 
Training session 15: Softice
Difficulty: Medium
Learn what this beautiful tool is and how to use it
Creator: m101


I will not provide a place to download SoftICE, nor instructions on how to install and set it up. Once you have a working copy, the following are the basic commands you need to drive it:

CTRL+D (pops up / hides the SoftICE window; from inside SoftICE the X command does the same and resumes the system)
WR (toggle the register window)
LINES 35 (set the number of screen lines to something a little more reasonable)
BPX address|symbol (set an execution breakpoint at a memory address or on an exported API function, e.g. BPX GetDlgItemTextA)
BC * (clear all breakpoints)
BL (list all breakpoints)
BD * (disable all breakpoints)
BE * (enable all breakpoints)
WC (toggle the code window)
D address (dump memory at an address in hex; D EAX dumps the memory EAX points to)
? expression (evaluate an expression, e.g. ? EAX, and show the result in hex, decimal and ASCII)
FAULTS OFF (stop SoftICE popping up on every fault raised anywhere in the system; extremely recommended)

You should now have a basic idea of what SoftICE does: it sits underneath Windows as a system-level debugger, disassembles any memory range, and freezes the machine when a breakpoint is hit, whether that breakpoint is on a specific address or on an entry point inside a DLL. To break on an API call, type something like 'bpx getdlgitemtexta' and SoftICE will set a breakpoint on the GetDlgItemTextA export of user32.dll. Symbol names are matched case-insensitively, but only against the exports loaded through the EXP= lines of winice.dat, so the DLL that exports the function must be listed there or SoftICE will report the symbol as undefined.

Now you will probably ask what the point of breaking on GetDlgItemTextA is. Windows programs do not carry their own code for reading a dialog control; they call the Win32 API, which lives in shared DLLs such as user32.dll and kernel32.dll that are linked in at load time rather than compiled into every program. GetDlgItemTextA is the API that copies the text of a dialog control (a text box) into a buffer supplied by the caller. Still not meaning much? Consider a program with a serial-number registration dialog: you start it, enter a code, click the submit button, and if the code is right the program is registered. Instead of searching the disassembly for ages, as you would with win32dasm, you break at the exact moment the program fetches your input from the text box; the comparison against the correct code is usually only a few instructions after that call returns.

The following Win32 API functions are commonly used by registration and trial-period code, and make good breakpoints:

GetDlgItemInt
GetDlgItemText / GetDlgItemTextA / GetDlgItemTextW
GetWindowLong / GetWindowLongA / GetWindowLongW
GetWindowText / GetWindowTextA
GetWindowWord
SendDlgItemMessage / SendDlgItemMessageA / SendDlgItemMessageW
GetFileTime
GetLocalTime
GetSystemTime
GetTickCount
SystemTimeToFileTime

If you are wondering, the difference between GetDlgItemText and GetDlgItemTextA is not the size of the return value: the 'A' suffix marks the ANSI (8-bit character) version and a 'W' suffix the wide (Unicode, 16-bit character) version of the same function. The bare name is a macro that the compiler resolves to one of the two, and the Win32 DLLs export only the A and W names, so in SoftICE you must break on the A or W variant, never on the plain name. Most programs of this era use the A versions. If, for example, a program checks how long it has been running (a trial timer), you could break on GetSystemTime, or possibly GetTickCount or GetLocalTime depending on how it was programmed: pop into SoftICE with CTRL+D and type 'bpx GetSystemTime'.

If your assumption was correct, SoftICE will pop up at the call to GetSystemTime the next time the program checks how long it has been running.

For cracking I would recommend the following winice.dat configuration:

winice.dat
---------------------------------------------

PENTIUM=ON
NMI=ON
ECHOKEYS=OFF
NOLEDS=OFF
NOPAGE=OFF
SIWVIDRANGE=ON
THREADP=ON
LOWERCASE=OFF
WDMEXPORTS=OFF
MONITOR=0

PHYSMB=64
SYM=1024
HST=256
TRA=8
MACROS=32
DRAWSIZE=2048

INIT="CODE ON; WD 2; WC 14; FAULTS OFF; IXHERE OFF; IYHERE OFF; X;"

F1="h;"
F2="^wr;"
F3="^src;"
F4="^rs;"
F5="^x;"
F6="^ec;"
F7="^here;"
F8="^t;"
F9="^bpx;"
F10="^p;"
F11="^G @SS:ESP;"
F12="^p ret;"
SF3="^format;"
CF8="^XT;"
CF9="TRACE OFF;"
CF10="^XP;"
CF11="SHOW B;"
CF12="TRACE B;"
AF1="^wr;"
AF2="^wd;"
AF3="^S 0 L FFFFFFFF 8B,CA,F3,A6,74,01,9F,92,8D,5E,08;" ; Visual Basic Cracking
AF4="^S 0 L FFFFFFFF 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14;" ; Visual Basic Cracking
AF5="CLS;"
AF8="^XT R;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="altscr off; lines 60; wc 32; wd 8;"
CF2="^wr;^wd;^wc;"

; WINICE.DAT
; (SIW95\WINICE.DAT)
; for use with SoftICE Versions greater than 3.0 (Windows 95)
;

; *************************************************************************
; If your have MORE than 32MB of physical memory installed, change
; the PHYSMB line to the correct # of Megabytes.
; If you have LESS than 32MB you can save a bit of memory by
; specifying the correct # of Megabytes
; Example: PHYSMB=32
; *************************************************************************
; ***** Examples of sym files that can be included if you have the SDK *****
; Change the path to the appropriate drive and directory
;LOAD=c:\windows\system\user.exe
;LOAD=c:\windows\system\gdi.exe
;LOAD=c:\windows\system\krnl386.exe
;LOAD=c:\windows\system\mmsystem.dll
;LOAD=c:\windows\system\win386.exe
; ***** Examples of export symbols that can be included *****
; Change the path to the appropriate drive and directory
;EXP=c:\windows\system\vga.drv
;EXP=c:\windows\system\vga.3gr
;EXP=c:\windows\system\sound.drv
;EXP=c:\windows\system\mouse.drv
;EXP=c:\windows\system\netware.drv
;EXP=c:\windows\system\system.drv
;EXP=c:\windows\system\keyboard.drv
;EXP=c:\windows\system\toolhelp.dll
;EXP=c:\windows\system\shell.dll
;EXP=c:\windows\system\commdlg.dll
;EXP=c:\windows\system\olesvr.dll
;EXP=c:\windows\system\olecli.dll
;EXP=c:\windows\system\mmsystem.dll
;EXP=c:\windows\system\winoldap.mod
;EXP=c:\windows\progman.exe
;EXP=c:\windows\drwatson.exe
; ***** Examples of export symbols that can be included for Windows 95 *****
; Change the path to the appropriate drive and directory
EXP=c:\windows\system\kernel32.dll
EXP=c:\windows\system\user32.dll
EXP=c:\windows\system\gdi32.dll
EXP=c:\windows\system\comdlg32.dll
EXP=c:\windows\system\shell32.dll
EXP=c:\windows\system\advapi32.dll
EXP=c:\windows\system\shell232.dll
EXP=c:\windows\system\comctl32.dll
EXP=c:\windows\system\crtdll.dll
EXP=c:\windows\system\version.dll
EXP=c:\windows\system\netlib32.dll
EXP=c:\windows\system\msshrui.dll
EXP=c:\windows\system\msnet32.dll
EXP=c:\windows\system\mspwl32.dll
EXP=c:\windows\system\mpr.dll
EXP=c:\windows\system\msvbvm60.dll ; Visual Basic 6
EXP=c:\windows\system\msvbvm50.dll ; Visual Basic 5
EXP=c:\windows\system\vb40032.dll ; Visual Basic 4
EXP=c:\windows\system\vbrun300.dll ; Visual Basic 3

---------------------------------------------

By now you should have a basic idea of how program logic works from the previous cracking tutorial. To crack a program using SoftICE, follow these steps:

1. Open the target program and go to the registration dialog.

2. Enter false information (a name and a serial you will recognise in memory, e.g. 'AAAA' and '12345678').

3. Break into SoftICE (CTRL+D), set breakpoints on all the API calls you believe the dialog may use to read your input (e.g. bpx GetDlgItemTextA, bpx GetWindowTextA), and leave SoftICE again with CTRL+D.

4. Click submit. If SoftICE does not pop up, go back to step 1 and change the breakpoints. If it does, keep pressing CTRL+D to let each call complete and count how many times the breakpoint fires before the program answers (one hit per input field is typical). Then repeat the whole process and stop on the last hit, which is the one closest to the comparison.

5. Press F12 (P RET) to run until the API returns to its caller. You are now back in the program's own code, and the instruction just above EIP is the call to the API you were in.

6. Press F10 (step over) until you reach something interesting, such as a CMP or TEST followed by a JNE or JE (JNZ / JZ).

7. Look at the code window to see whether the jump is taken (SoftICE marks a conditional jump with JUMP or NO JUMP, and the Z flag in the register window is shown in upper case when set). To test whether this is the deciding jump, type A EIP (assemble at the current address) and enter the reversed instruction, e.g. JNE with the same target where it reads JE.

8. Press CTRL+D to return control to the program and see whether it now accepts the false information.

9. If it worked, note the address and the bytes of the jump and patch them permanently in the executable file (e.g. with a hex editor, at the file offset corresponding to that address); if it did not, return to step 1 and try a different jump.
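The two decisions the procedure hinges on, "is this jump taken?" (step 7) and "what bytes do I change to reverse or remove it?" (step 9), as an added C example that is not part of the original tutorial and not SoftICE's own code. It models what SoftICE's JUMP / NO JUMP annotation computes from EFLAGS for every x86 conditional jump, and patches the short (74 xx) and near (0F 84 xx xx xx xx) forms in a byte buffer. The instruction stream in sample_code is constructed for the example in the shape step 5 and 6 leave you in after P RET from GetDlgItemTextA; the call's rel32 of 0 is a placeholder, and the names jcc_taken, invert_jcc, force_jcc, patch_sample and patch_near are this example's own.

```c
/* Added example: x86 Jcc evaluation and patching for the "flip the deciding jump" step.
 * Not from the tutorial; sample_code is a constructed stand-in, not a real program. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EFLAGS bits; SoftICE's register window shows a flag in upper case when it is set. */
#define FL_CF (1u << 0)
#define FL_PF (1u << 2)
#define FL_ZF (1u << 6)
#define FL_SF (1u << 7)
#define FL_OF (1u << 11)

/* Would the Jcc with condition code cc (low nibble of 7x, or of the 8x after 0F) be taken? */
int jcc_taken(uint8_t cc, uint32_t eflags)
{
    int cf = !!(eflags & FL_CF), pf = !!(eflags & FL_PF), zf = !!(eflags & FL_ZF);
    int sf = !!(eflags & FL_SF), of = !!(eflags & FL_OF);
    int r;
    switch (cc >> 1) {
    case 0:  r = of;                  break; /* JO  / JNO */
    case 1:  r = cf;                  break; /* JB  / JAE */
    case 2:  r = zf;                  break; /* JE  / JNE */
    case 3:  r = cf || zf;            break; /* JBE / JA  */
    case 4:  r = sf;                  break; /* JS  / JNS */
    case 5:  r = pf;                  break; /* JP  / JNP */
    case 6:  r = sf != of;            break; /* JL  / JGE */
    default: r = zf || (sf != of);    break; /* JLE / JG  */
    }
    return (cc & 1) ? !r : r;   /* odd condition codes are the negated form */
}

/* Condition code of the Jcc at code[off], or -1 if none; *ilen gets 2 (short) or 6 (near). */
int jcc_at(const uint8_t *code, size_t len, size_t off, size_t *ilen)
{
    if (off + 2 <= len && (code[off] & 0xF0) == 0x70) { *ilen = 2; return code[off] & 0x0F; }
    if (off + 6 <= len && code[off] == 0x0F && (code[off + 1] & 0xF0) == 0x80) {
        *ilen = 6; return code[off + 1] & 0x0F;
    }
    return -1;
}

/* Step 7: reverse the sense of the jump (JE <-> JNE, JA <-> JBE ...) keeping its target. */
int invert_jcc(uint8_t *code, size_t len, size_t off)
{
    size_t ilen;
    if (jcc_at(code, len, off, &ilen) < 0) return 0;
    code[off + (ilen == 6 ? 1 : 0)] ^= 1;   /* low bit of the condition code flips the sense */
    return 1;
}

/* Step 9 alternatives: always take the jump (JMP) or never take it (NOPs), same length. */
int force_jcc(uint8_t *code, size_t len, size_t off, int always_take)
{
    size_t ilen;
    if (jcc_at(code, len, off, &ilen) < 0) return 0;
    if (ilen == 2) {
        if (always_take) code[off] = 0xEB;                    /* JMP rel8, rel8 unchanged */
        else memset(code + off, 0x90, 2);
    } else {
        /* NOP; JMP rel32: the JMP still ends at the same address, so rel32 stays valid */
        if (always_take) { code[off] = 0x90; code[off + 1] = 0xE9; }
        else memset(code + off, 0x90, 6);
    }
    return 1;
}

/* Constructed stream in the shape step 6 lands you on after returning from the API:
 *   00: E8 00 00 00 00  call GetDlgItemTextA  (placeholder rel32)
 *   05: 85 C0           test eax, eax         ; length of text read
 *   07: 74 06           je   short bad        ; nothing typed -> not registered
 *   09: B8 01 00 00 00  mov  eax, 1           ; registered
 *   0E: C3              ret
 *   0F: 31 C0           xor  eax, eax         ; bad
 *   11: C3              ret                                                         */
uint8_t sample_code[] = { 0xE8,0,0,0,0, 0x85,0xC0, 0x74,0x06, 0xB8,1,0,0,0, 0xC3, 0x31,0xC0, 0xC3 };
enum { SAMPLE_JCC_OFF = 7 };

/* Patch a fresh copy (mode 0 = invert, 1 = force take, 2 = never take);
 * returns the two bytes now at the jump as (first << 8 | second). */
unsigned patch_sample(int mode)
{
    uint8_t c[sizeof sample_code];
    memcpy(c, sample_code, sizeof c);
    if (mode == 0) invert_jcc(c, sizeof c, SAMPLE_JCC_OFF);
    else force_jcc(c, sizeof c, SAMPLE_JCC_OFF, mode == 1);
    return (unsigned)c[SAMPLE_JCC_OFF] << 8 | c[SAMPLE_JCC_OFF + 1];
}

/* Same for the near form (0F 84 rel32), as emitted when the target is too far for rel8. */
unsigned patch_near(int mode)
{
    uint8_t c[] = { 0x0F, 0x84, 0x10, 0x00, 0x00, 0x00 };
    if (mode == 0) invert_jcc(c, sizeof c, 0);
    else force_jcc(c, sizeof c, 0, mode == 1);
    return (unsigned)c[0] << 8 | c[1];
}

int main(void)
{
    printf("je with ZF set: %s\n", jcc_taken(0x4, FL_ZF) ? "JUMP" : "NO JUMP");
    printf("07: 74 06 -> %04X (75 06 = jne short)\n", patch_sample(0));
    printf("0F 84 .. -> %04X (90 E9 = nop; jmp near)\n", patch_near(1));
    return 0;
}
```

The example patches bytes in memory only; to make the change stick in the .exe you still have to map the virtual address of the jump to a file offset using the PE section table before editing the file, which the tutorial leaves to the hex editor.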

Following these steps it should be possible to crack many 'simple' programs with SoftICE. Do not get discouraged if it does not work for you at first; SoftICE can be rather difficult to use. It is much more powerful than win32dasm, although win32dasm provides a more stable and easier platform to learn from. Hopefully you have been successful and have learned the way of SoftICE. This is by no means an exhaustive guide to its use, though; further tips and tricks can be found in various other guides and in the SoftICE command reference.