ZenHAX
http://zenhax.com/

Offbreak 0.3
http://zenhax.com/viewtopic.php?f=17&t=277
Page 2 of 2

Author:  rengareng [ Wed Jul 22, 2015 2:25 pm ]
Post subject:  Re: Offbreak 0.3

It breaks on ntdll.DbgUiRemoteBreakin. When I continue, it go through offbreak_*.dll

Author:  aluigi [ Wed Jul 22, 2015 2:40 pm ]
Post subject:  Re: Offbreak 0.3

Exactly that's the expected behaviour :)
There you should have an INT3 with RAX pointing to the data read from the file.
The rest is just normal debugging, if you want to return to the program you must first return from offbreak and from the Windows APIs that have been called for reading the data... but you should not care about that because your interest are the operations made on the data read from the file (hardware bp).

Author:  rengareng [ Fri Jul 24, 2015 1:25 pm ]
Post subject:  Re: Offbreak 0.3

thanks, it's really hard to follow assembly. In x64dbg, I cannot put conditional breakpoint.
I want to set IDA as JIT debugger. I don't know how to do for 64 bit.
I know the Aedebug registry entry. However, using idaq64 -I1, does not change entry for x64. It sets for the one under the Wow6432Node.
Do you have any knowledge about it?
Or can you suggest a good x64 debugger?

Author:  aluigi [ Fri Jul 24, 2015 4:10 pm ]
Post subject:  Re: Offbreak 0.3

You need Administrator privileges to do that operation.

If offbreak still loads the old debugger (may happen), check the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

Page 2 of 2 All times are UTC
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/