Author Topic: Beginner Softice Tutorial  (Read 3469 times)

Offline iago

Beginner Softice Tutorial
« on: February 14, 2004, 12:46 PM »
I found this, though I'd share:

:::::::::::::::::::::  m E X / c 4 N  T U T O R I A L  D I V I S I O N ::::::::::::::::::::::::::

Tutor      : CoRN2
Editor     : Notepad (fullscreen wit' wordwrap on)
Audience   : Beginners an' Newbies :)
Greets     : All members of C4N/mEx'97... and everyone else I know :)
Target     : SoftIce for Newbies, r4
Rev Date   : 17/12/97

Check out for all your cracking needs!!

Hey there, wow, I'm on revision 4 of this tutorial now! Thanks to everybody who has written to me, especially those with helpful suggestions. This update is therefore due to public demand ;) Hopefully it will help all of you newbies out there, maybe not... ah well... ;)

Everybody asks the question, 'which debugger should I use?' The answer is usually SoftIce... The second question is 'how do I use SoftIce!?!' This tutorial should hopefully cover the basic aspects of using SoftIce for our 'evil' needs!! ;)

I'm going to assume that you're using SoftIce/Win95 v3.0 or later. Once installed, SoftIce lives behind win until you need it... now the fun bit...

To access SoftIce you simply press <CTRL-D> unless of course you've changed this hotkey.

This seems to plague almost everyone who still remembers the day that their fingers first traced the sacred CTRL-D combination. My first question was ( in #cracking ) as far as I remember, why can't I breakpoint on GETDLGITEMTEXT ( or similar functions )

It took me a week until someone answered ( c4n rocks! plug plug ) its really quite easy. I think this is covered in the c4n-mex faq also:

Load up the file WINICE.DAT in your favourite text-editor ( notepad will do if you haven't got one :P ) and find the lines near the end of the file that start with:


If you remove the semi-colon ';' from the start of the above two lines, most of the
calls with be available- if not just remove them from other lines. Save
WINICE.DAT and restart windows/softice, easy eh?

You can also use the symbol loader to edit the these settings ( thanks _[mP] :) )

While we're on the subject of WINICE.DAT, I thought you should know the more useful *default* keyboard mappings for SI...

F1  - Help
F2  - Toggle Register Window
F5  - Drop back to Windows
F8  - Trace To Next Instruction (will dive into all CALLS)
F10 - Step To Next Instruction (executes and steps over CALLS)
F12 - Run up until the next RETurn instruction

There are a shitload more, but these are the more useful ones I would use....

Now to the fun stuff...

Although maybe daunting at first, its all pretty simple. You really do need to have a rough idea about ASM for me to be able to explain this properly. If not, get my tut, 'ASM For Crackers' (PLUG! PLUG!) from the mExeLITE'97 homepage. It should cover the basics.

Before we continue, you should check that you have four (count 'em) seperate boxes on your screen, if not you should note that they can be hidden/shown with any one of the following commands:

WR -- Show/Hide Register Window         |
WD -- Show/Hide Data Window         } including a number after the command
WC -- Show/Hide Code Window             | allows you to set how many lines are used.

These are the most important, but you'll find there are also other windows that you can toggle, including watches etc... but this will server the purposes of our tut.

These windows can be mucked about with individually, each is independently scrollable, using the following keyboard combinations:

<CTRL-UP/DOWN/PGUP/PGDN>  Scrolls the CODE Window
<SHIFT-UP/DOWN/PGUP/PGDN> Scrolls your INPUT (command) Window
<ALT-UP/DOWN/PGUP/PGDN>   Scrolls the DATA Window

A bit of a cool trick involves the DATA window, some really lame protection schemes end up placing the correct 'serial number' a couple of bytes away from your input, by simply scrolling your data window, it is sometimes possible to discover this serial and save yourself a shitload of work! --pretty cool huh?

Now back to your tut.


