conditional log breakpoint in Olly

Thread in the "WASM.BEGINNERS" section, created by user ltshck, 15 Jan 2009.

  1. ltshck (New Member; publications: 0; registered 5 Nov 2007; posts: 195)

    There was a question about how to use it.
    Here is how, for everyone.

    (if you have your own variants, bring them on!)

    1) open calc.exe in Olly 1.10
    2) press Ctrl+N to get the list of names (functions)
    3) type the keys 'T' 'R' 'A' one after another; the auto-search kicks in
    4) select TranslateMessage, press Enter; we land on the disassembled import table; press Enter
    5) after the last Enter we land in the USER32 module on the TranslateMessage function
    6) right-click the start of the function (mov edi,edi): Breakpoint -> Conditional log
    7) in the Explanation field write EAX
    in the Expression field write [ESP]
    Pause program - never
    Log value of expression - always
    Log function arguments - always
    8) press Alt+L, we see the Log Data window

    press F9 and look at the result:
    7E418BF6 COND: EAX = 0100219D
    7E418BF6 CALL to TranslateMessage from calc.01002197
    pMsg = WM_SYSTIMER hw = 24089C (class="Edit") wParam = FFFF lParam = BF8C39DA
    7E418BF6 COND: EAX = 0100219D
    7E418BF6 CALL to TranslateMessage from calc.01002197
    pMsg = WM_SYSTIMER hw = 24089C (class="Edit") wParam = FFFF lParam = BF8C39DA
    7E418BF6 COND: EAX = 0100219D
    7E418BF6 CALL to TranslateMessage from calc.01002197
    pMsg = WM_SYSTIMER hw = 24089C (class="Edit") wParam = FFFF lParam = BF8C39DA
    7E418BF6 COND: EAX = 0100219D
    7E418BF6 CALL to TranslateMessage from calc.01002197
    pMsg = WM_SYSTIMER hw = 24089C (class="Edit") wParam = FFFF lParam = BF8C39DA
    7E418BF6 COND: EAX = 0100219D
    7E418BF6 CALL to TranslateMessage from calc.01002197
    pMsg = WM_SYSTIMER hw = 24089C (class="Edit") wParam = FFFF lParam = BF8C39DA


    from this we conclude:

    Olly's Conditional log FEATURE is meant for logging arguments (or a specified value) or for pausing
    the program's execution at a particular place in the program.

    Quite an interesting thing, if you know where to put the cond log...
     
  2. a1tus (New Member; publications: 0; registered 5 Jan 2009; posts: 22)

    hm, but there is a manual for Olly (including a Russian one). everything seems to be described decently there.
     
  3. ltshck (New Member; publications: 0; registered 5 Nov 2007; posts: 195)

    You'd be surprised, but there is not a single decent example.

    Here, for instance, is a situation with a trace condition

    the following situation:

    somewhere in the big EXE disasm code there is:

    push eax // offset to "mydll.dll"

    call LoadLibrary

    so I want to find this and do a "RunTrace" with a condition set (in the section "Condition 1 is true"):

    EAX == "mydll.dll" – it says there is an error in the condition: Invalid operation '='

    So I wrote

    STRING [EAX] == "mydll.dll", STRING EAX == "mydll.dll" – the result is the same.

    After this I decided: 'mydll' in hex is '6d 79 64 6c 6c 00', so

    [EAX] is 0x6C64796D

    with this I tried to write a new trace condition:

    (EAX>400000) && (EAX<4DA000) && ([EAX] == 0x6C64796D)

    But during execution the trace stops with the error: unable to get contents of memory. BUT

    I understand that the reason for this is the situation when EAX==0, so the address [EAX] is invalid.



    Why are you checking the value of [EAX] in this condition? Look!

    (a>5) && some_condition

    Normally the operator priority is ==, then &&, then ||, and the checking goes from left to right. So when a==0 !!!

    the first condition a>5 is false, the operator is &&, so you need not check some_condition!!! Because the first one is already false!

    Also, if the condition is

    Cond1 || Cond2

    and Cond1 is true, then you should not check condition Cond2!!! Why? Because the result is independent of Cond2 when Cond1 is TRUE and the operator is ||.

    With these suggestions you can SPEED UP the RunTrace condition checking on the fly!

    And with this, it is possible to check the situation I wrote about:

    (EAX>400000) && (EAX<4DA000) && ([EAX] == 0x6C64796D)

    You can see that the operator is &&, so if ONE of these conditions is FALSE – DO NOT CHECK THE OTHERS!!!

    and how to solve it, who the hell knows!
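The trace condition from the third post, worked through in C as an added example (this is not code from the thread and not OllyDbg's own expression evaluator). It assumes a constructed byte image standing in for the EXE's data at 0x400000, holding "mydll.dll" at 0x400008 and a decoy "mydlx" at 0x400014; read_dword refuses addresses outside that image, which plays the role of the debugger's "unable to get contents of memory"; cond_from_post evaluates (EAX>400000) && (EAX<4DA000) && ([EAX] == 0x6C64796D) with C's left-to-right short-circuit, so [EAX] is only read once both range checks pass and an unreadable address simply makes the condition false; cond_full_string goes beyond the post by comparing the whole NUL-terminated name, which the four-byte test cannot do. All names, addresses and the image contents are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the EXE's data, assumed mapped at 0x400000.
 * Only these bytes are "readable"; the rest of the post's 400000..4DA000
 * range is treated as unmapped, like pages the debugger cannot read. */
#define IMAGE_BASE 0x400000u
static const uint8_t g_image[] =
    "ABCDEFGH"      /* 0x400000: padding */
    "mydll.dll\0"   /* 0x400008: the name we expect LoadLibrary to get */
    "--"            /* 0x400012: padding */
    "mydlx\0"       /* 0x400014: decoy sharing the first four bytes */
    "......";       /* 0x40001A: padding (plus the literal's own NUL) */
#define IMAGE_SIZE ((uint32_t)sizeof g_image)

static int g_read_attempts;   /* counts every [addr] dereference tried */

/* [addr] as a little-endian DWORD. Returns 0 when any of the four bytes
 * lies outside the image: OllyDbg's "unable to get contents of memory". */
static int read_dword(uint32_t addr, uint32_t *out)
{
    const uint8_t *p;
    g_read_attempts++;
    if (addr < IMAGE_BASE || addr - IMAGE_BASE > IMAGE_SIZE - 4)
        return 0;
    p = g_image + (addr - IMAGE_BASE);
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 1;
}

/* First four bytes of s as they sit in memory: "mydl" -> 0x6C64796D,
 * the constant the post derived by hand. */
static uint32_t dword_of(const char *s)
{
    return (uint32_t)(uint8_t)s[0] | (uint32_t)(uint8_t)s[1] << 8 |
           (uint32_t)(uint8_t)s[2] << 16 | (uint32_t)(uint8_t)s[3] << 24;
}

/* The post's range check; OllyDbg reads the bare literals as hex. */
static int in_post_range(uint32_t eax)
{
    return eax > 0x400000u && eax < 0x4DA000u;
}

/* (EAX>400000) && (EAX<4DA000) && ([EAX] == 0x6C64796D) with short-circuit
 * &&: the dereference runs only after both range checks pass, and an
 * unreadable address yields false instead of aborting the trace. */
static int cond_from_post(uint32_t eax)
{
    uint32_t v;
    return in_post_range(eax) && read_dword(eax, &v) && v == dword_of("mydl");
}

/* How many memory reads cond_from_post performed for this EAX (0 means
 * the range checks alone decided it). */
static int dereferences_for(uint32_t eax)
{
    g_read_attempts = 0;
    (void)cond_from_post(eax);
    return g_read_attempts;
}

/* Stricter variant: the whole NUL-terminated name must be readable inside
 * the range, so the "mydlx" decoy no longer matches. */
static int cond_full_string(uint32_t eax, const char *want)
{
    size_t n = strlen(want) + 1;                 /* compare the terminator too */
    uint32_t off;
    if (!in_post_range(eax))
        return 0;
    off = eax - IMAGE_BASE;
    if (off > IMAGE_SIZE || IMAGE_SIZE - off < n)
        return 0;                                /* would run off the image */
    return memcmp(g_image + off, want, n) == 0;
}

int main(void)
{
    const uint32_t probes[] = { 0x0u, 0x400008u, 0x400014u, 0x400020u };
    size_t i;
    printf("\"mydl\" as DWORD: %08X\n", dword_of("mydl"));
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("EAX=%08X post-condition=%d full-string=%d reads=%d\n",
               probes[i], cond_from_post(probes[i]),
               cond_full_string(probes[i], "mydll.dll"),
               dereferences_for(probes[i]));
    return 0;
}
```

The decoy shows why the hand-packed DWORD is only a prefilter: anything beginning with "mydl" passes the post's expression, while the full-string check also guards against an EAX that is inside the module range but points at an unmapped page.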