
Thread: to softice or not to softice

  1. #1

    to softice or not to softice

    Usual disclaimer...I have spent innumerable hours researching the stock softice solutions and this one is mouse-related, and a bit weird. I was actually learning Olly, and stepped back to ice for a comparison. My mouse has taken to freezing, but ice works ok via the keyboard.

    History...ice (ds 4.3.2) was working fine earlier in 2007 (on XP with SP2). During the summer, I made the mistake of d/ling a bunch of micro$oft hotfixes, etc. Subsequently, got the old 'micopyonwrite' error and my mouse froze after ice boot, both in XP and in ice. Rolling back the hotfixes to mid-2006 got rid of micopyonwrite error. Mouse still freezes on ice boot. No other errors indicated.

    Tried boot.ini trick with version 5.1.2600.1568 ntoskrnl.exe (renamed to old_krnl.exe). OS didn't like that, asking for hal.dll. Renamed a hal.dll from same source as ntoskrnl 1568 to old_hal.dll and used this line in boot.ini:

    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft WinXP DS 3.1" /fastdetect /noguiboot /KERNEL=OLD_KRNL.EXE/HAL=OLD_HAL.DLL /NoExecute=AlwaysOff

    as recommended by micro$oft. Typically, it didn't work. OS keeps asking for hal.dll.

    Anyway, the mouse freeze seems to be something else...maybe new drivers added. I have added a linksys router, but I disabled it, as well as my sygate firewall with no luck. Even disabled nvidia drivers, and tried reducing video acceleration. Of course, reducing it too much kills the ice video.

    In the old days, a mouse freeze usually indicated an IRQ conflict, or a memory address conflict. I'm racking my brain to think what might cause this one...or to find a way to trap it.

    I have also changed my keyboard to a USB keyboard, but the kbrd works fine in ice while the mouse freezes. The mouse is a Logitech ps/2 optical with 2 buttons and a wheel.

    I realize the writing is on the wall for ice, but it's like an old friend. It's too good to be put out to pasture.

    Any ideas?? Is it reasonable to assume that a mouse problem should not be related to osinfo.dat version, seeing that ice works? The window appears and disappears, and ctrl-d brings it up. I can maneuver fine with the keyboard in ice.
    Last edited by WaxfordSqueers; October 13th, 2007 at 01:46.

  2. #2
    well, i suppose you don't have Intel Pentium processor ? :P (i had major problems with softice when i was on Pentium4 ... but when i bought a new pc with AMD inside the problems just vanished..). and if you didn't .. you should update your DS to v3.2.1 (http://www.woodmann.com/crackz/Tools/Ds321.zip)..
    oh and this .. if you have an nvidia gfx card .. you shouldn't use the latest ForceWare cause they kill sice

    ps: i don't think service pack is the problem ... because i've tried softice on VMware with winXP SP3 (pre-beta) installed and it worked okay

  3. #3
    Quote Originally Posted by smoke
    well, i suppose you dont have Intel Pentium processor...
    Yeah...I do...but...everything was cool till the past couple of months. The Pentium isn't an issue.

    Quote Originally Posted by smoke
    you should update your DS to v3.2.1....if you have an nvidia gfx card .. you shouldn't use the latest ForceWare cause they kill sice
    update applied a while back. I'll look into the nVidia solution. Thanks for response.

  4. #4
    Forget about using the mouse, I have never gotten it to work since a Pentium 233 up to my current Pentium 4 (with numerous machines in between) but I haven't encountered a freezing problem... I only remember either the pointer being invisible or the buttons not working.

    Just use the keyboard -- SoftICE isn't GUI based anyway.

  5. #5
    Quote Originally Posted by LLXX
    Forget about using the mouse....Just use the keyboard -- SoftICE isn't GUI based anyway.
    Thanks for the input LLXX. I have thought of doing that but I have never had problems with the mouse before and kind of got used to it. Also, if I exit ice, I can't use it in XP till I reboot.

    I'll keep looking for a solution, but if push comes to shove, I'll take your advice, or try the VM.

  6. #6
    Naides is Nobody
    Hi WAX welcome to Ice hell.

    I have gotten convinced that the failure of Sice in newer computers and newer OS updates/hotfixes usually doesn't have "A" cause, but is a constellation of causes, a perfect storm of software and hardware incompatibilities, which windows is able to navigate, but SoftIce is not.
    For instance: HotFix installations are not perfectly reversible, the computer does not get back to the exact same state it was before. Some key files get updated and overwritten and are left that way. This could be tested by comparing virtual machines 1-before, 2-after hotfix and 3-after hotfix reversal. You will find out that state 1 != state 3.

    I guess one technical answer to this problem has been the driver certification program ongoing with Vista, if it were not for the small problem that it gives to Micro$oft unprecedented, discretionary power to dictate who can get into the market, and who cannot. . .

    Going into virtual machines has been, for me, the most practical solution to this problem, allowing me to throw away and recycle any OS install that refuses to work. But by no means does it mirror your stated problem. The "Hardware" and the "drivers" inside the VM are not the same ones in your computer.
    If you really wanted to pinpoint the problem, perhaps you should make a small, sandbox install of winXP in a different partition, or second HD, and do your debugging and testing there.

  7. #7
    Quote Originally Posted by naides
    Hi WAX welcome to Ice hell.
    Ice hell...would that be near Ring 0?? :-) Thanks for useful comments, naides. I've had pretty good luck with Ice in XP. It has been very stable. Till now, my problems have been limited to a buggy version of Sygate personal firewall, and that was eliminated by upgrading it. Other than that, the only issues I've had were video problems.

    I understand what you're saying about Hotfixes, and maybe I'll try a maintenance install of XP to see if I can rebuild it to the point where the Hotfixes are overrun.

    Quote Originally Posted by naides
    I guess one technical answer to this problem has been the driver certification program ongoing with Vista, if it were not for the small problem that it gives to Micro$oft unprecedented, discretionary power to dictate who can get into the market, and who cannot. . .
    Talking about Micro$oft and their big-brother-type paranoia gives me the heebies. I'm holding off on Vista till the DRM thing makes Vista so unstable that Micro$oft has to abandon it. I can't even get into Hotmail using Opera without a hassle.

    Quote Originally Posted by naides
    Going into virtual machines has been, for me, the most practical solution to this problem, allowing me to throw away and recycle any OS install that refuses to work. But by no means does it mirror your stated problem. The "Hardware" and the "drivers" inside the VM are not the same ones in your computer.
    I'm basically aware of the foibles of running on VMWare. BTW...Soundblaster has a nice little 'PCI 128' driver that works well with their sound cards in VM. I recently loaded Linux Fedora 7 in a VM box, and it works adequately. It's a bit slow, but I'm only using 512M RAM. I'll try a gig and see what happens. It's time to try running Ice on a VM. I'm more worried about the learning curve than anything.

    Quote Originally Posted by naides
    If you really wanted to pinpoint the problem, perhaps you should make a small, sandbox install of winXP in a different partition, or second HD, and do your debugging and testing there.
    good idea. I have a spare 60 gig drive I could load with XP and plug it in when required.

  8. #8
    Continuing my own thread...I put the problem on hold till I checked out other possible problems in Windows XP. For example, I unloaded all the updates, hotfixes, etc., and SP2 itself...being very careful to cut off my internet connection while doing so. I reloaded SP2. I ran into grievous problems doing all that, but managed to get a new and stable SP2 install.

    None of the above cleared up my 'no mouse' problem. Also, I back-dated my NVidia driver, so it's not that either.

    I noticed something peculiar, which maybe someone can help me with. I should mention first, that I recently changed my keyboard to a USB type. It's a Logitech with the 12 separate function keys for bringing up the calculator, etc. Also, it has a Windows key. The mouse is a PS/2 mouse.

    When I first start softice, the DOS window comes up, the softice screen rolls by, and the DOS window closes. After it closes, I have no mouse in XP. Here's the peculiar thing: if I ctrl-D into ice, there is no mouse at first. Once I do a single trace step (T <enter>), the mouse comes back. It only comes back in ice though, if I go back to XP, there's no mouse.

    When I go into ice, the code window cursor is sitting in kbdhid.sys, just after a call at 8:B80BAF51. The call is HidP_TranslateUsageAndPagesToI8042ScanCodes. That seems to be a system function since I can't find a reference to the exact function on the net.

    I was going to post some code but after a preliminary trace through ntoskrnl and several USB imports, I'm wondering if I'm on the wrong track. Softice seems to be sitting in a loop involving kbdhid.sys. It breaks in that loop at the same spot every time. I'll post the first part of the code, however, since there's a reference to 'Chattery Keyboard'. I found this note in an old DS 2.6 blurb that reads:

    When using a USB keyboard with SoftICE, Windows will display the following message:

    **** CHATTERY KEYBOARD : Keyboard is sending useless reports. Tell 'em to fix it.

    This message is caused by the SoftICE keyboard hook code, which prevents Windows from seeing SoftICE's hotkey. This message is normal when using a USB keyboard with SoftICE, and can be ignored.

    Here's the code (note reference to Chattery at 0008:B80AEF84):

    _KbdHid_ReadComplete+01A1

    0008:B80AEF49 E826090000 CALL _HidP_TranslateUsageAndPagesToI804
    0008:B80AEF4E 8B4350 MOV EAX,[EBX+50]
    0008:B80AEF51 8B4B54 MOV ECX,[EBX+54]
    0008:B80AEF54 33FF XOR EDI,EDI
    0008:B80AEF56 894B50 MOV [EBX+50],ECX
    0008:B80AEF59 894354 MOV [EBX+54],EAX
    0008:B80AEF5C 397DF8 CMP [EBP-08],EDI
    0008:B80AEF5F 0F86B7000000 JBE B80AF01C
    0008:B80AEF65 8B4358 MOV EAX,[EBX+58]
    0008:B80AEF68 663938 CMP [EAX],DI
    0008:B80AEF6B 0F8586000000 JNZ B80AEFF7
    0008:B80AEF71 8B435C MOV EAX,[EBX+5C]
    0008:B80AEF74 663938 CMP [EAX],DI
    0008:B80AEF77 757E JNZ B80AEFF7
    0008:B80AEF79 8D8688010000 LEA EAX,[ESI+0188]
    0008:B80AEF7F 803800 CMP BYTE PTR [EAX],00
    0008:B80AEF82 7528 JNZ B80AEFAC
    0008:B80AEF84 6840ED0AB8 PUSH B80AED40 ; **** CHATTERY KEYBOARD : Keyboard is sending useless reports. Tell 'em to fix it.
    0008:B80AEF89 C60001 MOV BYTE PTR [EAX],01
    0008:B80AEF8C E883080000 CALL _DbgPrint ...prints Chattery message
    0008:B80AEF91 834E4801 OR [ESI+48],01
    0008:B80AEF95 59 POP ECX
    0008:B80AEF96 56 PUSH ESI
    0008:B80AEF97 E876F7FFFF CALL _KbdHid_UpdateRegistryProblemFlags
    0008:B80AEF9C 8B06 MOV EAX,[ESI]
    0008:B80AEF9E 57 PUSH EDI
    0008:B80AEF9F 6801000580 PUSH 80050001
    0008:B80AEFA4 FF7008 PUSH [EAX+08]
    0008:B80AEFA7 E8F8F7FFFF CALL _KbdHid_LogError
    0008:B80AEFAC 807E3500 CMP [ESI+35],00
    0008:B80AEFB0 7527 JNZ B80AEFD9
    0008:B80AEFB2 807D0F00 CMP [EBP+0F],00
    0008:B80AEFB6 7421 JZ B80AEFD9
    0008:B80AEFB8 8D8634010000 LEA EAX,[ESI+0134]
    0008:B80AEFBE 50 PUSH EAX
    0008:B80AEFBF 57 PUSH EDI
    0008:B80AEFC0 FFB684010000 PUSH [ESI+00000184]
    0008:B80AEFC6 8D8658010000 LEA EAX,[ESI+00000158]
    0008:B80AEFCC FFB680010000 PUSH [ESI+00000180]
    0008:B80AEFD2 50 PUSH EAX
    0008:B80AEFD3 FF15ACF90AB8 CALL [KeSetTimerEx]
    0008:B80AEFD9 6A18 PUSH 18
    0008:B80AEFDB FF7640 PUSH [ESI+40]
    0008:B80AEFDE 8D4658 LEA EAX,[ESI+58]
    0008:B80AEFE1 50 PUSH EAX
    0008:B80AEFE2 FF1520FA0AB8 CALL [IoReleaseRemoveLockEx]
    0008:B80AEFE8 81C600010000 ADD ESI,00000100
    0008:B80AEFEE 56 PUSH ESI
    0008:B80AEFEF FF15A4F90AB8 CALL [KeCancelTimer]
    0008:B80AEFF5 EB65 JMP B80AF05C ....jumps here

    I've taken some liberties with the code to make it more readable. When I first break into ice, the cursor is sitting at:

    0008:B80AEF4E 8B4350 MOV EAX,[EBX+50]

    The mouse is frozen, but the minute I single step to the next instruction, the mouse works fine, in softice. I'm thinking maybe there's something else going on that I might be missing.

    On the first loop, the message about the Chattery Keyboard is printed on the softice screen. On subsequent loops, it is not printed. It reads:

    **** CHATTERY KEYBOARD : Keyboard is sending useless reports. Tell 'em to fix it.

    Is this maybe a focus problem? When I first go into softice, the mouse is not working. After I do a single trace step, it is. Am I bringing the focus to the softice code window, and if so, how does that affect the mouse? There is a point later on when the mouse freezes again. I need to do more work to identify that point, but another trace step gets it back. I think that point comes around:

    0008:B80AEFE2 FF1520FA0AB8 CALL [__imp__IoReleaseRemoveLockEx]
    0008:B80AEFE8 81C600010000 ADD ESI,00000100
    0008:B80AEFEE 56 PUSH ESI
    0008:B80AEFEF FF15A4F90AB8 CALL [__imp__KeCancelTimer]
    0008:B80AEFF5 EB65 JMP B80AF05C

    The mouse is frozen at the JMP but comes back after the JMP, when I do a single trace step.
    Last edited by WaxfordSqueers; November 27th, 2007 at 03:53.

  9. #9
    Naides is Nobody
    Simple things first.
    Can you connect your old OS/2 Keyboard and Mouse and see how Sice behaves?

  10. #10
    Quote Originally Posted by naides
    Simple things first.
    Can you connect your old OS/2 Keyboard and Mouse and see how Sice behaves?
    I was going to borrow a keyboard. The old one is fried...someone?? spilled something on it. Imagine!!?

    The mouse is the original. Thanks for input, naides, ...I'll get back to you.

  11. #11
    Quote Originally Posted by naides
    re Simple things first.
    How right you were...thanks.

    I borrowed a ps/2 keyboard and softice worked fine. Then, I remembered getting a USB mouse (mouth...as Sylvester would say) with the keyboard. I plugged it into a spare USB port, and softice likes that too. So, USB mouse + USB keyboard seems to work, but not PS/2 mouse + USB keyboard. I like the ps/2 mouse better, for handling, so I might try a ps/2 to USB adapter to see if the USB port will accept data from a ps/2 mouse.

    Unfortunately, nothing ever goes all that well. Softice (startsi) now is hogging 70% of the cpu cycles. A rundll started app, ncpa.cpl is hogging another 20%. I looked it up and it seems to be 'My Network Places'. Go figure.

    Since I reloaded SP2, I'm also getting this error in softice:

    Int0E Fault in SoftICE at address B5DB1ECB offset 00096C43
    Fault Code=00000001
    DS=0010 ES=0023 FS=0030 GS=0000 ESI=FFFFFFFF EDI=8058AE20 ESP=B6141C24
    EAX=00000001 EBX=00000000 ECX=00000000 EDX=00000001 EBP=B6141C78

    FrameEBP RetEIP Syms Symbol
    B6141C78 F77077AC N NTice!.text+00098B4B
    WARNING: One or more symbol tables were not present. Stack backtrace through not-present tables may be incorrect!

    I won't bother you about that one. It's probably a misconfiguration between the osinfo.dat file and ntoskrnl. I need to play with it.

  12. #12
    Quote Originally Posted by WaxfordSqueers
    WARNING: One or more symbol tables were not present. Stack backtrace through not-present tables may be incorrect!
    Answering my own post again. The problem with the symbol tables seemed to be related to the ntoskrnl version put there by the SP2 update. I inadvertently used the 'TABLE' command to check the loaded nms files and there was an error indicated. There were asterisks beside the offending nms files, indicating a problem with the timestamps in the files.

    I had trouble downloading the required ntoskrnl pdb file using symbol retriever. Don't know why exactly, but I'm sure it had something to do with the hotfixes, etc., I had installed prior to reverting to the old SP2 upgrade. The nms files I was using were from the updated hotfix/update files.

    I fixed the problem by loading both ntoskrnl and ntkrnlpa into the retriever at the same time. The retriever got both the pdb files and the nms files from that download got rid of the error message. I tried many times to get ntoskrnl by itself with no luck. Maybe the ntkrnlpa was required. I also downloaded pdb files for kernel32, ole32 and win2k, since they too were flagged by the TABLE command as being not right. Now ice is running with the mouse and indicates no errors on startup. Also, the TABLE command indicates no errors.

    The acid test came thanks to Kayaker's hint for breaking in an app using symbol loader. It can be found in this thread:

    http://www.woodmann.com/forum/showthread.php?t=7528&highlight=ntsetinformationthread

    and uses this breakpoint:

    BPX _NtSetInformationThread IF *(esp+8)==9 DO "dd esp"

    Before fixing up my nms files, I couldn't even list _NtSetInformationThread using the 'exp' command in ice. After fixing them, I set up the BP as suggested by Kayaker, loaded my app in loader32, and bingo, the app broke like a charm. I single stepped the rest of the way right to the entry point of the app.

    Happy to say that reports of the demise of softice have been greatly exaggerated.

  13. #13
    Kayaker (Teach, Not Flame)
    Quote Originally Posted by WaxfordSqueers
    The acid test came thanks to Kayaker's hint for breaking in an app using symbol loader. It can be found in this thread:

    http://www.woodmann.com/forum/showthread.php?t=7528&highlight=ntsetinformationthread

    and uses this breakpoint:

    BPX _NtSetInformationThread IF *(esp+8)==9 DO "dd esp"
    Damn, I had forgotten about that trick! I gotta start using it again. I usually use my own loader, based on a dll injection technique and inserting an Int01 (with I1HERE ON) before jumping to the EP. It's more reliable than the Softice loader for breaking on EP but the Int01 interferes with IceDump, and some protections can detect the extra running dll thread.

    That BPX would be a good one to put into a persistent macro to be called just before starting the target app.


    Glad you got the problem fixed and thanks for posting the solution.

    Happy to say that reports of the demise of softice have been greatly exaggerated.

  14. #14
    Quote Originally Posted by Kayaker
    Damn, I had forgotten about that trick!
    Hey Kayaker...there 'seems' to be an even easier method. I thought I'd seen it on RCE but the closest I could come to it was:

    http://www.woodmann.com/forum/showthread.php?t=5933&highlight=baseprocessstart

    Even at that, pLayAr 'suggested' K32!BaseProcessStart. He obviously knew about it.

    Making sure the context is in K32, using 'Table kernel32', assuming the K32 nms file is loaded, a simple 'BPX baseprocessstart', will land you just about right on the EP of the app.



    With the BP set, ice breaks in K32!baseprocessstart when the app is loaded by loader32. A quick look down the code reveals the following:

    7C816D46 Call NTSetInformationThread ...your call
    7C816D4C Call [EBP+8] ...to EP of app

    The [ebp+8] points right at the entry address of the app. Stepping over the other calls and tracing in there one step puts you right at the entry code of the app.

    Don't know if this works in general, but don't see why not.
    Last edited by WaxfordSqueers; December 14th, 2007 at 18:14.

  15. #15
    Super Moderator
    Yes, setting a BP on that call always works; that's where the executable's main is called from kernel32.dll.

    To reach here, set a BP on NtContinue and, when it's hit, find the context->Eip; the context will always hold BaseProcessStartThunk().
    It pushes 2 constants and will jmp unconditionally to BaseProcessStart().

    Code:
    7c810867 33ed             xor     ebp,ebp <--BaseProcessStartThunk() will reach here from NtContinue() 
    7c810869 50               push    eax
    7c81086a 6a00             push    0x0
    7c81086c e9bb640000     jmp kernel32!RegisterWaitForInputIdle+0x26 (7c816d2c)
    Ignore the WinDbg crap symbols (it gets mad without the right symbols); concentrate on the addresses.
    Code:
    0:000> u 7c816d2c l10
    kernel32!RegisterWaitForInputIdle+26: < BaseProcessStart()
    7c816d2c 6a0c             push    0xc
    7c816d2e 68586d817c       push    0x7c816d58
    7c816d33 e893b7feff       call    kernel32!ReleaseMutex+0x24 (7c8024cb) <-- prolog
    7c816d38 8365fc00         and     dword ptr [ebp-0x4],0x0
    7c816d3c 6a04             push    0x4
    7c816d3e 8d4508           lea     eax,[ebp+0x8]
    7c816d41 50               push    eax
    7c816d42 6a09             push    0x9
    7c816d44 6afe             push    0xfe
    7c816d46 ff15a013807c     call    dword ptr [kernel32+0x13a0 (7c8013a0)]  <---- NtSetInformationThread()
    7c816d4c ff5508           call    dword ptr [ebp+0x8]   < always will be entry point of executable here as per executables pe header> addr of entry point
    7c816d4f 50               push    eax
    7c816d50 e8545fffff       call    kernel32!ExitThread (7c80cca9)
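The two listings above (posts #14 and #15) both end in `call [ebp+8]`, and the thread states that this slot holds the executable's entry point "as per the PE header", while the `push 0x9` just before NtSetInformationThread is the ThreadInformationClass that Kayaker's `IF *(esp+8)==9` condition tests. The script below is an added example, not code from this thread, from SoftICE or from Windows: it parses ImageBase and AddressOfEntryPoint out of a PE image so the value seen at `[ebp+8]` in the debugger can be checked against the file on disk (it also handles PE32+, which the thread does not cover), and decodes the five dwords that `dd esp` shows at the BPX. THREADINFOCLASS 9 is ThreadQuerySetWin32StartAddress, a fact stated here that the posts only imply. The PE images and the stack dwords are constructed for the demo; the 0x7C816D4C return address is the one quoted in post #15, the 0xB6141C7C pointer is invented.

```python
"""Added example: recover the entry point BaseProcessStart will call, and
decode the NtSetInformationThread arguments seen at Kayaker's BPX."""
import struct

# THREADINFOCLASS value pushed before NtSetInformationThread in the listing.
THREAD_QUERY_SET_WIN32_START_ADDRESS = 9

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_entry_point(image: bytes) -> dict:
    """Read ImageBase and AddressOfEntryPoint from a PE image's headers.

    Returns the RVA, the base and their sum, which is the virtual address
    kernel32!BaseProcessStart receives ([ebp+8] in the thread's listing).
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)
    if magic == PE32_MAGIC:                      # 32-bit: ImageBase is a DWORD at +28
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == PE32PLUS_MAGIC:                # 64-bit: ImageBase is a QWORD at +24
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {"image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva,
            "pe32plus": magic == PE32PLUS_MAGIC}


def decode_set_information_thread_stack(dwords) -> dict:
    """Interpret the dwords `dd esp` shows when the NtSetInformationThread BPX hits.

    Stack layout at the break: [return address][ThreadHandle]
    [ThreadInformationClass][ThreadInformation][ThreadInformationLength].
    Kayaker's `*(esp+8)==9` condition tests the third of these.
    """
    ret, handle, cls, info_ptr, info_len = dwords[:5]
    return {
        "return_address": ret,
        "thread_handle": handle,          # 0xFFFFFFFE is the GetCurrentThread pseudo-handle
        "class": cls,
        "info_ptr": info_ptr,             # points at the slot holding the entry point
        "info_len": info_len,
        "is_start_address_call": cls == THREAD_QUERY_SET_WIN32_START_ADDRESS,
    }


def build_sample_pe(image_base=0x00400000, entry_rva=0x1000, pe32plus=False) -> bytes:
    """Constructed minimal PE header (no sections) used as demo input."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 112 if pe32plus else 96
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    ep = parse_entry_point(build_sample_pe())
    print(f"BaseProcessStart will call {ep['entry_va']:#010x}")
    # Constructed `dd esp` dwords: return into BaseProcessStart (address from the
    # thread's listing), pseudo-handle -2, class 9, pointer to the EP slot, length 4.
    frame = decode_set_information_thread_stack(
        [0x7C816D4C, 0xFFFFFFFE, 9, 0xB6141C7C, 4])
    print("EP registration call:", frame["is_start_address_call"])
```

Run against a real image, `parse_entry_point(open(path, "rb").read())["entry_va"]` should match the address you land on after tracing into `call [ebp+8]` (for a PE32 binary loaded at its preferred base; a relocated image shifts by the difference between the actual and preferred base).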
