
                         HELLO ALL!!!!!!!


Sorry it's been a long time since my last instructional tutorial, but I've
been kinda busy.  This really isn't a tutorial, just a few tricks that I use
from time to time.  Have fun, and enjoy :)

                                                josephCo



ps.
     ANYONE that would like to add to this doc can come to #cracking4newbies
     and get ahold of almost any op and send them YOUR little trick.



Well, I'll start off by explaining a little trick I use for attacking serials.
I don't use any of the usual APIs (GetDlgItemText(A), GetWindowText (if that
one is even really used)); I almost always break on HMEMCPY instead.

When I set my breakpoint on HMEMCPY, I single step (F10) into it about 17
to 25 lines.  You should find code similar to this:

PUSH ECX
SHR ECX,2            ;number of dwords to copy
REPZ MOVSD           ;copies dwords from DS:ESI (32 bit) to ES:EDI (32 bit)
POP ECX
AND ECX,3            ;0-3 bytes left over
REPZ MOVSB           ;same as REPZ MOVSD, but 1 byte at a time
XOR DX,DX
XOR AX,AX

NOW, this may seem a little tricky, but just stick with it.  You will find
that this method usually makes it a bit easier to break on your serial or
name.

At REPZ MOVSD, in SoftICE (sice), type D DS:ESI (32 bit) or D DS:SI (16 bit).
You should see your name, serial number, or whatever you typed in.  Now type
D ES:EDI (32 bit) or D ES:DI (16 bit).  This shows the location your
information will be COPIED TO, e.g. 22bf:00000000.  Notice the strange
segment (22bf).  If you BPR on this range using that SEG:OFFSET, you MIGHT
not break again at all, because the segment will not be the same next time.
Now F10 until all of your information is copied (past REPZ MOVSB).  At this
point type PAGE 22BF:00000000 (or whatever SEG:OFFSET you have).  Something
like this will show up:

Linear         Physical         Attributes            Type
80284960       01603960         P D AU RW             System

What we want to do is put a BPR (breakpoint on range) at the linear address.
To do this you need to know how many bytes are in the range, and you HAVE to
use SELECTOR 30.

example:

BPR 30:80284960 30:80284969 RW

This sets a breakpoint on a 10-byte range (the end address is inclusive, so
60h through 69h) for RW (read/write) access.  If you want to see how
different addresses can actually be the same, you can:

D 30:80284960

ALWAYS use selector 30, because it ALWAYS exists: it is the system's flat
data selector with base 0, so 30:linear reaches the same bytes no matter
which segment the program itself is using.  That's just the facts.

Basically all this does is save you from having to F12 out of the normal
API and then searching for your serial/name.  This is extremely useful for
16-bit programs, because the segment always changes.  Now you can go about
your merry way (F5) and repeat the process, or BD n (where n is the number
of your HMEMCPY breakpoint, so it stops firing), and you should break when
your serial/name is read.  Simple ;)
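Here is a small added example (mine, not josephCo's and not anything that
ships with SoftICE) that does the arithmetic of this trick for you: it pulls
the linear address out of a PAGE line, mirrors the SHR ECX,2 / AND ECX,3
split the HMEMCPY tail performs, and prints the BPR command with the
inclusive end address worked out from the length of what you saw at DS:ESI.
The PAGE line and the source bytes are constructed samples, and selector 30
is assumed to be the flat data selector as described above.

```python
import re

# Added example; assumptions: selector 30 is the flat data selector (base 0),
# and the PAGE line / source bytes below are constructed samples.
FLAT_SELECTOR = 0x30

# Constructed sample of what PAGE 22BF:00000000 prints for the copy target.
PAGE_OUTPUT = """\
Linear         Physical         Attributes            Type
80284960       01603960         P D AU RW             System
"""

# Constructed sample of what D DS:ESI showed: a NUL-terminated name.
SOURCE_BYTES = b"josephCo\x00"

# A PAGE data row: linear, physical, attributes, type.  The header row has
# no 8-digit hex fields, so it does not match.
PAGE_ROW = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(.+?)\s+(\S+)$")


def parse_page(output):
    """Return the linear address from the first data row of PAGE output."""
    for line in output.splitlines():
        m = PAGE_ROW.match(line.strip())
        if m:
            return int(m.group(1), 16)
    raise ValueError("no PAGE data row found")


def hmemcpy_split(nbytes):
    """Mirror SHR ECX,2 and AND ECX,3: (dwords for REPZ MOVSD, bytes for REPZ MOVSB)."""
    return nbytes >> 2, nbytes & 3


def copy_like_hmemcpy(src):
    """Copy src the way the HMEMCPY tail does: 4 bytes at a time, then the rest."""
    dwords, rest = hmemcpy_split(len(src))
    dst = bytearray()
    for i in range(dwords):                      # REPZ MOVSD
        dst += src[4 * i:4 * i + 4]
    dst += src[4 * dwords:4 * dwords + rest]     # REPZ MOVSB
    return bytes(dst)


def bpr_command(linear, nbytes, verb="RW"):
    """BPR start end verb; SoftICE's end address is inclusive, so it is
    start + nbytes - 1 (the text's 60h..69h range covers 10 bytes)."""
    if nbytes < 1:
        raise ValueError("range must cover at least one byte")
    end = linear + nbytes - 1
    return f"BPR {FLAT_SELECTOR:X}:{linear:08X} {FLAT_SELECTOR:X}:{end:08X} {verb}"


def plan(page_output, source):
    """Everything you need after stepping past REPZ MOVSB, in one dict."""
    linear = parse_page(page_output)
    dwords, rest = hmemcpy_split(len(source))
    return {"linear": linear, "dwords": dwords, "rest": rest,
            "bpr": bpr_command(linear, len(source))}


if __name__ == "__main__":
    p = plan(PAGE_OUTPUT, SOURCE_BYTES)
    print(f"REPZ MOVSD copies {p['dwords']} dword(s), REPZ MOVSB copies {p['rest']} byte(s)")
    print(p["bpr"])
```

Run it, paste the printed BPR line into sice, and change SOURCE_BYTES to
whatever D DS:ESI actually showed you (the NUL terminator counts as a byte
the copy touches, so keep it in the range).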


The next trick I use is for NAG SCREENS.

This may seem confusing too, but again, play around with it.  You'll get
used to using it.

When a nag screen pops up, enter sice and type:

HWND

You should see something similar to:

Window Handle  hQueue   SZ   Qowner    Class Name          Window Procedure
____________________________________________________________________________
0080(0)         2057     32   MSGSRV32  #32711(switch win)  17ef:00004b6e
0084(1)         2057     32   EXPLORER  shell_trayWnd       1487:0000016c
......
......

What you want to do is scroll down the list of handles and look at the
QOWNER.  Find the handles that belong to your program, and if your nag
screen has an OK button, look for BUTTON under Class Name.  If your nag
screen doesn't have one, then anything with BUTTON after it won't be the
handle you want to break on.  This is trial and error until you get the one
you want (explained in a little bit).  The list of handles will probably be
quite long, but usually the nag screen is amongst the first that belong to
your program.

Once you think you've found your nag screen's handle, you will want to use
the BMSG command.  If you want to see the exact parameters it allows, while
in sice, type:

HELP BMSG

OK, now to our example.  Let's assume the handle you want to break on has
BUTTON after it (your nag has an OK button, which is easier to find), and
you think you've found the proper handle.  You would want to type:

BMSG 0084 WM_DESTROY

Where 0084 is the handle of your nag screen.  What this basically does is
tell sice to break when the nag screen is being destroyed, i.e. after it
has been erased from the screen.  You will be deep inside some unknown API,
so you will have to F12 (P RET, Pause on RETurn) your way back to your
program's code.  At this point you want to find where the nag was created
(set BPX on most of the calls you come out of).  The nag screen was most
likely created and destroyed in the same call, so once you find the proper
one, do whatever you need to do.

*NOTE*
I'M NOT GOING TO GO INTO DETAIL HERE.  IF YOU DON'T KNOW WHAT TO DO WITH A
CALL, THEN PRACTICE, AND READ SOME MORE TUTORIALS
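An added example (mine, not the author's and not part of SoftICE) of the
handle-picking step above: it parses an HWND listing into rows, keeps the
ones whose Qowner is your program, splits them by whether the class is
BUTTON, and prints the matching BMSG lines.  The listing, the process name
MYPROG and its handles are all constructed; the first two rows are the ones
shown in the text.

```python
import re
from dataclasses import dataclass

# Added example; the listing, the process name MYPROG and its handles are
# constructed.  The first two rows are the ones shown in the text.
HWND_OUTPUT = """\
Window Handle  hQueue   SZ   Qowner    Class Name          Window Procedure
____________________________________________________________________________
0080(0)         2057     32   MSGSRV32  #32711(switch win)  17ef:00004b6e
0084(1)         2057     32   EXPLORER  shell_trayWnd       1487:0000016c
0248(1)         3a2f     32   MYPROG    #32770(Dialog)      0137:00401a20
024c(2)         3a2f     32   MYPROG    BUTTON              0137:00401a20
0250(2)         3a2f     32   MYPROG    STATIC              0137:00401a20
02a0(1)         3a2f     32   MYPROG    TMainForm           0137:00402000
"""


@dataclass
class Window:
    handle: int
    tag: int        # the number SoftICE shows in parentheses after the handle
    owner: str      # Qowner column
    cls: str        # Class Name column (may contain spaces)
    proc: str       # Window Procedure column, seg:offset


# One data row; the class name is non-greedy so it can contain spaces, and the
# seg:offset at the end pins down where it stops.  Header and underline rows
# do not match.
HWND_ROW = re.compile(
    r"^([0-9A-Fa-f]{4})\((\d+)\)\s+[0-9A-Fa-f]{4}\s+\d+\s+(\S+)\s+(.+?)\s+"
    r"([0-9A-Fa-f]{4}:[0-9A-Fa-f]{8})$"
)


def parse_hwnd(output):
    """Turn HWND output into Window rows, skipping the header lines."""
    rows = []
    for line in output.splitlines():
        m = HWND_ROW.match(line.strip())
        if m:
            rows.append(Window(int(m.group(1), 16), int(m.group(2)),
                               m.group(3), m.group(4).strip(), m.group(5)))
    return rows


def nag_candidates(rows, owner, has_ok_button=True):
    """Handles whose Qowner is your program.  With an OK button on the nag,
    keep only class BUTTON; without one, drop everything that is a BUTTON,
    which is the rule the text gives."""
    out = []
    for w in rows:
        if w.owner.upper() != owner.upper():
            continue
        if (w.cls.upper() == "BUTTON") == has_ok_button:
            out.append(w)
    return out


def bmsg_commands(rows, owner, has_ok_button=True, msg="WM_DESTROY"):
    """The BMSG line to type for each candidate handle."""
    return [f"BMSG {w.handle:04X} {msg}"
            for w in nag_candidates(rows, owner, has_ok_button)]


if __name__ == "__main__":
    rows = parse_hwnd(HWND_OUTPUT)
    for cmd in bmsg_commands(rows, "MYPROG"):
        print(cmd)
```

With the sample listing this prints one line, BMSG 024C WM_DESTROY, for the
only BUTTON owned by MYPROG; pass has_ok_button=False to get the non-BUTTON
handles instead, which is the trial-and-error list for a nag with no OK
button.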



I hope that these 2 tricks help you.  Like I said earlier, if you would like
to add anything to this, PLEASE TYPE UP A LITTLE .TXT and send it to any op.
Please include your nick so we can give you credit.

COMING SOON:

HOW TO MAKE SYMBOLS FOR SICE (easier way to debug).


                                                   Thanx in advance
                                                      josephCo
