Getting started with Soft-ICE by example (Windows version)

zhaozj  2021-02-16  56


Text / Jiang Hong

// Jiang's note: Soft-ICE is an indispensable tool for advanced development, but unfortunately many people do not know how to use it.

// Jiang Hong: this piece is quite good; I recommend everyone take a look.

--------------------------------------------------------------------------------

For convenience in what follows, here is a brief description of how Soft-ICE is used, to make up for the absence of Chinese documentation for it.

Soft-ICE (hereafter, unless stated otherwise, always Soft-ICE for Windows 95 version 2.0) consists of three parts: Winice.exe, WLDR.exe (called loader32.exe in version 3.0), and the display driver SiWVID.386.

In addition, Soft-ICE loads the exported function names of certain DLLs/EXEs when it starts, and you must list these files manually, one per line, in the format

EXP=D:\Path\Name.ext

in the file Winice.dat. A winice.dat is attached in the appendix of this article; you can use it directly and save yourself the trouble. Note that the following lines must be included, otherwise Winice will be unable to stop on some things (the symbolic breakpoints used below depend on them):

EXP=C:\WIN95\SYSTEM\KERNEL32.DLL
EXP=C:\WIN95\SYSTEM\USER32.DLL
EXP=C:\WIN95\SYSTEM\GDI32.DLL
EXP=C:\WIN95\SYSTEM\COMCTL32.DLL

Usually we use WLDR (hereafter simply WLDR) to load an EXE or a DLL; in most cases we can also run the EXE directly and trace into it by other means. The hotkey for bringing up Winice is Ctrl-D. First the conventional approach:

Start WLDR, select the program you want to trace, and click the Load button. After a brief flicker the screen switches to text mode: this is Soft-ICE's tracing interface, simple but very friendly. As with Doskey, you can press the up cursor key to recall the last command, or type the first part of the previous command and press up to have the rest of it completed.

Generally, if an NE program is loaded, Winice finds its entry point directly and places the cursor on the first instruction of the EXE; if it is a PE program, Winice stops in an INVALID region, and after pressing F10 you arrive at the EXE's entry point.

The more important function keys:

(1) F10: step over; a CALL or INT is executed as a single step;

(2) F8: step into; a CALL or INT is entered;

(3) F4: view the program's own screen;

(4) F11: for a subroutine entered via CALL, run it to completion and, after its RET(F), return to the instruction following the CALL.

The more important commands:

(1) G: run the program; with an address appended, run until that address. For example:

2400:0480 MOV AH,30
2400:0482 INT 21
2400:0484 CMP AL,09
2400:0486 JZ 04F9
2400:0488 MOV AH,4C
2400:048A INT 21

Suppose the current CS:IP (EIP) is 2400:0480. If we simply type G, the program runs to the end and we return straight to the command line: since there is no DOS 9.00 yet, the compare fails and the program goes on to the DOS terminate function. If you change the DOS version number to 9.0 and then execute G 4F9, Winice runs to 2400:04F9 and stops there; if you do not change the version number, G 4F9 returns to the command line, because 2400:04F9 is never executed in that case.

(2) P: single-step; a bare P is the same as pressing F10. With the parameter RET, "P RET" runs until the nearest RET/RETF. Note that IRET is ignored by P RET, so be careful;

(3) T: equivalent to F8;

(4) BPINT: set a breakpoint on an interrupt; the format is "BPINT interrupt-number [condition]". In Winice 2.0 the condition can only be one of:

BPINT XX AH=AB
BPINT XX AL=CD
BPINT XX AX=ABCD

In Winice 3.0 the condition syntax is richer:

BPINT XX IF AH==AB
BPINT XX IF AL==CD
BPINT XX IF AX==ABCD
BPINT XX IF DX->4==ABCD (triggers when the word at DS:DX+4 is 0xABCD)

There are a few more forms, not commonly used; look them up when you need them. ;)

(5) BPX: set an execution breakpoint; the format is "BPX address". Using the example above again: if we execute BPX 486 and then G 4F9, we do not get there, because a breakpoint was set on the compare; Winice runs to 2400:0486 and stops.

The second use of BPX is the key to this tutorial. The format is "BPX function-name", where the function name can be any Windows API function, VxD service, DLL export, and so on; this is very powerful. For example, start Notepad, type some characters, press Ctrl-D and execute:

:BPX MessageBoxA (not case sensitive)
:G

Then close Notepad. Winice is activated, because the breakpoint condition has been met: Notepad pops up a message box asking whether to save, and to do so it enters the MessageBox function. The trailing A is there because under Windows 95 the API functions come in two character-set variants: A for ANSI and W for Wide, i.e. Unicode (wide character set).

(6) BPM: set a memory access breakpoint; the format is "BPM address". For example, BPM F000:E6F9 sets a breakpoint on the location in memory that holds the BIOS version number; as soon as any program accesses that address, Winice is activated. The kind of access can also be specified separately as read (R), write (W) or execute (X) by appending the corresponding letter. Taking the "one G to the end" fragment again as an example:

:BPM 2400:0486 X
:G

has exactly the same effect as BPX 486.

(7) BMSG: trace Windows messages; the format is "BMSG message-name". For example, run Notepad, press Ctrl-D to activate Winice, and enter:

:BMSG WM_CHAR
:G

Then return to Notepad and press a key: Winice is activated, because we set a breakpoint on the keystroke message.

(8) BL: list all breakpoints; the format is "BL". It lists all breakpoints, numbered from 0;

(9) BC: clear breakpoints; the format is "BC breakpoint-number", where the number is the one shown by BL. There is also the form "BC *", which clears all breakpoints.

(10) RFL: toggle a flag; the format is "RFL flag". For example, if the Z (zero) flag is currently set, "RFL Z" clears it; if the C flag is clear, "RFL C" sets it. For example:

:G 486
:RFL Z
:G 4F9

This time the G reaches 4F9.

(11) A: enter Winice's small assembler; the format is "A address", or A with no address to assemble directly at the current CS:IP. For example:

:G 486
:A 2400:0486
2400:0486 JNZ 4F9
2400:0488 (press Enter on the empty line to finish assembling)
:G 4F9

Again we reach 4F9.

(12) E: enter Winice's memory editor; the format is "E address", or E with no address to edit directly at DS:DX. For example:

:E 2400:0485
2400:0485 - 09 74 xx xx xx xx xx xx xx xx xx xx xx xx xx

(The cursor stops under the 09; we type 09 EB and press Enter to finish the edit.)

2400:0485 - 09 EB xx xx xx xx xx xx xx xx xx

Then "G 4F9" reaches 4F9; the EB we entered is the machine code of the short JMP.

(13) U: disassemble; the format is "U address", or U with no address to disassemble 12 lines from the current CS:IP (EIP) (the number of lines is determined by the height of the code window).

(14) R: change a register; the format is "R register=value". Alternatively Winice lets you edit directly in the register area at the top, moving between fields with the cursor keys. For example:

:G 484
:R AX=0009
:G 4F9

And we arrive at 4F9.

These are the 14 basic commands; if more are needed, I will add them later.

How to crack ACDSee '95

ACDSee '95 is a fast, powerful, many-format, low-bug ... image viewer (no double meaning intended! ;). Here we use ACDSee '95 1.0 to look at how this kind of program is cracked.

First get the program, which can be downloaded from:

http://www.acdsys.com/download.htm(L)

It is also available on many BBSs in China. Note: we need its official release; otherwise many of the address values below will be wrong, although the principle is the same.

Use the program for a while: after viewing about 30 images it starts reminding you frequently to register. There is also a Register button in the program's About dialog. Let us try registering and see what happens. In the Register dialog enter a name, for example "EGIS - PCE '97", press Tab, enter a number in the Code field, for example 12345, and press Enter.

ACDSee '95 pops up a message box telling you the number is invalid. :..

Let us think about how this check must work; it is not hard to guess:

(1) get the name entered by the user;

(2) get the registration number entered by the user;

(3) run some algorithm over them;

(4) decide whether the result is valid;

(5) if valid, show a registered message;

(6) if invalid, pop up a message box.

Good. Knowing this, even though we cannot see the code yet, the key to cracking is step (4) above: how to make the program believe that what you entered is correct. From the "one G to the end" program we already learned some simple cracking experience: in that example we toggled a Z flag to reach 4F9, and this method is "universal"; it applies just as well to this more complicated example.

Now we start. First, guess that ACDSee uses the GetWindowTextA function to read the user's input, and try:

:BPX GetWindowTextA
:G

Then press Enter in the dialog. Winice is not activated. Why? The reason is simple: ACDSee does not use this function. What does it use then? It is not hard to think of GetDlgItemTextA; let us see:

:BC *
:BPX GetDlgItemTextA
:G

Press Enter. Bingo! Winice is activated, so our guess at the function is right. But not so fast: we entered two pieces of information, the name and the registration number, so this function is called twice; we type G once more. Sure enough, Winice stops in GetDlgItemTextA again:

USER32!GetDlgItemTextA
------------------------------------------------------------------
0137:BFF61657 MOV CL,96
0137:BFF61659 PUSH EBP
0137:BFF6165A MOV EBP,ESP
0137:BFF6165C PUSH ECX
0137:BFF6165D SUB ESP,3C
0137:BFF61660 PUSH WORD PTR [EBP+08]

Fine. Winice has stopped inside this function; we do not care how it reads the data, so we let the function run to completion. Press F11 to return to the place that called it:

0137:004016FB CALL EDI        ; we come back here ;)
0137:004016FD XOR DI,DI       ; current EIP
0137:00401700 LEA EBX,[ESP+18]
0137:00401704 CMP BYTE PTR [ESP+18],0
0137:00401709 JZ 00401723
0137:0040170B MOVSX EAX,BYTE PTR [EBX]

Two instructions below EIP we see [ESP+18]. What is that? Let us dump it:

:D ESP+18

Aha! [ESP+18] is the name you entered. The role of the CMP that follows is then obvious: it checks whether you entered a name at all. Since we did, we can ignore it and G to address 40170B.

The next section is:

0137:0040170E PUSH EAX
0137:0040170F CALL 0045A230
0137:00401714 ADD ESP,04
0137:00401717 TEST EAX,EAX
0137:00401719 JZ 0040171D
0137:0040171B INC DI
0137:0040171D INC EBX
0137:0040171E CMP BYTE PTR [EBX],0
0137:00401721 JNZ 0040170B
0137:00401723 CMP DI,05
0137:00401727 JL 00401841
0137:0040172D LEA ECX,[ESP+38]   ; registration number
0137:00401731 LEA EAX,[ESP+18]   ; name
0137:00401735 PUSH EAX
0137:00401736 PUSH ECX
0137:00401737 PUSH 0047A128
0137:0040173C CALL 00403560
0137:00401741 ADD ESP,0C
0137:00401744 CMP EAX,01
0137:00401747 SBB EAX,EAX
0137:00401749 INC EAX
0137:0040174A TEST EAX,EAX
0137:0040174C JL 00401841
0137:00401752 LEA EAX,[ESP+14]
0137:00401756 LEA ECX,[ESP+0C]
0137:0040175A PUSH EAX
0137:0040175B PUSH ECX

Quite a long stretch; let us look at it. At 40172D and 401731 the code takes the addresses [ESP+38] and [ESP+18]. We already know [ESP+18] is the name, and [ESP+38] turns out to hold the serial number entered. The loop above them (40170B to 401721) walks the name character by character, calls the subroutine at 45A230 on each character, counts in DI how many times it returns non-zero, and at 401723 requires at least 5 such characters; with a normal name that passes, so we can skip it. Enter:

:G 40173C

Here is a CALL, preceded by pushes of the name and the serial number and followed by a test of its result, so this CALL is very likely the subroutine that checks whether the name and serial number match. Let us see whether that is so. First G to the test that follows:

:G 401744

EAX is 0 at this point. Continuing to 40174C, we find the program jumps to 401841. Going on from there, the message box appears. The only branch before it was at 40174C, so repeat the steps above up to 401744, change EAX to 1, step the following instructions past 40174C, and G.

Bingo!!! ACDSee '95 tells us it is registered. But do not get too excited: look at the title bar, it still says [unregistered]. :(

What is going on? It is not hard to see: something elsewhere also has a say. Must we trace that too? No need. Since we have found the checking subroutine, we can change it directly. From what we saw, EAX = 1 means the name and registration number match, so we make the subroutine's return value EAX always 1.

Trace again to 40173C and press F8 to enter the subroutine. Use Ctrl plus the cursor keys to scroll the code window to 4035FE:

0137:004035FE TEST EAX,EAX
0137:00403600 MOV EAX,00000001
0137:00403605 JZ 00403609
0137:00403607 XOR EAX,EAX
0137:00403609 POP EDI
0137:0040360A POP ESI
0137:0040360B POP EBX
0137:0040360C ADD ESP,4
0137:00403612 RET

If you have some experience with compiler-generated EXEs, you can see that this is actually the compiled form of:

return (fValid ? 1 : 0);

So 403605 is the key: it is this conditional jump that lets the lovely EAX become 0. Knowing this, we simply jump over it unconditionally:

:A 403605
0137:00403605 JMP 403609
0137:00403607 (press Enter on the empty line to finish)

Then run it again. Hohoho! The title bar now shows a registered version too. The crack is complete.

Back to DOS, to write our result into the EXE. We just changed a JZ into a JMP, that is,

B8 01 00 00 00 74 02 33 C0 5F 5E 5B

becomes

B8 01 00 00 00 EB 02 33 C0 5F 5E 5B

(in cracker jargon this is called "changing 74 to EB" :)

Why search for such a long string? Could we not just replace "74 02" with "EB 02"? No. There may be many "74 02" sequences in an EXE, because JZ $+2 is a very common instruction, whereas the sequence

MOV EAX,00000001
JZ $+2
XOR EAX,EAX
POP EDI
POP ESI
POP EBX

occurs far less often, generally only once, and that one is the place we change.

Making the signature string longer than needed has no practical value either.
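One way to apply such a "74 to EB" patch while enforcing the point just made, as an added example that is not part of the original article and not ACDSee's code: the script searches a constructed sample buffer (not the real ACDSEE executable) for the longer signature, refuses to patch unless that signature matches exactly once, checks that the byte at the patch site really is a short JZ (74) before replacing it with a short JMP (EB), and shows that the two-byte pattern "74 02" matches several times in the same buffer. The sample buffer, its decoy sequences, the offsets and the helper names are all constructed for this example.

```python
# Added example (not from the original article): a signature patcher that
# enforces "the pattern must match exactly once" before changing 74 -> EB.
# Only the 12-byte signature is taken from the text; the sample buffer,
# the decoys, the offsets and all helper names are constructed here.

JZ_SHORT = 0x74   # JZ rel8
JMP_SHORT = 0xEB  # JMP rel8; the same one-byte displacement follows it

# Too short: "JZ $+2" is common, so this pattern is ambiguous.
SIG_SHORT = bytes.fromhex("7402")
# MOV EAX,1 / JZ $+2 / XOR EAX,EAX / POP EDI / POP ESI / POP EBX
SIG_LONG = bytes.fromhex("B801000000" "7402" "33C0" "5F" "5E" "5B")
JZ_OFFSET_IN_SIG = 5  # index of the 74 byte inside SIG_LONG


def find_all(data: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in data (overlaps included)."""
    hits, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def patch_unique(data: bytes, pattern: bytes, rel: int, old: int, new: int):
    """Replace the byte at (unique match of pattern) + rel, old -> new.

    Refuses to patch when the pattern is ambiguous (0 or more than 1 hits)
    or when the byte at the patch site is not the expected opcode.
    Returns (patched_bytes, patch_offset).
    """
    hits = find_all(data, pattern)
    if len(hits) != 1:
        raise ValueError(f"pattern matched {len(hits)} times; refusing to patch")
    off = hits[0] + rel
    if data[off] != old:
        raise ValueError(f"byte at {off:#x} is {data[off]:#04x}, expected {old:#04x}")
    out = bytearray(data)
    out[off] = new
    return bytes(out), off


def build_sample() -> bytes:
    """Constructed code blob: two decoy 'TEST EAX,EAX / JZ $+2 / XOR EAX,EAX /
    RET' sequences around one copy of the check epilogue from the text."""
    decoy = bytes.fromhex("85C0" "7402" "33C0" "C3")
    site = bytes.fromhex("85C0") + SIG_LONG + bytes.fromhex("83C404" "C3")
    return b"\x90" * 16 + decoy + b"\xCC" * 8 + site + b"\xCC" * 8 + decoy


def short_pattern_is_ambiguous(data=None) -> bool:
    """True when the two-byte signature cannot be applied safely to data."""
    data = build_sample() if data is None else data
    try:
        patch_unique(data, SIG_SHORT, 0, JZ_SHORT, JMP_SHORT)
    except ValueError:
        return True
    return False


def demo():
    """Count the short-pattern hits, then apply the unique long-pattern patch.
    Returns (short_hits, patch_offset, patched_opcode, displacement)."""
    data = build_sample()
    short_hits = len(find_all(data, SIG_SHORT))
    patched, off = patch_unique(data, SIG_LONG, JZ_OFFSET_IN_SIG, JZ_SHORT, JMP_SHORT)
    # The rel8 displacement byte after the opcode is untouched, so the JMP
    # lands on the same POP EDI that the JZ used to reach.
    return short_hits, off, patched[off], patched[off + 1]


if __name__ == "__main__":
    print(demo())  # prints (3, 38, 235, 2)
```

The one-byte swap is only safe because JZ rel8 (74 xx) and JMP rel8 (EB xx) share the same displacement encoding; if the compiler had emitted the near form JZ rel32 (0F 84 xx xx xx xx), the jump would have to be rewritten as E9 rel32 with a recomputed displacement, and a "74 to EB" edit would corrupt the code. Checking the opcode at the patch site before writing, as patch_unique does, catches that case.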

Now make the change with the binary editor of your choice and run ACDSee '95 again.

Cool! The big job is done. Quick, find a girl to show off to ... ;)

After the excitement, summarize the experience, so you can pose as an old hand next time:

Lesson 1: you now know the steps a registration-code check goes through;

Lesson 2: you know that a program can read the contents of an edit box with GetDlgItemText or GetWindowText;

Lesson 3: you know that wherever a program checks whether a registration number is valid, it uses the same subroutine to do the check;

Lesson 4: you know a principle of choosing the bytes to replace: the signature must be unique, but not longer than necessary.

Please cite the original URL when reposting: https://www.9cbs.com/read-20513.html
