Log in

View Full Version : Sice says "Symbol not defined"

spuTniK
July 31st, 2002, 00:03
Hi there,
I`m a bloody Newbie and got a little problem about the function
"MessageBox" which should be included in the kernel.dll
( I`m using win2k ).
I try to do an crackme which breaks on hmemcpy, but as this is not working with the NT Version of Softice I tried to get all the needed functions by using SoftSnoop :
...
API: GetProcAddress(KERNEL32.DLL), 77E00000h, 00436170h="MessageBox"
API: GetProcAddress returned: 77E275D5h

But if I try to set a breakpoint on MessageBox Sice tells me "Symbol not defined"



Thx for any help
spuTniK
ramon
July 31st, 2002, 00:27
You must load exports for SoftICE, use Symbol Loader for that or the best thing, edit "SoftICE initialization Settings..." under Symbol Loader and add all *must have* DLLs to exports tab:

User32.DLL
Kernel32.DLL
Shell32.DLL
Advapi32.DLL
...
...
and all DLLs you want!
And your are wrong about the DLL name that export "MessageBox", for sure is "User32.DLL"

bye
Ramon
Aimless
July 31st, 2002, 07:22
Could also be because there is no such thing as MessageBox. Only:

MessageBoxA
MessageBoxW
MessageBoxExA
MessageBoxExW

Have Phun, Always.
spuTniK
July 31st, 2002, 12:03
>You must load exports for SoftICE, use Symbol Loader for that >or the best thing, edit "SoftICE initialization Settings..." under >Symbol Loader and add all *must have* DLLs to exports tab:

Thx for the tip - till now I loaded the exports by editing the winice.dat. Think the next thing I`ll do is reading the "Using Softice" tut.

>Could also be because there is no such thing as MessageBox. >Only:

>MessageBoxA
>MessageBoxW
>MessageBoxExA
>MessageBoxExW

U are right - they are all existing - but no one breaks




thx for your help - cya
Aimless
July 31st, 2002, 14:03
A couple of things:

1. What version of Softice are you using ?

2. Are you using the standalone or SoftIce Driversuite one ?

3. Is your OS Win 95/98/ME/NT/2000 ?

4. Are you sure what you are seeing is indeed a MESSAGEBOX ? Just because it is a box that appears during an error, just because it has a title bar, just because it has 2 buttons, OK and CANCEL, does not make it a MESSAGEBOX.

5. Suggest you get an API Monitor at www.programmerstools.org and see whether its really a MESSAGEBOX or a DIALOG BOX or a DIALOG BOX FROM TEMPLATE or DIALOG BOX from RESOURCE or a Window drawn using DirectX (yup!!!) or, in rare cases, HAND WRITTEN CODE that creates a window with the same.

6. Instead of breakpoint on MESSAGEBOXA, try breaking on CreateWindowExA or CreateWindowExW. This will tell you if the programmer has used hand-written routines, or he is simply calling the APIs.

7. Use a tool like SPY (found on same site above) to find whether your window is really a MESSAGEBOX or DIALOGBOX disguised as one.

8. Make sure that if you see you app in softice as "myapp" by giving the PROC or TASK commands, then you *must* do a

ADDR MYAPP

and SUBSEQUENTLY put in a BPX MESSAGEBOX<whatever>

9. Of course, I assume you have already found out ANTI-SOFTICE code, if any.

Try these out and see what happens. If not, we may just have to get dirty...

Have Phun, Forever.