softice -- simple problem


tjm2k
February 27th, 2004, 02:58
Hi all,

I have searched the forums for an answer to my question, but to no avail... so sorry for the (almost certainly) spam.

I am following Nolan Blender's Zendenc tutorial, and have reached the part where I am supposed to break at 00439019 with softice. I cannot seem to do this.

I have tried :
bpx 00439019
bpm 00439019
and various combinations of typing 'be' before and after entering the breakpoint(s).

Can anyone give me some guidance?

Cheers,

-tjm

Aimless
February 27th, 2004, 03:35
Try searching for the term "breakpoints" without the quotes on the msgboard search function. You'll be surprised.

Have Phun

naides
February 27th, 2004, 07:50
Quote:
[Originally Posted by tjm2k]Hi all,

I have searched the forums for an answer to my question, but to no avail... so sorry for the (almost certainly) spam.

I am following Nolan Blender's Zendenc tutorial, and have reached the part where I am supposed to break at 00439019 with softice. I cannot seem to do this.

I have tried :
bpx 00439019
bpm 00439019
and various combinations of typing 'be' before and after entering the breakpoint(s).

Can anyone give me some guidance?

Cheers,

-tjm



Also search 'memory space' along with 'breakpoint' and you'll see the answer to your problem

tjm2k
February 27th, 2004, 15:57
Hi all,

Thanks for the search ideas.
I have already explored both of those options... all I really want is the correct syntax to break at 00439019.

I have now tried :
bpm 00439019 r, rw and w, all to no avail.

I am sure I am missing something obvious, so please put me out of my misery

Cheers,

-tjm

naides
February 27th, 2004, 20:14
Quote:
[Originally Posted by tjm2k]Hi all,

Thanks for the search ideas.
I have already explored both of those options... all I really wan't is the correct syntax to break at 00439019.

I have now tried :
bpm 00439019 r, rw and w, all to no avail.

I am sure I am missing something obvious, so please put me out of my misery

Cheers,

-tjm



Well.

You REALLY need to be standing in the memory space of the correct module to get a hardware breakpoint set up correctly.
Also, if that module has a Data Segment (DS) that happens to be different from the Code Segment (CS) (unusual, but not unheard of), you have to EXPLICITLY write

bpm CS:00439019 X


because, by default, bpm refers to the DS-based address.
Notice the X for eXecution, but R for read should work also, as code needs to be read right before it is eXecuted.

Moreover, some protections clear the Debug registers, effectively defeating your breakpoint.

Good Luck.

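As an added example, not part of the thread or of SoftICE itself, the following Python models how a debugger's "bpm addr X|R|W|RW" has to program the x86 debug registers (DR0..DR3 hold the address, DR7 holds the enable, R/W and LEN fields, per the Intel SDM bit layout), and then simulates the CPU's check for a single instruction fetch or data access. It shows why an execute breakpoint on 00439019 fires while a read/write breakpoint on the same address does not: the R/W=11 encoding watches data reads and writes only, and instruction fetches are not data reads. It also shows that writing DR7=0 (what a protection that "clears the debug registers" does) silences every slot. The address is the one from the thread; the function names and the access model are this example's own assumptions.

```python
# Added example (not from the thread): encode an x86 hardware breakpoint the way
# a debugger's "bpm addr [X|W|R|RW]" must, and model whether a given access traps.
# DR7 layout (Intel SDM vol. 3): L0..L3 local enables in bits 0,2,4,6;
# G0..G3 global enables in bits 1,3,5,7; R/Wn in bits 16+4n..17+4n; LENn in bits 18+4n..19+4n.

TARGET = 0x00439019  # address from the thread; everything else is illustrative

# R/W field values. Note there is no "read-only data" encoding on x86.
RW_EXECUTE = 0b00      # instruction execution at exactly this address (LEN must be 1)
RW_WRITE = 0b01        # data writes
RW_IO = 0b10           # I/O port access (needs CR4.DE); not used here
RW_READ_WRITE = 0b11   # data reads or writes, never instruction fetches

# A debugger's "R" has to fall back to R/W=11, since the CPU cannot watch reads alone.
KIND_TO_RW = {"X": RW_EXECUTE, "W": RW_WRITE, "RW": RW_READ_WRITE, "R": RW_READ_WRITE}

LEN_ENCODING = {1: 0b00, 2: 0b01, 4: 0b11, 8: 0b10}  # 8-byte length only on 64-bit CPUs
LEN_DECODING = {v: k for k, v in LEN_ENCODING.items()}


def program_breakpoint(dr7: int, slot: int, address: int, kind: str, length: int = 1):
    """Return (new_dr7, value_for_DRslot) with the breakpoint armed in slot 0..3."""
    if not 0 <= slot <= 3:
        raise ValueError("slot must be 0..3")
    rw = KIND_TO_RW[kind.upper()]
    if rw == RW_EXECUTE and length != 1:
        raise ValueError("execute breakpoints must use LEN=1")
    if address % length:
        raise ValueError("data breakpoints must be aligned to their length")
    dr7 &= ~(0b11 << (16 + 4 * slot)) & 0xFFFFFFFF  # clear old R/W field
    dr7 &= ~(0b11 << (18 + 4 * slot)) & 0xFFFFFFFF  # clear old LEN field
    dr7 |= rw << (16 + 4 * slot)
    dr7 |= LEN_ENCODING[length] << (18 + 4 * slot)
    dr7 |= 1 << (2 * slot)  # Ln: local enable for this slot
    return dr7, address


def slot_state(dr7: int, slot: int):
    """Decode (enabled, rw, length_in_bytes) for one slot from DR7."""
    enabled = bool(dr7 & (0b11 << (2 * slot)))  # Ln or Gn set
    rw = (dr7 >> (16 + 4 * slot)) & 0b11
    length = LEN_DECODING[(dr7 >> (18 + 4 * slot)) & 0b11]
    return enabled, rw, length


def would_trap(dr7: int, slot: int, drn: int, access: str, addr: int) -> bool:
    """Model the CPU check for one access; access is 'fetch', 'read' or 'write'."""
    enabled, rw, length = slot_state(dr7, slot)
    if not enabled:
        return False  # a protection that wrote DR7=0 lands here
    if rw == RW_EXECUTE:
        return access == "fetch" and addr == drn  # exact match, no length range
    in_range = drn <= addr < drn + length
    if rw == RW_WRITE:
        return access == "write" and in_range
    if rw == RW_READ_WRITE:
        return access in ("read", "write") and in_range  # fetches do not count
    return False


def demo() -> dict:
    """Arm 'bpm 439019 X' in slot 0 and 'bpm 439019 R' in slot 1, then probe them."""
    dr7, dr0 = program_breakpoint(0, 0, TARGET, "X")
    dr7, dr1 = program_breakpoint(dr7, 1, TARGET, "R")
    return {
        "dr7": dr7,
        "X fires on fetch": would_trap(dr7, 0, dr0, "fetch", TARGET),
        "R fires on fetch": would_trap(dr7, 1, dr1, "fetch", TARGET),
        "R fires on data read": would_trap(dr7, 1, dr1, "read", TARGET),
        "X fires after DR7 cleared": would_trap(0, 0, dr0, "fetch", TARGET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

This matches what tjm2k reports later in the thread: "bpm 439019 x" breaks and "bpm 439019 r|rw|w" does not, because the CPU reaches the instruction by a fetch, not by a data read. The model also makes the segment point concrete: the DRn value is a linear address, so the debugger must resolve "CS:00439019" (or whatever selector the user typed) before writing it.
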
tjm2k
February 27th, 2004, 21:36
In Blender's essay, he simply states "break at 00439019".
I take it that this may not be as simple as he suggests?

I was thinking all that is required is to tell softice where to break, I figured if I had the patience to scroll through the assembler code in the softice popup, I could just double click 00439019 and my problem would be solved... (I haven't tried that yet).

But you seem to be indicating that I am missing a more important deeper understanding of what exactly "break at 00439019" entails.

Does anyone know if there is a "walkthrough" of Nolan Blender's zendenc essay with all commands used to complete the crack? I think that would be a great thing for me to learn from.

Cheers,

-tjm

naides
February 28th, 2004, 14:57
Quote:
[Originally Posted by tjm2k]In this Blender's essay, he simply states break at 00439019.
I take it that this may not be as simple as he suggests?

I was thinking all that is required is to tell softice where to break, I figured if I had the patience to scroll through the assembler code in the softice popup, I could just double click 00439019 and my problem would be solved... (I haven't tried that yet).

But you seem to be indicating that I am missing a more important deeper understanding of what exactly "break at 00439019" entails.

Does anyone know if there is a "walkthrough" of Nolan Blender's zendenc essay with all commands used to complete the crack? I think that would be a great thing for me to learn from.

Cheers,

-tjm



Direct quote from the tut:

"After the program loads and breaks at the entry point, a breakpoint is then set at 439019, and the stack examined at that point - I use dd esp. . ."

You need to load the program into the SoftICE Symbol Loader, which assures you that you are in the program's memory space. Then setting bpx 439019 works, at least on my computer: WinXP, SoftICE 4.27 with Kayaker's patch.

tjm2k
February 28th, 2004, 16:25
Odd, I have loaded the program into SoftICE and set bpx 439019; that is the first thing I tried. It doesn't work for me.

I use softice from DriverStudio 3.1, on Windows 2000 SP4. Are there any known bugs on that platform?

Cheers,

-tjm

JMI
February 28th, 2004, 18:13
tjm2k:

One begins to wonder if you are actually paying attention to the words that are being used. You say:

"I have loaded the program into softice and set bpx 439019."

The tut says:

"After the program loads and breaks at the entry point, a breakpoint is then set at 439019."

Your statement is NOT the same as the one from the essay. Did you load the program and break at the entry point before you set bpx 439019???? If not, that may be your problem.

Regards,

tjm2k
February 28th, 2004, 19:19
Sorry if it seems that I didn't read the instructions well...

Anyway, I made it break, and I got some of the data I need.

Only problem now is that the address pointed to by esp is full of nulls, instead of a proper FlexLM job structure.
I thought this might be because it had not been populated yet by the function at 439019, so I tried running the next line to no avail.

I have tried bpx 439019, bpm 439019 x and they both break. But bpm 439019 with r|rw|w don't break.

Is there any reason I should be seeing all null (00000000) at the address which should contain the job structure? It can't be any kind of protection because this is the sample program from the tutorial.

Cheers,

-tjm

tjm2k
February 28th, 2004, 19:32
Never mind, found some instructions to go on...

but I would like to know if the null behaviour is the same for everyone.

tjm2k
February 28th, 2004, 19:50
In the interest of future newbies...

To get around the null structure:
break at 439018, record the job structure address,
then go to the instruction right after 439019 (43901F):
g 43901F
Now you can examine the job structure recorded previously, and it will be populated with values.

I got a different XOR value than Blender

Cheers,

-tjm

P.S. Thanks to all for putting up with my annoying questions.

tjm2k
March 1st, 2004, 13:46
Hi all,

Trying to follow Nolan Blender's Zendenc tutorial for my target app...

I understand the logic which gives him 439019 as the break address. However, I am not sure what to do in my target.

I have located the lm_new() and l_sg() routines.
However, I am not sure how to find the pointer to the decoding routine. Here is a code snippet.

.text:00403CB2 loc_403CB2:
.text:00403CB2 cmp dword_F2FD90, 1
.text:00403CB9 jl short loc_403CC2
.text:00403CBB xor eax, eax
.text:00403CBD jmp locret_40C6EB
.text:00403CC2 ; -------------------------------------------------------
.text:00403CC2
.text:00403CC2 loc_403CC2:
.text:00403CC2 push offset sub_40C6ED
.text:00403CC7 call sub_7BF0D4


The lm_new() routine is sub_40C6ED. I am thinking the address of the decoding routine is pushed onto the stack at 403CC2. But I really am not sure.
If I'm right, is the next step to break at 403CC2 and see what is on top of the stack after the call to sub_40C6ED (lm_new), then set a breakpoint at that address?
That seems to me to be equivalent to dword_49E5EC in Mr. Blender's tutorial.

Any help is much appreciated

Cheers,

-tjm

JMI
March 1st, 2004, 14:03
tjm2k:

You don't need to start a new thread when you have another question about the subject you have already started. Your new question belongs here, so I've merged the threads.

Regards,