Page 1 of 2 12 LastLast
Results 1 to 15 of 26

Thread: SoftIce + XP one big, or 3 small probs..

  1. #1

    SoftIce + XP one big, or 3 small probs..

    ok, i have searched, tried, pathced, edited, read, thought and god-oly knows what else i did during last 48h. i searched through this forum for last 5h, and it did have faaar more materials about SI that all others i have found..

    many ideas, different ideas, all the same problems, but NOTHING works...

    Duron 1.2G, 256MB, mainb: K7S5a, hell knows whever SIS or VIA..
    GF2MX400 64MB on detonators 53.03
    WXPpro without SP1/SP2, with several hotfixes

    from the beggining: i have tried a month ago to installl SIv4.05 - failed, patching with allmighty 3 files didn't do the trick. next i tried installing 4.27, failed again, 3 files failed again. so, after 2 weeks of searching/blah/ i obtained DS3.0.1, tried to install, FAILED. And Compuware tells it supports XP heh. I've digged through the whole Knowledgebase in search for solution. I have found many, but none worked. OK, i thought, i have tons of trash in the system, maybe it is it??

    now, after reistalling WXP, few progs, hotfixes, and drivers, i have tried to install directly DS301 and .. failed. But from the beggining - DS have installed, i have set it up to boot. WXP didn't start, so i ESC'ed the drivers, got to the desktop, switched to system, voil'a, WXP now runs clear. But SI doesn't (hangs on C+D, doesnt resume on C+D or f5). ok, i searched deeper, and somehow digged out patch DS30SP2.exe from compuwaer, which i somehow missed earlier. i have applied it, and from now on, SI displays the window correctly (WOW it managed to display it self at least..)

    but there is different issue that need solving - keyboard. after SI patches it, the keyboard (apparently key table) gets messed, and in the very best case, behavies erratically, sometimes just right, sometimes a little wrong (mouse on USB works all the time ok). but in many cases keyb just gets into such lets say "code page" that i can in no way guess where that ** key is that now is that ** (different) key OR everything is OK for a time - after etting into SI, i have 3..5s before hangup, from which i can get out with CAD (!)(commented later). my esarching led me to some ideas, some from this forum, some from compuware..
    *)i HAVE found (not here, on other site, dunno which one now) something said to be keytable changer. it can overwrtie keytable ie. in keyboard drivers like that in ntice.sys. in package i found 3 tables - deutche (dk.map), ??(dk.map) and USA(us.map). usa one seemed to contain just the same what i have in my ntice.sys, so i assume the ntce.sys has correct table. (yes, i have tried later overwriting with us.map - no change)
    *)swapping i8042prt.sys - files from compuw.'s w2ktest.zip doesnt work.
    w2k!=wxp
    *)swapping -,,--,,--,,-- - file from SP1 didn't work (my idea) ...
    *)[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTice]
    "KbdMethod"=dword:67416E5A - from this forum, worked in a way. as long as it is in registry i can write in SI for about 5..20s.

    in that small time SI work correctly, an if i manage to switch out of SI before it hangs, the switchin out seems to reset the time counter. but it is haaard to guess when would it want to hung today [ok, that was meant as a joke connected to "where do you want to go today" but after writing one more screen of this post, i realised that it can be too hard ]

    next thing: after running command "net start ntice" or "net start iceext" (iceext gave me additional 0..10s )) and waiting abut 30s, console window informs me about success, SI window flashes, and the sh** with keyboard happens. whats more that console window DOESNT close. the NET command hangs after printing message. Console doesnt hang. I sometimes can force closing NET (Ctrl+C, if keyboard works..). after running SI, any tries to run NET-related command (net view, net stop etc) end in NET's hangup either right on start, or at the end.
    SI seems also to block any other process terminating, or worse - hangs up computer on attempts to close/terminate whatever. Computer with SI running slows down constantly (ab. 10% in 2..4 minutes). I managed however to close notepad two times in a row before hangup
    *) i have my little brain and some memory, and tried to apply incidentially found patch described in issue
    [ frontline.compuware.com/nashua/kb/doc/1348.asp ]
    after 3 hangups (hey, i have to write in SI...) i obtained address:
    8058DC32, while SI in it window shows all the time
    NtTerminataProcess found out at: 805A5246
    either with my corrections, or without them. SI seems to ignore the Addr.NtTerminateProcess key.

