Exetools - Is there anything wrong with OllyDbg's conditional breakpoint

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - Is there anything wrong with OllyDbg's conditional breakpoint (https://forum.exetools.com/showthread.php?t=14989)

Is there anything wrong with OllyDbg's conditional breakpoint

In Windows XP SP3, there is an instruction
call [ebp+8]
at address +77D18731 for message processing:
77D1870C push ebp
77D1870D mov ebp, esp
77D1870F push esi
77D18710 push edi
77D18711 push ebx
77D18712 push DCBAABCD
77D18717 push esi
77D18718 push dword ptr [ebp+18]
77D1871B push dword ptr [ebp+14]
77D1871E push dword ptr [ebp+10]
77D18721 push dword ptr [ebp+C]
77D18724 mov eax, fs:[18]
77D1872A or byte ptr [eax+FB4], 1
==>77D18731 call [ebp+8]
77D18734 mov ecx, fs:[18]
77D1873B and byte ptr [ecx+FB4], 0
77D18742 cmp dword ptr [esp+4], DCBAABCD
77D1874A jnz 77D403B0
77D18750 add esp, 8
77D18753 pop ebx
77D18754 pop edi
77D18755 pop esi
77D18756 pop ebp
77D18757 retn 14

If I set a breakpoint at +77D18731 with the condition as follows:
[esp+4]==SomeHandle && [SomeAddress]==SomeValue
that breakpoint always fails, that is to say, the breakpoint
will not be triggered when the conditions have been true.

So, is there anything wrong with OllyDbg?

1. Use paretheses, liberally, even if they are or look redundant.

2. Is [SomeAddress] an absolute reference, or relative to ESP ?
If relative, it has to be explicit.

3. ESP is a pain and keeps changing. Are you sure that [ESP+4] points to the right address, at the right moment of the conditional BP?

4. The use of watches and a dry run under single step tracing, will help debug the debugger.

Quote:

Originally Posted by Naides (Post 84622)

1. Use paretheses, liberally, even if they are or look redundant.

Yes, I have tried using parentheses, but got the same result.

Quote:

2. Is [SomeAddress] an absolute reference, or relative to ESP ?
If relative, it has to be explicit.

[SomeAddress] is an absolute reference,
if it's relative to ESP, the breakpoint will be triggered.
I wonder OllyDbg gets confused when the breakpoint is
set at kernel while the condition is concerned with the
debugged process memory.

Quote:

3. ESP is a pain and keeps changing. Are you sure that [ESP+4] points to the right address, at the right moment of the conditional BP?

[esp+4] is actually hWND which is ready to process the current message.

Thanks.

Quote:

Originally Posted by BlackWhite (Post 84645)

[esp+4] is actually hWND which is ready to process the current message.

Thanks.

Well, taking a look at the Actual BP in your code

Code:

77D1872A or byte ptr [eax+FB4], 1

Here77D18731 call [ebp+8] There

77D18734 mov ecx, fs:[18]

In Here ESP+4 Is indeed pointing at the right address but when you are at There, ESP has changed because the call instruction pushes the return address into the stack.

So the question is, and I DO NOT know the answer off hand, does the Conditional gets evaluated before, during or after the call instruction??

I know that by design, 'Break on Read' or 'Break on Write' are evaluated AFTER the instruction at the bp has executed. . .

Quote:

Originally Posted by Naides (Post 84657)

Well, taking a look at the Actual BP in your code

Code:

77D1872A or byte ptr [eax+FB4], 1

Here77D18731 call [ebp+8] There

77D18734 mov ecx, fs:[18]

I do not think I am There when I set the
breakpoint at +77D18731, because if I change the condition to
[esp+4] ==SomeHandle
that breakpoint will always be triggered.

So the problem is actually concerned with the condition
[SomeAddress]==SomeValue
for example
[401000] == 12345678
Whether the above condition is satisfied or not when I reach
the breakpoint, OllyDbg does not stop.