40D5DC] DS:[0040D5DC]=00000000
00406488 CMP ECX, DWORD PTR DS:[40D9EC] DS:[0040D9EC]=00000000
004064B7 CMP ESI, DWORD PTR DS:[40D9E0] DS:[0040D9E0]=00000000
00406628 CMP EAX, DWORD PTR DS:[40D9E0] DS:[0040D9E0]=00000000
00406740 CMP ESI, DWORD PTR DS:[40D9E0] DS:[0040D9E0]=00000000
00406FD9 CMP EAX, DWORD PTR DS:[40D9F8] DS:[0040D9F8]=00000000
004070AD CMP EAX, DWORD PTR DS:[40D9F8] DS:[0040D9F8]=00000000
004078F4 CMP EAX, DWORD PTR DS:[40CDB8] first.0040CDB4
00407906 CMP EAX, DWORD PTR DS:[40CDBC] first.0040D5E8
00407918 CMP ESI, DWORD PTR DS:[40CDC0] first.0040D5E8
00407935 CMP EAX, DWORD PTR DS:[40CDC4] first.0040D5E8
00407947 CMP EAX, DWORD PTR DS:[40CDC8] first.0040D5E8
00407959 CMP EAX, DWORD PTR DS:[40CDCC] first.0040D5E8
0040796B CMP EAX, DWORD PTR DS:[40CDD0] first.0040D5E8
0040797D CMP EAX, DWORD PTR DS:[40CDD4] first.0040D5E8
0040798F CMP EAX, DWORD PTR DS:[40CDD8] first.0040D5E8
004079A1 CMP ESI, DWORD PTR DS:[40CDDC] first.0040D5E8
00407BA2 CMP EAX, DWORD PTR DS:[40D9F8] DS:[0040D9F8]=00000000
0040898E CMP EAX, DWORD PTR DS:[40D9F8] DS:[0040D9F8]=00000000
00408C4B CMP ECX, DWORD PTR DS:[40D9F8] DS:[0040D9F8]=00000000
00408CE6 CMP EAX, DWORD PTR DS:[40D9F8] DS:[0040D9F8]=00000000


now you have to physically look for 0x3c in there

or follow in dump and find references to them
and narrow it down

Code:

References in first:.text to 0040CCB0..0040CCB0
Address Disassembly Comment
0040155E CMP ECX, DWORD PTR DS:[40CCB0] first.0040CBD8
00403297 MOV EAX, DWORD PTR DS:[40CCB0] [0040CCB0]=0040CBD8
00403430 CMP EDI, DWORD PTR DS:[40CCB0] first.0040CBD8
00404672 MOV EDI, DWORD PTR DS:[40CCB0] first.0040CBD8

rukawaruki
August 14th, 2006, 15:18
Thank you, blabberer.
Your response helped me a lot.
I understand the idea and I like it.
But, I don't understand why you have to search for cmp r32, [constant].
Does this mean find all cmp commands?
Where can I learn such commands? I am currently looking for some tuts about it, but having a hard time.

blabberer
August 15th, 2006, 01:03
it means find all cmp commands that compare any register to a constant
that's in a memory location

r32 = match for all registers

so eax to edi all match it

[const] == a constant that is in any of the memory locations
like
dword ptr ds:[code section]
dword ptr ds:[data section]
dword ptr ds:[rdata section]
and so on

r16 = word

r8 = byte

so if you try doing
cmp r32,const <----- notice no square brackets around it

ollydbg will spit out all compares that are direct (or immediate constants)

like
cmp eax,0x32

cmp edx, 0xdeadbeef

cmp edi,2badbabe

cmp ebx,1badd00d

cmp ecx,d05f00d5

cmp r16,[const]

will spit out compares for all
cmp ax,word ptr ds: [memory]

cmp r8,[const]
will get you
cmp al,byte ptr ss:[memory]

cmp r32,[r32]

will get you
cmp eax,dword ptr ds:[ecx]
and so on

cmp r32,[r32+const]

will get you

cmp eax,dword ptr ss:[esp+0x3c] kind of compares

apart from r32 you have pseudo matching registers RA and RB

mov ra,[rb]

will get
all of those
that do
mov eax,dword ptr ds:[eax] <---- used a lot in creating exceptions

xor eax,eax
mov eax,[eax] <------- access violation <--- land in seh handler

note both the registers are eax or can be ecx or ebx and so on

it's pretty versatile to search for anything

and it is all DOCUMENTED IN THE HELP FILE; look at the "evaluation of expressions"
section in the help file

as to why you need to search

just think: would it make sense if ollydbg returned a 0x3c

in mov eax,dword ptr ds:[40143c] as a possible result because it contains 0x3c in the address???

or what if it returned
mov ecx, 0xab3c4122 as another result because the immediate has 0x3c??


now ollydbg won't say no if you just want to get all the 0x3c in an executable

select dump -> ctrl+g --> type any arbitrary address -> right click -> search for --> in the bytes column -> enter 0x3c --> ok

it will show you all the 0x3c that it finds there
many of them are absolutely senseless hits

but sometimes you need that kind of brute-force approach too

on self modifying codes
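
As an added example (not from the thread and not OllyDbg's own code), the Python below imitates at text level what the pseudo searches in this post do: it expands the r32/r16/r8/const tokens into register and constant matchers, runs them over a "Found commands" listing, and then automates the "physically look for 0x3c" step from the earlier post by reading the value OllyDbg prints in the comment column, which is also how Nacho's 0x3C/0x78 suggestion would be checked. The SAMPLE rows are constructed, and OllyDbg's real search works on decoded instructions rather than on text, so the matcher is an approximation of its behaviour.

```python
import re

# Constructed sample shaped like OllyDbg's "Found commands" window; not the thread's program
SAMPLE = """\
0040155E CMP ECX, DWORD PTR DS:[40CCB0] first.0040CBD8
00403775 CMP EAX, DWORD PTR DS:[40D400] DS:[0040D400]=00000000
00403A14 CMP ESI, DWORD PTR DS:[619CA8] DS:[00619CA8]=0000003C
00404A69 CMP ECX, 3C
00405D03 CMP EAX, DWORD PTR SS:[ESP+3C]
00406488 CMP DX, WORD PTR DS:[ECX]
00406628 MOV EAX, DWORD PTR DS:[EAX]
"""

TOKENS = {  # pseudo-operand tokens; a text-level imitation of OllyDbg's matcher
    "R32": "(?:EAX|EBX|ECX|EDX|ESI|EDI|EBP|ESP)",
    "R16": "(?:AX|BX|CX|DX|SI|DI|BP|SP)",
    "R8": "(?:AL|AH|BL|BH|CL|CH|DL|DH)", "CONST": "[0-9A-F]+"}

def operand_regex(op):
    """'[r32+const]' -> regex for 'DWORD PTR SS:[ESP+3C]'; bare 'const' -> an immediate."""
    rx = re.escape(op.upper())
    for tok, cls in TOKENS.items():
        rx = rx.replace(tok, cls)
    if op.startswith("["):  # memory operand: accept any size and segment prefix
        rx = r"(?:DWORD|WORD|BYTE) PTR [CDEFGS]S:" + rx
    return rx

def search_regex(pattern):
    """Compile a pseudo search such as 'cmp r32,[const]' into a regex for one disassembly."""
    mnem, _, ops = pattern.strip().partition(" ")
    ops_rx = ", ".join(operand_regex(o) for o in ops.replace(" ", "").split(","))
    return re.compile(r"^%s %s$" % (mnem.upper(), ops_rx))

def find(pattern, listing=SAMPLE):
    """Rows (address, disassembly, comment-or-None) whose disassembly matches the pseudo search."""
    rx = search_regex(pattern)
    rows = (re.match(r"^([0-9A-F]{8}) (.+?)(?: (\S+\.\S+|\S+=\S+))?$", ln) for ln in listing.splitlines())
    return [m.groups() for m in rows if m and rx.match(m.group(2))]

def compared_value(row):
    """Constant a compare uses: an immediate, or the contents OllyDbg prints in the comment."""
    _, disasm, comment = row
    m = re.search(r", ([0-9A-F]+)$", disasm) or re.search(r"\]=([0-9A-F]+)$", comment or "")
    return int(m.group(1), 16) if m else None

def find_compare_against(value, listing=SAMPLE):
    """The 'physically look for 0x3c' step automated over both search forms."""
    hits = find("cmp r32,[const]", listing) + find("cmp r32,const", listing)
    return sorted(row for row in hits if compared_value(row) == value)
```

Run `find_compare_against(0x3C)` to get only the compares whose constant currently equals 60, whether it is an immediate or sits behind a `DS:[...]` address; the `mov r32,[r32]` form from this post works the same way through `find`.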

rukawaruki
August 15th, 2006, 10:27
Your excellent examples made me fully understand it.

I appreciate your help, blabberer.

Have a great day.