Hi,

im fairly new to IDA and i cant figure out how to look at the value the following instruction is pointing to

cmp dword ptr [esi+edi*4+0B10h], 0

neither the registers or the stack view is helpful. Any hints ?

Thanks

The simplest answer is that you cannot (or should not) know the value pointed by this complicated instruction unless you are using IDA debugger in real time. Moreover, the value pointed by dword ptr [esi+edi*4+0B10h], may change in different runs by either address or contents, representing particular states of your program. So debugging real time is the only sensible answer. . .

sorry if i did not make myself clear - of course im doing a debugging session and want to see what the value is and also memory data around it.

when i know how todo that, i would like to watch the value for any changes

maybe if i elaborate my problem a bit more:

the ptr is pointing at an int array, i need to figure out when and how this array is modified - its one array that is valid for the whole process afaik

if mouse-over doesnt work then do the calculations, press g, enter address you came up with and hit enter

the problem is not viewing the value - i need a write/read trace at that value, to view which sub function modifies the memory

doesnt doubleclick bring you to memory location that expression is pointing? i rly cant remember, but i think it does. if not - do calculations as i said, when you are at address - put a breakpoint and trace all you need :] note - doing all this you first have to break on that exact line, because only then this expression is certainly valid.

@harakiri: open the break point list choose add new breakpoint in the menu, enter your address ( you said that viewing the address is not a problem ) and select trace instead of break. You will get the results in a seperate window, telling you what write access is, what read access is, and so on...

Regards,
OHPen.

Thanks, but isnt the address there a breakpoint for the function address (file offset? virtual memory?)
i need a breakpoint into the memory - but of [esi+edi*4+0B10h]

just follow that address in IDA view and put a breakpoing there. since everything is in memory (including code section) your breakpoint will be in memory too. then its matter of setting right breakpoint. i bet you need read/write type and not execute.

@harakiri: You can not set a generic memory breakpoint like [esi+edi*4+0B10h], but you can resolve the address once, and when the memory location is interesting for you can set a breakpoint on that memory address.

harakiri:

Interesting choice of username. Are you planning to do it here?

Perhaps "toshiro mifune" would have worked.

Don't forget to write your death poem first.

Regards,

hah, reversing is serious business, and a bit dangerous