Debugging 条件断点，EBP包含字符串指针_Debugging_Breakpoints_Ollydbg_Conditional Breakpoint

Debugging 条件断点，EBP包含字符串指针

debugging

Debugging 条件断点，EBP包含字符串指针,debugging,breakpoints,ollydbg,conditional-breakpoint,Debugging,Breakpoints,Ollydbg,Conditional Breakpoint,当EBP-44包含指向特定字符串的指针时，我需要使用条件断点来查找位置。我尝试使用ollydbg，但由于EBP-44大部分为0（或其他不可读内存），运行跟踪失败，出现Run Trace:invalid condition 1-无法获取内存内容。有没有办法做到这一点我的情况： [ASCII [EBP-1C]]=="MYSTRING" 此条件仅在代码ollydbg 1.10工具中触发一次演示代码 ebp-44:\>dir /b ebp-44.cpp ebp-44:\>type e

当

EBP-44

包含指向特定字符串的指针时，我需要使用条件断点来查找位置。我尝试使用ollydbg，但由于

EBP-44

大部分为0（或其他不可读内存），运行跟踪失败，出现

Run Trace:invalid condition 1-无法获取内存内容。有没有办法做到这一点
我的情况：
[ASCII [EBP-1C]]=="MYSTRING"

此条件仅在代码ollydbg 1.10工具中触发一次
演示代码
ebp-44:\>dir /b
ebp-44.cpp

ebp-44:\>type ebp-44.cpp
#include <stdio.h>
#include <windows.h>
int main (void)
{
    char *mystrarray[]  = {
        "humble bee", "bumblebee", NULL,"my naughty string", "my notty string",
        "my nauty string","my native string",NULL, "want to string me ",
        "come on string with me","string sings the song strong", NULL, NULL,
        "what's this string doing here in onederlaand", NULL,NULL,NULL,NULL,
        "teaching lice to string the strong","my golden bug is strumming here",
        "my gold trinket's stringing here", "my gold trinket's stringing hare",
        "want to string me ","come string me", "string sings the song strong",
        NULL,NULL,NULL,NULL,NULL,"my gold trinket's stringing hire",NULL,NULL
    };
    for (int i = 0; i < _countof(mystrarray) ; i++ )
    {
        register char *yoyo;
        yoyo = mystrarray[i];
        printf("%s\n", yoyo);
    }
    return 0;
}
ebp-44:\>cl /nologo /Zi /analyze /W4 ebp-44.cpp /link /RELEASE
ebp-44.cpp

ebp-44:\>ebp-44.exe
humble bee
bumblebee
(null)
my naughty string
my notty string
my nauty string
my native string
(null)
want to string me
come on string with me
string sings the song strong
(null)
(null)
what's this string doing here in onederlaand
(null)
(null)
(null)
(null)
teaching lice to string the strong
my golden bug is strumming here
my gold trinket's stringing here
my gold trinket's stringing hare
want to string me
come string me
string sings the song strong
(null)
(null)
(null)
(null)
(null)
my gold trinket's stringing hire
(null)
(null)

ebp-44:\>OLLYDBG.EXE ebp-44.exe

ebp-44:\>

{EBP-90]是从查看中提取的。在您的情况下，反汇编可能会有所不同，请使用适当的地址
0040111A   |MOV     ECX, DWORD PTR SS:[EBP-8C]             ; yoyo = mystrarray[i];
00401120   |MOV     EDX, DWORD PTR SS:[EBP+ECX*4-88]
00401127   |MOV     DWORD PTR SS:[EBP-90], EDX
0040112D   |MOV     EAX, DWORD PTR SS:[EBP-90]             ; printf("%s\n", yoyo);
00401133   |PUSH    EAX
00401134   |PUSH    ebp-44.0041235C
00401139   |CALL    ebp-44.printf

按ctrl+f11键（跟踪到）
当[ebp-90]包含字符串时，ollydbg将中断
Log data, item 0
 Message=Conditional pause: STRING [[ EBP-90]] == "my gold trinket's stringing hare"

参见上面的组件edx正在将我们的字符串传送到[ebp-90]
EDX=004122D0 (ebp-44.004122D0), ASCII "my gold trinket's stringing hare"
Stack SS:[0013FEE8]=004122D0 (ebp-44.004122D0), ASCII "my gold trinket's stringing hare"
ebp-44.cpp:18.  yoyo = mystrarray[i];

这是一张ebp破损的照片
Log data, item 0
 Message=ebp  = 13ff78  ebp-90 = 13fee8   [ebp-90] = 4122d0  [[ebp-90]]  = 6720796d  STRING [[ebp-90]]  = my gold trinket's stringing hare " see 6d792067 ascii equivalent for "my g"

您可以尝试在GDB中使用条件断点。我建议您
Log data, item 0
 Message=ebp  = 13ff78  ebp-90 = 13fee8   [ebp-90] = 4122d0  [[ebp-90]]  = 6720796d  STRING [[ebp-90]]  = my gold trinket's stringing hare " see 6d792067 ascii equivalent for "my g"