
Here is the usual idiot


edolis
June 12th, 2002, 19:27
Well, hello to everyone.

I'm sorry to bore you all, but please be patient and, if disgusted, just throw away this post.
I started trying reversing 3 days ago since I need a certain BIG app to work (well, not just for that; the fact is that now I have a precise reason to start).
I've just installed SoftICE to speed up debugging but now I'm stuck (DriverStudio 2.5 to be precise, the only version which hasn't crashed my W2000 and works with my video board). The fact is that I can't understand how I should work with it. I don't mean debugging but the most trivial part: starting! Tutorials focus on using it but not on starting.
How should I load the app? Using the Symbol Loader? What message should I get? I just get a message saying that the exe is loaded, no debug information found (of course) AND symbols not loaded. Is that normal or not?
When I pass to SoftICE (Ctrl+D) I expect to get the app stopped at the first instruction, but the current instruction is somewhere in a HAL place (and I don't know: what is it?). Should I use some command to start my app?
If I try to get EXP I see just one line concerning my app, nothing about its 3 DLLs. Is that normal?
And if I want to restart and stop at the first instruction, what should I do?

Moreover: is there any way to load the European keyboard layout in SoftICE, or should I keep guessing the positions of the keys of the USA keyboard?

Something definitely is not working (maybe it's me), but I was used to the Visual C++ debugger...
and, definitely, I feel a useless idiot.

Thanks
Emanuele

?ferret
June 13th, 2002, 01:08
In Symbol Loader:

File -> Open Module

Module -> Load

Ignore the error message box

Hit F10 once after SoftICE pops up.

Without Symbol Loader:
Set a breakpoint on an API or memory address.
Run your program.

Once you're in, the "basic" operation is the same as the VC++ debugger, with the exceptions that SoftICE is system-wide (all running processes) and you can trace into system DLLs. There are also WAY more bells & whistles, but worry about them after you get the basics down pat.

edolis
June 13th, 2002, 08:04
After loading the module SoftICE doesn't pop up. Is that right?
So I've decided to set a bpx MessageBoxA, then I've launched the prog and it pops up at the licence msg box, too late to follow the flow.
AARGH! I need to start debugging at the first line! So I query STACK and here is my app (xxxx!.text+1322). By the way, what is "text"?
Now I'd like at least to go to that line to set a breakpoint, or better to go back to the beginning of the module and set a breakpoint over there, but I haven't got a clue how to do that.
SO: Is there any way to find out the address of the first instruction of a module I have loaded with the Symbol Loader? Can I set a breakpoint there before launching the app? How can I do it?
Moreover the keyboard keeps being USA-like..

Thank god I'm appreciating the power of SoftICE, even if it seems a bit cumbersome...


Maybe you could redirect me to a tutorial which covers these startup phases with DriverStudio, so that I can check what is working and what is not?

Thanks a lot for your help

Ema

foxthree
June 13th, 2002, 10:21
Use LordPE's Break-and-Enter and don't forget to change the EIP bytes ;D

Signed,
-- FoxThree

Mefeus
June 13th, 2002, 10:29
You can find tuts over tuts when following the links at the bottom of this site (and in different languages at hxxp://crackstore.com).

You have to look at it the following way:

You have a Messagebox.
You can set a breakpoint at a Messagebox.
Your SICE pops up and you find yourself inside some API call.
You return to the caller (was it F12?).
You find yourself inside the code of the file you want to hurt (if not, return to caller again).
You see at which point (RVA = relative virtual address) the Messagebox finally is called.

Now there are two ways:
Trace the code in your SICE window back to find something interesting, or return (again) to all caller positions, hoping to find something like "je -> bad boy"...

Disassemble the file with a disassembler (best for newbies is always Wdasm V8.93, look around).
Look at the address you found with SICE and "trace" through the jumps leading to this position, hoping to find something like a final compare with different jumps.

If you are not successful, you tried something too hard for the beginning of reversing.

And by the way: text is the name of one section of the PE structure of your file, so you see, you have to read something basic about the PE (portable executable) format too.

Good luck!

NervGaz
June 13th, 2002, 12:29
Quote:
Originally posted by edolis
xxxx!.text+1322

would be <current cs>!<.code section in file>+<offset from beginning of .code section>, if I'm not mistaken

naides
June 13th, 2002, 14:35
Quote:
Originally posted by edolis
After loading the Module SIce doesn't pop up. - is it right?

Right.

Quote:
Originally posted by edolis
so I've decided to set up a bpx MessageBoxA then i've launched the prog and it pops up at the licence msg box - too late to follow the flow.
AARGH! I need to start debugging at the first line!

Disassemble the module with Windasm or IDA and find the entry point of your app. Note the address.

You need to place a BPX at that address in order to start tracing from the first instruction, if you seem so determined to debug from the very beginning.

Quote:
Originally posted by edolis
so i query STACK and here it is my app (xxxx!.text+1322). - by the way what is "text"?
Now i'd like at least to go to that line to set a breakpoint, better to say to go back to the beginning of the module and set a breakpoint over there, but i haven't got a clue how to do that.

Several tricks: disassemble the program and find an API call very close to the program entry point. BPX GetVersion is my favorite. Now when SoftICE breaks, browse upwards and soon you will find the initial instructions of your module. If you double-click on the instruction you want, it will be BPXed for you.

Or manually change the first byte of the entry point instruction to 'CC', which is the opcode for int 3. Now in SoftICE type BPINT 3. It will break as soon as your module's first instruction, 'CC', is executed.

Quote:
Originally posted by edolis
SO: Is there any way to understand what is the address of the first instruction of a module i have loaded with the symbol loader? can i set a breakpoint there before launching the app? how can i do it?

The first instruction of the module, meaning the one at the lowest address in memory, and the first instruction executed by the module, meaning the module entry point, are two different things. The first instruction executed by a program is rarely placed at the beginning of the module.

You can set a breakpoint before starting the execution of a module, but there is a chance, given the relocation intricacies of Windows, that the address you pointed your BPX at is not the address of the intended instruction. You need to know which selector, i.e. 017F:004523412.

Quote:
Originally posted by edolis
Moreover the keybord keeps to be USAlike..

RTFM

edolis
June 13th, 2002, 15:38
Well, you have given me lots of good advice. I've already installed the two apps; now I'll go around to get some manual 'cause I haven't got a frame yet where to place all these utilities from a functional point of view, but these two tools give me VERY good help. Thanks again.

At least I won't bother you more before having read their tutorials.

The silly prob I have now (pfff!) is that when LordPE breaks my app, the Visual Studio debugger comes up to take control (instead of SoftICE), but this should be a RTFM.
(FoxThree, I haven't understood yet what you mean about the EIP register... but I have realized it goes into an access violation. I'll try to understand how to face it.)
Maybe I'll throw away my dear Visual Studio (sob) and reinstall everything, anyway... hoping that SoftICE sets itself as the default debugger...

As for the keyboard, I'll check out the documentation (sorry for the RTFM, naides) once again...

Thanks to everyone, and please remember: if someone is writing a tutorial, please add a paragraph binding concepts together without going directly to mnemonics. That is: how/why to unpack [I mean, how do you realize you need unpacking?], disassemble, load and start debugging. Let's start with questions like: Hey, what is the information we must have on the desk before starting reversing? What is it useful for? And after that: what are the tools which provide it?
These are just suggestions, 'cause whoever is in touch with reversing often forgets the zero-based position of a newbie^(newbie) [who maybe has concepts and a bit of knowledge, but can't relate them in a step-by-step howto guide].
It would be plainly useful even for those who have written down some lines of code before...

And idiots (like me) always go around, mates.
But (I hope) it's just a step of a Pokemon-like evolution (I hope!)

Thanks
Ema

nikolatesla20
June 13th, 2002, 16:06
Two things you must do to use the break-and-enter feature:



1. Ctrl+D into SoftICE, and make sure you tell it to break on interrupt 3: "bpint 3" <enter>. This enables the break-and-enter to work right.


2. To get rid of the "default" debugger, go into your registry with regedit:

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Name: Debugger
Data Type: REG_SZ
Value: <whatever is here, for example msdev.exe>

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Name: Auto
Data Type: REG_SZ
Value: 1

The "Debugger" value is the path to your default debugger. The "Auto" value determines whether the debugger comes up on its own or asks you first. I suggest that it ask you first (set it to zero).

You need to edit the bytes at EIP after a break-and-enter because a break-and-enter is an interrupt 3 call. This is easy: when SoftICE comes up after the break-and-enter, you can usually scroll up (Shift+up arrow) in the SoftICE command window and you will see it tells you something like "you need to replace with <blah><blah> code before continuing!". So then you need to do an "a eip" and change the bytes to what they should be, then just press <enter>......

Arrgh, sorry, you need to read some more tuts if you can't get all that. And if you don't like reading, well, you are in the wrong hobby.

-nt20
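
The "CC at the entry point" trick that naides and nikolatesla20 describe above, plus NervGaz's reading of `xxxx!.text+1322`, as an added example that is not from the original thread and is not LordPE's code: a small Python script that parses a PE32/PE32+ header, maps AddressOfEntryPoint to its file offset, writes 0xCC there (and can put the original byte back), and converts SoftICE's section+offset notation into a linear address. The image it patches is constructed in `build_sample_pe()` and is not a real program; the header field offsets are the documented PE layout.

```python
import struct

INT3 = 0xCC
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Read the few header fields needed to find the entry point and the sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    table = opt + size_of_opt                              # IMAGE_SECTION_HEADER[], 40 bytes each
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def section_for_rva(pe: dict, rva: int) -> dict:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def rva_to_file_offset(pe: dict, rva: int) -> int:
    """Map an RVA onto the on-disk image; fails for bytes that exist only in memory."""
    s = section_for_rva(pe, rva)
    delta = rva - s["va"]
    if delta >= s["raw_size"]:
        raise ValueError(f"RVA {rva:#x} lies in the zero-filled tail of {s['name']}")
    return s["raw_ptr"] + delta


def describe_rva(pe: dict, rva: int) -> str:
    """Render an RVA the way SoftICE's STACK output does: '.text+1322' (hex offset)."""
    s = section_for_rva(pe, rva)
    return f"{s['name']}+{rva - s['va']:X}"


def symbol_to_linear(pe: dict, symbol: str) -> int:
    """Reverse of describe_rva: 'module!.text+1322' -> image_base + section VA + 0x1322."""
    name, _, offset = symbol.split("!")[-1].partition("+")
    for s in pe["sections"]:
        if s["name"] == name:
            return pe["image_base"] + s["va"] + int(offset or "0", 16)
    raise ValueError(f"no section named {name!r}")


def patch_entry_with_int3(data: bytes):
    """Return (patched image, original byte, file offset) with 0xCC at the entry point."""
    pe = parse_pe(data)
    offset = rva_to_file_offset(pe, pe["entry_rva"])
    buf = bytearray(data)
    original, buf[offset] = buf[offset], INT3
    return bytes(buf), original, offset


def restore_byte(data: bytes, offset: int, original: int) -> bytes:
    """Put the saved entry byte back once the break has been taken."""
    buf = bytearray(data)
    buf[offset] = original
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for this demo (not a real program): one .text section,
    entry point 0x10 bytes into it, image base 0x400000."""
    image_base, text_va, text_raw, text_size = 0x400000, 0x1000, 0x200, 0x200
    # 16 NOPs, then a typical prologue: push ebp / mov ebp,esp / push 0 / call / ret
    text = (b"\x90" * 0x10 + b"\x55\x8b\xec\x6a\x00\xe8\x00\x00\x00\x00\xc3").ljust(text_size, b"\0")
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, text_va + 0x10)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                   # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x2000, text_raw)                # SizeOfImage, SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size, text_raw,
                       0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(text_raw, b"\0") + text


if __name__ == "__main__":
    image = build_sample_pe()
    pe = parse_pe(image)
    print("entry point:", describe_rva(pe, pe["entry_rva"]),
          "linear", hex(pe["image_base"] + pe["entry_rva"]))
    patched, original, offset = patch_entry_with_int3(image)
    print(f"wrote CC at file offset {offset:#x}, original byte {original:#04x}")
    print("STACK line .text+1322 ->", hex(symbol_to_linear(pe, "xxxx!.text+1322")))
```

Two things the thread's advice leaves implicit. Patching the byte in the file sidesteps the relocation worry naides raises, because the CC is executed at whatever base the loader chooses; the price is that `BPINT 3` is a system-wide trap, so other int 3s will also drop you into SoftICE. And since int 3 pushes the address of the following byte, EIP is one past the patched location when SoftICE appears: put the original byte back there before resuming, as nikolatesla20's "a eip" step does. If the target is packed, the entry point this script patches belongs to the unpacker stub, not to the program you are trying to reach.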

Mefeus
June 13th, 2002, 16:27
The best tutorial for the beginning:

hxxp://members.shaw.ca/yeslogon/spaia20020530_2.pdf
(change the xx to tt after copy and paste)

It comes from:
hxxp://alfredkmlo.cjb.net/

Trust me, it's worth the download: the best starting tutorial which is available at this time.

Greatz Mefeus

edolis
June 13th, 2002, 16:33
Nay, nikolatesla, I like reading...
Your explanation is quite clear... now I have enough elements to solve the two probs...

Great, great!
I'm smiling. Tonight I'll sleep few hours as usual...
Let me download some more tuts, print all these directions, and go home and have the usual spaghetti in front of the debugger...

WOW, cool night...

Bye
ema

JMI
June 13th, 2002, 17:15
edolis:

The Alfred Lo article mentioned by Mefeus is actually available on the Fravia portion of Woodmann's server under the "What's new" section of new tutorials. There is a link to that portion of the server at the bottom of this forum.

There's a link to that article from there: http://www.woodmann.net/fravia/spaia20020530_2.pdf

Regards.

edolis
June 13th, 2002, 17:27
Yes, certainly I've got it. I downloaded it some days ago, can't remember where, together with plenty of manuals/examples/assembly-knowledge-refreshers, and the technical/university point of view makes it quite appreciable (maybe only for engineers, but I am one). Now I just need time to read...
Unluckily the only SoftICE tut I found looks like an old copy of the manual <si-ug-chapterxx> (now I'm reading the newest copy, the one from DriverStudio 2.5), which is written from a developer's point of view, not a reverser's (that's why you're getting fed up with me!!)
Lots of things to learn... does it mean I'm still young??

Bye Ema

JMI
June 13th, 2002, 17:50
edolis:

If you haven't been there already, go to Krobar's site at hxxp://www.krobar.cjb.net/. He has collections of tuts on many subjects, although many are already at the Fravia site here. More specific to your learning curve, there are articles from the "Cracking 4 Newbies" site which address SoftICE issues. There are a lot of articles there and on Fravia. Use the search functions of the boards to locate articles specific to SoftICE.

The CrackZ Archive, also at the bottom of the forum, has an article titled "SoftICE - the very 'basics'" which has good information on getting started with SoftICE. You can also find the single article by doing a search on the net for that title. It has these connected articles:
Installing SoftICE
Configuring SoftICE
Greythorne's Guide to Breakpoints
Rhayader's Guide to SoftICE conditional breakpoints and macros

and identification of various APIs to use for cracking. Check them out. The CrackZ article would be a very good place to start learning SoftICE use.

Regards.

edolis
June 14th, 2002, 07:27
I've found it (at last; I've tried to access www.cracking4nebies thrice these days and no way), but I've found another site with plenty of tuts, like the one you advised me (and it is, really, cool!)
The URL is hxxp://home.online.no/~reopsahl/files/assem.htm
(from the Ground Group)
Have a nice day (I'll have a nice read...)
Ema

Mostek
June 16th, 2002, 23:21
Here is the answer to the keyboard issue.

wXw.compuware.com/products/driverstudio/faq/softice/index.htm

Peace
Mostek

ReaL|sTy
June 26th, 2002, 18:08
Seems you're just starting... Usually a bpx on hmemcpy is used to fish serials. In your program, open the window where you're supposed to enter the name and serial (or just the serial). Leave it open and don't enter anything yet. If you have any bpx active, clear it (bc * + enter), just in case: we don't want SoftICE to break yet.

Then enter your serial and name. Ctrl+D will pop up SoftICE; write bpx hmemcpy, then enter, now Ctrl+D again to exit SoftICE. Now press OK in the registration window and SoftICE will pop up, usually starting in some Windows APIs. Keep pressing F12; you have to make sure you're in the program's code instructions. If your program needs only a serial then you will only have to stop when you see the program code... or skip with F12 until the next instructions where the serial is calculated. Trace with F10.............

I'm too lazy right now to keep telling you... anyway, you need to read tutorials.....

good luck!

edolis
June 27th, 2002, 16:46
Mostek, your directions are quite interesting; yet, I can't access the directory where that damned keymap.zip is placed: no permission to enter the dir where the file is placed.
Is there anyone who can tell me where I can get a copy??

Thanks
Emanuele