
OllyDbg Custom Breakpoint

Topic created on: October 16, 2007 05:17 CDT by ravinc30.

I am using OllyDbg to debug an application which reads/writes a number of files. Can anyone tell me whether it is possible to put a breakpoint on CreateFileA/CreateFileW for a specific file name?

  Arcane     October 16, 2007 06:31.51 CDT
AFAIK that's not possible in standard Olly, but maybe OllyScript can help you.

  frankboldewin     October 16, 2007 06:34.39 CDT
memorywatch plugin by ziggy/snd should do the job.

  fnkt     October 16, 2007 11:13.14 CDT
> ravinc30: I am using OllyDbg to debug an application which reads/writes a number of files. Can anyone tell me whether it is possible to put a breakpoint on CreateFileA/CreateFileW for a specific file name?


You can use a conditional breakpoint and check for the filename on the stack.
If you set the bp in kernel32.dll you could use something like
STRING[[esp+4]] == "C:\your\filename.here"
for the condition.
Additional conditions could be added with the || operator, at least as far as I remember.
OllyDbg's manual will help.
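What that condition actually evaluates, as an added example (not code from the thread or from OllyDbg): at the entry of a stdcall API on 32-bit Windows, [esp] holds the return address and [esp+4] the first argument, which for CreateFileA/CreateFileW is the lpFileName pointer. The script below reproduces the dereference over a constructed memory snapshot (ESP, STR_ADDR and RET_ADDR are made-up values) and shows the caveat that CreateFileA takes an ANSI string while CreateFileW takes UTF-16, so applying the ASCII (STRING) decoder to the W variant yields only the first character. It also compares case-insensitively, since Windows paths are, and accepts several target names, which is what chaining conditions with || achieves.

```python
# Added example (not code from the thread or from OllyDbg): the logic behind
# fnkt's condition  STRING[[esp+4]] == "C:\your\filename.here"  at the entry
# of kernel32!CreateFileA/CreateFileW on 32-bit Windows.
# At API entry the stack holds [esp] = return address and [esp+4] = first
# stdcall argument, which for CreateFile* is lpFileName. The memory snapshot,
# ESP, STR_ADDR and RET_ADDR below are constructed so the script runs offline;
# a debugger script would replace read() with the debugger's memory-read API.
import struct

ESP = 0x0012EEA0        # constructed stack pointer at CreateFile* entry
STR_ADDR = 0x00403000   # constructed address of the filename buffer
RET_ADDR = 0x00401234   # constructed return address sitting at [esp]


def build_memory(filename: str, wide: bool) -> dict:
    """Constructed snapshot {base_address: bytes}: the stack frame and the string."""
    if wide:   # CreateFileW: UTF-16LE, double-NUL terminated
        blob = filename.encode("utf-16-le") + b"\x00\x00"
    else:      # CreateFileA: ANSI/ASCII, single-NUL terminated
        blob = filename.encode("ascii") + b"\x00"
    stack = struct.pack("<II", RET_ADDR, STR_ADDR)   # [esp], [esp+4]
    return {ESP: stack, STR_ADDR: blob}


def read(mem: dict, addr: int, size: int) -> bytes:
    """Read `size` bytes at `addr` from the snapshot, failing on unmapped memory."""
    for base, blob in mem.items():
        if base <= addr and addr + size <= base + len(blob):
            return blob[addr - base:addr - base + size]
    raise ValueError(f"unmapped read at {addr:#010x}")


def read_dword(mem: dict, addr: int) -> int:
    return struct.unpack("<I", read(mem, addr, 4))[0]


def read_cstring(mem: dict, addr: int, wide: bool) -> str:
    """Decode a NUL-terminated string: OllyDbg's STRING (ASCII) or UNICODE decoder."""
    unit = 2 if wide else 1
    out = bytearray()
    while True:
        ch = read(mem, addr, unit)
        if ch == b"\x00" * unit:
            break
        out += ch
        addr += unit
    return out.decode("utf-16-le" if wide else "ascii")


def filename_at_entry(mem: dict, esp: int, wide: bool) -> str:
    """STRING[[esp+4]] / UNICODE[[esp+4]]: dereference the pointer, then decode."""
    lp_filename = read_dword(mem, esp + 4)
    return read_cstring(mem, lp_filename, wide)


def should_break(mem: dict, esp: int, wide: bool, targets) -> bool:
    """The breakpoint condition. Windows paths are case-insensitive, so fold case;
    several targets stand in for chaining conditions with ||."""
    name = filename_at_entry(mem, esp, wide).lower()
    return any(name == t.lower() for t in targets)


if __name__ == "__main__":
    mem = build_memory(r"C:\your\filename.here", wide=True)
    print(filename_at_entry(mem, ESP, wide=True))
    print(should_break(mem, ESP, True, [r"C:\YOUR\FILENAME.HERE"]))
    # Wrong decoder on the W variant: ASCII decoding stops at the first NUL high byte.
    print(repr(filename_at_entry(mem, ESP, wide=False)))
```

The practical consequence is that a breakpoint on CreateFileW needs the UNICODE decoder (or "pointer to Unicode string" in the logging dialog) and one on CreateFileA needs STRING; mixing them up makes the condition silently never match.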

  anonymouse     October 16, 2007 12:09.29 CDT
Yes, you can stop on every file create in OllyDbg.

Ctrl+G -> type CreateFileW --> Shift+F4 --> expression [esp+4]

In the "decode value of expression as" drop-down box select "pointer to Unicode string".

Pause: never --> log value of expression: always --> log value of functions: never --> OK


and hit F9.

You will get a nice output of all files accessed (saveable to a text file and greppable at leisure using "log to file" in the log window).

Here is a sample output of all files OllyDbg itself accesses on opening itself:


edit

Since my original post is quoted in its entirety in the reply, I am cutting the bs from my post.
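Once the log window has been saved with "log to file", the "greppable at leisure" step can be scripted. The following is an added example, not part of anonymouse's post, that parses the log format quoted later in this thread (Address / Message columns, with `COND: <pointer> "<name>"` lines for each breakpoint hit and `Module <path>` lines for module loads). SAMPLE_LOG is constructed in that format and the function names are this example's own.

```python
# Added example (not from the thread): post-processing the OllyDbg log window
# output produced by the logging breakpoint above, once saved with "Log to file".
# The sample is constructed in the same format as the log quoted later in the
# thread; the function names are this example's own.
import re
from collections import Counter

SAMPLE_LOG = r"""Log data
Address    Message
00401000   Program entry point
5AD70000   Module C:\WINDOWS\system32\uxtheme.dll
7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\common.arg"
7C810976   COND: 0012EEAC "\\.\PIPE\lsarpc"
7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.udd"
7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.udd"
7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMCTL32.DLL"
7C810976   COND: 7FFDDC00 "OLLYDBG.dbg"
"""

# One log line per breakpoint hit: <bp address>  COND: <lpFileName>  "<decoded name>"
COND_RE = re.compile(r'^(?P<addr>[0-9A-F]{8})\s+COND:\s+(?P<ptr>[0-9A-F]{8})\s+"(?P<name>.*)"$')
# Module load events that OllyDbg logs on its own
MODULE_RE = re.compile(r'^(?P<addr>[0-9A-F]{8})\s+Module\s+(?P<path>.+)$')


def parse_log(text: str):
    """Return (files, modules): file names in the order the debuggee opened them,
    and the module paths from load events. Other lines are ignored."""
    files, modules = [], []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            files.append(m.group("name"))
            continue
        m = MODULE_RE.match(line)
        if m:
            modules.append(m.group("path"))
    return files, modules


def access_counts(files):
    """Hits per path, case-folded because Windows paths are case-insensitive;
    repeated probes of the same file (the .udd lines) collapse into one key."""
    return Counter(f.lower() for f in files)


def grep(files, pattern: str):
    """The 'greppable at leisure' step: case-insensitive regex filter."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [f for f in files if rx.search(f)]


def classify(files):
    """Triage helper: separate device/named-pipe opens and bare (relative) names,
    which depend on the search path, from ordinary absolute-path opens."""
    tags = []
    for f in files:
        if f.startswith("\\\\.\\"):
            tags.append((f, "device or named pipe"))
        elif not re.match(r"^[A-Za-z]:\\", f):
            tags.append((f, "relative name"))
    return tags


if __name__ == "__main__":
    files, modules = parse_log(SAMPLE_LOG)
    for path, n in access_counts(files).most_common():
        print(n, path)
    print(grep(files, r"\.udd$"))
    print(classify(files))
```

Running it on a real saved log answers the original question after the fact: `grep(files, r"filename\.here$")` lists every open of the file of interest, and `classify` surfaces the opens that are not plain files (the `\\.\PIPE\lsarpc` entry in the quoted log) or that are resolved through a search path rather than an absolute path.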

  jms     October 16, 2007 12:10.47 CDT
Yeah, you could do this in ImmunityDebugger with a couple of lines of Python as well. If you are interested I can drop a quick post on it.

  ravinc30     October 18, 2007 00:33.00 CDT
> anonymouse: Yes, you can stop on every file create in OllyDbg.
>
> ctrl+g -> type CreateFileW --> shift+f4 --> expression [esp+4]
>
> in the decode value of expression as drop down box select pointer to unicode string
>
> pause never --> log value of expression always --> log value of functions never --> ok
>
>
> and hit f9
>
> you will get a nice output of all files accessed (saveable to a text file and greppable at leisure using log to file in log window)
>
> here is a sample output of all files ollydbg itself accesses on opening itself
>
>
> Log data
> Address    Message
> 00401000   Program entry point
> 773D0000   Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
> 5AD70000   Module C:\WINDOWS\system32\uxtheme.dll
> 74720000   Module C:\WINDOWS\system32\MSCTF.dll
> 76BF0000   Module C:\WINDOWS\system32\PSAPI.DLL
> 76C90000   Module C:\WINDOWS\system32\IMAGEHLP.DLL
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\common.arg"
> 02450000   Module C:\Documents and Settings\speed\Desktop\odbg110\Cmdline.dll
> 6D510000   Module C:\Documents and Settings\speed\Desktop\odbg110\DBGHELP.DLL
> 02870000   Module C:\Documents and Settings\speed\Desktop\odbg110\BOOKMARK.DLL
> 7C810976   COND: 0012EEAC "\\.\PIPE\lsarpc"
> 605D0000   Module C:\WINDOWS\system32\mslbui.dll
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.EXE"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\common.arg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.arg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.EXE"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.udd"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.udd"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.EXE"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.EXE"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.tds"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.EXE"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\OLLYDBG.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\OLLYDBG.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\OLLYDBG.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\OLLYDBG.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\OLLYDBG.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\EXE\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\EXE\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "OLLYDBG.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMCTL32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMCTL32.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMCTL32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMCTL32.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMCTL32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\COMCTL32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\COMCTL32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMCTL32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\COMCTL32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\COMCTL32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMCTL32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\COMCTL32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMCTL32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\DLL\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\DLL\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "COMCTL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMDLG32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMDLG32.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMDLG32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMDLG32.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMDLG32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\COMDLG32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\COMDLG32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMDLG32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\COMDLG32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\COMDLG32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMDLG32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\COMDLG32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\COMDLG32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\DLL\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\DLL\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "COMDLG32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\OLE32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLE32.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\OLE32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\OLE32.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\OLE32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\OLE32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\OLE32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLE32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\OLE32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\OLE32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\OLE32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\OLE32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\OLE32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\DLL\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\DLL\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "OLE32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\VERSION.DLL"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\VERSION.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\VERSION.DLL"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\VERSION.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\VERSION.DLL"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\VERSION.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\VERSION.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\VERSION.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\VERSION.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\VERSION.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\VERSION.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\VERSION.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\VERSION.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\DLL\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\DLL\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "VERSION.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\msvcrt.dll"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\msvcrt.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\msvcrt.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\msvcrt.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\msvcrt.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\msvcrt.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\msvcrt.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\msvcrt.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\msvcrt.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\msvcrt.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\msvcrt.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\msvcrt.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\msvcrt.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\dll\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\dll\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "msvcrt.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\USER32.dll"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\USER32.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\USER32.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\USER32.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\USER32.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\USER32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\USER32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\USER32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\USER32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\USER32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\USER32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\USER32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\USER32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\dll\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\dll\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\USER32.dbg"
> 7C810976   COND: 7FFDDC00 "USER32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ADVAPI32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ADVAPI32.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ADVAPI32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ADVAPI32.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ADVAPI32.DLL"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\ADVAPI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\ADVAPI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ADVAPI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\ADVAPI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\ADVAPI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ADVAPI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\ADVAPI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ADVAPI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\DLL\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\DLL\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "ADVAPI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\RPCRT4.dll"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\RPCRT4.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\RPCRT4.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\RPCRT4.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\RPCRT4.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\RPCRT4.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\RPCRT4.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\RPCRT4.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\RPCRT4.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\RPCRT4.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\RPCRT4.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\RPCRT4.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\RPCRT4.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\dll\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\dll\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "RPCRT4.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\GDI32.dll"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\GDI32.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\GDI32.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\GDI32.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\GDI32.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\GDI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\GDI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\GDI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\GDI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\GDI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\GDI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\GDI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\GDI32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\dll\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\dll\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "GDI32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHLWAPI.dll"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHLWAPI.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHLWAPI.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHLWAPI.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHLWAPI.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\SHLWAPI.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\SHLWAPI.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHLWAPI.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\SHLWAPI.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\SHLWAPI.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHLWAPI.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\SHLWAPI.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHLWAPI.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\dll\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\dll\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "SHLWAPI.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\kernel32.dll"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\kernel32.udd"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\kernel32.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\kernel32.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\kernel32.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\kernel32.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\kernel32.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\kernel32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\kernel32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\kernel32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\kernel32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\kernel32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\kernel32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\kernel32.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\kernel32.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\dll\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\dll\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "kernel32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ntdll.dll"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ntdll.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ntdll.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ntdll.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ntdll.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\sym\ntdll.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\ntdll.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ntdll.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\sym\ntdll.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\sym\ntdll.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ntdll.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\sym\ntdll.sym"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\ntdll.sym"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\dll\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\dll\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "ntdll.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHELL32.dll"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHELL32.udd"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHELL32.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHELL32.tds"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHELL32.dll"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\symbols\SHELL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\SHELL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\symbols\SHELL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHELL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHELL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHELL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\WINDOWS\system32\SHELL32.dbg"
> 7C810976   COND: 7FFDDC00 "C:\Documents and Settings\speed\Desktop\odbg110\SHELL32.dbg"
> 7C810976   COND: 7FFDDC00 \"C:\\Documents and Settings\\speed\\Desktop\\odbg110\\SHELL32.dbg\"
> 7C810976   COND: 7FFDDC00 \"SHELL32.dbg\"
> 7C810976   COND: 7FFDDC00 \"C:\\Documents and Settings\\speed\\Desktop\\odbg110\\symbols\\sym\\SHELL32.sym\"
> 7C810976   COND: 7FFDDC00 \"C:\\Documents and Settings\\speed\\Desktop\\odbg110\\sym\\SHELL32.sym\"
> 7C810976   COND: 7FFDDC00 \"C:\\Documents and Settings\\speed\\Desktop\\odbg110\\SHELL32.sym\"
> 7C810976   COND: 7FFDDC00 \"C:\\WINDOWS\\system32\\symbols\\sym\\SHELL32.sym\"
> 7C810976   COND: 7FFDDC00 \"C:\\WINDOWS\\system32\\sym\\SHELL32.sym\"
> 7C810976   COND: 7FFDDC00 \"C:\\WINDOWS\\system32\\SHELL32.sym\"
> 7C810976   COND: 7FFDDC00 \"C:\\Documents and Settings\\speed\\Desktop\\odbg110\\sym\\SHELL32.sym\"
> 7C810976   COND: 7FFDDC00 \"C:\\Documents and Settings\\speed\\Desktop\\odbg110\\SHELL32.sym\"
> 7C810976   COND: 7FFDDC00 \"C:\\WINDOWS\\system32\\symbols\\dll\\SHELL32.dbg\"
> 7C810976   COND: 7FFDDC00 \"C:\\WINDOWS\\system32\\dll\\SHELL32.dbg\"
> 7C810976   COND: 7FFDDC00 \"C:\\WINDOWS\\system32\\SHELL32.dbg\"
> 7C810976   COND: 7FFDDC00 \"SHELL32.dbg\"
>


I tried it. But maybe I am not expert enough to use it; I do not understand it fully. Can you please explain all the inputs needed to fill in the box, or provide some screenshot?

  anonymouse     October 18, 2007 12:24.52 CDT
> ravinc30: I tried it. But maybe I am not expert enough to use it; I do not understand it fully. Can you please explain all the inputs needed to fill in the box, or provide some screenshot?

I don't know how to explain it better than what I already explained, still I will attempt once again

find and go to the CreateFileW api in kernel32.dll

easiest way is to hit ctrl+g (goto) and type CreateFileW and hit ok
you should be somewhere near here

7C810976 kernel32.CreateFileW   MOV     EDI, EDI

or view -> executable modules -> select kernel32.dll -> right click -> view names -> scroll down in the new window and find CreateFileW

Names in kernel32, item 492
Address=7C810976
Section=.text
Type=Export  (Known)
Name=CreateFileW
Comment=7 arguments

and double click on the line; you should be in CreateFileW()

7C810976 kernel32.CreateFileW   MOV     EDI, EDI

with that line selected press the shift key and the f4 key at the same time, one after another (like you do ctrl+alt+delete)
shift+f4 should pop up a dialog

its heading should be
set conditional log breakpoint at kernel32.CreateFileW

if not, stop and redo till you get this dialog box with this heading

now you should see a condition edit box; ignore it
in the next line you will see
explanation = expression (two edit boxes); ignore explanation

in the expression edit box type [esp+4]

in the next line you should see the decode value of expression as drop down box (a small arrow will be visible; you can click it and it will drop down a list that you can select from and use)

it will have a default Assumed by Expression string already
click the arrow
point your mouse to Pointer to Unicode String and click it
you should see the decode box filled with Pointer to Unicode string

now below this there should be three radio buttons

leave the first radio button (pause program) in its default position, never pause

change the second radio button (log value of expression) to Always

you should notice the ok button will be enabled now which was grayed out by default

leave the third radio button in its default value never

hit ok

after you hit ok you should see a pink marker in the first line
7C810976 kernel32.CreateFileW             MOV     EDI, EDI                                 ;  ntdll.7C910738

if there is a pink marker then you have set a conditional breakpoint

you can do view -> breakpoints (alt+b) and confirm whether your breakpoint is set correctly or not

Breakpoints, item 1
Address=7C810976 kernel32.CreateFileW
Module=kernel32
Active=Log
Disassembly=MOV     EDI, EDI

if it is there

do view log (alt+l)
right click --> log to file --> choose your path to the log file and your name of the log file (or leave it to default log.txt)

now you are all set

hit f9 (or run or step through or trace or animate or whatever )

when you are finished you can close the log file

view -> log (alt+l) --> right click -> close log file

Log data, item 0
Message=Log file closed

now you can read, grep, or edit your log file
7C810976  COND: 0012EEAC "\\.\PIPE\lsarpc"

and when you have narrowed down something
you can use shift+f4 again and set conditions, change the pause program radio button to on condition, and do all the other things you fancy

and while replying please don't quote the full reply
quote only relevant parts

and no, I can't provide a screenshot as I don't think this forum accepts image uploading to threads
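The log.txt written by the steps above tends to be long, so a small triage script helps before you pick a path for the next shift+f4 condition. This is an added example, not code from the thread or from OllyDbg; it assumes the line shape the post shows (breakpoint address, COND:, pointer value, quoted decoded string) and uses constructed sample paths.

```python
import re
from collections import Counter

# One line of OllyDbg's "log value of expression" output as the post shows it:
# breakpoint address, "COND:", raw [esp+4] (a pointer), then the decoded Unicode string.
LOG_LINE = re.compile(r'^([0-9A-Fa-f]{8})\s+COND:\s+([0-9A-Fa-f]{8})\s+"(.*)"\s*$')

# Constructed stand-in for a log.txt saved with "log to file"; the application
# paths are invented for this example, and the first line is a non-COND line.
SAMPLE_LOG = """\
Log file opened
7C810976  COND: 0012EEAC "\\\\.\\PIPE\\lsarpc"
7C810976  COND: 7FFDDC00 "C:\\WINDOWS\\system32\\ntdll.dll"
7C810976  COND: 7FFDDC00 "C:\\Program Files\\App\\config.ini"
7C810976  COND: 7FFDDC00 "C:\\WINDOWS\\system32\\ntdll.dll"
7C810976  COND: 0012EEAC "C:\\Program Files\\App\\data\\licence.key"
7C810976  COND: 0012EEAC "C:\\Program Files\\App\\config.ini"
"""

def parse_log(text):
    """(breakpoint_addr, pointer, path) for each COND line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append((m.group(1).upper(), m.group(2).upper(), m.group(3)))
    return entries

def count_paths(entries):
    """Distinct paths and how often each reached CreateFileW, most frequent first."""
    return Counter(path for _, _, path in entries).most_common()

def find_paths(entries, needle):
    """Distinct paths containing needle; case-insensitive, as Win32 paths are."""
    needle = needle.lower()
    return sorted({path for _, _, path in entries if needle in path.lower()})

def is_noise(path):
    """Heuristic: files under the Windows directory and device/pipe paths are
    usually loader or OS activity rather than the file you are hunting for."""
    p = path.lower()
    return p.startswith("c:\\windows\\") or p.startswith("\\\\.\\")

def interesting_paths(entries):
    """Distinct non-noise paths in first-seen order, i.e. candidates for a shift+F4 condition."""
    seen = []
    for _, _, path in entries:
        if not is_noise(path) and path not in seen:
            seen.append(path)
    return seen
```

On a real log, call parse_log(open("log.txt").read()) and then interesting_paths() on the result.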

  ravinc30     October 19, 2007 01:34.51 CDT
I could make it to work now. Thanks a lot for your kind help.
