
Thread: Patch for DriverStudio to fix problem of Symbol Loader not breaking at WinMain

  1. #1
    Kayaker

    Patch for DriverStudio 2.7 to fix problem of Symbol Loader not breaking at WinMain

    Hi All,

    Well, after some digging into the bowels of winice I found the source of the problem of why the DriverStudio versions of Symbol Loader don't break at WinMain. Rather than patching winice I found a spot to set a flag in Nmtrans.dll instead. I'll detail what's going on later, so it can be adapted to other DS versions, but for now I just want to make sure it works for others as well.

    This patch is ONLY for the DS2.7 Nmtrans.dll version, file date 6/20/02, file size 544,853 bytes. I was working on Win98SE but I hope it works on Me and XP as well. Lemme know if it's OK...

    EDIT: Updated patch compatible with all DS versions is in a later post.

    Kayaker

  2. #2
    naides
    Mr canoer, I am very proud of you and thankful for your efforts. Your fix works for me in DS 2.7 on WinXP. I will let you know about DS 2.6 and W2000 in a few hours.
    (I will try to understand what you did to DS2.7, that is what I mean.)
    Last edited by naides; October 14th, 2002 at 22:49.

  3. #3
    Patch is ok on win2k!
    Great work!
    Looking forward to the explanation.

    /Manko

  4. #4
    Kayaker
    All right, cool. It's a simple 3 byte patch, though the reason behind it is a little more involved. I'll explain some of the winice stuff later, but here's the patch point, which is universal in all versions of nmtrans.dll. Where the difference lies in DriverStudio is within winice.exe itself, but patching this takes care of that. The checkbox feature to turn breaking on WinMain on or off still seems to work as well.

    Code:
    Original:
    
    :1001CD7A 25FFFF0000              and eax, 0000FFFF
    
    :1001CD7F 50                      push eax
    :1001CD80 8B4DDA                  mov ecx, dword ptr [ebp-26]
    :1001CD83 51                      push ecx
    :1001CD84 8D55B0                  lea edx, dword ptr [ebp-50]
    :1001CD87 52                      push edx
    * Reference To: nmtrans.DevIO_SetWLDRBreak
    
    Patched
    
    :1001CD7A B801000000              mov eax, 00000001 ; Patch
    
    :1001CD7F 50                      push eax
    :1001CD80 8B4DDA                  mov ecx, dword ptr [ebp-26]
    :1001CD83 51                      push ecx
    :1001CD84 8D55B0                  lea edx, dword ptr [ebp-50]
    :1001CD87 52                      push edx
    * Reference To: nmtrans.DevIO_SetWLDRBreak

    Actually, I'll fix the patcher so it's universal for all DS versions, give me a few hours...

  5. #5
    Snatch
    Well, it's about time someone figured this out, congrats Kayaker! Some information on why eax = 1 is better than eax = 0 - ffff would be interesting, and what eax represents here, not to mention what the value typically is when it doesn't work and how it gets set in the first place, hehe. Very nice work though; it's about time DS 2.7 works completely.

    Snatch

    Edit: Well silly me I forgot to tell you that it worked and on WinXP Pro with SP1
    Last edited by Snatch; October 15th, 2002 at 08:45.

  6. #6
    hobgoblin

    Nice, but..

    Nicely done. :-)
    Unfortunately it didn't work on my system (DS 2.7, and the correct nmtrans.dll, WinXP Pro with SP1 installed).

    I have just tried it on WinME, still no luck. When I put a breakpoint on the address where nmtrans.dll has been patched, SoftICE doesn't even break. A possible solution or explanation would be nice...
    Do you guys have symbols loaded in the loader when you run it? I have that on the XP system, but not on the WinME system. Either way, SoftICE doesn't break at program start.

    All kinds of input will be appreciated...

    regards,
    hobgoblin
    Last edited by hobgoblin; October 15th, 2002 at 15:47.

  7. #7
    Very nice,

    Congrats to you Kayaker.
    For me it's working great on Windows XP Corp with Service Pack 1.

    lownoise

  8. #8
    backeyes
    Congratulations: nice one m8.

    Works for me on Win2k SP3! Many thanx.

    regards

  9. #9
    Cheers,

    I'm off to buy XP and DS 2.7 to test it... ()

  10. #10
    disavowed
    Originally posted by JimmyClif
    Cheers,

    I'm off to buy XP and DS 2.7 to test it... ()
    jimmyclif, ltns

  11. #11
    cool!, thanks and nice job !!

  12. #12
    Sorry, forgot to say it's working fine on 2.6....

  13. #13
    Kayaker
    Shucks, if I had known it was going to be so popular I would have made it shareware! Oh hell, who am I kidding? With this audience? ;-)

    OK, here's an updated patch which *should* be universal for all DS versions. It does a byte scan for the unique string immediately after the patch point
    50 push eax
    8B4DDA mov ecx, dword ptr [ebp-26]
    51 push ecx
    instead of using an absolute offset. This code is identical in DS2.7 and SI4.05, so I'm assuming it is for everything else in-between as well. Please let me know if you find otherwise or it doesn't work.

    I also changed the patch itself slightly from the earlier one. Either instruction patch works OK, this 1-byte patch is just more 'logical' as you'll see, no need to update it if you don't want to. This updated file also contains the *brief* explanation to follow, as well as the patcher source if anyone cares to look at it.


    Hobgoblin, I hope you can sort out what the problem is, hopefully comparing system notes with others might solve it. If not, and if you like, we can go through the Softice code and see if it's taking the proper "path", at least through this part of the code. I've got all the jumps and such logged, plus the proper way to get into the code, so we might be able to at least eliminate one source of the problem...

    To Snatch, Oh Ye of the inquiring mind and many questions :-) I don't know if this explanation will answer all your queries. Perhaps a reversing + results session is in order. The good stuff starts with NmSymLoadExecutableEx where the PE file is mapped into memory and the entry point found in the usual manner. Let us know what you find.

    JimmyClif, you will let us know the "official" reason for DS not breaking at WinMain then? ;p

    OK, here's the new patch, do what you like with it.

  14. #14
    Kayaker
    And the explanation:

    Ever since the DriverStudio versions of SoftIce came out people seemed to be having problems with getting Symbol Loader to break at WinMain. As it turns out there is a small difference in the winice driver from earlier versions in the routine which sets the "CC" breakpoint on the program entry point. This patcher fixes the problem by making a small patch in nmtrans.dll and should be universal for all versions of DriverStudio. Here is a *brief* explanation of the source of the problem...

    ============================================
    To start with, here is the patch in the DriverStudio v2.7 nmtrans.dll. By changing the 1 instruction we affect a variable used in winice, and *ensure* that Symbol Loader will break at WinMain.

    Code:
    
    Original:
    
    :1001CD7A 25FFFF0000    AND EAX, 0000FFFF   ; PATCH HERE
    
    :1001CD7F 50            push eax
    :1001CD80 8B4DDA        mov ecx, dword ptr [ebp-26]
    :1001CD83 51            push ecx
    :1001CD84 8D55B0        lea edx, dword ptr [ebp-50]
    :1001CD87 52            push edx
    * Reference To: nmtrans.DevIO_SetWLDRBreak
    
    Patched:
    
    :1001CD7A B8FFFF0000    MOV EAX, 0000FFFF   ; PATCH
    
    :1001CD7F 50            push eax
    :1001CD80 8B4DDA        mov ecx, dword ptr [ebp-26]
    :1001CD83 51            push ecx
    :1001CD84 8D55B0        lea edx, dword ptr [ebp-50]
    :1001CD87 52            push edx
    * Reference To: nmtrans.DevIO_SetWLDRBreak
    
    ==============================================


    The nmtrans.dll function DevIO_SetWLDRBreak is used to communicate to the winice driver via a DeviceIOControl call that the user wants to break at the program entry point. The DevIO_ConnectToSoftICE function opens the vxd in the usual way with CreateFileA and returns a valid handle. Then DeviceIOControl is called, pushing the dwIoControlCode (9C40601C) for the proper function within the winice vxd to set the "Stop at WinMain" flag. For more info on the functioning of nmtrans.dll, see IceLoad by The Owl, G-RoM and Muffin.


    This unique dwIoControlCode (9C40601C) in nmtrans.dll is our "ticket" into the correct function in winice itself. (All addresses are from DriverStudio v2.7)

    ...
    _text:1001FFBD push 9C40601Ch ; dwIoControlCode
    _text:1001FFC2 push esi ; hDevice
    _text:1001FFC3 call ds:DeviceIoControl ; communicate with winice


    A search in winice.exe reveals the following code:
    Code:
    
    :C00007B0  mov ecx, [esi+0Ch]   ; DeviceIOControl dwIoControlCode
    :C00007B3  mov edx, ecx         ; 9C40601Ch
    :C00007B5  shr edx, 10h         ; isolate HiWord
    :C00007B8  cmp edx, 9C40h       ; equal to 1st part of dwIoControlCode?
    :C00007BE  jnz short loc_0_C00007E0
    :C00007C0  mov edx, ecx         ; 9C40601Ch
    :C00007C2  shr edx, 2           ; 27101807h
    :C00007C5  and edx, 0FFFh       ; 807h
    :C00007CB  cmp edx, 800h
    :C00007D1  jl  loc_0_C0000AAD
    :C00007D7  sub edx, 800h        ; 07h
    :C00007DD  inc edx              ; 08h
    :C00007DE  mov ecx, edx
    :C00007E0
    :C00007E0 loc_0_C00007E0:       ; CODE XREF: :C00007BE
    :C00007E0  inc ecx              ; 09h
    :C00007E1  cmp ecx, 17h
    :C00007E7  jnb loc_0_C0000AAD
    :C00007ED  JMP DS:OFF_0_C0007E10[ECX*4] ; JUMP TO CORRECT ROUTINE
    
    What all this boils down to is getting the correct Index value of 09h in ECX. The JMP statement address then becomes C0007E10 + [09h*4], which leads to:

    :C0007E34 dd offset loc_0_C0000928 ; main function called by DeviceIO_WLDR

    Following the code...
    Code:
    
    :C000093F push dword ptr [eax+0Ch]  ; 1
    :C0000942 push dword ptr [eax+10h]  ; 0
    :C0000945 push dword ptr [eax+8]    ; 0, BUT THIS IS THE CRITICAL VARIABLE!
    :C0000948 push dword ptr [eax+4]    ; CCh (ooh, what's this? ;-)
    :C000094B push dword ptr [eax]      ; filename of program to be loaded
    :C000094D call sub_0_C003718D
    
    That middle variable, dword ptr [eax+8], is going to turn out to be the critical one. It is moved into CX, then later into a small buffer containing the name of the program to be loaded, the "CC", some other flags and the word WINMAIN.
    Code:
    
    :C003719A  mov ebx, [ebp+arg_0] ; filename of program to be loaded
    ...
    :C00371B9  mov edx, [ebp+arg_4] ; CCh
    :C00371BC  mov cx, [ebp+arg_8]  ; CRITICAL VALUE MOVED INTO CX
    
    Now comes the major difference in the code between DriverStudio 2.7 and SoftICE 4.05, and how and why patching that instruction in nmtrans.dll works. Basically all we are doing is duplicating the code that existed in the 4.05 version.

    Code:
    
    DriverStudio 2.7:
    :C003714A  mov ds:dword_0_C0037FA6, edx	  ; CCh
    :C0037150  mov ds:byte_0_C0037F7E, 4
    :C0037157  mov ds:word_0_C0037FA2, 0FFFFh
    :C0037160  mov ds:word_0_C0037FA0, cx 	  ; WE WANT THIS TO BE 0FFFFh
    :C0037167  mov ds:dword_0_C0037FAE, 0
    :C0037171  movzx ecx, byte ptr [ebx]
    
    Softice 4.05:
    :C00607E4  mov ds:dword_0_C0061642, edx   ; CCh
    :C00607EA  mov ds:byte_0_C006161A, 4
    :C00607F1  mov ds:word_0_C006163E, 0FFFFh
    :C00607FA  mov ds:word_0_C006163C, 0FFFFh ; LACKING IN DRIVERSTUDIO
    :C0060803  mov ds:dword_0_C006164A, 0
    :C006080D  movzx ecx, byte ptr [ebx]
    

    This is basically the crux of the matter, but certainly doesn't convey the complexity of the Softice code or give an appreciation of the true excellence of the debugger. Getting lost in the codewoods is the only way to do that ;-)

    Enjoy the patch

    Kayaker
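
    The following is an added illustration, not Kayaker's attached patcher source, of the approach described in posts #13 and #14: locate the patch point by scanning for the unique byte sequence that follows it (50 8B4DDA 51) rather than by absolute offset, verify the original AND EAX,0FFFFh encoding is really there, and flip the single opcode byte 25h to B8h. The sample DLL image is constructed inline; the file offsets it yields are hypothetical.

    ```python
    import sys
    from pathlib import Path

    # Bytes at the patch point in nmtrans.dll (DriverStudio 2.7, from the thread):
    ORIG_INSTR = bytes.fromhex("25FFFF0000")    # 1001CD7A  and eax, 0000FFFF
    PATCH_INSTR = bytes.fromhex("B8FFFF0000")   # 1001CD7A  mov eax, 0000FFFF
    # Unique sequence immediately following it, used instead of an absolute offset:
    SIGNATURE = bytes.fromhex("508B4DDA51")     # push eax / mov ecx,[ebp-26] / push ecx

    def locate_patch(data: bytes):
        """Return (offset, state); state is 'original', 'patched', 'notfound' or
        'ambiguous' (signature seen more than once, so refuse to guess)."""
        hits = [i for i in range(len(data)) if data.startswith(SIGNATURE, i)]
        if not hits:
            return -1, "notfound"
        if len(hits) > 1:
            return -1, "ambiguous"
        off = hits[0] - len(ORIG_INSTR)
        if off < 0:
            return -1, "notfound"
        window = data[off:off + len(ORIG_INSTR)]
        if window == ORIG_INSTR:
            return off, "original"
        if window == PATCH_INSTR:
            return off, "patched"
        return -1, "notfound"          # signature present but preceded by something else

    def apply_patch(data: bytes) -> bytes:
        """Flip only the opcode byte 25h (AND) -> B8h (MOV); refuse anything else."""
        off, state = locate_patch(data)
        if state != "original":
            raise ValueError(f"cannot patch: {state}")
        out = bytearray(data)
        out[off] = PATCH_INSTR[0]
        return bytes(out)

    # Constructed stand-in for the DLL: filler, the patch point, the signature and
    # the next two instructions from the listing (lea edx,[ebp-50] / push edx).
    SAMPLE_DLL = b"\x90" * 16 + ORIG_INSTR + SIGNATURE + bytes.fromhex("8D55B052") + b"\x00" * 8

    if __name__ == "__main__":
        path = Path(sys.argv[1])               # e.g. a copy of nmtrans.dll
        data = path.read_bytes()
        off, state = locate_patch(data)
        if state == "original":
            path.with_suffix(path.suffix + ".bak").write_bytes(data)   # keep a backup
            path.write_bytes(apply_patch(data))
            print(f"patched at file offset 0x{off:X}")
        else:
            print(f"nothing done: {state}")
    ```
    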

  15. #15
    So like why the value 0xffff? Besides that it's equal to v4.05 and (by luck?) works I don't see the explanation/reason why you want this value.

    // CyberHeg
