QuickBMS experimental debugging feature
Posted: Wed Mar 06, 2013 11:47 am
I have just released a new version of QuickBMS (0.5.17) with an experimental feature added to get the key from the Simraceway game process.
It's just a simple debugger that breaks when there is a breakpoint or an exception and automatically creates variables containing the x86 registers (so yes you can use print "%EAX%").
It's really very basic and implemented on the fly to help the people who were contacting me about Simraceway but currently the idea works and I can improve it in the next months.
Example script:
# take the image base of the module
savepos OFFSET
# relative offset of the function in the module
math OFFSET += 0x00001122
# or we can just search the instructions of the function
findloc OFFSET string "\x55\x8B\xEC\x8B\x55\x0C\x0F\xB6\x0A"
# set breakpoint
goto OFFSET
put 0xcc byte
# yeah the following cycle takes some cpu, there is no sleep/wait in quickbms
# wait till breakpoint
for EIP = 0 == 0
# do nothing
next
# debug purpose
print "EAX %eax|x%\nEBX %ebx|x%\nECX %ecx|x%\nEDX %edx|x%\nESI %esi|x%\nEDI %edi|x%\nEBP %ebp|x%\nESP %esp|x%\nEIP %eip|x%"
# get the stack arguments
goto ESP
get RET_ADDR long
get ARG1 long
get ARG2 long
get ARG3 long
# read the content of the second argument, maybe a string or data
goto ARG2
getdstring KEY 32

When the game is running, or maybe just after it has been launched, just execute the following command:
quickbms.exe -p simraceway_getkey.bms process://PROCESS_NAME/debug

where PROCESS_NAME is replaced with the name of the game.
QuickBMS also allows you to specify the exact module if the function you want to monitor is not in the executable: process://PROCESS_NAME:MODULE_NAME/debug
I hope you like the idea, but at the moment if you insert a breakpoint then you can't change it back and re-execute the code... oh well, maybe in the next version :)
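To make the script's mechanics concrete, here is an added Python example (not part of the post and not QuickBMS code) that replays the same steps over constructed data: it searches a fake 32-bit module image for the prologue bytes, computes base + offset, overwrites the first byte with 0xCC, and then decodes the stack the way the script does at the breakpoint (return address at ESP, then the three arguments, then the 32 bytes pointed to by the second argument). IMAGE_BASE, ESP, KEY_ADDR, the module bytes and the key contents are all hypothetical values chosen for the example; the stack layout assumes a cdecl/stdcall function whose arguments are pushed on the stack, which is what the script's `goto ESP` / `get ... long` sequence relies on.

```python
import struct

# Constructed sample data (not taken from any real game): a fake 32-bit module
# image whose function starts with the same prologue bytes the script searches
# for: push ebp / mov ebp,esp / mov edx,[ebp+0xc] / movzx ecx,byte [edx].
PROLOGUE = b"\x55\x8B\xEC\x8B\x55\x0C\x0F\xB6\x0A"
IMAGE_BASE = 0x00400000                      # hypothetical module base
MODULE_IMAGE = b"\x90" * 0x1122 + PROLOGUE + b"\xC3" + b"\x00" * 16


def findloc(image: bytes, pattern: bytes) -> int:
    """Same idea as the script's findloc: offset of the first match, or -1."""
    return image.find(pattern)


def breakpoint_address(image_base: int, image: bytes, pattern: bytes) -> int:
    """Absolute address of the function entry = module base + relative offset
    (the script does the same with savepos OFFSET / math OFFSET += ...)."""
    offset = findloc(image, pattern)
    if offset < 0:
        raise ValueError("function prologue not found in module image")
    return image_base + offset


def patch_int3(image: bytes, offset: int) -> bytes:
    """'put 0xcc byte': overwrite the first byte of the instruction with int3.
    The original byte (0x55, push ebp) is not saved anywhere, which is why the
    post says the breakpoint cannot be undone and execution resumed."""
    return image[:offset] + b"\xCC" + image[offset + 1:]


# Constructed snapshot of process memory as the debugger would see it when the
# int3 fires. Because int3 replaced 'push ebp', the frame has not been set up
# yet, so ESP still points at the return address pushed by the caller.
ESP = 0x0019FF20                             # hypothetical stack pointer
KEY_ADDR = 0x00510000                        # hypothetical heap address of the key
MEMORY = {
    ESP: struct.pack("<IIII", 0x00401337, 1, KEY_ADDR, 32),   # ret, arg1, arg2, arg3
    KEY_ADDR: b"0123456789abcdef0123456789abcdef",            # constructed 32-byte key
}


def read_memory(memory: dict, addr: int, size: int) -> bytes:
    """Read `size` bytes at `addr` from the constructed memory map."""
    for base, data in memory.items():
        if base <= addr and addr + size <= base + len(data):
            start = addr - base
            return data[start:start + size]
    raise ValueError(f"unmapped read at {addr:#010x}")


def stack_args(memory: dict, esp: int, nargs: int = 3):
    """'goto ESP; get RET_ADDR long; get ARG1 long; ...' as one unpack.
    Returns (return_address, [arg1, arg2, ...]) as little-endian 32-bit values."""
    raw = read_memory(memory, esp, 4 * (nargs + 1))
    ret, *args = struct.unpack("<" + "I" * (nargs + 1), raw)
    return ret, list(args)


def extract_key(memory: dict, esp: int, key_len: int = 32) -> bytes:
    """'goto ARG2; getdstring KEY 32': follow the second argument as a pointer."""
    _ret, (_arg1, arg2, _arg3) = stack_args(memory, esp, 3)
    return read_memory(memory, arg2, key_len)


if __name__ == "__main__":
    bp = breakpoint_address(IMAGE_BASE, MODULE_IMAGE, PROLOGUE)
    print(f"breakpoint at {bp:#010x}")
    ret, args = stack_args(MEMORY, ESP)
    print(f"RET_ADDR {ret:#010x} ARGS {[f'{a:#x}' for a in args]}")
    print("KEY", extract_key(MEMORY, ESP))
```

The memory map is a stand-in for the live process the QuickBMS `process://` backend reads; the same arithmetic (base + offset, ESP + 4*n) is what the script performs in place, and the `patch_int3` docstring records the limitation the post mentions.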