
Thread: A breakpoint problem with Ollydbg

  1. #1
    rukawaruki
    Guest

    A breakpoint problem with Ollydbg

    Hi,

    I am trying to modify a music program that allows free users to listen to music only for 1 minute. After a song has been played for a minute, the music stops and the program asks you to register.

    I figured out that the program uses a function called 'killtimer' to do this. So, I set breakpoints to every killtimer function.
    The problem is that Ollydbg is paused and detects breakpoints even though a song hasn't been played for a minute. It literally stops every 0.5 sec and I have to keep my finger on F9 (Run program) to keep the song going.
    Due to this condition, I cannot find the correct killtimer function using breakpoints.

    Please respond with a solution; I will appreciate it.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Hmm, I would check all CMP with values 120 = 0x78, given that every 0.5 sec a counter is increased...

    You could also try all CMP with values 0x3C = 60.

    If you find any, surely this CMP is related to the 1 minute limitation...

    Cheers

    Nacho_dj

  3. #3

    conditional breakpoint

    Use a conditional breakpoint: when the values are close to what you want, Olly triggers the bp.

    Ricardo Narvaja

  4. #4
    rukawaruki
    Guest
    Thanks to you both.

    I have a question about Nacho's response.
    As Nacho said, 0000003C was hidden in the address of one of the CMP statements. Like this: CMP EDI, DWORD PTR DS:[619CA8], where DS:[00619CA8] = 0000003C. (I didn't find this myself)
    How do I find or check CMP values that contain such specific addresses?

  5. #5
    Super Moderator
    well you can't expect ollydbg to find a 0x3c arbitrarily

    but ollydbg will help you find such constructs and if available will print the values

    use pseudo searches like this

    cmp r32 ,[const]

    will get you some results like this

    Code:
    Found commands
    Address    Disassembly                               Comment
    004012F0   CALL    first.004036B8                    (Initial CPU selection)
    0040155E   CMP     ECX, DWORD PTR DS:[40CCB0]        first.0040CBD8
    0040157B   CMP     EAX, DWORD PTR DS:[40CAD0]        first.0040C6A8
    00403430   CMP     EDI, DWORD PTR DS:[40CCB0]        first.0040CBD8
    00403775   CMP     EAX, DWORD PTR DS:[40D400]        DS:[0040D400]=00000000
    004037BD   CMP     EAX, DWORD PTR DS:[40D400]        DS:[0040D400]=00000000
    00403808   CMP     EAX, DWORD PTR DS:[40D400]        DS:[0040D400]=00000000
    004038CF   CMP     EDI, DWORD PTR DS:[40EB20]        DS:[0040EB20]=00000000
    00403A14   CMP     ESI, DWORD PTR DS:[40EB20]        DS:[0040EB20]=00000000
    00403C98   CMP     EAX, DWORD PTR DS:[40D9F8]        DS:[0040D9F8]=00000000
    00403F5F   CMP     ESI, DWORD PTR DS:[40CAD0]        first.0040C6A8
    00404A69   CMP     ECX, DWORD PTR DS:[40C400]        DS:[0040C400]=BB40E64E
    00405D03   CMP     EAX, DWORD PTR DS:[40D5DC]        DS:[0040D5DC]=00000000
    0040647D   CMP     EBX, DWORD PTR DS:[40D5DC]        DS:[0040D5DC]=00000000
    00406488   CMP     ECX, DWORD PTR DS:[40D9EC]        DS:[0040D9EC]=00000000
    004064B7   CMP     ESI, DWORD PTR DS:[40D9E0]        DS:[0040D9E0]=00000000
    00406628   CMP     EAX, DWORD PTR DS:[40D9E0]        DS:[0040D9E0]=00000000
    00406740   CMP     ESI, DWORD PTR DS:[40D9E0]        DS:[0040D9E0]=00000000
    00406FD9   CMP     EAX, DWORD PTR DS:[40D9F8]        DS:[0040D9F8]=00000000
    004070AD   CMP     EAX, DWORD PTR DS:[40D9F8]        DS:[0040D9F8]=00000000
    004078F4   CMP     EAX, DWORD PTR DS:[40CDB8]        first.0040CDB4
    00407906   CMP     EAX, DWORD PTR DS:[40CDBC]        first.0040D5E8
    00407918   CMP     ESI, DWORD PTR DS:[40CDC0]        first.0040D5E8
    00407935   CMP     EAX, DWORD PTR DS:[40CDC4]        first.0040D5E8
    00407947   CMP     EAX, DWORD PTR DS:[40CDC8]        first.0040D5E8
    00407959   CMP     EAX, DWORD PTR DS:[40CDCC]        first.0040D5E8
    0040796B   CMP     EAX, DWORD PTR DS:[40CDD0]        first.0040D5E8
    0040797D   CMP     EAX, DWORD PTR DS:[40CDD4]        first.0040D5E8
    0040798F   CMP     EAX, DWORD PTR DS:[40CDD8]        first.0040D5E8
    004079A1   CMP     ESI, DWORD PTR DS:[40CDDC]        first.0040D5E8
    00407BA2   CMP     EAX, DWORD PTR DS:[40D9F8]        DS:[0040D9F8]=00000000
    0040898E   CMP     EAX, DWORD PTR DS:[40D9F8]        DS:[0040D9F8]=00000000
    00408C4B   CMP     ECX, DWORD PTR DS:[40D9F8]        DS:[0040D9F8]=00000000
    00408CE6   CMP     EAX, DWORD PTR DS:[40D9F8]        DS:[0040D9F8]=00000000
    now you have to physically look for 0x3c in there

    or follow in dump and find references to them
    and narrow it down

    Code:
    References in first:.text to 0040CCB0..0040CCB0
    Address    Disassembly                               Comment
    0040155E   CMP     ECX, DWORD PTR DS:[40CCB0]        first.0040CBD8
    00403297   MOV     EAX, DWORD PTR DS:[40CCB0]        [0040CCB0]=0040CBD8
    00403430   CMP     EDI, DWORD PTR DS:[40CCB0]        first.0040CBD8
    00404672   MOV     EDI, DWORD PTR DS:[40CCB0]        first.0040CBD8

  6. #6
    rukawaruki
    Guest
    Thank you, blabberer.
    Your response helped me a lot.
    I understand the idea and I like it.
    But, I don't understand why you have to search for cmp r32, [constant].
    Does this mean find all cmp commands?
    Where can I learn such commands? I am currently looking for some tuts about it, but having a hard time.
    Last edited by rukawaruki; August 14th, 2006 at 15:21.

  7. #7
    Super Moderator
    it means find all cmp commands that compare any register to a constant
    that's in a memory location

    r32 = match for all registers

    so eax to edi all match it

    [const] == a constant that is in any of the memory locations
    like
    dword ptr ds:[code section]
    dword ptr ds:[data section]
    dword ptr ds:[rdata section]
    and so on

    r16 = word

    r8 = byte

    so if you try doing
    cmp r32,const <----- notice no square brackets around it

    ollydbg will spit out all compares that are direct (or immediate constants)

    like
    cmp eax,0x32

    cmp edx, 0xdeadbeef

    cmp edi,2badbabe

    cmp ebx,1badd00d

    cmp ecx,d05f00d5

    cmp r16,[const]

    will spit out compares for all
    cmp ax,word ptr ds: [memory]

    cmp r8,[const]
    will get you
    cmp al,byte ptr ss:[memory]

    cmp r32,[r32]

    will get you
    cmp eax,dword ptr ds:[ecx]
    and so on

    cmp r32,[r32+const]

    will get you

    cmp eax,dword ptr ss:[esp+0x3c] kind of compares

    apart from r32 you have pseudo matching registers RA and RB

    mov ra,[rb]

    will get
    all of those
    that do
    mov eax,dword ptr ds:[eax] <---- used a lot in creating exceptions

    xor eax,eax
    mov eax,[eax] <------- access violation <--- land in seh handler

    note both the registers are eax or can be ecx or ebx and so on

    it's pretty versatile to search for anything

    and it is all DOCUMENTED IN THE HELP FILE; look at the evaluation of expressions
    section in the help file

    as to why you need to search

    just think: would it make sense if ollydbg returned a 0x3c

    in mov eax,dword ptr ds:[40143c] as a possible result because it contains 0x3c in the address???

    or what if it returns
    mov ecx, 0xab3c4122 as another result coz the immed has 0x3c??


    now ollydbg won't say no if you just want to get all the 0x3c in an executable

    select dump -> ctrl+g -> type any arbitrary address -> right click -> search for -> in the bytes column -> enter 0x3c -> ok

    it will show you all the 0x3c that it finds there
    many of them are absolutely senseless hits

    but sometimes you need that kind of brute force approach too

    on self-modifying code
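As an added illustration of the two steps blabberer describes (the pseudo-command search in #5 and #7, then looking for 0x3c among the hits), here is a small Python matcher; it is not code from the thread or from OllyDbg. It turns patterns such as cmp r32,[const] or mov ra,[rb] into regular expressions over OllyDbg-style listing lines and then reports which matches compare against a given constant, taking the value either from an immediate operand or from the DS:[addr]=value that OllyDbg prints in the comment column. The listing lines are constructed, and RA/RB are assumed to mean simply any 32-bit register.

```python
import re

# Constructed OllyDbg-style "Found commands" lines, made up for this example (not from a real binary).
SAMPLE = """\
0040155E   CMP     ECX, DWORD PTR DS:[40CCB0]        first.0040CBD8
00403775   CMP     EAX, DWORD PTR DS:[40D400]        DS:[0040D400]=0000003C
00403808   CMP     EAX, DWORD PTR DS:[40D410]        DS:[0040D410]=00000078
00404A69   CMP     ECX, 3C
00406488   CMP     EAX, DWORD PTR SS:[ESP+3C]
00406500   MOV     EAX, DWORD PTR DS:[EAX]
"""
REG = {"r16": "AX|BX|CX|DX|SI|DI|BP|SP", "r8": "AL|AH|BL|BH|CL|CH|DL|DH"}
REG.update(dict.fromkeys(["r32", "ra", "rb"], "EAX|EBX|ECX|EDX|ESI|EDI|EBP|ESP"))  # ra/rb = any r32 (assumption)
HEX, MEM = "[0-9A-F]+", r"(?:DWORD|WORD|BYTE) PTR (?:DS|SS|CS|ES|FS|GS):\["
LINE = re.compile(r"^([0-9A-F]{8})\s+(\S+)\s+(.*?)(?:\s{2,}(\S.*))?$")

def atom(tok, top):
    """One pseudo token: a register class, 'const', or a literal such as 'eax' or '3c'."""
    if tok in REG:
        return f"(?:{REG[tok]})"
    if tok == "const":                  # only a top-level const is an immediate
        return f"(?P<imm>{HEX})" if top else HEX
    return re.escape(tok.upper())

def operand(op):
    if op[0] == "[" and op[-1] == "]":  # [const], [r32], [r32+const], [rb], ...
        return MEM + r"\+".join(atom(t, False) for t in op[1:-1].split("+")) + r"\]"
    return atom(op, True)

def compile_pseudo(pattern):
    """'cmp r32,[const]' -> regex over the 'MNEMONIC OPERANDS' text of one listing line."""
    mnemonic, _, ops = pattern.strip().lower().partition(" ")
    parts = [operand(o.strip()) for o in ops.split(",")] if ops.strip() else []
    return re.compile("^" + mnemonic.upper() + (r"\s+" + r",\s*".join(parts) if parts else "") + "$")

def search(listing, pattern):
    """What OllyDbg's 'Found commands' would list: (address, immediate, value shown in comment)."""
    rx, out = compile_pseudo(pattern), []
    for line in listing.splitlines():
        m = LINE.match(line)
        hit = m and rx.match(f"{m.group(2)} {m.group(3).strip()}")
        if hit:
            shown = re.search(r"=([0-9A-F]+)$", m.group(4) or "")
            out.append((m.group(1), hit.groupdict().get("imm"), shown and shown.group(1)))
    return out

def find_constant(listing, pattern, value):
    """Addresses whose compare is against `value` (immediate or DS:[addr]=... comment value)."""
    return [addr for addr, imm, shown in search(listing, pattern)
            if value in [int(x, 16) for x in (imm, shown) if x]]
```

Running find_constant(SAMPLE, "cmp r32,[const]", 0x3C) does by script what the "physically look for 0x3c in there" step does by eye, and value 0x78 covers Nacho's 120 half-second ticks.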

  8. #8
    rukawaruki
    Guest
    Your excellent examples made me fully understand it.

    I appreciate your help, blabberer.

    Have a great day.
