What software can I use?


DENiSON
July 19th, 2009, 15:28
I have been using OllyDbg 1.10 for my previous reversing projects; however, today I decided I would give SoftICE a try. After installation all went well, and once I had SoftICE fully configured I decided to give it a blast and see what I could do! I loaded MixVibes 5.0 into Symbol Loader and got the message "load successful"; however, when I press Translate I get the message "no debug information found". I have since learnt I need to compile the software to create a debug information file for the software I am wanting to reverse! Does anybody know what software can be used to compile a debug information file?

Thanks in advance for your help
DENiSON

naides
July 19th, 2009, 15:38
Well, it goes like this:
The DEVELOPERS of the software, the ones that have the source code, have the option of compiling the executable(s) with debug information for their internal consumption, or without it for distribution to consumers. So unless you have the source code, you should not be able to recompile a commercial software package with debug information...
On the other hand, Olly recognizes most of the OS API calls and labels the parameters accordingly. IDA, using FLIRT, can also recognize a lot of common libraries and API calls used in regular development tools and help you quite a bit in recognizing common function calls. There are tools to feed the IDA output into a SYM file for SoftICE and help you in your SoftICE tracing.

DENiSON
July 19th, 2009, 15:45
In that case I will stick with OllyDbg. The only reason I decided to try SoftICE was because in most crackme tuts they always use SoftICE, so I thought maybe SoftICE has something that OllyDbg doesn't. However, if exactly the same tasks can be carried out in both, I'll stick to SoftICE. It's not like I need kernel debugging anyway; I'm debugging the software, not my system.

Thanks for your reply

Elenil
July 19th, 2009, 17:10
One thing is out of the question: nothing Olly can crack can't be done with SoftICE.
However, I noted some advantages of Olly and SoftICE.
SoftICE: kernel mode debugging (no limits or dependence on ring 3 APIs), kernel info about paging, CR3, GDT, IDT, TSS, KTEB; also it runs before everything else is started. Another advantage is that the PC is frozen while SoftICE is open, so applications can't start something in other applications or ring 0 components.

On the counter side I don't see so much, but: the disassembler of Olly has a better view and also mostly can calc where jmps come from; also the PE info is pretty nicely made in Olly.
A big problem can be the SoftICE video card crashes; also it doesn't like a few other system driver software, which makes quick bluescreens. Olly has more plugins, which can solve a lot of things.

DENiSON
July 19th, 2009, 17:34
I also note most tutorials don't mention needing Symbol Loader. They simply suggest loading up your program and then pressing CTRL + D and you're in SoftICE. Does this mean I don't need to use Symbol Loader every time I want to start a cracking project?

Elenil
July 19th, 2009, 17:50
Quote:
[Originally Posted by DENiSON;81909]I also note most tutorials don't mention needing Symbol Loader. They simply suggest loading up your program and then pressing CTRL + D and you're in SoftICE. Does this mean I don't need to use Symbol Loader every time I want to start a cracking project?

Exactly. You can use other ways to break in at WinMain,
or not even do that.
I forgot about another big advantage of SoftICE!
It can set GLOBAL breakpoints.

So you set a breakpoint, for example, on LoadLibraryA, GetWindowTextA, GetDlgItem, MessageBoxA or something else that your target will use.

Just pop up SoftICE with CTRL + D and enter, for a normal bp,
bpx messageboxa
or, if you want to do it with a hardware bp, use
BPM messageboxa x

naides, do you read PMs?
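The two practical questions in the posts above (does a binary carry debug information, which is what the symbol loader is looking for, and which Win32 APIs does it import, which is where a global breakpoint such as bpx MessageBoxA pays off) can both be answered from the PE headers without any debugger. The script below is an added example, not code from the thread or from any of the posters; it reads the debug directory and the import table using only the standard library. The PE image it parses is constructed inline as test input, and the PDB path, DLL and API names in it are made up for the example.

```python
"""Added example (not from the thread): read a PE file's debug directory and
import table with the standard library only, so you can tell before loading
it into a debugger whether a CodeView/PDB record exists (a release build has
none, which is what "no debug information found" means) and which Win32 APIs
it imports (candidates for global breakpoints).  Test input is constructed."""
import struct

IMPORT_DIR, DEBUG_DIR = 1, 6        # IMAGE_DIRECTORY_ENTRY_IMPORT / _DEBUG
IMAGE_DEBUG_TYPE_CODEVIEW = 2       # the entry type that points at a PDB

def _headers(data):
    """Return (optional header offset, magic, section count, section table offset)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    return opt, struct.unpack_from("<H", data, opt)[0], nsections, opt + opt_size

def _data_directory(data, index):
    """(RVA, size) of one data directory; PE32 keeps them at +96, PE32+ at +112."""
    opt, magic, _, _ = _headers(data)
    return struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112) + 8 * index)

def _rva_to_offset(data, rva):
    _, _, nsections, table = _headers(data)
    for i in range(nsections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def debug_entries(data):
    """List IMAGE_DEBUG_DIRECTORY entries; CodeView (RSDS) entries carry the PDB path."""
    rva, size = _data_directory(data, DEBUG_DIR)
    entries, off = [], (_rva_to_offset(data, rva) if rva else 0)
    for i in range(size // 28):                # each entry is 28 bytes; Type is at +12
        dtype, dsize, _, raw = struct.unpack_from("<IIII", data, off + 28 * i + 12)
        entry = {"type": dtype}
        if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and data[raw:raw + 4] == b"RSDS":
            entry["pdb"] = data[raw + 24:raw + dsize].split(b"\0", 1)[0].decode()  # after GUID+age
        entries.append(entry)
    return entries

def imports(data):
    """Map each imported DLL to its imported function names (ordinals as '#n')."""
    rva, _ = _data_directory(data, IMPORT_DIR)
    if not rva:
        return {}
    _, magic, _, _ = _headers(data)
    fmt, ordinal_bit = ("<I", 1 << 31) if magic == 0x10B else ("<Q", 1 << 63)
    result, off = {}, _rva_to_offset(data, rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if not name_rva:                      # all-zero descriptor ends the table
            break
        names, thunk = [], _rva_to_offset(data, ilt or iat)   # some linkers omit the ILT
        while True:
            (t,) = struct.unpack_from(fmt, data, thunk)
            if not t:
                break
            names.append("#%d" % (t & 0xFFFF) if t & ordinal_bit
                         else _cstr(data, _rva_to_offset(data, t) + 2))  # skip 2-byte hint
            thunk += struct.calcsize(fmt)
        result[_cstr(data, _rva_to_offset(data, name_rva))] = names
        off += 20
    return result

def bpx_candidates(data, watch=("MessageBoxA", "GetWindowTextA", "GetDlgItem", "LoadLibraryA")):
    """Imported APIs from a watch list, as SoftICE bpx command lines (names are assumed)."""
    seen = {n for names in imports(data).values() for n in names}
    return ["bpx " + n for n in watch if n in seen]

def build_sample_pe(with_debug=True):
    """Constructed test input: a minimal PE32 with one section that holds an import
    table for USER32.dll and, when with_debug is set, a CodeView debug entry."""
    sec_rva, sec_off, sec = 0x1000, 0x400, bytearray(0x200)
    def put(at, blob):                        # write into the section, return the RVA
        sec[at:at + len(blob)] = blob
        return sec_rva + at
    hints = [put(0x80 + 0x20 * i, b"\0\0" + n + b"\0")
             for i, n in enumerate([b"MessageBoxA", b"GetWindowTextA"])]
    iat = put(0x60, struct.pack("<III", hints[0], hints[1], 0))
    dll = put(0xC0, b"USER32.dll\0")
    put(0x00, struct.pack("<IIIII", 0, 0, 0, dll, iat) + bytes(20))   # no ILT, then terminator
    dirs = [(0, 0)] * 16
    dirs[IMPORT_DIR] = (sec_rva, 40)
    if with_debug:
        cv = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + b"C:\\build\\mixvibes.pdb\0"
        put(0x120, cv)
        dirs[DEBUG_DIR] = (put(0x100, struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                                                   len(cv), sec_rva + 0x120, sec_off + 0x120)), 28)
    opt = (struct.pack("<H", 0x10B) + bytes(26) + struct.pack("<I", 0x400000) + bytes(60)
           + struct.pack("<I", 16) + b"".join(struct.pack("<II", r, s) for r, s in dirs))
    hdr = (b"MZ" + bytes(58) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
    hdr += b".rdata\0\0" + struct.pack("<IIIIIIHHI", 0x200, sec_rva, 0x200, sec_off, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr.ljust(sec_off, b"\0") + sec)

if __name__ == "__main__":
    image = build_sample_pe()
    print(debug_entries(image), imports(image), bpx_candidates(image))
```

Run it against a real binary by replacing `build_sample_pe()` with the bytes of the file: an empty list from `debug_entries` is the same condition Symbol Loader reports as "no debug information found", and the `pdb` path, when present, is only a pointer to a PDB that ships separately, so the file itself still carries no symbols. The import list is the cheap way to pick which global breakpoint (bpx on LoadLibraryA, GetWindowTextA, MessageBoxA and so on) the target can actually hit; an API that is resolved at run time through GetProcAddress will not show up here.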

Aimless
July 20th, 2009, 00:56
If you are *still* reading tutorials on how to crack using SoftICE, you're not really helping yourself. SoftICE is dead. RIP. Find OllyDbg tuts or WinDbg tuts or, heck, even IDA debugger tuts and have a blast. You also have VIDEO tuts, so not going through them is not an excuse any longer.

Have Phun

WaxfordSqueers
July 21st, 2009, 11:37
Quote:
[Originally Posted by DENiSON;81909]I also note most tutorials don't mention needing Symbol Loader. They simply suggest loading up your program and then pressing CTRL + D?
That's because they assume you know how to use SoftICE, or are at least basically acquainted with it. Aimless claims SoftICE is dead, but he's being biased.

If you use XP, SICE is as good as or better than Olly, depending on what you are trying to accomplish. If you're going to use it, however, you need to spend a lot of time learning it. You don't need Symbol Loader; I seldom use it. If I want to break in on an app I'm debugging, I set BPX _baseprocessstart in kernel32 and the app stops there. That's because _baseprocessstart shows up in k32 just before an app loads. It's simply a matter of stepping over a couple of functions and tracing into one of them. Then you're right at the start of code for the app.

One of the keys to using SoftICE is learning how to make NMS files using IDA. The NMS files are symbols that help you identify key locations in the app. Using IDA, you can even write in your own landmarks for your own benefit. It's not as good as source code, of course, but it sure helps. Learning to use the 'addr' and 'table' commands is vital in SoftICE, but once you've mastered that stuff, the rest is a piece of cake.

Symbol Loader is a convenience for editing the winice.dat config file. You can do all that by hand. It also helps you load modules if you want them, but you can do that by hand as well.

Once you break on _baseprocessstart and trace to the start of code, it's simply a matter of setting whatever BP you need and hitting F5. Or type G <address>. When you first use SICE on an app, it can take a while to determine what's going on. For example, an app I am debugging loads a ROM module. On the first load, I have to set a BMSG hwnd 111, which catches a WM_COMMAND message on the top window.

I find the hwnd using SPYXX. When it breaks, I can trace to the dialog box that loads the module, or I can BPX on GetOpenFileName. Either way, I end up at the dialog box. From there I write down the address where GetOpenFileName is found, so next time I don't have to mess with tracing. I just use BMSG hwnd 111, set G <address>, set a BP with the mouse on the other side of GetOpenFileName, hit F5, the dialog box appears, I load my module and hit OK. The BP I set with the mouse picks up GetOpenFileName returning from the call, and I'm off to the races.

SoftICE is very intuitive and easy to use. It's also very stable, and you can trace through any ring 0 code you want, as long as you don't try anything stupid.

I am not going to mouth off about Olly because I don't know how to use it. By the same token, I don't think anyone should try to discourage you from using SoftICE. Both debuggers have their pluses, and it never hurts to learn anything related to RE for future reference.

The advantage of Olly, as far as I can see, is that a lot of people are writing plugins for it. On the negative side, what I'm seeing is tutorials written for Olly that are recipe cracks. They tell you how to get to a point in the code without explaining what is going on. Most of what I have learned, which ain't a lot, has been from breaking on the start of code (not WinMain) and tracing through the app to see what's happening. That way, I've learned about how Windows initializes an app, how WinMain is called, the message loop, and how WinMain is one long function that loops till an exit message appears. I have also watched windows being initialized and opened.

I think you should carry on with SoftICE and try tracing into some ring 0 code. Sometimes you'll find that a call into ring 0 calls back into the app you are debugging. How Olly handles that is not clear to me. While in ring 0, however, you must be aware that your app is not all that's going on. If you're not aware, you can be tracing through the code for another app. You can tell that immediately in SoftICE by looking at the bar near the bottom of the screen. It tells you exactly what module you're in.

One last thing. I recently came across utilities that are written in DOS. For example, a FLASH utility for flashing your ROM. Without the older version of SoftICE you're essentially dead. I don't know of any other debugger that can debug a DOS app. I've used SoftICE to debug DOS, DOS4G, Windows, DirectX and Python. Not bad for a dead debugger.

Elenil
July 21st, 2009, 17:40
While you mentioned that hwnd command problem again: I think I fully fixed it now.
I rewrote the routine Kayaker posted, where it only calcs with a static address;
also I gave it 2 methods to read the right value.
But I noted a bug: sometimes a stack overflow happens, so I increased the KDStackSize to 10000; then it worked well every time.

If you wanna give it a try:
http://www.woodmann.com/collaborative/tools/IceStealth
Copy the ntice.sys into your drivers folder.

WaxfordSqueers
July 23rd, 2009, 19:52
Quote:
[Originally Posted by Elenil;81997]re hwnd command... If you wanna give it a try:
Thanks, Elenil.