    what next.. god, i'm completely tired.. (location: poland, time: GM+1, local time: 4 a.m.) forgive me any grammar/etc mistakes

    ahh, i also obtained txt from the SIwindow, by I:\SoftICE\SoftICE\nmsym /log:log.txt
    but as long i have only 2 logs, 'cause every such a call results in hangup after or before writing file.. if BEFORE, im popped out into SI *with instant hangup* and i can see that SI halted at NTSTATUS:STATUS_ACCESS_VIOLATION
    if AFTER writing - i have luck, and brand new log. in this log i see maany things more or less interesting. i think this part is most important, but i can also send you even whole two logs so the part is:

    NTICE: Load32 START=71B40000 SIZE=2C000 KPEB=80F6F768 MOD=netmsg
    001
    Int0E Fault in SoftICE at address F54C0053 offset 00092D8F
    Fault Code=00000000
    DS=0010 ES=0023 FS=0030 GS=0000 ESI=00000000 EDI=F6295D64 ESP=F6295CFC
    EAX=00000000 EBX=F9DB2E20 ECX=00000000 EDX=00000000 EBP=F6295D64

    FrameEBP RetEIP Symbol
    F6295D64 00000000 NTice!.text+00094CD3

    and after it, ntice loads several MOD's successfully (or omits them successfylly, i dont know, just no further errors). it seems NTICE have a problem with netmsg.dll - i checked it, i cant get any symbols from microsotf, and any exports (checked by EXT= and ICEPACK - icepack throw out error on reching this file). so, i thought "maybe it is my goddam sygate firewall". enabling/disabling/uninstalling does nothing to IS ofcourse. SI still reports the same error in the same place.

    ok, now, in shorter form, about winice.dat options:
    Option turned on or off, SI doesnt find USB mouse.
    Disabling keyb. pathing results in disabling keyb driver on loading SI.
    Disabling NUMlock progr. seems to disable keyboard
    Enabling keyb. pathing and NUM programming results in that issues described above
    Disabling/Enabling Pentium supprt really doen't nothing
    The DSControlPanel setts walue ECHOKEYS=[ON|OFF] on turning keyb. pathing on/off respectively. Strange. Older SI's seemed to use KBD name instead. I tried KBD - no reaction.
    I thought that dealyed hangups may be seaprated from keyboard issue, and be just a result from i-thought-repaired video problem. i treid changing VidMemory with such results:
    2048kb..65536kb - all the same (mind that i have 64mb on GF2MX400)
    over 65536kb - on entering SI, screen screws into "out of frequency" and if im lucky 0 the keyboard is ok- i can switch off SI and work on desktop again.
    mouse on/of - nothing, mouse isnt present, as the SI doenst find any USB devices.. (BUF when SI runs, mouse work correctly, maybe with some slowdowns..)

    And one more thing with the keyboard - since SI uses (i think) direct keyboard (sheeesh what was the word for it?????) gr.. cant recall. ok lets say: since it uses "direct keyboard sniffing", it should make any difference, what keyboard layout i use under WXP? OR MAYBE that is the thing - and i must either simply switch to US-KeybLauout, so the i8042prt will be automatically exchanged for the US-i8042.sys or obtain/make somehow file "pl.map"?
    (as you could notice form "location: poland", i'm in poland, i speak polish and i think in polish, so it is easier for me to have polish layout, even it it has just
    the same characters on the same positions.. strange? not we have some national-specific characters not found in roman alphabet, added under ie. alt+a, alt+e, alt+s etc. computer maniacs like me are a bit more flexible, and for us "myslenie" is the same as "myślenie" [thinking] but for other it is just "killing our beautiful language", so at least for theirs sake, i need those extra characters :| )

    ok, EOF

    PS.i pasted this post into notepad - wow, i wrote "just" 8.06KB!!
    PS2. thanks for help!
    PS3 (thanks for reading)^2

