Page 1 of 2 12 LastLast
Results 1 to 15 of 19

Thread: Softice and breakpoints revisited

  1. #1

    Softice and breakpoints revisited

    As Yogi Berra once said, it's deja vu all over again.

    OK...I've done my duty and searched the archives. There are some quirks using Softice in XP w/SP2, and I was hoping my friend in the kayak would drop by, or another Ice guru.

    The issues arising most are:

    1)the 'could not find desktop window' when using HWND by itself
    2)the 'no LDT' message when BPXing on a proc listed by the PROC command
    3)Ice not breaking on a bmsg hwnd wm_command when the addr context has been verified

    Ice works 90% of the time for me as it should. I can very seldom get a full listing of current windows, using just 'hwnd' as it used to do. I have to get the proc name using PROC, then apply HWND 'procname'. The other day, they all magically appeared with a straight HWND as they used to in older versions of softice. I have no idea what I did or what the conditions were to have that happen. It's not an addr context thing.

    I use SPYXXX occasionally to find the HWND of a window, or to find it's parent. When Ice complains about not being able to find the desktop windows, SPYXXX shows them all. If it can see them, why can't softice?

    I set a BMSG on a hwnd the other day, and it failed to go off. I brought up SPYXXX, and when I began to use the little window finder button you can slide over windows, Ice popped up with a HWND I had not asked for. It was for WM_COMMAND. I reset it with ctrl-D, and started to move the SPYXXX button over the open windows, when ICE popped up with my correct HWND and the WM_COMMAND. Of course, it was in the wrong context.

    I have verified the addr context many times, all to no avail. I have Sygate personal firewall running in the background, and I have shut it down without removing the driver. I hate to do that at this time, but it might be the only recourse. An older version of Sygate would not allow Ice to load from the desktop (DS32).

    What I'm reading in the archives is not all that informative. Can we perhaps go into this a little deeper, or does someone have softice working completely normal on XP with SP2? As I said, mine is 90% normal, and it's functional. I'm just wondering why it wont operate at 100%.

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,084
    Blog Entries
    5
    Hi Waxford,

    He also said "If you don't know where you are going, you will wind up somewhere else."

    Since it's getting a bit cold for kayaking I guess I can try to answer these..

    1)the 'could not find desktop window' when using HWND by itself

    It turns out that this appears to be a difference in how the active TEB (or TIB) is defined in Win2K and XP. Here's the behaviour I noticed:

    In Win2K, HWND by itself *will* list all the current window handles, but only if you're in the context of some user app. So if you type 'ADDR Explorer' then 'HWND' you'll get every system window handle.

    In XP however you must *break* into the context of a user app before HWND will work. For example using Loader32 to break at the start of notepad. Then you can type either 'HWND' to get all the window handles, or 'HWND notepad' to get just those from notepad. If you Ctrl-D into Sice from the desktop and try changing the ADDR context to notepad it won't work.

    Why?

    First off, check these differences: Start notepad and in Win2K type 'QUERY notepad', scroll to the very end and check the address given for the TIB. It should be 0x7ffdE000. Now do the same in XP, it will probably be 0x7ffdF000.

    Maybe if you use a dll injection loader which creates its own thread, you'll notice notepad now has 2 entries for the TIB, one at 0x7ffdF000 and one at 0x7ffdE000, one for each thread. Type 'ADDR notepad' and 'HWND' and now it should work.

    In the same vein, if you were to Ctrl-D into Sice and type 'ADDR explorer' then type 'HWND' it should also work. Why? Because explorer already has several active threads and the TIB entry for 0x7ffdE000 is valid.


    What's so special about the TIB entry at 0x7ffdE000? The ugly explanation..

    I broke out IceProbe which as I mentioned before I wrote to manually trace into Softice commands. I selected 'HWND' and began to trace and it led me to the TEB->Win32ClientInfo structure. Surprisingly I could find no information on the definitions of TEB->Win32ClientInfo, a list of long pointers beginning at TEB offset 0x6cc.

    Code:
    kd> dt _TEB
       +0x000 NtTib            : _NT_TIB
    ...
       +0x6cc Win32ClientInfo  : [62] Uint4B
       +0x7c4 glDispatchTable  : [233] Ptr32 Void
    In Win2K at least, the TEB/TIB has the static address 0x7ffdE000, so Win32ClientInfo is always at offset 0x7ffde6cc. In XP you'll notice this isn't always the case if you try the 'QUERY' experiment I mentioned above.

    Now onto how Sice uses it.. Within the HWND command is the following code snippet which tries to find one of the Win32ClientInfo fields at the absolute address of 0x7ffde6e4. If it can't find it, the code leads to the 'could not find desktop window' error message. If for any reason the TIB is not valid, either because you're in a system context and it doesn't exist/is paged out, or because it's not currently located at address 0x7ffdE000, the code won't find Win32ClientInfo and will fail.

    Code:
    :0004EC5C                 call    GetOSMajorVersion
    :0004EC61                 cmp     eax, 4          ; Win2K and above = 5
    :0004EC64                 push    edi
    :0004EC65                 jnz     short loc_4EC6E
    :0004EC67                 push    7FFDE05Ch       ; TEB.Win32ClientInfo field for Win9x/Me
    :0004EC6C                 jmp     short loc_4EC73
    :0004EC6E ; ---------------------------------------------------------------------------
    :0004EC6E
    :0004EC6E loc_4EC6E:                              ; CODE XREF: _c_Hwnd_Sub1+F5
    :0004EC6E                 push    7FFDE6E4h ; TEB.Win32ClientInfo field for Win2K and above
    :0004EC73
    :0004EC73 loc_4EC73:                              ; CODE XREF: _c_Hwnd_Sub1+FC
    :0004EC73                 call    RetrieveWin32ClientInfoValue
    As to exactly what the Win32ClientInfo field at offset 0x7ffde6e4 is I'm not sure. It seems to be an address such as 530650h. Sice then gets another value/address from it at offset +8 and uses it in outputting all the window handles. I assume it's accessing a kernel handle table at some point.

    I'd like to know more about the Win32ClientInfo fields, they may point to an interesting kernel structure or two..

    In any case, if you play around a bit you should be able to confirm that when you are in a user context, AND there is a valid TIB situated at 7FFDE000h, then 'HWND' should work. Probably the best way to ensure this is just to switch the context to the always present Explorer and use the command from there.


    I'm not sure about the other problems. The 'No LDT' msg isn't new but I'm not exactly sure what you're doing to get it. As for the bmsg problems, a simple 'BMSG <hwnd> 111' seems to work OK for notepad wm_command at least. Perhaps you're problem was related to the HWND problem in some manner.

    Cheers,
    Kayaker

  3. #3
    Hey Kayaker...thanks for your in-depth response.

    This little problem is beginning to drive me daft.

    Quote Originally Posted by Kayaker View Post
    In XP however you must *break* into the context of a user app before HWND will work....snip...Start notepad and in Win2K type 'QUERY notepad'...snip...in XP, it will probably be 0x7ffd000.
    tried what you suggested. A 'query notepad' returned 7FFDF000 with TIB (E0). Tried a "hwnd explorer' and all the Windows appeared. Then I began to monkey around with the DEX command to setup a couple of data window for ds:esi and es:edi. Thinking I'd had enough of manually entering them each time, I set up a persistent macro, which didn't work. So I rebooted to see if that would help.

    After reboot, nothing worked. I tried 'hwnd explorer', making sure it was in the right context with an 'addr explorer', and got the old 'can't find a desktop window'. Tried 'addr notepad' + 'hwnd notepad'...same thing. Monkeyed around some more...don't know what I did...and suddenly 'hwnd explorer' worked, but not 'hwnd notepad'. Tried a couple of other processes with hwnd, and even hwnd by itself...same problem.

    The other day, I was fiddling with Silver's DX crackme, when hwnd started working by itself. All windows appeared. I am using IceExt, and I don't know if that's an issue, but I've tried loading Ice with it and without it, and used both !protect on and off. Same problem.

    That's when I noted the 'no LDT' error message last. I was trying an addr on dinput8, a directx module. If I use the exp command in Ice, I get about 5 exports listed under Dinput8. In fact, I am using NMS files to load the exports, including one recently made from a pdb file directly from Micro$oft.

    I can't recall exactly the command I was applying to dinput8, it was either a hwnd or an addr. It only returned 'no LDT'. Here's what the manual says:

    ***Win32 applications and drivers do not use LDT selectors. When a Win32
    process is active, the Intel CPU’s LDT register is NULL. In this case, the
    SoftICE LDT command gives you a No LDT error message. When a VDM or 16-bit WOW process is active, a valid LDT selector is set, and it comes from this GDT selector. During a process context switch, LDT selector information within the kernel process environment block (KPEB) is poked into this selector to set the appropriate base address and limit.***

    so, if I type in LDT with a 32 bit app loaded, it returns the error 'no LDT'. Why is softice returning that error message in relation to a command involving Dinput8? That question is more rhetorical than anything, I don't expect you to have the answer.

    With regard to the BMSG command, I can get it and the BPX command working 90% of the time. In fact, I usually break into an app using the loader and use the 'G address' command a lot. It never fails.

    The app I was working with the other day uses an installation setup from Inno. I think it's OK to use that name in this context. The installation comprises one setup file, setup.exe. and a huge bin file which is compressed with the same compression as 7.zip. Everything goes swimmingly till one data file is being decompressed, when the installer pops up an error message that an access violation has occured at such and such an address with a READ of such and such.

    When I try to BMSG hwnd WM_COMMAND on the message box, Ice does not pop up. If I bring up SPYXX and apply it's window finder button, Ice pops up immediately, but the hwnd is wrong. If I move the SPYXX button around, then Ice pops up with the right hwnd, before I've had a chance to hit the OK button. That strikes me as being weird, but it may be related to a conflict between Ice and SPYXX.

    I am checking another possibility. The setup.exe file seems to create an image of itself in a temp directory. Maybe that's the file I need to BMSG on.
    Last edited by WaxfordSqueers; November 13th, 2006 at 17:59.

  4. #4
    Kaolin
    Guest
    Quote Originally Posted by Kayaker
    I'd like to know more about the Win32ClientInfo fields, they may point to an interesting kernel structure or two..
    Does that help?

    Code:
    typedef struct _CLIENTINFO {
    	DWORD		CI_flags;			   
    	DWORD		cSpins;
    	DWORD		dwExpWinVer;
    	DWORD		dwCompatFlags;
    	DWORD		dwTIFlags;
    	PDESKTOPINFO	pDeskInfo;
    	ULONG		ulClientDelta;
    	struct tagHOOK	*phkCurrent;
    	DWORD		fsHooks;
    	CALLBACKWND	CallbackWnd;
    	DWORD		dwHookCurrent;
    	int		InDDEMLCallback;
    	HANDLE		hDdemlCallbackInst;
    	PCLIENTTHREADINFO   pClientThreadInfo;
    	DWORD		dwHookData;
    	DWORD		dwKeyCache;
    	BYTE		afKeyState[CBKEYCACHE];
    	DWORD		dwAsyncKeyCache;
    	BYTE		afAsyncKeyState[CBASYNCKEYCACHE];
    	BYTE		afAsyncKeyStateRecentDown[CBASYNCKEYCACHE];
    	WORD		CodePage;
    	HKL		hKL;
    	BYTE		achDbcsCF[2]; 
    	MSG		msgDbcsCB;	
    } CLIENTINFO, *PCLIENTINFO;
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Quote Originally Posted by Kayaker View Post
    In XP however you must *break* into the context of a user app before HWND will work. For example using Loader32 to break at the start of notepad.......
    Kayaker...I skimmed over this part, but went back and checked it. M$oft seems to have diddled Notepad. I got a EULA when I tried to load it from Ice loader and it wont break at the entry point. Tried modding PE header with Lord PE and bpx'ed on getmodulehandle, etc., but it wouldn't break. Have little patience for Bill's games, so I used an app I know will break.

    My app broke at the entry point, but there's no way. No matter what I do, the hwnd alone gives me the annoying message about not being able to find a desktop window. The addr context makes no difference. I can bpx on exports or addresses all over the place no problem. At one point, I tried the 'task' command alone and got the 'no LDT'.

    I dumped the softice driver and found the message to do with not being able to find the desktop window. They are pushing a value a little before the message that is pretty close to the value you mentioned for the tib using query notepad. Is there a chance this version of the driver may be pointing to the wrong address?

    4EC6E push 7FFDE6E4h <---close to tib you gave for XP
    4EC73 call sub_749DE
    4EC78 cmp eax, edi
    4EC7A jz short loc_4EC8F <---- jmp
    4EC7C push edi
    4EC7D push 8
    4EC7F push eax


    4EC8F push 0Bh
    4EC91 lea eax, [ebp+arg_0]
    4EC94 push eax
    4EC95 lea eax, [ebp+var_10]
    4EC98 push eax
    4EC99 mov [ebp+arg_0], edi
    4EC9C call sub_4599E
    4ECA1 test eax, eax
    4ECA3 jz short loc_4ED09 <-----jmp to message
    4ECA5 cmp [ebp+var_10], edi
    4ECA8 jz short loc_4ED09 <-----jmp to message
    4ECAA push edi
    4ECAB push 40h
    4ECAD push [ebp+var_10]
    4ECB0 call sub_74A0E
    4ECB5 mov esi, eax
    4ECB7 cmp esi, edi
    4ECB9 jz short loc_4ED09 <-----jmp to message
    4ECBB test byte ptr [ebp+arg_4], 2
    4ECBF jnz short loc_4ECC6
    4ECC1 call sub_4E17D


    4ED09 ; sub_4EB70+138 ...
    4ED09 push offset aUnableToFindAD ; "Unable to find a desktop window"
    4ED0E call sub_11ACB
    4ED13 jmp short loc_4ED2F
    Last edited by WaxfordSqueers; November 14th, 2006 at 03:08.

  6. #6
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,084
    Blog Entries
    5
    Quote Originally Posted by WaxfordSqueers View Post
    4EC6E push 7FFDE6E4h <---close to tib you gave for XP
    That was sort of the point of my post - since Softice uses a static hardcoded address of 0x7ffde6e4, if the current TIB isn't situated at 0x7ffdE000 then the function will fail.

    I don't know why in XP the TIB is sometimes at 0x7ffdE000 and sometimes it's at 0x7ffdF000. It seems to depend on the context, maybe it's even a bit variable.

    As you've indicated and I noticed too, sometimes HWND would work, and then under what you think is the same conditions, it doesn't work. At that point in time, check the TIB address, that should indicate whether it will work or not. In fact, you can simply display the address 0x7ffde000, if it's paged out HWND will fail, guaranteed.

  7. #7
    Quote Originally Posted by Kayaker View Post
    I don't know why in XP the TIB is sometimes at 0x7ffdE000 and sometimes it's at 0x7ffdF000. It seems to depend on the context, maybe it's even a bit variable.
    thanks for reply, Kayaker. I didn't see what you made obvious. The 0x7ffde6e4 is based at 7ffde000. If I change that address in the driver to 7ffdf6e4, would that fix it? I'm a bit leary about altering drivers, and to do it, I'd probably have to rename the driver, and replace it from my Win 98 partition. Of course, I could find the module in memory and try a tweak there.

    I also noticed there's a range in the tib listing under 'query', and it's always a range of 0 for notepad.

    Quote Originally Posted by Kayaker View Post
    In fact, you can simply display the address 0x7ffde000, if it's paged out HWND will fail, guaranteed.
    that is a problem. It was paged out once and I tried to pagein, only to get a crash. Is there another way to page it in? Or is there a reason it's paged out? I'm thinking I might have been using an app that uses the tib base at 7ffde000, if that's possible, when the hwnd worked. I'll keep an eye on it.

    There's another possibility that maybe my ice driver is a Win 2k version. As you know, to get DS32 working, you have to change some files, and I don't recall if I changed the driver. I have two versions in my driver directory: 4.3.2.2485 and 5.1.2601.0. The 4.3.2.2485 is active while the other is renamed.

    Another thing that just occured to me. I reloaded XP recently (a repair install) and it may have overwritten my osinfo files. I'll check.

  8. #8
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,084
    Blog Entries
    5
    I wouldn't alter the driver to change that hardcoded address, it would serve no purpose. The problem is the variability of the TIB base address. I can't explain the variability, just that it seems to exist and effects whether HWND will work or not. And you won't be able to pagein what doesn't exist..

    >> I'm thinking I might have been using an app that uses the tib base at 7ffde000,

    Exactly

  9. #9
    Quote Originally Posted by Kayaker View Post
    I wouldn't alter the driver to change that hardcoded address, it would serve no purpose.
    Here's something that might tickle ya. I found the app that allows me to have every hwnd I need. It was Silver's DirectX crackme.

