Hardware memory breakpoints

Posted: Sat Jul 13, 2013 7:42 pm
by remdynamic

When I have a certain byte or range of bytes of which I know it will contain certain interesting data at some point, I usually set a hardware breakpoint on it.

However, I noticed that it doesn't always break. For example, now I want to keep an eye on the byte at DS:[9F2020], so I set a hardware BP there. However

(EAX = 9F2020)

won't cause Olly to break. However

(EDI = 9F2024)

will cause Olly to break.

Am I misinterpreting the adressing system in Olly? I assume that

009F2020 | 00 00
__________^this is the byte on 009F2020

Do I need just to set my breakpoint a byte or 4 bytes before that?

Posted: Sun Jul 14, 2013 2:36 pm
by blabberer
how did you set hardware breakpoint
for memory read and write
you either need to set
hardware bp->memory on access->byte // word // dword or
hardware bp -> memory on write ->byte // word // dword

if you had set an execute break it will not break on access of that memory

i dont see any problems in hw bp

Code: Select all

00401000 >MOV     EAX, 403000
00401005  NOP
00401006  NOP
00401007  MOV     DWORD PTR DS:[EAX], EBP
00401009  MOV     DWORD PTR DS:[EAX], EBP
0040100B  NOP
0040100C  NOP
0040100D  NOP
0040100E  CALL    00403000
00401013  JMP     SHORT 00401013
Log data
Address Message

Code: Select all

00401009   Hardware breakpoint 2 at msgbox.00401009		<----------------- second breakpoint @401009 hit
						 	first 401007 did not hit though eax contains 403000
00403000   Hardware breakpoint 1 at msgbox.MsgCaption               execution hw bp hit