Is there anything wrong with OllyDbg's conditional breakpoint

[BlackWhite]

Quote:

Originally Posted by Naides

1. Use paretheses, liberally, even if they are or look redundant.

Yes, I have tried using parentheses, but got the same result.

Quote:

2. Is [SomeAddress] an absolute reference, or relative to ESP ?
If relative, it has to be explicit.

[SomeAddress] is an absolute reference,
if it's relative to ESP, the breakpoint will be triggered.
I wonder OllyDbg gets confused when the breakpoint is
set at kernel while the condition is concerned with the
debugged process memory.

Quote:

3. ESP is a pain and keeps changing. Are you sure that [ESP+4] points to the right address, at the right moment of the conditional BP?

[esp+4] is actually hWND which is ready to process the current message.

Thanks.

[Naides]

Quote:

Originally Posted by BlackWhite

[esp+4] is actually hWND which is ready to process the current message.

Thanks.

Well, taking a look at the Actual BP in your code

Code:

77D1872A or byte ptr [eax+FB4], 1
Here77D18731 call [ebp+8] There
77D18734 mov ecx, fs:[18]

In Here ESP+4 Is indeed pointing at the right address but when you are at There, ESP has changed because the call instruction pushes the return address into the stack.

So the question is, and I DO NOT know the answer off hand, does the Conditional gets evaluated before, during or after the call instruction??

I know that by design, 'Break on Read' or 'Break on Write' are evaluated AFTER the instruction at the bp has executed. . .

[BlackWhite]

Quote:

Originally Posted by Naides

Well, taking a look at the Actual BP in your code

Code:

77D1872A or byte ptr [eax+FB4], 1
Here77D18731 call [ebp+8] There
77D18734 mov ecx, fs:[18]

In Here ESP+4 Is indeed pointing at the right address but when you are at There, ESP has changed because the call instruction pushes the return address into the stack.

So the question is, and I DO NOT know the answer off hand, does the Conditional gets evaluated before, during or after the call instruction??

I know that by design, 'Break on Read' or 'Break on Write' are evaluated AFTER the instruction at the bp has executed. . .

I do not think I am There when I set the
breakpoint at +77D18731, because if I change the condition to
[esp+4] ==SomeHandle
that breakpoint will always be triggered.

So the problem is actually concerned with the condition
[SomeAddress]==SomeValue
for example
[401000] == 12345678
Whether the above condition is satisfied or not when I reach
the breakpoint, OllyDbg does not stop.