Question

当EBP-44包含指向特定字符串的指针时，我需要使用条件断点来查找位置。我尝试使用 ollydbg ，但由于EBP-44大部分为0（或其他无法读取的内存），因此运行跟踪失败并显示Run trace: invalid condition 1 - Unable to get contents of memory。有没有办法做到这一点？

我的状况：

[ASCII [EBP-1C]]=="MYSTRING"

此条件仅在代码中触发一次

Answer 1

tool ollydbg 1.10

演示代码

ebp-44:\>dir /b
ebp-44.cpp

ebp-44:\>type ebp-44.cpp
#include <stdio.h>
#include <windows.h>
int main (void)
{
    char *mystrarray[]  = {
        "humble bee", "bumblebee", NULL,"my naughty string", "my notty string",
        "my nauty string","my native string",NULL, "want to string me ",
        "come on string with me","string sings the song strong", NULL, NULL,
        "what's this string doing here in onederlaand", NULL,NULL,NULL,NULL,
        "teaching lice to string the strong","my golden bug is strumming here",
        "my gold trinket's stringing here", "my gold trinket's stringing hare",
        "want to string me ","come string me", "string sings the song strong",
        NULL,NULL,NULL,NULL,NULL,"my gold trinket's stringing hire",NULL,NULL
    };
    for (int i = 0; i < _countof(mystrarray) ; i++ )
    {
        register char *yoyo;
        yoyo = mystrarray[i];
        printf("%s\n", yoyo);
    }
    return 0;
}
ebp-44:\>cl /nologo /Zi /analyze /W4 ebp-44.cpp /link /RELEASE
ebp-44.cpp

ebp-44:\>ebp-44.exe
humble bee
bumblebee
(null)
my naughty string
my notty string
my nauty string
my native string
(null)
want to string me
come on string with me
string sings the song strong
(null)
(null)
what's this string doing here in onederlaand
(null)
(null)
(null)
(null)
teaching lice to string the strong
my golden bug is strumming here
my gold trinket's stringing here
my gold trinket's stringing hare
want to string me
come string me
string sings the song strong
(null)
(null)
(null)
(null)
(null)
my gold trinket's stringing hire
(null)
(null)

ebp-44:\>OLLYDBG.EXE ebp-44.exe

ebp-44:\>

设置breakpoint on main and f9来运行exe 当它打破主要点击ctrl+t (condition to pause run trace) check mark condition is true复选框在条件框中输入

STRING [[ EBP-90]] == "my gold trinket's stringing hare"

{EBP-90]取决于查看反汇编可能因您的情况而有所不同使用适当的地址

0040111A   |MOV     ECX, DWORD PTR SS:[EBP-8C]             ; yoyo = mystrarray[i];
00401120   |MOV     EDX, DWORD PTR SS:[EBP+ECX*4-88]
00401127   |MOV     DWORD PTR SS:[EBP-90], EDX
0040112D   |MOV     EAX, DWORD PTR SS:[EBP-90]             ; printf("%s\n", yoyo);
00401133   |PUSH    EAX
00401134   |PUSH    ebp-44.0041235C
00401139   |CALL    ebp-44.printf

点击ctrl + f11（追踪到）

当[ebp-90]包含字符串

时，

ollydbg将中断

Log data, item 0
 Message=Conditional pause: STRING [[ EBP-90]] == "my gold trinket's stringing hare"

请参阅上面的汇编，edx将我们的字符串转发给[ebp-90]

EDX=004122D0 (ebp-44.004122D0), ASCII "my gold trinket's stringing hare"
Stack SS:[0013FEE8]=004122D0 (ebp-44.004122D0), ASCII "my gold trinket's stringing hare"
ebp-44.cpp:18.  yoyo = mystrarray[i];

这是打破时的ebp打印

Log data, item 0
 Message=ebp  = 13ff78  ebp-90 = 13fee8   [ebp-90] = 4122d0  [[ebp-90]]  = 6720796d  STRING [[ebp-90]]  = my gold trinket's stringing hare " see 6d792067 ascii equivalent for "my g"

条件断点，EBP包含字符串指针

1 个答案: