
Thread: DS31 softice in XP with XP2

  1. #1

    DS31 softice in XP with XP2

    Hi...I've spent over 10 hours reading through the RCE archives the past few days looking for softice (DS31) setup hints on XP with SP2. A lot of the hints were helpful and I've got myself setup to a point where softice will stick at the program entry point using symbol loader. I can also trace through code without incident. The following are issues I'm having a hard time resolving.

    1) My system slows down incredibly when I'm not in softice. If I try to open a file manager, it can take 30 secs to a minute before it loads. My system is a P4 with a 2 gig processor.

    2) The DOS window that opens when I load Ice manually stays open, even if I try to close it. I read about this in another thread and it seemed related to a firewall. I shut my firewall down and it did not help. It's a Sygate free personal firewall and I did not unload the app.

    3) I can't shut down windows without using hboot in ice. After using ice, sometimes the task manager won't even open.

    4) I'm afraid to try loading softice other than manually because I'm using a dual boot system with Win 98SE in the primary partition and XP on the second partition. It's on a FAT 32 system. I've heard there may be problems with a dual boot system.

    5) I tried out IceExt and it loaded ice fine. I got it to dump a screendump from Ice in raw format so I could send it to this forum, but how do I translate the raw code? It's in unicode and I can see it on Uedit in hex dump mode, but not in text mode.

    I wanted to send some code from ice, because IceExt 'seems' to have added an EB FE at F2D5F294 in NTICE. I did not use breakpoints in my tracing other than a 'G' instruction to jump to a code position. This prevents me terminating a running app in ice. Before the EB FE showed up, I was tracing an app that loaded a splash screen followed by a message box generated by an exception. The message box said the app trial had expired.

    BTW...when the message box opened, it had an OK button. I hit it and Ice disintegrated. It was after ctrl-Ding out and back in that I noticed the EB FE in Ntice.

    Actually, I found the code from NTICE:

    0008:F2D5F28F 1F POP DS
    0008:F2D5F290 83C404 ADD ESP,04
    0008:F2D5F293 FB STI
    0008:F2D5F294 EBFE JMP F2D5F294 <---------
    0008:F2D5F296 CD01 INT 01
    0008:F2D5F298 CF IRETD
    0008:F2D5F299 53 PUSH EBX
    0008:F2D5F29A 56 PUSH ESI

    If I CTRL-D now, ice is stuck at the position indicated by the arrow above at F2D5F294. I know about the EB FE trick for freezing Ice so you can get out for a minute. But why was it inserted in NTice? It might explain why I'm having trouble shutting XP down after using Ice. It might be a good idea to look up the actual bytes so I can replace them.

    Notes: I have added all the SP2 files recommended.
    Last edited by WaxfordSqueers; January 14th, 2005 at 04:55. Reason: confusion due to spelling errors

  2. #2
    for #1 to #4
    I'm not using DS3.1 nor SP2, so I can't help much.
    However, after installing a new OS/system, softice is one of the first things I install. This removes a software/driver conflict from the list of possible cause(s) of problem(s).

    Also, did you analyze carefully the log messages left by NTice & IceExt? IceExt outputs a detailed report of the hooks it installs & it is open source; so it is easier to find out why things go wrong by reading the src code :-)

    for #5
    there's a folder "SiwRender" in the IceExt installation.

    edit SiwRender.ini to reflect your settings & desired font. then run SiwRender.exe

  3. #3
    Also, did you analyze carefully the log messages left by NTice & IceExt? IceExt outputs a detailed report of the hooks it installs & it is open source; so it is easier to find out why things go wrong by reading the src code :-)
    I did to the extent I'm capable. I noted three items as follows:

    1) 'Warning: AC97 not found.' ...near end of IceExt load

    2) reference to AVP (Kaspersky) module that is being 'unloaded'. I don't know what the unloading means.

    NTICE: Unload32 MOD=AvpShlEx
    NTICE: Unload32 MOD=avp32Loc

    I'm not using the AVP monitor features, but I'm wondering if its spy facility is still loaded. If so, I have no idea how to unload it. There was an app called Registry Drill that would let you block drivers at boot time.

    3) in softice load, there is reference to an 'Int0E fault' with code 1. Most of this is beyond me. I have copied the pertinent lines below. I didn't want to copy the entire loading log because it's quite long.

    NTICE: Load32 START=73D30000 SIZE=17000 KPEB=FFA72590 MOD=wbemcons
    001
    Int0E Fault in SoftICE at address F2E69EF4 offset 00093C50
    Fault Code=00000001
    DS=0010 ES=0023 FS=0030 GS=0000 ESI=00000000 EDI=8058AE20 ESP=F3F0ECB4
    EAX=00000001 EBX=F8947E20 ECX=00000000 EDX=00000001 EBP=F3F0ED08

    FrameEBP RetEIP Syms Symbol
    F3F0ED08 F887673A N NTice!.text+00095B74

    Raw Stack Dump: ESP=F3F0ECB4
    F2E68C6E
    F8870010
    00000086
    8058AE20
    00000000
    F3F0ED08
    F3F0ECE0
    F8947E20
    F88792EC
    FE9ACBD8

    for #5 there's a folder "SiwRender" in the IceExt installation.
    thanks for the tip. When he said screen image, that's what he meant. It's a BMP file.
    Last edited by WaxfordSqueers; January 14th, 2005 at 02:24.
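    As an added illustration (not code from the thread, from SoftICE or from IceExt), the Int0E block quoted above can be read mechanically: Int 0E is the x86 page-fault exception, and its error code is a bit field (bit 0 set means the page was present and access was a protection violation, bit 1 distinguishes write from read, bit 2 user from supervisor mode). The script parses the quoted lines, decodes Fault Code=00000001 and collects the register dump. The module-base figure assumes that "offset" is relative to the faulting module's load base, which the log line itself does not state.

```python
import re

# Constructed sample: the SoftICE load-log lines quoted in the post above.
LOG = """\
NTICE: Load32 START=73D30000 SIZE=17000 KPEB=FFA72590 MOD=wbemcons
001
Int0E Fault in SoftICE at address F2E69EF4 offset 00093C50
Fault Code=00000001
DS=0010 ES=0023 FS=0030 GS=0000 ESI=00000000 EDI=8058AE20 ESP=F3F0ECB4
EAX=00000001 EBX=F8947E20 ECX=00000000 EDX=00000001 EBP=F3F0ED08
"""

# x86 page-fault (#PF, vector 0Eh) error-code bits:
# (bit, name, meaning when set, meaning when clear)
PF_BITS = [
    (0, "P",   "protection violation on a present page", "page not present"),
    (1, "W/R", "write access",                           "read access"),
    (2, "U/S", "user-mode access",                       "supervisor-mode access"),
]

FAULT_RE = re.compile(
    r"Int0E Fault in SoftICE at address (?P<addr>[0-9A-F]{8}) offset (?P<off>[0-9A-F]{8})"
)
CODE_RE = re.compile(r"Fault Code=(?P<code>[0-9A-F]{8})")
# NAME=hex pairs as SoftICE prints them (16-bit segment regs, 32-bit general regs)
REG_RE = re.compile(r"\b([A-Z]{2,3})=([0-9A-F]{4,8})\b")


def decode_fault_code(code):
    """Map a #PF error code to a readable description of each defined bit."""
    return {name: on if (code >> bit) & 1 else off for bit, name, on, off in PF_BITS}


def parse_int0e(log):
    """Extract fault address, decoded error code and registers from a SoftICE log.

    Returns None when the log contains no Int0E fault block.
    """
    fault = FAULT_RE.search(log)
    code = CODE_RE.search(log)
    if not (fault and code):
        return None
    addr = int(fault["addr"], 16)
    off = int(fault["off"], 16)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(log)}
    return {
        "fault_addr": addr,
        "offset": off,
        # Assumption: 'offset' is measured from the faulting module's load base.
        "module_base": (addr - off) & 0xFFFFFFFF,
        "code": decode_fault_code(int(code["code"], 16)),
        "regs": regs,
    }


if __name__ == "__main__":
    info = parse_int0e(LOG)
    print(f"fault at {info['fault_addr']:08X}, assumed module base {info['module_base']:08X}")
    for name, meaning in info["code"].items():
        print(f"  {name}: {meaning}")
    print("  registers:", {k: f"{v:08X}" for k, v in info["regs"].items()})
```

    For the quoted dump this reports a supervisor-mode read that hit a present page it was not allowed to touch, which is a different failure from the "page not present" case a missing mapping would give.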

  4. #4
    A possible solution to your softice problems - it worked wonders for me anyway.

    It's avp fucking up your softice - bet you have it loaded on startup. If you don't let it run at startup, and don't run softice when it's been loaded, you might get lucky. There's an extra catch, tho, as avp loads a couple of services that you'll have to turn off manually. Search this place for "avp" or "kaspersky" - one of the threads should have details on how to change the registry, so those services will only load manually.

    Anyway, that did the trick for me and others.

    Fake

    ps. In the future, stick your "softice doesn't work"-questions in tools of our trade.

  5. #5
    Quote Originally Posted by Fake51

    It's avp fucking up your softice - bet you have it loaded on startup.
    thanks for the tip, but I don't. I also checked the registry thing earlier and could not find anything related to it starting any monitor.

    I do think I have other problems which might be similar. I noticed on my bootlog.txt file that the system is loading vxd's from my win 98 partition. Programmers get arrogant and/or stupid at times and assume everybody loads Windows in C:\Windows. It's more stupid than arrogant, however, to load vxd's from another operating system into XP. They are in different partitions.
    Then again, XP loads some of its boot files in the Win 98 partition.

    I've heard that XP doesn't deal with vxd's, but it must have a thunk system similar to what 95 and 98 had for 16 bit proggies. How else would it be able to run apps written for systems other than XP?

    ps. In the future, stick your "softice doesn't work"-questions in tools of our trade.
    I didn't want to appear arrogant. I'm closer to a newbie in many things although perhaps intermediate in others. I felt some things in my post might not be intermediate enough to post in the Tools section.

    I'll take you up on your tip to research AVP/Kaspersky on this site.

    Thanks
    Last edited by WaxfordSqueers; January 14th, 2005 at 05:19.

  6. #6
    Are you sure that you have all kaspersky services disabled or set to load manually? They only show up in the registry, not when browsing the services part of admin controls (and they still load even if avp isn't set to load automatically). Since you note that you see some references to avp I still think that this is your problem.
    Look for services under hklm/system/yadayadayada/services/k???? that don't have any description, don't have counterparts in the services app, and don't have start value as automatic, disabled or manually. Check the files in your winnt dir, they should have version infos or the likes, identifying them as kaspersky files.

    As for the forum part: It was meant as more of a suggestion, lest JMI should suddenly decide to edit your post for fun. The point was merely to divide your post in two, seeing half of it would be better put elsewhere.

    Fake

  7. #7
    Quote Originally Posted by Fake51
    Are you sure that you have all kaspersky services disabled or set to load manually?
    I'm still working on it. I renamed both the drivers that show up in the softice log (from symbol loader) and AVP seems to work without complaining. It's getting late though, so I'll probably leave it till I'm fresh lest I make a catastrophic blunder. The AVP Control Centre shows up under Administration/Services and I have it both turned off and disabled. But I'll poke through the registry anyway. Thanks. I think I might uninstall my firewall too and hopefully remember to disconnect from the internet when I do it.
    I'll check out all your tips. Thanks.
    As for the forum part: It was meant as more of a suggestion, lest JMI should suddenly decide to edit your post for fun. The point was merely to divide your post in two, seeing half of it would be better put elsewhere.
    Fake
    I'll PM JMI and ask if it's OK to advertise in both. The complexity level is about intermediate.

  8. #8
    Administrator dELTA
    It's not ok to double post, but this thread is ok for the Tools of our trade forum, I just moved it there.

  9. #9

    SI Pb

    Hi, all
    I don't know where the problem is but for sure, it's not Kaspersky. I've been using DS and KASPERSKY for many years now and never had any prob.
    For your info, I have XP SP2 corporate, KAV personal pro 5.0.1.4, DS 3.1, ZAP 5.5.0.62.

    Have you patched OSINFO.DAT for use with SP2 like it's said on the compuware site?

  10. #10
    Quote Originally Posted by LOUZEW
    Have you patched OSINFO.DAT for use with SP2 like it's said on the compuware site?
    Yes...I did it exactly as shown on their site. I've got symbol retriever working off my hard drive with the entire sym file from M$. All my NMS files are loading fine.

    I'm concerned right now about a driver conflict. I have a dual-boot system with Win 98SE on partition 1 and XP home on partition 2. I was looking at a fresh bootlog.txt for an XP startup and it's loading a lot of vxd's from the win 98 partition (eg. C:\win98\smartdrv and C:\win98\himem.sys). I find it really strange that one operating system would go into another operating system's partition and load files from it.

    This is NOT an old system which I loaded XP over. The initial intention was to load XP by itself. But I had problems with my new Intel motherboard (turned out to be a bad processor) and I loaded Win 98 fresh to see if it would load. It did load, which led me into thinking it wasn't the processor. XP would not load at all, getting to the first splash screen and freezing. Of course, when I loaded XP, I did it as a dual-boot system on partition 2. Once the processor was replaced the dual-boot worked fine so I left it. I've had no problems with it since and it's handy to have 98 and XP on the same FAT 32 drive since I can use 98 to spy on XP.

    I also had the Win 98/XP dual-boot computer networked with an older P2 Asus 440BX computer. I'm not running that system now, but I'm seeing drivers being loaded currently by XP that were for the older computer. For example, XP is loading drivers for an Asustek Broadcom NIC that has never been on my new dual-boot system. In fact, it's an on-board NIC on my P2 440BX on the old computer. The only way XP could do that is if it got information through the old network. But why would it go into another partition to do that?

    I know this is getting away from 'our tools' but it's still a problem about why softice in DS31 won't load, and maybe it will help others in the future. Does anyone have any thoughts on this other than flames?

  11. #11
    Quote Originally Posted by dELTA
    It's not ok to double post, but this thread is ok for the Tools of our trade forum, I just moved it there.
    thanks Delta.

  12. #12
    My opinion is that there are too many possible issues for it to be worth investing time troubleshooting; unless you are really keen on the subject and want to study it.

    Softice either works well or doesn't. Why it works well on some systems and not on others is rumoured to be a random process.

  13. #13
    Quote Originally Posted by doug
    My opinion is that there are too many possible issues for it to be worth investing time troubleshooting; unless you are really keen on the subject and want to study it.
    I hear what you're saying. Whereas it can be aggravating at times, I have an interest in breaking through to new ground. I have enough experience to realize it could be about something really simple that's not obvious.

    I feel like I'm close enough that giving up is not an option yet. The fact that the DOS window ice opens in does not shut down is a clue. I'm currently trying to eliminate things and reading a lot. Of course, like you say, it could be a total waste of time.

    thanks for dropping in.

  14. #14
    Quote Originally Posted by WaxfordSqueers
    I feel like I'm close enough that giving up is not an option yet.
    Feel like a bit of a dummy. It was the Sygate firewall. I say a bit of a dummy because I did follow my options relatively methodically, but there is another thread in the archives (from quetzalcoatl ....thanks Q) which specified that very remedy. After uninstalling the firewall and rebooting, everything was hunky dory. It was even peachy.

    The symptoms are as follows:

    -When ice is activated manually, a DOS window opens, and the typical Ice screen (not to be confused with Ice cream) can be seen loading in the window.

    -Under normal conditions, the DOS window closes by itself. With Sygate loaded, it doesn't close and it can't be closed, even with a kill from the task manager.

    -XP can't be shut down other than by using HBoot in ice.

    -other apps in XP slow right down, some intolerably.

    -this error message appears in a history dump:

    "Int0E Fault in SoftICE at address F2E69EF4 offset 00093C50
    Fault Code=00000001"

    -ice will appear to crash at times, with the screen breaking up like a jigsaw puzzle. CTRL-Ding out and back in again clears the screen breakup and will reveal code from NTIce which has an EB FE opcode at EIP. ie. The instruction jumps to itself. Funny enough, you can reload the app through symbol loader and it breaks happily at start of code again. And tracing is normal. The mystery is what puts the EB FE into NTIce and what reinserts the original bytes. I thought we were the only ones who did that.

    All that from a firewall. BTW...for anyone using the free Sygate firewall, the new version (5.6 build 2808) is reported to have bugs in it which Sygate have acknowledged. They claim the bugs will be removed by the next upgrade.
    Last edited by WaxfordSqueers; January 15th, 2005 at 07:36.
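    Added example (not code from the thread, from SoftICE or from IceExt) covering the EB FE listing in post #1 and the "instruction jumps to itself" explanation above: a short JMP (opcode EB) carries a signed 8-bit displacement measured from the end of the 2-byte instruction, so EB FE (displacement -2) lands back on its own address and the CPU spins there until the bytes are restored. The script parses SoftICE-style listing lines, computes short-JMP targets and flags any instruction that targets itself, which is how the frozen-debugger state described in the thread shows up in a disassembly. Only the listing format quoted in the thread is assumed.

```python
import re

# Constructed sample: the NTICE disassembly quoted in post #1, arrow included
# (the parser strips such hand-added annotations).
LISTING = """\
0008:F2D5F28F 1F POP DS
0008:F2D5F290 83C404 ADD ESP,04
0008:F2D5F293 FB STI
0008:F2D5F294 EBFE JMP F2D5F294 <---------
0008:F2D5F296 CD01 INT 01
0008:F2D5F298 CF IRETD
0008:F2D5F299 53 PUSH EBX
0008:F2D5F29A 56 PUSH ESI
"""

# seg:addr, raw opcode bytes, mnemonic + operands (SoftICE 'u' output style)
LINE_RE = re.compile(
    r"^(?P<seg>[0-9A-Fa-f]{4}):(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<bytes>[0-9A-Fa-f]+)\s+(?P<asm>.*)$"
)


def parse_listing(text):
    """Turn listing lines into dicts of address, raw bytes and disassembly text."""
    rows = []
    for line in text.splitlines():
        line = line.split("<", 1)[0].strip()  # drop "<----" style annotations
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "addr": int(m["addr"], 16),
            "bytes": bytes.fromhex(m["bytes"]),
            "asm": m["asm"].strip(),
        })
    return rows


def short_jmp_target(addr, code):
    """Target of a 2-byte short JMP (opcode EB, signed 8-bit displacement).

    The displacement is relative to the address of the *next* instruction,
    i.e. addr + 2, so EB FE (rel8 = -2) resolves back to addr itself.
    Returns None if the bytes are not a short JMP.
    """
    if len(code) != 2 or code[0] != 0xEB:
        return None
    rel = code[1] - 0x100 if code[1] & 0x80 else code[1]  # sign-extend rel8
    return addr + 2 + rel


def find_self_jumps(rows):
    """Addresses whose instruction is a short JMP back to its own address."""
    return [r["addr"] for r in rows
            if short_jmp_target(r["addr"], r["bytes"]) == r["addr"]]


if __name__ == "__main__":
    for addr in find_self_jumps(parse_listing(LISTING)):
        print(f"self-jump (EB FE) at {addr:08X}: execution spins here until "
              "the original two bytes are written back")
```

    The same check applies to any listing in this format; a self-targeting short JMP is the signature to look for when a debugger or driver appears hung at a fixed EIP.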

  15. #15
    Quote Originally Posted by LOUZEW
    Hi, all
    I don't know where is the problem but for sure, it's not Kaspersky. I'm using DS and KASPERSKY from many years now and never had any prob.
    Well, it sure was my problem. I'd say Doug is more than half right.

    Fake
