So I have been reversing a piece of malware recently and figured I could use a conditional breakpoint that would break whenever the zero flag was set for a specific jz instruction. I read the documentation on the web and in the help file that OllyDbg provides but can't find any examples of how I would do that. In the online documentation it says that the EFL or Flags registers can be used in a watch/conditional breakpoint expression, but there is no mention of how to refer to them. I tried a simple expression such as ZF == 1 as well as ZF = 1 (just in case I had it wrong) and it didn't work. I searched Google like mad and found nothing, so I am hoping someone out there has found some way to reference the flags register. For those of you who wonder why I don't just use an expression without the flags register: well, I am more curious as to how to reference the flags register in the event I really need it.
Thanks in advance!
AFAIK you can't break on a particular flag name for EFLAGS, but you can get the value from EFLAGS, so you still have multiple possibilities from there:
Note: tested on OllyDbg v2.01.
1) Break on the whole value of EFLAGS (note that the EFLAGS register in OllyDbg's conditional syntax is referred to as either EFL or FLAGS):
EFL==0x246
2) Break on a particular flag.
Either use the bit position as a mask:
Example with ZF (bit 6 set to 1 is 0x40): (EFL & 0x40)==0x40
Or shift the flags by its position, mask that bit only and test for it:
Example with ZF (bit 6): (EFL >> 6) & 1==1