ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com

All times are UTC




 Post subject: Offbreak 0.3
PostPosted: Tue Oct 21, 2014 10:44 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7126
http://aluigi.org/mytoolz.htm#offbreak

Finally I have released the new version of Offbreak.

The following is the information from the homepage and the runtime help:
Code:
tool that monitors the offsets of specific files read and written by a target program and breaks its execution for debugging it.
Offbreak can set an INT3, set a hardware and software breakpoint, automatically attach the system debugger and display a MessageBox when the monitored files and offsets are handled by the target.
to make the debugging easier, Offbreak sets some registers to show the buffer containing the data read/written, the amount of bytes in the operation, the name of the API and the full name of the file.
additional information is available at runtime.

Code:
Offbreak 0.3
by Luigi Auriemma
e-mail: me@aluigi.org
web:    aluigi.org


Usage: offbreak [options] <cmd/PID/proc> [file] [offsets] ... [file] [offsets]

Options:
-f F O   alternative way to specify the file and offsets, you can use it
         multiple times for each file you want to monitor and it's useful
         if you want to specify arguments for your command to execute,
         O can be a single offset or a sequence like 0x123,10,0x00112233445566
-P       force the handling of the cmd argument as a process name, that's done
         by default if doesn't exist a command to execute and it's not a pid
-K F     get other Offbreak options from the file F, they can be written one
         per line or all on the same line and so on

Offbreak DLL options, when the files/offsets are catched:
-3       toggle INT3 on success (default on)
-b       toggle hardware memory breakpoint (default off)
-s       toggle software memory breakpoint on whole page (default off)
-D       attach the default system debugger (AEDEBUG) on success
-m       display a MessageBox (before INT3) on success

Verbose options:
-v       verbose debugging of Offbreak DLL, used only for testing
-q       quiet, no usage of OutputDebugString
-t       toggle debug trace file .\offbreak_%08x_%u.log (default off)

Other options:
-p       no suspend mode, use in case you get immediate crashes
-d       attach default system debugger (AEDEBUG) when the command is launched
-0       no injection, launch the target program without any action

Information:
  The comparison of the monitored filename with the accessed one is based on
  the name you specify, the tool supports both relative and absolute paths
  without checking the drive letter, so feel free to specify just the name of
  the file or its partial or full path.
  It's not possible to specify a "range" to monitor, one offset is one byte.
  Information about the status of the Offbreak DLL are visible inside the
  debugger or with DebugView due to the usage of OutputDebugString, check
  the *** pattern.
  This build works only with 32bit targets.

Values in the registers when the files/offsets are catched:
  EAX    exact point of the memory where the data to monitor is located
  ECX    amount of bytes to read/write requested by the monitored API
  EDX    name of the monitored API
  EBX    name of the file
  ESI    beginning of the buffer that contains the monitored data (EAX)

Examples:
  offbreak target.exe c:\folder\file.dat 0x1234
  offbreak target_process_name c:\folder\file.dat 0x1234,0x1000,0x999
  offbreak target.exe c:\path\file.dat 0x1234,0x1000 c:\path\file2.dat 0,1000
  offbreak -f c:\folder\file.dat 0x1234,0x1000,0x999 c:\target.exe arg1 arg2
  offbreak -f c:\folder\file.dat 0x1234,0x1000,0x999 -D -P target


The best solution for games that use protections and are encrypted is probably:
offbreak -D -P process_name path\file_to_monitor.dat 0xOFFSET

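The core of what the runtime help above describes, as an added illustration that is not Offbreak's own code: parse an offset list in the help's syntax (hex or decimal, comma separated), then, for each read the hooked API would see, decide whether any monitored offset falls inside [file position, file position + length) and compute the address of that byte inside the caller's buffer (the EAX / ESI / ECX convention listed under "Values in the registers"). The sequential-read loop, the fake file contents and all function names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OFFSETS 64

/* Parse an Offbreak-style offset list such as "0x123,10,0x00112233445566".
 * strtoull with base 0 accepts both the 0x-prefixed hex and the plain
 * decimal forms shown in the runtime help. Returns the number of offsets
 * stored in out[], or -1 if a token is not a number or max is exceeded. */
int parse_offsets(const char *spec, uint64_t *out, int max) {
    int n = 0;
    const char *p = spec;
    while (*p) {
        char *end;
        uint64_t v = strtoull(p, &end, 0);
        if (end == p || n >= max) return -1;   /* no digits, or too many */
        out[n++] = v;
        if (*end == ',') end++;                /* separator: keep going */
        else if (*end != '\0') return -1;      /* junk after the number */
        p = end;
    }
    return n;
}

/* One read or write as an API hook would observe it: the file position
 * before the call, the caller's buffer and the byte count requested. */
typedef struct {
    uint64_t file_pos;
    const unsigned char *buf;   /* beginning of the buffer (ESI in the help) */
    uint32_t len;               /* amount requested (ECX) */
} io_op_t;

/* Address of the monitored byte inside the buffer (EAX in the help).
 * Only meaningful after match_offsets() reported that off is inside op. */
const unsigned char *data_ptr(const io_op_t *op, uint64_t off) {
    return op->buf + (off - op->file_pos);
}

/* Collect every monitored offset touched by this operation. One offset is
 * one byte (no ranges), so each test is a half-open interval check
 * [file_pos, file_pos + len). Returns how many indices were written. */
int match_offsets(const io_op_t *op, const uint64_t *offs, int n,
                  int *hits, int max_hits) {
    int count = 0;
    for (int i = 0; i < n && count < max_hits; i++) {
        if (offs[i] >= op->file_pos && offs[i] - op->file_pos < op->len)
            hits[count++] = i;
    }
    return count;
}

/* Constructed demo: a fake file of file_size bytes, whose byte at position
 * i is (i & 0xff), read front to back in chunk-byte reads the way a loader
 * looping over ReadFile would. Prints a line per matched offset and returns
 * how many reads touched at least one monitored offset (-1 on a bad spec). */
int simulate_sequential_reads(const char *spec, uint64_t file_size,
                              uint32_t chunk) {
    uint64_t offs[MAX_OFFSETS];
    int n = parse_offsets(spec, offs, MAX_OFFSETS);
    if (n < 0 || chunk == 0) return -1;

    unsigned char *file = malloc(file_size);
    if (!file) return -1;
    for (uint64_t i = 0; i < file_size; i++) file[i] = (unsigned char)i;

    int reads_hit = 0;
    for (uint64_t pos = 0; pos < file_size; pos += chunk) {
        uint64_t left = file_size - pos;
        io_op_t op = { pos, file + pos, (uint32_t)(left < chunk ? left : chunk) };
        int hits[MAX_OFFSETS];
        int c = match_offsets(&op, offs, n, hits, MAX_OFFSETS);
        if (c == 0) continue;
        reads_hit++;
        for (int k = 0; k < c; k++) {
            uint64_t off = offs[hits[k]];
            const unsigned char *p = data_ptr(&op, off);
            printf("read pos=0x%llx len=0x%x hit offset 0x%llx: "
                   "byte 0x%02x at buf+0x%llx\n",
                   (unsigned long long)op.file_pos, op.len,
                   (unsigned long long)off, *p,
                   (unsigned long long)(p - op.buf));
        }
    }
    free(file);
    return reads_hit;
}

int main(void) {
    /* Same offsets as the help's second example, on a constructed 8 KiB file
     * read in 1 KiB chunks: 0x999 lands in the third read, 0x1000 and 0x1234
     * both land in the fifth. */
    int hits = simulate_sequential_reads("0x1234,0x1000,0x999", 0x2000, 0x400);
    printf("%d reads touched a monitored offset\n", hits);
    return hits < 0;
}
```

This is also the difference between a plain API breakpoint and what the tool does: a breakpoint on ReadFile fires on every call, whereas the interval check above only fires on the call whose range actually covers the byte you care about, and it tells you where in the buffer that byte sits.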

 Post subject: Re: Offbreak 0.3
PostPosted: Wed Mar 25, 2015 1:51 am 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 132
Is there a plan for x64 offbreak?
It would be very useful for these games because there are not a lot of good x64 debugging programs.


 Post subject: Re: Offbreak 0.3
PostPosted: Wed Mar 25, 2015 9:37 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7126
Just released 0.3.1a that should work with 64bit applications (offbreak64).
Let me know if it's all ok.


 Post subject: Re: Offbreak 0.3
PostPosted: Wed Mar 25, 2015 10:16 pm 

Joined: Fri Aug 08, 2014 6:29 am
Posts: 5
Cool, tried the 32-bit one and it works great. One question though, Luigi: what's the difference between using offbreak and just using the debugger with breakpoints set on calls to CreateFile, SetFilePointer, ReadFile, etc.?

thanks


 Post subject: Re: Offbreak 0.3
PostPosted: Thu Mar 26, 2015 1:12 am 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 132
I tried the x64 version and it seemed to work well also.
Do you have any tutorials you have done using offbreak for various things?
Is there a way to break on an area in memory being written to, or a certain value passed to something like a hash?


 Post subject: Re: Offbreak 0.3
PostPosted: Thu Mar 26, 2015 4:44 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7126
Unfortunately I don't have a tutorial.
Usually it's enough to locate the desired offset (or offsets) with a hex editor and then launch offbreak using the examples at the bottom of the runtime help:
Code:
  offbreak target.exe c:\folder\file.dat 0x1234
  offbreak PID c:\folder\file.dat 0x1234
  offbreak target_process_name c:\folder\file.dat 0x1234,0x1000,0x999
  offbreak -P target_process_name c:\folder\file.dat 0x1234,0x1000,0x999
  offbreak target.exe c:\path\file.dat 0x1234,0x1000 c:\path\file2.dat 0,1000
  offbreak -f c:\folder\file.dat 0x1234,0x1000,0x999 c:\target.exe arg1 arg2
  offbreak -f c:\folder\file.dat 0x1234,0x1000,0x999 -D -P target
Personally I think that the -b -D options are the only semi-mandatory options of the tool because they really make the whole work easy like a joke: -b automatically puts a hardware breakpoint on the first byte of the memory read from the file at the desired offset and -D launches the debugger when the target program reads the offset.
So it's not even necessary to manually start the debugger and place the breakpoint :)

Your second question is about something different, that's a job for a debugger.


 Post subject: Re: Offbreak 0.3
PostPosted: Sat Mar 28, 2015 12:12 am 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 132
How do I launch an exe that needs a parameter with offbreak?
Example:
working directory
c:\CosmicBreak2\
but I need to launch the game by being in this directory and passing it
programs\cosmic.exe -launch


 Post subject: Re: Offbreak 0.3
PostPosted: Sat Mar 28, 2015 4:41 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7126
offbreak "programs\cosmic.exe -launch" FILE OFFSET


 Post subject: Re: Offbreak 0.3
PostPosted: Sat Mar 28, 2015 6:38 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 132
I get
Code:
- command-line, PID or process name:
  "cosmic.exe -launch"

- change path: programs

- execute:
  "cosmic.exe -launch"

- get pid of process cosmic.exe -launch

Error: The parameter is incorrect.


 Post subject: Re: Offbreak 0.3
PostPosted: Sat Mar 28, 2015 10:31 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7126
Ah ok try:
offbreak -f FILE OFFSET programs\cosmic.exe -launch

Just as-is without "".


 Post subject: Re: Offbreak 0.3
PostPosted: Sat Mar 28, 2015 10:59 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 132
It loaded, but it did not combine the commands, so the game would not start.

- command-line, PID or process name:
"cosmic" "-launch"

- change path: programs

- execute:
"cosmic" "-launch"

- PID: 20492


 Post subject: Re: Offbreak 0.3
PostPosted: Tue Mar 31, 2015 9:45 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7126
The syntax is correct; in fact I checked it here too by running an editor with a file to load, like:
offbreak -f z:\monitor.dat 0x123 xvi32 z:\other_file.dat

In fact, in your case offbreak launched the exact arguments you chose.


 Post subject: Re: Offbreak 0.3
PostPosted: Tue Mar 31, 2015 10:27 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 132
It's the - in the command that is what's throwing it off.
I can run
mygame.exe launch
no problem, but I cannot run
mygame.exe -launch


 Post subject: Re: Offbreak 0.3
PostPosted: Wed Apr 01, 2015 7:01 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7126
Mah, can you check with procexp what's the command-line reported for the spawned process?

In my tests here the process is created correctly with the provided -option because -f automatically considers everything after the command as an argument without parsing it.

I need to understand and replicate the issue for fixing it.


 Post subject: Re: Offbreak 0.3
PostPosted: Wed Apr 01, 2015 9:24 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 132
It's putting quotes around it.
"cosmic.exe" "-launch"


 Post subject: Re: Offbreak 0.3
PostPosted: Thu Apr 02, 2015 6:33 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7126
Ok, some programs don't like the quotes; it depends on how they parse the command-line.
0.3.1b released.

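One way to see why the quoting matters, as an added example that is not part of the thread or of Offbreak: a minimal Windows-style argv splitter (whitespace and double quotes only; backslash escaping is left out by assumption) beside two hypothetical ways a program might look for its -launch switch. The argv-based check accepts both spellings; the raw-string check, standing in for a hand-rolled parser that inspects the unsplit command line, fails on the quoted form reported above. The function names and both command lines are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal argv splitter covering the two rules every Windows CRT follows:
 * whitespace separates arguments and a double-quoted run is one argument
 * with the quotes dropped. Backslash escaping is deliberately omitted
 * (assumption: the command lines in this thread contain none).
 * Fills argv[] with heap copies and returns argc; the caller frees them. */
int split_cmdline(const char *cmd, char **argv, int max) {
    int argc = 0;
    const char *p = cmd;
    while (*p && argc < max) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p) break;
        char *arg = malloc(strlen(p) + 1);
        size_t n = 0;
        int inq = 0;
        while (*p && (inq || (*p != ' ' && *p != '\t'))) {
            if (*p == '"') { inq = !inq; p++; continue; }   /* quotes vanish */
            arg[n++] = *p++;
        }
        arg[n] = '\0';
        argv[argc++] = arg;
    }
    return argc;
}

void free_argv(char **argv, int argc) {
    for (int i = 0; i < argc; i++) free(argv[i]);
}

/* Robust check: look for the switch among the parsed arguments. Quotes
 * around "-launch" make no difference here. Returns 1 if present. */
int has_switch_argv(const char *cmd, const char *sw) {
    char *argv[16];
    int argc = split_cmdline(cmd, argv, 16);
    int found = 0;
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], sw) == 0) found = 1;
    free_argv(argv, argc);
    return found;
}

/* Fragile check (a hypothetical hand-rolled parser): expects the raw
 * command line to end with " -launch". A trailing quote breaks it. */
int has_switch_raw(const char *cmd, const char *sw) {
    size_t cl = strlen(cmd), sl = strlen(sw);
    return cl > sl && cmd[cl - sl - 1] == ' ' && strcmp(cmd + cl - sl, sw) == 0;
}

int main(void) {
    /* Constructed inputs: the argument passed as-is, and the per-argument
     * quoting the thread reports for 0.3.1a. */
    const char *plain  = "cosmic.exe -launch";
    const char *quoted = "\"cosmic.exe\" \"-launch\"";
    printf("argv check : plain=%d quoted=%d\n",
           has_switch_argv(plain, "-launch"), has_switch_argv(quoted, "-launch"));
    printf("raw check  : plain=%d quoted=%d\n",
           has_switch_raw(plain, "-launch"), has_switch_raw(quoted, "-launch"));
    return 0;
}
```

The practical lesson for anything that spawns a target with arguments is the one 0.3.1b applies: only quote an argument when it actually contains whitespace, so that programs reading the raw command line see what the user typed.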

 Post subject: Re: Offbreak 0.3
PostPosted: Tue Jul 21, 2015 10:58 am 

Joined: Thu Aug 14, 2014 3:29 am
Posts: 5
Hi Aluigi,
I'm trying to locate the routine of watch_dogs for decompressing loc files.
When I use your tool (offbreak64) with any combination, I get the following crash.
I'm using Windows 7 x64.
Code:
Sorun imzası:
  Sorunlu Olay Adı:   APPCRASH
  Uygulama Adı:   watch_dogs.exe
  Uygulama Sürümü:   0.1.0.1
  Uygulama Zaman Damgası:   54182752
  Hata Modülü Adı:   offbreak_c48055ae24b3.dll
  Hata Modülü Sürümü:   0.0.0.0
  Hata Modülü Zaman Damgası:   551ce066
  Özel Durum Kodu:   80000003
  Özel Durum Uzaklığı:   0000000000005c71
  OS Sürümü:   6.1.7601.2.1.0.256.48
  Yerel Kimlik:   1055
  Ek Bilgiler 1:   61ba
  Ek Bilgiler 2:   61bacd73c6517dd22b47429407260070
  Ek Bilgiler 3:   5647
  Ek Bilgiler 4:   56474fa39cb9e3f4dedc209598740bd8
 


 Post subject: Re: Offbreak 0.3
PostPosted: Tue Jul 21, 2015 2:41 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7126
Try to play with the options of the tool.
The -D -3 mix of options is probably the good one for you; it automatically starts the default debugger when the file/offset is read.
Remember to set your preferred debugger as default first (an x64 debugger in your case, like windbg or x64dbg and so on, because I guess the target is a 64bit program).


 Post subject: Re: Offbreak 0.3
PostPosted: Wed Jul 22, 2015 12:52 pm 

Joined: Thu Aug 14, 2014 3:29 am
Posts: 5
Thank you, I set x64dbg as JIT debugger and used -D -3, it loaded correctly. However, it does not continue from where the function is called.


 Post subject: Re: Offbreak 0.3
PostPosted: Wed Jul 22, 2015 1:40 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7126
That's strange. Do you mean that it raises a particular exception that can't be bypassed, or what?
When it breaks, maybe put a hardware breakpoint on the data pointed to by EAX (the data read from the file); you can even do it automatically with the -b option, but sometimes it's better to do it manually.

