Start of a Soft-ICE instance (for Windows)

Start of a soft-ice instance (for Windows)

● Text/Jiang Hong

// Jiang Press: Soft-ice is an essential tool for advanced development. Unfortunately, many people do not know how to use it.
// Jiang Hong: This article is not bad. We recommend it to you.

--------------------------------------------------------------------------------

For the convenience of speaking in the future, let's talk about some simple use methods of soft-ice here, so that we won't be confused by e-article's comrades who cannot find the soft-ice instructions in Chinese.

Soft-ice is composed of three parts (soft-ice later mentioned. If no special description is added, it refers to soft-ice for Windows 95 version 2.0 or later): winice. EXE, wldr. EXE (this file is called loader32.exe in 3.0) and the display driver siwvid.exe.

In addition, soft-ice needs to load some dll/EXE function name information at startup, you must manually specify these DLL, according:

Exp = D:/path/name. ext

The format is written in winice. in the DAT file. winice is used in the appendix of this article. dat, you can use it directly, saving yourself from writing so many lines. note that you must include the following lines, otherwise winice may not be able to block anything:

Exp = C:/Win95/system/kernel32.dll
Exp = C:/Win95/system/user32.dll
Exp = C:/Win95/system/gdi32.dll
Exp = C:/Win95/system/comctl32.dll

Generally, we use WLDR (LOADER32 is also called WLDR) to load an EXE file or a DLL file. In most cases, we can also directly execute the EXE file, find it by tracking its various messages. the hotkey used to start WINICE is Ctrl + D. first, we will introduce the general method:

Start WLDR, select the program you want to follow, and click the Load button. The text mode is displayed after a burst on the screen. This is the Soft-ICE tracking interface, but very friendly. you can use the cursor up/down key as DOSKEY to repeat the last input, or enter a part of the last input, and then press the cursor over the key. The last input is completely pasted.

In general, if an NE program is loaded, WINICE will directly find its entry point and calibrate the current light on the first instruction of the EXE. If it is a PE program, WINICE will be parked in an INVALID area. Press F10 to go To the EXE header.

Important function keys:

(1) F10: One-step execution; CALL, INT will be skipped;
(2) F8: One-step execution; CALL, INT will be cut in;
(3) F4: view the program screen;
(4) F11: Calls subprograms are directly executed after RET (F ).
Return to the next command of CALL;

Several important commands are as follows:

(1) G: Execute the program. If an address is added to the program, the execution ends at this address. For example:

2400: 0480 mov ah, 30
2400: 0482 INT 21
2400: 0484 cmp al, 09
2400: 0486 JZ 04F9
2400: 0488 mov ah, 4C
2400: 048A INT 21

Assume that the current CS: IP (EIP) is 2400: 0480. If we execute G directly, a gb is taken to the end and the command line is directly returned, because DOS 9.00 is not available yet, the program directly executes the dos terminate function.

If you change the DOS version number to 9.0 and then execute G 4F9, WINICE will run to 2400: 04F9 and then stop; but if you do not change the version number, then, the command line is returned, because 2400: 04F9 will never be executed in this case.

(2) P: One-step execution program; when only P is executed, it is equivalent to pressing the F10 key; if the p ret parameter is added later, it will be executed to the nearest RET/RETF. Note, IRET will be ignored, so be careful;

(3) T: equivalent to pressing F8;

(4) BPINT: Set the interrupt breakpoint. The format is "BPINT interrupt number [condition]". In WINICE 2.0, the condition can only be one of the following:

Bpint xx ah = AB
Bpint xx al = cd
Bpint xx ax = abcd

In WINICE 3.0, the condition formats are much richer:

Bpint xx if ah = AB
Bpint xx if al = cd
Bpint xx if ax = abcd
Bpint xx if dx-> 4 = abcd (when the value of DS: DX + 4 is 0 xabcd)

There are some other features that are not very commonly used. Please wait for them to be used.

(5) BPX: sets the execution address breakpoint. The format is "BPX address". For the above example, if we execute bpx 486, then we will not end with a G 4F9, because we set a breakpoint at that judgment, WINICE will execute to 2400: 0486 and then stop;

The second usage of BPX is the key of our tutorial. The format is "BPX function name ". this function name can be any Windows API function, Vm command, DLL extraction function, and so on. powerful features. for example, we first start Notepad, then randomly knock something in it, and then press Ctrl + D to execute:

: Bpx messageboxa (case-insensitive)
: G

Disable Notepad, and WINICE will be activated because the breakpoint conditions have been met. notepad will pop up A message box to remind you to save the disk, which enters the MessageBox function, followed by A because we are in Windows 95, the function is character set differentiated. A Indicates ANSI, W indicates Wide, that is, Unicode (Wide character-set ).

(6) BPM: sets the memory access breakpoint. The format is "BPM address". For example, BPM F000: E6F9 sets the breakpoint to the memory location where the BIOS update version is stored in the memory, as long as a program accesses this address, WINICE will be activated. in addition, you can separately set the access conditions for the address: Read (R)/write (W)/execute (X ). you only need to add the corresponding letters to the end. take that section "one G to the end" as an example:

: Bpm 2400: 0486 x
: G

The same effect as bpx 486.

