hello all

I need to set a breakpoint on RegQueryValueA in Soft Ice. The program I'm trying to crack checks the registry very early on for a username and serial number.
The problem I have is this: after seting up the breakpoint and and leaving the Sice window with control D, I am then unable to run my prog due to Sice breaking every few seconds on RegQueryValueA!
I rialise that this is the OS querying the registry, but it's getting in the way!!

Does anyone know if there is some kind of conditional break that I could use that would ignore the OS's reg queries, but just break on the ones in my program? Surely there must be something like this.

Any help will be greatly appreciated.

Thanks in advace
xOptiMus

Greetings xOptiMus

I asked the same question once too and got told to visit rhayader.htm on fravia's page... Since that time I got a helpful shortcut pointing straight at that specific page...

Next to some really helpful tricks he shows you this:

BPX RegQueryValueExA IF *(ESP->8) == 'Regi' DO "D ESP->14;"

And SoftIce will only break when the registry read the ones that start with "Regi".

Grabb that page...

JimmyC

Thanks very much Jimmy.

I still don't quite understand. When you say Sice will only break on anything starting "Regi", then what is"Regi", i.e. is it the key that you might be searching for in the registry, or some function call or what?

Can u elaborate a little more please?

Thanks

As always, reading the docs can help... 87

For this you can use process id and/or thread
id in your breakpoint condition to limit
breakpoint triggering on a single program
(PID/TID in NT, UPID/UTID in Win9x).

ex: bpx blabla if (upid==1234)

Regards,

Spath.

It seems that there are bugs in the conditional breakpoints of SoftICE.
When I use
bpx RegQueryValueExA if *(esp+8)=='Key'
as the breakpoint, SoftICE doesn't pop up. But I'm sure that the prog does read a registry key named "Key"?C coz I use
bpx RegQueryValueExA do "d *(esp+8)"
and find the string "Key".

> It seems that there are bugs in the conditional
> breakpoints of SoftICE.
>
> When I use
> bpx RegQueryValueExA if *(esp+8)=='Key'

Your condition is not correct, you must either use
a 4 bytes string or add operand size information.

yeah, you are right. It's my bug, not SoftICE's
bpx .... if BYTE(*esp)== 74
bpx .... if WORD(*esp)== 7474
bpx .... if DWORD(*esp)== 74747474

Hi Spath,

Thanks for the info about using a thread or process id to keep all breakpoints to a single program, it sounds like just what I need.

The problem is I havn't been cracking long and don't know how to get the process or thread id of my program. Could you explain how I can get this....?

Thanks in advance
xOptiMus

> The problem is I havn't been cracking long
> and don't know how to get the process or
> thread id of my program. Could you explain > how I can get this....?

Use 'proc' and 'thread' for that, and get the
SoftIce manuals, that could be useful
http://www.idca.com/~thesandman/SoftPage.html