Thread: N00b question about test al,al (and a conditional breakpoint question)

  1. #1

    Hi, thanks for reading. My eyes are about to melt, I've been staring at this screen for so long. I'm in Ecuador on a 56k modem and it's taken me all night scouring the web to answer some questions I know are idiotic.

    Simply.. I've got a proggy i'm dissecting. There's a portion that says:

    test al,al
    Jnz blablabla

    My question.. the test instruction essentially adds al to al. Well, you can't get zero by adding al to itself. So my question is: how is the Z flag supposed to get set.. under what circumstances would that jnz instruction NOT jump?
    ------
    I have another question if anyone has time. I have searched through these forums. From what I've gathered about conditional breakpoints... they can only be placed at a specific address. Is there a way to give a universal conditional breakpoint (meaning.. I want the debugger to break WHENEVER or WHEREVER EAX contains the string "6328")?

    is that possible?

    thanks for any help. -b

  2. #2
    the test instruction essential adds al to al
    Wrong. Read the Intel(R) IA-32 Architecture Software Developer's Manual again.

  3. #3
    Peres
    Guest
    Hi Zambuka

    Read your opcodes guide carefully. It must say that 'test' actually ANDs its operands, not ADDs. In case it doesn't, please throw it away and find a better one.

    The Z flag gets set whenever one of the operands is zero.

    Good luck.
    Peres
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Naides is Nobody (Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    Quote Originally Posted by zambuka42
    ------
    I have another question if anyone has time. I have searched thru these forums. From what I've gathered about conditional breakpoints... they can only be placed at a specific address. Is there a way to give a universal conditional breakpoint (Meaning.. i want the debugger to break WHENEVER or WHEREVER EAX contains the string "6328")?

    is that possible?
    Look at http://www.woodmann.com/forum/showthread.php?t=9227&highlight=conditional+breakpoint

    You could place a conditional logging breakpoint covering ALL the .text segment, for instance. Olly will pause if: an instruction in .text segment is executed AND EAX == 36333238 (String "6328").

    Press F9 (run) then go watch your favorite movie, because Olly will go veeeery slowly.

    I recommend you read the new tutorial series "Introduccion al cracking con Ollydbg desde Cero"

    http://www.ricardonarvaja.com.ar/
    Last edited by naides; July 25th, 2006 at 10:37.

  5. #5
    First of all, thanks for the responses. As I said, my eyes were to the point that they were barely open. I am an idiot (as I should have put in the subject). It is AND! The tut I was reading spoke about cmp directly above the test entry.. and cmp is a subtract.. so my brain just translated AND to ADD. Anyway, thanks for the info. I've been sitting in my room for about two days now trying to accomplish something with this program and I am just lost in a sea of ASM.

  6. #6
    Quote Originally Posted by naides
    You could place a conditional logging breakpoint covering ALL the .text segment, for instance. Olly will pause if: an instruction in .text segment is executed AND EAX == 36333238 (String "6328").
    http://www.ricardonarvaja.com.ar/
    Thanks for your reply as well. That's a good idea to remember for the future, but the string I am looking for is not hardcoded in the module.. it is entered by the user. (I assume that won't work for your suggestion.) Unfortunately I can't find a single API that deals with the string other than a CompareStringA. This happens well after the string has already been loaded onto the stack. I can't figure out where it is happening. There are no GetDlgItem-type APIs being used.

    Anyway, thanks.

  7. #7
    I do have a follow-up question about the logic of test'ing a register with itself (which happens very often).

    When doing a:
    test al,al
    jz blablabla

    Is this process simply a way of determining if al was 0 to begin with? I mean, that is the only way we will jump... if al was 0 before we did the test? Basically, is there any other purpose to this command other than what I just said? Thanks -b

  8. #8
    Naides is Nobody
    Checking if a Register is == 0 is by far the most common use of the opcode test.

    But I have seen other, very ingenious uses in code protection and cryptography.

    For instance: a call to a dongle API is supposed to return a magic number in EAX, let us say "12345678" (we do not know what this magic number should be).

    If the code checks the validity of the magic number by using CMP
    like:

    cmp EAX, 12345678
    jz good boy

    Game is over: you told the cracker the valid magic expected in EAX. But if

    you test the magic against a "mask":

    12345678 in binary:
    10010001101000101011001111000
    mask:

    084B2800 in binary:
    01000010010110010100000000000

    test EAX, 84B2800
    JZ good boy

    JZ flag will be set to 1 if EAX contains the valid magic number, but chances are it will not be 1 with other, non-valid magic numbers in EAX. Doing this test, the coder just gave away at most 8 out of the 32 bits of a valid magic. So the cracker needs to keep guessing the correct value that EAX should return.

    Hope it makes sense
    Last edited by naides; July 25th, 2006 at 15:30.
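
As an added example that is not part of the thread: a small Python model of what TEST writes to the flags, used to check the `test al,al` question from #7 and the masked magic-number check from #8. The hex values come from post #8; the names MAGIC, MASK and the functions are mine.

```python
"""Model of x86 TEST (a flags-only AND) for the two checks discussed in this thread:
`test al,al / jnz` and the masked `test eax, 084B2800h / jz` magic-number check.
Constructed example; not code from the thread, the crackme or OllyDbg."""


def x86_test(a: int, b: int, width: int = 32) -> dict:
    """Flags written by TEST a,b: ZF, SF, PF from a AND b; CF and OF cleared.
    Neither operand is modified, which is why `test al,al` cannot change al."""
    mask = (1 << width) - 1
    result = (a & mask) & (b & mask)
    return {
        "ZF": int(result == 0),
        "SF": (result >> (width - 1)) & 1,
        "PF": int(bin(result & 0xFF).count("1") % 2 == 0),  # parity of low byte only
        "CF": 0,
        "OF": 0,
    }


def jnz_taken_after_test_self(al: int) -> bool:
    """`test al,al ; jnz target`: the jump is taken for every al except zero,
    since x AND x == x and the only value that ANDs to zero is zero."""
    return x86_test(al, al, width=8)["ZF"] == 0


MAGIC = 0x12345678   # dongle return value from post #8 (constructed scenario)
MASK = 0x084B2800    # mask from post #8; every set bit sits where MAGIC has a 0


def cmp_check(eax: int) -> bool:
    """`cmp eax, 12345678h ; jz good_boy`: accepts exactly one value."""
    return eax == MAGIC


def masked_test_check(eax: int) -> bool:
    """`test eax, 084B2800h ; jz good_boy`: accepts any eax whose mask bits are clear."""
    return x86_test(eax, MASK)["ZF"] == 1


def values_accepted(mask: int = MASK, width: int = 32) -> int:
    """Number of `width`-bit values the masked check accepts: each set bit of the
    mask must be 0 in eax, every other bit is unconstrained."""
    constrained = bin(mask).count("1")
    return 1 << (width - constrained)


if __name__ == "__main__":
    print("jnz after test al,al taken for al=0x00:", jnz_taken_after_test_self(0x00))
    print("jnz after test al,al taken for al=0x80:", jnz_taken_after_test_self(0x80))
    print("magic passes masked check:", masked_test_check(MAGIC))
    print("cmp accepts 1 value; masked test accepts", values_accepted(), "values")
```

The masked form never discloses the magic itself, but it also accepts 2^25 other values (including zero), which is the trade-off post #8 describes.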

  9. #9
    That makes sense.. mainly I was worried that there was some extremely basic piece of information regarding a line like test al,al that I was missing.

    I've decided not to leave this room till I've cracked this crackme. I am pretty new to assembly but I've been programming for a long time.. thus far, solely my sense of intuition has helped me to crack some impressive things.. but this is killing me! I've got sheets of paper scattered everywhere with crazy scribblings. I'm at the point where I can barely keep the order of what I've written in my head, much less the code I'm going through. Argh!

  10. #10
    Naides is Nobody
    Take a break.
    I am serious.

  11. #11
    Thanks for the concern. Actually.. I am forced to take a break now. I have to meet someone for drinks. Although it won't be much of a break because I will be thinking about this the whole time (maybe a few whiskeys will help me to see this clearer).

    grats
