
Thread: The Softice-Won't-Work-In-XP/API-Hook-Failed!!! FAQ

  1. #16
    Kayaker
    Hehe, I'm just trying to assure the doubters that Softice doesn't necessarily suck to the max big time. Maybe I've been lucky but I've never had any major problems with it.

  2. #17
    Kayaker...how do you know all this stuff...it just ain't natural? There aren't a lot of people who can reverse softice let alone understand what's going on in the inside. You're an amazing dude.

    About driver conflicts...there are at least two threads, including one of my own (http://www.woodmann.com/forum/showthread.php?t=6751&highlight=sygate), which delve into this. The other is (http://www.woodmann.com/forum/showthread.php?t=5335&page=1&pp=15&highlight=wireless+mouse), and you might want to read that since you were involved in the thread somewhere. It would make more sense to you. Talks about netmsg.dll as related to Sygate firewall.

    One thread talked about a wireless USB mouse and we both had problems with Sygate firewall. DS 3.2 seems to have addressed the USB mouse issue. When I first loaded DS 3.1, I had all sorts of grief. I'd get the DOS box, and SI would load, but the DOS box would stay on the screen and everything would run super slow. It turned out to be the Sygate Personal firewall (the free one). Since I updated it to version 5.6 build 2808, I've had no problems. I used DS 3.1 extensively after that without a problem.

    I loaded DS 3.2 with XP and SP2 and everything worked fine right away. I haven't tested it yet but symbol retriever seems to work ok. The message seems to be that DS 3.1 upward will work fine on XP with SP2 provided there are no driver conflicts and/or the correct drivers are used (osinfo.dat and ntice.sys). DS 3.2 seems to have fixed a lot of problems related to SP2. Reminds me of the good old IRQ conflicts of days gone by.

    I realize many people are probably put off with problems that can occur when trying to load softice on XP. But I have worked in electronics and computers for years and I'm aware that very complex problems can be traced back to very simple causes. With all the drivers and crap that get loaded nowadays in Windows, that would be the first place I'd look for XP/softice issues.

    BTW...there's a new version of IceExt out (ver 0.67), which has been updated for DS 3.2. This is an excellent little proggy for hiding Ice and has other useful features, like dumping.
    Last edited by WaxfordSqueers; October 18th, 2005 at 04:32.

  3. #18
    naides
    One loose thought:
    Compuware products are intended for driver developers and system programmers (not to mention reversers), who probably would have a dedicated computer or computer lab just for writing and testing their code, so I doubt Compuware developers go out of their way to ensure Sice compatibility with all the drivers, hardware, and other crap an end user would put in his or her machine. Sice is not a consumer product.
    Last edited by naides; October 18th, 2005 at 09:17.

  4. #19
    Quote Originally Posted by naides
    One loose thought:
    I doubt Compuware developers go out of their way to ensure Sice compatibility with all the drivers, hardware, and other crap an end user would put in his or her machine.
    That's a real good point. I have visited a few forums in my searches for problems with Windows XP bugs. There is a good free app called Hijack This and another called Autoruns, from Sysinternals. These apps give you a quick glance at what is loaded at boot time.

    It blows me away how much crap people have on their machines as indicated by their postings of logs from Hijack This. I make a conscious effort to make sure nothing loads, including Trojans, except for the bare minimum I need. Just about every app you load these days sneaks an autorun in there somewhere.

    I'm sure most people in this forum are aware of the other free helpful apps like Adaware and Spybot Search and Destroy. There's also RegCleaner, a freeware app that reveals a lot of crap left over from apps in the registry.

    It's not just Softice that has problems with extraneous drivers and apps. I run audio software that is very sensitive to the number of machine cycles available to it. Real time audio depends on the amount of delay that can be afforded before an echo-like effect is heard...or a jerking/tearing of the audio. Obviously, with a time-slicing OS like XP, the more drivers competing for processor cycles the more likelihood there is of having problems. Firewalls, in particular, and virus monitors, are a big problem when it comes to recording/reproducing good audio.

    If you run another free app from good, old Sysinternals, our buddy Filemon, it's amazing to see that the firewall monitors just about every activity happening. Not only that, XP monitors activity as well. It would appear then, that the observation by Naides has great merit. Although it's a pain in the butt, it may be a good idea to dedicate a computer to reversing only.

  5. #20
    Kayaker
    Hi,

    I fully agree with naides' synopsis. Softice wasn't developed for the "I can't crack winzip while listening to mp3s and playing Quake tournament on my overclocked hot new gfx card!" type of scenario.

    Worst comes to worst, the best solution is to run it on VMware on a compatible OS version dedicated for development/reversing. Clean, efficient and BSODs don't hurt.


    A small digression, Re reversing Sice, I've been playing with that on and off for almost 5 years. Of course I've learnt from the works of Spath, TheOwl, Sten. It started with the writing of the backtrace disassembler TraceDump I released with Clandestiny. The KDextension stuff came from study of IceExt.

    The thing that's helped the most is being able to define a lot of the ntice variables and procedures, the IDA script by TheOwl being the starting point. I was able to develop a driver which allows me to live trace any of the Sice commands themselves, so having that running in VMWare in conjunction with IDA on the real system is invaluable for at least making an educated guess as to what the procedures are doing.


    The only "trick" to the driver and being able to execute a Softice command from GUI mode, is that you must replace the default command window text buffer with one of your own. The reason for this is that the very act of tracing in Softice overwrites this buffer, so immediately screws up the input string going to the command. It's *user* input that fills and modifies this buffer, and even single step tracing overwrites it with "t" for example, and the command fails miserably.

    Schrodinger's cat..


    The most basic of commands is structured as follows. bUserCommand is the default text buffer address you must replace.

    /////////////////////////////////////////////////////////////////
    // Each command uses a global command window buffer
    // Find where the buffer address is used and replace it.
    //////////////////////////////////////////////////////////////////
    /* EXAMPLE:
    .text:000A2D5E c_Be proc near
    .text:000A2D5E
    .text:000A2D5E BE A2 F7 10 00 mov esi, offset bUserCommand
    .text:000A2D63 E8 E1 71 FC FF call pSkipWord
    ...
    */

    However, the location of bUserCommand is different in every command (around 150 at last count), and there may be more than 1 occurrence or no occurrences of bUserCommand. What you have to do then is do a multilevel disassembly on the command in question, tracing into calls until the main ret is reached again, searching for offsets to patch. The easiest way to do this is to use the internal Disasm function of Sice available through WINDBG_EXTENSION_APIS (detailed elsewhere).

    Then it's just a matter of parsing the command index/name table (detailed elsewhere), passing this back to user mode and calling the command with a new modified string buffer. Of course I'd be willing to help anyone who is truly interested in such a line of study.

    Softice is an amazingly involved program that includes its interaction with cpthook.sys and other files. Sometimes I'm amazed it works at all, let alone on every system configuration.

    Cheers,
    Kayaker
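The offset search Kayaker describes above (trace into calls until the main ret is reached, looking for references to bUserCommand to patch), as an added example that is not code from the thread, IceProbe or SoftICE: a toy scan over a constructed x86 byte blob that follows CALL rel32 into callees until each RET and rewrites every MOV r32, imm32 whose immediate is the old buffer address. The addresses, bytes and the small opcode subset decoded here are all constructed assumptions; a real pass would use the Disasm function the post mentions rather than this toy decoder.

```c
/* Added example, not code from the thread, IceProbe or SoftICE.
 * Toy "multilevel" scan: follow CALL rel32 into callees until each RET,
 * patching every MOV r32, imm32 whose immediate is the old buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define OLD_BUF 0x0010F7A2u   /* stand-in for bUserCommand (constructed) */
#define NEW_BUF 0x00200000u   /* our replacement buffer (constructed)    */

/* Constructed blob, offsets relative to its start; the handler mirrors the
   `mov esi, offset bUserCommand / call pSkipWord` shape from the post. */
static uint8_t g_code[] = {
    /* 0x00 helper (role of pSkipWord): push esi; mov esi,OLD_BUF; pop esi; ret */
    0x56, 0xBE, 0xA2, 0xF7, 0x10, 0x00, 0x5E, 0xC3,
    /* 0x08 handler (role of c_Be) */
    0xBE, 0xA2, 0xF7, 0x10, 0x00,  /* mov esi, OLD_BUF              */
    0xE8, 0xEE, 0xFF, 0xFF, 0xFF,  /* call 0x00 (rel32 = -0x12)     */
    0xB8, 0x00, 0x00, 0x00, 0x00,  /* mov eax, 0: not a buffer ref  */
    0x90, 0xC3                     /* nop; ret                      */
};

/* Returns the number of patched sites, or -1 on an undecodable byte,
   an out-of-range branch, or a path that never reaches RET. */
static int patch_buffer_refs(uint8_t *code, size_t len, size_t pc,
                             uint32_t old_addr, uint32_t new_addr,
                             uint8_t *visited)
{
    int patched = 0;
    while (pc < len) {
        uint8_t op = code[pc];
        if (visited[pc]) return patched;       /* path already scanned */
        visited[pc] = 1;
        if (op == 0xC3) return patched;        /* RET ends this level */
        if (op >= 0xB8 && op <= 0xBF) {        /* MOV r32, imm32 */
            uint32_t imm;
            if (pc + 5 > len) return -1;
            memcpy(&imm, code + pc + 1, 4);    /* little-endian host assumed */
            if (imm == old_addr) {             /* found a bUserCommand ref */
                memcpy(code + pc + 1, &new_addr, 4);
                patched++;
            }
            pc += 5;
        } else if (op == 0xE8) {               /* CALL rel32: descend */
            int32_t rel; long target; int sub;
            if (pc + 5 > len) return -1;
            memcpy(&rel, code + pc + 1, 4);
            target = (long)(pc + 5) + rel;
            if (target < 0 || (size_t)target >= len) return -1;
            sub = patch_buffer_refs(code, len, (size_t)target,
                                    old_addr, new_addr, visited);
            if (sub < 0) return -1;
            patched += sub;
            pc += 5;
        } else if (op == 0x90 || (op >= 0x50 && op <= 0x5F)) {
            pc += 1;                           /* NOP, PUSH r32, POP r32 */
        } else {
            return -1;                         /* outside the toy decoder */
        }
    }
    return -1;                                 /* fell off the end, no RET */
}

/* Scan the handler at 0x08; returns the patch count (2 for this blob). */
int demo_patch(void)
{
    uint8_t visited[sizeof g_code] = {0};
    return patch_buffer_refs(g_code, sizeof g_code, 0x08,
                             OLD_BUF, NEW_BUF, visited);
}

/* Read back an imm32 from the blob to verify a patch. */
uint32_t imm32_at(size_t off)
{
    uint32_t v;
    memcpy(&v, g_code + off, 4);
    return v;
}
```

A second call to demo_patch returns 0, since the blob then holds no remaining references to the old address.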

  6. #21

    For How to Settings of Compuware DriverSuite v3.2

    I got it and installed it,
    but setting breakpoints failed,
    for example: bpx getdlgitemtexta....
    I think that SoftICE v4.05's winice.dat file is modified in Win98 with Notepad,
    but Compuware DriverStudio's ntice.dat file is not modified in WinXP with Notepad.
    How can I use Compuware DriverStudio v3.2?
    Teach me!!!
    Please~~~~
    Have a nice day...
    Thanks to everyone.

  7. #22
    Quote Originally Posted by Kayaker
    Of course I'd be willing to help anyone who is truly interested in such a line of study.
    Kayaker
    Kayaker...I appreciate the offer. I classify myself as an advanced newbie and as such would be wasting your time. I am interested in what you say about VMWare, however. I've used it on games that need to run in an older environment like Win 95, but I found it a little sluggish at times on a 2 gig Celeron with 512 Meg RAM.

    Are you referring to the Microsoft VM (2004) or VMWare itself? Also, are you running an XP emulation or running an older version of softice on an emulation of Win 98? I know there's a network available with the VM's, but how good is it? Can you communicate between the VM and the actual machine via the network, or do you hop in and out of the VM?

    My problem with respect to learning the deeper stuff is the mammoth amount of time it can take. I know a lot of you guys who do the deeper stuff are accomplished programmers in assembler and C, and some of you have taken it down to Ring 0, VxD's etc. Even though I've read a lot of theory on the Windows and Intel structure, I'm still struggling with concrete examples of how it should be applied.

    I started a few years ago, with my first big project being Quine's reversal of an original IDA dll. Because I had the time, I spent weeks at times doing nothing but reversing. As I said earlier, it's a mammoth task wading through superfluous material to get at what you want. There's so much to learn, and trying to learn it all seems to be a mistake. It spreads you too thin and you can become a jack of all trades, so to speak, and a master of none. At the same time, if you don't make it a full time job, you don't get far.

    I'd like to hear from other people and how they get around the time constraints and the learning curve. My biggest problem is perhaps trying to do too much at once, then giving up in the frustration of the magnitude of it all. Also, there's the issue of constantly changing software technology. I finally got comfortable with Win 98 and the older softice with K32, U32, etc., then along comes XP with KD Extensions and everything. Then again, I had to make the jump from 16 bit to 32 bit apps and survived.

  8. #23
    Reinstalled Windows and it's working again.. But 'set breakinsharedmods on' is an unknown variable now? Still working for someone? I know about the involved context/paging problem (thus CW doesn't recommend its use) but I'm wondering why it is disabled now (I'm sure it worked before with 3.2). Does the change come with the latest osinfo.dat?
    Last edited by Uridium; October 24th, 2005 at 15:57.

  9. #24
    Quote Originally Posted by Uridium
    Reinstalled Windows and it's working again.. But 'set breakinsharedmods on' is an unknown variable now? Still working for someone? I know about the involved context/paging problem (thus CW doesn't recommend its use) but I'm wondering why it is disabled now (I'm sure it worked before with 3.2). Does the change come with the latest osinfo.dat?
    Who's CW? I can't vouch for 3.2 because I haven't worked on it enough. But it loaded easily and it found the symbols from 3.1. I have downloaded the entire Microsoft symbol package, and I know if you play with it long enough, you can load all the symbols. Kayaker put out a blurb a while back on how to do it methodically.

    With respect to the context question, I don't know why people are making such a fuss over it. I may be all wet, but if you go back into the app you're working on (i.e. its name will show up in the softice window) and set your BP's there, there won't be a problem. If you're in a common export like Kernel32.dll you should be able to set a BP as well.

    I'm thinking of everything else as a sub-routine and my app as the main thread. For example, if my app calls K32, I see K32 as the sub-routine and it will in most cases return control to my app at some point. I realize C++ types would look down their noses at that, but till someone gives me a good reason for thinking otherwise, I'm going to use the good old main program with sub-routines. If people want to conceptualize everything into objects and containers, let 'em. Some people aren't happy until they have developed jargon that makes no sense.

    I imagine there may be situations where you need to change the context from another thread in order to set a BP. I have had success by simply returning to my main app and setting the BP there. Maybe someone with more expertise could explain what would happen with re-entrant situations. If I'm in a thread other than my own app, T1, and I set a BP in a third thread,T3, while my app is in the middle of the action, then I'd have to be very careful. I don't encounter that at all.

    I reversed an Asprotected app using 3.1 and had no context problems whatsoever. I don't see why 3.2 would be any different. In fact, 3.2 should address problems that were encountered when moving up to XP SP2.

    It bothers me to see people giving up on softice because they can't get it going in XP. If it was an issue, do you think Compuware would be keeping quiet about it? There are no problems with softice and XP SP2. Look through this thread and you'll find the answer.

    The only thing I can say about the 'set breakinsharedmods' command, is read what the command says. It says to break in shared mods. We all know what shared mods are, like K32, U32, etc. Like I said, in 3.1, I had no problems breaking in shared mods even without the command set.

    Finally, I have nothing bad to say about Ollydebug, but it works in user mode and I can't see how it can do things softice must be able to do working at Ring 0. That's why softice must be harder to setup because it digs under the operating system itself. How they accomplished that at Compuware, especially with XP, makes them look like rocket-scientists to me. It's an excellent debugger and well worth the time to get it going.

  10. #25
    Quote Originally Posted by Uridium
    But 'set breakinsharedmods on' is an unknown variable now? ---snip--- I know about the involved context/paging problem (thus CW doesn't recommend its use)
    Did some digging around and found this morsel about softice:

    ******

    Operating behavior of breakpoints in shared ring 3 modules.

    In versions of SoftICE prior to 3.0, breakpoints set in shared ring3 modules would hit according to the description as defined in the Using SoftICE book, Chapter 7, "Understanding Breakpoint Contexts." In 3.0, we changed this so that breakpoints would only hit within the context in which the breakpoints were set. For Version 3.1, we have now added a SoftICE environment variable to toggle the behavior of shared ring3 breakpoints. By default, breakpoints only trigger in the context in which they were set. To change to the pre-3.0 behavior, from the SoftICE command line, issue the command set BreakInSharedMods on. Note that all breakpoints will have to be cleared with a bc * and then reset after changing this value. For shared ring 3 module breakpoints, it is possible for your application (or another application that is sharing the module) to end up crashing. This is due to copies of the physical pages that the code pages reside on being present and SoftICE not tracking these copies. Any such ring 3's left around in memory will cause crashes. There is currently no easy workaround. One possible solution would be to issue the set i3here on command to allow for user mode int3's to trigger SoftICE, and then modify the byte in memory, replacing it with the original code byte.

    ***********

    The first part of that about BreakInSharedMods is pretty straightforward to me. In fact, I read on another board that it's better left alone. That is, don't set it. The second part is a bit baffling. It's saying to me that if I'm debugging an app that is using a module shared by another app, that the other app or the module 'might' crash. It also seems to be saying that the other app could change the code pages, and when softice goes looking for them, they're not there. How often does that situation exist, where two different apps are sharing the same mod?

    That doesn't seem a humongous issue to me...certainly not enough to stop using softice. Kayaker...if you're paddling around out there, what do you make of this? Need your expertise.

    I think this faulting/BreakInSharedMods is a red herring. I'd be willing to bet those people having trouble setting up 3.1/3.2 just haven't bothered to read all the information required to set it up. Between the docs that come with SI and what's available in this forum and others, I think there's now plenty of info to set up 3.1 or 3.2.

    That's my story, and I'm sticking to it.

  11. #26
    You don't need to tell me what breakinsharedmods is doing, I know already. I'm just curious why it's gone all of a sudden and what's responsible for that. In some cases it's very useful to have.
    Last edited by Uridium; October 25th, 2005 at 14:09.

  12. #27
    M4yH3M3d (Guest)
    I know this is my first post and please forgive me if I am a bit flaky, I have been up 36 hours working on something and I didn't want to go to sleep a few hours ago for the fear of not waking up to pick my daughter up at school.

    As far as SI goes, for RE tools even to this day I don't see its power equaled among the other tools out there. A lot of people know the risks they take when they use a kernel level debugger but I can only speak for myself, I am willing to take that risk because even though I could wind up formatting my HD because I did something haphazardly, the time it saves me over switching between IDA, OllyDbg and a dynamic mem tool is well worth it. (And believe me I have had to format 4-5 times when I first started using SI because I didn't know about nice little sites like this and the old Fravia site, which I actually read a lot of the 300 essays over there before coming here.)

    SI is not an easy program to get knowledgeable about without making mistakes; that is the process of learning some of these things. I started using SI with no knowledge of ASM, barely able to do accounting sheets in VB, but I seemed to be good or have a knack of guessing correctly more than incorrectly while I educated myself on what exactly all of the 0's and 1's were for in the computer. I'm still a nublet in many respects; I read the author of the topic's post and some of the responses probably 2-3 times before some of it sunk in. I have actually never had a problem getting the program to work on XP. I just recently started using it again after smashing my head up against the wall trying to use 3 tools at once with only 1.5 gigs of ram and not getting what I wanted out of my search. I suppose I could have tried to read more articles but I don't know an easier way and have not been successful using any other tool to get past an exe that has been Obfs! And believe me I have about 40 ways of how not to do it with the other tools.

    Anyway hopefully at some point after I read and attempt some of the things being done on this forum I will have more to contribute than just my opinion. Also probably would help if I would keep nodding off while I'm typing.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #28
    Kayaker
    Oh what strange twists and turns these threads sometimes take..
    Nope, DS3.2 no longer supports the SET BREAKINSHAREDMODS command. A look at the SET command in the Sice manual will tell you which commands it does support, and this isn't one of them. Not being thoroughly convinced, I traced the SET command with IceProbe and Sice does a string comparison on an ASCII table which doesn't have the word BREAKINSHAREDMODS in it, so of course it fails and you get the error message.

    You can't fight it if the code ain't there, but only the CW guys know why they reverted to the old method of context sensitive breakpoints.

  14. #29
    Quote Originally Posted by Uridium
    You don't need to tell me what breakinsharedmods is doing, I know already. I'm just curious why it's gone all of a sudden and what's responsible for that. In some cases it's very useful to have.
    Didn't mean to imply you didn't understand BreakinSharedMods. I couldn't get the drift of your post...what you were on about.

    Looking at your winice.log, it seems that ice can't understand the 'set' command. I would guess you have included that in Winice.dat as:
    'set BreakinSharedMods=ON'

    If you have, take out the 'set' and leave only:
    BreakinSharedMods=ON

    I think you would only use the 'set' command at the prompt in the softice window.

    Also...you have this line in your winice.log.txt:

    NTICE: KDExtensions are disabled KDHeapSize=00000000 and KDStackSize=00000000

    When I used IceExt, it prompted me to change those values in the registry at:

    HKLM/System/ControlSet001/Services/NTice

    If you highlight the NTice key, you'll see about 20 entries. Both KDHeapSize and KDStackSize are listed with zero values hopefully. If so, and they are Dwords, just change the 0x00000000 to 0x00008000 in both of them.

    If they are not even listed, you'll have to add them. Here's how they're listed in my reg:

    KDExtensions REG_SZ
    KDHeapSize REG_DWORD 0x00008000 (32768)
    KDStackSize REG_DWORD 0x00008000 (32768)

    I don't know what significance the KDExtensions entry has, but it's in mine as above.

    After that, I got an indication that KDExtensions are enabled. Voila!! Don't know what it means, but I like it.

    Also, I increased my EXP memory allocation in Symbol Loader to 1024K. I don't know what an optimum size is nowadays but I have run into problems in the past by not having enough memory allocated to exports.

  15. #30
    Quote Originally Posted by M4yH3M3d
    Anyway hopefully at some point after I read and attempt some of the things being done on this forum I will have more to contribute than just my opinion. Also probably would help if I would keep nodding off while I'm typing.
    You sound like a typical reverser...sleep-challenged.

    If you have anything to contribute, the more the merrier.