Ok. Now you know what registers are, and hopefully what a chunk of assembly looks like.

The top three lines of the screen are dedicated to your computers registers, and their contents. This is fairly self explanitory.

EAX=whatever, EBX=whatever, and so on.

The second line at the far right contains 8 letters, these are your flags. Capital blue letters indicate that the flag is set, the flags are:

   O D I S Z A P C
        | | | | | | | |
        | | | | | | | +------- Carry Flag
   | | | | | | +--------- Parity Flag
   | | | | | +----------- Auxiliary Carry Flag
   | | | | +------------- Zero Flag ( VERY USEFUL! )
   | | | +--------------- Sign Flag
   | | +----------------- Interrupt Flag
   | +------------------- Direction Flag
   +--------------------- Overflow Flag

To be honest the only one I've ever looked at while cracking, is the Zero Flag ( its looked for JZ/JNZ/JE/JNE commands )

Next we have another window underneath, this is your data window. It shows the value of any memory address you might need. As an example, type: d F9D2B    --this shows the bytes at that address.

'd' is your display memory command.

Following this we have the code window. This contains the part of the program that we're looking at. Firstly you have the segment:offset of the code, then the opcode, then the asm commands we all love :)
( NB you may have to type 'CODE ON' in order to see the opcode )

And finally at the bottom is your input/information window. In other words the bit you use to talk to SoftIce, and hears its' response.

Breakpoints are a useful (if not essential) addition to a crackers arsenal. Without them, life would be a little bit harder for us, and easier for the protectionists. Breakpoints are simply that, points at which the program will break, due to a condition being met ( we'll look at this in detail now )

SYNTAX: bpx <api function name>

The main problem with cracking... umm.. sorry debugging ( heh! ) is to find yourself an entry point into the program. The easiest, and most effective way to begin is with breakpoints.

Basically all you need to do is to tell SoftIce when to 'break' into the program so you can see whats happening. The type of breakpoint that you would use depends upon the type of program you're trying to 'debug' ;)

To show this we'll take an example:

1. Switch to SoftIce ( CTRL-D ), and type 'bpx GetLocalTime'
2. The prompt should return, switch back to win ( CTRL-D )
3. Double click on the win95 system clock ( usually on your taskbar )

SoftIce should now pop up, at the start of the call to 'GetLocalTime', if you press F11 you will return to the part of the code that called the function.

Another function call to breakpoint on is useful when cracking serial number protections is 'GetWindowTexta' or 'GetDlgItemTexta'. This is done in exactly the same way.

1. Click your StartButton ( good old MS :P ) and click upon the 'RUN'
2. Type in any old crap, ie. 'lalalalalalalalalaa' DON'T PRESS ENTER
3. Switch to SoftIce. ( CTRL-D )
4. Type: BPX GetWindowTextA
5. Switch back to win, now press ENTER

SoftIce pops up at the Start of 'GetWindowTexta', so again press F11 to return to the calling code. GetDlgItemTexta isn't used as much in my experience, but worth trying if nothing happens on GetWindowTexta.

SYNTAX: s <start> l <finish> '<string>'

Simple one this. Say you've entered your registration info, and you're lost in the code somewhere, to help yourself along you can search in memory for your info ( WOW! ;) )

When searching you want to look for it everywhere, so I mainly use:

   s 0 l ffffffff 'mystring'

Once found you'll get a nice prompt telling you where in memory it is, and the data window changes to that address.
To Search again just type: s

This will keep searching, beware though, that in my experience, any strings found around the 80000000+ and C0000000+ areas are either duplicates or bits of shite floating about due to Win95's amazing management of your ram :) aren't you glad you 'bought' it?!

SYNTAX: BPM <address> R/W

This is usually used in conjunction with the step above, searching. Once you've found your string, what use is it to you???

