
I am analysing a crash. The crash occurs in a function that is always in use; if I set a breakpoint in this function, the program always stops.

When the crash occurs, the mm3 register is overwritten. I want the breakpoint to trigger when mm3 is overwritten with my values.

The original state of the mm3 register is 0:0:e3cb:f144; when it crashes it is aaaa:aa00:0:0.

When I try this:

bp abpatch ".if @mm3  = aaaa:aa00:0:0  {} .else {gc}"

Error: I can't use ":" in bp.

If I try this:

bp abpatch ".if @mm3  = aaaaaa000:0  {} .else {gc}"

or

bp abpatch ".if (@mm3 & 0x0`ffffffff) = 0x0`aaaaaa0000  {} .else {gc}"

the program crashes and doesn't stop.

Commonly I analyse the crash with -4 at the address where the function crashes, but now this function is always running in the program.

I put aaaa for easy location.

I think I also need to stop just before mm3 gets these values, but I don't know :(

How can I put a breakpoint on the mm3 register? Any other solution for this?

Any help or suggestion? Thank you in advance.

Regards

asked by spider-45, edited by Jason Geffner

1 Answer

bp abpatch ".if mm3 = aaaaaa0000000000 {} .else {gc}"

– Jason Geffner
  • Perfect, great, it works. Thank you very much. Regards. – spider-45 Jan 21 '14 at 23:17
  • Make mm3 into @mm3: using @ in front of registers avoids spurious symbol search time, as mm3 can also be interpreted as a symbol. – blabb Jan 22 '14 at 04:35
  • Thanks for the comment, but why are six more zeros needed? In the register I see aaaa:aa00:0:0. With other registers do I also need to add the zeros? Sorry, I am new to WinDbg, and the extra zeros confuse me. – spider-45 Jan 22 '14 at 21:38
  • @spider-45: aaaa:aa00:0:0 is shorthand for aaaaaa0000000000. WinDbg doesn't accept the shorthand form as input for conditional statements. – Jason Geffner Jan 22 '14 at 23:11
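The last two comments are where the confusion sits: WinDbg prints an MMX register as four 16-bit words separated by colons, most significant word first, with the leading zeros of each word dropped, so aaaa:aa00:0:0 is really the 64-bit value aaaaaa0000000000 and 0:0:e3cb:f144 is 00000000e3cbf144. The following Python helper, added here as an illustration and not part of the question or answer, parses that display form, re-expands it to the 16-hex-digit literal that .if expressions accept, and builds the conditional bp command using the @ prefix that blabb recommends. The function names, the regular expression and the sample values are this example's own; it runs offline and needs no debugger.

```python
import re

# WinDbg MMX display: four 16-bit words, colon-separated, MSW first,
# each word shown without leading zeros (e.g. "aaaa:aa00:0:0").
MMX_DISPLAY_RE = re.compile(
    r"^([0-9a-fA-F]{1,4}):([0-9a-fA-F]{1,4}):([0-9a-fA-F]{1,4}):([0-9a-fA-F]{1,4})$"
)


def mmx_display_to_u64(display: str) -> int:
    """Parse WinDbg's colon-separated MMX register display into a 64-bit integer."""
    m = MMX_DISPLAY_RE.match(display.strip())
    if not m:
        raise ValueError(f"not a WinDbg MMX register display: {display!r}")
    value = 0
    for word in m.groups():
        # Each field is one 16-bit word; shifting by 16 restores the dropped zeros.
        value = (value << 16) | int(word, 16)
    return value


def mmx_u64_to_literal(value: int) -> str:
    """Render a 64-bit value as the 16-hex-digit literal WinDbg accepts in .if expressions."""
    if not 0 <= value < (1 << 64):
        raise ValueError("MMX registers are 64 bits wide")
    return f"{value:016x}"


def build_conditional_bp(location: str, register: str, display_value: str) -> str:
    """Build 'bp <loc> ".if @<reg> = <literal> {} .else {gc}"' from the displayed value.

    The '@' prefix tells WinDbg the name is a register, so it does not try a
    symbol lookup for 'mm3' every time the breakpoint condition is evaluated.
    """
    literal = mmx_u64_to_literal(mmx_display_to_u64(display_value))
    return f'bp {location} ".if @{register} = {literal} {{}} .else {{gc}}"'


if __name__ == "__main__":
    # Constructed sample inputs taken from the values quoted in the question.
    for shown in ("aaaa:aa00:0:0", "0:0:e3cb:f144"):
        print(f"{shown:>15} -> {mmx_u64_to_literal(mmx_display_to_u64(shown))}")
    print(build_conditional_bp("abpatch", "mm3", "aaaa:aa00:0:0"))
```

Running it shows why the answer needs six extra zeros: the two trailing 0 fields are each a full 16-bit word, and aa00 already carries its own zeros, so the expanded literal is aaaa + aa00 + 0000 + 0000. The same expansion applies to any register WinDbg prints in this word-separated style; general-purpose registers such as rax are printed as a single hex number and need no conversion.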