To get the breakpoint list, type bl in the command line. The first column indicates the breakpoint index. Indices are assigned sequentially, so the second breakpoint gets the next index, the third the one after that, and so on. The index is very useful when we want to edit a breakpoint. We edit an existing breakpoint with the instruction bpe <index>. Consider the following example:
bpx getdlgitemtexta
Here we set a breakpoint on execution of the function “getdlgitemtexta”. SoftIce needs the symbols of the user.dll module, since this function is part of the user.dll module.
bl
We get the breakpoint list. Note that SoftIce lists each breakpoint with its index, its type (BPX = on execution) and the module!function name, i.e. USER.DLL!GetDlgItemTextA. SoftIce automatically recognizes that this function belongs to user.dll. If it can’t find an appropriate module, then you have to either edit winice.dat (see the section on winice.dat) or use another function name.
bpe
We decide that this breakpoint is not correct, so we want to edit it. SoftIce will put us in edit mode, with the current breakpoint’s value in memory.
Chapter : Using the Debugger
bpx getdlgitemtextw
This will replace getdlgitemtexta with getdlgitemtextw. To verify the change, all we have to do is use bl.
To remove all or some of the breakpoints we’ve set, we use the bc command (breakpoint clear). If a star (*) is used as the argument, all breakpoints are cleared. Otherwise, we must give the index of the breakpoint we wish to remove (use bl to retrieve it).
Occasionally, we may find that the breakpoints currently in memory are not all that useful at the moment. We might then want to disable some or all of them without erasing them: if we erase them, we have to type them in again the next time we want to use them, whereas if we disable them, all that is needed is to enable them again.
For this purpose we use the bd (disable) and be (enable) commands, which take the same arguments as bc. If a star (*) is used, all breakpoints are disabled or enabled respectively; otherwise only the breakpoint with the given index is disabled or enabled. Note that when we list the breakpoints (bl), disabled breakpoints are shown with a * after their index.
Command   Explanation
bpm       breakpoints on memory access (can be bpm, bpmb, bpmd, bpmw)
bpr       breakpoints on memory range (very, very useful), see also bprw.
Also useful are bpt (template) and bstat (statistics), but these commands are beyond the scope of these notes and won’t be described or used.
Useful Functions
GetDlgItemTextA is invoked each time a string from a text box is retrieved. Therefore, we can rely on the fact that each time we enter something in a text box and the program tries to read the data contained there, this function will be executed.
Hmemcpy is even more powerful than the previous one, since this function will always be invoked. Consider the case where the programmer bypasses GetDlgItemTextA by using his own controls and methods. Since the string will be stored in a variable that resides in memory, hmemcpy will be invoked.
Navigation in SoftIce
After you’ve set a breakpoint and SoftIce has popped up, all you need to find out is who called the function you’ve breakpointed. That is, the function resides in a module whose symbols are imported in SoftIce (see the section on winice.dat). When SoftIce detects the function, it means that you are in the module that implements the function and of course you are
Hackman Editor
Hackman is a hex editor and disassembler (in the future, there’ll also be an application-level debugger under the same suite). Its purpose is to let you easily export and modify portions of the code of any executable program. Of course, it may be used as a mere hex editor. In the following sections, a brief description of some interesting functions included in both the Lite and Professional editions is given.
String Manipulation
With this function, you can search both -bit and -bit files (Windows .x, x, NT and Me) for strings. A string may be any label that appears as a menu or as a static or dynamic caption within a program. Take Windows Explorer for example.
Labels are the menu names (like File) but also some dynamic menus. Try right-clicking an .exe file and then a .dll file. You’ll notice that some entries in the pop-up menu change while others always exist (like Properties, Delete and Rename). Those that always appear are called static menus; those that may or may not appear are called dynamic menus. If you try to delete a file, a dialog box appears asking for your confirmation. The text on that dialog box is also a string resource.
Almost every application has string resources. The first step in searching for them is to identify whether the program is -bit or -bit. The difference between them is that the -bit programs use Unicode strings. This is illustrated below:
Label “Text” is equal to in standard ANSI (-bit)
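As an added illustration (not from the original notes), this Python snippet shows the two byte forms a label such as “Text” takes, ANSI (one byte per character) versus Unicode (UTF-16LE, two bytes per character), and searches a constructed sample blob for a label in both forms, which is what a hex editor string search has to do; the sample bytes are constructed for this example, not taken from any real program.

```python
"""Find a caption in a binary in both ANSI (1 byte/char) and Unicode
(UTF-16LE, 2 bytes/char) form, as a hex-editor string search would."""
import re


def encodings_of(label: str) -> dict:
    """Byte patterns a Windows program may store for a label.
    ANSI is the one-byte-per-character form; Unicode is UTF-16LE."""
    return {
        "ansi": label.encode("cp1252"),
        "unicode": label.encode("utf-16-le"),
    }


def find_label(data: bytes, label: str) -> list:
    """Return (offset, encoding) for every occurrence of label in data."""
    hits = []
    for name, pattern in encodings_of(label).items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Pull printable ANSI and UTF-16LE runs out of a blob (a 'strings' pass)."""
    ansi = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = [(m.start(), "ansi", m.group().decode("ascii")) for m in ansi.finditer(data)]
    out += [(m.start(), "unicode", m.group().decode("utf-16-le")) for m in wide.finditer(data)]
    return sorted(out)


# Constructed sample: an ANSI "Text" label, some padding, a Unicode "Text" label
# and a Unicode dialog caption; not taken from any real executable.
SAMPLE = (b"\x00\x01MZ\x90\x00" + b"Text\x00" + b"\xff" * 6
          + "Text".encode("utf-16-le") + b"\x00\x00"
          + "Confirm File Delete".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for off, enc in find_label(SAMPLE, "Text"):
        print(f"{off:#06x} {enc:8} {encodings_of('Text')[enc].hex(' ')}")
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:#06x} {enc:8} {text!r}")
```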
Version stamps usually exist in executable files and dynamic link libraries. To view the version stamp of a file (OS specific), all you have to do is right-click it, select Properties and click on the Version tab. If the Version tab does not exist, then there is no version stamp.
Chapter : Hackman Editor
Changing the version stamp is easy: go to the Write menu, then Special, then Version Changer. If the file you’ve opened has a version stamp, the plugin (Version Changer) will automatically let you edit the version strings (under the “lower or equal” rule: a new string may not be longer than the one it replaces). This could also be done manually by searching for the strings and replacing them, but this way is much faster.
Date Stamp
Date stamps usually exist for every file. Although the creation date and time and the last modification date and time are handled logically, the last access time is not, because when you right-click a file and select Properties, you actually access it and therefore the stamp changes again. You can change the date stamps of any file with Hackman. Just open the file in Hackman (it is then called the logged file), go to Write, then Special, and then select Modify dates.
Icon Resources
To extract icon resources from a file, use the Icon Xtractor (from the Write menu select Icon Xtract). To replace an icon in a file, first extract the icon you want to replace. Then open the extracted file in Hackman and select a part of it (double-click to select, say, a run of bytes). Press Copy. Go to the target file and press Find. Then paste the bytes into the find text box.
You’ll find the icon’s bytes in the target file. They should be as long as the extracted file; if unsure, check the length of the extracted file. Overwrite this information (delete it and then use Insert File to insert a new icon into the target file).