HELLO ALL!!!!!!! Sorry it's been a long time since my last instructional tutorial... but I've been kinda busy. This really isn't a tutorial, just a few tricks that I use from time to time. Have fun, and enjoy :)

josephCo

ps. ANYONE that would like to add to this doc can come to #cracking4newbies, get ahold of almost any op and send them YOUR little trick.


Well, I'll start off by explaining a little trick I use for attacking serials. I don't use any of the main APIs (GetDlgItemText(A), GetWindowText... if that one is really worth using); I almost always break on HMEMCPY. (HMEMCPY is an export of the 16-bit kernel, KRNL386, so this is a Windows 95/98 trick; it is not there on NT.) When I set my breakpoint on HMEMCPY, I single step (F10) into it about 17 to 25 lines. You should find code similar to this:

    PUSH ECX
    SHR ECX,2        ; number of dwords to copy
    REPZ MOVSD       ; copies from DS:ESI (32 bit) to ES:EDI (32 bit), 4 bytes at a time
    POP ECX
    AND ECX,3        ; the 0 to 3 bytes left over
    REPZ MOVSB       ; same as REPZ MOVSD, but 1 byte at a time
    XOR DX,DX
    XOR AX,AX

NOW, this may seem a little tricky, but just stick with it. You will find that this method is usually a bit easier for breaking on your serial or name. At REPZ MOVSD, in SoftICE, type:

    D DS:ESI   (32 bit)    or    D DS:SI   (16 bit)

You should see your name, serial number, or whatever you typed in. Now type:

    D ES:EDI   (32 bit)    or    D ES:DI   (16 bit)

This shows the location your information will be COPIED TO, e.g. 22BF:00000000. Notice the strange segment (22BF). If you BPR on that SEG:OFFSET range you MIGHT not break again at all: the selector is only good while this copy is going on, and the program will get at the data through a different segment/selector later on. Now F10 until all of your information is copied (past REPZ MOVSB). At this point type:

    PAGE 22BF:00000000    (or whatever SEG:OFFSET you have)

Something like this will show up:

    Linear    Physical  Attributes  Type
    80284960  01603960  P D AU RW   System

What we want to do is put a BPR (breakpoint on range) on the LINEAR address. To do this you need to know how many bytes are in the range, and you HAVE to use SELECTOR 30. Example:

    BPR 30:80284960 30:80284969 RW

This sets a break on a range of 10 bytes (both ends are inclusive, so 60h through 69h) for RW (read/write) access. Make the range as long as the text you typed in.
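Added example (mine, not part of the original tutorial and not SoftICE code): a small C model of what the HMEMCPY trick relies on. It emulates the SHR ECX,2 / REPZ MOVSD / AND ECX,3 / REPZ MOVSB split so you can see how many F10 steps a given string costs, decodes the base out of a standard 8-byte x86 segment descriptor to show why 22BF:00000000 and 30:80284960 are the same linear address, and computes the inclusive BPR length. The descriptor bytes are constructed: selector 22BF is given base 80284960h purely so it matches the PAGE output above, and selector 30 is modelled as SoftICE's flat selector with base 0.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* How the copy loop split a request of n bytes. */
struct copy_stats {
    uint32_t dwords;   /* iterations of REPZ MOVSD */
    uint32_t bytes;    /* iterations of REPZ MOVSB */
};

/* Emulates the HMEMCPY tail seen under SoftICE:
 *   PUSH ECX / SHR ECX,2 / REPZ MOVSD / POP ECX / AND ECX,3 / REPZ MOVSB
 * dst and src play the roles of ES:EDI and DS:ESI. Returns how many 4-byte
 * and 1-byte moves ran, i.e. what you single-step through with F10. */
struct copy_stats hmemcpy_like(uint8_t *dst, const uint8_t *src, uint32_t n)
{
    struct copy_stats st = { n >> 2, n & 3 };          /* SHR ECX,2 / AND ECX,3 */
    uint32_t i = 0;
    for (uint32_t k = 0; k < st.dwords; k++, i += 4)   /* REPZ MOVSD */
        memcpy(dst + i, src + i, 4);
    for (uint32_t k = 0; k < st.bytes; k++, i++)       /* REPZ MOVSB */
        dst[i] = src[i];
    return st;
}

/* Copies a NUL-terminated sample (NUL included) through hmemcpy_like and
 * sets *ok to 1 when the destination ended up identical to the source. */
struct copy_stats copy_sample(const char *s, int *ok)
{
    uint8_t dst[64] = { 0 };
    uint32_t n = (uint32_t)strlen(s) + 1;
    struct copy_stats none = { 0, 0 };
    if (n > sizeof dst) { *ok = 0; return none; }      /* constructed samples only */
    struct copy_stats st = hmemcpy_like(dst, (const uint8_t *)s, n);
    *ok = memcmp(dst, s, n) == 0;
    return st;
}

/* Base address out of an 8-byte x86 segment descriptor (a GDT/LDT entry):
 * bytes 2-3 = base[15:0], byte 4 = base[23:16], byte 7 = base[31:24]. */
uint32_t descriptor_base(const uint8_t d[8])
{
    return (uint32_t)d[2] | ((uint32_t)d[3] << 8) |
           ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
}

/* SEG:OFFSET -> linear: descriptor base plus offset. This is the "Linear"
 * column of SoftICE's PAGE command; paging then maps it to "Physical",
 * which is not modelled here. */
uint32_t linear_address(const uint8_t desc[8], uint32_t offset)
{
    return descriptor_base(desc) + offset;
}

/* BPR start end watches both ends, so the covered length is end - start + 1. */
uint32_t bpr_length(uint32_t start, uint32_t end)
{
    return end - start + 1;
}

/* Constructed descriptors (not dumped from a real machine):
 *   desc_22bf: the tutorial's temporary selector 22BF, base 0x80284960 so that
 *              22BF:00000000 lands where its PAGE output says.
 *   desc_30:   SoftICE's flat selector 30, base 0, so offset == linear. */
static const uint8_t desc_22bf[8] = { 0xFF, 0xFF, 0x60, 0x49, 0x28, 0x92, 0x00, 0x80 };
static const uint8_t desc_30[8]   = { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x92, 0xCF, 0x00 };

int main(void)
{
    int ok = 0;
    /* 14 characters + NUL = 15 bytes -> 3 x MOVSD, 3 x MOVSB */
    struct copy_stats st = copy_sample("josephCo-12345", &ok);
    printf("copy ok=%d: %u x MOVSD, %u x MOVSB\n", ok, st.dwords, st.bytes);

    uint32_t lin = linear_address(desc_22bf, 0);
    printf("22BF:00000000 -> linear %08X\n", lin);
    printf("30:%08X   -> linear %08X\n", lin, linear_address(desc_30, lin));
    printf("BPR 30:%08X 30:%08X RW watches %u bytes\n",
           lin, lin + 9, bpr_length(lin, lin + 9));
    return 0;
}
```

Build with any C99 compiler (cc -std=c99 hmemcpy_model.c). The point of the descriptor half is that a selector value like 22BF tells you nothing by itself; only its descriptor base does, and selector 30 is useful precisely because its base is 0.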
If you want to see that two different addresses can really be the same memory, you can:

    D 30:80284960

and compare it with D 22BF:00000000; you get the same bytes. ALWAYS use selector 30, because it ALWAYS exists (it is SoftICE's flat selector with base 0, so through it a linear address and an offset are the same thing). That's just the facts. Basically all this does is keep you from having to F12 out of the normal API and then searching memory for your serial/name. It is extremely useful for 16-bit programs, because there the segment always changes. Now you can go about your merry way (F5) and repeat the process, or BD (whatever breakpoint it is), and you should break when your serial/name is read. Simple ;)


The next trick I use is for NAG SCREENS. This may seem confusing too... but again, play around with it. You'll get used to it. When a nag screen pops up, enter SoftICE and type:

    HWND

You should see something similar to:

    Window Handle  hQueue  SZ  Qowner    Class Name          Window Procedure
    ____________________________________________________________________________
    0080(0)        2057    32  MSGSRV32  #32711(switch win)  17ef:00004b6e
    0084(1)        2057    32  EXPLORER  shell_trayWnd       1487:0000016c
    ......
    ......

What you want to do is scroll down the list of handles and look at the QOWNER column. Find the handles that belong to your program, and if your nag screen has an OK button, look for a BUTTON under Class Name. If your nag screen doesn't have one, then anything with BUTTON after it won't be the handle you want to break on. This is trial and error until you get the one you want (explained in a little bit). The list of handles will probably be quite long, but usually the nag screen is amongst the first that belong to your program. Once you think you've found your nag screen's handle, you will want to use the BMSG command. To see the exact parameters it allows, while in SoftICE type:

    HELP BMSG

OK, now to our example. Let's assume your nag has an OK button after the handle you want to break on (easier to find), and you think you've found the proper handle. You would type:

    BMSG 0084 WM_DESTROY

where 0084 is the handle of your nag screen. (In the listing above 0084 happens to belong to EXPLORER; in your own listing use the handle whose Qowner is your program.)
What this basically does is tell SoftICE to break when that window receives WM_DESTROY, i.e. as the nag is being torn down after you dismiss it. You will be deep inside some unknown API, so you have to F12 (P RET, Proceed until RETurn) back to your program's code. At this point you want to find where the nag was created (set BPX on most of the calls you come out of). The nag screen was most likely created and destroyed in the same call, so if you find the proper one, do whatever you need to do.

*NOTE* I'M NOT GOING TO GO INTO DETAIL HERE. IF YOU DON'T KNOW WHAT TO DO WITH A CALL, THEN PRACTICE, AND READ SOME MORE TUTORIALS.

I hope these 2 tricks help you. Like I said earlier, if you would like to add anything to this, PLEASE TYPE UP A LITTLE .TXT and send it to any OP. Please include your nick so we can give you credit.

COMING SOON: HOW TO MAKE SYMBOLS FOR SICE (easier way to debug).

Thanx in advance
josephCo