TORN@DO presents: cRACKER's n0TES
FAQ


Frequently Asked Questions
How are registers EAX, AX, AL and AH related?
EAX is a 32-bit register (a 'doubleword', or 'double'). The lower part of (E)AX is AX, a 16-bit register (word). AX can be decomposed into its higher and lower parts, AH and AL (which are 8-bit registers).

(E)AX = 934F93AB

Here the higher part of EAX is 934F and the lower part of (E)AX is AX: 93AB. AH and AL are directly related to this: each is 8 bits (a byte) of AX, AH=93, AL=AB (remember 2 bits = 1 hex). They are not independent. Modifying EAX modifies AL, AH, etc., and modifying AL changes AX and EAX. (NOTE: what you see in SoftICE [in the register window] is actually the hex value.) (NOTE2: (E) usually indicates that it is a 16 bit register.)
How can I use the BPM command in SoftICE to find serials?
This is a very useful command. Once you have found where your bogus serial is parked, you may want to do a BPM SEG:OFFSET r. This will tell SoftICE to break whenever the program tries to (r)ead your bogus serial (which it obviously will, because it has to validate it). Another use is to get to the decrypting routine of packed code. Find the command that you think is unpacked somewhere. Set a BPM SEG:OFFSET w on it. Restart the program. BOOM! Into SoftICE, slap bang in the middle of the decryption routine where the command is (w)ritten to memory. Find an empty space and patch that address after the decryption routine ;)
What do those abbreviations in the upper right in SoftICE stand for?

    CoRN2:
  
  O D I S Z A P C 
  | | | | | | | | 
  | | | | | | | +------- Carry Flag 
  | | | | | | +--------- Parity Flag 
  | | | | | +----------- Auxiliary Carry Flag 
  | | | | +------------- Zero Flag ( VERY USEFUL! ) 
  | | | +--------------- Sign Flag 
  | | +----------------- Interrupt Flag 
  | +------------------- Direction Flag 
  +--------------------- Overflow Flag
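As an added example (not part of CoRN2's notes above), the C program below computes the flags that CMP a,b leaves behind, i.e. the flags of the subtraction a - b whose result is thrown away, so you can predict by hand which conditional jump will be taken after it. CMP does not touch the D and I flags, so they are printed as 0; the printout follows the O D I S Z A P C order of the SoftICE register window.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original notes: models the flag results
 * of CMP a,b (the subtraction a - b with the result discarded). */

typedef struct {
    int cf, pf, af, zf, sf, of;   /* 1 = flag set, 0 = flag clear */
} eflags_t;

static eflags_t cmp_flags(uint32_t a, uint32_t b)
{
    uint32_t r = a - b;                      /* 32-bit wraparound, like the CPU */
    eflags_t f;
    f.zf = (r == 0);                         /* zero flag: a == b */
    f.sf = (r >> 31) & 1;                    /* sign flag: bit 31 of the result */
    f.cf = (a < b);                          /* carry flag: unsigned borrow */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;  /* overflow flag: signed overflow */
    f.af = ((a ^ b ^ r) >> 4) & 1;           /* auxiliary carry: borrow out of bit 3 */
    /* parity flag: set when the low byte of the result has an even number of 1 bits */
    uint8_t lo = (uint8_t)r;
    int ones = 0;
    for (int i = 0; i < 8; i++)
        ones += (lo >> i) & 1;
    f.pf = (ones % 2 == 0);
    return f;
}

/* Prints the flags in the order SoftICE shows them: O D I S Z A P C. */
static void print_flags(const char *label, eflags_t f)
{
    printf("%-20s O=%d D=0 I=0 S=%d Z=%d A=%d P=%d C=%d\n",
           label, f.of, f.sf, f.zf, f.af, f.pf, f.cf);
}

int main(void)
{
    print_flags("CMP 5,5", cmp_flags(5, 5));               /* Z=1: JE/JZ taken */
    print_flags("CMP 3,7", cmp_flags(3, 7));               /* C=1, S=1: JB and JL taken */
    print_flags("CMP 7,3", cmp_flags(7, 3));               /* all clear: JA and JG taken */
    print_flags("CMP 80000000h,1", cmp_flags(0x80000000u, 1)); /* O=1: signed overflow */
    return 0;
}
```

Run it, then compare with what the register window shows after stepping over the same CMP in SoftICE; the zero flag line is the one you will read most often, since JE/JNE decide on it alone.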
    

Can you give me some detailed information on registers?
General purpose registers
EAX: - Accumulator. General use
EBX: - Base ...
ECX: - Count... mainly for loops...
EDX: - Displacement ...


Stack registers
EBP - Base Pointer... for stack..
ESP - Stack Pointer..


Segment registers
CS - Code Segment. This is where the instructions are ...
DS - Data Segment. This is where data can be accessed. Source Segment when dealing with string operations.
ES - Extra Segment. This segment can also be used as a data segment. Source Segment when dealing with string operations.
SS - Stack Segment. This segment is for addresses ...


Index registers
ESI - Source Index. Used by string operations as the source.
EDI - Destination Index. Used by string operations as the destination.
(BX - BX can also be used as an index register. These registers are used together with the segment registers as an offset.)

So, what does DS:SI mean then? Well, simply that DS points to the data segment and SI is an offset in the data segment.
I'm looking for a tutorial for [insert name]. Can you help me?
To find a tutorial you're looking for, just check out the PUBLIC TUTORIAL SEARCH ENGINE!
Am I just stupid or is it impossible to get SoftICE to write to a file? Say for example I want a screen of SoftICE to be written to a text file so I can examine it later. Can this be done?

FootSteps:

First fire up Symbol Loader and go to the SoftICE initialization settings. Put a history buffer size of more KB, obviously :-) (the default is 256, not enough for a big listing). Then fire up SoftICE. Put your breakpoints and all to arrive at the wanted code. Disassemble with, for example,

   U CS:EIP L 1000

And after that, CTRL-D immediately to return to Win9x/NT, fire up Symbol Loader again and choose File/Save SoftICE History As ... The saved file contains your code, the SoftICE loading, all you typed (even if you're tracing WITHOUT the code window on), etc.
Can you please tell me what CALLs I need to trace?
Normally you need to trace the CALLs before the error message pops up.
Can you please crack [insert name here]?
I don't take crack requests ... if you ask me again to crack something, I'll publish your e-mail at http://crackmes.cjb.net!!
Can you please send me [insert name here]?
I won't send you anything ... I'll just ignore this e-mail.
I have [insert problem here] with [insert name of tool here]. Can you help me?
Ask the question at Fravia's Tools of the Trade Forum and you'll get an answer!
What do [eax], [ebx], etc. mean? My question is: what does "[ ]" mean?

VERtiCES:

[ ] means, the DATA in it.

For example MOV EAX,DWORD PTR [EDX]
At address EDX, assume that the first 4 bytes are 05 04 AF EE. So, after this instruction, EAX should have the value EEAF0405h (remember, it's always in REVERSE order).
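The two points made above (AL, AH and AX living inside EAX, and [EDX] meaning the DWORD stored at EDX, read in reverse byte order) can be checked without a debugger. The C program below is an added example, not code from the original notes or from VERtiCES: the register is modelled as a plain 32-bit value loaded with the FAQ's 934F93AB, and the four bytes 05 04 AF EE are a constructed memory buffer standing in for whatever EDX points to.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original FAQ): models the overlap of EAX, AX,
 * AH and AL, and a DWORD PTR load that assembles bytes least significant first. */

typedef uint32_t reg32;   /* a 32-bit value stands in for the register */

static uint16_t get_ax(reg32 eax) { return (uint16_t)(eax & 0xFFFF); }
static uint8_t  get_ah(reg32 eax) { return (uint8_t)((eax >> 8) & 0xFF); }
static uint8_t  get_al(reg32 eax) { return (uint8_t)(eax & 0xFF); }

/* MOV AL,v : only the lowest byte changes, the rest of EAX is kept. */
static reg32 set_al(reg32 eax, uint8_t v)  { return (eax & 0xFFFFFF00u) | v; }
/* MOV AH,v : only bits 8..15 change. */
static reg32 set_ah(reg32 eax, uint8_t v)  { return (eax & 0xFFFF00FFu) | ((reg32)v << 8); }
/* MOV AX,v : the low word changes, the high word of EAX is kept. */
static reg32 set_ax(reg32 eax, uint16_t v) { return (eax & 0xFFFF0000u) | v; }

/* MOV EAX,DWORD PTR [p] : four bytes from memory, first byte is the lowest. */
static reg32 load_dword(const uint8_t *p)
{
    return (reg32)p[0] | ((reg32)p[1] << 8) | ((reg32)p[2] << 16) | ((reg32)p[3] << 24);
}

int main(void)
{
    reg32 eax = 0x934F93ABu;
    printf("EAX=%08X AX=%04X AH=%02X AL=%02X\n",
           (unsigned)eax, get_ax(eax), get_ah(eax), get_al(eax));

    printf("MOV AL,00   -> EAX=%08X\n", (unsigned)set_al(eax, 0x00));   /* 934F9300 */
    printf("MOV AH,12   -> EAX=%08X\n", (unsigned)set_ah(eax, 0x12));   /* 934F12AB */
    printf("MOV AX,1234 -> EAX=%08X\n", (unsigned)set_ax(eax, 0x1234)); /* 934F1234 */

    /* constructed bytes at [EDX], as in the question above */
    const uint8_t mem[4] = {0x05, 0x04, 0xAF, 0xEE};
    printf("MOV EAX,DWORD PTR [EDX] -> EAX=%08X\n", (unsigned)load_dword(mem)); /* EEAF0405 */
    return 0;
}
```

The same byte order applies when you dump memory with the D command: the bytes you see left to right are the low byte first, so read a DWORD from right to left.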
I'm a Newbie and need to know if it's possible to find out if something has been packed or not.
Use GetTyp!
What is HMEMCPY?

Volatility:

HMEMCPY is a Windows API call, which uses memory (RAM) to read, manipulate, compare and store strings (text you've entered into a program). The function takes the information you've entered (such as name and serial number in a registration screen) and puts them into memory. The function then proceeds to manipulate these strings, by moving and comparing them (for example, comparing the serial number you entered to the correct one), and then decides whether your string is correct or incorrect. The function then sends this information back to the application, and you proceed as good guy, or bad guy.
How to find free space in the Code Section of a program?

UFK:
Run ProcDump and press PE Editor. Open your target program. Now press the 'Sections' button and look at the Code section:

Name   Virtual Size   Virtual Offset   Raw Size   Raw Offset   Characteristics
CODE   00076560       00001000         00076600   00000400     60000020


Virtual Offset:  The one in memory
Raw Offset:      The physical one in the file
Raw Size:        Bytes that the Code Segments needed
Virtual Size:    Bytes that the Code Segments have

Now if the Virtual Offset starts at 1000, how come in SoftICE and stuff we see 4000000 and long numbers like that? The answer to that question is that there's an Image Base too, and that is a PREFERRED loading address for the program to be mapped at in the address space. Remember, PREFERRED, meaning that it can change under certain circumstances.

If you have a look at the above description, you will find out that there are 76600 - 76560 = A0h (240) bytes of free space in the Code Section. The Code Segment starts at 400h (Raw Offset). So Raw Offset + Virtual Size gives us where there is free space.

400 + 76560 = 76960

Now use your favourite Hex Editor and go to 76960h ... and enjoy using your free space.
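Added example, not UFK's code: the C program below does the same Raw Offset + Virtual Size arithmetic on the CODE section quoted above and then uses it the other way round, as a check. The slack between the end of the real code (Raw Offset + Virtual Size) and the end of the raw section data (Raw Offset + Raw Size) is padding the linker leaves zero-filled, so non-zero bytes in that region are a sign that the file was modified after it was built. The file image here is a constructed zero-filled buffer of the right size, not a parsed PE file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original notes): section slack arithmetic and a
 * check that the slack is still the zero padding the linker wrote. */

typedef struct {
    uint32_t virtual_size;    /* bytes the code actually has */
    uint32_t virtual_offset;  /* RVA of the section in memory */
    uint32_t raw_size;        /* bytes reserved for it in the file */
    uint32_t raw_offset;      /* where the section starts in the file */
} section_t;

/* File offset where the slack starts: Raw Offset + Virtual Size. */
static uint32_t slack_start(const section_t *s)
{
    return s->raw_offset + s->virtual_size;
}

/* Slack length: Raw Size - Virtual Size (0 when the code fills the section). */
static uint32_t slack_len(const section_t *s)
{
    return s->raw_size > s->virtual_size ? s->raw_size - s->virtual_size : 0;
}

/* Number of non-zero bytes in the slack, or -1 when the header claims more
 * raw data than the file holds (a corrupt or truncated header). */
static long count_nonzero_slack(const section_t *s, const uint8_t *file, size_t file_len)
{
    uint64_t end = (uint64_t)s->raw_offset + s->raw_size;
    if (end > file_len)
        return -1;
    uint32_t start = slack_start(s);
    uint32_t len = slack_len(s);
    long n = 0;
    for (uint32_t i = 0; i < len; i++)
        if (file[start + i] != 0)
            n++;
    return n;
}

int main(void)
{
    /* The CODE section values quoted in the answer above. */
    section_t code = { 0x76560, 0x1000, 0x76600, 0x400 };
    printf("slack starts at file offset %Xh and is %Xh bytes long\n",
           (unsigned)slack_start(&code), (unsigned)slack_len(&code));   /* 76960h, A0h */

    /* Constructed file image: exactly big enough for the section, all zero. */
    static uint8_t file[0x400 + 0x76600];
    memset(file, 0, sizeof file);
    printf("clean image:   %ld non-zero slack bytes\n",
           count_nonzero_slack(&code, file, sizeof file));              /* 0 */

    file[0x76960] = 0x01;   /* one arbitrary byte written into the slack */
    printf("patched image: %ld non-zero slack bytes\n",
           count_nonzero_slack(&code, file, sizeof file));              /* 1 */
    return 0;
}
```

To use it on a real file you would fill section_t from the section table ProcDump shows and pass the file contents as the buffer; a section whose raw data runs past the end of the file is reported as -1 rather than read out of bounds.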





The cRACKER's n0tES are divided into 10 main parts:
 00. INDEX
 01. Assembly for Crackers (CoRN2)
 02. SoftICE (Boot Menu, Setup, Commands)
 03. Breakpoints & Win API Details
 04. Jump Instructions
 05. SET Instructions
 06. Tips & Tricks for Cracking
 07. Window Messages For Crackers
 08. Identifying Functions, Arguments, and Variables (Rhayader)
 09. Commercial Protection Systems
 10. Bitmanipulation (Cruehead)
 11. General Cracking Theory
 12. FAQ

 +A. How to contact me
 +B. What's New?



The cRACKER's n0TES are Copyright © 1998-2000 by TORN@DO of ID. All Rights Reserved. Archived and Re-hosted by Werdstaff