Cracking Tools

Overview

If you don't know your enemy's weapons, you cannot defeat him. Let's take a look at the programs most commonly used by crackers.

SoftICE SoftICE from Compuware (compuware . com) is one of the best debuggers in the DOS environment. You will not find anything better for Windows 9x and NT. Many crackers therefore say that NuMega (the producer of SoftICE) is their favorite company. Since SoftICE is probably the best debugger, we will use it too, and we'll look at it more closely later in this chapter.

TRW2000 This is a debugger for Windows 9x. It isn't as good as SoftICE, but its price is acceptable considering the high quality. You'll find shareware versions online.

WinDasm Together with IDA (discussed below), WinDasm (shown in Figure 2.1) is the best disassembler in the Windows environment. Compared to IDA, WinDasm's disassembled code is shorter and easier to understand. It's a great loss that, unlike IDA, WinDasm is no longer in development. You can find shareware versions online.

IDA Pro (Interactive DisAssembler Pro) IDA (shown in Figure 2.2), by Ilfak Guilfanov, is a wonderful disassembler for DOS and Windows programs. It is not a static disassembler like WinDasm, and it even lets you manage the translation manually. (This is a great feature to have when a program that you want to study uses various tricks to protect it from disassembly.) IDA has many other great features. You can request a demo of IDA Pro from http://www.ccso.com.

Hex Workshop Hex Workshop, from BreakPoint Software (http://www.bpsoft.com) is a hex editor for the Windows environment.

Hiew (Hacker's View) Probably the best HEX editor for the DOS environment.

SoftICE Basics

As mentioned earlier, we will be using SoftICE in this book, so we'll take a closer look at it here. The SoftICE manual is an excellent and comprehensive resource (see Figure 2.3), so we'll just have a look at some of the basics of working with the program.

. *****Examples of export symbols that can be included for Windows 95***** ; Change the path to the appropriate drive and directory

You'll see various libraries listed below the preceding text, from which you can export symbols into SoftICE. Remove the semicolon (;) characters from in front of the kernel32.dll and user32.dll libraries. The text will then look like this:

EXP=c:\windows\system\kernel32.dll EXP=c:\windows\system\user32.dll

You have just permitted functions to be exported to SoftICE from kernel32.dll and user32.dll and from their Windows API calls. Now you can set breakpoints for these calls in SoftICE. For example, you can directly use the command bpx MessageBoxA to set a breakpoint for this API call.

Another way to export to SoftICE is through the SoftICE loader menu, where you select Edit and SoftICE initialization settings. Select Exports in this menu and use the self-explanatory Add to add further exports and Remove to remove them.

Once you have made these changes, you must restart your computer so that SoftICE can be reinitialized. In the following sections I will explain the basics of using SoftICE.

Key Commands

To get into SoftICE, you can use the key combination CTRL+D. This combination always works, whether you are at the Windows desktop or running a program or game. (Figure 2.4 shows what SoftICE looks like when it's running.)

The F11 key is very important. If a breakpoint is set to an API call, SoftICE will stop at the beginning of this call. Pressing F11 again is like calling the RET function, though the API call will be performed before SoftICE stops. The advantage to this is that you don't have to perform manual call tracing, which can be time-consuming.

The BPX Command

The BPX [API call or an ADDRESS] command sets the breakpoint to that API call or address in the program. For example, BPX GETDRIVETYPEA would set the breakpoint to the Windows API GetDriveTypeA function. (You don't have to worry about lowercase or capital letters.) When using the BPX ADDRESS command, you enter a program address where the breakpoint should be set, and if the running program encounters this address, it will be stopped and you will be switched back into SoftICE.

The BPR Switch

The BPR [address1 address2] switch sets the breakpoint within a memory range, specified from address1 to address2. When anything reads from this range or writes to it, the program will be stopped and you will be switched into SoftICE. The switch has three options: r (read), w (write), and rw (read or write).

The BPM Switch

The BPM [address] command sets the breakpoint to a certain memory location. If anything reads from this location or writes to it, the program will be stopped and you will be switched into SoftICE. Like the BPR switch, this switch has three options: r (read), w (write), and rw (read or write).

If you use an x value as the switch, the so-called debug breakpoint will be set. This breakpoint will be written directly into the processor debug registers, and an INT 3h will not be set at the address, as with normal breakpoints. This kind of a breakpoint is much more difficult to discover.

Display Commands

The display commands are as follows:

d [address] This command will show the memory contents in DWORD (4 bytes) beginning at the location defined by the address.

ed [address] This command will let you edit memory contents in DWORD (4 bytes), beginning at the location defined by the address.

r [register value] This command will change the register value. You can use it with conditional jumps.

You can also change special register values.

s [address1 address2 string or byte1, byte2 and so on] This command will search the memory for a string or bytes from address1 to address2. For example, s 400000 401000 "test" will search for a "test" string from address 400000 to address 401000.

s This command will continue searching for a string or bytes from the last found one.

code on This command will show instruction prefixes.

wf This command will show coprocessor register values.

exp This command will show exports.

rs This command will show the program window in the actual state, and will return to SoftICE when you press any key.

address This command will let you insert program code in assembler directly from the entered address.

hboot This command will reset the computer. It is useful in case of a system crash.

Of course, SoftICE also contains many other commands. You can find all of them in the SoftICE documentation.