Finally I have released the new version of Offbreak.
The following are the information coming from the homepage and the runtime help:
tool that monitors the offsets of specific files read and written by a target program and breaks its execution for debugging it.
Offbreak can set an INT3, set an hardware and software breakpoint, automatically attach the system debugger and display a MessageBox when the monitored files and offsets are handled by the target.
to make the debugging more easy, Offbreak sets some registers to show the buffer containing the data read/written, the amount of bytes in the operation, name of the API and full name of the file.
additional information are available at runtime.
by Luigi Auriemma
Usage: offbreak [options] <cmd/PID/proc> [file] [offsets] ... [file] [offsets]
-f F O alternative way to specify the file and offsets, you can use it
multiple times for each file you want to monitor and it's useful
if you want to specify arguments for your command to execute,
O can be a single offset or a sequence like 0x123,10,0x00112233445566
-P force the handling of the cmd argument as a process name, that's done
by default if doesn't exist a command to execute and it's not a pid
-K F get other Offbreak options from the file F, they can be written one
per line or all on the same line and so on
Offbreak DLL options, when the files/offsets are catched:
-3 toggle INT3 on success (default on)
-b toggle hardware memory breakpoint (default off)
-s toggle software memory breakpoint on whole page (default off)
-D attach the default system debugger (AEDEBUG) on success
-m display a MessageBox (before INT3) on success
-v verbose debugging of Offbreak DLL, used only for testing
-q quiet, no usage of OutputDebugString
-t toggle debug trace file .\offbreak_%08x_%u.log (default off)
-p no suspend mode, use in case you get immediate crashes
-d attach default system debugger (AEDEBUG) when the command is launched
-0 no injection, launch the target program without any action
The comparison of the monitored filename with the accessed one is based on
the name you specify, the tool supports both relative and absolute paths
without checking the drive letter, so feel free to specify just the name of
the file or its partial or full path.
It's not possible to specify a "range" to monitor, one offset is one byte.
Information about the status of the Offbreak DLL are visible inside the
debugger or with DebugView due to the usage of OutputDebugString, check
the *** pattern.
This build works only with 32bit targets.
Values in the registers when the files/offsets are catched:
EAX exact point of the memory where the data to monitor is located
ECX amount of bytes to read/write requested by the monitored API
EDX name of the monitored API
EBX name of the file
ESI beginning of the buffer that contains the monitored data (EAX)
offbreak target.exe c:\folder\file.dat 0x1234
offbreak target_process_name c:\folder\file.dat 0x1234,0x1000,0x999
offbreak target.exe c:\path\file.dat 0x1234,0x1000 c:\path\file2.dat 0,1000
offbreak -f c:\folder\file.dat 0x1234,0x1000,0x999 c:\target.exe arg1 arg2
offbreak -f c:\folder\file.dat 0x1234,0x1000,0x999 -D -P target
The best solution with games that use protections and are encrypted, is probably:
offbreak -D -P process_name path\file_to_monitor.dat 0xOFFSET