Softice 4.3 Breakpoints Not Working


Medic
July 23rd, 2004, 16:33
Hi,

Am trying to discover the install password on an exe prog.
Have looked at Import functions using WDasm and found that it called MessageBoxA.

Set a breakpoint in Softice BPX MessageBoxA and gone back to installer. Click OK after entering password but Softice doesn't pop up?

Have tried HWND but Softice reports "Unable to find Desktop Window"

I've read that there are problems with breakpoints on this version of Softice..
Any suggestions really appreciated.

Thanks,

Medic

Operating Sys: Win XP SP1
Cracking Tools: W32DASM, Softice v4.3 (Full Driver Suite v3 installed)
Program: <program name removed>

ZaiRoN
July 23rd, 2004, 16:42
Hi.
Take a look at this incredible guide: how to start!!! (http://www.woodmann.net/fravia/rce-faq.htm)

Good luck,
ZaiRoN

Medic
July 24th, 2004, 03:33
Hi ZaiRoN,

I had read lots of other posts about breakpoints and XP on this forum and had read the instructions on posting (sorry for posting the prog link).

Volodya's advice about setting BreakInSharedMods on is not recognised by the current version of SI, and I followed nikolatesla20's advice on setting NTSYMBOLS=ON but that doesn't help.

I tried updating the symbols for ntoskrnl.exe thinking that might be it but the System Retriever does not connect to the Microsoft server (think this is a Numega bug). I can't find a copy of ntoskrnl.pdb to use symbol loader either.

Finally I followed advice on Numega's help about updating osinfo.dat (they have an FTP download especially for XP SP1) but this stops SI loading at all..

The last prog I cracked was on 2000 SI v3 and everything used to just work but I can't even start without BPs working.

If I type U MessageBoxA, code appears, which makes me think SI can see it, and I've tried ADDR [progname] before setting the BP but that doesn't work either.

Thanks again for your help, if anyone can add to other things I could try I'd really appreciate it.

Medic.

ZaiRoN
July 24th, 2004, 05:35
Hi.

With DS v3, to set a breakpoint over MessageBoxA (or any other function) you have to be in the process context. The simple way is to use softice symbol loader; try to run the program from the loader and when it breaks over the entry point, put your bpx.

Quote:
Have tried HWND but Softice reports "Unable to find Desktop Window"
Use the command PROC; proc command without parameters shows information about all processes that are running in the system. For every process you will see some fields, you need the first one: the process name that you will use as a parameter of another command: hwnd.
Type 'hwnd process_name' and you should be able to see all the information you need.

Good luck,
ZaiRoN

Medic
July 25th, 2004, 18:13
Hi ZaiRoN,

Thanks for the last tips! It really helped.
Turns out that Softice WAS working correctly and the symbols were a red herring too!

Couldn't see the point of using PROC as I already knew the exe name and was just setting ADDR [exe name] and setting BPXs on everything WDASM said the exe was calling.. This resulted in no response from SI, a bit of head scratching and then I used PROC and saw a strange proc name. The format was is-Txxxx and it changed each time I ran the exe. So I set my ADDR context to is-T0HKJ and bingo, bpx messageboxa worked every time.

But once in SI the code did a JNZ (not taken) before a direct call to the wrong serial window.... Tried patching the JNZ but still end up at the wrong serial window...

is-Txxx is a .tmp file that seems to contain the original exe code and some extra bits copied from user32.dll.
Had a search about the forum for ideas of what this might be called and found volodya having similar behaviour with InstallShield MSI files. This is just a crappy little exe prog and I can't believe that they went to much trouble to protect it....?

Any suggestions on how to proceed??

Thanks a lot,

Medic