Name      : Softice Cracking Overview

Tools     : Softice
	    Brain
	    
Cracker   : LW2000

Tutorial  : No.27



---
DISCLAIMER
For educational purposes only!
I hold no responsibility for any misuse of this material!
---


Ok, I was asked a lot about the basics of SoftICE cracking,
so here is a small(!) overview.


Keys in Sice:
-------------

Key     Function
---     --------
F1      Help
F2      Toggle Register Window
F5      Return to Windows/App
F8      Trace to next instruction (step into calls)
F10     Step to next instruction (step over calls)
F11     Get Caller (return to the calling code)
F12     Run till next RET


The Softice Windows:
--------------------

WR  <<-- show/hide the register window
WD  <<-- show/hide the data window
WC  <<-- show/hide the code window
WL  <<-- show/hide the locals window "ALT-L" Focus 
WW  <<-- show/hide the watch window  "ALT-W" Focus


CTRL-UP/DOWN/PGUP/PGDN   <<-- scrolls the code window
SHIFT-UP/DOWN/PGUP/PGDN  <<-- scrolls your command (input) window
ALT-UP/DOWN/PGUP/PGDN    <<-- scrolls your data window


The Registers
-------------

Hey! You've got it: the 'E' in e.g. EAX marks the 32-bit (extended) register; AX is its low 16 bits.

AX <<-- Accumulator Register
BX <<-- Base Register
CX <<-- Count Register
DX <<-- Data Register

Each of the 16-bit registers above is split into two 8-bit registers.

AH <<-- Accumulator High
AL <<-- Accumulator Low
AX <<-- AH*256 + AL
BH <<-- Base High
BL <<-- Base Low
CH <<-- Count High
CL <<-- Count Low
DH <<-- Data High
DL <<-- Data Low


Index Register:
---------------

SI <<-- Source Index
DI <<-- Destination Index


Stack Register:
---------------

BP <<-- Base Pointer
SP <<-- Stack Pointer


Segment Register:
-----------------

CS <<-- Code Segment
DS <<-- Data Segment
ES <<-- Extra Segment
SS <<-- Stack Segment

btw: '? eax' evaluates and shows the value in EAX, while 'd eax' dumps the memory at the address EAX holds.. ;)))


The Flags:
----------

O  <<-- overflow flag (set when a signed arithmetic result, e.g. from
                       'sub', does not fit in the destination)
D  <<-- direction flag (tells the CPU whether to increment or decrement
                        SI/DI on LODSB, STOSB and similar string commands)
I  <<-- interrupt flag (tells the CPU whether to accept maskable hardware
                        interrupts)
S  <<-- sign flag (set when the final value was negative, i.e. its top bit is set)
Z  <<-- zero flag (set when the final value was zero)
A  <<-- auxiliary carry flag (carry/borrow out of the low nibble)
P  <<-- parity flag (set when the low byte of the result has an even number of 1 bits)
C  <<-- carry flag (like the overflow flag, but set when an unsigned
                    operation carried or borrowed)


Flag manipulation commands:
---------------------------

CLC <<-- Clear Carry Flag
CLD <<-- Clear Direction Flag
CLI <<-- Clear Interrupt Enable Flag
CMC <<-- Complement Carry Flag
STC <<-- Set Carry Flag
STI <<-- Set Interrupt Enable Flag

btw: there is no instruction that sets or clears the Zero or Sign Flag directly.
In SoftICE you must use 'r fl z' to toggle the Zero Flag and 'r fl s'
to toggle the Sign Flag !!!


The Jumps:
----------

JA              Jump Above (unsigned)
JAE             Jump Above or Equal (unsigned)
JB              Jump Below (unsigned)
JBE             Jump Below or Equal (unsigned)
JC              Jump Carry
JCXZ            Jump if CX is Zero
JE              Jump if Equal
JZ              Jump if Zero (Equal)
JG              Jump if Greater (signed)
JGE             Jump if Greater or Equal (signed)
JL              Jump if Less (signed)
JLE             Jump if Less or Equal (signed)
JNA             Jump if not Above (unsigned)
JNAE            Jump if not Above or Equal (unsigned) (same as JB)
JNB             Jump if not Below (unsigned)
JNBE            Jump if not Below or Equal (unsigned)
JNC             Jump if not Carry
JNE             Jump if not Equal
JNG             Jump if not Greater (signed)
JNGE            Jump if not Greater or Equal (signed)
JNL             Jump if not Less (signed)
JNLE            Jump if not Less or Equal (signed)
JNO             Jump if not Overflow
JNP             Jump if not Parity
JNS             Jump if not Signed
JNZ             Jump if not Zero (Equal)
JO              Jump if Overflow
JP              Jump if Parity
JPE             Jump if Parity Even (PF=1)
JPO             Jump if Parity Odd (PF=0)
JS              Jump if Signed
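To make the flag and jump tables above concrete, here is an added example in C (it is not part of the tutorial): it models the flags a 32-bit CMP a,b leaves behind (CMP computes a-b like SUB and discards the result) and the condition behind each Jcc mnemonic, so you can work out from two operand values which conditional jump in a listing would be taken. The function names (cmp32, jump_taken, even_parity8) are my own; the sample operands are constructed. JCXZ is left out because it tests CX rather than the flags.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the tutorial: a model of the x86 flags
 * after CMP/SUB and of the conditional-jump rules listed in the text. */

typedef struct {
    bool cf;  /* carry: unsigned borrow occurred           */
    bool pf;  /* parity: low byte has an even number of 1s */
    bool af;  /* auxiliary carry: borrow out of bit 3      */
    bool zf;  /* zero: result was 0                        */
    bool sf;  /* sign: bit 31 of the result is set         */
    bool of;  /* overflow: signed result did not fit       */
} flags_t;

static bool even_parity8(uint8_t v)
{
    int ones = 0;
    for (; v; v >>= 1)
        ones += v & 1;
    return (ones & 1) == 0;
}

/* Flags as set by CMP a,b (or SUB a,b) on 32-bit operands. */
static flags_t cmp32(uint32_t a, uint32_t b)
{
    uint32_t r = a - b;
    flags_t f;
    f.cf = a < b;                      /* unsigned borrow */
    f.zf = (r == 0);
    f.sf = ((r >> 31) & 1) != 0;
    /* signed overflow: a and b differ in sign, and r's sign differs from a's */
    f.of = ((((a ^ b) & (a ^ r)) >> 31) & 1) != 0;
    f.af = ((a ^ b ^ r) & 0x10) != 0;  /* borrow out of the low nibble */
    f.pf = even_parity8((uint8_t)r);
    return f;
}

/* Would the conditional jump with this mnemonic be taken under flags f? */
static bool jump_taken(const char *jcc, flags_t f)
{
    /* unsigned comparisons look at CF and ZF */
    if (!strcmp(jcc, "JA")  || !strcmp(jcc, "JNBE")) return !f.cf && !f.zf;
    if (!strcmp(jcc, "JAE") || !strcmp(jcc, "JNB") || !strcmp(jcc, "JNC")) return !f.cf;
    if (!strcmp(jcc, "JB")  || !strcmp(jcc, "JNAE") || !strcmp(jcc, "JC")) return f.cf;
    if (!strcmp(jcc, "JBE") || !strcmp(jcc, "JNA")) return f.cf || f.zf;
    /* signed comparisons look at SF, OF and ZF */
    if (!strcmp(jcc, "JG")  || !strcmp(jcc, "JNLE")) return !f.zf && (f.sf == f.of);
    if (!strcmp(jcc, "JGE") || !strcmp(jcc, "JNL"))  return f.sf == f.of;
    if (!strcmp(jcc, "JL")  || !strcmp(jcc, "JNGE")) return f.sf != f.of;
    if (!strcmp(jcc, "JLE") || !strcmp(jcc, "JNG"))  return f.zf || (f.sf != f.of);
    /* single-flag tests */
    if (!strcmp(jcc, "JE")  || !strcmp(jcc, "JZ"))   return f.zf;
    if (!strcmp(jcc, "JNE") || !strcmp(jcc, "JNZ"))  return !f.zf;
    if (!strcmp(jcc, "JS"))  return f.sf;
    if (!strcmp(jcc, "JNS")) return !f.sf;
    if (!strcmp(jcc, "JO"))  return f.of;
    if (!strcmp(jcc, "JNO")) return !f.of;
    if (!strcmp(jcc, "JP")  || !strcmp(jcc, "JPE"))  return f.pf;
    if (!strcmp(jcc, "JNP") || !strcmp(jcc, "JPO"))  return !f.pf;
    return false;  /* unknown mnemonic, or JCXZ (depends on CX, not flags) */
}

int main(void)
{
    /* constructed sample: 0xFFFFFFFF is the largest unsigned value but -1 signed,
     * so the unsigned and signed jumps disagree about the same CMP */
    uint32_t a = 0xFFFFFFFFu, b = 1u;
    flags_t f = cmp32(a, b);
    const char *js[] = { "JA", "JB", "JG", "JL", "JE", "JNE" };
    printf("CMP %08X,%08X  C=%d Z=%d S=%d O=%d P=%d A=%d\n",
           (unsigned)a, (unsigned)b, f.cf, f.zf, f.sf, f.of, f.pf, f.af);
    for (size_t i = 0; i < sizeof js / sizeof js[0]; i++)
        printf("  %-4s %s\n", js[i], jump_taken(js[i], f) ? "taken" : "not taken");
    return 0;
}
```

The point to take from the sample run is the one the list above only hints at: for CMP 0FFFFFFFFh,1 both JA (unsigned) and JL (signed) are taken, because the same bit pattern is 4294967295 to the unsigned jumps and -1 to the signed ones. When you read a compare in a listing, the choice of JA/JB versus JG/JL tells you whether the compiler treated the values as unsigned or signed.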


MOV Operation:
--------------

MOV copies a value into a register or memory location.

MOV CX,AX   <<-- AX is copied into CX

MOV [CX],AX <<-- This stores AX into the memory location pointed at by CX.
                 (Note: in 16-bit addressing only BX, BP, SI and DI can hold
                 the address, so this form assembles as MOV [ECX],EAX in
                 32-bit code, where any general register may be used.)


Call/Ret Operation:
-------------------

We use CALL and RET to call and return from procedures. If you
want a function to return something, the usual way is to store the
return value in a register (normally EAX) and then RET.

i.e. if a function should return eax=1, then simply change the start of it to
        mov eax,1
        ret



The Breakpoints:
----------------

Like the registers, the API calls differ between 16-bit and 32-bit.
If you have a 32-bit proggy, simply add an 'A' to the end of the call,
i.e. getwindowtext -> getwindowtexta
(the 'A' marks the ANSI version of a Win32 API; the Unicode version ends in 'W' instead).
btw: 'bl' lists the breakpoints you have set!


Clear breakpoints:
------------------

bc yourbreakpoint - i.e: bc getdlgitemtexta <<-- that will clear the one
bc 0    <<-- will clear the breakpoint labelled 0
bc 1,3  <<-- will clear the breakpoints labelled 1 and 3
bc *    <<-- will clear all breakpoints which were set


Disable breakpoints:
--------------------

bd yourbreakpoint - i.e: bd getdlgitemtexta <<-- will disable the one
bd 1,3,4  <<-- disable the breakpoints labelled 1,3,4
bd *      <<-- disable all breakpoints


Enable breakpoints:
-------------------

be yourbreakpoint - i.e: be getdlgitemtexta <<-- will enable the one
be 1,4,7 <<-- enable the breakpoints labelled 1,4,7
be *     <<-- enable all breakpoints


Useful Breakpoints:
--------------------

Remember to put an 'A' at the end for 32-BIT!!!


General
------- 

bpx messagebox 
bpx getdlgitemtext 
bpx getwindowtext 
bpx hmemcpy 
bpx showwindow 
bpx updatewindow 
bmsg xxxx wm_gettext 
bmsg xxxx wm_command 
bmsg xxxx wm_move 


Key File Related
----------------

bpint 21 if ah==3dh (DOS) 
bpint 31 if ah==3fh (DOS) 
bpx ReadFileA 
bpx CreateFileA 


Keyboard Input
--------------

bpint 16 if ah==0 (DOS) 
bpint 21 if ah==0xA (DOS)


Time Related
------------

bpint 21 if ah==2A (DOS) 
bpx getlocaltime 
bpx getfiletime 
bpx getsystemtime 


CD-ROM/Disk
-----------

bpint 13 if ah==2 (DOS) 
bpint 13 if ah==3 (DOS) 
bpint 13 if ah==4 (DOS) 
bpx GetFileAttributesA 
bpx GetFileSize 
bpx GetDriveType 
bpx GetLastError 
bpx ReadFile 
bpio -h (Your CD-ROM Port Address) R 


Dongle Cracking
---------------

bpio -h 278 R 
bpio -h 378 R 



FINISH! Easy, isn't it?

cu LW2000
Any comments? Mail me LW2000@gmx.net !!!
----
tKC, thx for your tutorials!
I started with tutorial 1 and I still read them... they are the best!