How do I work with the tools?
[Cracking 4 Newbies]

Before starting!
This essay is for knowledge purposes only!!
Software developers spend much time in making their programs. They live from the money we give them!
Please buy good software!!

I. SoftICE
God, it is a beautiful debugger :) Press CTRL-D and go see it! Press CTRL-D again to get back here... yeah, it looks like some old-fashioned DOS program, but believe me, once you learn how to work with it you start to appreciate its power!
If you downloaded my configuration file (winice.dat), SoftICE looks like this, starting from the top: register window, locals window, data window, code window and input window. There are also the watch and the stack window, but I don't use them. Here are the commands to enable/disable the windows (you have to type them in the input window at the bottom and press enter):
  • WC: enable/disable code window
  • WD: enable/disable data window
  • WF: enable/disable stack window
  • WL: enable/disable locals window
  • WR: enable/disable register window
  • WW: enable/disable watch window

Okay, the next thing you have to learn is setting breakpoints. A breakpoint is a place in a program where that program stops running. What are they used for? Okay, try to follow me: imagine you have a program, you enter a (wrong) serial and the program displays a messagebox with the text: "Invalid serial number!". To crack the program, you need to know where the comparison between your serial and the real serial number is made. Since the code of a program is very big, it would be an impossible job to just go and look for that procedure by hand. It would take months, if not years, to find it! Now, if you set a breakpoint at the messagebox, it's obvious that somewhere before that messagebox the comparison between your serial and the real serial is made! So to set the breakpoint you'd have to type (in the input window): bpx messageboxa
If you are a total newbie I can imagine you don't understand a thing. Don't bother for now; it's only important that you can set a breakpoint. Okay, let's do that! Press CTRL-D (SoftICE pops up), type in: bpx messageboxa, press CTRL-D. If now any program you start shows a messagebox, SoftICE will pop up; in the lower right corner of SoftICE you will see what program SoftICE is tracing (in this case the program that showed the messagebox). To clear the breakpoint you've just set, type: bc *
MessageBoxA is the 32-bit Windows call that draws a message box window. If you're a programmer: it equals a procedure or function in Pascal / C(++) / Assembler. MessageBox (without the "a") is the 16-bit version used by 16-bit programs. Of course there are lots of those calls, like: getdlgitemtexta, getwindowtexta, showwindow, updatewindow, etc.
All procedures we need to crack are mostly located in KERNEL32.DLL, USER32.DLL and GDI32.DLL. These are library files, like you have .TPU files in Pascal, or .H files in C(++).
That's it about breakpoints. Btw, there are many other breakpoint types than "bpx" (= break on execution). Examples: bpm, bpr, bmsg. We'll discuss them later when we actually need them.
The next thing you have to know is how to dump a register or memory location. The syntax (without the quotes of course...): "d register". So to display the eax register you'd have to type: "d eax". Memory addresses are displayed the same way. Ex.: "d 130501".
Okay, the last fundamental point is tracing through the code. This is done with F10 (step over) or F8 (trace into). Open SoftICE (CTRL-D) and press F10 a few times. You'll see that the red bar (if you use my config) moves down, i.e. instructions are being executed. When using F10, you'll see that the red bar steps over CALL procedures. If you want to trace into those procedures you have to press F8.
Other useful keys are: F12=execute until the end of the procedure, F4=view current status of the screen.
Oh yeah, before I (or you) forget: you can disable SoftICE by "REM-ing" the activation line in your autoexec.bat.

Note: there are many other possibilities with SoftICE but you can only learn them when they are needed. If you really want to know everything about SoftICE: read the guide that's included with it!
For problems concerning SoftICE, you can get information on the irc channel #cracking4newbies on EFNet.

II. w32dasm

Yes, this is a very powerful (yet easy-to-use) disassembler and debugger for 16/32-bit programs. It's really easy to use and has a clean and smooth layout. Fire up W32DSM! You'll see some menus and 20 buttons. You can almost completely control W32DSM with those 20 buttons. Hold your mouse on a button and wait a second... a little yellow box appears that tells you what that specific button does. At this point only 2 buttons are clickable.
Ok, let's disassemble a file. Just take any executable you want, but be sure it is a 32-bit program that is NOT TOO BIG (!!!). The smaller it is, the less time it will take to disassemble. Choose a file by clicking the leftmost button. When the file is disassembled, you can save the text by clicking the second button. That way you don't have to disassemble the file time after time!
Now scroll to somewhere in the code and search for a "jmp" instruction. Go stand on it (with the green bar) with the help of your cursor keys :) You'll see that a button lights up. Click on it and you will see you've jumped to the place the program would jump to. Click on the button to the right of the jump button to return to where you came from. There's also a button for "call" instructions.
Very important are the string references. String references are strings like: "Invalid registration" or "Thank you for registering!", etc. You can see them by clicking the second-to-last button. When you double-click on a string, W32DSM places the cursor on the place where that string is used in the dead listing.
Also very important: notice the "@Offset xxxxxxxxh" at the bottom of your screen. The "xxxxxxxx" is the file offset of the code that's highlighted with the green bar. You'll need it to find the same bytes in a hex editor.
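The "@Offset" value W32DSM prints is a file offset, while the addresses in the listing are virtual addresses; the translation between the two comes from the PE section table. The following is an added example, not part of the original essay and not W32DSM's own code: it parses a constructed (hypothetical, not from any real program) 32-bit section table and maps a virtual address to the offset a hex editor would use, which is the same bookkeeping a malware analyst does when relating a disassembly to the bytes on disk. The names IMAGE_BASE, CONSTRUCTED_SECTIONS and the helper functions are assumptions made here.

```python
import struct

# Layout of one IMAGE_SECTION_HEADER (40 bytes, little-endian): Name[8],
# VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40

# Constructed section table for a hypothetical 32-bit PE (not taken from any
# real program): (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
# .data has 0x1000 bytes of virtual-only (zero-filled) tail with no bytes on disk.
IMAGE_BASE = 0x00400000
CONSTRUCTED_SECTIONS = [
    (b".text",  0x0000F000, 0x00001000, 0x0000F000, 0x00000400),
    (b".rdata", 0x00002000, 0x00010000, 0x00002000, 0x0000F400),
    (b".data",  0x00001800, 0x00012000, 0x00000800, 0x00011400),
]


def build_section_table(sections):
    """Pack the constructed entries into raw IMAGE_SECTION_HEADER bytes."""
    table = b""
    for name, vsize, vaddr, rawsize, rawptr in sections:
        table += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                             vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0,
                             0x60000020)  # characteristics: code|execute|read
    return table


def parse_section_table(raw, count):
    """Unpack `count` section headers from raw bytes into dicts."""
    headers = []
    for i in range(count):
        chunk = raw[i * SECTION_HEADER_SIZE:(i + 1) * SECTION_HEADER_SIZE]
        f = struct.unpack(SECTION_HEADER_FMT, chunk)
        headers.append({"name": f[0].rstrip(b"\0").decode("ascii"),
                        "vsize": f[1], "vaddr": f[2],
                        "rawsize": f[3], "rawptr": f[4]})
    return headers


def va_to_file_offset(va, headers, image_base=IMAGE_BASE):
    """Map a virtual address (as shown in the disassembler) to a file offset
    (as used in a hex editor). Returns None when the address is outside every
    section or lies in a section's virtual-only tail, which has no bytes on disk."""
    rva = va - image_base
    for h in headers:
        span = max(h["vsize"], h["rawsize"])
        if h["vaddr"] <= rva < h["vaddr"] + span:
            delta = rva - h["vaddr"]
            if delta >= h["rawsize"]:
                return None
            return h["rawptr"] + delta
    return None


def file_offset_to_va(offset, headers, image_base=IMAGE_BASE):
    """The reverse mapping: which virtual address does a file offset load at?"""
    for h in headers:
        if h["rawptr"] <= offset < h["rawptr"] + h["rawsize"]:
            return image_base + h["vaddr"] + (offset - h["rawptr"])
    return None


HEADERS = parse_section_table(build_section_table(CONSTRUCTED_SECTIONS),
                              len(CONSTRUCTED_SECTIONS))

if __name__ == "__main__":
    for va in (0x00401234, 0x00410010, 0x00412900):
        off = va_to_file_offset(va, HEADERS)
        print(f"VA {va:08X} -> file offset {off:#x}" if off is not None
              else f"VA {va:08X} -> not present on disk")
```

The third address in the usage loop falls into the uninitialised tail of .data, so it correctly has no file offset; a real disassembler reports the same situation when you select a variable in a .bss-style region.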

Note: Of course W32DSM has many other features... find them out yourself. Most of them are just too easy to include here (like how to search for a string, an instruction, ...).
To read how to use IDA, just click here.

III. Hiew

This is the best hex editor I've ever seen, so I use it a lot. The only "disadvantage" is that it's a DOS-based hex editor. But that does not outweigh the many advantages you get with it!
HIEW is controlled with the function keys (F1, F2, F3, etc.) and the arrow keys on your keyboard, a bit like Norton Commander. Well, load a .exe file and explore the possibilities :) At the bottom of your screen you can see what all the function keys do. If you press ALT or CTRL you'll see that the bar at the bottom of the screen changes and gives you other possibilities.
Quick start: load a .EXE, press F4 (choose mode), press F3 (disassembly mode), press F5 (goto) and type in the offset number (the number you get from W32DSM), then press enter. Changing the hex code can be done by pressing F3. Save the changes with F9.
Now, the big advantage of HIEW is that you can insert real assembly code. Imagine you have to change a "cmp eax, ebx" into "xor eax, eax". Well, you could try to find out the machine code (i.e. hex code) for that instruction, but wouldn't it be easier to just type "xor eax, eax"? Well, that's possible! Press F3 to edit an instruction, then press F2 (insert assembly). Now you can type in the instruction you want. When done, press enter, then ESC, and press F9 to save the changes you made.
Further, I can only recommend you read the help documents included with HIEW.

IV. FileMon/ Regmon

These two tools monitor file operations, like reading and writing (FileMon), and registry operations, like creating a registry key or reading one (RegMon). They are pretty straightforward to use. The only thing worth mentioning is that you should exclude some processes before continuing. Otherwise you will get hundreds (if not thousands) of reads and writes from the operating system itself and not from the program you're monitoring. Therefore always exclude processes like iexplore, explorer, filemon/regmon themselves, and other programs that get in the way. To exclude, just look at which programs are loaded in Windows (ctrl-alt-del once) and put their name(s), separated by ';', in the exclude process list. That's it.
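The exclusion step above is the same filtering anyone analysing an unknown program's file activity does, whether the monitor is FileMon or a modern successor. As an added example that is not part of the original essay and not FileMon's own code, here is a small Python filter that reads constructed FileMon-style log lines (invented for this example, not real tool output), applies a ';'-separated exclude list exactly as described above, and then reports which files the remaining process looked for but did not find. The column layout, SAMPLE_LOG and the helper names are assumptions made here.

```python
from collections import Counter, namedtuple

Event = namedtuple("Event", "seq time process request path result")

# Constructed FileMon-style log (not real tool output). Tab-separated columns:
# sequence, time, process, request, path, result.
SAMPLE_LOG = """\
1\t12:00:01\tIEXPLORE.EXE\tREAD\tC:\\WINDOWS\\SYSTEM\\WININET.DLL\tSUCCESS
2\t12:00:01\tEXPLORER.EXE\tQUERY INFORMATION\tC:\\WINDOWS\\DESKTOP\tSUCCESS
3\t12:00:02\tTARGET.EXE\tOPEN\tC:\\TARGET\\LICENSE.KEY\tNOT FOUND
4\t12:00:02\tFILEMON.EXE\tWRITE\tC:\\FILEMON\\FILEMON.LOG\tSUCCESS
5\t12:00:03\tTARGET.EXE\tREAD\tC:\\TARGET\\SETTINGS.INI\tSUCCESS
6\t12:00:03\tTARGET.EXE\tOPEN\tC:\\WINDOWS\\TARGET.LIC\tNOT FOUND
7\t12:00:04\tREGMON.EXE\tREAD\tC:\\REGMON\\REGMON.LOG\tSUCCESS
"""


def parse_exclude_list(spec):
    """'iexplore;explorer;filemon' -> {'iexplore', 'explorer', 'filemon'}.
    Case-insensitive; surrounding spaces and empty entries are ignored."""
    return {p.strip().lower() for p in spec.split(";") if p.strip()}


def parse_log(text):
    """Turn the tab-separated log text into Event tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        events.append(Event(int(parts[0]), *parts[1:]))
    return events


def process_base(name):
    """'C:\\DIR\\TARGET.EXE' or 'TARGET.EXE' -> 'target', so the exclude list
    can be written without paths or extensions, as the essay suggests."""
    base = name.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def filter_events(events, exclude):
    """Drop every event whose process is on the exclude list."""
    return [e for e in events if process_base(e.process) not in exclude]


def missing_files(events):
    """Paths a process tried to open but which did not exist: the places it
    looks for configuration, licence or library files it expects to find."""
    return [e.path for e in events if e.result.upper() == "NOT FOUND"]


def summarize(events):
    """Count (process, result) pairs so the noise level is visible at a glance."""
    return Counter((e.process, e.result) for e in events)


if __name__ == "__main__":
    everything = parse_log(SAMPLE_LOG)
    kept = filter_events(everything, parse_exclude_list("iexplore;explorer;filemon;regmon"))
    print(f"{len(everything)} events, {len(kept)} after exclusion")
    for path in missing_files(kept):
        print("not found:", path)
```

Running it shows how the exclude list turns seven lines of mixed activity into the three lines that belong to the monitored program, and the "not found" list is usually the first thing worth reading in such a log.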

Essay written by The Blackbird © 1999-2001
This essay can be freely distributed/ published/ printed etc... as long as no modifications are made to the .html and/or content.