
issues with export symbols 016f 0167


uiop8000
June 17th, 2002, 04:10
hi all,

please help! my export symbols appear to be based at a
different address from the code executing them.
let me explain.

my app loads up and I break in on the first instruction.
I have the following message:

WINICE load32 obj=007 add=16f:40001000 Mod = VCL50

which is the module VCL50.BPL I have loaded exports for.

exp vcl50! shows

016f:4000a314 @System@Initialization$qqrv
016f...........................

cs = 0167
ds/ss/es = 016f

map32 appname shows all sections loaded at offsets from 016F

now, most of the time the export symbols resolve and I can
see the names in the code listing. but sometimes I can only see
the names of the symbols when they are being accessed through
ds. So all the CALL commands don't have symbol names.
but after a couple of steps into the app the code window refreshes and the CALL commands suddenly end up with symbol names instead of numbers.
(whether the above happens depends on how I break into the start of the app, e.g. via LordPE, on an API call, etc.)

More frustrating than that is that I can't bpx on the symbol name.
A Breakpoint on @System@Initialization$qqrv for example
places a breakpoint at 016f:4000a314, while the call goes
to 0167:4000a314 and my breakpoint isn't hit.
I can get around it with

bpx 0167:dword(&vcl50!@System@Initialization$qqrv)

but I would like to know what is happening. I read something
in the SoftICE user guide p130 about when a .DLL is mapped into two processes at different base virtual addresses, the export table uses the base address of the first process to open the .DLL. But I don't think anything else is using the DLL.

background:
the app was unpacked with aspackdie
driverstudio 2.6 on windows 98


any help would be very much appreciated
kind regards

oyang2002
June 17th, 2002, 15:06
I have the same problem. Maybe the mangled name
is too long?!

Sometimes I use this trick; I hope it can help you.
In IDA Pro, display the demangled name as name
(the default is comment) and create an NMS file using
a plugin, then you can load it into SoftICE; now set
a breakpoint like this:

:bpmb functionname x

It can work most of time.

Good luck!

uiop8000
June 18th, 2002, 09:33
I haven't heard of that; what plugin is that?

foxthree
June 18th, 2002, 11:44
It is the IDA2SICE Plugin written by Mostek. Look in tsehp.cjb.net/what_new

Signed,
-- FoxThree

uiop8000
June 21st, 2002, 06:38
thanks for the link foxthree

bpmb functionname x does the trick oyang2002! Still would like to know why this happens and how you can get the export symbols working with the other selector.

oyang2002
June 21st, 2002, 15:10
I don't know why it can work either, I just found it.

Most of the time I use bpmb instead of bpx because
the former uses a debug register, which is somewhat stronger
than int 3. In Win9x the breakpoint set by a debug
register can be cleared using the trick of entering
ring 0; I don't know how to do that in NT/2000/XP,
I am a newbie ;-)

Sometimes the trick of "bpmb functionname x" can't
work! Again I don't know why, but if that occurs
I can use another trick: I export a symbol where
I want to set a breakpoint and export it using SoftICE.
You can find the tool in the thread "Export
any functions from a Dll" in "Tools of Our Trade"
which was posted by me some time ago.

By the way,
there is something else to say if you want to use
that tool to export a function (that is why I wrote it):

1. You must set the working directory to be the
original location where the Dll resides; some Dlls
can't be loaded if they were copied into a separate
location.

2. Always export them using the ordinal. Often they can't
be exported by name.

Here is a snippet:

#include <windows.h>

HINSTANCE hInstance;
/* point 1: working directory must be the Dll's original folder */
SetCurrentDirectory("C:\\Program Files\\Dummy");
hInstance = LoadLibrary("C:\\Program Files\\Dummy\\Object.dll");
/* point 2: resolve by ordinal (here ordinal 1), not by name */
FARPROC test = GetProcAddress(hInstance, MAKEINTRESOURCE(0x1));

Now you can call it using asm code or C code if you know
the exact prototype of that function.

Let us say it is a function with the prototype void test(int).
We can call it from ASM like this:

_asm
{
push 0x5    ; the single int argument
call test   ; call through the FARPROC obtained from GetProcAddress
            ; with __cdecl the caller must add esp,4 here; with __stdcall the callee cleans up
}

Pay attention to using the same calling convention to keep the stack
balanced; you can find that out using SoftICE.

We can call it this way too:

typedef void (__stdcall *TESTFN)(int); /* use the convention you observed in SoftICE */
int i = 5;
((TESTFN)test)(i);

Good Luck!

uiop8000
June 24th, 2002, 10:47
very interesting oyang very interesting