Break point on memory not work?


neshannel
May 7th, 2002, 00:47
Hi,

I find a string in memory (s 300 l ffffffff 'Some string'), change that string, then put a breakpoint (bpm or bpr) on that address and exit from SoftICE with Ctrl-D. The program gets that changed string, but SoftICE does not pop up!

Can anybody help with why SoftICE does not pop up on a memory breakpoint?

JMI
May 7th, 2002, 01:25
First, it would be helpful if you would read the FAQ, because then you would know that you shouldn't be posting essentially the same question on two forums. You are having a problem with SoftICE. Learn to use the search button on the top of each of the forums and you will find a great deal of information about why and on which operating systems breakpoints work and on which ones they don't.

Second, how is anyone going to help you if you give none of the information necessary to help you? For example: Which operating system are you using? It makes a difference to which features of SoftICE work and which ones don't. Which version of SoftICE are you using? What, if anything, do you know about SoftICE? For example, have you read any of the fine tutorials on using SoftICE? Do you understand the difference between BPM, BPR and BPX?

You will find more help here if you are willing to do work on your own and show that you have done some work in the way you form your question. Show what you've done to help yourself and then ask for someone to help you learn more.

Regards.

neshannel
May 7th, 2002, 01:37
I know how to use SoftICE, and I know the difference between bpm, bpr and bpx.

I use SoftICE 4.05 on Win98SE. I first find that string in memory and change the string, then I put a breakpoint on the address where that string is (bpm 0030:c51809d2). The program gets that changed string, but SoftICE does not pop up??

crUsAdEr
May 7th, 2002, 01:42
Hi neshannel.

What program are you playing with?

Your bpm might be cleared off by the program... does your bpm usually work on other programs? If so, then that is prolly the case...

You might want to delete the thread on the TOT forum... save the admin some work... and read the FAQ, it is really big on top; consider yourself lucky that no one has bashed you yet :>>

Regards,
crUsAdEr

neshannel
May 7th, 2002, 01:48
Sorry for posting the message on two forums; it will not happen again.

About that program.
The program uses protection against SoftICE, but I run FrogsICE and the program then runs. The program generates the string at run time, and the string changes location in memory every time the program starts.

neshannel
May 7th, 2002, 01:57
I tried to delete it from the TOT forum, but I have no permission.

Clandestiny
May 7th, 2002, 03:20
Hiya,

SoftICE uses the debug registers for bpm-style breakpoints. If your app doesn't respond to memory breakpoints, I'd suspect some anti-SICE tricks. Some apps clear or modify the debug registers to disable these breakpoints.

Excerpted from Spath's excellent winice internals essay:
**************************************************
BPM is used to set a breakpoint on memory access or code execution, based on debug registers. The breakpoint type is stored in the breakpoint structure, and is translated into the R/Wn fields of DR7:
code execution = 00
data write only = 01
data read/write = 11
data read only = 11 (read and write sorted in the handler)

A BPM for data access can be set on byte, word or dword; when setting such a breakpoint, SoftICE checks for correct address alignment, according to the chosen size (which actually is not necessary, since the processor performs automatic alignment). Following debug registers' behaviour, the breakpoint is triggered if any of the bytes accessed is in the range defined for the breakpoint.

A BPM on execution can be set on any piece of code with any size (as long as alignment is correct). However, you should be very careful here because of the lack of command line checking: to have a chance to be triggered, the breakpoint must always be set on the address of the first byte of the instruction, and must also have a byte size. Any other address/size combination, even if accepted by the SoftICE command line parser, will never trigger.

**************************************************

1) Read up on debug registers in your Intel docs

2) Read more of Spath's excellent winice internals essay to gain an overview of how SoftICE implements the various styles of breakpoints...
ht*p://mail.sarai.net/pipermail/2600/2001-July/000023.html

3) Read some tuts on anti-debug tricks

4) Check into available tools (i.e. Super BPM for Win 9x)

Cheers,
Clandestiny
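To make the DR7 encoding in the excerpt concrete, here is a small Python model added to this thread (it is not SoftICE's code and not part of any post). The function names, slot numbers and sample addresses are assumptions; the bit layout follows Intel's debug register documentation, and the alignment and byte-size rules are the ones Spath describes.

```python
# Added example (not from the thread or from SoftICE): a Python model of how a
# BPM-style breakpoint is encoded in the x86 debug registers, using the R/W
# and LEN field encodings Intel documents and the rules in Spath's excerpt.
# Slot n uses DRn for the address; DR7 holds the L/G enables plus R/Wn, LENn.

RW_BITS = {"exec": 0b00, "write": 0b01, "rw": 0b11}   # read-only also uses 0b11
LEN_BITS = {1: 0b00, 2: 0b01, 4: 0b11}               # byte, word, dword
RW_NAMES = {0b00: "exec", 0b01: "write", 0b11: "rw"}  # 0b10 is the I/O encoding
LEN_SIZES = {0b00: 1, 0b01: 2, 0b11: 4}              # 0b10 means 8 bytes (64-bit only)


def encode_bpm(slot, kind, size, address, dr7=0):
    """Return (dr7, dr_n) for breakpoint slot 0-3, rejecting combinations that a
    command-line parser might accept but that can never trigger."""
    if slot not in range(4):
        raise ValueError("only four hardware breakpoint slots (DR0-DR3)")
    if kind == "exec" and size != 1:
        raise ValueError("execution breakpoints must be byte sized")
    if address % size:
        raise ValueError("address not aligned to breakpoint size")
    shift = 16 + 4 * slot
    dr7 &= ~(0xF << shift)                          # clear old R/Wn and LENn
    dr7 |= (RW_BITS[kind] | LEN_BITS[size] << 2) << shift
    dr7 |= 1 << (2 * slot)                          # Ln: local enable
    return dr7, address


def decode_bpm(dr7, slot):
    """Inverse of encode_bpm: (enabled, kind, size). A target that zeroes DR7
    (the anti-SICE trick mentioned above) shows up here as enabled == False."""
    field = (dr7 >> (16 + 4 * slot)) & 0xF
    enabled = bool((dr7 >> (2 * slot)) & 0b11)      # Ln or Gn set
    return enabled, RW_NAMES.get(field & 0b11, "io"), LEN_SIZES.get(field >> 2, 8)


def bpm_triggers(bp_addr, size, kind, access_addr, access_len, is_write):
    """Debug-register semantics from the excerpt: a data breakpoint fires when any
    byte of the access falls inside [bp_addr, bp_addr + size) and the type matches."""
    overlap = access_addr < bp_addr + size and bp_addr < access_addr + access_len
    if not overlap or kind == "exec":               # exec matches fetches, not data
        return False
    return is_write if kind == "write" else True
```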

Kythen
May 7th, 2002, 05:31
There's a very simple reason you're not getting it to break. You're setting a bpm on the buffer SoftICE uses for commands! 0030:c51809d2 is in SoftICE's data, not your program's. The string must not appear in your program's memory at all. SoftICE's search feature scans all of memory, including its own. So it will always find your search string, but that false positive will be the command buffer if the string isn't found.

Aimless
May 7th, 2002, 09:41
Do this to clear out the white noise in the memory:

1. Write down your string (say: AIMLESSREADSTHEBOARD)
2. Search in SoftICE for the partial string (say: s 30:0 L FFFFFFFF 'AIMLESSREADSTHE')
3. When the search hits, you will find strings in the data window which show you the COMPLETE strings and the string you entered in the new search command
4. The complete strings are your actual strings in memory
5. The incomplete strings are fragments or pieces of your strings left from previous searches/SoftICE buffers/memory manipulation clearances, etc.

...Have Phun

neshannel
May 7th, 2002, 10:57
Thanks for the answer, but this is a fact:

1. The program detects SoftICE and won't run.
1.1 I run FrogsICE and the program then starts.

2. I searched in W32Dasm and HEX Workshop for that string ref. and can't find it. So that string is generated at runtime.

3. Then I start the program, go into SoftICE and search for that string with >>s 300 l ffffffff 'MARKO'<<; then after a few >>s<< (search again) I found that string at 0300:c51349d2 (every time I start the program the string changes location, always somewhere around c5xxx9d2). How do I know it is the string from the program? Because after that string appears a second name and the address of this guy, e.g. MARKO PERTIC WWW.*O.COM, and that additional information I did not enter in the search string, and that additional data is what appears in the program at runtime, only at runtime!!

4. Then I change that string from MARKO to JOHNY, put >>bpm 030:c51349d2<< and return to the program. Then I press a button in the program, the program gets this changed string from that address and displays JOHN PERTIC WWW.*O.COM, but SoftICE does not pop up.

Thanks!

naides
May 7th, 2002, 11:51
Similar questions have been asked before. Look at these refs inside the board:

http://www.woodmann.net/forum/showthread.php?s=&threadid=2096&highlight=softice+break+point

http://www.woodmann.net/forum/showthread.php?s=&threadid=2621&highlight=softice+break+point


Setting a bpm is context specific. The bp will not "stick" if the ds changed from the time you set it to the time the location in memory got read.

Search around for info about SuperBPM, or other tricks that may work in your particular situation.

I also noticed the addresses in which you find your string: 0030:C5. . .

They seem way too high to belong to an application. This is the area where the OS DLLs and functions keep their data.
I am not saying that the string you see was not generated by your app at some point, but what you are seeing may be the shadow of some string manipulation or memory transfer executed by Windows and not the data that your app is using.
Just a suggestion.

Clandestiny
May 7th, 2002, 18:43
Hiya neshannel,

BTW, what is the target in question? I've developed something of an interest in anti-SICE code.

Cheers,
Clandestiny

Woodmann
May 7th, 2002, 19:17
Howdy,

I had moved this thread to TOT; it was posted in general RCE.

This was against my better judgment; next time I will
listen to me.
I shall refrain from bashing this person.
But this is another example of people who don't read the FAQ.
Even when it's posted in RED letters and the first thing you see when you look at it is:
Quote:

Do not ask for cracks. Do not post in the wrong forum. Do not use direct links.
Do not ask where to find the "tools". Do not ask anything that can be found in a
manual, IE: Why can't I set a breakpoint blah, blah, blah? Do not ask for help without showing you made an effort. This includes asking *lameass* questions in the Newbies
Forum. Do not cross post. I can assure you that your question has already been answered
and the answer can be found on this site or on some of the links included on this site.
*Lameass* = Definition:
Hi, I have downloaded this program 12345.exe and I can't (insert your best word here, IE: crack)
it. Can someone tell me how?

crUsAdEr
May 7th, 2002, 19:59
Hi Clandestiny,

Long time no see :>>... take a look at Daemon's site and bit-art Titanium... really heavy anti-SICE protection....