
Offbreak 0.3


aluigi, posted Tue Oct 21, 2014 10:44 am (1098)


http://aluigi.org/mytoolz.htm#offbreak

Finally I have released the new version of Offbreak.

The following information comes from the homepage and the runtime help:
Code:
tool that monitors the offsets of specific files read and written by a target program and breaks its execution for debugging it.
Offbreak can set an INT3, set a hardware and software breakpoint, automatically attach the system debugger and display a MessageBox when the monitored files and offsets are handled by the target.
to make the debugging easier, Offbreak sets some registers to show the buffer containing the data read/written, the amount of bytes in the operation, name of the API and full name of the file.
additional information is available at runtime.

Code:
Offbreak 0.3
by Luigi Auriemma
e-mail: [email protected]
web:    aluigi.org


Usage: offbreak [options] [file] [offsets] ... [file] [offsets]

Options:
-f F O   alternative way to specify the file and offsets, you can use it
         multiple times for each file you want to monitor and it's useful
         if you want to specify arguments for your command to execute,
         O can be a single offset or a sequence like 0x123,10,0x00112233445566
-P       force the handling of the cmd argument as a process name, that's done
         by default if doesn't exist a command to execute and it's not a pid
-K F     get other Offbreak options from the file F, they can be written one
         per line or all on the same line and so on

Offbreak DLL options, when the files/offsets are catched:
-3       toggle INT3 on success (default on)
-b       toggle hardware memory breakpoint (default off)
-s       toggle software memory breakpoint on whole page (default off)
-D       attach the default system debugger (AEDEBUG) on success
-m       display a MessageBox (before INT3) on success

Verbose options:
-v       verbose debugging of Offbreak DLL, used only for testing
-q       quiet, no usage of OutputDebugString
-t       toggle debug trace file .\offbreak_x_%u.log (default off)

Other options:
-p       no suspend mode, use in case you get immediate crashes
-d       attach default system debugger (AEDEBUG) when the command is launched
-0       no injection, launch the target program without any action

Information:
  The comparison of the monitored filename with the accessed one is based on
  the name you specify, the tool supports both relative and absolute paths
  without checking the drive letter, so feel free to specify just the name of
  the file or its partial or full path.
  It's not possible to specify a "range" to monitor, one offset is one byte.
  Information about the status of the Offbreak DLL are visible inside the
  debugger or with DebugView due to the usage of OutputDebugString, check
  the *** pattern.
  This build works only with 32bit targets.

Values in the registers when the files/offsets are catched:
  EAX    exact point of the memory where the data to monitor is located
  ECX    amount of bytes to read/write requested by the monitored API
  EDX    name of the monitored API
  EBX    name of the file
  ESI    beginning of the buffer that contains the monitored data (EAX)

Examples:
  offbreak target.exe c:\folder\file.dat 0x1234
  offbreak target_process_name c:\folder\file.dat 0x1234,0x1000,0x999
  offbreak target.exe c:\path\file.dat 0x1234,0x1000 c:\path\file2.dat 0,1000
  offbreak -f c:\folder\file.dat 0x1234,0x1000,0x999 c:\target.exe arg1 arg2
  offbreak -f c:\folder\file.dat 0x1234,0x1000,0x999 -D -P target


The best solution with games that use protections and are encrypted is probably:
offbreak -D -P process_name path\file_to_monitor.dat 0xOFFSET
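
The per-read check that a file-offset monitor of this kind has to make, as an added example that is not Offbreak's source code: `parse_offsets`, `io_event` and `match_offset` are hypothetical names, and the sketch assumes the hook already knows the file position, length and buffer of each read. The returned pointer plays the role the help text gives EAX, with `buf` as ESI and `nbytes` as ECX.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a list such as "0x1234,10,0x999" into out[]. Returns the count, or -1
   on a malformed entry or when more than max offsets are given. Base 0 accepts
   hex (0x..) and decimal; note that a leading 0 (e.g. 010) is read as octal. */
int parse_offsets(const char *s, uint64_t *out, int max) {
    int n = 0;
    while (*s) {
        char *end;
        uint64_t v = strtoull(s, &end, 0);
        if (end == s || n >= max) return -1;
        out[n++] = v;
        if (*end == ',') end++;
        else if (*end != '\0') return -1;
        s = end;
    }
    return n;
}

/* One intercepted read: nbytes were read from file position pos into buf. */
typedef struct { uint64_t pos; uint32_t nbytes; const unsigned char *buf; } io_event;

/* Returns the address inside buf of the first watched byte covered by this
   read, or NULL if none is. One offset is one byte, so there are no ranges.
   The subtraction form avoids overflow in pos + nbytes. */
const unsigned char *match_offset(const io_event *ev, const uint64_t *watch, int n) {
    for (int i = 0; i < n; i++) {
        if (watch[i] >= ev->pos && watch[i] - ev->pos < ev->nbytes)
            return ev->buf + (watch[i] - ev->pos);
    }
    return NULL;
}

int main(void) {
    uint64_t watch[8];
    unsigned char buf[0x100] = {0};             /* constructed read buffer */
    int n = parse_offsets("0x1234,0x1000,0x999", watch, 8);
    io_event ev = { 0x1200, sizeof buf, buf };  /* read covers 0x1200..0x12ff */
    const unsigned char *hit = match_offset(&ev, watch, n);
    printf("offsets=%d hit at buf+0x%x\n", n, hit ? (unsigned)(hit - buf) : 0);
    return 0;
}
```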

chrrox, posted Wed Mar 25, 2015 1:51 am (4078)


Is there a plan for x64 offbreak?
It would be very useful for these games because there are not a lot of good x64 debugging programs.

aluigi, posted Wed Mar 25, 2015 9:37 am (4084)


Just released 0.3.1a that should work with 64bit applications (offbreak64).
Let me know if it's all ok.

semory, posted Wed Mar 25, 2015 10:16 pm (4103)


cool, tried 32-bit one and it works great. one question though luigi: what's the difference between using offbreak and just using the debugger with breakpoints set on calls to CreateFile, SetFilePointer, ReadFile, etc.?

thanks

chrrox, posted Thu Mar 26, 2015 1:12 am (4104)


I tried the x64 version and it seemed to work well also.
Do you have any tutorials you have done using offbreak for various things?
Is there a way to break on an area in memory being written to or a certain value passed to something like a hash?

aluigi, posted Thu Mar 26, 2015 4:44 am (4107)


Unfortunately I don't have a tutorial.
Usually it's enough to locate the desired offset (or offsets) with a hex editor and then launch offbreak using the examples at the bottom of the runtime help:
Code:
  offbreak target.exe c:\folder\file.dat 0x1234
  offbreak PID c:\folder\file.dat 0x1234
  offbreak target_process_name c:\folder\file.dat 0x1234,0x1000,0x999
  offbreak -P target_process_name c:\folder\file.dat 0x1234,0x1000,0x999
  offbreak target.exe c:\path\file.dat 0x1234,0x1000 c:\path\file2.dat 0,1000
  offbreak -f c:\folder\file.dat 0x1234,0x1000,0x999 c:\target.exe arg1 arg2
  offbreak -f c:\folder\file.dat 0x1234,0x1000,0x999 -D -P target
Personally I think that the -b -D options are the only semi-mandatory options of the tool because they really make the whole work easy like a joke: -b automatically puts a hardware breakpoint on the first byte of the memory read from the file at the desired offset and -D launches the debugger when the target program reads the offset.
So it's not even necessary to manually start the debugger and place the breakpoint :)

Your second question is about something different, that's a job for a debugger.

chrrox, posted Sat Mar 28, 2015 12:12 am (4152)


How do I launch an exe that needs a parameter with offbreak?
example
working directory
c:\CosmicBreak2\
but I need to launch the game by being in this directory and passing it
programs\cosmic.exe -launch

aluigi, posted Sat Mar 28, 2015 4:41 pm (4173)


offbreak "programs\cosmic.exe -launch" FILE OFFSET

chrrox, posted Sat Mar 28, 2015 6:38 pm (4178)


I get
Code:
- command-line, PID or process name:
  "cosmic.exe -launch"

- change path: programs

- execute:
  "cosmic.exe -launch"

- get pid of process cosmic.exe -launch

Error: The parameter is incorrect.

aluigi, posted Sat Mar 28, 2015 10:31 pm (4184)


Ah ok try:
offbreak -f FILE OFFSET programs\cosmic.exe -launch

Just as-is without "".

chrrox, posted Sat Mar 28, 2015 10:59 pm (4187)


it loaded but it did not combine the commands so the game would not start.

- command-line, PID or process name:
"cosmic" "-launch"

- change path: programs

- execute:
"cosmic" "-launch"

- PID: 20492

aluigi, posted Tue Mar 31, 2015 9:45 pm (4264)


The syntax is correct; in fact I checked it here too by running an editor with a file to load like:
offbreak -f z:\monitor.dat 0x123 xvi32 z:\other_file.dat

In fact in your case offbreak launched the exact arguments you chose.

chrrox, posted Tue Mar 31, 2015 10:27 pm (4268)


It's the - in the command
that is what's throwing it off.
I can run
mygame.exe launch
no problem but I cannot run
mygame.exe -launch

aluigi, posted Wed Apr 01, 2015 7:01 am (4272)


Mah, can you check with procexp what's the command-line reported for the spawned process?

In my tests here the process is created correctly with the provided -option because -f automatically considers everything after the command as an argument without parsing it.

I need to understand and replicate the issue for fixing it.

chrrox, posted Wed Apr 01, 2015 9:24 pm (4295)


It's putting quotes around it.
"cosmic.exe" "-launch"

aluigi, posted Thu Apr 02, 2015 6:33 am (4297)


Ok some programs don't like the quotes, it depends on how they parse the command-line.
0.3.1b released.
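
Why the quotes reported above can matter, as an added example that is not code from Offbreak or from the game: a Windows process receives one command-line string and decides for itself how to split it. `get_arg` and `sees_switch` are hypothetical helpers that model two kinds of target, one splitting on spaces only and one treating `"..."` as grouping (simple cases only, no backslash escapes).

```c
#include <stdio.h>
#include <string.h>

/* Copy argument number idx (0 = program name) of cmdline into out.
   strip_quotes = 0 models a target that splits on spaces and keeps quote
   characters; strip_quotes = 1 models one that treats "..." as grouping.
   Returns 1 if the argument exists, 0 otherwise. */
int get_arg(const char *cmdline, int idx, int strip_quotes, char *out, size_t outsz) {
    const char *p = cmdline;
    if (outsz == 0) return 0;
    for (int cur = 0; ; cur++) {
        size_t n = 0;
        int in_q = 0;
        while (*p == ' ') p++;                 /* skip separators */
        if (!*p) return 0;                     /* ran out of arguments */
        for (; *p && (in_q || *p != ' '); p++) {
            if (*p == '"' && strip_quotes) { in_q = !in_q; continue; }
            if (cur == idx && n + 1 < outsz) out[n++] = *p;
        }
        if (cur == idx) { out[n] = '\0'; return 1; }
    }
}

/* Does the target find the switch it expects as its first argument? */
int sees_switch(const char *cmdline, int strip_quotes, const char *sw) {
    char arg[64];
    return get_arg(cmdline, 1, strip_quotes, arg, sizeof arg) && strcmp(arg, sw) == 0;
}

int main(void) {
    /* Constructed command lines matching the two forms seen in the thread. */
    const char *quoted = "\"cosmic.exe\" \"-launch\"";
    const char *plain  = "cosmic.exe -launch";
    printf("quoted, space-split target: %d\n", sees_switch(quoted, 0, "-launch"));
    printf("quoted, quote-aware target: %d\n", sees_switch(quoted, 1, "-launch"));
    printf("plain,  space-split target: %d\n", sees_switch(plain, 0, "-launch"));
    return 0;
}
```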

rengareng, posted Tue Jul 21, 2015 10:58 am (6495)


Hi Aluigi,
I'm trying to locate the routine of watch_dogs for decompressing loc files.
When I use your tool (offbreak64) with any combination, I get the following crash:
I'm using Windows 7 x64
Code:
Sorun imzası:
  Sorunlu Olay Adı:   APPCRASH
  Uygulama Adı:   watch_dogs.exe
  Uygulama Surumu:   0.1.0.1
  Uygulama Zaman Damgası:   54182752
  Hata Modulu Adı:   offbreak_c48055ae24b3.dll
  Hata Modulu Surumu:   0.0.0.0
  Hata Modulu Zaman Damgası:   551ce066
  Ozel Durum Kodu:   80000003
  Ozel Durum Uzaklıgı:   0000000000005c71
  OS Surumu:   6.1.7601.2.1.0.256.48
  Yerel Kimlik:   1055
  Ek Bilgiler 1:   61ba
  Ek Bilgiler 2:   61bacd73c6517dd22b47429407260070
  Ek Bilgiler 3:   5647
  Ek Bilgiler 4:   56474fa39cb9e3f4dedc209598740bd8
 

aluigi, posted Tue Jul 21, 2015 2:41 pm (6498)


Try to play with the options of the tool.
The -D -3 mix of options is probably the one good for you, it automatically starts the default debugger when the file/offset is read.
Remember to set your preferred debugger as default first (an x64 debugger in your case like windbg or x64dbg and so on because I guess the target is a 64bit program)

rengareng, posted Wed Jul 22, 2015 12:52 pm (6530)


Thank you, I set x64dbg as JIT debugger and used -D -3, it loaded correctly. However, it does not continue from where the function is called.

aluigi, posted Wed Jul 22, 2015 1:40 pm (6533)


That's strange. Do you mean that it raises a particular exception that can't be bypassed or what?
When it breaks maybe put a hardware breakpoint on the data pointed by EAX (the data read from the file), you can even do it automatically with the -b option but sometimes it's better to do it manually.

rengareng, posted Wed Jul 22, 2015 2:25 pm (6539)


It breaks on ntdll.DbgUiRemoteBreakin. When I continue, it goes through offbreak_*.dll

aluigi, posted Wed Jul 22, 2015 2:40 pm (6541)


Exactly that's the expected behaviour :)
There you should have an INT3 with RAX pointing to the data read from the file.
The rest is just normal debugging, if you want to return to the program you must first return from offbreak and from the Windows APIs that have been called for reading the data... but you should not care about that because your interest is the operations made on the data read from the file (hardware bp).

rengareng, posted Fri Jul 24, 2015 1:25 pm (6579)


Thanks, it's really hard to follow assembly. In x64dbg, I cannot put a conditional breakpoint.
I want to set IDA as JIT debugger. I don't know how to do it for 64 bit.
I know the Aedebug registry entry. However, using idaq64 -I1 does not change the entry for x64. It sets the one under the Wow6432Node.
Do you have any knowledge about it?
Or can you suggest a good x64 debugger?

aluigi, posted Fri Jul 24, 2015 4:10 pm (6584)


You need Administrator privileges to do that operation.

If offbreak still loads the old debugger (may happen), check the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger