|God it is a beautiful debugger :) Press CTRL-D and go see
it! Press CTRL-D again to get back here...yeah it looks like some old-fashioned
DOS program, but oh believe me once you learn how to work with it you start
to appreciate its power!
If you downloaded my configuration file (winice.dat), SoftIce looks like
this, starting from above: register window, locals window, data window,
code window and input window. There are also the watch and the stack window,
but i don't use them. Here are the codes on how to enable/disable the windows:
(you have to type them in the input window below and press enter)
- WC :enable/disable code window
- WD: enable/disable data window
- WF: enable/disable stack window
- WL: enable/disable locals window
- WR: enable/disable register window
- WW: enable/disable watch window
Okay, next thing you have to learn is setting breakpoints. A breakpoint
is a place in a program where that program stops running. What are they
used for? Okay, try to follow me: imagine you have a program, you enter
a (wrong) serial and the program displays a messagebox with the text:
"Invalid serial number!". To crack the program, you need to know where
the comparison between your serial and the real serial number is made.
As the code of a program is very big, it would be an impossible job to
just go and seek for that procedure. It would take months, if not years
to find out! Now, if you set a breakpoint at the messagebox, it's obvious
that somewhere before that messagebox the comparison between your serial
and the real serial is made! So to set the breakpoint you'd have to type
(in the input window): bpx messageboxa
If you are a total newbie I can imagine you don't understand a thing.
Don't bother for now, it's only important that you can set a breakpoint.
Okay let's do that! Press CTRL-D (SoftICE pops up), type in: bpx messageboxa,
press CTRL-D. If now any program you start shows a messagebox, SoftICE
will popup, in the lower right corner of SoftICE you will see what program
SoftICE is tracing (in this case the program that showed the messagebox).
To clear the breakpoint you've just set type: bc *
Messageboxa is the 32-bit instruction to draw a window. If you're a programmer:
it equals a procedure or function in Pascal / C(++)/ Assembler. Messagebox
(without the "a") is the 16-bit instruction used by 16-bit programs. Of
course there are lots of those instructions like: getdlgitemtexta, getwindowtexta,
showwindow, updatewindow, etc... .
All procedures we need to crack are mostly located in KERNEL32.DLL, USER32.DLL
and GDI32.DLL .These are library files, like you have .TPU files in Pascal,
or .H files in C(++).
That about the breakpoints. Btw, there are many other breakpoints than
"bpx" (=break on execution). Examples: bpm, bpr, bmsg. We'll discuss them
later when we actually need them.
Next thing you have to know is how to dump a register or memory place.
The syntax (without the quotes of course...) :"d register". So to display
the eax register you'd have to type: "d eax". Memory adresses are displayed
the same way. Ex.: "d 130501".
Okay, last fundamental point is tracing through the code. This is done
with F10 (step over) or F8 (trace into). Open SoftICE (CTRL-D) and press
F10 a fiew times. You'll see that the red bar (if you use my config) goes
down, e.a. instructions are being executed. When using F10, you'll see
that the red bar goes over CALL procedures. If you want to trace through
those procedures you have to press F8.
Other useful keys are: F12=execute until the end of the procedure, F4=view
current status of the screen.
Oh yeah, before I (or you) forget: you can disable SoftICE by "REM-ing"
the activation line in your autoexec.bat.
Note: there are many other
possibilities with SoftICE but you can only learn them when they are needed.
If you really want to know everything about SoftICE: read the guide that's
included with it!
For problems concerning SoftICE, you can get information on the irc channel #cracking4newbies on EFNet.
Yess, this is a very powerful (yet easy-to-use) debugger for 16/32 bit
programs. It's réally easy to use and has a clean and smooth layout.
Fire up W32DSM! You'll see some menu's and 20 buttons. You can almost
completely controle W32DSM with those 20 buttons. Hold you mouse on a
button and wait a second...a little yellow box appears that tells you
what that specific button does. In this case there are only 2 buttons
Ok, let's disassemble a file. Just take any executable you want, but be
sure it is a 32 bit program that is NOT TOO BIG (!!!). The smaller the
less time it will take to disassemble. Choose a file by clicking the most
left button. When the file is disassembled, you can save the text by clicking
the second button. That way you don't have to disassemble the file time
Now scroll to somewhere in the code and search for a "jmp" instruction.
Go stand on it (with the green bar) with help of your cursors :) You'll
see that there's a button that lights up. Click on it and you will see
you've jumped to the place the program would jump. Click on the button
on the right of the jump button to return where you came from. There's
also a button for "call" instructions.
Very important are the string references. String references are strings
like: "Invalid registration" or "Thank you for registering!", etc... .
You can see them by clicking the last but one button. When you doubleclick
on a string, W32DSM places the cursor on the place where that string appears
in the dead listing.
Very important is that you notice the "@Offset xxxxxxxxh" at the bottom
of you screen. The "xxxxxxxx" is the offset value for the code that's
highlighted with the green bar. You'll need it to patch the program in
a hex editor.
Note: Of course W32DSM has
many other features.....find them out yourself. Most of them are just
too easy to include here. (like how to search for a string, instruction,...).
To read how to use IDA, just click here.
This is the best hex-editor I've ever seen, so I use it a lot. The only
"disadvantage" is that it's a DOS-based hex-editor. But that does not
weigh up against the many advantages you have with it!
HIEW is controlled with the function keys (F1, F2, F3, etc...) and the
arrows on your keyboard. A bit Norton Commander look-a-like. Well, load
a .exe file and explore the possibilities :) At the bottom of your screen
you can see what all function keys will do. If you press ALT or CTRL you'll
see that the bar at the bottom of the screen will change and will you
give other possibilities.
Quick start: load a .EXE, press F4 (choose mode), press F3 (disassembling
mode), press F5 (goto) and type in the offset number (the number you can
get in W32DSM), press enter. Changing the hexcode can be done by pressing
F3. Save the changes with F9.
Now, the big advantage of HIEW is that you can insert real assembly code.
Imagine you have to change a "cmp eax, ebx" to "xor eax, eax". Well, u
could try and find out the machine code (i.e. hex code) for that instruction,
but wouldn't it be easier to just type "xor eax, eax" ? Well, that's possible!
Press F3 to edit an instruction, then press F2 (insert assembly). Now
you can type in the instruction you want. When done, press enter, then
ESC and press F9 to save the changes you made.
Further, I can only recommend you read the help documents included with
Those two tools monitor file operations, like reading and writing (FileMon)
and monitor registery operations, like creating a registery key or reading
one (RegMon). They are pretty straightforward to use. The only thing that
is worth mentioning is that it's good to exclude some processes before
continuing. Otherwise you will get hundreds (if not: thousands) reads
and writes from the operating system itself and not of the program you're
monitoring. Therefore always exclude processes like iexplore, explore,
filemon/regmon itself, and other programs that are disturbing. To exlude,
just look what programs are loaded in Windows (ctrl-alt-del once)
and put their name(s) seperated with ';' in the exclude process list.