Mexelite is a new cracking group which differs from the other groups in the scene today. We
share knowledge about modern cracking in order to build up the next generation of crackers.

We produce and collect cracking tutorials and hand them out to you. We also provide the
tools that are necessary to start off. Mainly our task is to help newbies, but if you ask nicely
enough we might also take some requests. ;)

You can find us on EFnet, #cracking4newbies


Our channel advisors and tutors will help you in learning various cracking techniques, ranging
from old DOS games, patches & CD checks to serial numbers and key generators.

MEXELiTE is always in search of tutors, crackers, couriers, webmasters, botmasters, siteops ...
so if YOU think that you can do something for us - get our appgen.

http://mex97.home.ml.org

Softice Beginner’s Tutorial

Tutor : CoRN2
Editor : Notepad (fullscreen wit' wordwrap on)
Audience : Beginners an' Newbies :)
Greets : All members of C4N/mEx'97... and everyone else I know :)
Target : SoftIce for Newbies, r4
Rev Date : 17/12/97

Check out http://mex97.home.ml.org for all your cracking needs!!

Foreword
-=-=-=-=
Hey there, wow, I'm on revision 4 of this tutorial now! Thanks to everybody who has written to
me, especially those with helpful suggestions. This update is therefore due to public demand ;)
Hopefully it will help all of you newbies out there, maybe not... ah well... ;)

Introduction
-=-=-=-=-=-=

3
Everybody asks the question, 'which debugger should I use?' The answer is usually SoftIce... The
second question is 'how do I use SoftIce!?!' This tutorial should hopefully cover the basic aspects
of using SoftIce for our 'evil' needs!! ;)

I'm going to assume that you're using SoftIce/Win95 v3.0 or later. Once installed, SoftIce lives
behind win until you need it... now the fun bit...

To access SoftIce you simply press <CTRL-D> unless of course you've changed this hotkey.

EXTERNALS
-=-=-=-=-
This seems to plague almost everyone who still remembers the day that their fingers first traced
the sacred CTRL-D combination. My first question was ( in #cracking ), as far as I remember,
"why can't I breakpoint on GETDLGITEMTEXT ( or similar functions )?"

It took me a week until someone answered ( c4n rocks! plug plug ). It's really quite easy. I think
this is covered in the c4n-mex faq also:

Load up the file WINICE.DAT in your favourite text-editor ( notepad will do if you haven't got
one :P ) and find the lines near the end of the file that start with:

;exp=c:\windows_directory\kernel32.dll
;exp=c:\windows_directory\user32.dll

If you remove the semi-colon ';' from the start of the above two lines, most of the
calls will be available - if not, just remove the semi-colon from the other 'exp=' lines too. Save
WINICE.DAT and restart windows/softice, easy eh?

You can also use the symbol loader to edit these settings ( thanks _[mP] :) )
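
As an added illustration (this is not from the tutorial and not part of SoftIce), here is a
small Python routine that performs the WINICE.DAT edit described above: it uncomments the
'exp=' lines for the DLLs you name and leaves everything else untouched, so you can see
before and after which export tables SoftIce would load. The excerpt is constructed, and
c:\windows_directory is the tutorial's own placeholder, not a real install path.

```python
# Added example: automate the WINICE.DAT edit described in the tutorial.
# The excerpt below is constructed; c:\windows_directory is the tutorial's
# placeholder for wherever Windows is installed.
WINICE_DAT_EXCERPT = """\
INIT="X;"
;exp=c:\\windows_directory\\kernel32.dll
;exp=c:\\windows_directory\\user32.dll
;exp=c:\\windows_directory\\gdi32.dll
"""


def enable_exports(text: str, dlls=("kernel32.dll", "user32.dll")) -> str:
    """Return WINICE.DAT text with the ';exp=' lines for the given DLLs uncommented.

    SoftIce can only resolve an API name (so 'BPX GetDlgItemTextA' works) when the
    DLL exporting it is listed on an active 'exp=' line; a leading ';' disables it.
    """
    wanted = tuple(d.lower() for d in dlls)
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith(";exp=") and stripped.lower().endswith(wanted):
            line = stripped[1:]          # drop the ';' so the line becomes active
        out.append(line)
    return "\n".join(out) + "\n"


def active_exports(text: str) -> list[str]:
    """DLL paths SoftIce would load export tables from: the non-commented 'exp=' lines."""
    return [line.split("=", 1)[1].strip()
            for line in text.splitlines()
            if line.strip().lower().startswith("exp=")]


if __name__ == "__main__":
    print("before:", active_exports(WINICE_DAT_EXCERPT))
    fixed = enable_exports(WINICE_DAT_EXCERPT)
    print("after: ", active_exports(fixed))
    print(fixed)
```

Run it on your real WINICE.DAT by reading the file into `text` instead of the excerpt; the
gdi32 line stays commented to show that only the DLLs you asked for are enabled.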

While we're on the subject of WINICE.DAT, I thought you should know the more useful
*default* keyboard mappings for SI...

F1 - Help
F2 - Toggle Register Window
F5 - Drop back to Windows
F8 - Trace To Next Instruction (will dive into all CALLS)
F10 - Step To Next Instruction (executes and steps over CALLS)
F12 - Run up until the next RETurn instruction

There are a shitload more, but these are the more useful ones I would use....

Now to the fun stuff...

4
I'VE PRESSED CTRL-D, WTF IS ALL THIS STUFF!!!?!??!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Although maybe daunting at first, it's all pretty simple. You really do need to have a rough idea
about ASM for me to be able to explain this properly. If not, get my tut, 'ASM For Crackers'
(PLUG! PLUG!) from the mExeLITE'97 homepage. It should cover the basics.

A BIT ABOUT THE SCREEN YOU'RE GAWPING AT
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before we continue, you should check that you have four (count 'em) separate boxes on your
screen. If not, you should note that they can be hidden/shown with any one of the following
commands:

WR -- Show/Hide Register Window  |
WD -- Show/Hide Data Window      }  including a number after the command
WC -- Show/Hide Code Window      |  allows you to set how many lines are used.

These are the most important, but you'll find there are also other windows that you can toggle,
including watches etc... but this will serve the purposes of our tut.

These windows can be mucked about with individually, each is independently scrollable, using
the following keyboard combinations:

<CTRL-UP/DOWN/PGUP/PGDN>  Scrolls the CODE Window
<SHIFT-UP/DOWN/PGUP/PGDN> Scrolls your INPUT (command) Window
<ALT-UP/DOWN/PGUP/PGDN>   Scrolls the DATA Window

A bit of a cool trick involves the DATA window: some really lame protection schemes end up
placing the correct 'serial number' a couple of bytes away from your input. By simply scrolling
your data window it is sometimes possible to discover this serial and save yourself a shitload of
work! --pretty cool huh?

Now back to your tut.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Ok. Now you know what registers are, and hopefully what a chunk of assembly looks like.

The top three lines of the screen are dedicated to your computer's registers and their contents.
This is fairly self explanatory.

EAX=whatever, EBX=whatever, and so on.

The second line, at the far right, contains 8 letters; these are your flags. Capital blue letters
indicate that the flag is set. The flags are:

O D I S Z A P C
| | | | | | | |
| | | | | | | +--- Carry Flag
| | | | | | +----- Parity Flag
| | | | | +------- Auxiliary Carry Flag
| | | | +--------- Zero Flag ( VERY USEFUL! )
| | | +----------- Sign Flag
| | +------------- Interrupt Flag
| +--------------- Direction Flag
+----------------- Overflow Flag

To be honest the only one I've ever looked at while cracking is the Zero Flag ( it's the one the
JZ/JNZ/JE/JNE instructions test )
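
To make the flags line less mysterious, here is an added Python model (not from the tutorial)
of what SoftIce shows you: it renders an EFLAGS value in the ODISZAPC order with capitals for
set flags, and works out which flags a 32-bit CMP leaves behind so you can see exactly why a
JZ/JNZ after a CMP goes one way or the other. The bit positions are the real x86 EFLAGS
layout; the starting value 0x202 is an assumption (reserved bit 1 and IF set, nothing else).

```python
# Added example: model the flags line SoftIce prints in the register window.
# Bit positions are the x86 EFLAGS layout; the display order (ODISZAPC) is SoftIce's.
FLAG_BITS = {"O": 11, "D": 10, "I": 9, "S": 7, "Z": 6, "A": 4, "P": 2, "C": 0}
ARITH_FLAGS = "OSZAPC"   # the flags a compare/arithmetic instruction rewrites


def render_flags(eflags: int) -> str:
    """Render EFLAGS the way SoftIce does: set flags as capitals, clear flags in lowercase."""
    return "".join(letter if (eflags >> bit) & 1 else letter.lower()
                   for letter, bit in FLAG_BITS.items())


def flags_after_cmp(a: int, b: int, eflags: int = 0x202) -> int:
    """EFLAGS after a 32-bit 'CMP a, b' (a - b is computed and the result thrown away).

    The default 0x202 is an assumed starting value: reserved bit 1 and IF set, all
    arithmetic flags clear. Only O, S, Z, A, P and C are rewritten by CMP.
    """
    mask = 0xFFFFFFFF
    a, b = a & mask, b & mask
    result = (a - b) & mask
    computed = {
        "C": a < b,                                        # borrow out of bit 31
        "Z": result == 0,                                  # operands were equal
        "S": bool((result >> 31) & 1),                     # result negative as signed
        "O": bool(((a ^ b) & (a ^ result)) >> 31 & 1),     # signed overflow
        "A": bool(((a ^ b ^ result) >> 4) & 1),            # borrow out of the low nibble
        "P": bin(result & 0xFF).count("1") % 2 == 0,       # even parity of the low byte
    }
    cleared = eflags & ~sum(1 << FLAG_BITS[f] for f in ARITH_FLAGS)
    return cleared | sum(1 << FLAG_BITS[f] for f, on in computed.items() if on)


def jz_taken(eflags: int) -> bool:
    """JZ/JE jump when the Zero Flag is set; JNZ/JNE is simply the opposite."""
    return bool((eflags >> FLAG_BITS["Z"]) & 1)


if __name__ == "__main__":
    for a, b in ((0x1234, 0x1234), (5, 7)):
        f = flags_after_cmp(a, b)
        print(f"cmp {a:#x}, {b:#x} -> {render_flags(f)}   JZ taken: {jz_taken(f)}")
```

Equal operands give a zero result, so Z (and P, because 0x00 has an even number of one bits)
come up as capitals; 5 compared with 7 borrows, so C, S and A are set and Z is clear.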

Next we have another window underneath, this is your data window. It shows the value of any
memory address you might need. As an example, type: d F9D2B --this shows the bytes at that
address.

'd' is your display memory command.

Following this we have the code window. This contains the part of the program that we're
looking at. Firstly you have the segment:offset of the code, then the opcode, then the asm
commands we all love :)
( NB you may have to type 'CODE ON' in order to see the opcode )

And finally at the bottom is your input/information window. In other words the bit you use to
talk to SoftIce, and hear its response.

BREAKPOINTS IN GENERAL
-=-=-=-=-=-=-=-=-=-=-=
Breakpoints are a useful (if not essential) addition to a cracker's arsenal. Without them, life would
be a little bit harder for us, and easier for the protectionists. Breakpoints are simply that: points at
which the program will break, due to a condition being met ( we'll look at this in detail now )

BREAKPOINT ON EXECUTE
-=-=-=-=-=-=-=-=-=-=-
SYNTAX: bpx <api function name>

The main problem with cracking... umm.. sorry debugging ( heh! ) is to find yourself an entry
point into the program. The easiest, and most effective way to begin is with breakpoints.

Basically all you need to do is to tell SoftIce when to 'break' into the program so you can see
what's happening. The type of breakpoint that you would use depends upon the type of program
you're trying to 'debug' ;)

To show this we'll take an example:

1. Switch to SoftIce ( CTRL-D ), and type 'bpx GetLocalTime'
2. The prompt should return, switch back to win ( CTRL-D )
3. Double click on the win95 system clock ( usually on your taskbar )

SoftIce should now pop up, at the start of the call to 'GetLocalTime', if you press F11 you will
return to the part of the code that called the function.

Another function call that's useful to breakpoint on when cracking serial number protections is
'GetWindowTextA' or 'GetDlgItemTextA'. This is done in exactly the same way.

1. Click your Start button ( good old MS :P ) and click upon the 'RUN' button.
2. Type in any old crap, ie. 'lalalalalalalalalaa' DON'T PRESS ENTER
3. Switch to SoftIce. ( CTRL-D )
4. Type: BPX GetWindowTextA
5. Switch back to win, now press ENTER

SoftIce pops up at the start of 'GetWindowTextA', so again press F11 to return to the calling
code. GetDlgItemTextA isn't used as much in my experience, but worth trying if nothing happens
on GetWindowTextA.

SEARCHING MEMORY.
-=-=-=-=-=-=-=-=-
SYNTAX: s <start> l <finish> '<string>'

Simple one this. Say you've entered your registration info, and you're lost in the code
somewhere, to help yourself along you can search in memory for your info ( WOW! ;) )

When searching you want to look for it everywhere, so I mainly use:

s 0 l ffffffff 'mystring'

Once found you'll get a nice prompt telling you where in memory it is, and the data window
changes to that address.
To Search again just type: s

This will keep searching, beware though, that in my experience, any strings found around the
80000000+ and C0000000+ areas are either duplicates or bits of shite floating about due to
Win95's amazing management of your ram :) aren't you glad you 'bought' it?!

BREAKPOINTING ON MEMORY ACCESS
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
SYNTAX: BPM <address> R/W

This is usually used in conjunction with the step above, searching. Once you've found your
string, what use is it to you???

Say through searching, I got the prompt:

Pattern Found at 0157:0009AC2D

Ok, this tells us that my string was found at the location 0157:0009AC2D ( doh! ). So to get
SoftIce to monitor this we'd use:

BPM 0157:0009AC2D

The R/W tells SoftIce whether to pop up on a read or write operation to that address. The default
is RW ( read & write )

BREAKPOINTING ON A RANGE OF MEMORY ACCESSES
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
SYNTAX: BPR <start address> <end address> R/W

Sometimes a more useful function. Imagine for example, that you want to track a range of
memory addresses, for example, a Username string, or Unlock Code.

Given the above example, if I was to search for my username, 'mExeLITE'97 cracked bY CoRN2',
and I'm told that it was found at 0157:00643345, and I wanted to keep an eye on the entire range of
memory addresses taken by this string, I would use the syntax:

BPR 0157:00643345 0157:00643345+(Length of string in hex)

This will cause SI to popup whenever any part of the memory within this range is read from or
written to.
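
The search, BPM and BPR sections above are really one workflow, so here is an added Python
model of it (not the tutorial's code, and not SoftIce itself): it runs the 's' search over a
constructed toy address space, throws away the 80000000+ / C0000000+ hits the searching
section warns about, and builds the BPM and BPR command lines for the rest. The segment
0157 and the addresses 0009AC2D / 00643345 are the ones quoted in the tutorial; the memory
contents are made up. Note where the BPR end address comes from: the last character of a
string sits at start + length - 1, so the tutorial's start + length lands exactly on the NUL
that terminates an ASCIIZ string, and the range covers the string plus its terminator.

```python
# Added example: model the search -> BPM/BPR workflow from the tutorial.
# The "address space" below is constructed; 0157 is the segment from the tutorial's
# 'Pattern Found at 0157:0009AC2D' prompt, and the string placed at 0009AC2D is the
# username from the BPR section. The second region mimics the high-memory duplicate
# the searching section warns about.
USERNAME = "mExeLITE'97 cracked bY CoRN2"

REGIONS = {  # linear base address -> bytes in that region (constructed)
    0x0009AC00: b"\x00" * 0x2D + USERNAME.encode("latin-1") + b"\x00" + b"\x90" * 16,
    0x80001000: b"junk" + USERNAME.encode("latin-1") + b"\x00",
}


def fmt_addr(seg: int, off: int) -> str:
    """Render an address the way SoftIce prints it: SSSS:OOOOOOOO."""
    return f"{seg:04X}:{off:08X}"


def search_memory(memory: bytes, base: int, needle: str) -> list[int]:
    """What 's <start> l <length> "needle"' does: every linear address the string occurs at."""
    pattern = needle.encode("latin-1")
    hits, pos = [], memory.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = memory.find(pattern, pos + 1)   # a bare 's' continues from the last hit
    return hits


def search_all(regions: dict, needle: str) -> list[int]:
    """Search every region in address order, like 's 0 l ffffffff'."""
    hits = []
    for base, memory in sorted(regions.items()):
        hits.extend(search_memory(memory, base, needle))
    return hits


def is_suspect_hit(addr: int) -> bool:
    """The tutorial's rule of thumb: hits at 80000000+ and C0000000+ are duplicates or leftovers."""
    return addr >= 0x80000000


def bpm_command(seg: int, off: int, mode: str = "RW") -> str:
    """Break on any read/write of the byte at seg:off (RW is SoftIce's default anyway)."""
    return f"BPM {fmt_addr(seg, off)} {mode}"


def bpr_command(seg: int, off: int, text: str, mode: str = "RW") -> str:
    """Break on any access within the string: end = start + length, i.e. the NUL terminator."""
    return f"BPR {fmt_addr(seg, off)} {fmt_addr(seg, off + len(text))} {mode}"


def plan_breakpoints(regions: dict, needle: str, seg: int = 0x0157) -> list[str]:
    """Search, drop the suspect high-memory hits, and emit SoftIce commands for the rest."""
    commands = []
    for addr in search_all(regions, needle):
        if is_suspect_hit(addr):
            continue
        commands.append(bpm_command(seg, addr))
        commands.append(bpr_command(seg, addr, needle))
    return commands


if __name__ == "__main__":
    for hit in search_all(REGIONS, USERNAME):
        tag = "  (suspect)" if is_suspect_hit(hit) else ""
        print(f"Pattern Found at {fmt_addr(0x0157, hit)}{tag}")
    print("\n".join(plan_breakpoints(REGIONS, USERNAME)))
```

The username is 28 characters, 1C in hex, which is why the BPR for the tutorial's own example
ends at 0157:00643361 and not at something ending in ...73.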

Now we'll look at the additional breakpoint manipulators that'll stop you screaming at SI when it
pops up hours after you've finished cracking.

LIST BREAKPOINTS
-=-=-=-=-=-=-=-=
SYNTAX: bl

Simply lists any defined breakpoints in the following format:

NUM) BREAKPOINT_TYPE PARAMETERS COUNT

An example could be:

00) BPX #0028:09876543 C=01

This tells us that SoftIce will pop up whenever the instruction at address 0028:09876543 is
executed, depending upon the number of times it has occurred, as specified by Count. In the above
example, since C=01, SI will pop up the first time that this occurs.

CLEAR BREAKPOINT
-=-=-=-=-=-=-=-=
SYNTAX: bc <breakpoint(s)>

This clears the specified breakpoint(s), for example:

BC 0    <-- Clears the breakpoint labelled 0
BC 1,4  <-- Clears breakpoints labelled 1 and 4
BC *    <-- Clears all breakpoints

DISABLE BREAKPOINT
-=-=-=-=-=-=-=-=-=
SYNTAX: bd <breakpoint(s)>

Sometimes it'll be more beneficial (and/or useful) to simply disable a breakpoint temporarily,
rather than remove it completely. Again, for example:

BD 1,2,3,5  <-- Disables breakpoints labelled 1,2,3,5
BD 1        <-- Disables breakpoint 1
BD *        <-- Disables all breakpoints

ENABLING BREAKPOINTS
-=-=-=-=-=-=-=-=-=-=
SYNTAX: be <breakpoint(s)>

Obviously, if you can disable breakpoints, then you're going to need to be able to enable them
again. I'll not give you any more examples 'cos this follows exactly the syntax given above.
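
To tie the bl / bc / bd / be sections together, here is an added Python model (not from the
tutorial, and not how SoftIce is written) of the breakpoint table: it parses a 'bl' listing in
the format shown above into records, and then applies the bc, bd and be selectors ('*' or a
comma list like '1,4') so you can see which breakpoints would still fire afterwards. The
listing is constructed: the first line is the tutorial's own example, the rest reuse addresses
from earlier sections, and treating the numbers as decimal is an assumption (they are small
enough that it makes no difference).

```python
import re
from dataclasses import dataclass

# Added example: a model of SoftIce's breakpoint table, fed from a 'bl' listing.
# The listing is constructed in the format the tutorial shows.
BL_LISTING = """\
00) BPX #0028:09876543 C=01
01) BPM #0157:0009AC2D RW C=01
02) BPR #0157:00643345 #0157:00643361 RW
03) BPX GetWindowTextA
"""

# NUM) TYPE PARAMETERS [C=COUNT]   (numbers assumed decimal; they only run 00-15)
BL_LINE = re.compile(
    r"^(?P<num>\d+)\)\s+(?P<kind>\w+)\s+(?P<params>.+?)(?:\s+C=(?P<count>\d+))?$"
)


@dataclass
class Breakpoint:
    num: int
    kind: str          # BPX, BPM, BPR, ...
    params: str        # address(es), R/W qualifier, or API name, verbatim
    count: int = 1     # how many times the condition must occur before SI pops up
    enabled: bool = True


def parse_bl(listing: str) -> list[Breakpoint]:
    """Parse 'bl' output into Breakpoint records; an unrecognised line raises instead of being skipped."""
    table = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = BL_LINE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised bl line: {line!r}")
        table.append(Breakpoint(int(m["num"]), m["kind"], m["params"], int(m["count"] or 1)))
    return table


def select(table: list[Breakpoint], spec: str) -> list[Breakpoint]:
    """Expand a bc/bd/be argument: '*' means all, otherwise a comma list like '1,4'."""
    if spec.strip() == "*":
        return list(table)
    wanted = {int(tok) for tok in spec.split(",") if tok.strip()}
    return [bp for bp in table if bp.num in wanted]


def bd(table: list[Breakpoint], spec: str) -> list[Breakpoint]:
    """Disable: the breakpoint stays defined, SoftIce just ignores it."""
    for bp in select(table, spec):
        bp.enabled = False
    return table


def be(table: list[Breakpoint], spec: str) -> list[Breakpoint]:
    """Enable: the reverse of bd, same selector syntax."""
    for bp in select(table, spec):
        bp.enabled = True
    return table


def bc(table: list[Breakpoint], spec: str) -> list[Breakpoint]:
    """Clear: the breakpoint is removed from the table altogether."""
    gone = {bp.num for bp in select(table, spec)}
    return [bp for bp in table if bp.num not in gone]


def active(table: list[Breakpoint]) -> list[int]:
    """Numbers of the breakpoints that would actually fire."""
    return [bp.num for bp in table if bp.enabled]


if __name__ == "__main__":
    table = parse_bl(BL_LISTING)
    print("active after bl:     ", active(table))
    print("active after bd 1,2: ", active(bd(table, "1,2")))
    print("active after be *:   ", active(be(table, "*")))
    print("left after bc 0:     ", [bp.num for bp in bc(table, "0")])
```

The distinction the tutorial draws is visible in the results: bd leaves the record in the table
with enabled set to False, so a later be can bring it back, whereas bc drops the record entirely.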

SOFTICE & The Net (The Internet/The Information Super-Highway ARRGGH!)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Some people ( not me yet ) have experienced a problem when cracking whilst logged on. This
won't affect people who ( like me ) aren't lucky enough to get FREE LOCAL PHONE CALLS!!
who have to pay £££'s for their phonebills... sorry.

Anyway, if you're logged on and you switch to SoftIce, many people experience a loss in their
connection ( mainly to IRC ). Apparently this is fixable by using the '/AWAY asuidsodj'
command, but I dunno. Try it if you get stuck.

FINAL WORD
-=-=-=-=-=
This tute should ( hopefully, unless I totally messed it up ) cover enough about SoftIce to allow
the average newbie to get started. I know there is a shit load of stuff I haven't covered, there
should be a more advanced tut arriving soon (watch this space | | ;) )

If there is anything else you think ppl need to know to get started, or anything you think should
be added, just mail me at CoRN02@hotmail.com and tell me. I can be reached on EFNET, in
#Cracking4Newbies most of the time... someone will be able to help anyway....

Hope this helps anyone who wants to learn a task easier... I could have done with this when I
started. Good Luck!

-- CoRN2 [mE'97/C4N]

::::::::::::::::::::: m E X / c 4 N T U T O R I A L D I V I S I O N ::::::::::::::::::::::::::
