Results 1 to 6 of 6

Thread: Break on memory read!

  1. #1

    Break on memory read!

    Hey guys, I'm here again!

    I'm having a little problem...

    I have this assembly on my PE file:
    MOV AL, BYTE PTR DS:[EAX]

    EAX is a memory address, in other word, the code is trying to read a byte from a address memory.. i need to break when this happen at the address memory of EAX.
    Supposed that i know which is the address but i need to break every time that it try to "read" the byte of that address.

    Anybody have any suggestion ?
    I've tried memory breakpoint but it doesn't worked..

    thanks!!

  2. #2

    As Above

    Instead, why don't you put a EXECUTE h/w breakpoint on this very instruction itself?

    Then you can examine the contents of the memory address at your leisure, dump it and it's even helping you in case the exec/dll rebases everything everytime.

    Have Phun
    Blame Microsoft, get l337 !!

  3. #3
    Quote Originally Posted by Aimless View Post
    Instead, why don't you put a EXECUTE h/w breakpoint on this very instruction itself?

    Then you can examine the contents of the memory address at your leisure, dump it and it's even helping you in case the exec/dll rebases everything everytime.

    Have Phun
    Because I want to automate this verification, then I need to know WHO is reading that part of memory and if is sequential read, then i can guess the code is doing it to do some CRC checksum.

    I've tried to Mem BP, HW Bp and both.... unsuccessful.

    I don't know what to do.. BTW here is the code.. http://pastebin.com/x8vbiHLE
    Last edited by opc0d3; October 20th, 2012 at 13:33.

  4. #4
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,481
    Blog Entries
    15
    you got some problmes problems in the code your you pasted
    it crashes tryong trying to read some address

    anyway if all you are interested is to know what "eax" is every time that specific line executes and assuming

    you are using ollydbg

    set a conditional log breakpoint

    press shift + f4
    in the dialog box that pops up

    explanation = "Your String for your Referance like Eax = blah blah"

    expression = "EAX" <without quotes>
    pause program = "never" (radio button)
    lo value of expression = "ALWAYS" (radio button)

    optional
    you can use log to file in log window

    you will get output like this

    Log data
    Address Message
    004010C0 COND: the content of eax on = 0040120A
    004010C0 Access violation when reading [00418000]
    Last edited by blabberer; October 22nd, 2012 at 01:15.

  5. #5
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    I've tried memory breakpoint but it doesn't worked..
    simple "memory breakpoint" or "memory breakpoint with a condition" too...
    A mind is like a parachute. It doesnt work if it's not open.

  6. #6

Similar Threads

  1. Break on Keypress???
    By GATO_NEGRO in forum OllyDbg Support Forums
    Replies: 4
    Last Post: April 19th, 2005, 12:15
  2. Hardware-based read-only memory
    By disavowed in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: January 12th, 2004, 21:57
  3. Unable to read memory of debugged program
    By yaa in forum OllyDbg Support Forums
    Replies: 7
    Last Post: August 15th, 2003, 13:39
  4. Conditional breakpoint on memory read access*
    By ollynewby in forum OllyDbg Support Forums
    Replies: 2
    Last Post: March 25th, 2003, 06:12
  5. Break point on memory not work?
    By neshannel in forum Malware Analysis and Unpacking Forum
    Replies: 13
    Last Post: May 7th, 2002, 19:59

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •