Page 1 of 1

Conditional Hardware break on memory address not working

Posted: Mon Mar 18, 2013 2:48 pm
by OpenStrife

I have been search for the past week for a solution to this, but cannot find one. I have the memory address 0012EBFC that constantly has data being written to it 1200+ times per second by over 300 different instructions. Software memory breakpoints basically prevent the application from moving since the address is being written so many times. My goal is to breakpoint the program when 0012EBFC = 0x0000003C, and then at that point find out the instruction that wrote to it.

When I set a conditional Hardware Breakpoint with the condition to pause when 0012EBFC == 3C, it never pauses, even though I know that the address is infact turning to 3C for at least a split second.

I need to figure out what instruction, out of the 300+, writes 3C to this address. 3C corresponds to a specific action in this program. If I can breakpoint the memory right when it turns 3C 00 00 00 or 0x0000003C, then it should show me the last instruction to write to it... but I can't get the hardware to break on it at all.

Even if I do a hardware breakpoint with no conditions on this address, it still never pauses, as if it's not being hit, but I know the address is changing. Is my Ollydbg 2 bugged or am I just doing this wrong?

Posted: Mon Mar 18, 2013 5:07 pm
by naides
The problem might be that you are referring to a 4 byte address but trying to monitor a single byte. Are you sure that the "flag" is 4 byte long? FFFFFF3C != 3454323C != 0000003C. . .
If the key is only in the less significant byte, you need to reconsider your break point strategy.

Posted: Mon Mar 18, 2013 8:09 pm
by OpenStrife

Here is a picture of how I have it setup. It's random. Sometimes it will work and flash in the bottom bar in yellow saying "xxxx writes per second" or it will not do anything at all. It's very strange.

Posted: Mon Mar 18, 2013 11:06 pm
by Aimless

Why don't you try a completely different approach?

Use CHEAT ENGINE 6.2 --- Don't dismiss it because it's a "game" related application.

Go through the tutorials, and learn how to find code that write a particular value, to a particular location (direct, indirect, pointer based, multiple stacked pointer based --- this gem handles everything), which I am sure is what you want. This program is specifically written for HIGH VOLUME memory location and instruction access/writes.

THEN, open that in your disassembler and take it forward?

Have Phun