Tutorial on Soft-Ice and a byte on the side [ Part 1 ] - By CoLdBLood
Released on 1999/12/01 for Rift.
Introduction
This is a short tutorial on how to use the Soft-Ice debugger and what you can do with it.
I have worked with Soft-Ice for a while now and, knowing only the basics, I have found
it sufficient for my needs. This is part one of two. Because I have little time this
part is short and contains only two examples, but it covers all the basics you need to
get started; part two will be more advanced, with many more examples ranging from DOS
to Windows, so be sure to get a copy of part two as soon as it is available.
Requirements
This is a tutorial on Soft-Ice, so to use what I show here and to fully understand
what is going on you MUST get a copy of it. I use Soft-Ice v3.0 for Windows. It's an
old version, but if you have a newer version these examples and methods should
definitely work with it as well. *** SOME assembler knowledge *** is required: if you
know how the Jxx (conditional jump) opcodes work, what the flags are and how they
work, and you have some knowledge of segments and offsets, you should get along fine.
A hex editor is a must if you want to test your modifications or make them permanent.
I use Hex Workshop, which comes with a hex calculator and a base converter.
Disclaimer
Well, considering the fact that there are examples here of how to illegally de-protect
software, I think I MUST put this here. I take no responsibility for anybody's actions
after they have read this tutorial, and I will deny every accusation that these
"cracks" are mine, for the reason that they were created by a coder who was tripping on
coffee and suffering from fatigue - hence I plead temporary insanity ...
Greets
Greets go to everyone in #programming on the new zanet and the SA demo scene.
Contact Info
You can get hold of me at: coldblood@mailbox.co.za or in #programming on the new
zanet server (timewiz.zanet.net). Feedback would be very, very helpful in making up
my mind whether I should even make a Part 2.
Soft-Ice. Soft-Ice, reader. (Now shake hands)
I have a monochrome monitor attached to my system which Soft-Ice outputs to; this
makes using Soft-Ice 100% easier and friendlier to your system. I DEFINITELY
recommend that you get a monochrome monitor if you want to seriously start using
Soft-Ice. Soft-Ice can also display on your current screen, just make sure you select
the correct settings and test it. Make sure your mouse WORKS in Soft-Ice or else you
are *going* to struggle unnecessarily.
Here are a few keys you can use in Soft-Ice:
F1 : Brings up a description of all the keys and available commands
F2 : Toggles the register window
F4 : Restores the program screen
F5 : Returns to the program
F6 : Moves the cursor to the code window
F8 : Single-steps one instruction, stepping INTO calls
F10 : Single-steps one instruction, stepping OVER calls
F12 : The most powerful key in Soft-Ice: runs until the current procedure returns to
its caller (explained in the WinZip example below)
CTRL+D : The hot key that pops you into Soft-Ice
Note that each key can be remapped and you can even set up new keys; each key simply
executes the Soft-Ice command assigned to it.
To use Soft-Ice for your coding and other needs there are only a few commands you
need to know:
a : This is the assemble command. You use it to enter assembler instructions at a
certain segment:offset.
Usage: a address
Ex. if you want to put an ADD AX,AX instruction at 0030:0010 you would
type: a 0030:10
Now you can enter the assembler instruction ADD AX,AX and hit enter. NOTE:
after you hit enter you are STILL in assemble mode; to leave it, just hit
enter again on an empty line.
bl : This command lists all the current breakpoints. If a breakpoint is
disabled it will have a * after its number.
Usage: bl
bc : This command clears all breakpoints or a specific breakpoint.
Usage: bc [NR|*]
NR - the number of the breakpoint to be cleared; you get the
number of a breakpoint from the bl command
* - this will clear ALL the breakpoints
bd : This disables all breakpoints or a specific breakpoint.
Usage: bd [NR|*]
NR - this will disable the breakpoint with this number
* - this will disable all the breakpoints
be : This enables breakpoints again, with the same NR|* arguments as bd
(we use be * in the second example below).
Usage: be [NR|*]
bpr : This command places a breakpoint on a memory range that you specify.
Usage: bpr address1 address2 [R|W|RW]
address1/2 - each is a segment:offset
R - break if something reads from the range
W - break if something writes to the range
RW - break if something reads from or writes to the range
Your memory range runs from address1 to address2 and a break will occur
as soon as something tries to read/write the specified range, depending
on which option you selected.
s : This is the SEARCH command, used to find data.
Usage: s address Llength data/string
Ex. if you want to find where the word 'Soft-ice' is in memory you would
simply type: s xxxx:yyyyyyyy Lzzzzzzzz 'Soft-ice' - notice
the ' before and after the word Soft-ice. The x's represent
a segment in hex, so you can replace it with, say, 0030 or whatever segment
is valid. The y's represent an offset in hex; this can be a 32-bit
or 16-bit offset. The L is for Length and the z's represent the
length in hex; this lets you specify how far it must search from the
specified offset. I always use Lffffffff. So a proper example of our
'Soft-ice' search would be: s 0030:0 Lffffffff 'Soft-ice'
When it finds a match it will display it in your DATA window; if it
doesn't, your DATA window will stay the same. Say you want to search for a
certain sequence of bytes, ex. 30 20 10. These bytes are in hex, so you would
type: s xxxx:yyyyyyyy Lffffffff 30 20 10
Note that each byte is separated by a space and is not enclosed in '.
Remember these bytes are in hex.
That's it, that's all you need to get started.
Break Points
Breakpoints are a kind of trigger: as soon as the CPU tries to execute an instruction
you placed a breakpoint on, it will immediately be stopped and break into Soft-Ice.
Breakpoints can also be placed on memory ranges; as soon as something tries to
read/write from/to the range you placed a breakpoint on, it will again stop and
break into Soft-Ice at the code that caused the break. Double clicking on an
instruction in Soft-Ice will place a breakpoint on that instruction and
highlight it.
What Soft-Ice Looks Like
Image 1
Now take a look at image 1. This is a screen shot of Soft-Ice, which I have
color coded so that I can explain the different sections.
The Register Window:
This is the RED, YELLOW and GREEN parts. The red part contains all the registers
with their current contents. The yellow part is the flags: when the letter of a
flag is in lower case the flag is not set, if it is in upper case it is set.
The green part only shows when the assembler instruction in the code window refers
to a location in memory. This window can be toggled with the
command WR or the F2 key.
The Data Window:
This is the PURPLE part in the picture; it is used to view the contents of an
address. The part on the left is the segment:offset of the location you are
viewing, next to it is the data in hex divided up in bytes (you can change it to
output words, dwords etc. by clicking on the word 'byte' in the window; this
word changes each time you click on it to show the current output format), and next
to this is the representation of the bytes as text. You can directly modify the
contents by clicking on a byte or on the text part and entering the new values.
This window can be toggled with the WD command.
The Code Window:
This is the BLUE part. This window shows the assembler instructions of the code
currently executing. The left part is again the segment:offset being viewed,
next to it are the assembler instructions. If you use the CODE ON command you will
see an extra column added to this window which shows you each instruction's
byte encoding.
The solid blue bar is an indicator showing you which
instruction is to be executed next; in other words, the instruction the bar is on
will be executed next. This window can be toggled with the WC command.
The white/grey part is where you type in your commands.
Now back to the GREEN part. Like I said, this part only pops up when the
assembler instruction in the code window refers to a memory location. Take a look
at the image again and look at which instruction is to be executed next; you will see
it is TEST BYTE PTR [EBX],20. This refers to the memory location DS:[EBX] and
it operates on a BYTE, so look at the green part again: it says DS:C95200E8=62. 62 is
a byte and the value in EBX IS C95200E8, so in other words the green part
shows you the contents of the memory location referenced by the
instruction. If the instruction operated on a word and not a byte, the green part
would have shown a WORD value and not a byte value.
Uses Of Soft-Ice
You can use Soft-Ice for many things, for example:
Looking at the red tape high-level compilers add to your code
Timing your routines to the microsecond
Making patches for software
Optimizing your code
Debugging your code
Cracking software
Using Soft-Ice for your code
Say you want to quickly look at a routine in its assembler form or want to see it
doing its thing in real time. All you have to do is CTRL+D into Soft-Ice,
enter the command I3HERE ON, press F5 and then add a call to
interrupt 3h in the code which you want to examine. What happens is that as long
as I3HERE is on, every time any code executes INT 3h it will break into
Soft-Ice and you can have your way. To disable this you need to type
I3HERE OFF. You can also use interrupt 1h, but then you need to use
I1HERE instead of I3HERE. I'm sure you can see the potential here.
Using Soft-Ice to crack Windows software
When cracking in Windows it is usually a shareware application which lets you
register to the full version if you enter a serial number. Surprisingly, 90% of all
shareware applications' protection schemes are dead easy to crack, unlike their DOS
counterparts. The key to cracking is to get yourself into the right piece of
code. This is VERY easy in normal Windows applications but much more
difficult when the application was written in Visual Basic. There are a few ways
to do this but I'll show you the way I do it.
Guidelines to cracking a shareware application that needs a serial number:
- Go to the registration window
- Enter your name and a UNIQUE number
- Get into Soft-Ice and search for the UNIQUE number in memory - always from
address 0030:0
- Put a breakpoint on the number in memory
- Return to the application
- Press the OK or Register button
- It should break into Soft-Ice after you clicked the button
- Use the F12 key to get back up into the APPLICATION's own code
- Find the "magic" jump
- Patch the "magic" jump
For a UNIQUE number I use 666999. You can use anything as long as it is not already
somewhere in the computer's memory, or you are going to get confused; in other
words it is not a good idea to use 123456. The "magic" jump is the
jump that decides whether the application treats the key as correct or not. Sometimes,
depending on how well the program was written, you don't even have to modify the
"magic" jump itself (in both examples below we patch the instruction that sets EAX
before the jump instead).
Simple example:
test edx,edx ; is the result of the check zero ?
jnz good_code ; "magic" jump: taken when the check passed
bad_code:
xor ax,ax ; zero out ax so the caller knows it's wrong
jmp all_done ;
good_code:
mov al,1 ; put a 1 in al so the caller knows it's right
all_done:
ret ; finish up
In this example, if we replace jnz good_code with jmp good_code it will ALWAYS jump to
the correct code sequence no matter what edx contains.
The applications for the examples that follow can easily be obtained on the internet;
good places to look for them are www.download.com or www.downloadnow.com.
Ok, now for a practical example. Let's start with a nice easy application: WinZip.
This is a very famous application and you most probably already have it on your
system, already registered with a serial number you found somewhere on the
internet. If this is the case just run regedit, open the HKEY_LOCAL_MACHINE
key, then the SOFTWARE key, then the Nico Mak Computing key, then
the WinZip key and finally the WinIni key, and delete the strings SN and Name -
WinZip should now be unregistered. If you don't find these, go have a look in win.ini
under [WinZip] and remove the serial number from there. Be sure to search through the
whole registry for mirrors and remove them. Now that you have an unregistered
version of WinZip let's start. (Alternatively you can just open WinZip, click About
WinZip and press ALT+R.)
Cracking Winzip V7.0 SR-1
Ok, run WinZip and get into its registration window. Now take a look at the
guidelines: next on the list is name and number, so I'm entering CoLdBLood and 666999.
Next we need to CTRL+D into Soft-Ice and search for the number in memory with the
search command; I'm typing this: s 0030:0 Lffffffff '666999'
Ok, it found the search string, so now we need to place a breakpoint on it. You will
see the number you entered in the DATA window. Now use your mouse and right click on
the segment:offset of the first character, then select copy and paste. Then click on
the first character of your number in the DATA window and use the right arrow key
to scroll to the right until the character AFTER the LAST character is where the
FIRST character was, then right click on the segment:offset and copy and paste again.
You will see both addresses you copied and pasted on the line where you enter
commands. Now click on the command line and press the INSERT key; you
will see your cursor enlarge, which means the cursor won't overwrite characters
any more. This is how my command line looks at the moment: 0030:80595F8A0030:80595F93
Now we need to add the breakpoint command in front of it and an r at the end so
that it breaks when something tries to read it. Use your arrow keys to go to the
beginning of the text; mine now looks like this: bpr 0030:80595F8A 0030:80595F93 r
Hit enter to set the breakpoint, then press F5 to return to WinZip and press
the OK button. The idea is that after you press the button WinZip will read the
number to check whether it is correct or not, and as soon as it reads it Soft-Ice will
be activated. Ok, now we are back in Soft-Ice because WinZip is trying to read the
number. Now we use the POWERFUL F12 key. The reason this key is so powerful is
that each time you press it Soft-Ice lets the program run and breaks again as soon as
the current procedure returns to where it was called from, so a few presses take you
out of the Windows code and back up into the application's own code.
Image 2
Now take a look at image 2 (color coded again); see the yellow text
WINZIP32!.text+7036 ? Keep on pressing F12 until you get that message in the same
place. Now the code in your CODE window should look like the code in image
2's CODE window. Take a good look at the code in image 2, do you see anything
strange? Let me first explain the code you see there. The code in RED is
the call to a Windows procedure which caused the breakpoint to be activated; this
means that call read the number you entered. Now look at the GREEN colored
instructions: here we have 3 jumps to the SAME place, which tells me this thing
really wants to make sure it doesn't execute the following code if it shouldn't.
Let's take a closer look at the 3 jumps. The first green jump has a compare
instruction before it; if we right click on the offset between the brackets and
select Display it will dump the contents of that address to our DATA window, and
surprise surprise, what do you see after you dump? The name you entered, in my case I
see CoLdBLood. Now why does it compare the first character of your name with 0?
Easy, it wants to check if you DID enter a name; if you left the name field blank the
first byte would have been 0 and it would have jumped and given you an error message -
ah, Bingo! So here we see the code that says "that was not the correct info" is at
offset 004080B2; in other words it jumps to that address ONLY when something is
wrong, so whatever makes it jump there thinks something is wrong. Ok,
it doesn't jump because we DO have a name in, so let's continue to the next green
jump. Here we see another compare, again with the value 0. I wonder what it could be
comparing? Let's have a look - right click and dump - lo and behold, there's the
serial number we entered in the DATA window, and it's comparing the first character of
our serial number with 0. Obviously it's checking if you entered a serial number, so
let's continue on to the third green jump. Ah, this is different: here we have a call
and a test before the third green jump. It's testing eax with eax, and we know that if
it jumps, it jumps to the bad code, so it should NOT jump. For it NOT to jump eax
must be non-zero, because if it contains 0 the test instruction sets the zero flag
and the jump is taken. So we need to prevent whatever is making eax 0. This last jump
may "seem" to be the "magic" jump but it is not the real one; there is something before
it that makes eax a one or a zero, so we need to find that. The only place it
can be is in the call before the test, so let's go have a look. What we are looking
for is a piece of code that makes eax 0 and then exits. We know we have entered an
incorrect serial number, so if we just step through the code normally (F8 to step into
the call, then F10 inside it) and don't get sidetracked by anything we SHOULD get to
the part where eax is zeroed out. So let's go have a look already! Ok, now we have
stepped through the procedure until we reached the place where it zeroes out eax and
exits.
Image 3
Take a look at image 3. This is where you should be and this is the final place for
this crack. Look at the RED instruction: after it was executed eax became 0 -
look at the blue register, that is eax, and it is zero. And look at the GREEN part,
that's where the procedure exits back to our third GREEN jump. So now we have where
eax gets changed, and all we have to do is make eax ALWAYS be 1. This is pretty simple
to do because MOV EAX,[0047B07C] is 5 bytes long and, coincidentally, MOV EAX,00000001
is also 5 bytes long (the replacement MUST be exactly the same length, otherwise every
instruction after it shifts and the program will crash), so all we do is use the
assemble command in Soft-Ice to patch the red instruction with the MOV EAX,00000001
instruction and see if it works. We also need to write down the byte values of the
code so that we can patch it permanently in a hex editor; here we need to write down:
E897E40400 A17CB04700
Then in Soft-Ice we type: a 0137:00407CB9
and then: MOV EAX,1
Then we write down the newly generated code, which will be the patch: B801000000
Press F5 and click Help->About WinZip and look at your handiwork. Now open your
favourite hex editor, load winzip32.exe in it, and search for the byte pattern
you wrote down (the call bytes in front are there so that you find the right
A17CB04700 and not some other one), then replace A17CB04700 with B801000000 and save
the exe. Make sure to make a backup just to be on the safe side. That's it, WinZip
registered with any name you like and any number you like.
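As an added example (mine, not part of the original tutorial), here is a small Python script that does the hex-editor step above with the checks you want before touching an exe: the replacement must be exactly the same length as the bytes it overwrites, and the anchor pattern (the preceding CALL plus the instruction being replaced) must occur exactly once in the file, otherwise it refuses to patch. A backup is written before the file is changed. The sample buffer is constructed here from the byte values written down above and is not the real winzip32.exe; the function names are mine.

```python
import shutil
from pathlib import Path


def patch_once(data: bytes, anchor: bytes, old: bytes, new: bytes) -> bytes:
    """Return a copy of `data` with `old` replaced by `new` at the one place
    where `anchor + old` occurs.  Refuses to patch when the lengths differ
    (every instruction after the patch would shift) or when the pattern is
    missing or not unique (you would be patching the wrong spot)."""
    if len(old) != len(new):
        raise ValueError("patch must be the same length as the bytes it replaces")
    needle = anchor + old
    first = data.find(needle)
    if first < 0:
        raise ValueError("pattern not found: wrong file or wrong version?")
    if data.find(needle, first + 1) >= 0:
        raise ValueError("pattern occurs more than once: use more anchor bytes")
    off = first + len(anchor)
    return data[:off] + new + data[off + len(new):]


def patch_file(path: str, anchor: bytes, old: bytes, new: bytes) -> Path:
    """Patch a file in place after saving an untouched copy as <path>.bak."""
    target = Path(path)
    backup = Path(str(target) + ".bak")
    shutil.copy2(target, backup)
    target.write_bytes(patch_once(target.read_bytes(), anchor, old, new))
    return backup


# Byte values written down in the WinZip walk-through above.
CALL_BYTES = bytes.fromhex("E897E40400")   # the CALL just before the MOV (anchor)
OLD_BYTES = bytes.fromhex("A17CB04700")    # MOV EAX,[0047B07C]
NEW_BYTES = bytes.fromhex("B801000000")    # MOV EAX,00000001

# Constructed stand-in for the exe (NOT the real winzip32.exe): a few filler
# bytes, the call + mov we are after, and a RET.
SAMPLE = bytes.fromhex("558BEC") + CALL_BYTES + OLD_BYTES + bytes.fromhex("C3")

if __name__ == "__main__":
    print(patch_once(SAMPLE, CALL_BYTES, OLD_BYTES, NEW_BYTES).hex())
    # real use: patch_file("winzip32.exe", CALL_BYTES, OLD_BYTES, NEW_BYTES)
```

The anchor is the point: A1 7C B0 47 00 on its own could appear elsewhere in a large exe, and a search-and-replace that hits the wrong occurrence corrupts unrelated code without any error message.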
Ok, now this is an interesting example because the button you need to
click to register is disabled. That sounds very strange, but it's exactly the same thing.
Holiday Lights 5.0
Right click on the icon in the taskbar and select Enter Serial Number. You will see
a dialog box with a "Name:" and a "Serial Number" field and then an OK button which
is disabled. Obviously, when you enter the correct serial number the OK button is
going to be enabled, which means that as you are typing the serial number it is
being copied and checked to see whether it is the correct number. All we have to do
is put a breakpoint on the serial number in memory and enter the next digit; then it
will break and we step back from there to the authentication code with F12. So step 1
is: enter a unique number in the serial number field, ex. 666999, then CTRL+D into
Soft-Ice and place a breakpoint on your number in memory.
This is what happens after we have entered the number and CTRL+D'd into Soft-Ice:
s 0030:0 Lffffffff '666999'
bpr 0030:002cd979 0030:002cd980 r
PLEASE NOTE:
because we are going to ADD another character in the serial number field we need
to increase our second offset by one. Ex.
if it was: bpr 0030:002cd979 0030:002cd97F r
it should be: bpr 0030:002cd979 0030:002cd980 r
If you don't do this you won't end up in the right place and won't be able to crack
it. Then press F5 and enter another digit in the serial number field; it
should break into Soft-Ice and you should be in some Windows code. Now step back
with F12 until the title at the bottom changes to LIGHTS!.text+xxxxxxxx, where the
x's represent some address. You should end up at code that looks like image 4:
Image 4
Ok, let's take a look at image 4. Do you see how similar this is to WinZip's? Strange
how protection schemes are mostly the same in Windows; it is like all developers
have a tea party and share protection scheme thoughts. Anyway, we immediately notice
the 3 jumps to the same address AGAIN, can they make it more obvious? Now the RED
colored instruction is the call that caused the break. After that we see a
CMP EAX,0000000C, and if we take a look at EAX we will see it contains the length
of our serial number, so this checks whether the serial number is longer than 0C hex
(12) characters, i.e. at least 13 characters. If it is NOT, it aborts, so we now KNOW
that these 3 jumps only jump to the bad code. The second green jump comes after the
BLUE colored call, which means the BLUE colored call is the procedure that checks
whether the code is the correct code. So it's looking for 13 characters or more; let's
give it 13 characters, because we want to fall through the protection scheme and see
where it zeroes out EAX. So we now double click on the red instruction and on the
instruction following it with our mouse, which places a breakpoint on each of
these instructions. We know this code gets called each time we enter a character,
so we disable all our breakpoints with: bd * , and we clear our breakpoint on the
memory range because we don't need it anymore: bc 0 . Now we press F5,
enter 13 characters or more, then press CTRL+D to break back into Soft-Ice and
enable all our breakpoints with: be * , then press F5 again and enter
another character. Soft-Ice should break on the red instruction. Now step over it
with F10 until you reach the first green jump and you will see it doesn't want to
jump anymore because our serial number is long enough. Now we can go looking for
the instruction that zeroes out EAX and patch it. Like you did in WinZip, you
step into the blue procedure (F8) and step through it, until you reach a section
where EAX gets modified and then the procedure exits back to our image 4 code,
so go do it.
Image 5
Ok, you should reach a piece of code that looks like the code in image 5. Take a look
at image 5: do you see where EAX gets modified and do you see that it exits the
procedure? Good, so this is where we need to patch. The BLUE colored instruction
modifies our EAX and it is going to modify it to zero, so what do we do here? We patch
this blue instruction so that EAX is ALWAYS non-zero. The blue instruction is 3 bytes
long, so we need a patch 3 bytes long. MOV AL,1 is 2 bytes long and we are left with
1 byte which we use up with a NOP - NOP is a no-operation instruction which is 1
byte long. (MOV AL,1 only sets the low byte of EAX, but that is enough here: the
caller only tests EAX for zero.) So write down the bytes: 8B45F0 8D65F4
Now go and patch 8B45F0 with B00190.
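Both patches above (WinZip and Holiday Lights) hinge on the replacement being exactly the same number of bytes as the instruction it overwrites. As an added example (mine, not from the tutorial), here is a Python helper that encodes the few instructions those two patches use, pads a shorter replacement with NOPs and refuses one that is too long. The decoding of the blue Holiday Lights instruction 8B 45 F0 as MOV EAX,[EBP-10] and the address of the WinZip CALL (00407CB4, i.e. 5 bytes before the MOV at 00407CB9) are my own deductions from the bytes written down above; the function names are mine.

```python
import struct

NOP = b"\x90"


def mov_eax_imm32(imm: int) -> bytes:
    """MOV EAX,imm32  ->  B8 imm32  (5 bytes)"""
    return b"\xB8" + struct.pack("<I", imm)


def mov_al_imm8(imm: int) -> bytes:
    """MOV AL,imm8  ->  B0 imm8  (2 bytes); only touches the low byte of EAX"""
    return b"\xB0" + struct.pack("<B", imm)


def mov_eax_moffs32(addr: int) -> bytes:
    """MOV EAX,[moffs32]  ->  A1 addr  (5 bytes)"""
    return b"\xA1" + struct.pack("<I", addr)


def call_rel32(at: int, target: int) -> bytes:
    """CALL rel32  ->  E8 rel32  (5 bytes); rel32 is relative to the NEXT instruction"""
    return b"\xE8" + struct.pack("<i", target - (at + 5))


def same_length_patch(old: bytes, new: bytes) -> bytes:
    """Pad `new` with NOPs so it covers `old` exactly.  A longer patch is an
    error: it would run into the instruction that follows `old`."""
    if len(new) > len(old):
        raise ValueError(f"patch is {len(new)} bytes but only {len(old)} are available")
    return new + NOP * (len(old) - len(new))


# WinZip: MOV EAX,[0047B07C] (5 bytes) -> MOV EAX,1 (5 bytes), no padding needed
WINZIP_OLD = mov_eax_moffs32(0x0047B07C)
WINZIP_NEW = same_length_patch(WINZIP_OLD, mov_eax_imm32(1))

# Holiday Lights: 8B 45 F0 decodes to MOV EAX,[EBP-10] (3 bytes) -> MOV AL,1 + NOP
LIGHTS_OLD = bytes.fromhex("8B45F0")
LIGHTS_NEW = same_length_patch(LIGHTS_OLD, mov_al_imm8(1))

if __name__ == "__main__":
    print(WINZIP_OLD.hex(), "->", WINZIP_NEW.hex())
    print(LIGHTS_OLD.hex(), "->", LIGHTS_NEW.hex())
    # Assumed address of the CALL in front of the WinZip MOV; reproduces E897E40400
    print(call_rel32(0x00407CB4, 0x00456150).hex())
```

The MOV AL,1 + NOP pair is what you get when the replacement is shorter than the original; trying MOV EAX,1 (5 bytes) in the 3-byte Holiday Lights slot raises instead of silently clobbering the LEA that follows it.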
Recognizing A Protection Scheme
There are a few things that give away a protection scheme which you will learn to
spot in time; a few of these are:
- Multiple jumps to the same location (as we saw in the previous examples)
- a TEST EAX,EAX directly after a call, followed by a jz or jnz instruction
- a Jxx instruction whose destination is just AFTER a JMP instruction
- whenever you see a NEG EAX instruction it's most probably a protection scheme
BUT most important is that you are in the right place first, or else you will flounder
around in massive chunks of code, which is definitely not fun; if you get lost start
from the BEGINNING, it's the only and best way. Download lots of shareware, or even
those CDs that come with magazines have a few shareware apps on them; they are perfect
to get you started. Don't be surprised if you crack about 20 apps in one night when
you start out, and when you crack your first app it will be like someone switched a
light on in your head. I'm not kidding, it will be like this sensitive "feel" you
will develop for the "right place", a sixth sense if you will.
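The second give-away above, a CALL followed by TEST EAX,EAX and a conditional jump, is regular enough in its byte encoding (E8 rel32, then 85 C0, then 74/75 rel8 or 0F 84/0F 85 rel32) that you can scan a code section for it before you even sit down with Soft-Ice. As an added example (mine, not part of the tutorial), the Python below does exactly that over a constructed byte string standing in for a .text section; the base address, function name and sample bytes are my assumptions. It is a plain byte scan, not a disassembler, so treat hits as candidates to confirm in the debugger: the same bytes can occur inside data or straddle instruction boundaries.

```python
import struct


def find_call_test_jcc(code: bytes, base: int = 0) -> list:
    """Scan raw 32-bit x86 code for  CALL rel32 / TEST EAX,EAX / JZ|JNZ  and
    return one dict per hit with the addresses you would want to look at:
    where the sequence sits, what the CALL invokes (the routine that decides
    EAX, like the BLUE call in image 4) and where the Jcc goes (the "bad" code
    if the jump is taken on zero).  Byte pattern only: false positives inside
    data are possible, so confirm each hit in the debugger."""
    hits = []
    i = 0
    while i + 9 <= len(code):            # 5 (call) + 2 (test) + 2 (short jcc)
        if code[i] == 0xE8 and code[i + 5:i + 7] == b"\x85\xC0":
            rel = struct.unpack_from("<i", code, i + 1)[0]
            call_target = base + i + 5 + rel
            j = i + 7                    # start of the Jcc
            if code[j] in (0x74, 0x75):  # JZ rel8 / JNZ rel8
                disp = struct.unpack_from("<b", code, j + 1)[0]
                jcc_end = j + 2
                name = "jz" if code[j] == 0x74 else "jnz"
            elif (code[j] == 0x0F and j + 6 <= len(code)
                  and code[j + 1] in (0x84, 0x85)):  # JZ rel32 / JNZ rel32
                disp = struct.unpack_from("<i", code, j + 2)[0]
                jcc_end = j + 6
                name = "jz" if code[j + 1] == 0x84 else "jnz"
            else:
                i += 1
                continue
            hits.append({
                "at": base + i,
                "call_target": call_target,
                "jcc": name,
                "jcc_at": base + j,
                "jcc_target": base + jcc_end + disp,
            })
            i = jcc_end
            continue
        i += 1
    return hits


# Constructed sample "code section" (not taken from any real program).
SAMPLE = bytes.fromhex(
    "55"                  # 00: push ebp
    "8BEC"                # 01: mov ebp,esp
    "E810000000"          # 03: call +10h  (the "checker" at offset 18h)
    "85C0"                # 08: test eax,eax
    "7405"                # 0A: jz +5      (skips the mov eax,1, lands on ret)
    "B801000000"          # 0C: mov eax,1
    "C3"                  # 11: ret
    "909090909090"        # 12: padding
    "33C0C3"              # 18: xor eax,eax / ret   (always "wrong")
    "E8F8FFFFFF"          # 1B: call -8    (the same checker again)
    "85C0"                # 20: test eax,eax
    "0F8510000000"        # 22: jnz rel32 +10h (target is outside this sample)
)
BASE = 0x00401000         # assumed load address of the section

if __name__ == "__main__":
    for h in find_call_test_jcc(SAMPLE, BASE):
        print({k: hex(v) if isinstance(v, int) else v for k, v in h.items()})
```

Two hits come back for the sample, both pointing at the same checker routine at 00401018; that is the kind of shared target that makes the "3 jumps to the same place" pattern from the examples stand out when you list the results sorted by call_target.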
Finishing Off
I did not have much time to put this into real tutorial shape and check it for errors,
so if something is wrong mail me and I'll fix it up and tell you about it. Well, I hope
you can see the uses of Soft-Ice and that you didn't get too confused in this tutorial.
Feedback for a part 2 would be great; more advanced topics can be handled in there and
LOTS more examples =) so get in touch.