(7) BMSG: tracks Windows messages. The format is "BMSG message name". For example, run Notepad, press Ctrl + D to activate WINICE, and enter:

: Bmsg wm_char
: G

Then return to notepad and press a key to activate winice. The reason is that we set a breakpoint on the key message.

(8) BL: lists all breakpoints. The format is "Bl". It lists all breakpoints according to the number starting from 0;

(9) BC: Clear the breakpoint. The format is "BC breakpoint number", which is the one listed by BL. The format is "BC *", the function is to clear all breakpoints.

(10) RFL: Change the flag. The format is "RFL flag". For example, if the current Z flag (zero bit) is set to a bit, it will be clear after "rfl z" is executed; if the C flag is in the clear status, "rfl c" sets it to a bid. For example:

: G 486
: RFL Z
: G 4f9

This time, we can go to the 4f9 location.

(11) A: Enter the winice small assembly status, in the format of "A address". You can also directly assemble the data in the current Cs: IP address without adding the address value. For example:

: G 486
: A 2400: 0486
2400: 0486 jnz 4f9
2400: 0488 (Press enter to end the Assembly)
: G 4f9

Or g to 4f9.

(12) E: Enter the winice memory modification status. The format is "e address". You can also directly modify it at ds: DX without adding the address value. For example:

: E 2400: 0485
2400: 0485-09 74 XX
(The cursor stops below 09. We ENTER 09 EB and press ENTER to end the modification)
2400: 0485-09 EB XX

Then "g 4f9" can reach 4F9; the EB we input is the JMP machine code.

(13) U: disassembly; format: "U address", you can also add an address directly in the current CS: IP (EIP) decompile 12 rows (the number of rows depends on the width of the CODE column ).

(14) R: change the value of the Register. The format is "R register name = value". You can also add no value to the register. WINICE will allow you to directly modify the value in the top register area, the Optical Mouse key can be moved between BITs. for example:

: G 484
: R ax = 0009
: G 4f9

It's 4F9.

The basic commands are these 14. If necessary, you can add them at any time.

--- How to disassemble ACDSee '95
ACDSee '95 is a fast, functional, and many formats with few bugs... graphic browsing Program (don't think about it! Take ACDSee '95 1.0 official version as an example to see how to disassemble such programs.

The first step is to obtain the program, which can be in:

Http://www.acdsys.com/download.htm)

It can also be obtained in many domestic BBS. Note: We need its official version. Otherwise, many address values are incorrect, but the principle is the same.

First, use this program. After you read about 30 images, the program will frequently remind you to register. in addition, there is a register button in the program's about dialog box for you to register. let's try what the registration looks like. enter a name in the register dialog box, such as "EGIS-PCE '97". Press the tab key to enter a number in the code column, such as 12345, and press Enter.

Ah! A message box pops up in ACDSee '95, telling you that the entered number is invalid .:..(

Let's think about how this judgment should work. It's not hard to guess:

(1) obtain the name entered by the user;
(2) obtain the registration number entered by the user;
(3) Use a certain algorithm for testing;
(4) judge whether it is legal;
(5) if valid, the registration message is displayed;
(6) If it is invalid, a message box will pop up.

Good. it's easy to understand. we can easily see that the key to disassembling is the step 4 above. How can we make this program think that the number you entered is correct. from the "one G to the end" program, we should learn some simple dismantling experience. In that example, we changed a Z sign to achieve the goal of G to 4f9, this method is "universal" and is suitable for this complicated example.

Now let's start splitting. First we guess ACDSee uses the getwindowtexta function to obtain user input information. Let's try:

: BPX getwindowtexta
: G

Then press enter, and winice is not activated. Why? The reason is that ACDSee does not use this function. What is the function used? It is not difficult to think of the getdlgitemtexta function. Let's take a look at it again:

: BC *
: BPX getdlgitemtexta
: G

Press enter. Bingo! Winice activated! Okay. The function we followed is correct. but don't worry, we entered two messages: name and registration number, so this function will be executed twice, so let's continue to G. indeed, winice again blocked a getdlgitemtexta function:

USER32! Getdlgitemtexta
--------------------------------------------------------------
0137: bff61657 mov Cl, 96
0137: bff61659 push EBP
0137: bff6165a mov EBP, ESP
0137: bff6165c push ECx
0137: bff6165d sub ESP, 3C
0137: bff61660 push word PTR [EBP + 08]

Okay, let's get a here. winice blocks this function, and we don't care about how it gets the data. We will go through this function directly. press the F11 key and return to the place where it is called:

0137: 004016fb call EDI; we are back from here
0137: 004016fd XOR Di, di; current EIP
0137: 00401700 Lea EBX, [esp + 18]
0137: 00401704 cmp byte [ESP + 18], 0
0137: 00401709 JZ 401723
0137: 0040170B movsx eax, byte ptr [EBX]

We can see that the two commands under EIP are related to [ESP + 18]. What exactly is [ESP + 18? Let's DUMP it:

: D esp + 18

Haha! The name you entered is stored in [ESP + 18. the next CMP is very effective. It is used to judge whether you have not entered anything. Since we have entered a name, we can use the name to go to the address 40170B.

