OD SHIFT + F4 conditional breakpoint usage

Source: Internet
Author: User

Let's talk about the log that ALT + L opens, and how to fill it ~

After you press SHIFT + F4 on an instruction, a dialog box appears with the following fields:

1) The first line is "Condition": enter the condition you are interested in. Take the following two instructions as an example:

0041150 push eax
0041151 call [TranslateMessage]

If you want to know whether ESI is zero at this point, set the condition ESI = 0 or ESI != 0; the condition is about ESI and need not use the EAX of this line. Of course, you can also break at 0041150 and chase messages. For example, if you want to know how mouse-move messages are handled, set MSG = WM_MOUSEMOVE or MSG = 0200 (the numeric code for mouse move). Someone may ask whether message logging only works when the breakpoint is on the line with the function call. In fact it is not necessary to break on line 0041151, the one that dispatches the message, but breaking on the function line has the advantage that the function arguments can be logged, which is discussed below ~
The "condition" is written in MASM32 assembly syntax, with operators such as =, !=, >, <.

2) "Explanation" => "Expression"
"Decode value of expression"

"Explanation" is a comment. It doesn't matter whether you add one, unless you have many breakpoints logging, in which case it helps you tell them apart in the log ~
"Expression" is actually the core of our log. When the "condition" from 1) is true, the program logs the content we entered in "expression"; for example, when ESI = 0 we log the value of [eax + 4].
It is the content you are interested in. If you want to log the message, enter MSG. In many cases we enter only a "condition" and no "expression", and then after the program pauses the log shows "unknown function or identifier!"; that's why.
The "decode value of expression" below can be selected as you like. It only interprets the logged data; for example, if we log [eax + 4] and its value is 201, then with "Message code (WM_XXX)" selected the log (ALT + L to view it) shows 201 decoded as WM_LBUTTONDOWN.
If you select Boolean, the value 201 in the log is followed by TRUE. In fact OD simply re-interprets the logged data according to the selected type ~~

3) Pause program => Always / On condition / Never
These three options control whether the program is paused, or just logged without pausing, when the condition evaluates true. It depends on your debugging needs ~

4) Log value of expression => Always / On condition / Never
Well, if we choose "never", what is the point of filling in an "expression"? If we choose "always", the log is no longer conditional: the expression is logged every time execution reaches this line. That may still be useful sometimes; think about it yourself .. I won't go into it.
Generally choose "on condition".

5) Log function arguments => Always / On condition / Never
This line is grayed out if the instruction is not a function call ~~ Logging function arguments makes sense: we can see a lot of information directly. For example, on the line with the function call we can set "condition" to EAX = 0 and "expression" to [EAX + 4], and then select "on condition" for logging function arguments here. Of course, if you only want to log the arguments of the function called here, leave "condition" and "expression" empty, and 3) and 4) will also change to "never". You may not see anything in the log, because EAX may never equal 0 when this line runs, so it is better to change the condition to EAX > 0. After the program has run for a while the log fills with records like PMSG = XXXX Hw = XXXX, which are the arguments of the function called here ~~ We can also log the CreateFileA function, so we know which files are opened ~~

6) "Pass count": 0 is unlimited

7) "If program pauses, pass following arguments to plugin ..."
I don't know this one. The above is what I do. I hope the experts can help us newbies learn ~~

Note: You can also right-click in the OD menu "View" => "Windows" and choose the message breakpoint; SHIFT + F4 opens it, and it is actually a form of the conditional log breakpoint ~~~

For example:
Suppose a program requires registration and clicking a button opens a registration window. We want to break on the Registration button to see what is executed after it ~~

If the registration window is a dialog box, it must be created with the CreateDialogParam or DialogBoxParam function. If you don't know these two functions, go back to the book first... Use the plug-in "window tool" in OD to obtain the Registration button's identifier (that is, its ID), for example 0422, and write it down for later ~,

Set breakpoints on these two functions in OD, then run the program so that it breaks when the registration window is displayed. Look at the stack in OD: the 4th parameter of this function, pDlgProc, is the entry of the dialog procedure. Here 0041b0b0 is the entry.

Go to the dialog procedure entry, press SHIFT + F4, and enter [ESP + 8] = 0111 & [ESP + C] = 0422 in "condition".
"Expression" can be left blank; pause the program "on condition".
Someone will ask why. Remember: because this is a procedure call, data must first be pushed onto the stack, in the standard phrase, passing parameters! For a dialog procedure or window procedure, the message data (the fields of the MSG structure) has already been pushed onto the stack when execution reaches the entry. So [ESP + 8] is exactly the WM_xxx message; after clicking the button we must capture the WM_COMMAND message, that is, 111. Isn't that clear ~ [ESP + C] is the wParam parameter, which carries the window ID. This condition breaks when you press the Registration button with ID 422, and then you can single-step from there ~~ Of course, the window tool also shows the child window handle of the button; [ESP + 10] is that value, so you can also replace the [ESP + C] = 0422 condition with it. They are all the same.
What if a friend asks: what do I do without the tool? SHIFT + F4 at the procedure entry, leave condition and expression empty, and select only "log function arguments". Then we get a bunch of records; find the ones showing WM_COMMAND and use the ID in their content as the value for [ESP + C] =, trying them one by one.
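The condition [ESP + 8] = 0111 & [ESP + C] = 0422 from the dialog procedure example, together with the "decode value of expression" step from 2), as an added example that is not part of the original post: a small Python model of how such a condition is evaluated against the stdcall stack at a DlgProc entry. The stack frame, handles and return address are constructed samples, and the parser covers only the =, !=, >, < and & forms used in this post, not OllyDbg's full expression syntax.

```python
import re
import struct

# Names for the message codes the post mentions (WM_xxx values are hexadecimal).
MSG_NAMES = {0x111: "WM_COMMAND", 0x200: "WM_MOUSEMOVE", 0x201: "WM_LBUTTONDOWN"}

def dlgproc_frame(hwnd, msg, wparam, lparam, esp=0x0012FF70):
    """Constructed 32-bit little-endian stack as a stdcall DlgProc sees it at
    entry: [ESP]=return address, [ESP+4]=hWnd, [ESP+8]=uMsg, [ESP+C]=wParam,
    [ESP+10]=lParam. The return address and ESP value are made-up samples."""
    stack = struct.pack("<5I", 0x77D18734, hwnd, msg, wparam, lparam)
    regs = {"ESP": esp, "ESI": 0}            # only the registers the demo needs
    mem = {esp + i: b for i, b in enumerate(stack)}
    return regs, mem

def read_dword(mem, addr):
    """Read a little-endian dword; unmapped bytes read as zero."""
    return int.from_bytes(bytes(mem.get(addr + i, 0) for i in range(4)), "little")

def operand(tok, regs, mem):
    """[REG+hex] reads a dword; a register name; else a bare number, hex by default."""
    tok = tok.strip()
    m = re.fullmatch(r"\[\s*(\w+)\s*\+\s*([0-9A-Fa-f]+)\s*\]", tok)
    if m:
        return read_dword(mem, regs[m.group(1).upper()] + int(m.group(2), 16))
    if tok.upper() in regs:
        return regs[tok.upper()]
    return int(tok, 16)

OPS = {"!=": lambda a, b: a != b, "=": lambda a, b: a == b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def condition_true(cond, regs, mem):
    """Evaluate a condition such as '[ESP+8]=0111 & [ESP+C]=0422': every
    '&'-joined term must hold for the breakpoint to fire."""
    for term in cond.split("&"):
        m = re.fullmatch(r"\s*(.+?)\s*(!=|=|>|<)\s*(.+?)\s*", term)
        if not m:
            raise ValueError(f"cannot parse condition term {term!r}")
        left, op, right = m.group(1), m.group(2), m.group(3)
        if not OPS[op](operand(left, regs, mem), operand(right, regs, mem)):
            return False
    return True

def decode_message(code):
    """The 'decode value of expression as message code' step: 201 -> WM_LBUTTONDOWN."""
    return MSG_NAMES.get(code, f"unknown ({code:X})")
```

With a WM_COMMAND frame for control ID 0x422 the condition holds; with a WM_LBUTTONDOWN frame it does not, and the same dword decodes to WM_LBUTTONDOWN.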
