softice commands removed or changed ?


Elenil
October 2nd, 2008, 19:24
I changed to Driver Studio 3.2 and found major problems with it

problem 1: the operator "!" seems to be removed when BPX is used with a register like EAX, ESP etc. (example: bpx GetDlgItem if esp!=001200ff)

problem 2: when ReadProcessMemory is used on an application and the read size is bigger than 7 pages, softice doesn't show up with its breakpoints (only tested with 7 pages, don't know if fewer pages also work)

/*
problem 3: on a d3d7, d3d8, d3d9 or OpenGL application that runs in fullscreen, softice causes a BSOD (windowed works)

I tried to disable "Trap NMI", "mapping of non-present pages", "Pentium support"

after this it doesn't cause a BSOD but the screen freezes (same happened with Trap NMI only)
the screen freezes and softice is not shown but you can do ctrl+alt+del (which made me think maybe a page fault happened or enabled i3here) but then I turned everything off (faults off, i3here, i1here + zap), still no luck
*/


I'm sorry if I partly double post but I didn't find solutions for the problems I showed above

anyone has solutions to these 3 problems?

esther
October 2nd, 2008, 21:45
*problem 1: the operator "!" seems to be removed when BPX is used with a register like EAX, ESP etc. (example: bpx GetDlgItem if esp!=001200ff)

There's no operator "!" when using this command

http://www.woodmann.com/crackz/Tutorials/Siceinst.htm

There might be some changes in DS 3.2, I'm not so sure though.

you can only see the "!" after bpx which is
bpx user32!getdlgitem.... when you do a breakpoint list

Someone might answer other questions

Elenil
October 3rd, 2008, 18:17
on SoftICE 4.0.5 it has this operator for BPX. It's kinda useful when you set it on an API that is called by some system files; the stack is mostly different if it is called from elsewhere (DeviceIoControl is often called, for example) or registry APIs

I'm not sure, but if I remember correctly it even was possible to read a parameter of a function or a variable from an address; can't get this to work on DS 3.2
the tutorial you gave me has a good example for that:
BPX RegQueryValueExA IF *(ESP->8) == 'Regi'

but try it on DS 3.2, it doesn't wanna work, error msg again

also the HWND command on DS 3.2 seems to be buggy, it mostly says "Unable to find a Desktop Window"



I really don't understand why the new softice lost so much functionality

deroko
October 3rd, 2008, 18:52
hm, the problem with BSOD and nvidia cards I've experienced for the first time when I was watching some movie, and, dunno why, UnhandledExceptionFilter was called, which resulted in softice being called (faults on) and I received a BSOD. Can't remember if this happened on my ATI HD 2100, probably it did

On the other hand, with intel gfx I don't have these problems on my laptop, so I assume that new drivers for those gfx cards cause the problem; also I don't remember receiving these kinds of BSOD on the mentioned nvidia gfx with default drivers (installation CD, probably were some ancient drivers, as I have had nvidia gfx since 2002).

Regarding hwnd, you are right, it doesn't work, dunno why, nor was I ever interested in finding out. But if you are interested in how it should work, you may use Kayaker's IceProbe to trace softice, and probably you will be able to figure out why it doesn't work, and eventually make a patch for sice

Kayaker
October 3rd, 2008, 22:04
1. The != operator, as in "not equal to" should work. Leave a space between the register and the "!" symbol, else it will read it as "esp!"


2. ReadProcessMemory? Can you describe the problem completely?


3. Probably like deroko says, nvidia drivers are notorious for giving problems with Softice it seems.
Softice running under VMWare usually doesn't give display problems.


4. "->" operator disappeared in DS3.2.
Yeah, I grumbled about that for years, it was a nice shorthand for 'contents of pointer at'.

Just write it differently
esp->8
=
*(esp+8)



5. The HWND issue. Thanks for the promo deroko. I looked into that a couple of years ago with Iceprobe and reported the findings:

Softice and breakpoints revisited
http://www.woodmann.com/forum/showthread.php?p=62332#post62332


It's because the value of NT_TIB (or TEB) is variable in XP. In Win2K it was always at 0x7ffdE000. The problem is that the HWND command *still* looks for this absolute address though, therefore the command fails, as you mentioned, _sometimes_. Use the QUERY command to check your value of the TIB and you'll see it varies sometimes. If you happen to be in the right thread context HWND should work.


Softice code: the "Unable to find a Desktop Window" error occurs when accessing a field in the Win32ClientInfo structure.

Code:

:0004EC5C call GetOSMajorVersion
:0004EC61 cmp eax, 4
:0004EC64 push edi
:0004EC65 jnz short loc_4EC6E
:0004EC67 push 7FFDE05Ch ; Hardcoded TEB.Win32ClientInfo offset for Win9x/Me
:0004EC6C jmp short loc_4EC73
:0004EC6E ; ---------------------------------------------------------------------------
:0004EC6E
:0004EC6E loc_4EC6E: ; CODE XREF: _c_Hwnd_Sub1+F5
:0004EC6E push 7FFDE6E4h ; Hardcoded TEB.Win32ClientInfo offset for Win2K and above
:0004EC73
:0004EC73 loc_4EC73: ; CODE XREF: _c_Hwnd_Sub1+FC
:0004EC73 call RetrieveWin32ClientInfoValue



I had thought about a patch and figured it would require inputting the correct TEB address, as well as modifying the bytes of that push statement to a suitable instruction. As well as assuming the Win32ClientInfo structure wasn't modified for XP!


In retrospect, this is a *really* bad error that was never picked up by the final release version of ntice.sys.


The QUERY command shows there are individual mem allocations for the TEB, one for each thread of a process. It sort of sounds like in Win2K and before the OS copied a thread's TEB on a context switch into the absolute address 0x7ffdE000.
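A small helper, added here as an example (it is not from the thread and not SoftICE's own parser), that rewrites the SI 4.0.5-style command lines from points 1 and 4 into the form DS 3.2 accepts: it expands the dropped "esp->8" shorthand to "*(esp+8)" (chained "->" as well) and spaces out a glued "esp!=" so it is not read as a module!symbol. The token grammar is an assumption made for this example.

```python
import re
# Added example, not SoftICE's own parser: rewrites SI 4.0.5-style BPX/BPM
# lines into the form DS 3.2 accepts, following the thread:
#   esp->8         becomes  *(esp+8)        (the "->" shorthand was dropped)
#   esp!=001200ff  becomes  esp != 001200ff (glued "esp!" reads as module!symbol)
# The token grammar here is an assumption made for this example.
TOKEN = re.compile(r"->|[=!<>]=|'[^']*'|[\w.]+|\S")

def _is_operand(e):
    """True for an element that can be the left side of '->' or of a binary op."""
    return e != "*" and e.lower() != "if" and (e[0].isalnum() or e[0] in "(*'")

def _parse(tokens, i, depth):
    """Consume tokens up to the matching ')' (or the end), folding base->off.
    Only a single-token offset is supported (esp->8, not esp->(a+b))."""
    out = []
    while i < len(tokens):
        t = tokens[i]
        if t == ")":
            if depth == 0:
                raise ValueError("unbalanced ')'")
            return out, i + 1
        if t == "(":
            inner, i = _parse(tokens, i + 1, depth + 1)
            out.append("(" + _join(inner) + ")")
            continue
        if t == "->":
            if not out or not _is_operand(out[-1]) or i + 1 >= len(tokens) or tokens[i + 1] in "()":
                raise ValueError("'->' needs base->offset")
            out.append("*(%s+%s)" % (out.pop(), tokens[i + 1]))
            i += 2
            continue
        out.append(t)
        i += 1
    if depth:
        raise ValueError("missing ')'")
    return out, i

def _join(elems):
    """Space-separate elements, but glue a unary '*' and a module!symbol '!'."""
    s, glue, prev = "", True, None
    for e in elems:
        s += e if (glue or e == "!") else " " + e
        glue = e == "!" or (e == "*" and not (prev and _is_operand(prev)))
        prev = e
    return s

def to_ds32(command):
    """Rewrite one SoftICE command line (e.g. a BPX with an IF clause) for DS 3.2."""
    elems, _ = _parse(TOKEN.findall(command), 0, 0)
    return _join(elems)
```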

naides
October 4th, 2008, 06:56
That's what I was going to say. . . EXACTLY what Kayaker wrote.


Any further Questions?

deroko
October 4th, 2008, 08:26
Quote:
[Originally Posted by Kayaker;77268]Thanks for the promo deroko


You are welcome

ah, so we can basically make a patch (push xxxxxxxx replaced with jmp) which would read the 0x3B selector, add 0x6CC to it and push onto the stack, and go back? If win32clientinfo didn't change we might even get this thing to work on XP

Elenil
October 4th, 2008, 21:18
first I have to thank you all for your answers, especially Kayaker. I give you more information about the ReadProcessMemory problem

/*
see this example code:
ReadProcessMemory(handletoprocess, 0x00470000, TESTARRAY, 0x7000, 0);
TESTARRAY is just my array that will receive the values
take a look at the 0x7000, the size to read

when you set a small value like 0x40 softice shows the moves in ring0
if it's 0x7000 (don't know what size is required to make it not work) BPMs don't work, just nothing happens

let's say we do a BPM on 00470008, then nothing will happen!
if we set a BPM on 00470000, in ring0 I see it's moving the virtual address to another place
then makes a calculation to increase:
add ECX,00001000
and ECX,FFFFF000
mov [someplace],ECX

which moves by 1 page size

but the direct data move doesn't break in softice, as I wrote with the 00470008 example
*/

if you want I can give you the applications where these problems happen

as to the nvidia driver problem, I can't fix it; even the oldest driver available (for my 6600) on nvidia.com still causes a BSOD

here's the list with all nvidia drivers released:
http://www.nvidia.com/object/winxp-2k_archive.html

Elenil
October 10th, 2008, 06:27
still no solutions for the other problems?
I found a new one
I can't use the command
"set BreakInSharedMods on"
it gives me a msg: Set variable not found

deroko
October 10th, 2008, 19:14
http://bbs.pediy.com/archive/?t-5589.html so it seems that this variable is not needed anymore, as sice will always break when you set bpx; if you want to limit it to a specific process/thread, type bpx.p/.t

Kayaker
October 10th, 2008, 21:48
I have no idea about the first problem. Frankly I had never considered such a situation.

I see two scenarios as to what you're doing:

1. You are "standing" in the context of Process B and set a BPM rw on say 470000. Then you F5 and let it run. If Process A has the ReadProcessMemory call, then BPM may break.

2. You are "standing" in Process A just before the ReadProcessMemory call, switch the context with ADDR to Process B and then set the breakpoint on the selected address, and let it run.

But in both cases - will the BPM break and in what context and on what instruction?

BPMs are very context sensitive and are often only "1-shot deals" once you break out of context. They often need to be deleted and reset again in the proper context to make them work a second time.

I can't recall ever setting a breakpoint on ReadProcessMemory in that manner, so I can't confirm if it should work or not.



IF you feel you are doing everything right and sometimes get the breakpoints hitting as you expect, then maybe it is a paging issue.

This is just a guess but, you could test this by displaying each of the 7 pages with the D command (in the proper context of course). If any of the addresses are paged out (has ???????? in the display window), then use the PAGEIN command to page it in. Then try your BPM and see if it works.

ReadProcessMemory may "touch" each page to page it in if necessary before reading it, whereas Softice doesn't do this by default. This is why you sometimes see ???????? for pages which haven't been executed or accessed yet and on which breakpoints may fail. This is also why the IceExt !dump command fails when dumping a large image - 1 or more of the pages requested are paged out (this can be solved by using the PAGEIN command where needed before dumping).




SET BreakInSharedMods - does the manual show that this SET variable still exists? No it doesn't, deal with it

If you must know,..

http://www.woodmann.com/forum/showthread.php?p=48292#post48292

Elenil
October 11th, 2008, 12:00
at last I solved this problem differently by doing this:
I hooked ReadProcessMemory with a breakpoint and checked if it had my address + enough size to read it, then I set a breakpoint on the buffer that receives the data

but this isn't a good solution

I'm a newbie with DS3.2 and only used SI 4.0.5 till now
but I'm sure with breakpoints on an address in a specific process, if ReadProcessMemory (or something else) happened, softice always showed the "mov"s
that's why I thought breakinsharedmods might help

atm the bigger problem is still that SI crashes on fullscreen of opengl/d3d games, and only on fullscreen. I got a tool to make some games windowed (DXWnd), but like the problem above this is not a good solution, doing it in this way
also the driver that comes with my card gives me a BSOD
I got an older card, I remember it worked on fullscreen, but like the problem above again it's not a good solution

deroko
October 12th, 2008, 09:19
I know that it's a huge problem, but newer nvidia drivers simply kill softice. I've used old nvidia drivers < 6x or it was 6x, can't really remember as I don't have a desktop machine anymore, and those worked flawlessly with full screen

WaxfordSqueers
October 19th, 2008, 20:01
Quote:
[Originally Posted by Kayaker;77268]Probably like deroko says, nvidia drivers are notorious for giving problems with Softice it seems.
Softice running under VMWare usually doesn't give display problems.


Kayaker...I've been using an NVidia 6200 with different drivers and never had a problem. I have noticed many problems with XP using updates beyond the basic SP2 upgrade. I rolled back all my XP updates to SP2 and no further and everything has been cool so far. That may be why it works in VMWare. I don't think anyone using VMWare would bother with updates beyond SP2, would they???

I figure most updates are to do with slack security on XP and are not required if other measures are taken. I use a good firewall and a router with built in firewall features. If someone is going to hack that, I don't think Msoft updates will stop them.

WaxfordSqueers
October 19th, 2008, 20:22
Quote:
[Originally Posted by WaxfordSqueers;77424]Kayaker...I've been using an NVidia 6200 with different drivers and never had a problem.
Oops, spoke too soon. Just upgraded to NVidia driver 6.14.11.7813 a few days ago and it does not work.

And...doh!! The reason it works in VMWare is that they don't use NVidia drivers.

Elenil
October 20th, 2008, 21:43
I want to show another softice error I found recently
when the SSDT table -> NtTerminateProcess is changed by anti virus driver software like Avira anti virus (I think Kaspersky also does, can't check yet)
SoftICE puts itself into an endless loop (EBFE), this lags the whole computer then
+ the softice window changes to something confusing, only WR WD WC restore the SI window back
the solution is kinda simple, you restore the original SSDT address for NtTerminateProcess

WaxfordSqueers
November 4th, 2008, 22:03
Quote:
[Originally Posted by WaxfordSqueers;77425]Oops, spoke too soon. Just upgraded to NVidia driver 6.14.11.7813 a few days ago and it does not work.


Update...had to drop back to my old NVidia drivers, 6.14.10.8198, and they work with ice. Don't confuse the end set of numbers, 7813 and 8198, with how current they are. The 7813 drivers are most recent and do not work with ice. The 8198's are listed as 81.98 by NVidia whereas the 7813 are something like 178.13 and are a quite recent version.

Kayaker
November 5th, 2008, 00:03
The EBFE seems to be Softice protecting itself and the system from catastrophic destruction. That particular occurrence is later in the Int0E page fault handler. And you're right, shutting off the various windows seems to be part of it since the WD etc commands are called internally, as well as outputting a Raw Stack Dump before hitting the spin loop.

Continuing with the useless information..

The other two cases of EBFE would give an indicative error message if their loop routine was called:
- SoftICE INTERNAL STACK OVERFLOW DETECTED
- Breakpoint table has been corrupted


It would be interesting to know where the fault lies with those AV SSDT hooks. The Raw Stack Dump output might indicate something.


Quote:
[Originally Posted by Elenil;77438]when ssdt table -> NtTerminateProcess is changed