
View Full Version : Soft Ice breakpoint


crUsAdEr
February 2nd, 2002, 17:29
I've been practising unpacking for a while, but there is one problem with SoftICE which I don't know why.

Sometimes SoftICE does not break at my breakpoint even though I have set it in the right context... especially when I unpack AsProtect... after I found the RVA of "popad ; jmp eax" I set
bpm RVA x
bpm RVA rw
bpm RVA x if EIP = RVA
bpm RVA x if EIP > some number smaller than RVA

None of these works... why????

Thank you in advance!

If this helps, I am using Driver Studio 2.5 on Win2k SP2.
Thanks

Kayaker
February 2nd, 2002, 18:32
Hi

I think part of your problem may be due to Softice breakpoints, especially bpm's, not "sticking". You may see this even with a basic program like Notepad, set a bpm and it works fine the first time, open up notepad again and the breakpoint misses. It seems you often have to delete and reset the bpm breakpoints each time.

For one, I'd suggest trying SuperBPM by Elicz, I know it helps especially in Asprotect on breaking on 'slightly advanced' breakpoints. Now Asprotect and likely other packers are another issue slightly. If you try setting a bpm on the OEP popad/jmp eax from the start of unpacking code it will never break on it. It *might* break if you set it on the actual OEP in program code, but I wouldn't count on it, I've seen it happen and I've seen it not happen. I'm not as convinced that it's breakpoint detection per se as has been mentioned recently. I don't know for sure that Asprotect even *uses* breakpoint detection, but I've never really looked into it. It would be interesting to explore this further mind you.

Rather, I've always put it down to a combination of "unsticky" breakpoints on pages already mapped into memory (SuperBPM has helped there), breakpoints on SMC code that aren't resolved yet and don't stick, and possibly setting breakpoints on addresses that aren't mapped into memory yet that also don't trigger.

There is one clue as to why bpm breakpoints don't stick in Spath's SoftICE Internals doc:

A BPM on execution can be set on any piece of code with any size (as long as alignment is correct). However, you should be very careful here because of the lack of command line checking: to have a chance to be triggered, the breakpoint must always be set on the address of the first byte of the instruction, and must also have a byte size. Any other address/size combination, even accepted by SoftICE command line parser, will never trigger.

This might explain why setting a BPM breakpoint on an address that you *know* will resolve from SMC code into a valid address will not break. There may be other idiosyncrasies with the OS/SI version/system combination you have as well.

Back to your main question/real issue, why can't you just set a bpm on the popad at the start of unpacking code. It just ain't going to happen unless you've manually traced close enough to the address so that it's resolved from SMC (Self Modifying Code) and/or you won't run into any possible breakpoint detection code. At that point a double mouse click BPX is likely to work just as well.

Hope this helps,
Kayaker
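The "first byte of the instruction, byte size" rule quoted from Spath's doc above is really the x86 debug-register rule that `bpm` rides on. The following is an added example, not code from the thread or from SoftICE: a small model of how the hardware decides whether a DR0-DR3 breakpoint matches an access, using the R/W and LEN field meanings from the Intel manual. The `from_bpm` syntax mapping (`x`/`w`/`rw`, `b`/`w`/`d`) and the address `0x0040A000` for the "popad ; jmp eax" are assumptions made for the demo.

```python
# Added example (not from the thread, not SoftICE code): a model of how an x86
# hardware breakpoint, the mechanism SoftICE programs into DR0-DR3/DR7 for
# `bpm`, decides whether an access matches. Field semantics per the Intel SDM:
# an execution breakpoint (R/W=00) must have LEN=00 (1 byte) and fires only
# when the fetched instruction starts exactly at that address; a data
# breakpoint fires on any read/write overlapping its LEN-aligned window.
from dataclasses import dataclass

RW_EXEC, RW_WRITE, RW_RW = 0b00, 0b01, 0b11   # DR7 R/W field encodings
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4}       # DR7 LEN field -> byte count


@dataclass(frozen=True)
class HwBreakpoint:
    addr: int      # linear address programmed into DRn
    rw: int        # one of RW_EXEC / RW_WRITE / RW_RW
    length: int    # 1, 2 or 4 bytes (decoded LEN field)


def from_bpm(addr: int, kind: str, size: str = "b") -> HwBreakpoint:
    """Map the assumed SoftICE syntax `bpm addr x|w|rw [b|w|d]` onto DR fields."""
    rw = {"x": RW_EXEC, "w": RW_WRITE, "rw": RW_RW}[kind.lower()]
    length = {"b": 1, "w": 2, "d": 4}[size.lower()]
    return HwBreakpoint(addr, rw, length)


def triggers(bp: HwBreakpoint, acc_addr: int, acc_kind: str, acc_size: int = 1) -> bool:
    """acc_kind is 'x' (instruction fetch), 'r' (read) or 'w' (write)."""
    if bp.rw == RW_EXEC:
        # The CPU compares the first byte of the instruction against DRn, and
        # only LEN=00 is defined for execution breakpoints: no partial overlap,
        # no "somewhere inside the instruction", no word/dword size.
        return acc_kind == "x" and bp.length == 1 and acc_addr == bp.addr
    if acc_kind == "x":
        return False                      # data breakpoints ignore fetches
    if bp.rw == RW_WRITE and acc_kind != "w":
        return False
    # Data breakpoints are range checks on a LEN-aligned window.
    lo = bp.addr & ~(bp.length - 1)
    hi = lo + bp.length
    return acc_addr < hi and acc_addr + acc_size > lo


OEP_JUMP = 0x0040A000   # constructed address of "popad ; jmp eax" for the demo


def demo() -> dict:
    """Replay the four `bpm` variants from the first post against a fetch of
    the popad at OEP_JUMP, plus the unpacker writing those bytes beforehand."""
    def fetch(bp: HwBreakpoint) -> bool:
        return triggers(bp, OEP_JUMP, "x")

    return {
        # first byte, byte size: the only execution form that can fire
        "x_first_byte": fetch(from_bpm(OEP_JUMP, "x")),
        # same address, dword size: the parser accepts it, hardware never fires
        "x_dword": fetch(from_bpm(OEP_JUMP, "x", "d")),
        # one byte into the instruction stream: never fires either
        "x_off_by_one": fetch(from_bpm(OEP_JUMP + 1, "x")),
        # `bpm RVA rw` watches data access; an instruction fetch is not one
        "rw_on_fetch": fetch(from_bpm(OEP_JUMP, "rw")),
        # ...but the unpacker writing the decrypted bytes there does trip it
        "rw_on_write": triggers(from_bpm(OEP_JUMP, "rw", "d"), OEP_JUMP + 2, "w", 4),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:14s} -> {'breaks' if fired else 'never breaks'}")
```

The model explains the first post's list directly: `bpm RVA x` is the only variant that can fire on the fetch, and only once the real bytes are there; `bpm RVA rw` fires on the unpacker's write to that page, not on execution, which is why it looks like it "works" earlier than expected. The `if EIP = RVA` conditions change nothing, since the hardware match has to happen before SoftICE ever evaluates them.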

crUsAdEr
February 4th, 2002, 16:24
Thanks for the reply...

I didn't know the moderator moved my post to this forum, thought it was deleted because I asked a dumb question :<

Yep... that cleared my doubt... thanks a lot...