Common cracking tips and concepts

xiaoxiao2021-03-06  37

1. The Symbol Loader concept. You often hear of "loading" a program with SoftICE or TRW2000; what does this mean? SoftICE comes with a Symbol Loader shortcut. After running it, open the program you want to debug from its menu, then press Load to load that program into the debugger. Once the file is loaded, SoftICE breaks at the file's main function (i.e. the program's entry point). You can also make it break in an exit function by configuring Winice.dat. The usual purpose of loading a program this way is to trace it from its start-up code. Loading in TRW2000 is similar: in the TRW2000 Run window, select the program to debug with Browse, then load it with the Load button.

2. Using the S command to find strings. The S command searches memory for specific data and is very useful. Its general format is: s [-cu] [address L length data-list]. address: the start address of the search. length: the length of the search range (in bytes). data-list: a series of bytes or a string; a string can be enclosed in single or double quotes. -c: case-insensitive search. -u: search for Unicode-encoded strings.

Example: s 30:0 L ffffffff 'String'. This command searches for the string 'String' throughout the 4 GB virtual address range.
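As an added example (not code from the original post), here is a small Python re-implementation of the S command's search semantics over a byte buffer, so the -c and -u options can be tried offline on a memory dump. The MEMORY buffer is constructed for the example and stands in for the address range the debugger would scan; offsets play the role of addresses.

```python
import re

# Constructed sample "memory": a few code bytes, an ASCII string, a UTF-16LE
# string and a NOP sled followed by an upper-case string (not real memory).
MEMORY = (
    b"\x55\x8b\xec"                      # offsets 0..2: fake code bytes
    b"Enter serial\x00"                  # offsets 3..15: ASCII string
    b"W\x00r\x00o\x00n\x00g\x00 \x00"    # offsets 16..41: "Wrong serial" in
    b"s\x00e\x00r\x00i\x00a\x00l\x00"    #   UTF-16LE with a two-byte terminator
    b"\x00\x00"
    b"\x90\x90SERIAL\x00"                # offsets 42..50: two NOPs, then "SERIAL"
)


def search(buf, pattern, start=0, length=None, case_insensitive=False, unicode=False):
    """Return the offsets in `buf` where `pattern` occurs.

    Mirrors `s [-cu] address L length data-list`:
      - `pattern` is bytes (a data list) or str (a quoted string)
      - case_insensitive (-c): ASCII letters match regardless of case
      - unicode (-u): a str pattern is encoded as UTF-16LE before searching
    """
    if isinstance(pattern, str):
        needle = pattern.encode("utf-16-le" if unicode else "ascii")
    else:
        needle = bytes(pattern)
    end = len(buf) if length is None else min(len(buf), start + length)
    window = buf[start:end]
    flags = re.IGNORECASE if case_insensitive else 0
    # re.escape keeps the needle literal; finditer walks the window once.
    return [start + m.start() for m in re.finditer(re.escape(needle), window, flags)]


def report(buf, base, pattern, **opts):
    """Format hits the way a debugger would, using `base` as the load address."""
    return ["Pattern found at %08X" % (base + off) for off in search(buf, pattern, **opts)]


if __name__ == "__main__":
    print(report(MEMORY, 0x401000, "serial"))                         # ASCII only
    print(report(MEMORY, 0x401000, "serial", case_insensitive=True))  # -c
    print(report(MEMORY, 0x401000, "serial", unicode=True))           # -u
    print(report(MEMORY, 0x401000, b"\x90\x90"))                      # data list
```

The case-insensitive flag applies to a Unicode pattern too, because the ASCII letters in UTF-16LE sit in the low byte of each code unit and the interleaved zero bytes are matched literally.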

3. How to compare two files. First, disassemble both with WDASM and then compare the listings with UltraEdit; second, use Hex Workshop 3.0 to compare the two executables; third, use the patch-making tool CodeFusion 3.0 to compare two files (see the Complete lesson for the details).

4. Capturing the SoftICE and TRW2000 debug screens. (1) SoftICE: first run SoftICE's Symbol Loader shortcut and open the "SoftICE Initialization Settings" option from its menu. Make the History Buffer large (the default is 256, which is not enough buffer for the data). Then switch to the SoftICE debug screen, go to the place you want to capture and disassemble the code there, for example: u cs:eip L 1000. Press Ctrl-D to return to the Windows environment, then go to the Symbol Loader program and select File / Save SoftICE History As.... (2) Load IceDump under SoftICE and use the command pagein n [filename], which is more convenient and flexible. (3) Under TRW2000: u 401000, 402000 > MyFile or u 401000 L 100 > MyFile.

5. Make full use of conditional breakpoints. (1) Under SoftICE: BPX ... IF ... or DO "...", for example:
bpx GetWindowTextA if eax==00000008 // break on GetWindowTextA only when EAX = 8
bpx GetWindowTextA do "x" // when GetWindowTextA breaks, SoftICE automatically returns to the Windows interface
bpx GetWindowTextA do "d eax" // when GetWindowTextA breaks, the memory at the address in EAX is automatically displayed

(2) Under TRW2000: bp ?? [if (condition)] [do "statement"]

Special recommendation: from TRW2000 version 1.2 on, conditions on EIP are supported, for example: g if ((byte)*eip == C2 && eip > 401000 && al == FF). This is used to find the entry point when unpacking.

6. Several ways of modifying register data, using "set EAX to 1" as the example.
(1) xor eax, eax // clear EAX
mov eax, 00000001 // put 1 in EAX
(2) xor eax, eax // set EAX to 0
inc eax // EAX plus 1
(3) push 00000001 // push 1 onto the stack
pop eax // pop the 1 into EAX

7. Use as few NOP instructions as possible when patching the original program, unless they are really necessary. Other, better methods can be used instead; for example, inc eax / dec eax can replace two NOP instructions.
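As an added example that is not part of the original post, the following Python model of the handful of x86 instructions used in tips 6 and 7 lets you compare the three "set EAX to 1" sequences, and the inc/dec replacement for two NOPs, for encoded size and for side effects. The opcode bytes are the standard 32-bit encodings; the CPU class, its flag model (ZF, SF, CF only) and the starting register values are assumptions made for the example.

```python
MASK = 0xFFFFFFFF

# Opcode bytes for each modelled instruction (immediates are appended at run time).
ENCODING = {
    "xor eax,eax": b"\x31\xc0",
    "mov eax,imm": b"\xb8",    # B8 imm32
    "inc eax":     b"\x40",
    "dec eax":     b"\x48",
    "push imm8":   b"\x6a",    # 6A imm8
    "pop eax":     b"\x58",
    "nop":         b"\x90",
}


class CPU:
    """Minimal register/flag/stack model, assumed for this example only."""

    def __init__(self, eax=0, zf=0, sf=0, cf=0):
        self.eax, self.zf, self.sf, self.cf = eax & MASK, zf, sf, cf
        self.stack = []            # pushed values, top of stack at the end
        self.stack_writes = 0      # how often memory below ESP was written
        self.code = b""            # bytes the executed instructions occupy

    def _set_zs(self, value):
        self.zf = int(value == 0)
        self.sf = (value >> 31) & 1

    def run(self, program):
        """Execute a list of (mnemonic, immediate) tuples; return self for chaining."""
        for op, imm in program:
            if op == "xor eax,eax":
                self.eax = 0
                self._set_zs(0)
                self.cf = 0                                  # xor clears CF
            elif op == "mov eax,imm":
                self.eax = imm & MASK                        # mov leaves flags alone
            elif op == "inc eax":
                self.eax = (self.eax + 1) & MASK
                self._set_zs(self.eax)                       # inc never touches CF
            elif op == "dec eax":
                self.eax = (self.eax - 1) & MASK
                self._set_zs(self.eax)                       # dec never touches CF
            elif op == "push imm8":
                self.stack.append(imm & MASK)
                self.stack_writes += 1
            elif op == "pop eax":
                self.eax = self.stack.pop()
            elif op == "nop":
                pass
            else:
                raise ValueError("unmodelled instruction: %s" % op)
            self.code += ENCODING[op]
            if op == "mov eax,imm":
                self.code += imm.to_bytes(4, "little")
            elif op == "push imm8":
                self.code += imm.to_bytes(1, "little", signed=True)
        return self


# The three variants from tip 6.
SET_EAX_TO_1 = {
    "xor + mov":  [("xor eax,eax", None), ("mov eax,imm", 1)],
    "xor + inc":  [("xor eax,eax", None), ("inc eax", None)],
    "push + pop": [("push imm8", 1), ("pop eax", None)],
}


def compare_set_eax(eax=0x12345678, zf=1, sf=0, cf=1):
    """Run each variant from the same start state; report result, size and side effects."""
    out = {}
    for name, prog in SET_EAX_TO_1.items():
        cpu = CPU(eax, zf, sf, cf).run(prog)
        out[name] = {
            "eax": cpu.eax,
            "size": len(cpu.code),
            "flags_changed": (cpu.zf, cpu.sf, cpu.cf) != (zf, sf, cf),
            "stack_writes": cpu.stack_writes,
        }
    return out


def nop_vs_inc_dec(eax, zf):
    """Tip 7: inc/dec restores EAX in the same two bytes, but rewrites ZF/SF."""
    nops = CPU(eax, zf=zf).run([("nop", None), ("nop", None)])
    incdec = CPU(eax, zf=zf).run([("inc eax", None), ("dec eax", None)])
    return {
        "same_size": len(nops.code) == len(incdec.code),
        "same_eax": nops.eax == incdec.eax,
        "same_zf": nops.zf == incdec.zf,
    }


if __name__ == "__main__":
    for name, info in compare_set_eax().items():
        print(name, info)
    print("EAX=5, ZF=1 before:", nop_vs_inc_dec(5, zf=1))
    print("EAX=0, ZF=1 before:", nop_vs_inc_dec(0, zf=1))
```

The model makes two practical points visible: xor/inc and push/pop both need only three bytes against seven for xor/mov, but push/pop is the only variant that leaves the flags untouched (at the cost of a stack write), and inc eax / dec eax is a two-byte NOP only for EAX itself; it overwrites ZF and SF, so a conditional jump that follows the patch and depends on an earlier compare can change behaviour.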

Please credit the original URL when reposting: https://www.9cbs.com/read-66190.html