    I don't want to give any secrets away that might affect the outcome of Silver's crackme, but I'm sure he'd forgive a few indiscretions aimed at furthering the cause of Ice research.

    Anyway, if you d/l the crackme, and fire it up, it's kinda neat in itself. Getting Ice to break is a bit tricky, however. You have to be sure any graphic accelerators are turned off, or in my case (NVidia 6200) down to the first notch in Display settings/Advanced/Troubleshooting. Then you can control-D in to Ice.

    Right away, a hwnd gives me all the windows. What gives? A query on the handle of Silver's crackme doesn't list a TIB, rather a Stack(8c) in the range 30000 - 12f000. Hmmmm...could Silver be up to some evil-alley tricks? We'll have to hold him down and force it out of him.

    You might also notice that the softice video display is now altered. I'm sure that has something to do with the competition between the Ice video driver and the DX rendering. Does that maybe have something to do with the hwnd's suddenly appearing? It's above my head. It's over to you, good guru of the North.

  10. #10
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    I don't know why in XP the TIB is sometimes at 0x7ffdE000 and sometimes it's at 0x7ffdF000. It seems to depend on the context, maybe it's even a bit variable.
    all tib teb and peb all are variable in xp its not mapped to same address
    its some random address and it almost maps from 7ffda000 to 7ffdf000

    it was constant in w2k

    a blog entry in opnrce which talks about it
    https://www.openrce.org/blog/view/44

  11. #11
    I found the app that allows me to have every hwnd I need. It was Silver's DirectX crackme
    Um, yup, I just forgot to add a note about that in the readme - "This crackme also fixes sice problems"

    Well hey if you can't claim credit for totally unintentional side-effects, what's the point in doing anything! I have absolutely no idea why my crackme would affect sice in this way...

    Great to hear someone's attacking my crackme, I haven't heard much activity on it yet. Indiscretions ahoy:

    You have to be sure any graphic accelerators are turned off,
    Just one note about this. I totally forgot this would be a side-effect of how I coded the crackme. My original intention was to really force people to figure out how to get (for example) Olly to break and work correctly with a fullscreen DX app. I've discussed this before so rather than spoil the crackme the search feature is at your disposal. Anyway after I coded the first version I realised that I needed to add at least some caps checking to the code otherwise it probably wouldn't load on a significant percentage of machines.

    So by doing this you're actually forcing the code to fall back to a backup mechanism (for the technically minded, it switches between HAL, SW and REF rasterisers and HW or SW vertex processing).

    Anyway, fair dues, you figured a way round the first issue and for reversers that's just as good a solution as any, but if you'd like to specifically expand on your DX cracking experience (doing the sightseeing, as I put it, rather than just beating it) you can always go back and attempt to patch your way around the problem without altering your driver settings.

    I'll stop hijacking your thread now
    Last edited by Silver; November 14th, 2006 at 15:06.
    Still here...

  12. #12
    Quote Originally Posted by Silver View Post
    I'll stop hijacking your thread now
    no problem...hijack away. There are a lot of issues I've stumbled across in Ice trying your crackme. For example, I'm having trouble getting Directx functions to list, or other functions that might help me trap the mouse and keyboard input.

    I find function names listed due to my nms files that softice doesn't seem to know about, even thought it lists them as exports. I could give you a specific function if you like but it might compromise your crackme.

    BTW...I spoke too soon with regard to your crackme being different. It is in many ways, but I'm back to the same old, same old. At first, on initially breaking into the crackme, I got all hwnd results on everything. After playing a while, it was back to the no desktop window bit.

  13. #13
    Quote Originally Posted by blabberer View Post
    a blog entry in opnrce which talks about it
    https://www.openrce.org/blog/view/44
    thanks for info Blabs. There's one url at your posted URL with an article by Matt Pietrek, who once worked for Noo Mega. I'm wondering if I should ask him to fix the Ice driver now that Compu-where?? is defunct. I've communicated with Matt before, he's a pretty nice guy. He was also a pioneer in the modern Windows reversing era, calling it spelunking.

  14. #14
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,084
    Blog Entries
    5
    Quote Originally Posted by Kaolin View Post
    Does that help?

