Offbreak 0.3
-
- Posts: 46
- Joined: Thu Aug 14, 2014 3:29 am
Re: Offbreak 0.3
It breaks on ntdll.DbgUiRemoteBreakin. When I continue, it goes through offbreak_*.dll.
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: Offbreak 0.3
Exactly, that's the expected behaviour.
There you should have an INT3 with RAX pointing to the data read from the file.
The rest is just normal debugging. If you want to return to the program you must first return from offbreak and from the Windows APIs that have been called for reading the data... but you should not care about that, because your interest is the operations made on the data read from the file (hardware bp).
-
- Posts: 46
- Joined: Thu Aug 14, 2014 3:29 am
Re: Offbreak 0.3
Thanks, it's really hard to follow assembly. In x64dbg, I cannot put a conditional breakpoint.
I want to set IDA as JIT debugger. I don't know how to do for 64 bit.
I know the AeDebug registry entry. However, using idaq64 -I1 does not change the entry for x64. It sets the one under Wow6432Node.
Do you have any knowledge about it?
Or can you suggest a good x64 debugger?
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: Offbreak 0.3
You need Administrator privileges to do that operation.
If offbreak still loads the old debugger (may happen), check the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
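As an added example (not code from the thread or from offbreak), a PowerShell function that reads the Debugger value from both AeDebug keys named above through explicit registry views, so the result is the same whether the shell itself is 32- or 64-bit; the function name is my own.

```powershell
# Added example: show which JIT debugger each process bitness will launch.
# A 32-bit tool writing to HKLM\SOFTWARE\...\AeDebug is redirected by WOW64
# to the Wow6432Node key, which is why the native 64-bit entry can stay unchanged.
# Reading works unelevated; changing the values needs an elevated shell.
function Get-AeDebugDebugger {
    [CmdletBinding()]
    param()
    $subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
    $views = @([Microsoft.Win32.RegistryView]::Registry64,
               [Microsoft.Win32.RegistryView]::Registry32)
    foreach ($view in $views) {
        # OpenBaseKey with an explicit view bypasses WOW64 redirection:
        # Registry32 maps to HKLM\SOFTWARE\Wow6432Node\...\AeDebug.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key = $null
        $debugger = $null
        try {
            $key = $hklm.OpenSubKey($subKey)
            if ($key) { $debugger = $key.GetValue('Debugger') }
            [pscustomobject]@{
                View     = $view          # Registry64 = native x64, Registry32 = Wow6432Node
                Debugger = $debugger      # $null means the key or value is missing
            }
        } finally {
            if ($key) { $key.Close() }
            $hklm.Close()
        }
    }
}

# Print both views side by side; mismatched entries explain why the old debugger
# still gets launched for one process bitness.
Get-AeDebugDebugger | Format-Table -AutoSize
```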