
Softice 1.52 with Windows 3.1x/Dos


JesterXIII
May 21st, 2012, 12:32
Hello everyone,

I did a brief search for subjects similar to Windows 3.1 and Softice 1.52, but I don't believe there is much on the subject. Honestly, I'm a bit too young for the topic myself.

Anyway, my question is as follows, as the softice documentation is a bit poor: How do I properly load the symbols from Softice over DOS in the autoexec.bat and config.sys? Also, the system I'm looking at has an extended memory manager (HIMEM.SYS) with NOEMS and an I switch of E000-EFFF. Most of the documentation regarding EMMs seemed to be referring to Windows NT, though. (See Fifth Addendum)

From what I gathered, winice.exe needs to be loaded as a device in the config.sys (device=C:\WINICE\WINICE.EXE). Though, that is my assumption from reading the documentation for NT systems.

Thank you very much for your help,
-Jester

Slight addendum: If there is a more appropriate version of Softice I should be using that is still compatible with Win3.1, I am definitely open to the suggestion. To my knowledge, later versions of Softice are intended for Windows NT and on.

Second addendum: I am now working with Softice 2.62, as provided in the archives (thank you for preserving this!). Using the line "DEVICE=C:\2F5BC~1.6SI\S-ICE.EXE /SYM 500" successfully lets me load the symbols from softice before DOS (in 500k memory), but does not let me actually make calls, such as ctrl + d, to softice. However, I am still flirting with the EMM. Using the /EMM switch causes a system exit with my program, but allows me to ctrl + d. Using the command "DEVICE=C:\2F5BC~1.6SI\EMMSETUP.EXE C:\DOS\HIMEM.SYS" in the config.sys brings a blank box up during startup and freezes. Using the same command while the system is running also freezes, but does not bring up a blank box.

Third addendum: After reading through some of the new documentation, my config.sys is as follows:

DOS=HIGH, UMB
DEVICE=C:\2F5BC~1.6SI\CE.EXE ;config
DEVICE=C:\2F5BC~1.6SI\S-ICE.EXE /SYM 500 /EXT 2112 /EMM
DEVICE=C:\DOS\HIMEM.SYS
DEVICEHIGH=C:\2F5BC~1.6SI\UMB.SYS
DEVICE=C:\DOS\SETVER.EXE
DEVICE=C:\DOS\EMM386.EXE NOEMS I=E000-EFFF
FILES=255
BUFFERS=30
LASTDRIVE=Z
DEVICE=C:\RTC2000.SYS
DEVICE=C:\WINDOWS\IFSHLP.SYS
STACKS=9,256

There is no ansi.sys in the system to my knowledge and smartdrv is an executable handled by autoexec.bat rather than a .sys.

Fourth Addendum: With the previous config.sys, I experience the following errors in a system run:
[DOS boots normally until the UMB device is loaded. Returns the following:]
No high memory available.

[The next line, returned from the EMM386 device states:]
EMM386 not installed; protected mode software already running.

[DOS finishes and the system continues as normal. After windows 3.1 begins, the program begins to load, and application errors display as follows:]
Application Error
Progman caused page fault in module DRVDDLL.DLL at 0001:0000

[Click ok, the second error:]
Application Error:
Progman caused page fault in module KRNL386.EXE at 0001:4E8B

When trying to click enter, nothing happens, and the system freezes. Clearly, I'm not fluent with traditional memory management.

Fifth addendum: After getting through Chapters 2, 6, and 8 of the provided documentation in Soft-Ice 2.62, I came to realize that Soft-Ice is not compatible with EMM386.exe. Attempting to substitute the expanded memory manager with the soft-ice driver alone, however, was met with the same failures from Progman. Reading deeper into chapter 8, it seems that the emmsetup.exe should be used prior to loading the soft ice driver with /emm switch. However, chapter 8 is not quite specific on what to use emmsetup.exe with. Running the program with no file in the parameter returns the type of parameter it is looking for (a Numega driver). I'll keep reading Chapter 8, but I believe the problem is clear now: I need to tweak the internal EMM of soft ice to function identically to EMM386.exe.

Sixth addendum: I have finagled with s-ice.exe switches enough to get it loaded as a device driver. However, I am only able to ctrl + d outside of the windows 3.1 environment or on system exit. Once windows is running, however, I am (seemingly) unable to use softice functions. Will continue to experiment, assuming the issue is still nested in memory management.

Kayaker
May 21st, 2012, 18:58
Hi

Have you got it running? I just "installed" 1.52 (on XP) and all it said was to run winice.exe from a DOS window. I don't recall having to modify autoexec or config.sys. Perhaps for boot loading instead of manual loading, if that is possible, but I can't actually test that or see any reference to it.

As for symbol loading, that's usually done with wldr.exe and/or modifying winice.dat. Are you actually having problems, or only think you're going to?

JesterXIII
May 21st, 2012, 21:21
Quote:
[Originally Posted by Kayaker;92577]Hi

Have you got it running? I just "installed" 1.52 (on XP) and all it said was to run winice.exe from a DOS window. I don't recall having to modify autoexec or config.sys. Perhaps for boot loading instead of manual loading, if that is possible, but I can't actually test that or see any reference to it.

As for symbol loading, that's usually done with wldr.exe and/or modifying winice.dat. Are you actually having problems, or only think you're going to?


Thanks for your reply!

Well, I've attempted to run it on several occasions. The GUI in the windows environment only allows me to select a program, but I cannot "load" it. Upon trying to execute WLDR <program>.exe/.sym in DOS, it tells me that Soft-Ice/W is not loaded. From what I have found, I think Soft-Ice/W is supposed to be loaded before DOS in the config.sys.

The problem is, I don't know how to load a driver like this manually. Correct me if I'm wrong, but XP does not use EMM programs like HIMEM for Advanced 386 mode, because it's not 386 architecture? Unfortunately, EMMs affect how softice is loaded as a device driver, and I'm not quite sure how to properly do such.

Kayaker
May 22nd, 2012, 01:30
I'm not quite sure. I haven't used Softice under Win3.1 since the last century, well, millennium.

Are you trying to look at a 16 bit NE app? Maybe try running it under Win9x and use Softice 4.05 instead, more likely compatible with modern hardware.

This might be helpful as well:

http://www.woodmann.com/crackz/Tutorials/Siceints.txt

JesterXIII
May 22nd, 2012, 05:53
Quote:
[Originally Posted by Kayaker;92581]I'm not quite sure. I haven't used Softice under Win3.1 since the last century, well, millennium.

Are you trying to look at a 16 bit NE app? Maybe try running it under Win9x and use Softice 4.05 instead, more likely compatible with modern hardware.

This might be helpful as well:

http://www.woodmann.com/crackz/Tutorials/Siceints.txt


Haha, yeah, to be honest I don't think anyone should be even touching this software anymore XD

16-bit, yes, however I don't believe it is an NE. The decompilers (such as the latest IDA and w32dsm) were very prompt to note that. So I had to decompile it with IDA Pro 5.0. To be honest, I'm not quite sure what kind of .exe type the file is other than 16 bit.

That was one of the articles I had been reading carefully, actually. The following three steps on execution of WINICE.EXE are where failure occurs, I believe:

"2. test if Windows is already running in enhanced mode, and quit if so.
3. test if an XMS driver is installed, and quit if not. If installed,
SoftICE stores the XMS driver entry point.
4. test if CPU is 386+ by trying to write higher part of eflags, quit if not."

If I try to load it as a device (DEVICE=C:\WINICE\WINICE.EXE), the system freezes. The result is the same before or after DOS, HIMEM, or any other device. If I try to run MSYM.EXE with any application, the result, "Symbols are not properly loaded," is displayed.

Thank you again for your patience and help

WaxfordSqueers
May 31st, 2012, 22:57
Quote:
[Originally Posted by JesterXIII;92576]... but does not let me actually make calls, such as ctrl + d, to softice. However, I am still flirting with the EMM.


I think a big part of your problem is your DOS setup and not softice. The last version of real DOS was 6.1 or 6.2. You should be running at least that version if you want to use EMM and himem.sys effectively. Versions of DOS before ver 6 were notoriously flaky and Win 3.1 was about as flaky as you could get; just sneezing in the presence of either could cause a crash. Same with Win 95.

You should be able to run ICE 1.6 on Win 98SE (SE = second edition), and that's the lowest version I would use. Also, I've had it running in a DOS box on Win XP.

Setting up config.sys and autoexec.bat is vital. DOS had an upper memory of 640K and device drivers from softice had to be loaded between 640K and 1 meg. Many modern programs use that area for video and if you overwrite it, you'll get a crash. It's best to have a computer dedicated to DOS, where no other app is accessing its memory area.

Quote:
[Originally Posted by JesterXIII;92576]

Third addendum: After reading through some of the new documentation, my config.sys is as follows:

DOS=HIGH, UMB
DEVICE=C:\2F5BC~1.6SI\CE.EXE ;config
DEVICE=C:\2F5BC~1.6SI\S-ICE.EXE /SYM 500 /EXT 2112 /EMM
DEVICE=C:\DOS\HIMEM.SYS
DEVICEHIGH=C:\2F5BC~1.6SI\UMB.SYS
DEVICE=C:\DOS\SETVER.EXE
DEVICE=C:\DOS\EMM386.EXE NOEMS I=E000-EFFF
FILES=255
BUFFERS=30
LASTDRIVE=Z
DEVICE=C:\RTC2000.SYS
DEVICE=C:\WINDOWS\IFSHLP.SYS
STACKS=9,256

Looks reasonable except for the 2F5BC~1.6SI directory. Remember, DOS is an 8 bit system. Keep all of your directory and file names to 8 characters or less. Also, statements like himem.sys and emm386 should come first. Read on the order in config.sys.

Find a book on DOS or find an article on it on the Net. eg. http://www.computerhope.com/ac.htm

DEVICE=C:\Windows\HIMEM.SYS
DOS=HIGH,UMB
DEVICE=C:\Windows\EMM386.EXE NOEMS

should be at the top of config.sys. Change the Windows directory to wherever himem.sys and emm386.sys are found.

I don't know why you have the devices rtc2000.sys and ifshlp.sys in there. They are taking up valuable memory space and are not required from what I can see, unless rtc2000.sys is related to softice.

I don't know why you have umb.sys in there either. Himem.sys should handle upper memory. You don't need setver.sys either as you can set the version at a dos prompt if required.


Quote:
[Originally Posted by JesterXIII;92576]Fourth Addendum: With the previous config.sys, I experience the following errors in a system run:
[DOS boots normally until the UMB device is loaded. Returns the following:]
No high memory available.


remove umb.sys device...not needed.

Quote:
[Originally Posted by JesterXIII;92576][The next line, returned from the EMM386 device states:]
EMM386 not installed; protected mode software already running.


You are likely running DOS under a protected mode system like Windows.

I think the rest of your problems will clear up after you fix the DOS environment. Pay particular attention to the requirements of softice. Look around the Net.

You need to understand that you have bitten off a lot more than you can chew. You said you are young, so you have a long time to chew it. If it interests you, hang in there. That's how we all learned.

WaxfordSqueers
May 31st, 2012, 23:30
Quote:
[Originally Posted by JesterXIII;92585]
That was one of the articles I had been reading carefully, actually. The following three steps on execution of WINICE.EXE are where failure occurs, I believe:

"2. test if Windows is already running in enhanced mode, and quit if so.
3. test if an XMS driver is installed, and quit if not. If installed,
SoftICE stores the XMS driver entry point.
4. test if CPU is 386+ by trying to write higher part of eflags, quit if not."

If I try to load it as a device (DEVICE=C:\WINICE\WINICE.EXE), the system freezes. The result is the same before or after DOS, HIMEM, or any other device. If I try to run MSYM.EXE with any application, the result, "Symbols are not properly loaded," is displayed.


Winice.exe is not a device. Devices are drivers and winice.exe is not a driver.

You need to study some basic DOS to understand the difference between real and enhanced modes, as well as the difference between extended memory and expanded memory.

Earlier computers had severe limitations with memory. The DOS system was limited to about 1 meg of memory. It used the lower 640 kilobytes for applications and data, and reserved the area between 640 K and 1 meg for video, device drivers and ROM memory dumps. Enhanced memory was above the 1 meg barrier and required smoke and mirrors to get to it. Windows used enhanced mode but DOS did not.

The area between 640k and 1 meg is called 'extended' memory. However, some companies developed means of using external memory boards called 'expanded' memory. You are only concerned with extended memory here.

There is also a small region above 1 meg called the high memory area (HMA) and himem.sys accesses that. The himem.sys statement should come first in config.sys.

The himem.sys and emm386.exe are 'extended' memory managers. They allow you to insert device drivers into holes in extended memory. In the device = c:/windows.emm386.sys statement in config.sys, you often see a NOEMS statement. Read here:

http://technet.microsoft.com/en-us/library/cc722864.aspx

The NOEMS tells the system there is no 'expanded' memory. If you want to reserve an area of 'extended' memory, you use x = aaaa - bbbb to specify the range. I believe softice has a range they recommend. So, you would have both a NOEMS and an x = aaaa - bbbb statement in your device = emm386.exe statement.

Autoexec.bat is used to specify paths and drivers for devices like cdrom's. DOS required specific instruction as to where a device was located, and you could include those paths in autoexec.bat.

The first path there should be where DOS is located. It does not hurt to tell it exactly where softice is located.

Don't be afraid to spend significant time learning some basic DOS. If it accomplished nothing else, it will allow you to argue with Linux freaks who try to pass off Unix obfuscation as being so much better. :-). At least with DOS you had file name extensions so you knew what you were dealing with.
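As an added example that is not part of the thread or of NuMega's own tooling: a small Python lint for the config.sys ordering and 8.3 naming rules from the two replies above (HIMEM.SYS first, EMM386 NOEMS after it, DEVICEHIGH only once UMBs exist, no S-ICE /EMM ahead of EMM386). The two sample files are constructed: one is the config.sys quoted in the thread, the other a reordering of it that follows the advice.

```python
import re
# Input sample 1: the config.sys as quoted in the thread.
POSTED_CONFIG = """\
DOS=HIGH, UMB
DEVICE=C:\\2F5BC~1.6SI\\CE.EXE ;config
DEVICE=C:\\2F5BC~1.6SI\\S-ICE.EXE /SYM 500 /EXT 2112 /EMM
DEVICE=C:\\DOS\\HIMEM.SYS
DEVICEHIGH=C:\\2F5BC~1.6SI\\UMB.SYS
DEVICE=C:\\DOS\\SETVER.EXE
DEVICE=C:\\DOS\\EMM386.EXE NOEMS I=E000-EFFF
FILES=255
BUFFERS=30
LASTDRIVE=Z
DEVICE=C:\\RTC2000.SYS
DEVICE=C:\\WINDOWS\\IFSHLP.SYS
STACKS=9,256
"""

# Input sample 2 (constructed): the same drivers in the order the reply suggests,
# UMB.SYS dropped and S-ICE placed after EMM386 without /EMM. It shows what passes
# the ordering checks, not that SoftICE itself then loads.
REORDERED_CONFIG = """\
DEVICE=C:\\DOS\\HIMEM.SYS
DOS=HIGH,UMB
DEVICE=C:\\DOS\\EMM386.EXE NOEMS I=E000-EFFF
DEVICE=C:\\DOS\\SETVER.EXE
DEVICE=C:\\2F5BC~1.6SI\\S-ICE.EXE /SYM 500 /EXT 2112
DEVICE=C:\\WINDOWS\\IFSHLP.SYS
"""

def is_8dot3(component):
    """True if a path component fits DOS 8.3 naming (short names like 2F5BC~1 count)."""
    name, _, ext = component.partition(".")
    return 1 <= len(name) <= 8 and len(ext) <= 3 and "." not in ext

def parse(text):
    """Yield (lineno, key, driver_path, args) for each non-comment config.sys line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REM "):
            continue
        key, _, value = line.partition("=")
        key, parts = key.strip().upper(), [p.upper() for p in value.split()]
        if key in ("DEVICE", "DEVICEHIGH") and parts:
            yield n, key, parts[0], parts[1:]
        else:
            yield n, key, "", parts  # DOS=, FILES=, STACKS= ... carry no driver path

def lint(text):
    """Return [(lineno, message)] for the ordering and naming problems discussed above."""
    findings, first, himem_at, emm386_at, sice_emm_at = [], True, None, None, None
    for n, key, path, args in parse(text):
        if not path:
            continue
        base = path.rsplit("\\", 1)[-1]
        # Every component after the drive letter must be an 8.3 name.
        bad = [c for c in re.sub(r"^[A-Z]:", "", path).split("\\") if c and not is_8dot3(c)]
        if bad:
            findings.append((n, "not an 8.3 name: " + ", ".join(bad)))
        if first and base != "HIMEM.SYS":
            findings.append((n, "HIMEM.SYS should be the first DEVICE line"))
        first = False
        if base == "HIMEM.SYS":
            himem_at = n
        elif base == "S-ICE.EXE" and "/EMM" in args:
            sice_emm_at = n  # SoftICE's own expanded-memory emulation is now resident
        elif base == "EMM386.EXE":
            emm386_at = n
            if himem_at is None:
                findings.append((n, "EMM386.EXE needs HIMEM.SYS loaded before it"))
            if sice_emm_at is not None:
                findings.append((n, "EMM386.EXE after S-ICE /EMM (line %d); expect 'EMM386 not installed; protected mode software already running'" % sice_emm_at))
        # DEVICEHIGH only has upper memory blocks to use once EMM386 has provided them.
        if key == "DEVICEHIGH" and emm386_at is None:
            findings.append((n, "DEVICEHIGH before EMM386.EXE: no UMBs yet, driver loads low"))
    return findings
```

Run `lint(POSTED_CONFIG)` to see the three ordering findings the thread ran into (lines 2, 5 and 7); the reordered sample produces none.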

JesterXIII
July 6th, 2012, 09:26
Quote:
[Originally Posted by WaxfordSqueers;92635]

You need to understand that you have bitten off a lot more than you can chew. You said you are young, so you have a long time to chew it. If it interests you, hang in there. that's how we all learned.

The further I dive into it, the more I realize that XD. However, if anything, the complexity of it only raises my interest. I know it's been a long while since I've posted on this thread or worked on the project, as my responsibilities were placed elsewhere, though I'm hoping to return to it this week sometime.

Unfortunately, I can't run the program on any other platform than the one provided. The software in question comes packaged and integrated with Windows 3.1 and DOS. The "application" does not exactly start from a single executable, though, I believe that only one of the executables will make calls to the dongle. Also, it is very, very rigid with its system resources. There are very few modifications I can make to the EMM386 device. More liberal changes will cause the software to fail and initiate a System Exit.

In regards to the following,
Quote:
[Originally Posted by WaxfordSqueers;92637]Winice.exe is not a device. Devices are drivers and winice.exe is not a driver.


Perhaps my understanding with drivers is a bit flawed, however, I thought a device could be declared from a .sys, .cfg, or a .exe depending on the device. Since EMM386 is an executable memory manager as well as SIce, technically speaking, should I not be able to load the SIce executable as a device in a similar manner? Or, is SIce not an extended memory manager like EMM?

You also mentioned a few times that the issue was more with the DOS configuration than with SIce itself. Perhaps I am going about this the wrong way. Most of the modified configuration with SIce I'm implementing would most likely only affect DOS. However, the software runs in a 3.1 native environment. Should I instead focus much more towards a Windows 3.1 soft ice configuration and leave DOS in the default state of the packaged software?

I appreciate all the useful advice, and apologize if this is a frustrating topic. But I will definitely research more into the topic. I guess I was just spoiled with memory being managed by the physical processor growing up XD

tedshred
July 6th, 2012, 11:53
Please describe the dongle you are using.

JesterXIII
July 6th, 2012, 12:39
Quote:
[Originally Posted by tedshred;92841]Please describe the dongle you are using.


I don't want to get too specific on the hardware/software, but the dongle is a 25-pin (parallel) with a through port. I have more of an issue running the cracking tools than actually using it. That's the next part to tackle.

WaxfordSqueers
July 7th, 2012, 00:49
Quote:
[Originally Posted by JesterXIII;92840]The software in question comes packaged and integrated with Windows 3.1 and DOS.
The problem I foresee is you spending a lot of time learning Win 3 and an older DOS then having to bring yourself up to speed on the PE files used in later versions of windoze. The NE file format is bad enough, but you are stepping back into ancient technology. Win 3 was highly unstable and was likely to crash as the result of a sneeze. The DOS version used in win 3 was nothing to write home about either. When you try to get ice 1.95 running on that it's tough to tell what is crashing what.

Quote:
[Originally Posted by JesterXIII;92840]Perhaps my understanding with drivers is a bit flawed, however, I thought a device could be declared from a .sys, .cfg, or a .exe depending on the device. Since EMM386 is an executable memory manager as well as SIce, technically speaking, should I not be able to load the SIce executable as a device in a similar manner?
Ice is not a memory manager; it loads windoze on top of itself so that it can intercept windoze calls. In that respect, it's more of an OS manager.

EMM386 is required because of the nature of old DOS systems. They could not 'see' beyond 1 meg memory and reserved the first 640k of memory for apps. In the rest of memory, they had to allot space for video drivers, etc., but there were holes left over that could be used for drivers. A memory manager was required to give access to those holes. Also, there were holes at the high end of memory which himem.sys managed.

The memory manager was required to maximize the 1 meg limit and putting the ice executable up there serves no purpose since it won't run from there. Drivers were an extension of the old TSR (terminate and stay resident), which were early drivers which would load in memory and stay there. Later, drivers were called at boot time and loaded into extended memory (above 640k and below 1 meg). I think ice has a driver you can load in extended memory, and if so, it needs to be declared in config.sys as a DEVICE so it will be loaded in extended memory at boot.

Drivers can be called from an executable, meaning the system redirects calls from an executable's code to code in the driver. Same with dll's. However, executables are loaded by a different mechanism than drivers. For one, they are loaded directly from the hard drive, or floppy, or whatever you have. The image of the executable is loaded into memory below 640K. If you read on this it won't take you long to figure out the difference.

WaxfordSqueers
July 7th, 2012, 01:01
Quote:
[Originally Posted by JesterXIII;92842]I don't want to get too specific on the hardware/software, but the dongle is a 25-pin (parallel) with a through port. I have more of an issue running the cracking tools than actually using it. That's the next part to tackle.
You might be out-thinking the problem. I have no expertise with dongles and someone else could help you better.

I can say that protection was pretty primitive in old systems. Have you tried an app like IDA and tried to read the code directly? I don't know if IDA disassembles win 3 code but I am sure there are apps that will.

There is a dedicated interrupt for parallel ports and a dongle will likely have to use it to access the port. Scour the code for the interrupt and see if you can find out what they are doing. It might be as simple as changing one instruction to bypass the dongle. In old code like that they were just as likely to have a comment saying "dongle code here".

There are some excellent tutorials on dongles in the archives. You might look up the +Ork tutorials which were pertinent to that era. +Orc was into not out-thinking problems.

WaxfordSqueers
July 8th, 2012, 09:32
Quote:
[Originally Posted by JesterXIII;92842]... the dongle is a 25-pin (parallel) with a through port....


Here's a link to an article on parallel ports with a short program in straight C:

http://et.nmsu.edu/~etti/fall96/computer/printer/printer.html

Here is a link to a woodmann article on dongle reversing:

http://www.woodmann.com/fravia/dongle_n.htm

Actually, it's an old fravia article, God bless his soul. Good guy...he is missed.

Note that they use an old tool, win32dis (they might mean win32dasm...look it up in google...or in RCE tools) to disassemble the code and hexedit to alter the code. You might not even need softice. I have solved a lot of my reversing problems by analyzing IDA disassemblies. Of course, in the old days, it was win32dasm. Shudder!!!

Note that in the code provided in the tute that there was a direct reference to the dongle code.

Here's the +Orc tutes on RCE. There's a link to this at the bottom of the first tute above:

http://www.woodmann.com/fravia/orc1.htm

It covers everything you need to know from basic DOS reversing up to win reversing. These tutes may be more applicable to what you are doing with win3.

dELTA
July 13th, 2012, 22:12
Fravia tutes, Win32dasm and Softice 2.62, oh the memories...

WaxfordSqueers
July 14th, 2012, 10:48
Quote:
[Originally Posted by dELTA;92900]Fravia tutes, Win32dasm and Softice 2.62, oh the memories...

Hey, Delta, whazzup??

I know I used ver 2.52 along the way, but it is so long ago I can't recall the specifics. win32dasm was a revelation at first, as I looked at the relative complexity of IDA with distrust, until I realized the difference in power.

WaxfordSqueers
July 14th, 2012, 10:53
Quote:
[Originally Posted by dELTA;92900]Fravia tutes...


I recall fravia as a kindly, helpful guy but he may be offended with the omission of the +fravia while +Ork gets one. I never did graduate from the HCU.

JMI
July 14th, 2012, 12:59
dELTA is incredibly busy with work and "real life" at the moment. I am sure he was intending no slight of +Fravia, but was rather, like you did, referring to the /fravia/ section of tutes found on these Forums. I don't believe the "links" in that "section" includes the "+" in front of the name of any of the members who have earned that "distinction," whose body of work is included there. But I didn't check.

They are simply "links" after all. Not the works themselves. And I did not know the gentleman, but I doubt he was the type to place too much emphasis on the "symbol" itself.

Regards,

WaxfordSqueers
July 15th, 2012, 09:07
Quote:
[Originally Posted by JMI;92908] I am sure he [dELTA] was intending no slight of +Fravia, but was rather, like you did, referring to the /fravia/ section of tutes


Hey, JMI...my comment was meant light-heartedly and not from officialdom. I could not give a hoot about +'s and I was referring more to my own use of a + in front of ORK and not in front of fravia. My comment was not aimed at dELTA.

I communicated with fravia and Greythorne several times over various issues and I did not pick him up as the type who was into officialdom either. I could see him looking down from the great hereafter and wondering why ORK got a + and he did not...all in humour, of course.

There's also the situation with younger reversers where they might be curious about the derivation of the + sign. I don't know if the entire fravia archive is there at RCE but he did explain the HCU and the related + sign on there.

JMI
July 15th, 2012, 13:59
WaxfordSqueers:

No harm/no foul intended nor perceived. I was mostly attempting to point out how busy dELTA has been the last several months with work and "real life."

Regards,

redbull
September 10th, 2012, 04:21
I am not sure why you have to use Softice. Have you tried other debuggers like TR 2.52?