  2. #2
    Nice for the post to be viewed at least
    I write now because i've noticed i'd forgot the almost most important thing:

    "please HEEEEEEEEEEEEEELPPPPP"

  3. #3
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,124
    Blog Entries
    5
    Hi

    I have no idea how to help you, wouldn't know where to start, but just thought I'd mention a thread by Czerno where he patched TRW's keyboard tables to handle a foreign keyboard. If you really think that the keyboard mapping may be part of your problem, you might consider a similar idea with Softice.

    http://woodmann.net/forum/showthread.php?t=4296&highlight=czerno

    Other than that all I can say is good luck, and I'm sure glad I don't have XP...

    Kayaker

  4. #4
    thanks for hint, i haven't read this post earlier. however, i have already found out few things that i think close the keyboard-key-map-table-etc ides.

    first one: as i write, i tried to patch ntice.sys with us.map table (which was the same as found in ntice.sys) - no result. strange. [nmfilter was INSTALLED manually, it didnt install into the system with SI installation]

    second one: later i tried once again to patch it [nmfilter REMOVED - i backed to 'clean' SI installation..] and ... net start ntice said "error-blah service coudnt start blah corrupt file blah" or something close to it

    third: i tried switching in WXP to US-layout, just for fun. Ofcourse i8042prt, keybdrv, key01 etc files werent even touched by the system - so no change for SI

    fourth, the dumbiest: just before realising "fifth" i got stuck at:
    ok, i have us-table, i need polish-table. how do i know which codes on polish keyboard match which ASCII? how do i know the scan codes for polish keyboard?

    fifth, the best one: after seeing that error in "second" and getting stuck in "fourth" i realised that i misunderstood word "foreign keyboard". I have Standard Keyboard, with standard key layout, with nothing polish, or even non-english on it (ok, except for dirt, which is completely local ). Key table converts scan codes into key codes, right? so, i'm almost sure that my keyboard has just the same scan codes as yours; why would it need to have different, if it works with 100% non-national-specific devices and have no-national-specific keys???
    ------------------------------------------------------------
    [updated later] oh, i've forgotten, there was also sixth:
    sometimes the keboard, after launching SI , have a delay of exactly 2..3 chars (in different windows session it changes, but during session it is constant). ie in notepad:
    i press in sequence: abcdefghijkl
    ntpd gets: [nothing][nothing]abcdefghij
    then i press: 012345
    and ntp cathes: kl0123
    and so on.
    seems just like SI screwed sth in the keyb's ring buffer [static buffer, two pointers to its elemets indicating start and end, reading element by *(buf
    +element%bufsize). 'ring buffer' was that the english name for it?]
    Last edited by quetzalcoatl; January 4th, 2004 at 10:59.

  5. #5
    Ari Benta
    Guest
    Do you use Kaspersky Antivirus? If so, try changing the registry key "Start" at
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Klif" and "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVMonitorService" to 3 (manual load).

    (Erm, no, there shouldn't be a space between "Servic" and "es"..)
    Last edited by Ari Benta; January 4th, 2004 at 17:55.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    nope, i don't have any antivirus. however this thingies i have starting with the system:
    DStrayicon, SygatePers.FirewallPro, DAP, DaemonToold3.43+ShellSuite, VCD5.0 (yes yes, two different virt.cd drives, i just have old cd images for VCD), C-Media Audio Configuration (shitsoft automatically installed with drivers onboard soundcard), 2 programs from Detonators (nwiz.exe and NvCpl), and the last - CreativePlayerDetector (came with Jukebox3).
    and any services those programs need, and ofcourse system-critical services

    need more info on something? need some blog? just name the topic

    PS. i'll repeat myself, but previous is hard to find..

    Please Heeeeeeeeeeelppppppp!
    Last edited by quetzalcoatl; January 4th, 2004 at 18:08.

  7. #7
    Just as a wildass guess suggestion, have you tried turning off your other running programs and/or tasks in the task manager?
    First step: turn off all or most other running, non-critical not related applications. Try again to make it run.

