Name     : Softice Cracking Overview
Tools    : Softice, Brain
Cracker  : LW2000
Tutorial : No.27

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

Ok, I was asked a lot about the basics of Softice cracking, so here is a small(!) overview.

Keys in Sice:
-------------
Key   Function
---   --------
F1    Help
F2    Toggle register window
F5    Return to Windows/App (leave Softice and let the program run on)
F8    Trace to next instruction (steps INTO calls)
F10   Step to next instruction (steps OVER calls)
F11   Go to caller (runs to the return address on top of the stack; use it at the start of a function to get back to whoever called it)
F12   Run till next RET (steps out of the current routine)

The Softice Windows:
--------------------
WR <<-- show/hide the register window
WD <<-- show/hide the data window
WC <<-- show/hide the code window
WL <<-- show/hide the locals window ("ALT-L" moves the focus there)
WW <<-- show/hide the watch window ("ALT-W" moves the focus there)
CTRL-UP/DOWN/PGUP/PGDN  <<-- scrolls the code window
SHIFT-UP/DOWN/PGUP/PGDN <<-- scrolls your command (input) window
ALT-UP/DOWN/PGUP/PGDN   <<-- scrolls your data window

The Registers
-------------
The 'e' in EAX, EBX, ... stands for 'extended': it is the 32-bit register. AX is the low 16 bits of EAX.

AX <<-- Accumulator Register
BX <<-- Base Register
CX <<-- Count Register
DX <<-- Data Register

Every 16-bit register above is split into two 8-bit registers:

AH <<-- Accumulator High
AL <<-- Accumulator Low
AX <<-- AH*256 + AL
BH <<-- Base High
BL <<-- Base Low
CH <<-- Count High
CL <<-- Count Low
DH <<-- Data High
DL <<-- Data Low

Index Registers:
----------------
SI <<-- Source Index
DI <<-- Destination Index

Stack Registers:
----------------
BP <<-- Base Pointer
SP <<-- Stack Pointer

Segment Registers:
------------------
CS <<-- Code Segment
DS <<-- Data Segment
ES <<-- Extra Segment
SS <<-- Stack Segment

btw: '? eax' shows the value in eax (hex, decimal and ASCII); 'd eax' shows the memory at the address eax points to, which is what you want when eax holds a pointer to a string..
;)))

The Flags:
----------
O <<-- overflow flag (set when a SIGNED result does not fit, e.g. after 'add', 'sub' or 'cmp')
D <<-- direction flag (tells the CPU whether SI/DI are incremented (D=0) or decremented (D=1) by LODSB, STOSB, MOVSB and similar string commands)
I <<-- interrupt flag (tells the CPU whether it accepts maskable hardware interrupts)
S <<-- sign flag (set if the result was negative, i.e. its highest bit is set)
Z <<-- zero flag (set if the result was zero; after 'cmp a,b' that means a == b)
A <<-- auxiliary carry flag (carry/borrow out of the low nibble, used by the BCD instructions)
P <<-- parity flag (set if the low byte of the result has an even number of 1 bits)
C <<-- carry flag (like the overflow flag, but for UNSIGNED math: set on a carry out or a borrow, e.g. 'cmp a,b' with a < b unsigned)

Flag manipulation commands:
---------------------------
CLC <<-- Clear Carry Flag
CLD <<-- Clear Direction Flag
CLI <<-- Clear Interrupt Enable Flag
CMC <<-- Complement Carry Flag
STC <<-- Set Carry Flag
STI <<-- Set Interrupt Enable Flag

btw: there is no instruction that sets or clears the Zero or Sign flag directly; they only change as a side effect of an instruction. In Softice you toggle them by hand with 'r fl z' (Zero Flag) and 'r fl s' (Sign Flag) !!! That is the quickest way to see which way a conditional jump goes without patching anything yet.

The Jumps:
----------
JA    Jump if Above (unsigned)
JAE   Jump if Above or Equal (unsigned)
JB    Jump if Below (unsigned)
JBE   Jump if Below or Equal (unsigned)
JC    Jump if Carry (same as JB)
JCXZ  Jump if CX is Zero (JECXZ for ECX)
JE    Jump if Equal
JZ    Jump if Zero (same as JE)
JG    Jump if Greater (signed)
JGE   Jump if Greater or Equal (signed)
JL    Jump if Less (signed)
JLE   Jump if Less or Equal (signed)
JNA   Jump if not Above (unsigned) (same as JBE)
JNAE  Jump if not Above or Equal (unsigned) (same as JB)
JNB   Jump if not Below (unsigned) (same as JAE)
JNBE  Jump if not Below or Equal (unsigned) (same as JA)
JNC   Jump if not Carry (same as JAE)
JNE   Jump if not Equal
JNG   Jump if not Greater (signed) (same as JLE)
JNGE  Jump if not Greater or Equal (signed) (same as JL)
JNL   Jump if not Less (signed) (same as JGE)
JNLE  Jump if not Less or Equal (signed) (same as JG)
JNO   Jump if not Overflow
JNP   Jump if not Parity
JNS   Jump if not Signed
JNZ   Jump if not Zero (same as JNE)
JO    Jump if Overflow
JP    Jump if Parity
JPE   Jump if Parity Even (PF=1, same as JP)
JPO   Jump if Parity Odd (PF=0, same as JNP)
JS    Jump if Signed

The signed/unsigned tag matters: for the same two values an unsigned jump (JA/JB, looks at C and Z) and a signed jump (JG/JL, looks at S, O and Z) can go different ways. So look at which jump the compiler used before you decide what the comparison means.

MOV Operation:
--------------
MOV moves a value to a register or memory place.
MOV CX,AX      <<-- AX is stored in CX
MOV [ECX],EAX  <<-- This stores EAX into the memory location pointed at by ECX.
                    (In 16-bit code only BX, BP, SI and DI can be used as a pointer like this, so there you will see MOV [BX],AX instead.)

Call/Ret Operation:
-------------------
We use CALL and RET to call and return from procedures. If you want a function to return something, it is easier to just store the return value in a register and then RET. I.e. if a function should return eax=1, then simply replace the start of the called function with:

mov eax,1
ret

The rest of the function is never executed, so check that nothing after the patch was needed (a key it stores, a window it opens), and if the function cleans its own arguments off the stack (it ends with 'ret 4', 'ret 8', ...), your RET must use the same number or the stack is off balance when you get back to the caller.

The Breakpoints:
----------------
bpx name <<-- breaks when the API (or address) is executed

Like the registers, the API names differ between 16-bit and 32-bit. Win32 exports string APIs in an ANSI and a Unicode version with 'A' or 'W' on the end; 16-bit exports have no suffix. So if you have a 32-bit proggy, simply add 'a' to the end of the call. I.e. getwindowtext -> getwindowtexta

btw: 'bl' will list your breakpoints! Each one gets a number, which the commands below use.

Clear breakpoints:
------------------
bc yourbreakpoint - i.e: bc getdlgitemtexta <<-- that will clear the one
bc 0   <<-- will clear the breakpoint labelled 0
bc 1,3 <<-- will clear the breakpoints labelled 1 and 3
bc *   <<-- will clear all breakpoints which were set

Disable breakpoints:
--------------------
bd yourbreakpoint - i.e: bd getdlgitemtexta <<-- will disable the one
bd 1,3,4 <<-- disable the breakpoints labelled 1,3,4
bd *     <<-- disable all breakpoints

Enable breakpoints:
-------------------
be yourbreakpoint - i.e: be getdlgitemtexta <<-- will enable the one
be 1,4,7 <<-- enable the breakpoints labelled 1,4,7
be *     <<-- enable all breakpoints

Useful Breakpoints:
-------------------
Remember to put an 'a' at the end for 32-BIT!!!
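The two things above that you do at a patch point, deciding which way a conditional jump goes from the flags and writing the 'mov eax,1 / ret' bytes, are shown here as an added C example. It is not part of LW2000's tutorial: it models what Softice shows after a 32-bit CMP (the O S Z A P C bits and the jump that follows), and it assembles the patch into a constructed buffer that stands in for a code section. The register values and the 16-byte image are made up for illustration.

```c
/* Added example, not part of LW2000's tutorial: a small C model of what
 * Softice shows you after a CMP, plus the "mov eax,1 / ret" patch bytes.
 * The register values and the image buffer below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The flag bits Softice displays in the register window (O S Z A P C). */
struct flags { int o, s, z, a, p, c; };

static int even_parity(uint8_t v)
{
    int bits = 0;
    while (v) { bits += v & 1; v >>= 1; }
    return (bits % 2) == 0;
}

/* CMP a,b computes a - b (32-bit) and sets the flags from the result. */
struct flags x86_cmp(uint32_t a, uint32_t b)
{
    struct flags f;
    uint32_t r = a - b;
    f.z = (r == 0);
    f.s = (r >> 31) & 1;                       /* result negative as signed    */
    f.c = (a < b);                             /* borrow: unsigned a < b       */
    f.o = (((a ^ b) & (a ^ r)) >> 31) & 1;     /* signed overflow              */
    f.a = ((a ^ b ^ r) >> 4) & 1;              /* borrow out of the low nibble */
    f.p = even_parity((uint8_t)r);             /* PF=1: low byte even parity   */
    return f;
}

/* Which way a conditional jump goes for a given flag state. Aliases
 * (JE/JZ, JB/JC/JNAE, ...) are the same opcode, so they share a line.
 * Returns 1 = taken, 0 = not taken, -1 = unknown mnemonic. */
int jump_taken(const char *jcc, struct flags f)
{
    if (!strcmp(jcc, "JZ")  || !strcmp(jcc, "JE"))                          return f.z;
    if (!strcmp(jcc, "JNZ") || !strcmp(jcc, "JNE"))                         return !f.z;
    if (!strcmp(jcc, "JC")  || !strcmp(jcc, "JB")  || !strcmp(jcc, "JNAE")) return f.c;
    if (!strcmp(jcc, "JNC") || !strcmp(jcc, "JAE") || !strcmp(jcc, "JNB"))  return !f.c;
    if (!strcmp(jcc, "JA")  || !strcmp(jcc, "JNBE"))                        return !f.c && !f.z;
    if (!strcmp(jcc, "JBE") || !strcmp(jcc, "JNA"))                         return f.c || f.z;
    if (!strcmp(jcc, "JL")  || !strcmp(jcc, "JNGE"))                        return f.s != f.o;
    if (!strcmp(jcc, "JGE") || !strcmp(jcc, "JNL"))                         return f.s == f.o;
    if (!strcmp(jcc, "JG")  || !strcmp(jcc, "JNLE"))                        return !f.z && f.s == f.o;
    if (!strcmp(jcc, "JLE") || !strcmp(jcc, "JNG"))                         return f.z || f.s != f.o;
    if (!strcmp(jcc, "JS"))  return f.s;
    if (!strcmp(jcc, "JNS")) return !f.s;
    if (!strcmp(jcc, "JO"))  return f.o;
    if (!strcmp(jcc, "JNO")) return !f.o;
    if (!strcmp(jcc, "JP")  || !strcmp(jcc, "JPE")) return f.p;
    if (!strcmp(jcc, "JNP") || !strcmp(jcc, "JPO")) return !f.p;
    return -1;
}

/* "mov eax,imm32 ; ret" assembles to B8 <imm32 little-endian> C3. */
#define PATCH_LEN 6
void encode_mov_eax_ret(uint32_t value, uint8_t out[PATCH_LEN])
{
    out[0] = 0xB8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(value >> (8 * i));
    out[5] = 0xC3;
}

/* Overwrite the first 6 bytes of a function inside an image buffer.
 * Returns 0 on success, -1 if the patch would run past the buffer. */
int patch_function(uint8_t *image, size_t image_len, size_t func_off, uint32_t value)
{
    uint8_t patch[PATCH_LEN];
    if (func_off > image_len || image_len - func_off < PATCH_LEN)
        return -1;
    encode_mov_eax_ret(value, patch);
    memcpy(image + func_off, patch, PATCH_LEN);
    return 0;
}

int main(void)
{
    /* Constructed: CMP EAX,EBX with EAX=1 and EBX=FFFFFFFF (-1 as signed). */
    struct flags f = x86_cmp(1, 0xFFFFFFFFu);
    const char *jumps[] = { "JA", "JB", "JG", "JL", "JZ" };
    printf("flags: O=%d S=%d Z=%d A=%d P=%d C=%d\n", f.o, f.s, f.z, f.a, f.p, f.c);
    for (size_t i = 0; i < sizeof jumps / sizeof jumps[0]; i++)
        printf("%-3s %s\n", jumps[i], jump_taken(jumps[i], f) ? "taken" : "not taken");

    uint8_t image[16] = { 0 };        /* constructed stand-in for a code section */
    if (patch_function(image, sizeof image, 10, 1) == 0)
        printf("patched: B8 01 00 00 00 C3 at offset 10\n");
    return 0;
}
```

With EAX=1 and EBX=FFFFFFFF the unsigned jumps see 1 < 4294967295 (JB taken, JA not) while the signed jumps see 1 > -1 (JG taken, JL not), which is exactly why the (signed)/(unsigned) tag in the jump table matters when you read a serial check.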
General
-------
bpx messagebox
bpx getdlgitemtext
bpx getwindowtext
bpx hmemcpy
bpx showwindow
bpx updatewindow
bmsg xxxx wm_gettext   <<-- xxxx is the window handle; get it with the 'hwnd' command
bmsg xxxx wm_command
bmsg xxxx wm_move

Key File Related
----------------
bpint 21 if ah==3dh (DOS, open file)
bpint 21 if ah==3fh (DOS, read file)
bpx ReadFileA
bpx CreateFileA

Keyboard Input
--------------
bpint 16 if ah==0   (DOS, read key)
bpint 21 if ah==0xA (DOS, buffered input)

Time Related
------------
bpint 21 if ah==2A (DOS, get date)
bpx getlocaltime
bpx getfiletime
bpx getsystemtime

CD-ROM/Disk
-----------
bpint 13 if ah==2 (DOS, read sectors)
bpint 13 if ah==3 (DOS, write sectors)
bpint 13 if ah==4 (DOS, verify sectors)
bpx GetFileAttributesA
bpx GetFileSize
bpx GetDriveType
bpx GetLastError
bpx ReadFile
bpio -h (Your CD-ROM Port Address) R

Dongle Cracking
---------------
bpio -h 278 R <<-- reads from the parallel port (LPT) at 278h
bpio -h 378 R <<-- reads from the parallel port (LPT) at 378h

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!