View Full Version : Softice breakpoint for DLL
07-18-2005, 08:48 AM
I was after some advice re setting a breakpoint in Softice.
I have a crackme called "MarketingPro" April 2004 edition. It uses Installshield for the installation.
After decompiling the Setup.inx, I found the following,
ChkRegKey(local_string3, local_string4, global_string16, "", ""); // dll: MINSCHK.dll
local_string3 - Name
local_string4 - Company Name
global_string16 - Key (format xxxx-xxxx-xxxx-xxxx-xxxx-xxxx)
I can't seem to break into MINSCHK.dll using Softice. I set the breakpoint BPX ChkRegKey, which comes back symbol not defined. I have included the dll in the Softice dat file.
I have included the W32Dcompile of MINSCHK.dll for the hell of it.
I have tried to study what is happening in ChkRegKey routine but I don't get it! Especially,
Call 004023CC - does this change the strings to numbers?
Call 004011D3 - is this the algo to work out the correct key?
Any tips would be appreciated.
07-19-2005, 06:00 PM
Ok, Call 004023CC counts the number of bytes for an entered string and returns with the value in EAX.
07-23-2005, 01:39 AM
Here is a link to the prog.
MarketingPro (http://www.sendmefile.com/00040336) <- link works again!
I have not included the whole thing but there are enough files to check out the install program.
I patched the Setup.inx successfuly to accept any key but when the setup tries to install the database it comes up with an error. I believe it must use the key to do other checks as well!
08-04-2005, 02:16 AM
Thanks for the feedback guys!
The silence is deafening.
Well, I have done a search on Softice and come up with a way of breaking into the DLL the hard way.
Softice has a feature"i3here" which uses the Int 3 command to pop straight into Softice when called.
So I substituted a byte at the start of the DLL with 0xCC (Int 3) and entered the command "i3here on" in Softice and bang! You are in Softice every time the DLL is called.
Now all I have to do is work out what the routine is actually doing!
Routine at 401345 is doing alot of comparing with the Key, but I am not sure whats going on!
08-10-2005, 05:22 AM
Here is a bit more that I have worked out.
Call 407DD4 makes the characters of the Key all Uppercase.
Call 401345 gets each char from the key and extracts a new char from a lookup table. I am not sure what it compares the new characters to!!
08-15-2005, 04:25 PM
your feed back is appreciated although i am not so sure your definition of a crackMe is the same as everyone elses.
08-17-2005, 02:32 AM
So what is the definition of a "Crackme"?
A program/software that someone or many users have but is crippled or times out until a vaild serial is entered for the registration process?
If not the above what is it? Am i asking advice in the wrong forum?
I have not added link to the whole program as it is very large, over 500meg. If anyone wants the whole thing I will be glad to upload it where you like.
08-18-2005, 12:18 PM
Actually I should have just kept my mouth shut as I am not qualified to help you. I happen to like that you were posting your progress even though you had recieved no feed back. Watching others troubleshoot facinates me (educates me as well). Most of the people surrounding me in the real world would rather shout over their shoulder asking how to do something rather than making the 1st attempt to figure it out.
The definition of crackMe is like anything else in life. Whatever each individual wants it to be. I was thinking more along this
line when I made my unnesessary post.
lates and good luck with your crackMe!
08-22-2005, 08:05 AM
Thanks for the post quitsendingmetrash.
At least you have made the effort to give me some sort of feedback.
Thanks for the link. The site looks very interesting and I will visit it more often when I get more time. Definately a good place to learn more on the subject!
vBulletin® v3.6.4, Copyright ©2000-2013, Jelsoft Enterprises Ltd.