The following section is:

0137: 0040170E PUSH EAX
0137: 0040170F CALL 0045A230
0137: 00401714 add esp, 04
0137: 00401717 test eax, EAX
0137: 00401719 JZ 0040171D
0137: 0040171B INC DI
0137: 0040171D INC EBX
0137: 0040171E cmp byte pte [EBX], 0
0137: 00401721 JNZ 0040170B
0137: 00401723 cmp di, 05
0137: 00401727 JL 00401841
0137: 0040172d Lea eax, [esp + 38]; registration number
0137: 00401731 Lea eax, [esp + 18]; Name
0137: 00401735 push eax
0137: 00401736 push ECx
0137: 00401737 push 0047a128
0137: 0040173c call 00403560
0137: 00401741 add ESP, 0c
0137: 00401744 CMP eax, 01
0137: 00401747 SBB eax, eax
0137: 00401749 Inc eax
0137: 0040174a test eax, eax
0137: 0040174c JL 00401841
0137: 00401752 Lea eax, [esp + 14]
0137: 00401756 Lea ECx, [esp + 0C]
0137: 0040175a push eax
0137: 0040175b push ECx

A. Let's take a look at the usefulness of this Code. first, we can see that [esp + 38] and [esp + 18] are used in 40172d. After dump, we know that [esp + 38] stores the serial number we entered, the above loop can be skipped directly. input:

: G 40173c

Then there is a CALL. The several pressure stack functions in front of it are pressed by the name and serial number. Then, after a sub-program, the following judgment is made, this CALL is probably a subroutine used to determine whether the name and serial number match. Let's see if this is the case. G to the following judgment:

: G 401744

We can see that EAX is 0 at this time, and then continue to go to 40174C, and find that it is to jump to 401841 to execute the program. we continued and found the broken box popped up. the only branch in the past is in the 40174C location, so we repeat the above steps to 401744, change EAX to 1, and continue to execute the next command at 40174C. let's use G.

Bingo !!! ACDSee '95 tells us that it has been registered. But don't be proud of it. Look at its title bar, or [unregistered.

What's going on? It's easy to think that there are other judgments. Do you have to follow them? No. now that we have found the judgment subroutine, we can directly change it. based on our previous experience, when EAX is 1, it indicates that the name is consistent with the registration number. Then we can change the returned value of EAX to 1.

Trace again, press F8 at the location of 40173C, and then enter the program. We move the code by pressing Ctrl + cursor to 4035FE:

0137: 004035FE test eax, EAX
0137: 00403600 mov eax, 00000001
0137: 00403605 JZ 00403609
0137: 00403607 xor eax, EAX
0137: 00403609 POP EDI
0137: 0040360A POP ESI
0137: 0040360B POP EBX
0137: 0040360C add esp, 4
0137: 00403612 RET

If you have some experience in decompiling the C ++ compiled EXE, you can see that this is actually:

Return (fValid? 1: 0 );

As you can see, 403605 is a key point, that is, this damn command turns the cute EAX into 0. It's easy to know this. Let's jump over it:

: A 403605
0137: 00403605 jmp 403609
0137: 00403607 (Press enter to end the Assembly)

Then execute. HOHOHO again! The title bar has become the registration version. The dismantling is complete!

Return to DOS and write our results back to the EXE file. Just now we changed JZ to JMP, that is

B8 01 00 00 00 74 02 33 C0 5F 5E 5B
Changed:
B8 01 00 00 00 EB 02 33 C0 5F 5E 5B
(The black story is "74 change EB"

Why is the string to be searched so long? Just Replace "74 02" with "EB 02? This is not the case. There may be many "74 02" in the EXE, because JMP $ + 2 is a too common command, and one EXE contains multiple

Mov eax, 00000001
JNZ @ HERE + 2
Xor eax, EAX
POP EDI
POP ESI
POP EBX

There are fewer opportunities. Generally, there is only one opportunity. This is the one we want to change.

It makes no practical sense to get feature strings too long. Instead, it will waste the limited paper resources on the earth. There is only one earth, which is our home, we need to take good care of it ......

Well, use your favorite binary file editor to get rid of it. Then re-Execute ACDSee '95.

Cool! You're done. Hurry up and find a MM to boast ......

I will sum up my experience later. The next time I take a bubble, it will be an old gun:

Experience 1: You now know how to judge the registration code;
Experience 2: You know that the program can be obtained using GetDlgItemText and GetWindowText.
User input data in the Edit Box;
Experience 3: You know that there may be more than one place where the application judges whether the registration number is legal,
The same subroutine is used to complete the test function;
Experience 4: You know the principle of getting a replacement code: --- not too long or too short.