Conditional Hardware break on memory address not working

Support forums for OllyDbg 32-bit Assembler-Level Debugger.
Developed by Oleh Yuschuk (http://www.ollydbg.de)
OpenStrife
Junior Member
Posts: 2
Joined: Mon Mar 18, 2013 2:43 pm

Post by OpenStrife »

Hello,

I have been searching for the past week for a solution to this, but cannot find one. I have the memory address 0012EBFC that constantly has data being written to it 1200+ times per second by over 300 different instructions. Software memory breakpoints basically prevent the application from moving since the address is being written so many times. My goal is to breakpoint the program when 0012EBFC = 0x0000003C, and then at that point find out the instruction that wrote to it.

When I set a conditional Hardware Breakpoint with the condition to pause when 0012EBFC == 3C, it never pauses, even though I know that the address is in fact turning to 3C for at least a split second.

I need to figure out what instruction, out of the 300+, writes 3C to this address. 3C corresponds to a specific action in this program. If I can breakpoint the memory right when it turns 3C 00 00 00 or 0x0000003C, then it should show me the last instruction to write to it... but I can't get the hardware to break on it at all.

Even if I do a hardware breakpoint with no conditions on this address, it still never pauses, as if it's not being hit, but I know the address is changing. Is my Ollydbg 2 bugged or am I just doing this wrong?
naides
Posts: 1655
Joined: Sat Jan 12, 2002 12:00 pm
Location: Planet Earth

Post by naides »

The problem might be that you are referring to a 4 byte address but trying to monitor a single byte. Are you sure that the "flag" is 4 bytes long? FFFFFF3C != 3454323C != 0000003C. . .
If the key is only in the less significant byte, you need to reconsider your break point strategy.
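
The point above about the flag width, as an added example that is not part of the post or of OllyDbg: a C replay of a write trace showing that a 4-byte comparison against 3C skips a writer that only stores the low byte. The writer addresses and trace values are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One logged store into the watched dword. */
struct write_ev {
    uint32_t writer;  /* constructed address of the storing instruction */
    unsigned offset;  /* byte offset inside the watched dword, 0..3 */
    unsigned size;    /* store width: 1, 2 or 4 bytes */
    uint32_t value;   /* stored value (low `size` bytes are used) */
};

/* Constructed trace, not taken from the program discussed in the thread. */
static const struct write_ev trace[] = {
    { 0x00401000u, 0, 4, 0xFFFFFF00u },  /* dword store, upper bytes set   */
    { 0x00401020u, 0, 1, 0x0000003Cu },  /* byte store: cell = FFFFFF3C    */
    { 0x00401040u, 0, 4, 0x34543210u },  /* unrelated dword store          */
    { 0x00401060u, 0, 4, 0x0000003Cu },  /* dword store: cell = 0000003C   */
};
#define TRACE_LEN (sizeof trace / sizeof trace[0])

/* Replay the stores into a little-endian 4-byte cell and return the writer
 * whose store first makes the low `width` bytes equal `want` (0 if none).
 * width 4 models "dword at addr == want", width 1 "byte at addr == want". */
uint32_t first_hit(const struct write_ev *ev, size_t n, unsigned width, uint32_t want)
{
    uint8_t cell[4] = {0};
    for (size_t i = 0; i < n; i++) {
        if (ev[i].offset + ev[i].size > 4)
            continue;                     /* skip malformed events */
        for (unsigned b = 0; b < ev[i].size; b++)
            cell[ev[i].offset + b] = (uint8_t)(ev[i].value >> (8 * b));
        uint32_t seen = 0;
        for (unsigned b = 0; b < width; b++)
            seen |= (uint32_t)cell[b] << (8 * b);
        if (seen == want)
            return ev[i].writer;
    }
    return 0;
}

int main(void)
{
    printf("dword == 3C first written by %08X\n",
           (unsigned)first_hit(trace, TRACE_LEN, 4, 0x3Cu));
    printf("byte  == 3C first written by %08X\n",
           (unsigned)first_hit(trace, TRACE_LEN, 1, 0x3Cu));
    return 0;
}
```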
OpenStrife
Junior Member
Posts: 2
Joined: Mon Mar 18, 2013 2:43 pm

Post by OpenStrife »

http://i.imgur.com/VEmRKNQ.png

Here is a picture of how I have it set up. It's random. Sometimes it will work and flash in the bottom bar in yellow saying "xxxx writes per second" or it will not do anything at all. It's very strange.
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

Hello,

Why don't you try a completely different approach?

Use CHEAT ENGINE 6.2 --- Don't dismiss it because it's a "game" related application.

Go through the tutorials, and learn how to find code that writes a particular value, to a particular location (direct, indirect, pointer based, multiple stacked pointer based --- this gem handles everything), which I am sure is what you want. This program is specifically written for HIGH VOLUME memory location and instruction access/writes.

THEN, open that in your disassembler and take it forward?

Have Phun
Blame Microsoft, get l337 !!