JMI
April 27th, 2001, 14:12
I'm using SoftICE 4.05 on Win98. I'm reversing a program and need to determine where the program is getting a data value which it puts at a particular address. The data is the "expected" CRC, which resides somewhere in the file, encrypted.
Because I've located the routine that uses this data to process for the CRC check to see if the code has been altered, I already know "what" it is and "where" it's stored. What I want is to find out how it got at that address and the routine to decrypt it. I don't really "need" to do this other than it will permit me to look at subsequent versions of the software and have some idea where this information is hidden. Learning for learning's sake.
I started with RTFM and then downloaded several articles on SoftICE breakpoints, but nothing I've tried works.
I found one article that suggested using the "==" sign, so I tried bpm Address==data. The machine froze. I then tried an "if" statement using the "w" command: "bpm address w if (address==data)". This didn't work either. Part of the problem is that this specific address is written to by most of the system calls, and I've already tried stepping through several hundred without reaching the goal.
Anyone who can point me to the correct format would be much appreciated. If it helps, the data is a double-word checksum of the unaltered file, so I also tried "bpmd" with several combinations. It's probably something simple I'm missing. That's part of what being a "newbie" is all about.
It seems that it should be rather trivial to get the d**n thing to stop when a specific value is written to a specific location. Thanx in advance.
All advice gratefully received.
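Added example, not part of JMI's post or of SoftICE: a small Python model of what a value-conditional memory breakpoint does, which is the behaviour the post is after. A plain write breakpoint (bpm) fires on every write that touches the watched range; the conditional version only records a stop when the dword at the watched address equals the expected value after the write. The model also shows a caveat worth knowing: when the value is assembled one byte at a time (as a decrypt loop typically does), a dword-conditioned breakpoint cannot fire until the last byte lands, so the stop reports the final write of the loop, not its first. The addresses, the "file" bytes and the scratch-space writes are constructed for the illustration; the expected CRC is the standard CRC-32 check value of "123456789".

```python
"""Added example: a value-conditional memory watchpoint, modelled in Python.
Not SoftICE code; addresses and data below are constructed."""
import zlib
from dataclasses import dataclass, field


@dataclass
class Watchpoint:
    addr: int                                   # watched address (start of a dword)
    expected: int                               # dword value that should trigger the stop
    hits: list = field(default_factory=list)    # (write_no, pc) for writes where the condition held
    ignored: int = 0                            # writes to the range where the condition was false


class Memory:
    """Flat byte array with write hooks, standing in for the debugger's view of memory."""

    def __init__(self, size: int) -> None:
        self.mem = bytearray(size)
        self.watch = []          # list of Watchpoint
        self.write_no = 0        # running count of writes, like a trace index

    def dword(self, addr: int) -> int:
        # x86 stores dwords little-endian, so the comparison must read them that way
        return int.from_bytes(self.mem[addr:addr + 4], "little")

    def write(self, addr: int, data: bytes, pc: int) -> None:
        self.mem[addr:addr + len(data)] = data
        self.write_no += 1
        for wp in self.watch:
            # an unconditional bpm would stop on every write overlapping the range ...
            if addr < wp.addr + 4 and addr + len(data) > wp.addr:
                # ... the conditional form additionally requires the dword to match
                if self.dword(wp.addr) == wp.expected:
                    wp.hits.append((self.write_no, pc))
                else:
                    wp.ignored += 1


def run_scenario() -> Watchpoint:
    FILE = b"123456789"                         # constructed stand-in for the unaltered file
    expected_crc = zlib.crc32(FILE)             # 0xCBF43926, the stored "expected" dword
    CRC_SLOT = 0x100                            # constructed address where the CRC ends up
    mem = Memory(0x200)
    wp = Watchpoint(CRC_SLOT, expected_crc)
    mem.watch.append(wp)
    # noise: unrelated code reusing the same slot as scratch space (49 writes)
    for i in range(1, 50):
        mem.write(CRC_SLOT, i.to_bytes(4, "little"), pc=0x401000 + i)
    # the decrypt loop stores the real CRC one byte at a time (4 writes)
    for i, b in enumerate(expected_crc.to_bytes(4, "little")):
        mem.write(CRC_SLOT + i, bytes([b]), pc=0x402000 + i)
    return wp


if __name__ == "__main__":
    wp = run_scenario()
    print(f"expected dword: {wp.expected:#010x}")
    print(f"writes ignored by the condition: {wp.ignored}")
    print(f"stops: {[(n, hex(pc)) for n, pc in wp.hits]}")
```

Of the 53 writes to the slot, the condition ignores 52 and records a single stop at the fourth byte-write of the decrypt loop; a plain write breakpoint would have stopped on all 53, which is the "several hundred" steps the post describes. The stop lands on the last instruction of the loop, so the routine that produced the value is found by looking just before the reported PC, not at it.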