New 2 Cracking
~~~~~~~~~~~~~~

Tutorial Type  : Essay
Tutorial Topic : How and Why to Use Win32bitDisassembler Debugger
Utilities      : Win32dasm 8.93 (that's what I use, I don't know about earlier versions)
Music          : Bob Marley, Three Lil Birds.
Written by     : ParaBytes
Date           : Nov. 17th, 2001
Remarks        : This tutorial assumes you have Win32dism++ (info, mouse
                 And of course you'll need a keyboard.

 Lets Start     :
--==--==--==--==--

Okay, we are here to discuss W32Dasm.

2 facts you didn't know about W32Dasm:

1) This disassembler has a great debugger in it (like SoftIce; better or not, you'll rate it)
2) This program has a lot of addons; the newest and the best is W32Dism++ 1.00.
   The addons let you patch the file from within the dasm, enter comments,
   and more and more, get it at protools.cjb.net

ok, this essay is about using w32dasm, so I'll start with why you SHOULD use it:

A. You can hear Mp3s while it's working
B. It won't disconnect you from the computer/internet/bios clock
C. You don't have to be a genius to learn it easily by yourself
D. You will be using the ol' good w32dasm and so you'll be able to see its interface
   (it's useful sometimes when you need to check some things)
E. It's not hard to change the flags/registers

now, we have to be fair and explain why you shouldn't work with w32dasm as a debugger:

A. You can't break on memory access
B. You can't use hmemcpy
C. You can't break on an IO (for dongles.. etc..)
D. You can't change the code (unless you have the add-on for in-mem patching...)
E. You CAN hear music, it might distract your mind from the cracking...

ok...
we have the reasons, the main reasons...

now, let's open up some file in w32dasm and learn how to config and use the debugger
let's say we've opened file123.exe, ok?
we now have the header, what sections, what is the code section offset and size, and the
resource info, menu names/ids, dialogs, the import table;
this table contains the .dll's that the program uses and what functions,
like User32.dll is the dll, MessageBoxA (to send the messagebox.. ;p) is the function.
there are many many functions like this, and you can import functions from other dlls,
like if you coded a dll named sex.dll you can import functions from this file
into the file you use.

now, do you see the menu called 'Debug'?
good, this is what we're gonna study.
open it, go to the debugger options, now we have:

1. "Enable Command Line On Load" - if you want to load the exe with a command line, select it, else
   remove the option, we don't need it (most of the time)
2. "Debug Only This Process" - if you handle a program that calls and uses another exe (that means,
   runs the exe) this option will make the debugger debug ONLY the selected application file; if you
   de-select it you will be able to debug more than one file at a time. I recommend keeping this
   one selected.
3. "Display Program Generated Exceptions" - when you handle an error (This file did an illegal...)
   this one will tell you what, where and when it did it, so you will be able to mem-patch it and make
   it work fine.
4-5. "Enable Break on Create/Exit Process" - These will break when the process is started
     or ended, so when you start/end you'll need to click on Run to continue. This is good to
     select, so after you run you have time to set breakpoints in the w32dasm window.
6-7. "Enable Break on Load/Unload DLL" - These will break when a DLL is loaded/unloaded. I
     recommend leaving it out, unless you want to know when a DLL is getting loaded.
8-9. "Enable Break on Create/Exit Thread" - These will break the running process whenever
     a thread is created/destroyed, so if you'll need to use it, select it.

ok, now we've finished the settings, let's start..

load the process (press Ctrl+L or use the menu).
we get more windows opened; one of them is the code window, the window where
the code is shown. this is the place where we have several options, and some
buttons - Run, Pause, etc...
let's review this window:

Enable Documented API/Undocumented API/Local Function details:
this set of options will open a dialog that will tell ya where the function is getting called,
what parameters are sent, and you'll be able to get the result. so if we have StrCmp (string comparing)
we will get a window that says what the parameters are (goodserial, badserial) and if we
want to get the result we will get the return of the function. useful? you'll decide...

Stop Auto On API, supposed to stop the process whenever an API is executed, well...
I tried it, I have bad luck, I think it works only on AutoStepping.. :(

Step Into "rep" Instruction Bypass, well rep is repeat.. so it will step into the rep..

ok, now what are these buttons down there?

AutoStep Into - will run slowly, it will show you where it is in the code; "into" means
that if it encounters a call it will trace through it.

AutoStep Over - will run slowly, it will trace through your code but will go over calls,
so it won't be so slow...

Step Into - you will have to press on it (or on the hotkey), it will let you examine a part (or all)
of the code while getting into calls. this is useful when you're tracing through a call that gets your
name and serial (for this you can also read my tutorial on backtracing)

Step Over - you will have to press on that one pretty much, it will trace the code, jumping over calls,
so if you have a call that calculates your serial you can get over it and see the serial in the memory
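To make the difference between Step Into and Step Over concrete, here is an added example (not from the tutorial, and not w32dasm's code) that simulates a tiny constructed program with one call and records which addresses the eip stops at under each mode. The addresses and instructions are made up for illustration; a real debugger does the same thing on the real instruction stream.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Insn:
    addr: int                      # address of the instruction
    mnemonic: str                  # text of the instruction
    target: Optional[int] = None   # call target, if any

# Constructed sample program (not real code from any binary):
# main pushes eax, calls a routine at 0x401020, tests the result and returns.
PROGRAM = [
    Insn(0x401000, "push eax"),
    Insn(0x401001, "call 00401020", target=0x401020),
    Insn(0x401006, "test eax,eax"),
    Insn(0x401008, "ret"),
    Insn(0x401020, "mov eax,1"),     # the called routine
    Insn(0x401025, "ret"),
]
INDEX = {insn.addr: n for n, insn in enumerate(PROGRAM)}

def next_addr(addr: int) -> Optional[int]:
    """Address of the instruction that follows `addr` in memory order."""
    n = INDEX[addr] + 1
    return PROGRAM[n].addr if n < len(PROGRAM) else None

class Cpu:
    def __init__(self, start: int):
        self.eip: Optional[int] = start
        self.stack: List[int] = []   # return addresses pushed by call

    def step_into(self) -> Optional[int]:
        """One instruction; a call lands on the callee's first line."""
        insn = PROGRAM[INDEX[self.eip]]
        if insn.mnemonic.startswith("call") and insn.target is not None:
            self.stack.append(next_addr(self.eip))
            self.eip = insn.target
        elif insn.mnemonic == "ret":
            self.eip = self.stack.pop() if self.stack else None
        else:
            self.eip = next_addr(self.eip)
        return self.eip

    def step_over(self) -> Optional[int]:
        """One instruction; a call runs the whole callee and stops at the return address."""
        insn = PROGRAM[INDEX[self.eip]]
        if not insn.mnemonic.startswith("call"):
            return self.step_into()
        ret_addr = next_addr(self.eip)
        depth = len(self.stack)
        self.step_into()
        # keep stepping inside the callee until we are back at the return address
        while self.eip is not None and not (self.eip == ret_addr and len(self.stack) == depth):
            self.step_into()
        return self.eip

def trace(mode: str, start: int = 0x401000) -> List[int]:
    """Every eip the debugger would stop at, from `start` until the program returns."""
    cpu = Cpu(start)
    stops = [cpu.eip]
    while cpu.eip is not None:
        getattr(cpu, mode)()
        if cpu.eip is not None:
            stops.append(cpu.eip)
    return stops

if __name__ == "__main__":
    for mode in ("step_into", "step_over"):
        print(mode, [f"{a:08X}" for a in trace(mode)])
```

Running it shows Step Into stopping on 00401020 and 00401025 inside the routine, while Step Over goes straight from 00401001 to 00401006, which is exactly why the text says you can "get over" a call and then look at what it left in memory.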

Pause - geez, I hope this one is clear, if not - go to school and learn english ;]

Run - will run the process until it reaches a breakpoint or breaks on the selected options.

Terminate/Close - will terminate the process, or close the dialogs if the process has closed.

Patch Code - will give you the option to patch the code, easy and clean, but if you apply the patch
it will be a one-time patch..

Goto Address - like in the dasm window..

now, let's review the Data window..

we have a list of the registers, these are the values of the registers. you can copy all or
just look at them and wonder what the code of windows is...
after breaking/stepping you will see some UPCASED and some lowcased: the UPCASED are registers
that just changed, the lowcased are registers that have had the same value for at least two code lines..

in the middle we see a big box, small buttons on the side and down; this is the memory box,
sounds funny, I know, I named it like that...
in this box you can see the memory at the register you select with the side buttons..
let's say we selected eax, now eax=0040A894, so we will see what is in memory at the address
in eax, same as "d eax" in sice, or [eax] in asm code.

HEY! what is this UA1/2??
good. I hoped you'd ask ;p
you see the boxes on the side? User Addr 1 & 2?
these are boxes where we can enter an address, and when we select UA1 or UA2 we can see what is at
this memory address! so if a program calls to a special memory address, we can see what is in it!

ok, let's get back to the memory box. down there we have on/off, we can select which one we want (of course on)
and this will activate the memory box. in the modes we have DWord/Word/Byte/Code, which let us
change the unit of view: byte will give us only 1 byte every time,
word will give us 2 bytes, dword 4 bytes, and code will show us the disassembled code from the memory
address. like if we are on eip (the current code line) and select code we will see the code at
the code line we are doing now (did, because it's less than a second..)
we can see [reg+/-num], so if they say "mov eax,[ebp-04]" we can see what's at ebp-4...

the second display box is more complicated, we have Disp1, UA1, UA2, Oper. let's explain:

Disp 1 - this will make us view the code+string+memory content of the address that is stored at the address in the
memory box. sounds complicated? I know, let's give an example..
let's say eax=00489760, [eax] (memory content)=00462386, so in the Disp 2 box we see what is IN 00462386:
what code we have there (code is dasmed from the opcodes), what string we have there.
we can select UA 1/2, this will give us pretty much the same as in the memory box..
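Here is an added example (not part of the tutorial, not w32dasm's code) that does in Python what the memory box and the Disp 1 view do by hand: it renders a small constructed memory snapshot in Byte/Word/DWord mode, resolves a [reg+/-num] operand like the [ebp-04] above, and follows the pointer stored at [eax] the way Disp 1 does. The addresses, register values and contents are made up; Code mode (disassembly) is left out.

```python
import struct
from typing import Dict, Tuple

# Constructed memory snapshot (made-up addresses and contents, not dumped from any program).
MEMORY: Dict[int, int] = {}

def poke(addr: int, data: bytes) -> None:
    for i, b in enumerate(data):
        MEMORY[addr + i] = b

def read(addr: int, n: int) -> bytes:
    # unmapped bytes read as zero, the way an empty box would show 00
    return bytes(MEMORY.get(addr + i, 0) for i in range(n))

# a string buffer at 0040A894 and, at 00489760, a DWORD pointer to that buffer
poke(0x0040A894, b"1234-ABCD\x00")
poke(0x00489760, struct.pack("<I", 0x0040A894))

# sample register values, as the register list would show them (constructed)
REGS = {"eax": 0x00489760, "ebp": 0x0012FF80}

def view(addr: int, mode: str = "dword", count: int = 4) -> str:
    """Render memory like the memory box in Byte/Word/DWord mode.
    x86 is little-endian, so the same bytes read differently per mode."""
    size = {"byte": 1, "word": 2, "dword": 4}[mode]
    fmt = {"byte": "<B", "word": "<H", "dword": "<I"}[mode]
    cells = []
    for i in range(count):
        value = struct.unpack(fmt, read(addr + i * size, size))[0]
        cells.append(f"{value:0{size * 2}X}")
    return f"{addr:08X}: " + " ".join(cells)

def effective(regs: Dict[str, int], reg: str, disp: int = 0) -> int:
    """Resolve [reg+/-num], e.g. the [ebp-04] in 'mov eax,[ebp-04]'."""
    return (regs[reg] + disp) & 0xFFFFFFFF

def string_at(addr: int, limit: int = 64) -> str:
    """The NUL-terminated string at addr, as the string view would show it."""
    return read(addr, limit).split(b"\x00", 1)[0].decode("ascii", "replace")

def disp1(regs: Dict[str, int], reg: str) -> Tuple[int, str]:
    """Disp 1: take the DWORD stored at [reg] as a pointer and show what's at that address."""
    ptr = struct.unpack("<I", read(regs[reg], 4))[0]
    return ptr, string_at(ptr)

if __name__ == "__main__":
    print(view(0x0040A894, "byte", 4))    # 31 32 33 34
    print(view(0x0040A894, "word", 2))    # 3231 3433
    print(view(0x0040A894, "dword", 1))   # 34333231
    print(f"[ebp-04] = {effective(REGS, 'ebp', -4):08X}")
    ptr, text = disp1(REGS, "eax")
    print(f"[eax] -> {ptr:08X} holds the string {text!r}")
```

The three views of the same four bytes show why the DWord column reads "backwards" compared to the Byte column: the box prints each unit as a number, and x86 stores the low byte first.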

above the memory box we have the flags, that means what flag equals what, 0 or 1...

in the top right corner we have the status lights; when a line is colored and the lamps are on
that says if we are running, terminated, paused, stepping through/into..

below it we have the segment regs, I don't know much about this, but this is related to asm, so you can
ask people who know asm well...

below we have a very important thing, the breakpoints list.

when setting a break point on a line (F2) the address will go there; * says it's enabled,
right click will disable it, Clear will clear the breakpoints,
AA will Activate All
DA will Deactivate All

below we have the active dlls, which is important if you need to know if any dll is called
and not shown in the import table (with loadlibrary(a)).
below we see the same options, selected like we set them before; we can change them, it will change the
options ONLY for the current debugging.
now, way down we see
"Modify Data" "Goto Current Eip"
Modify Data will open a new window, where you will be able to change data. let's review:

CPU Flags - the 8 flags, zero, signed, carry, etc.. (I know only the 3 I said.. ;p)
one click will change the flag, from 1 to 0 or 0 to 1. the 'T' flag you can't change..

CPU Registers:
you can select the value size, it will change the registers you can use;
you set the value in the box and click on a register to change its value.
you can change the data in the UA's and the Disp2 box,
or write a memory location and change the data there.
Checking "NOP Instruction @ eip" will make the code at Eip a NOP (No Operation),
so if you want to check something 1 time in mem, you can use it.
Close will close with the data selected, Reset All will set everything like before you modified it,
Modify will save the values.

"Goto Current Eip" - will go in the main window to the code line that will be executed.

well, we are done...

for further questions ask me, or read the help file attached to w32dasm.

 Ending :
+--------+

For ending I'll just say that you don't have to use softice for serial fishing, even if sometimes it's
more comfortable...

people say that w32dasm sucks, that you should barely use it. I say, they don't know the tool, they
think it's bad...

make your own choices in life.

Greetings :
~~~~~~~~~~~
DeaL, again, you made me write a great essay (so say i !)
f0dder,jeffro,PhANt0m, all the rest who gave me remarks on the last tut (backtracing),
duelist, for being a good friend and leet cracker.
pain, even if we sometimes fight, I have to admit that your tutorials were very useful in the start..
tKC, thanks for the great tutorials,
Bob (marley, of course), greaaaat music...
Dawai - ]:0 moooooooOOOOOOOOOooooooOOOOOOOOoooooooooOOOOOoo !
all the people who read my tutorials, published my tutorials, helped me,
GlO - thanks a lot for the help..
all the iNSiGHT crew, #New2Cracking staff, DnNuke, sinny, URSoft,Borland,Adobe,
bla.. bla.. again, Invoker, thanks a lot...
all DiGiTAL REALiTY old skewl members ;p
all the crackers, keep up the great job !

ParaBytes / Lewser4Life !

Contact me :
~~~~~~~~~~~~
eMail : Lewsers@Hotmail.com
IRC   : EFNet > #New2Cracking
Here ! ;p

ParaBytes.