BreakPoint in OllyDBG – Part 1 – All things in moderation

BreakPoint in OllyDBG – Part 1

Common BreakPoint (BPX)

Usually, for a given instruction we want to put a BPX on, the simplest way is to select that instruction line and press F2; pressing F2 again removes the BP from it.

Now open OllyDBG and load the executable file. If you want to place a BP on any instruction line, just remember to press F2 on that line.

As the illustration shows, when I press F2 at 00401052 the line is immediately highlighted in red (or whatever colour you configured in Olly). This means I have placed a BP at 00401052 |. E8 D1030000 CALL ; \LoadIconA. You can open the window that manages breakpoints by pressing B, or go to the menu and choose Windows -> BreakPoints:

You can see the BP we have just set listed in this window.

Let's look at this BreakPoints management window.

We see that in the Active column the state of the BP we set is Always; this means the BP is always armed, in other words it will trigger whenever we execute the program. When we select the line and right-click on it, we get the following context menu:

Remove: removes the breakpoint from the list of BPs that this window manages.
Disable: temporarily disables our bp without removing it from the list, so we can activate it again when needed.
Edit Condition: with this option we turn our bp into another kind of breakpoint (a conditional one); this kind of bp will be discussed below.
Follow in Disassembler: with a long list of bps we can hardly remember which code each one relates to; this feature takes us to the point where we set the bp in the code window.
Disable all: similar to Disable, but it disables all the bps in the Breakpoints window.
Copy to clipboard: copies information about the bp to the clipboard. Selecting this feature shows some additional sub-options.

Try selecting Copy to Clipboard -> Whole line; this copies the line we selected. Whole table copies every item currently listed in the Breakpoints window. This is the result when we choose Whole line:

Breakpoints, item 0
Address=00401052
Module=Crackme1
Active=Always
Disassembly=CALL

We have set a bp at 0x00401052; now we need to check that the bp works as we want. Press F9 to run the program and you will immediately see that execution has stopped where we put it:

You can see the following status:

Now let's find out what really happened. Is there any change to the instruction when we set a BP on it? Right-click at 0x00401052 and select:

Looking at the Dump window, you can see:

Comparing the information in the Dump window with the CPU window, we see that nothing has changed: in the Dump window you see the bytes E8 D1 03 00 00, which correspond to the instruction CALL <JMP.&USER32.LoadIconA> in the CPU window. This makes us wonder: if nothing has changed, why does the program stop at the point where I put the BP when I run it? To verify whether there really is a change, restart Olly (Ctrl + F2) and make sure the BP at 0x00401052 is still set.

After restarting Olly we stop at the EP of the program; now edit the code at the EP as follows:

The purpose of this code is simply to read the contents at address 0x401052 and save them in the EAX register. To make this easier to follow, look at the Tip window:

Looking at the Dump window, we see that these are the original bytes, not yet changed. Press F7 to trace, and the EAX register shows a very interesting change:

Notice that in the Dump window the bytes remain the same, but in the EAX register we see a different value: 0x0003d1cc. Roughly, this is explained as follows: when I place a BP at 0x401052, Olly replaces the first byte of the instruction (E8) with a different value, 0xCC. Reading the dword at 0x401052 little-endian, the unmodified bytes E8 D1 03 00 would give 0x0003d1e8, so the low byte CC in EAX reveals the substitution that the Dump window hides. If you convert this CC byte into an asm instruction it is int3, a special instruction (also called a trap to the debugger) which raises an exception when we try to execute the program. More information: “So generally it is complex to set a breakpoint in an arbitrary place of the program. The debugger should save the current value of the memory location at the specified address, then write the code 0xCC there. Before exiting the debug interrupt, the debugger should return everything to its former place, and should modify IP saved in the stack so that it points to the beginning of the restored instruction. (Otherwise, it points to its middle.)”
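The mechanism described above (save the original byte, write 0xCC, restore it and rewind EIP when the trap fires), modelled in C as an added example; this is not code from the original post or from OllyDBG. It assumes a constructed 8-byte window of Crackme1's code at 0x401052 holding the bytes the Dump window showed, and a small breakpoint table standing in for the Breakpoints window.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of Crackme1's code at 0x401052: CALL <JMP.&USER32.LoadIconA>
 * (E8 D1 03 00 00) as shown in Olly's dump, padded with NOPs. */
#define CODE_BASE 0x00401052u
static uint8_t code[8] = {0xE8, 0xD1, 0x03, 0x00, 0x00, 0x90, 0x90, 0x90};

/* One software breakpoint: its address and the byte that INT3 displaced. */
typedef struct { uint32_t addr; uint8_t saved; int active; } bpx_t;
static bpx_t bps[4];                      /* stands in for the Breakpoints window */

/* What "MOV EAX, DWORD PTR [401052]" reads: a little-endian dword. */
uint32_t read_dword(uint32_t addr) {
    const uint8_t *p = code + (addr - CODE_BASE);
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Pressing F2: save the original byte, then write INT3 (0xCC) over it.
 * Returns the table slot used, or -1 if the table is full. */
int bpx_set(uint32_t addr) {
    for (int i = 0; i < 4; i++) {
        if (bps[i].active) continue;
        bps[i] = (bpx_t){ addr, code[addr - CODE_BASE], 1 };
        code[addr - CODE_BASE] = 0xCC;
        return i;
    }
    return -1;
}

/* The CPU executed INT3, so EIP points one byte past it. Put the displaced byte
 * back and rewind EIP to the instruction start, otherwise execution would resume
 * in the middle of the CALL. (A real debugger re-arms the 0xCC after
 * single-stepping the restored instruction.) Returns the EIP to resume at, or 0
 * if no breakpoint of ours is at that address. */
uint32_t bpx_on_trap(uint32_t eip_after_int3) {
    uint32_t addr = eip_after_int3 - 1;
    for (int i = 0; i < 4; i++) {
        if (!bps[i].active || bps[i].addr != addr) continue;
        code[addr - CODE_BASE] = bps[i].saved;
        return addr;
    }
    return 0;
}

int main(void) {
    printf("EAX before F2 = %08X\n", read_dword(CODE_BASE));   /* 0003D1E8 */
    bpx_set(CODE_BASE);
    printf("EAX after F2  = %08X\n", read_dword(CODE_BASE));   /* 0003D1CC */
    printf("resume EIP    = %08X\n", bpx_on_trap(CODE_BASE + 1));
    return 0;
}
```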

Besides selecting the instruction and pressing F2, we have another way of placing a BP: find the address to set the BP on and type the command in the Command Bar plugin:

BPX is often used for placing BPs on the program's API functions, though it also depends on the version of Windows you are using. For those on Windows NT / 2000 / XP / 2003, placing a BP on a specific API function is simple: just type BP [name of the function] in the Command Bar as follows:

Result:

So we have seen the difference between BPX and BP: BPX does not set a breakpoint at the specified address as BP does, but instead sets a BP at each reference to that address. Theory should be put into practice: set both BP and BPX on the MessageBoxA API at the same time and observe the Breakpoints window:

In the next part I will continue introducing breakpoints in OllyDBG. I hope you will follow this series. Thank you!
