The RCE Messageboard FAQ
February 2004
--------------------------------------------------------------------------------
Some guidelines you should follow before asking a question in our forums; the time you spend reading them now will save you much more time later while gaining the RCE knowledge you are actually seeking.
- Do not ask for cracks.
- Do not use direct links.
- Do not ask where to find the "tools".
- Do not ask for help without showing you made an effort. This includes asking *lameass* questions in the Newbies Forum.
- Do not cross post. I can assure you that your question has already been answered and the answer can be found on this site or on some of the links included on this site.
- DO NOT EVER post anything like this: "Hi I have downloaded this program 12345.exe and I can't (insert your best word here IE:crack) it. Can someone tell me how? Can someone send the (insert your best word here IE:crack) at myemail@.. ?"
- Choose the right title for the thread. A title like 'I am a newbie, please help me' usually doesn't get many responses.
- The board is divided into 7 areas, each with its own specific focus. Post your question in the area that fits it.
- Please use the SEARCH function.
- Help yourself before you get bashed !
DO NOT POST TARGET SPECIFIC CODE THAT INCLUDES THE NAME OF THE TARGET: this means do not post code that shows where and how to patch/keygen blah blah blah on a specific target. Keep your code snippets as generic as possible while explaining your problem.
DO NOT UPLOAD (ATTACH) ANY KIND OF COPYRIGHTED MATERIAL, INCLUDING EXECUTABLES OR OTHER PARTS OF SOFTWARE THAT YOU DO NOT HAVE EXPLICIT RIGHTS TO DISTRIBUTE (AND DON'T EVEN THINK ABOUT UPLOADING PATCHED, OR OTHERWISE MODIFIED VERSIONS OF THE SAME)!
DO NOT EMAIL OR PRIVATE MESSAGE MODERATORS WITH REQUESTS FOR WAREZ OR TOOLS. DO IT AND BE BANNED.
Cut and Paste these questions in your post, including your answers :
1. What is the problem....
2. What is the protection.....
3. What tools are you using....
4. What tutorials have you read....
5. Show your output listing WITH comments....
6. NOW ask your question....
--------------------------------------------------------------------------------
Beginner questions
What do I need to start?
Well, there is a good zip file to start with. Read it carefully: Tornado's crackers notes
Where can I find some assembly language guides?
Art of Assembly language, the bible:
http://cs.smith.edu/~thiebaut/ArtOfAssembly/artofasm.html
Win32asm basic tutorials: more programming oriented but very cool:
http://www.madwizard.org/view.php?page=tutorials.contents
Also, this opcode guide might come in quite handy when you feel ready to start patching some code:
http://protools.anticrack.de/files/docs/opcodes.zip
Where can I find some nice tutorials?
Take a look at:
http://www.woodmann.com/fravia/what_new.htm
http://www.woodmann.com/RCE-CD/
There are also some nice links at the bottom of the main forum page, try them.
What does 'API' mean?
API stands for Application Programming Interface: the set of functions exported by the operating system (or by a library) that applications call. On Windows this is the Win32 API; the names you see in disassemblies and debugger breakpoints (GetDlgItemTextA, CreateFileA, ...) are its functions.
Is there a sort of API reference?
Yes, there is the 'Win32 Programmer's Reference', available from many sites. This reference is a little bit old but still valid; if you want something up to date take a look at
http://www.msdn.com
I have heard about the word 'PE', what does it mean?
PE stands for Portable Executable and it is the file format of Win32 applications. Practically, it describes the physical structure of the application on disk (headers, section table, imports and so on) and how it is mapped into memory; take a look at the PE guides linked from the forum to learn more about the subject.
I am not able to set a breakpoint on the hmemcpy function; it's strange because I saw it in many tutorials... why?
hmemcpy is a 16-bit kernel function that exists only under Windows 9x (95/98/ME). On NT-based systems (NT/2k/XP) it does not exist at all, so you need to change your approach to the target and break on the 32-bit API the program actually calls instead.
Is there a "most useful breakpoint"?
Hmmm, there is not any specific best one, but there are some common breakpoints to start with. For example:
- if you have to catch when the application reads something from an edit box you can use one of: GetDlgItemTextA, GetWindowTextA
- if you have to catch when a file is opened you can use CreateFileA
and so on... Remember that this is not a rule (an application can read a file through something other than CreateFileA); that's the problem!
How can I know which function is used to perform a specific operation (ie: get the text from an edit box)?
Well, you can either set breakpoints on all the functions capable of performing that operation, or take a look at the functions the program imports and pick the candidates from there.
I am using my hex editor trying to patch a byte at address 40746Dh but I am not able to find that address, is it possible?
Sure it is, but you have to understand the difference between a Virtual Address and a File Offset: for a physical patch you have to tell your hex editor to go to a specific file offset, not to a Virtual Address.
- Virtual Address = 40746Dh is the memory address where the byte is located when the program is executed (ImageBase plus the Relative Virtual Address). It is also the address shown by debuggers.
- File Offset is the distance (in bytes) between the beginning of the file on disk and that byte. Sections are usually placed differently on disk and in memory, so the two numbers do not match.
If you want to patch that byte you have to translate the Virtual Address into a File Offset and then go to that offset in the hex editor.
How to convert Virtual Address to Offset?
There are many ways:
1. Ida and W32dasm show the File Offset of a specific Virtual Address at the bottom of the main window
2. there are some tools around that may help you; search for "File Location Calculator" on Google
3. do it by hand: the formula is pretty simple and only needs the section table from the PE header. Practice with the board's 'search' function and try to find the formula yourself.
I would like to code something, do I need to write it in asm?
No, of course not. You can use your preferred language (C, C++, Delphi, Java and so on...). Feel free to ask programming-related questions in the 'Advanced reversing and programming' area.
--------------------------------------------------------------------------------
Tool related questions
Which tools do I have to use?
Hmmm... Everyone has his own preferred tools. I will list some, then it is up to you to try them (or others) and choose which ones you prefer:
- Debuggers: Softice, Ollydbg, SmartCheck (for Visual Basic programs)
- Disassemblers / decompilers: Ida, W32dasm (disassemblers), Dede (decompiler for Delphi programs)
- Hex editors: HexWorkshop, Ultraedit
- Resource editors: Resource Hacker, Exescope
There are also a lot of utilities, you will find them reading tutorials and threads; for the moment try to make yourself familiar with these.
Where can I download a specific tool?
Take a look at the bottom of the main forum page, there are some cool links and some of them will satisfy your question.
What questions may I and may I not ask about acquiring tools?
1. You may NOT ask for cracks, automatic unpackers and other kinds of ready-made zero-knowledge tools for breaking software protections.
2. You may NOT ask about where to download ANY tool, freeware, pirated or whatever (this is to make sure no links to pirated software occur here, and to avoid people using this forum instead of Google, even for freeware tools). This of course includes NOT being allowed to ask if someone can send it to you!
A valid exception to this rule of not being allowed to ask WHERE a tool can be found is when the original site of a free tool has disappeared and it is hard to find it by searching. In that case you MAY ask if anyone knows what happened to the site, and if there are any ways to find this tool anywhere else.
3. You MAY ask for the existence (i.e. the name) of a tool that has some feature you have been looking for and been unable to find yourself, AFTER having put some reasonable effort into searching for it on the net. Some features may be quite hard to find through searching, and that's why you are allowed to make use of the collected knowledge of the board members here if you haven't been able to find it through searching the net.
Do I have to install Softice?
Only if you want to debug a program with it; it is not necessary, you can use another debugger called Ollydbg instead.
Is it better to use Softice or Ollydbg?
Even if Softice is more powerful than Ollydbg, Ollydbg works well on most applications. The main difference is that Softice is a kernel-mode debugger (it stops the whole system and can debug drivers and see what the application does inside the kernel), while Ollydbg is a user-mode debugger (it attaches to one process through the Windows debugging API, so it is easier to set up but also easier for a protection to detect)... make your choice.
Which is better: Ida or W32dasm?
Ida is the ne plus ultra. W32dasm works well on *simple* programs (i.e. not packed, no self-modifying code) but it is relatively easy to fool. I know that Ida may shock you at first, but I suggest you learn and use it.
--------------------------------------------------------------------------------
Softice questions
Softice + XP, is it possible?
It's possible but sometimes not so easy; you need to install DriverStudio (v3.1 at the moment).
Most of the problems are related to settings like video, mouse and/or keyboard. The most stupid (and maybe right) answer to these problems is: try all the available settings and browse the Compuware site for known bugs (and patches...).
There are some threads that may help you, here is one of them:
http://www.woodmann.net/forum/showthread.php?t=5335
Does Softice / DriverStudio work with Windows XP SP2?
Sure, but you need to use at least DriverStudio 3.1, with the patch mentioned in the following support thread over at the Compuware site:
http://frontline.compuware.com/nashua/kb/doc/1846.asp
Is there a reference for every Softice's commands?
Sure, take a look at the 'SoftIce Command Reference' help file.
I am not able to set breakpoints with the new version of Softice (on an NT system)?
The newest version of Softice uses context-sensitive breakpoints by default (you can change this setting to go back to the old global breakpoint behaviour; see the forum thread about it for more info). First you have to be in the application's context; if you use Symbol Loader to load the program there are no problems, otherwise you can use the 'addr' command. From Softice's help file:
Use the ADDR command to both display and change address contexts within SoftICE so that process-specific data and code can be viewed. Using ADDR with no parameters displays a list of all address contexts. If you specify a parameter, SoftICE switches to the address context belonging to the process with that name, identifier, or process control block address.
ADDR [process-name | process-id | KPEB]
where:
process-name Name of any currently loaded process.
process-id Process ID. Each process has a unique ID.
KPEB Linear address of a Kernel Process Environment Block.
A simple 'addr process-name' should work.
--------------------------------------------------------------------------------
Ollydbg questions
I am able to patch the code at runtime, is it possible to save all the modifications I made?
Yes you can! When you have done all the modifications, follow these steps:
1. right click over the code
2. "Copy to executable" - "All modifications" (or "Selection", as you desire)
3. right click over the new window
4. "Save file"...
Is it possible to dump a process using Ollydbg?
Yes you can! There is a plugin called OllyDump. You can find it and many others at
http://ollydbg.win32asmcommunity.net/stuph/
--------------------------------------------------------------------------------
W32dasm questions
W32dasm crashes while trying to decompile a file, why?
It often happens when the file uses some anti-W32dasm trick and/or it is packed/encrypted. W32dasm is an old tool, still valid but old.
Is it possible to see all the functions imported by the program?
Yes, load the file and look at the import list (Functions menu, 'Imports'); it shows all the functions the program imports. The string data references (Refs menu) are a separate listing and are useful for a different purpose: finding the code that uses a given message or string.
I load a file but I am not able to see the string reference, is it possible?
Yes, there could be some reasons:
1. the program uses some anti-W32dasm tricks
2. the program is packed
3. the program is written in Visual Basic; in this case you can use a patch for W32dasm that lets you see the string references (see protools for more info)
--------------------------------------------------------------------------------
Visual basic...
P-code or native code?
Every Visual Basic program can be compiled in two different modes: P-code (pseudo code) or native code. What is the difference? A P-code exe uses a sort of 'pseudo instruction set', which means that to run the file the Visual Basic runtime has to interpret these instructions; this happens every time you run the program. Native code is ordinary x86 code and does not need this translation, so a normal disassembler/debugger can follow it directly.
Which tools do I have to use against p-code programs?
ExDec and wktvbDebugger.
And which tools against native code programs?
Smartcheck works well only on non-p-code programs.
--------------------------------------------------------------------------------
Unpacking questions
How can I know which packer is used in a specific target?
There are some analyzers available on the net. The most used seems to be PE iDentifier (PEiD) by snaker, Qwerton & Jibz, but there are others around. Most of them work by comparing the bytes at the program's entry point with a database of known packer signatures, so a packer with a modified or unusual entry stub can go unrecognized.
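The two questions above about converting a Virtual Address to a File Offset and about identifying a packer both come down to reading the PE section table, so here is one worked example covering both. This is an added example, not code from the board or from PEiD: it builds a small constructed PE32 image in memory (not a real program), parses the DOS/NT headers and section table, converts the 40746Dh address from the earlier question into a file offset, patches the byte there, and matches the entry-point bytes against a tiny signature table. The only signature in that table is the well-known UPX entry prologue (pushad / mov esi / lea edi / push edi / or ebp,-1); the table itself is an illustrative assumption, not PEiD's database.

```python
import struct

# Constructed PE32 image used as sample input (NOT a real program): two sections,
# ImageBase 0x400000, entry point at RVA 0x1000 carrying a UPX-style stub prologue,
# and a JE opcode (0x74) planted at VA 0x40746D so we can locate and patch it.
def build_sample_pe() -> bytes:
    img = bytearray(0x7600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew -> NT headers at 0x40
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 2 sections, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = 0x58                                         # optional header starts after COFF header
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", img, opt + 28, 0x400000)    # ImageBase
    sec, hdr = opt + 224, "<8sIIIIIIHHI"               # IMAGE_SECTION_HEADER layout
    #                   name     VirtSize VirtAddr RawSize PtrRaw  (relocs/linenums) Characteristics
    struct.pack_into(hdr, img, sec,      b".text", 0x7000, 0x1000, 0x7000, 0x400,  0, 0, 0, 0, 0x60000020)
    struct.pack_into(hdr, img, sec + 40, b".data", 0x1000, 0x8000, 0x200,  0x7400, 0, 0, 0, 0, 0xC0000040)
    # pushad; mov esi,imm32; lea edi,[esi+disp32]; push edi; or ebp,-1  (UPX-like entry stub)
    img[0x400:0x410] = bytes.fromhex("60BE009040008DBE0080FFFF5783CDFF")
    img[0x686D] = 0x74                                 # JE rel8 at VA 0x40746D
    return bytes(img)

def parse_pe(data: bytes) -> dict:
    """Read ImageBase, entry point RVA and the section table from a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}

def va_to_offset(pe: dict, va: int) -> int:
    """offset = (VA - ImageBase) - section.VirtualAddress + section.PointerToRawData"""
    rva = va - pe["image_base"]
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            if delta >= s["rawsize"]:   # exists in memory only (e.g. uninitialized data): nothing to patch on disk
                raise ValueError(f"VA {va:#x} lies in {s['name']} but has no bytes on disk")
            return s["rawptr"] + delta
    raise ValueError(f"VA {va:#x} is not inside any section")

def patch_byte(data: bytes, pe: dict, va: int, expected: int, new: int) -> bytes:
    """Patch one byte by Virtual Address, refusing if the byte on disk is not what we expect."""
    off = va_to_offset(pe, va)
    if data[off] != expected:
        raise ValueError(f"byte at offset {off:#x} is {data[off]:#04x}, expected {expected:#04x}")
    out = bytearray(data)
    out[off] = new
    return bytes(out)

# Illustrative PEiD-style entry-point signatures ("??" = wildcard byte). Assumed, not PEiD's real database.
SIGNATURES = {"UPX 1.x": "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF"}

def match_signature(blob: bytes, sig: str) -> bool:
    toks = sig.split()
    return len(blob) >= len(toks) and all(t == "??" or int(t, 16) == b for t, b in zip(toks, blob))

def identify_packer(data: bytes, pe: dict):
    """Return the name of the first signature matching the bytes at the entry point, else None."""
    ep_off = va_to_offset(pe, pe["image_base"] + pe["entry_rva"])
    blob = data[ep_off:ep_off + 32]
    return next((name for name, sig in SIGNATURES.items() if match_signature(blob, sig)), None)

if __name__ == "__main__":
    data = build_sample_pe()
    pe = parse_pe(data)
    print(f"ImageBase={pe['image_base']:#x}  EntryPoint RVA={pe['entry_rva']:#x}")
    print(f"VA 0x40746D -> file offset {va_to_offset(pe, 0x40746D):#x}")
    print("packer:", identify_packer(data, pe))
    patched = patch_byte(data, pe, 0x40746D, 0x74, 0x75)   # JE -> JNE in the sample image
    print(f"patched byte now {patched[va_to_offset(pe, 0x40746D)]:#04x}")
```

On the sample image 40746Dh lands at file offset 686Dh (RVA 746Dh, minus the .text VirtualAddress 1000h, plus its PointerToRawData 400h), which is exactly the number you would type into the hex editor's "go to offset" box. The `expected` check in `patch_byte` is the habit worth keeping: if the byte on disk is not the opcode the debugger showed you, your conversion (or your section table) is wrong, and writing blindly corrupts the file.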
I am working on a program packed with (put your packer here, ie: asprotect), how can I unpack it?
Eheh, a million dollar question. The 'Packing and Unpacking forum' stores all the info you need in order to reach the goal (unpack the file...); use the search function and you will see for yourself. There are some nice tutorials, some of them attached to threads and others linked from here. A little advice: try to understand why each step is needed, and do not just follow the steps like a mindless robot.
--------------------------------------------------------------------------------
Final notes:
If you think that something in this file is not correct and/or some questions (and/or answers) are not totally clear, feel free to ask about them in the forum or tell the mods directly.
Good luck
the RCE staff