Need Help with "access violation...."


zambuka42
May 2nd, 2004, 17:47
Hi, there is a program that I've cracked.. and it worked great. However, there is one line of code which is giving an "Exception: access violation (0xc0000005), Address: 0x004374a6" error. This is not a BIG problem, because I can jump over this address. However, by jumping over this address, I cause a certain line of text in the program to disappear. Like I said, not a huge problem, but I'd love to understand why this is happening.

This address is a line in a small loop.. I'll paste that here.. Any help is appreciated. Even if it's "can't help.. but here's some info for your brain..."

*ps : This file cannot be loaded into a debugger... Don't ask why.. long explanation... but take my word please

:0043727B E89C050000 call 0043781C            ; returns a pointer in eax
:00437280 66F745FC1008 test [ebp-04], 0810
:00437286 59 pop ecx
:00437287 8BC8 mov ecx, eax                    ; ecx = returned pointer
:00437289 894DF8 mov dword ptr [ebp-08], ecx
:0043728C 0F84FE010000 je 00437490

:00437490 85C9 test ecx, ecx                   ; NULL check only; a non-NULL but unmapped pointer passes
:00437492 7509 jne 0043749D

:0043749D 8BC1 mov eax, ecx                    ; eax = pointer to scan

:0043749F 8BD6 mov edx, esi                    ; edx = bytes left to examine
:004374A1 4E dec esi
:004374A2 85D2 test edx, edx
:004374A4 7408 je 004374AE                     ; count exhausted -> leave loop
:004374A6 803800 cmp byte ptr [eax], 00        ; first read through eax: faults if eax is unmapped
:004374A9 7403 je 004374AE                     ; zero byte found -> leave loop
:004374AB 40 inc eax                           ; next byte
:004374AC EBF1 jmp 0043749f
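
The loop from 0043749F to 004374AC is a bounded scan for a zero byte: at most esi bytes are examined through eax, and the faulting cmp at 004374A6 is the first instruction that reads through that pointer, so the test ecx,ecx at 00437490 only rules out a NULL pointer, not a non-NULL one that is unmapped. The C below is an added model of that loop (not code from the thread or the program), run on constructed buffers to show both exit conditions.

```c
#include <stddef.h>
#include <stdio.h>
/* Model of the loop at 0043749F..004374AC (added example, not the program's
 * own code). On entry eax = p, the pointer returned by the call at 0043727B,
 * and esi = n, the maximum number of bytes to examine. */
typedef enum { EXIT_COUNT, EXIT_NUL } scan_exit;
typedef struct {
    size_t stepped;   /* final eax - initial eax */
    scan_exit why;    /* which branch left the loop */
} scan_result;

scan_result bounded_scan(const unsigned char *p, int n)
{
    scan_result r = { 0, EXIT_COUNT };
    for (;;) {
        int edx = n;                /* mov edx, esi */
        n--;                        /* dec esi */
        if (edx == 0) {             /* test edx, edx ; je 004374AE */
            r.why = EXIT_COUNT;     /* count exhausted, p was never read */
            break;
        }
        /* cmp byte ptr [eax], 00 is the only memory read in the loop: with a
         * NULL or unmapped p the access violation is raised here, and nothing
         * before it validates the pointer beyond test ecx,ecx at 00437490. */
        if (*p == 0) {              /* je 004374AE */
            r.why = EXIT_NUL;
            break;
        }
        p++;                        /* inc eax ; jmp 0043749F */
        r.stepped++;
    }
    return r;
}

int main(void)
{
    /* constructed sample inputs */
    const unsigned char text[] = "license ok";          /* zero byte after 10 bytes */
    const unsigned char raw[] = { 'a', 'b', 'c', 'd' };   /* no terminator at all */
    scan_result r;
    r = bounded_scan(text, 64);   /* zero byte found after 10 bytes */
    printf("text: stepped=%zu exit=%s\n", r.stepped, r.why == EXIT_NUL ? "NUL" : "COUNT");
    r = bounded_scan(raw, 4);     /* count runs out first: 4 bytes, never reads past raw */
    printf("raw:  stepped=%zu exit=%s\n", r.stepped, r.why == EXIT_NUL ? "NUL" : "COUNT");
    r = bounded_scan(NULL, 0);    /* n == 0 leaves the loop before any read */
    printf("null: stepped=%zu exit=%s\n", r.stepped, r.why == EXIT_NUL ? "NUL" : "COUNT");
    return 0;
}
```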

Alorent
May 3rd, 2004, 01:41
Hi,

Well, it looks like EAX points to a wrong (or not mapped) address. Why don't you check the value of EAX at that address in the original program and then check it in your cracked version?

After that, just "trace back" to see what makes your cracked version different from the original version.

If you cannot load it under a debugger...I think that most of us are interested in hearing why not. We are here to learn

zambuka42
May 3rd, 2004, 10:00
Quote:
[Originally Posted by Alorent]
If you cannot load it under a debugger...I think that most of us are interested in hearing why not. We are here to learn



Rightly so.. here goes.. Hopefully there is something obvious that I (being somewhat of a newbie at cracking) have looked over..

This file is an nt/2k service. It can be started from the command line by typing: "app.exe -start". and stopped by "app.exe -stop". I've loaded it into ollydebug, w32dasm, & turbo debug. Every time I start it in any of these, everything loads to the entry point fine.. but when I set my breakpoints and try to run it.. the debuggers think the file has terminated... even though it remains running in memory. Maybe there is a way to do it in softice.. but I'm not a pro at that yet either. I can't single-step through the debugger from the entry point to find out WHY it thinks the program is terminated because frankly.. there's just TOO much damn code to go through before that point.

Anyway.. maybe something good will come from this. I appreciate it all -b

Alorent
May 3rd, 2004, 11:00
I see...

Well, in case you cannot load it in SoftICE or your SICE breakpoints don't pop up (the common XP problem with breakpoints...) you could change the instruction at 0x004374a6 to an INT 3 (0CCh) in your hex editor. Make BPINT3 in Sice and start the service.

When SICE pops up, you change the INT 3 back to the original instruction and watch EAX....The same procedure in your cracked version and compare.

Well, this is just the procedure that I would follow at your current stage.

Good luck.

naides
May 3rd, 2004, 11:04
Quote:
[Originally Posted by zambuka42]Rightly so.. here goes.. Hopefully there is something obvious that I (being somewhat of a newbie at cracking) have looked over..

This file is an nt/2k service. It can be started from the command line by typing: "app.exe -start". and stopped by "app.exe -stop". I've loaded it into ollydebug, w32dasm, & turbo debug. Every time I start it in any of these, everything loads to the entry point fine.. but when I set my breakpoints and try to run it.. the debuggers think the file has terminated... even though it remains running in memory. Maybe there is a way to do it in softice.. but I'm not a pro at that yet either. I can't single-step through the debugger from the entry point to find out WHY it thinks the program is terminated because frankly.. there's just TOO much damn code to go through before that point.

Anyway.. maybe something good will come from this. I appreciate it all -b



If it is a service, it runs in Ring 0 and those debuggers will not be able to follow it there. SoftIce should. Try to load it using the Sice symbol loader application, which should work, unless the service does not have a winmain call at the entrypoint.

Otherwise you can find the service process running in memory using the Proc command in Sice, change the address context using the :addr The_process_name_or_process_id command, set your breakpoints there and debug. . .

zambuka42
May 3rd, 2004, 11:05
Quote:
[Originally Posted by Alorent]I see...

Well, in case you cannot load it in SoftICE or your SICE breakpoints don't pop up (the common XP problem with breakpoints...) you could change the instruction at 0x004374a6 to an INT 3 (0CCh) in your hex editor. Make BPINT3 in Sice and start the service.

When SICE pops up, you change the INT 3 back to the original instruction and watch EAX....The same procedure in your cracked version and compare.

Well, this is just the procedure that I would follow at your current stage.

Good luck.


First let me express again my appreciation at your taking the time to help me with this. Cracking this program is not nearly as important to me as knowledge.

Ok. that said. I will change that instruction to int3. Now.. how do I load it into softice? I thought softice just simply runs and you can't have it watch one specific file? Or are you saying, that by "bp int3", softice will break when ANY program hits an INT3 and hopefully it will only be my program that does that? Second, (as you can tell I haven't done much with sice).. how do I change an instruction WHILE it's running and loaded with sice (I know, I know.. read the docs... I will.. but if it's a quick instruction you could give me, then please forgive my laziness). Anyway.. thanks again

zambuka42
May 3rd, 2004, 11:13
Quote:
[Originally Posted by naides]change the address context using the :addr The_process_name_or_process_id command and set your breakpoints there.
and debug. . .



Ring 0 huh? Good to know.. I'll have to learn a bit more about these rings..

Onwards.. apparently there is no winmain because the symbol loader isn't happy with the file so I'll try your other way...

I'm afraid I'm unfamiliar with addr.. (truthfully I'm really only familiar with breaking on api calls... and then using that info to help me with a disassembler). I'll have to look up what addr is and how I will be able to use it. thanks for the info

naides
May 3rd, 2004, 16:18
Quote:
[Originally Posted by zambuka42]Ring 0 huh? Good to know.. I'll have to learn a bit more about these rings..

Onwards.. apparently there is no winmain because the symbol loader isn't happy with the file so I'll try your other way...

I'm afraid I'm unfamiliar with addr.. (truthfully I'm really only familiar with breaking on api calls... and then using that info to help me with a disassembler). I'll have to look up what addr is and how I will be able to use it. thanks for the info


This is what I would do:

type in Sice:

proc

you will see a list of processes, and your service should show up there, with a process ID (three hex digits) and a process name, which may or may not be the name of the file.

if you type in Sice MAP32 process_name

you will see the addresses in which your process is loaded

if you type

ADDR process_name

now you are sitting in your service memory space. Look at the lower right corner of Sice and you will see your process name there

once there you can search for the BYTES of the routine you want to trace, be it
:0043727B E89C050000 call 0043781C
:00437280 66F745FC1008 test [ebp-04], 0810
:00437286 59 pop ecx
:00437287 8BC8 mov ecx, eax
:00437289 894DF8 mov dword ptr [ebp-08], ecx
:0043728C 0F84FE010000 je 00437490

:00437490 85C9 test ecx, ecx
:00437492 7509 jne 0043749D

:0043749D 8BC1 mov eax, ecx

so

S 0 L ffffffff E8 9C 05 00 00 66 F7 45 FC 10 08

the DATA window should show the code at some address in hex form

you can then put it on the code window by typing

u 1B:xxxxxxxx (whatever address the code seems to be at) and now you should see in Sice a disassembly of your code similar to the above, but live and direct!!!

place a BPX where you want it and provoke the code to run through your routine. Sice should break

Debug and enjoy.

zambuka42
May 3rd, 2004, 17:13
Quote:
[Originally Posted by naides]Debug and enjoy.


good god man.. I want to reach through this cable and give you a big smacker on the lips! I've really been enjoying this "using softice" pdf.. NOT. I was contented enough with your previous answer, and I was now trying to find time to do the research I needed to learn more about softice (which I still need to do), but you've gone above and beyond and I really appreciate it. For the first time in years I am excited about learning this new depth to software. I've been capable of doing almost anything I've ever wanted to in the cyber world, and this avenue is just another tool (knowledge) that trumps most of the ones I've used before. Thanks a lot for your help! -b

JMI
May 3rd, 2004, 18:06
Hum?? Going to have to check the rules about "reaching through the cable and giving..big smack on the lips." Might not be approved for all viewers.

But we are happy you're happy. Just a thought. You might actually want to check some sections of the manual for the operation of SICE. I know. It is a shocking concept to actually READ the manual, but give it a try. You might actually like it.

Regards,

zambuka42
May 3rd, 2004, 18:09
Quote:
[Originally Posted by JMI] It is a shocking concept to actually READ the manual, but give it a try. You might actually like it.

Regards,


absolutely, I didn't want to give the impression I would use your kindness as a replacement for my laziness.. I'll have sice down pat in a few days. thanks again. laterz -b

naides
May 4th, 2004, 11:57
Quote:
[Originally Posted by zambuka42]good god man.. I want to reach through this cable and give you a big smacker on the lips! -b


Thank you for the offer, Handsome, but I am old enough to be your mother.

JMI
May 4th, 2004, 12:22
I seriously doubt that there is anyone using these forums who is old enough to be one of my parents. But it would be interesting to talk to an octogenarian cracker.

Regards,

zambuka42
May 4th, 2004, 18:13
Quote:
[Originally Posted by naides]Thank you for the offer, Handsome, but I am old enough to be your mother.


oh well.. that doesn't bother me.. anyway, thanks again... I've started to navigate sice MUCH better than before.. and even though I'm having to go through TONS of code, this is helping. This program is CONSTANTLY doing something. It never rests, which makes it much harder for me to debug. anyway, thanks. toodles. And don't get discouraged, feel free to take me up on my offer! -b

dELTA
May 5th, 2004, 14:48
Quote:
If it is a service, it runs in Ring 0 and those debuggers will not be able to follow it there.

Actually, not all services run in ring 0; only the driver kind of services do.

There are some common problems with debugging services like this though:

1.
The services most likely execute in the LocalSystem context, which makes it prohibited for normal user applications to directly attach to them with a ring 3 debugger, at least without tinkering with the process privileges.

2.
When the service is started as described above, by directly calling the executable on the command-line with a special argument, what the application will most likely do is to register itself as a service in the operating system, and then start this service through the normal service control APIs as a second process, and then exit. This would be consistent with the description above that the debugger "thinks" that the application terminated. It actually most likely did, but started a second service process instance of itself instead.

zambuka42
May 5th, 2004, 15:54
Quote:
[Originally Posted by dELTA] what the application will most likely do is to register itself as a service in the operating system, and then start this service through the normal service control APIs as a second process, and then exit.



Yeah, this had occurred to me.. I was hoping it wasn't, because I don't know how to have a debugger "jump" over rather than attaching to a currently running process. anyway, I'm making some headway... thanks. -b

dELTA
May 5th, 2004, 17:53
In the worst case, you can always patch in a spinning jump at the executable entrypoint in situations like that, and then take your good time to attach the debugger to the process, then restore it and continue.