    Code:
    typedef struct _CLIENTINFO {
    	DWORD		CI_flags;			   
    	DWORD		cSpins;
    	DWORD		dwExpWinVer;
    	DWORD		dwCompatFlags;
    	DWORD		dwTIFlags;
    	PDESKTOPINFO	pDeskInfo;
    Thanks Kaolin,

    Yes that does help. Though it does raise just as many questions
    Most of those substructures and variables are not particularly defined either, whether you check ReactOS, Wine, various header files or even "leaked" code. It's not surprising though since any of these structures can change at a moments notice, so it doesn't really matter. The only define that is important is the one of the OS you happen to be working on at the moment.

    For example, I'm quite happy that the Win32ClientInfo(CLIENTINFO) pointer that Softice retrieves at TEB+0x6e4 is called PDESKTOPINFO. I can find no clear define for a "DESKTOPINFO" structure, but Sice checks a second pointer at offset +8 of this structure, and this points directly to another structure which visibly lists the primary "Desktop" window, showing it's Class, Handle and Name, and matches the 'HWND' command output. With enough effort one could probably figure out at least some of the relationships and linkages between these various structures. Good enough!

    However, just to make the point, in the CLIENTINFO structure you showed, which would be at TEB+0x6cc, PDESKTOPINFO is the 6th DWORD, (or at offset TEB+0x6e0), but according to how Softice defines it, it should be the 7th DWORD (at offset TEB+0x6e4). Again, it doesn't matter if it doesn't match up exactly, the information is still helpful.

    Regards,
    Kayaker

  15. #15
    Kaolin
    Guest
    Quote Originally Posted by Kayaker View Post
    Thanks Kaolin,

    Yes that does help. Though it does raise just as many questions
    Most of those substructures and variables are not particularly defined either, whether you check ReactOS, Wine, various header files or even "leaked" code. It's not surprising though since any of these structures can change at a moments notice, so it doesn't really matter. The only define that is important is the one of the OS you happen to be working on at the moment.

    For example, I'm quite happy that the Win32ClientInfo(CLIENTINFO) pointer that Softice retrieves at TEB+0x6e4 is called PDESKTOPINFO. I can find no clear define for a "DESKTOPINFO" structure, but Sice checks a second pointer at offset +8 of this structure, and this points directly to another structure which visibly lists the primary "Desktop" window, showing it's Class, Handle and Name, and matches the 'HWND' command output.
    No problem. You seem very helpful to others so I'm just returning the compliment if I can.

    Of course your correct regarding the consistency of these low level structures between windows OSís however we must also be aware that, though these structures change, their change is usually more evolutionary than revolutionary.

    PHP Code:
    typedef struct _DESKTOPINFO {
        
    PVOID            pvDesktopBase;
        
    PVOID            pvDesktopLimit;
        
    struct WND        *spwnd;
        
    DWORD            fsHooks;
        
    struct HOOK        *aphkStart[CWINHOOKS];
        
    struct WND        *spwndShell;
        
    PPROCESSINFO        ppiShellProcess;
        
    struct WND        *spwndBkGnd;
        
    struct WND        *spwndTaskman;
        
    struct WND        *spwndProgman;
        
    int            nShellHookPwnd
        struct WND        
    **papwndShellHook;
        
    int            cntMBox;
    DESKTOPINFO, *PDESKTOPINFO
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. +Splaj Awave tutorial revisited.
    By WaxfordSqueers in forum Malware Analysis and Unpacking Forum
    Replies: 11
    Last Post: February 3rd, 2005, 01:20
  2. Softice 4.05 breakpoints
    By tee_bag in forum Tools of Our Trade (TOT) Messageboard
    Replies: 3
    Last Post: May 31st, 2004, 14:42
  3. Softice 4.05 breakpoints
    By tee_bag in forum The Newbie Forum
    Replies: 0
    Last Post: May 24th, 2004, 18:47
  4. Softice breakpoints sometimes leave nasty int 3 !?
    By MrSmith in forum Tools of Our Trade (TOT) Messageboard
    Replies: 7
    Last Post: December 9th, 2001, 06:07
  5. DEBUG using Softice: Softice look for abort.c atoi.c etc... (Win32 console program)
    By lsteo2 in forum Advanced Reversing and Programming
    Replies: 1
    Last Post: January 15th, 2001, 03:23

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •