Previous Solution didn't work
revoltX
October 25th, 2005, 07:49
Hi folks,
the previous solution on SoftICE didn't work. I'm using DriverStudio, but when I simply do a bpx getdlgitemtexta SI doesn't break. Any new solutions?
regards revoltX
ZaiRoN
October 25th, 2005, 08:07
Which is the previous solution?
revoltX
October 25th, 2005, 08:24
http://woodmann.net/forum/showthread.php?t=7291
the one about softice under xp
Polaris
October 25th, 2005, 08:25
JMI
October 25th, 2005, 08:29
I think the only reasonable thing would be for revoltX to commit seppuku for writing such an awful and uninformative question.
Regards,
naides
October 25th, 2005, 08:44
possible solution:
Start by installing ollydbg.
run your app under it and put a bp in getdlgitemtexta,
see if olly breaks. . .
revoltX
October 25th, 2005, 11:32
thx naides for the only valuable post
I already tried with Olly, which worked! So, I thought in this forum one might be allowed to ask a question, even though it's the first post.
Didn't know one has to post more than one threat to be allowed to ask why a solution given by another member (which is definitely valuable!) doesn't work!
Thx again naides

disavowed
October 25th, 2005, 11:44
Quote:
[Originally Posted by revoltX]Didn't know one has to post more than one threat to be allowed to ask why a solution given by another member (which is definitely valuable!) doesn't work! |
It is clearly stated in the FAQ in section 10, line 3: "One has to post more than one threat to be allowed to ask why a solution given by another member doesn't work." In the future, please read the FAQ before posting.
SiGiNT
October 25th, 2005, 15:51
GEEZ - this thread is more fun than my hard-drive crash last friday.
SiGiNT
(Explains why I haven't been littering the board with useless trivia!)
naides
October 25th, 2005, 16:51
Question 2:
If Olly works, why do you need SoftIce version 4.32?
I know SIce does more than Olly, but why do it with Ice if Olly will do? I do think it does, do you?

WaxfordSqueers
October 25th, 2005, 18:01
Quote:
[Originally Posted by revoltX]thx naides for the only valuable post
I already tried with Olly, which worked! So, I thought in this forum one might be allowed to ask a question, even though it's the first post. |
somewhere in the FAQ, in really small type, it also says you have to have a good sense of humour and a thick skin.
Can you expand on what you were doing with getdlgitemtexta? Did you set the bpx from within the app you are debugging and is user32.dll loaded as an export? For example, if you type 'exp getdlgitemtexta' at the prompt in softice, does it return an address in user32? If not, then the export is not loaded.
Also, is your app maybe using SEH tricks to unhook your BPX before getdlgitemtext is called? Since softice is the big kahuna of debuggers, it's quite possible your app is aimed at defeating ice and hasn't bothered with Ollydebug.
I had that problem while debugging an Asprotected app. There was a minefield of SEH's that had to be manually negotiated before I could set my BPX's. If it's the case that your app has targeted Ice and not Olly, then it might be smarter to use Olly in that case. But you'll learn a hell of a lot more trying to negotiate the SEH's.
My approach, which is somewhat kamikaze, is to single step into an app from the code entry point. Sometimes I even start in the OS before it loads my app. That way, you get an idea of where the problems start and how the protection is implemented. Of course, my modus operandi is excitement and defeating protections. If you just want to fish a serial, that might not interest you.
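The "exp getdlgitemtexta" check WaxfordSqueers describes asks one question: does the loaded user32 actually export that name? The same question can be answered offline by walking the PE export directory. The following is an added example, not code from the thread or from any of the tools it mentions: it builds a small constructed PE32 image (hypothetical `build_sample_dll`, not a real user32.dll) with an export table, and `pe_exports` parses it the way a loader would (DOS header, PE signature, optional header data directory, section table for RVA-to-offset mapping, then the name/ordinal/address arrays). Forwarded exports, whose address points back into the export directory as a "DLL.Func" string, are reported as such. The function names and the sample image are assumptions of this example.

```python
import struct

# Constructed sample: the export names are the ones the thread talks about,
# but the image is built here and is NOT user32.dll.
SAMPLE_EXPORTS = ["GetDlgItemTextA", "GetWindowTextA"]


def build_sample_dll(names, dll_name=b"CONSTRUCTED.dll"):
    """Build a minimal PE32 file image whose only section holds an export directory."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(names)
    off_funcs = 40                      # IMAGE_EXPORT_DIRECTORY is 40 bytes
    off_names = off_funcs + 4 * n
    off_ords = off_names + 4 * n
    off_strs = off_ords + 2 * n
    strings = dll_name + b"\x00"
    name_rvas = []
    for nm in names:
        name_rvas.append(sec_rva + off_strs + len(strings))
        strings += nm.encode("ascii") + b"\x00"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0,
                       sec_rva + off_strs,                # Name: RVA of the DLL name
                       1, n, n,                           # Base, NumberOfFunctions, NumberOfNames
                       sec_rva + off_funcs, sec_rva + off_names, sec_rva + off_ords)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)                 # AddressOfNames
    body += b"".join(struct.pack("<H", i) for i in range(n))                  # AddressOfNameOrdinals
    body += strings
    exp_size = len(body)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                     # e_lfanew -> 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\x00")                        # PE32 magic, pad to DataDirectory
    opt = (opt + struct.pack("<II", sec_rva, exp_size)).ljust(0xE0, b"\x00")  # DataDirectory[0] = export
    sec = b".edata\x00\x00" + struct.pack("<IIII", 0x200, sec_rva, 0x200, sec_raw) + b"\x00" * 16
    return (dos + coff + opt + sec).ljust(sec_raw, b"\x00") + body.ljust(0x200, b"\x00")


def _u16(d, o): return struct.unpack_from("<H", d, o)[0]
def _u32(d, o): return struct.unpack_from("<I", d, o)[0]
def _cstr(d, o): return d[o:d.index(b"\x00", o)].decode("ascii")


def pe_exports(data):
    """Return {export_name: rva} (or '-> Dll.Func' for forwarders) from a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    nsec, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    opt = pe + 24
    magic = _u16(data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dd = opt + (96 if magic == 0x10B else 112)        # DataDirectory starts here (PE32 / PE32+)
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)
    if exp_rva == 0:
        return {}                                     # image exports nothing
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))

    def off(rva):                                     # RVA -> file offset via the section table
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} maps to no section")

    e = off(exp_rva)
    nnames, aof, aon, aoo = struct.unpack_from("<IIII", data, e + 24)
    out = {}
    for i in range(nnames):
        name = _cstr(data, off(_u32(data, off(aon) + 4 * i)))
        ordinal = _u16(data, off(aoo) + 2 * i)        # index into AddressOfFunctions
        target = _u32(data, off(aof) + 4 * ordinal)
        if exp_rva <= target < exp_rva + exp_size:    # forwarder: RVA lands inside the export directory
            out[name] = "-> " + _cstr(data, off(target))
        else:
            out[name] = target
    return out


def has_export(data, name):
    return name in pe_exports(data)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll(SAMPLE_EXPORTS)
    for name, target in sorted(pe_exports(data).items()):
        print(f"{name:32} {target if isinstance(target, str) else f'{target:#010x}'}")
```

Run without arguments it parses the constructed image; given a path it lists the exports of a real DLL. If the name you intend to break on is absent from that list, or appears as a forwarder to another DLL, a breakpoint on it in this module will never fire, which is the situation the thread is poking at.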
WaxfordSqueers
October 25th, 2005, 18:04
Quote:
[Originally Posted by naides]possible solution:
Start by installing ollydbg.
run your app under it and put a bp in getdlgitemtexta,
see if olly breaks. . . |
Could you guys in the softice-challenged, Ollydebug peanut gallery please keep it down. There are some serious reversers (aka softice users) here trying to concentrate.

Kayaker
October 25th, 2005, 18:58
Quote:
[Originally Posted by WaxfordSqueers]Could you guys in the softice-challenged, Ollydebug peanut gallery please keep it down. There are some serious reversers (aka softice users) here trying to concentrate.  |
LMAO

Ricardo Narvaja
October 25th, 2005, 20:18
Softice user= serious reverser hmmmmmm
serious reversers use any tool, and make the work with the existent possibilities in each moment; serious reversers don't work with one only program and one only machine and one only possibility, life has infinite possibilities and serious reversers try ALL.
Ricardo Narvaja
PS: I go to an internet shop with machines (not mine) and try installing and cracking with softice, hmm if you never use olly you are not listening for this circumstance of cracking on another machine than yours (remember with only a diskette you have olly with you in every computer of the world you can use)
I'm tired of the ugly discussion, geniuses with softice, newbies with OLLY; good work can be made in any tool, the tool is not important, the brain is important, use it please and stop with this.
And I don't see good tutorials with softice since a long time ago (the geniuses are sleeping?)
WaxfordSqueers
October 25th, 2005, 20:32
Quote:
[Originally Posted by Ricardo Narvaja]Softice user= serious reverser hmmmmmm
serious reversers use any tool, and make the work with the existent possibilities in each moment; serious reversers don't work with one only program and one only machine and one only possibility, life has infinite possibilities and serious reversers try ALL. |
you need to develop a sense of humour, Ricardo, you're way too tense.
We have a term in English called "talking with tongue in cheek". Maybe it doesn't translate to other languages and cultures. I really couldn't give a rat's ass what anyone uses for reversing. I usually use a dead-listing first from IDA then apply it to a hex editor if it's obvious. Of course, with all the packed apps out there I have to unpack them first.

Kayaker
October 25th, 2005, 20:45
Hey Ricardo,
It's not that at all. You are very correct, a good reverser uses all the tools at his disposal for what is needed, and every good reverser is fully aware of that. Quite simply, Softice is 'necessary' for ring0 debugging, and OllyDbg is 'excellent' for ring3. No one here is judging the abilities of those who use either, each has its purpose.
There is no ugliness here in joking about the debugger you prefer, it is, or should be, good natured fun, like cheering for your own sports team.
Regards,
Kayaker
disavowed
October 26th, 2005, 01:43
Quote:
[Originally Posted by Kayaker]Softice is 'necessary' for ring0 debugging, and OllyDbg is 'excellent' for ring3. |
... as long as we can all agree that gdb sucks

Polaris
October 26th, 2005, 04:19
Ricardo Narvaja
October 26th, 2005, 04:47
I speak Spanish, and the touches of sense of humor I only understand in Spanish; I barely speak enough English to understand the difference between more commentary SOFTICE vs OLLY (I have had very plenty of this crap) or an irony, sorry
Ricardo
M4yH3M3d
October 26th, 2005, 08:14
Woohoo and I thought watching ultimate fighting was entertaining but, I have been thoroughly(<-still waking up from my crakin session yesterday) entertained the last 20 mins reading this thread. I think the people who get SI to work correctly for them know For a Fact it is a much better tool than even IDA let alone OllyDbg. SI also has its own debugger so you don't really need to use the others (not to say that I don't because I still like to - my t's and ' my (.) (.)'s) which saves on the resource drain and possible meltdown of using SI.
I guess I should read the FAQs to make sure when I have a question I am not trying to pull Excalibur out of the stone without having the right to see if I can.
Anyway this is an old argument; I can tell you from experience that I find it easier to work with as few tools as possible because I don't want to have to worry about locking up and losing all my info because I didn't have enough resources left to finish the job. So I would say 80% of the stuff I do I use SI exclusively and the other tools randomly but I am not as advanced and have never really tried to crack a commercial software (well I did but there was a tut on it so that really doesn't count). I stick more or less to modifying game code and breaking into other people's work so I don't have to use their mod or pay them for violating a EULA. If Compuware actually supported the product I would more than likely buy it but I seem to get most of my technical support from sites like this so they aren't getting my $$.
SiGiNT
October 26th, 2005, 09:46
Quote:
[Originally Posted by Kayaker]
You are very correct a good reverser uses all the tools at his disposal for what is needed
Kayaker |
This I can agree with! I got flamed on another forum for using VBReformer (a "kiddie script") instead of wading through wd32asm's interpretation of a VB6 app. I'll use anything that makes my job easier!
SiGiNT
Polaris
October 26th, 2005, 09:56
Quote:
[Originally Posted by sigint33]This I can agree with! I got flamed on another forum for using VBReformer (a "kiddie script") instead of wading through wd32asm's interpretation of a VB6 app. I'll use anything that makes my job easier!
SiGiNT |
Ehmmm... Why did you get flamed? To me, it seems a very good approach...

laola
October 26th, 2005, 10:35
Quote:
[Originally Posted by revoltX]Didn't know one has to post more than one threat to be allowed to ask why a solution given by another member (which is definitely valuable!) doesn't work! |
Posting threats will get you exactly nowhere. Go to George "Dubbelj00" (and his) Bush(whackers) for such. You may want to try creating constructive threads as an alternative, though, and you may receive helpful suggestions here.
M4yH3M3d
October 26th, 2005, 10:42
Quote:
[Originally Posted by sigint33]This I can agree with! I got flamed on another forum for using VBReformer (a "kiddie script") instead of wading through wd32asm's interpretation of a VB6 app. I'll use anything that makes my job easier!
SiGiNT |
Anyone that flames another person for trying to save time during the reversing process must either be well off financially or a glutton for punishment. I look at this stuff as a challenge but parts of it have to be fun or it just isn't worth it. I could understand doing things the long way a few times to understand the "why" but after you know the "why" by all means use whatever saves you time and mental anguish. When I take on a task of this nature I always ask myself "Is it worth the effort to find out?" If certain tools did not exist to make this process easier I know there wouldn't be a "yes" after the above question too often.
laola
October 26th, 2005, 10:43
Quote:
[Originally Posted by M4yH3M3d]my t's and ' my (.) (.)'s |
Wow, you got b00bs?
SCNR

laola
October 26th, 2005, 10:48
Quote:
[Originally Posted by sigint33]I got flamed on another forum for using VBReformer (a "kiddie script") instead of wading through wd32asm's interpretation of a VB6 app. |
Please tell me the name of the board so I can add it to my URL filter.
I can't believe it... Evangelists all around. Promoting the one-and-only holy grail of reversing or whatever. *sigh*
Your attitude ("I'll use anything that makes my job easier") is very much seconded here.

M4yH3M3d
October 26th, 2005, 11:16
Quote:
[Originally Posted by laola]Wow, you got b00bs? |
(@).(@) that better?

They were supposed to be eyes.

I guess I should have just typed it out but I was being lazy and cute and no I don't have boobs nor man breasts.
WaxfordSqueers
October 26th, 2005, 18:23
Quote:
[Originally Posted by Ricardo Narvaja]I speak Spanish, and the touches of sense of humor I only understand in Spanish; I barely speak enough English to understand the difference between more commentary SOFTICE vs OLLY (I have had very plenty of this crap) or an irony, sorry Ricardo |
Don't worry brother, I thought something was lost in the translation. When we reverse, we all speak the same language...Assembler...or Machine language.
Using the translator at: h**p://w*w.worldlingo.com/wl/translate, that would be:
No se preocupe a hermano, Pensé que algo fue perdido en la traducción. Cuando invertimos, todos hablamos la misma lengua...Ensamblador...o terminología de la informática.
Let me know how it translated.

WaxfordSqueers
October 26th, 2005, 18:35
Quote:
[Originally Posted by sigint33]This I can agree with! I got flamed on another forum for using VBReformer (a "kiddie script" instead of wading through wd32asm's interperatation of a VB6 app. I'll use anything that makes my job easier!
SiGiNT |
don't forget good old Smartcheck for VB apps. In case you don't know, it's the counterpart of Boundschecker, built by NuMega especially for VB apps. I used it once to very effectively locate and decipher code being used in a mathematical algorithm in a VB app.
WaxfordSqueers
October 26th, 2005, 18:38
Quote:
[Originally Posted by M4yH3M3d]I guess I should read the Faq's to make sure when I have a question I am not trying to pull excaliber out of the stone without having the right to see if I can. |
I didn't know Excalibur was stoned.

Kayaker
October 27th, 2005, 01:21
Quote:
When we reverse, we all speak the same language...Assembler...or Machine language |
Oh Yeah? Well,
real reversers code in hex, leetos in binary, and base calculators are for sissies. There, I said it! ;-)
WaxfordSqueers
October 27th, 2005, 03:46
Quote:
[Originally Posted by Kayaker]Oh Yeah? Well, real reversers code in hex, leetos in binary, and base calculators are for sissies. There, I said it! ;-) |
I think we are in agreement. What I meant by assembler is the hex opcodes we run into while reversing. Most of the programming in assembler today seems to be in macro assembler, but I'm talking about the low level stuff after it's compiled. I've done a few jobs on the 8080, 8085, Z80 and Motorola 6800/68000 series. You load all those with opcode (hex) through a programming interface. I even remember starting out with a machine-coded computer where you entered everything in binary.
Of course, there's nothing like talking to a processor in its native language...+/- 5 volts. Just hang a 10K resistor from the positive rail through a switch to ground, with the bottom end of the 10K feeding the pins of the processor. Processors really identify with people who can nurture them like that. It's like talking to your plants as you water/feed them. With all the rails down to about 3 volts now, you may have to adjust your resistance.
I was following an article once, about converting a PII mobo with a 300 MHz proc to a PIII Tualatin running at about 1.3 gig. You had to get right onto the processor and solder wires to the pins, with really fine wire, leaving the wire under the processor when you remounted it. If these guys start getting too silly with their protections, we may have to go back to that....intercepting the signals as they run down the bus.
What's a base calculator??? doesn't everyone add, subtract, multiply and divide in base 16 on a piece of paper with a dull pencil???
SiGiNT
October 27th, 2005, 14:35
Belated reply to all those who commented on my being flamed for using a "kiddie script" - in all fairness it was in a newbie section of the board and several people were walking the noob through reversing the VB6 app with w32dsm - now in my view w32dsm does a damn good job of trying to represent what the VB app is doing but it's kind of like unscrewing a Torx screw with a phillips head screwdriver - the tool is inherently incompatible - but it certainly does a better job than IDA. Smartcheck is great for fishing but as for following the program execution I either haven't mastered it or it simply won't do the job. I mentioned using a shortcut which was out of line with the nature of the educational process that was ongoing.
Still struggling with that hard drive crash so I'll be here only intermittently for a day or 2. I've discovered some interesting things about Flexnet that need to be shared.
SiGiNT
WaxfordSqueers
October 27th, 2005, 20:46
Quote:
[Originally Posted by sigint33]----snip----now in my view w32dsm does a damn good job of trying to represent what the VB app is doing ---snip---- but it certainly does a better job than IDA, Smartcheck is great for fishing SiGiNT |
A VB app has to call into a library like msvbvm60.dll, which can be fully disassembled by IDA. Using Smartcheck, you can get pointers to where it's calling in. You get a sequential display of what the app is doing. What more could you ask for? Also, Smartcheck will put names to the functions VB is calling, and you can trace strings. If you use softice, you'll be in the library code a lot of the time anyway, which you can reference to IDA.
I used Smartcheck once to unravel a protection in a VB app which used the math co-processor heavily. I was able to get a visual in Smartcheck of what was happening and it saved a lot of time. It gave up mathematical computations. So, it's not merely a fishing tool.
The trick with Smartcheck is setting it up properly. Same with Boundschecker. You can't take either out of the box and expect them to yield a lot of info. You have to fine tune both of them. Take a look at this page from this forum:
http://www.woodmann.com/crackz/Vb.htm. There are a lot of good tips for reversing VB (aka bloatware).
SiGiNT
October 27th, 2005, 22:42
Thanx for the info, I had a short lived obsession with Smartcheck and VB apps - I should have done a lot more work, ahhhh so little time and so many tools!
SiGiNT
dELTA
October 28th, 2005, 01:37
Quote:
Still struggling with that hard drive crash ... I've discovered some interesting things about Flexnet that need to be shared. |
Would those two events by any chance be related?

(Flexnet reversing involving direct disk sector access and all)
WaxfordSqueers
October 28th, 2005, 01:59
Quote:
[Originally Posted by sigint33]Thanx for the info, I had a short lived obsession with Smartcheck and VB apps - I should have done a lot more work, ahhhh so little time and so many tools! SiGiNT |
tell me about it!! I love reversing and wish I could do it full time. I have been 'going to' learn languages like C++ for a long time as well. But I need to make a living and I have an interest in computerized music. A guy should be able to sign up for another go-around in life, like signing up for another hitch in the army.
dELTA's query to you has sort of tweaked my interest too.
SiGiNT
December 8th, 2005, 17:51
I've been meaning to post what I learned about FlexNet - (FlexLM 10.1) - and no I didn't run into any of the hard drive manipulation that has been observed when using the trial period option. Well I'll try and fill you in and be as non specific as possible, because I'm sure this forum is read daily by our friends on The Other Side.
The two targets I had the pleasure of playing with were straight upgrades from FlexLM 9.x - this has nothing to do with reversing and everything to do with bypassing the protection, 10.1 can be reversed in the traditional, (Nolan, Crackz way), and can run using an earlier server.
here's the good news -
The ECC code is still being used
here's the bad news -
It's not fully implemented
apparently there are a lot more options for the developer.
Target #1 -
I did not work on this from the beginning but started somewhere in the middle, as a friend had already been working on it - this one is a multifeatured implementation - and playing with the ECC did not work - eventually a subroutine that passes for what used to be _l_checkout or _lc_checkout was located, (not identified by IDA even with Flirt sigs), xoring EAX and issuing a retn at the beginning of the subroutine allowed the target to accept a bogus lic. ala the old ECC patch. This subroutine is easily found by searching for a named call in a sub immediately before this sub (physically), not logically - and yes it was identical in both apps. I normally would think that this sort of trick would yield Features that are unstable, but that does not appear to be the case.
Target #2 -
This was a timed, full featured, demo using FlexNet licensing, it had a hard coded time period and only used a temporary license as a back-up. The demo period was easily reversed as it was not hidden very well, the number of days left was added to an arbitrary large number that then was checked against the base number - I simply added instead of subtracted and created a demo that lasts as long as the temp license, (hard coded was 15 days - temp lic was 2 mos.), in this case the method above, in Target #1, did not work - what did work was forcing full implementation of the ECC and using the usual patch, this allowed the lic. date to be rolled forward to whatever you want - I did notice that you no longer have the freedom to mess with things like NOTICE= this apparently is now an important part of the licensing.
How did I force full implementation of the ECC - simple, as it stands the code is first jumped over and called later - I just eliminated the jump.
The ECC code can be found by searching for unique operations preceding it as in version 9.x.
So in short not much new here as far as upgrading from 9.x - 10.x - just a little trickier.
I did defeat the "your clock has been turned back" error in the usual way, simply find all files and folders showing a date later than current and fix them. No hard drive trickery here.
SiGiNT
Aimless
December 9th, 2005, 06:32
I thoroughly enjoyed it!
It's rare to come across such posts that involve such fun. Keep it up guys!
By the way, I think IDA and Softice are all for kiddies....
I personally use debug.exe
Have Phun...