[Reposted document] OllyDbg conditional breakpoints - saved only for my own reading and notes

- Conditional breakpoint (shortcut Shift+F2) is an ordinary INT3 breakpoint with an associated expression. Each time the debugger encounters this breakpoint, it evaluates the expression and, if the result is non-zero or the expression is invalid, stops the debugged program. Of course, the overhead caused by a false conditional breakpoint is very high (mostly due to latencies of the operating system). On a PII/450 under Windows NT, OllyDbg processes up to 2500 false conditional breakpoints per second. An important case of conditional breakpoint is a break on a Windows message (like WM_PAINT). For this purpose you can use the pseudovariable MSG together with the proper interpretation of arguments. If the window is active, consider the message breakpoint described below.


- A conditional breakpoint (shortcut Shift+F2) is an ordinary INT3 breakpoint with an attached conditional expression. When the debugger encounters such a breakpoint it evaluates the expression and, if the result is non-zero or the expression is invalid, pauses the debugged program. Of course, the overhead caused by breakpoints whose condition is false is very high (mainly due to the operating system's response time). Under Windows NT on a Pentium II/450, OllyDbg can process at most 2500 false conditional breakpoints per second. A typical use of a conditional breakpoint is to break on a Windows message (e.g. WM_PAINT). For this you can combine the pseudovariable MSG with the proper argument specification. If the window is active, refer to the message breakpoint described later.



Original (English)

OllyDbg supports very complex expressions. Formal grammar of expressions is described at the end of this topic, but honestly - you are not interested in it, are you? So I'll begin with examples:




10 - constant 0x10 (unsigned). All integer constants are assumed hexadecimal unless followed by a decimal point;


10. - decimal constant 10 (signed);


'A' - character constant 0x41;


EAX - contents of register EAX, interpreted as unsigned number;


EAX. - contents of register EAX, interpreted as signed number;


[123456] - contents of unsigned doubleword at address 123456. By default, OllyDbg assumes doubleword operands;


DWORD PTR [123456] - same as above. Keyword PTR is optional;


[SIGNED BYTE 123456] - contents of signed byte at address 123456. OllyDbg allows both MASM- and IDEAL-like memory expressions;


STRING [123456] - ASCII zero-terminated string that begins at address 123456. Square brackets are necessary because you display the contents of memory;


[[123456]] - doubleword at address that is stored in doubleword at address 123456;


2+3*4 - evaluates to 14. OllyDbg assigns standard C priorities to arithmetical operations;


(2+3)*4 - evaluates to 20. Use parentheses to change the order of operations;


EAX.<0. - 0 if EAX is in range 0..0x7FFFFFFF and 1 otherwise. Notice that constant 0 is also signed. When comparing signed with unsigned, OllyDbg always converts signed operand to unsigned.


EAX<0 - always 0 (false), because unsigned numbers are always positive.


MSG==111 - true if message is WM_COMMAND. 0x0111 is the code for WM_COMMAND. Use of MSG makes sense only within conditional or conditional logging breakpoint set on call to or entry of known function that processes messages.


[STRING 123456]=="Brown fox" - true if memory starting from address 0x00123456 contains ASCII string "Brown fox", "BROWN FOX JUMPS", "brown fox???" or similar. The comparison is case-insensitive and limited in length to the length of text constant.


EAX=="Brown fox" - same as above, EAX is treated as a pointer.


UNICODE [EAX]=="Brown fox" - OllyDbg treats EAX as a pointer to UNICODE string, converts it to ASCII and compares with text constant.


[ESP+8]==WM_PAINT - in expressions, you can use hundreds of symbolic constants from Windows API.


([BYTE ESI+DWORD DS:[450000+15*(EAX-1)]] & 0F0)!=0 - an absolutely valid expression.


And now the formal grammar. Each element in braces ( {} ) may occur only once; the order of the embraced elements is not important:




expression = memterm | memterm <binary operation> memterm


memterm = term | { sigmod sizemod prefix [ } expression ]


term = (expression) | unaryoperation memterm | signedregister | register | fpuregister | segmentregister | integerconst | floatingconst | stringconst | parameter | pseudovariable


unaryoperation = ! | ~ | + | -


signedregister = register .


register = AL | BL | CL ... | AX | BX | CX ... | EAX | EBX | ECX ...


fpuregister = ST | ST0 | ST1 ...


segmentregister = CS | DS | ES | SS | FS | GS


integerconst = <decimal constant>. | <hexadecimal constant> | <character constant> | <symbolic API constant>


floatingconst = <floating constant>


stringconst = "<string constant>"


sigmod = SIGNED | UNSIGNED


sizemod = BYTE | CHAR | WORD | SHORT | DWORD | LONG | QWORD | FLOAT | DOUBLE | FLOAT10 | STRING | UNICODE


prefix = term:


parameter = %A | %B // Allowed in inspectors only


pseudovariable = MSG // Code of window message


This grammar is not too strict, there is an intrinsic ambiguity in the interpretation of [WORD [EAX]] or similar expressions. Is this a DWORD on address which is stored in two bytes on address EAX, or is this a WORD on address to be taken from 4-byte memory addressed by EAX? OllyDbg tries to add modifiers to the outermost address as long as it's possible. In our case, [WORD [EAX]] is equivalent to WORD [[EAX]].


By default, BYTE, WORD and DWORD are unsigned whereas CHAR, SHORT and LONG are signed. All general-purpose registers are unsigned. One may use the explicit modifiers SIGNED and UNSIGNED (even with registers). In binary operations, if one of the operands is float, the other will be converted to float; otherwise, if one is unsigned, the other will also be converted to unsigned. Floating-point types do not accept UNSIGNED. The MASM-compatible keyword PTR after a size modifier (as in BYTE PTR) is also allowed but not required. Register names and size modifiers are not case-sensitive.


You can use following C-like arithmetical operations (priority 0 is highest):


Priority  Type            Operations
0         Unary           ! ~ + -
1         Multiplication  * / %
2         Addition        + -
3         Shifts          << >>
4         Comparisons     < <= > >=
5         Comparisons     == !=
6         Bitwise AND     &
7         Bitwise XOR     ^
8         Bitwise OR      |
9         Logical AND     &&
10        Logical OR      ||

In calculations, intermediate results are kept as either DWORD or FLOAT10. Some combinations of term types and operations are not allowed. For example, QWORDs can only be displayed; STRING and UNICODE allow only + and - (as if they were C pointers) and comparison for equal/not equal with a STRING, UNICODE or string constant; you cannot shift a FLOAT; etc.



Chinese translation (rendered here in English)

OllyDbg supports very complex expressions. The syntax of expressions is described at the end of this topic, but I doubt you are really interested in it. So I will begin with a few examples:





10 - constant 0x10 (unsigned). All integer constants are taken to be hexadecimal unless followed by a decimal point;


10. - decimal constant 10 (signed);


'A' - character constant 0x41;


EAX - contents of register EAX, interpreted as an unsigned number;


EAX. - contents of register EAX, interpreted as a signed number;


[123456] - unsigned doubleword at address 123456. By default, OllyDbg assumes doubleword operands;

DWORD PTR [123456] - same as above. The keyword PTR is optional;


[SIGNED BYTE 123456] - signed byte at address 123456. OllyDbg supports both MASM-style and IDEAL-style memory expressions;

STRING [123456] - zero-terminated ASCII string beginning at address 123456. The square brackets are required because you are displaying the contents of memory;

[[123456]] - doubleword at the address held in the doubleword stored at address 123456;


2+3*4 - evaluates to 14. OllyDbg applies standard C operator priorities to arithmetic;


(2+3)*4 - evaluates to 20. Use parentheses to change the order of evaluation.