    Step two: Begin turning off other running processes, one by one, and seeing if doing so has any effect on your condition?

    Step three: Turn off the first suspect running process and then add a second, in sequence, i.e. tasks 1 & task 2, then task 1 & task 3 and so on. You can repeat these sequencing event such as task 2 & task 3, task 2 & task 4, and so on. That way you will eliminate the running processes as the culprit. Of course this will possibly identify the culprit, but not the cause or cure, unless you can make it run correctly without whatever you identify.

    Step four: If you have an extra HD, do a clean install of xp and necessary drivers and updates to match your hardware configuration. Install SICE and see if it works without any of your other software. If so, you could start installing them one at a time until it breaks again and then you would have identified at least one of the programs which is causing the issues.

    All you need is time to burn to try all these things. By the way, have you tried Olly?

    Regards,
    JMI

  8. #8
    Ari Benta
    Guest
    Well, I had the same problem.. after I started SIce, the dos box stayed open, everything was super slow and hell instable.. and I also tried everything I found on the web, but nothing helped, until I changed those kaspersky services to manual.. but as you don't have that installed, I don't really know what might be the cause for your problem. However, it might be some other driver on your system which interferes witch SIce, so maybe if you disable one driver after another, you can find the faulty one..
    good luck!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    Hum. That sounds kind of familiar. See previous post.

    Regards,
    JMI

  10. #10
    Quote Originally Posted by JMI
    ...wildass... steps..
    Funny named, no offence, i didn't know that word

    That was the first, no sorry, the third thing i've tried. First: reboot, Second: try to patch SI as i read many times (3 files..) Third: Check for conflicts with progs. ??th: reinstalling SI Now i suspect that i't maybe sth with the Syg'sFirewall, but i've tried turning it off/etc and still with no effect.

    What really bothers me is that strange message
    NTICE: Load32 START=71B40000 SIZE=2C000 KPEB=8122EDA8 MOD=netmsg
    Int0E Fault in SftICE at addrss F3497053 offst 00092D8F FaultCode=00000000

    maybe its just because netmsg.dll has no debuginfo, but it's quite dumb idea, as many files doesn't have them and SI runs somehow somewhere else...

    what more suspicious i've never found any references to "softice netmsg" anywhere and nothing interensting with "softice load32"...

    aaa and one more thing - i did try befrore and after reinstallin wxppro... i really have now wxp at minimum. i don't even have office yet )
    Last edited by quetzalcoatl; January 4th, 2004 at 19:25.

  11. #11
    kao
    Guest
    Hi,
    you did not mention what kind of keyboard it is: PS2 or USB. SI sometimes has problems with USB keyboards, so maybe this is the case. Try switching to PS2 keyboard or use an USB-to-PS2 adaptor.

    Hope this helps,
    kao.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  12. #12
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647

    Some combinations

    I guess you would not contact compuware for Costumer service help, right ?

    Some Display cards and Keyboard Drivers just won't cut it with SoftIce. Perhaps the Duron CPU may have its own wrinkles.
    Consider installing either Win2000 or Win98 (as dual boot OS) and see if Sice runs in those OS. I mean try to isolate if the the problem is in your hardware, versus your Operating System, versus your Drivers.

  13. #13
    Keyboard: PS/2 Mouse: USB, i have tried with keyboard w/o mouse nad vice vera, no effect.
    to be honest i'm a bit of tired now. no blog today in the schedule i have now trying with different releases of SI, i have tried now ROR's full DriverStudio3.0.1 (cdimage) 125mb, ROR's DriverSuite3.0 (that is just SI and the closest programs cut from that cd) 61.5mb, and in next 15mins i'll try SoftIce Lite 4.30...

    shit. i've just unpacked the archive "softice_lite4.30.rar" and found inside "DriveCrypt+", gosh,
    GOD ONLY KNOWS HOW MUCH I DO HATE THOSE FCKD FAKEEEEEEES

  14. #14
    Hi,

    I think you have too many things going on at the same time.
    Too many install's/patches/winice.dat

    The only practical way to solve this problem is to install a clean OS,
    No extra app's should be installed, no firewall/antiV/realP etc;
    From the task manager shut off any extra crap that XP has running.

