How are registers EAX, AX, AL and AH related?
EAX is a 32 bit register (a 'doubleword', or 'double'). The lower part of
(E)AX is AX, a 16 bit register (word). AX can be decomposed into its higher
and lower parts, AH and AL (which are 8 bit registers).
(E)AX = 934F93AB
Here the higher part of EAX is 934F and the lower part of (E)AX is AX: 93AB. These are
the last 8 bits (byte) of it (remember 2 bits = 1 hex). AH and AL are directly related
to this, as AH=93, AL=AB. They are not independent. Modifying EAX modifies AL, AH, etc.,
and modifying AL changes AX and EAX. (NOTE: what you see in SoftICE [in the register
window] is actually the hex value.) (NOTE2: (E) usually indicates that it is a 16 bit
register.)
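To make the overlap concrete, here is an added C example (not code from the FAQ). EAX is the 32-bit "extended" form of the 16-bit AX, and AX is AH:AL, so the sub-registers are just masks over the same 32 bits; writing AL leaves the upper 24 bits alone, which is exactly why a change to AL shows up in AX and EAX in the SoftICE register window. The struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: one 32-bit value seen through the EAX/AX/AH/AL windows.
 * Masks and shifts are used instead of a union so the result does not
 * depend on the host's byte order. Names are this example's own. */
typedef struct {
    uint32_t eax;   /* full 32-bit register */
    uint16_t ax;    /* low 16 bits (word) */
    uint8_t  ah;    /* high byte of AX */
    uint8_t  al;    /* low byte of AX */
} regs_view;

static regs_view view_eax(uint32_t eax)
{
    regs_view v;
    v.eax = eax;
    v.ax  = (uint16_t)(eax & 0xFFFFu);        /* bits 0..15  */
    v.ah  = (uint8_t)((v.ax >> 8) & 0xFFu);   /* bits 8..15  */
    v.al  = (uint8_t)(v.ax & 0xFFu);          /* bits 0..7   */
    return v;
}

/* Equivalent of MOV AL,imm8: only the low byte changes, bits 8..31 are untouched */
static uint32_t set_al(uint32_t eax, uint8_t al)
{
    return (eax & 0xFFFFFF00u) | al;
}

/* Equivalent of MOV AH,imm8: only bits 8..15 change */
static uint32_t set_ah(uint32_t eax, uint8_t ah)
{
    return (eax & 0xFFFF00FFu) | ((uint32_t)ah << 8);
}

/* Equivalent of MOV AX,imm16: the upper 16 bits of EAX are preserved */
static uint32_t set_ax(uint32_t eax, uint16_t ax)
{
    return (eax & 0xFFFF0000u) | ax;
}

int main(void)
{
    /* The FAQ's own sample value */
    regs_view v = view_eax(0x934F93ABu);
    printf("EAX=%08X AX=%04X AH=%02X AL=%02X\n", v.eax, v.ax, v.ah, v.al);

    /* MOV AL,11h then look at EAX again: 934F9311 */
    printf("after MOV AL,11h: EAX=%08X\n", set_al(v.eax, 0x11));
    return 0;
}
```

The same picture holds for EBX/BX/BH/BL, ECX/CX/CH/CL and EDX/DX/DH/DL; ESI, EDI, EBP and ESP only have the 16-bit alias (SI, DI, BP, SP) on 32-bit x86.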
How can I use the BPM command in SoftICE to find serials?
This is a very useful command. Once you have found where your bogus
serial is parked, you may want to do a BPM SEG:OFFSET r. This will tell SoftICE to break
whenever the program tries to (r)ead your bogus serial (obviously it will, cuz it has to
validate it). Another use is to get to the decrypting routine of packed code. Find the
command that you think is unpacked somewhere. Set a BPM SEG:OFFSET w on it. Restart the
program. BOOM! Into SoftICE, slap bang in the middle of the decryption routine where the
command is (w)ritten to memory. Find an empty space and patch that address after the
decryption routine ;)
What do those abbreviations in the upper right in SoftICE stand for?
CoRN2:
O D I S Z A P C
| | | | | | | |
| | | | | | | +------- Carry Flag
| | | | | | +--------- Parity Flag
| | | | | +----------- Auxiliary Carry Flag
| | | | +------------- Zero Flag ( VERY USEFUL! )
| | | +--------------- Sign Flag
| | +----------------- Interrupt Flag
| +------------------- Direction Flag
+--------------------- Overflow Flag
Can you give me some detailed information on registers?
General purpose registers
EAX: - Accumulator. General use
EBX: - Base ...
ECX: - Count... mainly for loops...
EDX: - Displacement ...
Stack registers
EBP - Base Pointer... for stack..
ESP - Stack Pointer..
Segment registers
CS - Code Segment. This is where the instructions are ...
DS - Data Segment. This is where data can be accessed. Source Segment when dealing with string operations.
ES - Extra Segment. This segment can also be used as a data segment. Source Segment when dealing with string operations.
SS - Stack Segment. This segment is for addresses ...
Index registers
ESI - Source Index. Used by string operations as the source.
EDI - Destination Index. Used by string operations as the destination.
(BX - BX can also be used as an index register. These registers are used together with the segment registers as an offset)
So, what does DS:SI mean then? Well, simply that DS points to the datasegment and SI is an offset in the datasegment.
I'm looking for a tutorial for [insert name]. Can you help me?
To find a tutorial you're looking for, just check out the
PUBLIC TUTORIAL SEARCH ENGINE!
Am I just stupid, or is it impossible to get SoftICE to write to a file?
Say, for example, I want a screen of SoftICE to be written to a text file so I can examine it
later. Can this be done?
FootSteps:
First fire up Symbol Loader and go to the SoftICE initialization settings. Put a history buffer
size of more KB, obviously :-) (the default is 256, not enough for a big listing). Then
fire up SoftICE. Put your breakpoints and all to arrive at the wanted code. Disassemble with,
for example,
U CS:EIP L 1000
And after that CTRL-D immediately to return to Win9x/NT, fire again Symbol Loader and
choose File/Save SoftICE History As ... And the saved file contains your code, SoftICE
loading, all you type (even if you're tracing WITHOUT code window on), etc.
Can you please tell me what CALLs I need to trace?
Normally you need to trace the CALLs before the error message pops up.
Can you please crack [insert name here]?
I don't take crack requests ... if you ask me again to crack something, I'll publish
your e-mail at http://crackmes.cjb.net!!
Can you please send me [insert name here]?
I won't send you anything ... I'll just ignore this e-mail.
I have [insert problem here] with [insert name of tool here]. Can you help me?
Ask the question at Fravia's Tools of
the Trade Forum and you'll get an answer!
What do [eax], [ebx], etc. mean? My question is: what does "[ ]" mean?
VERtiCES:
[ ] means the DATA in it.
For example MOV EAX,DWORD PTR [EDX]
At address EDX, assume that the first 4 bytes are 05 04 AF EE. So, after this instruction,
EAX should have the value EEAF0405h (remember, it's always in REVERSE order).
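The "reverse order" is little-endian byte order: the byte at the lowest address is the least significant byte of the register. Here is an added C example (not code from the FAQ or from VERtiCES) that reproduces the load above from a constructed 4-byte buffer and also shows the store direction, MOV DWORD PTR [EDX],EAX, which lays the bytes back down low byte first. The function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: byte order behind MOV EAX,DWORD PTR [EDX] and its reverse.
 * Works on any host because it never reinterprets memory as a uint32_t. */

/* Assemble a dword from 4 bytes stored least-significant first (x86 little-endian) */
static uint32_t read_dword_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same for a word, e.g. MOV AX,WORD PTR [EDX] */
static uint16_t read_word_le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The reverse, MOV DWORD PTR [EDX],EAX: the low byte lands at the lowest address */
static void write_dword_le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v & 0xFFu);
    p[1] = (uint8_t)((v >> 8) & 0xFFu);
    p[2] = (uint8_t)((v >> 16) & 0xFFu);
    p[3] = (uint8_t)((v >> 24) & 0xFFu);
}

/* Constructed memory contents "at EDX", the bytes from VERtiCES' example */
static const uint8_t sample_mem[4] = { 0x05, 0x04, 0xAF, 0xEE };

/* MOV EAX,DWORD PTR [EDX] over the sample -> 0xEEAF0405 */
static uint32_t mov_eax_dword_ptr_sample(void)
{
    return read_dword_le(sample_mem);
}

/* MOV AX,WORD PTR [EDX] over the sample -> 0x0405 */
static uint16_t mov_ax_word_ptr_sample(void)
{
    return read_word_le(sample_mem);
}

/* Storing 0xEEAF0405 must reproduce the original byte layout 05 04 AF EE */
static int store_matches_sample(void)
{
    uint8_t buf[4];
    write_dword_le(buf, 0xEEAF0405u);
    return memcmp(buf, sample_mem, 4) == 0;
}

/* Store followed by load must give the value back unchanged */
static int roundtrip_ok(uint32_t v)
{
    uint8_t buf[4];
    write_dword_le(buf, v);
    return read_dword_le(buf) == v;
}

int main(void)
{
    printf("bytes at [EDX]: %02X %02X %02X %02X\n",
           sample_mem[0], sample_mem[1], sample_mem[2], sample_mem[3]);
    printf("MOV EAX,DWORD PTR [EDX] -> EAX=%08X\n", mov_eax_dword_ptr_sample());
    printf("MOV AX,WORD PTR [EDX]   -> AX=%04X\n", mov_ax_word_ptr_sample());
    printf("store reproduces layout: %d\n", store_matches_sample());
    return 0;
}
```

This is also why a 32-bit value that looks like text in a hex dump (for example the bytes 41 42 43 44, "ABCD") reads back as 44434241h in a register: the dump shows address order, the register shows significance order.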
I'm a Newbie and need to know if it's possible to find out if something
has been packed or not.
Use GetTyp!
What is HMEMCPY?
Volatility:
HMEMCPY is a Windows API call, which uses memory (RAM) to read, manipulate, compare and
store strings (text you've entered into a program). The function takes the information
you've entered (such as name and serial number in a registration screen) and puts it
into memory. The function then proceeds to manipulate these strings, by moving and
comparing them (for example, comparing the serial number you entered to the correct one),
and then decides whether your string is correct or incorrect. The function then sends this
information back to the application, and you proceed as good guy, or bad guy.
How to find free space in the Code Section of a program?
UFK:
Run ProcDump and press on PE Editor. Open your target program. Now press on the 'Sections'
button and look at the Code section:
Name | Virtual Size | Virtual Offset | Raw Size | Raw Offset | Characteristics
CODE | 00076560     | 00001000       | 00076600 | 00000400   | 60000020
Virtual Offset: The one in memory
Raw Offset: The physical one in the file
Raw Size: Bytes that the Code Segments needed
Virtual Size: Bytes that the Code Segments have
Now if Virtual Offset starts at 1000, how come in SoftICE and stuff we see 4000000 and long
numbers like that? The answer to that question is that there's an Image Base too, and that
is a PREFERRED loading address for the program to be mapped at in the address space. Remember,
PREFERRED, meaning that it can change under certain circumstances.
If you have a look at the above description, you will find out that there are
76600 - 76560 = A0h (240) bytes of free space in the Code Section. The Code Segment starts at
400h (Raw Offset). So Raw Offset + Virtual Size gives us where there
is free space.
400 + 76560 = 76960
Now use your favourite Hex Editor and go to 76960h ... and enjoy using your free space.
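The same arithmetic, done from the raw 40-byte section header instead of by hand, as an added C example that is not code from the FAQ, from UFK, or from ProcDump. It parses an IMAGE_SECTION_HEADER in its documented PE layout (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then relocation/line-number fields and Characteristics), computes the slack between Raw Size and Virtual Size, the file offset where it begins, the RVA-to-file-offset mapping, and the virtual address a debugger would show. The header bytes are constructed from the listing above; the image base of 400000h is an assumption (the common default for Win32 EXEs) and must really be read from the optional header, since, as UFK notes, it can change. Section slack is also the first place an analyst checks for patched-in or injected code, because a clean linker leaves it as padding. Struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: parse one IMAGE_SECTION_HEADER (40 bytes, PE format layout)
 * and derive the numbers UFK reads off ProcDump. Names are this example's own. */
typedef struct {
    char     name[9];               /* 8-byte section name, NUL-terminated here   */
    uint32_t virtual_size;          /* ProcDump "Virtual Size": bytes used in memory */
    uint32_t virtual_address;       /* ProcDump "Virtual Offset": RVA of the section */
    uint32_t size_of_raw_data;      /* ProcDump "Raw Size": bytes stored in the file */
    uint32_t pointer_to_raw_data;   /* ProcDump "Raw Offset": file offset of section */
    uint32_t characteristics;       /* section flags                               */
} section_info;

/* PE fields are little-endian regardless of the host's byte order */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static section_info parse_section_header(const uint8_t hdr[40])
{
    section_info s;
    memcpy(s.name, hdr, 8);
    s.name[8] = '\0';
    s.virtual_size        = le32(hdr + 8);
    s.virtual_address     = le32(hdr + 12);
    s.size_of_raw_data    = le32(hdr + 16);
    s.pointer_to_raw_data = le32(hdr + 20);
    /* bytes 24..35: relocation and line-number fields, not needed here */
    s.characteristics     = le32(hdr + 36);
    return s;
}

/* Slack: file bytes past the section's used data (Raw Size - Virtual Size).
 * Zero when the raw data is not larger than the virtual size. */
static uint32_t section_slack(section_info s)
{
    return s.size_of_raw_data > s.virtual_size ? s.size_of_raw_data - s.virtual_size : 0;
}

/* File offset where the slack begins: Raw Offset + Virtual Size */
static uint32_t slack_file_offset(section_info s)
{
    return s.pointer_to_raw_data + s.virtual_size;
}

/* Map an RVA inside this section to a file offset; -1 if the RVA is outside it */
static long long rva_to_file_offset(section_info s, uint32_t rva)
{
    if (rva < s.virtual_address || rva >= s.virtual_address + s.virtual_size)
        return -1;
    return (long long)s.pointer_to_raw_data + (rva - s.virtual_address);
}

/* ASSUMPTION: 0x400000 is the usual default image base for Win32 EXEs; the
 * real value lives in the optional header and the loader may relocate it. */
#define ASSUMED_IMAGE_BASE 0x00400000u

/* The address a debugger shows for the start of the slack: Image Base + RVA */
static uint32_t va_of_slack(section_info s)
{
    return ASSUMED_IMAGE_BASE + s.virtual_address + s.virtual_size;
}

/* IMAGE_SCN_MEM_EXECUTE (0x20000000) set in Characteristics */
static int section_is_executable(section_info s)
{
    return (s.characteristics & 0x20000000u) != 0;
}

/* Constructed header carrying the values from the ProcDump listing above */
static const uint8_t sample_hdr[40] = {
    'C', 'O', 'D', 'E', 0, 0, 0, 0,   /* Name                           */
    0x60, 0x65, 0x07, 0x00,           /* VirtualSize      = 0x00076560  */
    0x00, 0x10, 0x00, 0x00,           /* VirtualAddress   = 0x00001000  */
    0x00, 0x66, 0x07, 0x00,           /* SizeOfRawData    = 0x00076600  */
    0x00, 0x04, 0x00, 0x00,           /* PointerToRawData = 0x00000400  */
    0, 0, 0, 0,  0, 0, 0, 0,          /* PointerToRelocations, PointerToLinenumbers */
    0, 0,  0, 0,                      /* NumberOfRelocations, NumberOfLinenumbers   */
    0x20, 0x00, 0x00, 0x60            /* Characteristics  = 0x60000020  */
};

static section_info sample_section(void)
{
    return parse_section_header(sample_hdr);
}

int main(void)
{
    section_info s = sample_section();
    printf("%s: %u (0x%X) bytes of slack at file offset 0x%X, VA 0x%X, executable=%d\n",
           s.name, section_slack(s), section_slack(s), slack_file_offset(s),
           va_of_slack(s), section_is_executable(s));
    return 0;
}
```

For a real file the same parser is run over every entry of the section table (NumberOfSections headers following the optional header), and any section whose slack is non-zero but not filled with zero bytes deserves a closer look.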