Say through searching, I got the prompt:

Pattern Found at 0157:0009AC2D

ok, this tells us that my string was found at the location 0157:0009AC2D ( doh! ). So to get SoftIce to monitor this we'd use:

BPM 0157:0009AC2D

The R/W tells SoftICe whether to pop up on a read or write operation to that address. The default is RW ( read & write )

SYNTAX: BPR <start address> <end address> R/W

Sometimes a more useful function. Imagine for example, that you want to track a range of memory addresses, for example, a Username string, or Unlock Code.

Given the above example, if was to search for my username, 'mExeLITE'97 cracked bY CoRN2', and I'm told that it was found at 0157:00643345. If I wanted to keep an eye on the entire range of memory addresses taken by this string, I would use the syntax:

BPR 0157:00643345 0157:00643345+(Length of string in hex)

This will cause SI to popup whenever any part of the memory within this range is read from or written to.

Now we'll look at the additional breakpoint manipulators that'll stop you screaming at SI when it pops up hours after you've finished cracking.


Simply lists any defined breakpoints in the following format:

An example could be:
00) BPX #0028:09876543 C=01

This tells us that SoftIce will pop up when ever the instruction at address 0028:09876543 depending upon the number of times it has occured, specified by Count. In the above example, since C=01 SI will popup the first time that this occurs.

SYNTAX: bc <breakpoint(s)>

This clears the specified breakpoint(s), for example:

BC 0      <-- Clears the breakpoint labelled 0
BC 1,4    <-- Clears breakpoints labelled 1 and 4
BC *      <-- Clears all breakpoints

SYNTAX: bd <breakpoint(s)>

Sometimes it'll be more beneficial (and or useful) to simply disable a breakpoint temporarily, rather than remove it completely. Again, for example:

BD 1,2,3,5  <-- Disables breakpoints labelled 1,2,3,5
BD 1       <-- Disables breakpoint 1
BD *       <-- Disables all breakpoints

SYNTAX: be <breakpoint(s)>

Obviously, if you can disable breakpoints, then you're going to need to be able to enable them again. I'll not give you any more examples 'cos this follows exactly the syntax given above.

SOFTICE & The Net (The Internet/The Information Super-Highway ARRGGH!)
Some people ( not me yet ) have experienced a problem when cracking whilst logged on. This won't affect people who ( like me ) aren't lucky enough to get FREE LOCAL PHONE CALLS!! who have to pay 's for their phonebills... sorry.

Anyway, if you're logged on and you switch to SoftIce many people experience a loss in their connection ( mainly to IRC ) Apparently this is fixable by using the '/AWAY asuidsodj' command, but I dunno. Try it if you get stuck.

This tute should ( hopefully, unless I totally messed it up ) cover enough about SoftIce to allow the average newbie to get started. I know there is a shitload of stuff I haven't covered, there should be a more advanced tut arriving soon ( watch this space |     | ;) )

If there is anything you else think ppl need to know to get started, or anything you think should be added, just mail me at and tell me. I can be reached on EFNET, in #Cracking4Newbies most of the time... someone will be able to help anyway....

Hope this helps anyone who wants to learn's task easier... I could have done with this when I started. Good Luck!

-- CoRN2 [mE'97/C4N]

:::::::::::::::::::::  m E X / c 4 N  T U T O R I A L  D I V I S I O N ::::::::::::::::::::::::::
This'll make an interesting test for broken AV:


  • Guest
Re:Beginner Softice Tutorial
« Reply #1 on: February 14, 2004, 10:02 PM »
One command that I find useful and don't see in any SoftICE tutorial is how to set breakpoints using IF statements.


bpx <address> IF eax==00000069

Offline iago

Re:Beginner Softice Tutorial
« Reply #2 on: February 15, 2004, 02:55 AM »
One command that I find useful and don't see in any SoftICE tutorial is how to set breakpoints using IF statements.


bpx <address> IF eax==[a profane address]

I've never actually used that, but I can see where it would be useful
This'll make an interesting test for broken AV: