Ollydbg condition

Question

I need Ollydbg to pause when one of the registers contains a certain string. Any way I could accomplish that?

Answer 1

right click on your code and select

search for > All intermodular calls

look for RegQueryValueEx or RegCreateKeyEx functions. they are in Advapi32.dll

you should know which parameter set an string to write.

look here: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724875%28v=vs.85%29.aspx

Answer 2

I dont understand you clearly. You cant load strings in a register at all :) You can set a breakpoint on the loading data. for example -> your value "Have a nice day!", set a BP on this adress. Olly will break everytime the string is loaded. Else I cant understand your question.

But still here a little tutorial.

First I loaded my pe file and found a string "GAMMA" its a configuration creation programm for a onlinegame.

http://img7.imagebanana.com/img/hu6kg56k/findstr.png

Now lets find it in the Dump. Doubleclick on "GAMMA" in the references, now we are it the disasm window, doubleclick the PUSH or follow in dump section and goto string expression. Select Your string and set a hardwarebp like below.

http://img7.imagebanana.com/img/pejyx72i/bp.png

Hit F9 or the play button at the top of Olly and we break at the first point where our string is loaded. Sure if you want to find a specific place you have to step and step again until you find your point.

http://img6.imagebanana.com/img/f7w15fr6/hwbp1.png

EDIT:

You may trace the code with F7 to see when the string is called from the stack.

Answer 3

Try OllyStepNSearch
It gives you a simple way to make debugging stop when one of the register has a specific string

Answer 4

What version of OllyDbg are you using?
Have you tried version 2.0? It has some condition checking that may help you (although I'm not sure if OllyDbg can watch a specific register).

Trace -> Set condition...