EAX.<0. - 0 if EAX is in the range 0 to 0x7FFFFFFF, 1 otherwise. Note that 0 is also signed. When a signed number is compared with an unsigned one, OllyDbg converts the signed operand to unsigned.


EAX<0 - always 0 (false), because an unsigned number is always positive.


MSG==111 - true if the message is WM_COMMAND. 0x0111 is the value of WM_COMMAND. MSG can be used only in a conditional breakpoint set on a function that processes messages.


[STRING 123456]=="Brown fox" - value 1 if memory starting at address 0x00123456 holds the ASCII string "Brown fox", "BROWN FOX JUMPS", "brown fox???" or a similar string. The comparison ignores case and is limited to the length of the text constant.


EAX=="Brown fox" - same as above; EAX is treated as a pointer.


UNICODE [EAX]=="Brown fox" - OllyDbg treats EAX as a pointer to a UNICODE string, converts it to ASCII, and compares it with the text constant.


[ESP+8]==WM_PAINT - in expressions you can use hundreds of Windows API symbolic constants.


([BYTE ESI+DWORD DS:[450000+15*(EAX-1)]] & 0F0)!=0 - this is an absolutely valid expression.


Now the grammar. Each element inside braces ({}) may appear only once, and the elements inside the braces may appear in any order:




expression = memterm | memterm <binary operator> memterm


memterm = term | { sigmod sizemod prefix } [ expression ]


term = (expression) | unaryoperator memterm | signedregister | register | fpuregister | segmentregister | integerconst | floatingconst | stringconst | parameter | pseudovariable


unaryoperator = ! | ~ | + | -


signedregister = register.


register = AL | BL | CL ... | AX | BX | CX ... | EAX | EBX | ECX ...


fpuregister = ST | ST0 | ST1 ...


segmentregister = CS | DS | ES | SS | FS | GS


integerconst = <decimal constant>. | <hexadecimal constant> | <character constant> | <symbolic API constant>


floatingconst = <floating-point constant>


stringconst = "<string constant>"


sigmod = SIGNED | UNSIGNED


sizemod = BYTE | CHAR | WORD | SHORT | DWORD | LONG | QWORD | FLOAT | DOUBLE | FLOAT10 | STRING | UNICODE


prefix = term:


parameter = %A | %B // allowed only in inspectors


pseudovariable = MSG // code of the window message


This grammar is not strict; interpreting [WORD [EAX]] or similar expressions is ambiguous. It can be read as the doubleword at the address given by the two-byte value stored at the address in EAX, or as the word at the address given by the four-byte value stored at the address in EAX. OllyDbg places modifiers as far outward on the address as possible, so in this case [WORD [EAX]] is equivalent to WORD [[EAX]].


By default, BYTE, WORD and DWORD are unsigned, while CHAR, SHORT and LONG are signed. You may also use the explicit modifiers SIGNED or UNSIGNED. In binary operations, if one operand is floating-point the other is converted to floating-point; otherwise, if one is unsigned the other is converted to unsigned. Floating-point types do not support UNSIGNED. The MASM-compatible keyword PTR after a size modifier (e.g. BYTE PTR) is allowed but may be omitted. Register names and size modifiers are not case-sensitive.


You can use the following C-like operators (level 0 is the highest):


Priority  Type            Operators
0         Unary           ! ~ + -
1         Multiplication  * / %
2         Addition        + -
3         Shifts          << >>
4         Comparisons     < <= > >=
5         Comparisons     == !=
6         Bitwise AND     &
7         Bitwise XOR     ^
8         Bitwise OR      |
9         Logical AND     &&
10        Logical OR      ||

During evaluation, intermediate results are kept as DWORD or FLOAT10. Some combinations of types and operations are not allowed. For example, QWORD values can only be displayed; STRING and UNICODE allow only addition and subtraction (like C pointers) and equality comparison with a STRING, UNICODE or string constant; you cannot shift a floating-point (FLOAT) value; and so on.
