Exetools  

  #1  
Old 01-09-2004, 11:06
jadesk99
Is it possible to breakpoint on the entry point of a DLL

A DLL includes the code to check the registration key!!!
The DLL has to be loaded in memory to debug with SoftICE, but
the DLL is not loaded at first, because it is loaded only when
using just some function.

So I have no idea how to debug the DLL!
Is there a way to set a breakpoint on the entry point of the DLL?
Please give me any other useful tips!

Thanks
  #2  
Old 01-09-2004, 14:32
lownoise
i3here

Replace the entry point of the DLL with an int 3 and set i3here on in SoftICE.
  #3  
Old 01-09-2004, 16:20
zlatko
Olly and DLL

Can anyone help me find the OEP of a DLL with Olly?
  #4  
Old 01-10-2004, 01:50
jadesk99
What is 'i3here on'?
Replacing the code at the entry point with 'INT 3',
is that right?
  #5  
Old 01-10-2004, 06:38
jadesk99
I replaced the code 'mov ebp,esp' at the entry point with 'int 3' using a hex editor.
But SoftICE doesn't break at that point.
Help me!
  #6  
Old 01-10-2004, 08:18
asterix
_http://www.exetools.com/forum/showthread.php?s=&threadid=2108
  #7  
Old 01-11-2004, 04:16
jadesk99
asterix,
Thank you very much!

The DLL was packed by aspack 1.08.04, so I unpacked it with
unaspack1.08.04! But the DLL was not loaded into memory after unpacking!
Then I re-packed it with aspack1.08.04, but it was not loaded into
memory either!

--summary--
if original DLL -> loaded success
after unpack -> not loaded
after repack -> not loaded
--
Also, when debugging with SoftICE, I step with F8 and
I can see the code changing automatically.
Example: the next code was 'ADD ...' but after F8 the code was changed to 'CMP.,.,'

I give up cracking!
The program, with its powerful anti-debug and anti-disassembly, surprised me!!
Sorry for the terrible English!
  #8  
Old 01-11-2004, 06:07
themusicman
When you use F8 in SoftICE you go into the function. It is better to use F10; then you go through the program.

Normally, if you go through the program and you come to the point where the exe file checks the DLL, SoftICE loads the DLL without problems! If you have problems with this, disable your breakpoint after SoftICE breaks into the program and use F10 to go further.

Good luck

T.S
  #9  
Old 01-11-2004, 20:57
ricnar456
In OLLY it is easy

In Olly go to DEBUGGING OPTIONS-EVENTS and put a mark in BREAK IN MODULE LOAD (dll).

Olly stops on the load of any DLL, and shows in VIEW-EXECUTABLES the name of the DLL that was loaded.

When you see the name of the loaded DLL, right click and press FOLLOW ENTRY and you are at the entry point of the DLL; you can BP on the entry point or on any point, BPM in the code section, etc.

Ricardo Narvaja
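
The address that FOLLOW ENTRY jumps to can also be read statically from the PE headers. The following is an added example, not part of the original post: it reads AddressOfEntryPoint, maps it to its section and raw file offset, and flags an entry point that lies in a section marked both writable and executable, a common indicator of a packed image. The function names and the header-only sample image are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def locate_entry_point(data: bytes) -> dict:
    """Map AddressOfEntryPoint to its section and raw file offset."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsections,) = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, file_flags = struct.unpack_from("<HH", data, pe_off + 20)
    opt_off = pe_off + 24                                        # optional header
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)  # AddressOfEntryPoint
    info = {"is_dll": bool(file_flags & IMAGE_FILE_DLL), "entry_rva": entry_rva,
            "section": None, "file_offset": None, "writable_code": False}
    for i in range(nsections):
        base = opt_off + opt_size + 40 * i                       # 40-byte section header
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, base)
        (flags,) = struct.unpack_from("<I", data, base + 36)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            info["section"] = name.rstrip(b"\0").decode("ascii", "replace")
            if entry_rva - vaddr < rsize:    # entry is backed by bytes on disk
                info["file_offset"] = rptr + (entry_rva - vaddr)
            rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
            info["writable_code"] = (flags & rwx) == rwx
            break
    return info

def build_sample() -> bytes:
    """Constructed header-only DLL image: one RWX section, entry at RVA 0x1010."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1010).ljust(0xE0, b"\0")
    sec = struct.pack("<8sIIIIIIHHI", b".packed", 0x1000, 0x1000,
                      0x200, 0x400, 0, 0, 0, 0, 0xE0000020)
    return dos + coff + opt + sec

if __name__ == "__main__":
    print(locate_entry_point(build_sample()))
```
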
  #10  
Old 01-12-2004, 00:01
zlatko
Olly and dll

Thanks Ricardo,

This particular DLL is protected with ASPr. and it is integrated in the Delphi IDE. Your suggestions?
  #11  
Old 01-12-2004, 01:02
britedream
Hi,
what is the name of the program?
  #12  
Old 01-12-2004, 01:49
zlatko
Olly + dll

SDMSoft SourceWizard

Regards,

Z
  #13  
Old 01-12-2004, 17:35
ricnar456
I have in my FTP

a tut, but it is in Spanish

143-ASProtect en una DLL por JUAN JOSE.rar

Ricardo Narvaja
  #14  
Old 01-12-2004, 21:09
jadesk99
There is no jump or call instruction in the next code.
But when the next code executes, other code execution happens.

Anyway,
I believed the file analyzer when it said it was packed by 1.08.04.
But now I think it may not be 1.08.04.

Also, the DLL could not be disassembled with W32dasm,
so I used IDA. But IDA cannot disassemble it either.

The DLL file is d2maphack.dll of mousepad's diablo2 maphack program.

Also, Olly could not debug the DLL because the DLL has the code
to check the registration key, so if there is no key the DLL is automatically unloaded.
Olly can debug a DLL loaded into memory!

-- summary --
1. cannot disassemble with any disassembler
2. cannot debug with SoftICE because code changing happens
3. cannot debug with Olly because the DLL cannot be loaded
--
So I give up.
If we can know the exact packer/protector used, it may be possible to debug or disassemble.

Thanks
Sorry for the terrible English

Last edited by jadesk99; 01-12-2004 at 21:12.
  #15  
Old 01-12-2004, 21:25
britedream
Sorry!
The original program is not working on my PC; I
think it needs a DLL that I don't have.

All times are GMT +8.