    Install SI. Does it work ?
    Change video adapter and drivers to "generic" and reduce the display to 640.
    Change the keyboard drivers to "standard" and make sure the layout is set to US. Not us dvorak or whatever the other options are.

    If this does not work, dont add any patches etc; Go to Sysinternals and download some tools and watch what is happening. If this fails to provide an answer then you can try 2000 or get a new rig without a duron processor

    You are just one of those lucky people running XP and can't get SI to run properly for some strange reason.

    Keep us updated please.

    Woodmann

  15. #15

    Lightbulb Happy Endian :)

    Quote Originally Posted by Woodmann
    1) I think you have too many things going on at the same time
    2) No extra app's should be installed, no firewall/antiV/realP etc
    3) Go to Sysinternals and download some tools
    4) Get a new rig without a duron processor
    5) can't run SI for some strange reason
    6) Keep us updated please.
    Woodmann
    1,2 - in fact, yes that was one of the problems
    3 - you mean filemon & regmon? i know them well indeed, really good tools..
    4 - low on cash and don't want to downgrade hardware :|
    5 - reason weren't as strange as it seemed before..
    6 - why, of course i will after writing such a essay about problems with SI how could i not write how i did solve them? more, with so many keywords those post will catch any query about problems with SI ROTFL

    i have solved the problem just before reading you post, but thanks for reply anyway, there weren't many of them

    ---------------------------------------------

    hereby i report that 99% percent of problems with instalation of the SoftIce are closed.

    we have a saying "najciemniej pod latarnia" [ "the darkest place is just under the lantern" ] meaning that it is hard to find something lying just on sight..

    i have pasted earlier that fragment of log from SI window:

    NTICE: Load32 START=71B40000 SIZE=2C000 KPEB=80F6F768 MOD=netmsg
    Int0E Fault in SoftICE at address F54C0053 offset 00092D8F

    so, there was an error in NETMSG.DLL. but what is it? well, after little thinking, one can say that it has something with network messages, right?
    so i tried turning off firewall-de-sygate, with no effect. tried to disable it at startup - no effect. at last i've got completely mad it constantly asking me about something, despite turning off every 'ask me' option, and i uninstalled it. after reboot i started SI, and ... console window closed after finishing.

    hey. it never did close. ... aaaaarrrrgggghhh
    i opened the notepad. i closed the notepad - no crash...
    so i opened it again, closed, opened, closed.
    wooow closing doesn't crash anymore.

    ctrl-D, and i saw exactly this at the top of SI history:

    NTICE: Load32 START=71B40000 SIZE=2C000 KPEB=812134C8 MOD=netmsg
    NTICE: Exit32 PID=9C MOD=net1
    NTICE: Unload32 MOD=net1
    NTICE: Unload32 MOD=netrap
    NTICE: Unload32 MOD=netmsg
    NTICE: Exit32 PID=94 MOD=net
    NTICE: Unload32 MOD=net
    NTICE: Exit32 PID=7F4 MOD=cmd
    NTICE: Unload32 MOD=cmd

    first note - no error at mod=netmsg!!!
    second note - just look what were unloaded just after that netmsg..
    NET1:exit, NET:ext, CMD:exit
    so, firewall blocked somehow Exit32 when it was about to close NET1...

    but i wasn't happy for long. i exited SI, nad checked keyboard in notepad. well.. eh, it still had that strange 'delay' . so just to be sure i entered SI once more played awhile, bumped the mouse, and saw SI freezing again.

    having that netmsg issue in mind (trivial net-msg <-> firewall), could be that bumping the mouse related to halting SI (usb mouse instead usb keyboard)? lets try some unpluggin'

    so, i unplugged the mouse receiver, rebooted, started SI, waited 5minutes.. and nothing, no crashes, no freezes. what's better - with out mouse, keyboard also seemed to work correctly.

