Hello,

After reading and studying all the fantastic tutorials on reversing and cracking for many months now, I thought I would try to get hands-on experience with solving a few CrackMe's first, and learn how to use the tools before I apply the knowledge and techniques I've learned. I've amassed quite a good collection of tuts, and just this week I finally installed the tools, and I'm ready to apply the knowledge and develop the skills.

I d/l'd several CrackMe's, and have started practicing. I thought I'd jump straight into the solutions first and follow the solutions to the letter, just to learn how to become proficient with the tools and commands. Unfortunately, I'm having mixed success, despite following the solutions and following the lead. The problem is trying to get Sice to display certain registers. I've run the CrackMe and Sice and the solution countless times trying to figure the error. I know I'm totally overlooking the obvious, but just can't figure it out despite all my efforts.

Here's the situation, briefly:

CrackMe_1 has a solution which bpx-ed on hmemcpy. I followed, and Sice popped as it should, and I followed the author as he traced through the code. The author then bpx-ed on a particular CALL function, and then performed a display on 'edx' which contained the correct serial. 'eax' on the other hand, should contain the wrong serial, entered by me at the start of the CrackMe_1.

Here's the simple code: (borrowed from w32dasm), my notes arrowed:

------------------------Code Start------------------------
:0042D556 8D55F8 lea edx, dword ptr [ebp-08]
:0042D559 8B86E0010000 mov eax, dword ptr [esi+000001E0]
:0042D55F E8FCC8FEFF call 00419E60
:0042D564 8B45F8 mov eax, dword ptr [ebp-08] <-- wrong serial
:0042D567 8B55FC mov edx, dword ptr [ebp-04] <-- correct serial
:0042D56A E86163FDFF call 004038D0 <-- compare eax, edx,
:0042D56F 750C jne 0042D57D

* Possible StringData Ref from Code Obj ->"Congratz cracker! hehehe"
|
:0042D571 B8ECD54200 mov eax, 0042D5EC
:0042D576 E87DFBFFFF call 0042D0F8
:0042D57B EB0A jmp 0042D587

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D56F(C)
|
* Possible StringData Ref from Code Obj ->"No no no! Try again!"


---------end--------------------

Here's my question: when I try to display 'edx' as the author did, I just don't see the serial in the data window; however, I wanted to take a look at the contents of 'eax' and was able to display 'eax', which is the incorrect data I entered into the CrackMe. I can't understand why I'm unable to get 'edx' to display as the author is able to do? I'm entering the same command for both: "d edx" and "d eax".

Similarly, the second solution to this same CrackMe1 was written by a different author. He also bpx-ed on hmemcpy. I traced along with him, to the same CALL above.
The author writes:

" Indeed... eax after 0042D564 is my serial of 1234567 and edx after 0042D567 is the correct serial...". I completely understand, but I just can't get 'edx' to display here either.

This author actually took the solution even further, and then offered yet another angle to solving the CrackMe, and displayed the address of edx [ebp-04]. In his words, he stated:

" [ebp-04] contains the address that stores the correct serial. To find what is [ebp-04], type "d (ebp-04)" and in the data window. you will see D0 1D B9 00 ........" ,
and then he did a conversion routine, but the point being is that he was able to display 'edx'. I couldn't get it to display either. I believe I'm using the display command correctly, but can't get 'edx' to show the contents.

I hate getting stuck on such a trivial issue. I know it's difficult trying to troubleshoot something like this without having the CrackMe in progress, but if anyone can see what the problem could be and can help with this slight snag I'm having, I'd be very grateful.

Thanks for any input and advice.

~Ralder

To examine the contents of eax and edx simply look at them in the register window (or activate the registers window by typing 'wr' in softice).
The command 'd eax' shows, in the data window, the contents of the ADDRESS pointed by DS:EAX, not the actual number contained in EAX.
Same with 'd edx'




I think the author of the tut assumes you have opened the data window (type 'wd' in Sice).


I hate getting stuck on such a trivial issue. I know it's difficult trying to troubleshoot something like this without having the CrackMe in progress, but if anyone can see what the problem could be and can help with this slight snag I'm having, I'd be very grateful.

Thanks for any input and advice.


Also keep in mind that the data in memory is organized in the 'Little endian format' ie: the least significant byte is in the lowest memory position, to the left, and the most significant byte is in the highest memory position, to the right. This is also known as reverse notation.
a for instance:
after the instruction
:0042D564 8B45F8 mov eax, dword ptr [ebp-08]

eax will contain '12345678'
but if you examine the contents of ebp-08 with the instruction 'd (ebp-08 )'
you will see in the data window

1256:90456789 78 56 34 12 ........"
Some address actual data

this notation is somewhat counterintuitive and may be confusing. you may be looking at the correct number but you would not recognize it

Hope I understood your question and helped you.

Hi Bratscher,

Thanks for replying. Oh yes, that was the problem. It was a complete oversight on my part. I'm really embarrassed now, haa. I'm still learning the interface of Sice, which seems a bit complex and a little daunting at first go. I'm sure it'll take a bit of practice for me, but I'm ready.

Hey, thanks *very* much! I also keep good notes, and I really appreciate your information about the way in which data is organized. I will certainly study that in more detail.

Your help is appreciated, and my sincere thanks again for clearing things up for me.

Onward,

Ralder