Driver Studio 3.2/Softice 4.3.2


Greyhound2004
June 2nd, 2008, 13:29
Yipee!! I finally got Softice to work under XP SP2 using Driver Studio 3.2;
even the mouse works. I'm following a tutorial that sets a BPR but Softice tells me it's an invalid command.
In earlier versions of Softice you used to be able to do something like this:-

BPR 0010:00091AAF 0010:00091AAF+9 rw

I did read something about ring 3 but did not understand it, how do I set this break point?


Greyhound2004
June 2nd, 2008, 13:51
It seems that the Softice BPR function was discontinued with Win95.
Is there another way of achieving the same result?

Kayaker
June 2nd, 2008, 16:37
There was a test BPR command in IceExt, but I don't think it was fully working.

You can achieve the same thing with BPM(B/W/D), though without the Backtrace capability BPR had.

BPMD 00091AAF rw will break on rw access to any byte in the Dword at that address.
BPMD 00091AAF+4 rw will break on the next Dword, etc.
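Turning a BPR range into the BPM commands Kayaker describes is mechanical, but the count is what bites: as an added example (not code from this thread), this Python sketch covers a byte range with BPMB/BPMW/BPMD watchpoints and checks the result against the four x86 debug registers. The length-alignment rule and the four-slot limit are assumptions about the hardware, not something the thread states.

```python
# Added example (not from the thread): plan SoftICE BPM watchpoints over a byte range.
# Assumptions: x86 hardware watchpoints (DR0..DR3) give at most four slots, and a
# 2- or 4-byte watchpoint is placed on an address aligned to its length, as the
# Intel manuals require. Whether SoftICE itself rejects unaligned BPMW/BPMD is
# not stated in the thread, so this planner is deliberately conservative.

DEBUG_REGISTER_SLOTS = 4  # DR0..DR3 on x86


def plan_bpm(start, end):
    """Greedy cover of the inclusive byte range [start, end] with aligned
    1/2/4-byte watchpoints. Returns a list of (size_letter, address)."""
    if end < start:
        raise ValueError("end must be >= start")
    plan = []
    addr = start
    while addr <= end:
        remaining = end - addr + 1
        # Prefer the widest watchpoint that is both aligned and still inside the range.
        for size, letter in ((4, "D"), (2, "W"), (1, "B")):
            if addr % size == 0 and remaining >= size:
                plan.append((letter, addr))
                addr += size
                break
    return plan


def bpm_commands(plan, access="rw"):
    """Render the plan as SoftICE BPM commands (flat 32-bit addresses, as in the thread)."""
    return ["BPM%s %08X %s" % (letter, addr, access) for letter, addr in plan]


def fits_hardware(plan):
    """True if the plan can be armed with the debug registers alone."""
    return len(plan) <= DEBUG_REGISTER_SLOTS


if __name__ == "__main__":
    # Greyhound2004's range: BPR 0010:00091AAF 0010:00091AAF+9 rw (10 bytes)
    small = plan_bpm(0x91AAF, 0x91AAF + 9)
    print("\n".join(bpm_commands(small)))
    print("fits in DR0..DR3:", fits_hardware(small))
    # herb's range: bpr 401000 401000+3D18b4 RW (about 4 MB)
    big = plan_bpm(0x401000, 0x401000 + 0x3D18B4)
    print("watchpoints needed:", len(big), "fits:", fits_hardware(big))
```

The 10-byte range needs a byte, two dwords and a byte (exactly four slots); herb's 4 MB range needs about a million, which is why a hardware-backed BPM cannot substitute for a true BPR there.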

Greyhound2004
June 3rd, 2008, 00:34
Thank you for the info Kayaker.

herb
June 30th, 2009, 14:28
Hi,
I also use Driver Studio 3.2 and am missing the BPR command. How can I set a breakpoint for memory ranges e.g. bpr 401000 401000+3D18b4 RW now?

naides
June 30th, 2009, 17:47
@herb: You cannot. BPR does not work in full Win32 systems (not even in the old Windows NT).

disavowed
June 30th, 2009, 18:25
FWIW, the current beta release of OllyDbg 2.0 (http://www.ollydbg.de/odbg200j.zip) can effectively do BPR:

Trace --> Set condition... --> Memory range 1 accessed: 401000 ... 7D28b4 on R/W

WaxfordSqueers
July 1st, 2009, 05:04
Quote:
[Originally Posted by Kayaker;74926]There was a test BPR command in IceExt, but I don't think it was fully working.
I tried it the other night with IceExt and had no luck. I was racking what's left of my brain trying to find another way to do it (break on a memory range greater than a dword).

Since you're the expert on conditional breakpoints, how would it work if you BP'd on eip with a memory range? I'm assuming the memory address will be in eax, or another register, at some point. For example, a bp on eip 'if eax > 401000 && < 402000'? I realize that would be a hassle because you'd have to reset the program for every miss when eax was not the register holding the mem value. But if you were desperate....???

I can see a problem with that already since a lot of memory access is done with pointers to pointers. But how about the old *eax?
Just a thought.

Although I have never used the 'watch' window, how about that? Does the window just pop up, or does it stop the app? It's a bit late...I may not be thinking all that clearly.

Elenil
July 1st, 2009, 07:40
If you write bpm eip or bpx eip, Softice will use the current eip as the value,
but maybe it helps to trace the program. IceExt supports that, like:
!trcinit (eax == 5 && (ebx >= 0x6 || ecx != edx)) || al < ah && ecx == 7
or with the other command:
!trace 10000 0x77000000
!trace 10000 MessageBoxA

The bpr command is one of the commands removed from Softice when it came to NT/2000/XP. I seriously never tried the !bpr command from IceExt, but maybe it's worth a try.
I also noted some other commands are removed or don't work correctly anymore (like hwnd, or the condition != (works ok if you use spaces)).

Greyhound2004, I may have a solution if you don't want to load IceExt manually:
try to download my protector and hit (load iceext with protections)
http://www.woodmann.com/collaborative/tools/index.php/IceStealth

Greyhound2004
July 1st, 2009, 10:20
Still very much a newbie and haven't played with those commands yet.

Elenil
July 1st, 2009, 14:52
Don't make it complicated for yourself:
run IceStealth (after Softice is started),
check the checkbutton (load iceext with protections),
hit "load new protection" -> done.

herb
July 1st, 2009, 16:45
thx for all the replies.

WaxfordSqueers
July 1st, 2009, 20:48
Quote:
[Originally Posted by Elenil;81436]...i also noted some other commands are removed or dont work currect anymore (like hwnd.....)
I use SPYXX from an old Microsoft C disk I bought years ago. If you load the target app, it shows you all the current hwnds. Also, the bmsg command seems to have changed. In the past, you could type bmsg hwnd wm_command, but now you have to type bmsg hwnd 111. In other words, you have to give it the message handle instead of the message name.

Softice is getting finicky in its old age, then again, aren't we all?

JMI
July 1st, 2009, 20:58
Speak for yourself, dagnabbit!

Although Karl Malden did finally cash in his chips today. But it was about time, after all he was 97 and trying to live forever. Today he "left home without it" if you catch my drift.

He did play some good roles though.

Regards,

WaxfordSqueers
July 2nd, 2009, 20:42
Quote:
[Originally Posted by JMI;81473]Speak for yourself, dagnabbit! Although Karl Malden did finally cash in his chips today.....
That'll be 'Mr' dagnabbit to you.

I had not heard about Karl Malden. Too bad, he seemed like a good guy. Whereas 97 is considered a real good run, Linus Pauling figured humans 'should' be able to reach 120. It was cancer that got him, even though he was taking 18 grams of Vitamin C a day.

I think the greatest mistake we all make is retiring physically. Humans are not designed to sit on their butts, and after 30, the human body loses about 10% of its lean muscle mass per decade. That's apparently due to the loss of growth hormone, which the body stops producing about that age. Vigorous exercise helps the body excrete more. Unless steps are taken, through exercise, to maintain that mass, we'll all end up literally as little, old people. A recent medical report claims humans who carry a bit of extra weight into older age stand a better chance of surviving.