    ...thinking...
    bump_the_mouse()==>freeze_the_SI(). ok. but why waste_time(time)==>freeze_the_SI()...
    shit... ofcourse... keepalives... just that you don't touch your wireless mouse, doesn't mean that the mouse won't send anything... so the true 'equation' was: receive_msg_form_mouse()==>freeze_the_SI().

    so, just for a test, with SI runing, i plugged the mouse, keyboard still ok, SI still ok. what the hell? hmm.. i opened confing panel, troubleshooting tab, and i see that i still have mouse-disabled, usb-mouse patching disabled. hmmm. i left the mouse connected, rebooted, started SI. everything works. so the alst thing - i enabled mouse support, enabled usb-mouse, rebooted - keyboard ok, mouse behaves on the desktop as if there is CTRL pressed and the most strange: SI doesn't crash on mouse movements! heh, still it must be disabled for the keyboard..

    the last thing - why when previously i turned off the mouse support and patching, SI still freezed overtime because of the 'pings' from mouse?
    some time ago i tried to sniff packets exchanged between computer and Jukebox3 via Firewire (IEE1394 port), downloaded some strange tools for universal port sniffing, and got suprised that i could set up an IP address not only for connection through network card and via Firewire (that was ok) but also for USB. at that time i thought it was just bug - someone used the same dialog template for different ports, but now it makes som sense..
    it seems that the reason why turning off usb support didn't work earlier was.. again firewall. turning it on/off started working just after unintalling it, right? SI also stopped crashing on mouse movements then.. it's all as if the firewall messed not only with network and it interface, but also with USB. this and that strange IP setting in sniffer... does it mean that USB controllers are also seend by the system (or used) as network adapters? i knew that Firewire (IEEE1394) is, but to be honest i've never heard such a thing about USB


    ok, EOF

    now in reeeally short form:
    *) problem with thread killing was solved by uninstaling completely Sygate's Firewall.
    *) problem with no reaction on changing DisableMouseSupport and DisableUSBMousePatchnig was also solved then
    *) erratic keyboard seemed to be solved by solving USB issue.
    *) Wireless USB Mouse (M$ design..) is still erratic when SI is running with 'mouse enabled', but SI doesn't hang anymore on receiving signals from mouse
    *) so the compuware's "USB mices won't work with SI" isn't 100% true. my mouse works, but sometimes -only for the mouse- ctrl key gets 'locked'. ie.on the desktop, clicking will select multiple items all the time (unless you pess ctrl, or unlock it by repeatedly presing both ctrl's and having some luck )

    [added] *) and i forgot about one thing (again...)
    i have also found file OSINFO.DAT.. yes, yes, yes i know that it should be updated whenever possible. BUT as i searched (even on compuware's site) i have found bunch of osinfo's of size: 290kb, 298kb, another two between it, and one OSINFO_XPSP1.dat NOW i'm saying about osinfo.dat of size 310kb, from 29August2003. i don't have an idea where guys got it, as even osinfos in my DS3.0.1 (the newest version i know about) were smaller. ok not allways smaller!=older but here's database about system versions, so it is probable file is available at: (i hope it's not against rules to post a link to small patch..?)

    http://reversing.kulichki.com/files/debug/osinfo.rar
    Last edited by quetzalcoatl; January 5th, 2004 at 21:43.

Similar Threads

  1. Board probs ??
    By monguz in forum Off Topic
    Replies: 5
    Last Post: September 3rd, 2004, 10:38
  2. revirgin probs
    By asd in forum Tools of Our Trade (TOT) Messageboard
    Replies: 4
    Last Post: May 11th, 2003, 00:26
  3. Dede probs with directdraw graphical stuff
    By Lbolt99 in forum Tools of Our Trade (TOT) Messageboard
    Replies: 1
    Last Post: July 25th, 2002, 20:10
  4. DS 2.5 and XP probs
    By CirKutz in forum Tools of Our Trade (TOT) Messageboard
    Replies: 0
    Last Post: February 12th, 2002, 02:08
  5. Really newbies probs
    By cherry in forum Malware Analysis and Unpacking Forum
    Replies: 1
    Last Post: March 14th, 2001, 21:53

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •