Thread: Setting up IDA for analysing Softice functions

  1. #1
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,067
    Blog Entries
    5

    Setting up IDA for analysing Softice functions

    Hi All,

    A lot can be learned about low level system operation from reversing Softice itself. While it is possible to trace live certain sections of Softice code, the more useful analysis is through IDA. Since questions seem to come up all the time which could be clarified by examining SICE code, I decided to write a small introduction to setting up IDA for analysing Softice.


    Step 1, as always, is to make use of the invaluable resource provided by The Owl, in the form of IDB files and Softice headers produced while developing Icedump. The package is one I put together to preserve the info and Yates was kind enough to host it.

    NTICE and WINICE IDB Files by the_owl (IDB)
    http://woodmann.net/yates/ida/softice_idb.zip

    There is also a script by Toteu that may be useful:
    Icedump inc parsing scripts (IDC)
    http://woodmann.net/yates/ida/ice_script.zip


    To begin with, you should update the IDA disassembly of Softice to your latest version. I will explain how to set up what I term the CommandIndex, a call table of all the Softice command function addresses. To properly identify each function, you can use a corresponding ascii table, the NameIndex.

    These tables have been consistent since early SICE versions; you can usually find them by locating some *known* function by examining SICE messages ("I1HERE is ON" for example), then tracing backwards until you find a long list of pointers. In Win9x they were easy to find by tracing the BCHK interface. The simplest method now is probably to search for the ASCII message 'A General Protection Violation has occurred'; the CommandIndex table follows immediately, and the NameIndex follows thereafter. Addresses are from DriverStudio 3.1:

    Code:
    .data:00111061 aAGeneralProtec db 'A General Protection Violation has occurred',0
    .data:0011108D CommandIndex   dd offset sub_69F81     ; DATA XREF: sub_68326+2C9r
    .data:00111091            dd offset sub_5F0F7     ; Altscr
    .data:00111095            dd offset sub_A2D5E     ; Be
    ...
    
    .data:00111381 21 00        NameIndex       db '!',0  ; DATA XREF: sub_6864B+5o
    .data:00111383 AA                           db 0AAh ; 
    .data:00111384 2E 00        a__1            db '.',0
    .data:00111386 38                           db  38h ; 8
    .data:00111387 3F 00        a?_3            db '?',0
    .data:00111389 30                           db  30h ; 0
    ...
    Each ascii string in the NameIndex is followed by an index value which references the correct function address in the CommandIndex. New versions of Softice add new functions to the end of each table.


    Parsing the NameIndex:
    ----------------------
    As an example of parsing the NameIndex to identify the correct CommandIndex function address, let's take the PHYS command. When you enter a command in the Softice window it eventually gets called indirectly in the form:

    call CommandIndex[eax*4]

    where eax is the corresponding NameIndex index value. You may also see it as:

    shl eax, 2
    call ds:CommandIndex[eax]


    Now search in the NameIndex for the command you want to identify, extract the index value, in this case 76h, and plug it into the call equation:

    .data:00111648 50 48 59 53 00 aPhys db 'PHYS',0
    .data:0011164D 76 db 76h ; v

    CALL CommandIndex[eax*4]
    or by address
    CALL 0011108D[eax*4]

    0011108D + (76h*4) =
    0011108D + 1D8h =
    00111265

    00111265 is now the correct CommandIndex address which identifies the PHYS function:
    .data:00111265 31 80 01 00 dd offset c_Phys
    ----------------------


    crUsAdEr came up with a very nice IDA script for automating this. I'll take the liberty of posting it here from a PM we had, he can add any comments he may have.

    Code:
    // Walk the NameIndex: each entry is a NUL-terminated command name followed
    // by a one-byte index into the CommandIndex pointer table. The loop stops
    // at the zero word that ends the table.
    static CmdTable(NameTable, CommandTable) {
        auto i, j;
        auto CmdIndex, CmdName;
        i = NameTable;
        j = NameTable;
        while ( Word(i) != 0 ) {
            while ( Byte(j) != 0 ) j++;   // scan to the terminating NUL
            j++;                          // j now points at the index byte
            MakeStr(i, j);                // define the string item (NUL included)
            CmdName = "c_" + substr(Name(i), 1, j-i);   // e.g. "aPhys" -> "c_Phys"
            CmdIndex = Byte(j) * 4;       // dword offset into CommandIndex
            MakeName( Dword(CommandTable+CmdIndex), CmdName);  // name the target function
            j++;                          // skip the index byte
            i = j;                        // next entry starts here
        }
    }
    
    with the IDC command
    CmdTable(0x111381, 0x11108d);
    on DS3.1.

    Now that you have all the Softice functions named, you can go back to The Owl's IDB files and start filling in the missing pieces, updating your new IDA disassembly. Many of the functions are identical or similar enough that you can start naming some of the global variables and subfunctions that he identified. Do a few of these and you can begin to "read" the disassembly code. It's about here that the little lightbulb above your head goes on ;-)

    Regards,
    Kayaker
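    The NameIndex walk and the CommandIndex arithmetic described in the post, as an added Python example that is not part of the thread or of crUsAdEr's IDC script: it mimics the IDC Byte/Word/Dword accessors over a constructed byte image laid out like the DriverStudio 3.1 listing (the table addresses and the PHYS -> 76h entry are taken from the post; the function pointer values and the table size are made up) and resolves each name to its CommandIndex slot and target address.

```python
import struct

# Constructed stand-in for a slice of the SICE .data segment, modelled on the
# DriverStudio 3.1 listing in the post: CommandIndex is a table of dword function
# pointers; NameIndex is a run of NUL-terminated command names, each followed by
# a one-byte index into CommandIndex, ending at a zero word.
COMMAND_INDEX_EA = 0x11108D  # address quoted in the post
NAME_INDEX_EA = 0x111381     # address quoted in the post
SLOTS = 0xB0                 # constructed table size; the real table is longer
# "!"/"."/"?" and PHYS -> 76h are the entries shown in the post's listing.
NAME_ENTRIES = [(b"!", 0xAA), (b".", 0x38), (b"?", 0x30), (b"PHYS", 0x76)]

def build_image():
    """Return (base_ea, data): CommandIndex, zero padding, then NameIndex."""
    # Placeholder function addresses (constructed): slot k -> 0x50000 + 0x40*k.
    cmd = b"".join(struct.pack("<I", 0x50000 + 0x40 * k) for k in range(SLOTS))
    pad = b"\x00" * (NAME_INDEX_EA - (COMMAND_INDEX_EA + len(cmd)))
    names = b"".join(n + b"\x00" + bytes([idx]) for n, idx in NAME_ENTRIES)
    return COMMAND_INDEX_EA, cmd + pad + names + b"\x00\x00"

class Image:
    """Byte/Word/Dword accessors in the style of the IDC functions the script uses."""
    def __init__(self, base, data):
        self.base, self.data = base, data
    def Byte(self, ea):
        return self.data[ea - self.base]
    def Word(self, ea):
        return struct.unpack_from("<H", self.data, ea - self.base)[0]
    def Dword(self, ea):
        return struct.unpack_from("<I", self.data, ea - self.base)[0]

def parse_name_index(img, name_table, command_table):
    """Walk NameIndex the way the IDC loop does (name, NUL, index byte, repeat
    until a zero word) and return {name: (index, slot_ea, function_ea)}."""
    result, i = {}, name_table
    while img.Word(i) != 0:
        j = i
        while img.Byte(j) != 0:             # scan to the NUL terminator
            j += 1
        name = img.data[i - img.base:j - img.base].decode("ascii")
        idx = img.Byte(j + 1)               # index byte follows the NUL
        slot_ea = command_table + idx * 4   # CommandIndex[eax*4]; 0x111265 for PHYS
        result[name] = (idx, slot_ea, img.Dword(slot_ea))
        i = j + 2                           # next name starts after the index byte
    return result

def resolve_command(name):
    base, data = build_image()
    return parse_name_index(Image(base, data), NAME_INDEX_EA, COMMAND_INDEX_EA)[name]
```

    resolve_command("PHYS") reproduces the post's arithmetic: index 76h, slot 0011108D + 1D8h = 00111265, and the pointer stored there is the address to name c_Phys.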

  2. #2
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Cool, high quality stuff as usual, thanks Kayaker!

  3. #3
    the Lamer ? it's ME ! Yes SynApsus's Avatar
    Join Date
    Feb 2004
    Location
    France
    Posts
    30
    Yeah! Thanks Kayaker! This post is in a certain way a reply to my question, isn't it?
    Identification of the PHYS command will help me a lot. Big, big thanks, man! I'll post the results of my research in one week, and I'll certainly write a tutie + example on my website.
    Have a nice day!

  4. #4
    Great information on the dark codewoods, as usual.

    Regards,
    JMI

  5. #5
    Registered User
    Join Date
    Feb 2004
    Location
    France
    Posts
    99
    Thank you for sharing information like this. This is truly great and could help many reversers. It will help me a lot.

    Thank you very much.

    Regards, Neitsa.
    Omne tulit punctum qui miscuit utile dulci

  6. #6
    Nice one, Kayaker.
    Could not have done it any better!!! Somehow I am quite sure you are in the teaching profession or along that line of work?

  7. #7
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,067
    Blog Entries
    5
    Glad it's useful. I figure if everyone is on the same 'page' so to speak and has these basics in hand, it might encourage further documentation of Softice internals.

    Sorta like this description of the PHYS command....

    http://woodmann.net/forum/showpost.php?p=41341&postcount=13
