Interesting you mention that [yAtEs]. I was going to bring up the Iceclimber trick as well, then realized Dion probably wasn't trying to break into Softice code itself. But it is an interesting trick by itself. It's actually an easy patch in Softice you can keep permanent without using the Iceclimber vxd all the time. Basically it's the code below in winice.exe:
:C003AD24 cmp eax, ds: off_0_C000BC95 ; starting address of WINICE
:C003AD2A jb short loc_0_C003AD34 ; patch to bypass error
:C003AD2C cmp eax, ds: off_0_C00F1EBC ; ending address of WINICE
:C003AD32 jbe short loc_0_C003AD36 ; if bpm set in winice code
:C003AD34 clc
:C003AD35 retn
:C003AD36 push esi
:C003AD37 mov esi, offset aBreakpointsNotAllowedWithinSoftice ; "Breakpoints not allowed within SoftICE"
:C003AD3C call sub_0_C001DE15
If your breakpoint address is set within winice code then you get the error message and the bpm never breaks. Dion, you should check if TRW may do something similar.
Tracing in Softice code is actually a lot of fun and probably the best way to learn how a real debugger works <that others try to imitate ;> It's also a good way to try to improve Softice. If you look at winice long enough you might discover that virtually *every* function in SI can be accessed and traced through disassembly or code through 1 function - the BCHK Boundschecker "Backdoor" interface.
There's enough information here for an essay, which I was thinking of writing one day ;-), but it's basically related to the SI commands you can execute through your own code using the old:
mov ebp, 4243484Bh ; 'BCHK'
mov al, 0Eh ; Execute a SoftICE command
mov edi, offset SICommand ; ascii of command, i.e. 'SICommand db "HBOOT", 0'
INT 3
Softice intercepts the INT 3 and checks if the command is a valid one it wants to use. There are only 38 of them allowed, most of them just basic information commands; hboot is really the only "active" command allowed. It's interesting how the check is made. The ascii command used is identified, and a single byte bitmask value is retrieved from a table; this is then checked with the BT command against a long bitmask string. The bitmask string is hardcoded into winice and can be found by searching for the dwords immediately after "BCHKWPV.table r".
Here's the start of the BT section where it's decided where to branch to, to process whatever command has been sent via the BCHK interface OR typed into the SI window:
====================================
C00813FD BT DS: DWORD_C0081B07, EDX ; check byte against bitmask
C0081404 jb short loc_C0081412
C0081406 mov esi, offset aInvalidCommand ; "Invalid command"
C008140B call sub_C00818F5
C0081410 jmp short loc_C008141B
C0081412 push ebp
C0081413 call ds: off_C0022DC7[edx*4] ; jumps to *every* Softice command
The value of EDX is important here, it is the single byte bitmask value for the SI command you selected. This value is used as an offset to a jump table, which itself jumps to each and every Softice code routine that you might want to explore in winice.exe. The bitmask (edx) value for every function can be found in a table beginning at hex offset 00054288 in winice.exe. Hmmm, I guess I have to give an example here..
----------------------------------------------------------
Let's say you wanted to explore in code the I1HERE command, which enables whether Softice will break on an INT 1. Searching in winice.exe you'll find the ascii / bitmask table:
000543FF 49 31 48 45 52 45 00 51 I1HERE.Q
The "0051" is the bitmask value for this particular command. Plugging this value into EDX you can trace directly to the code associated with it:
I1HERE == 51h == EDX
C0081413 call ds: off_C0022DC7[edx*4]
(C0022DC7 [edx*4] == C0022DC7 + (51h*4) == C0022F0B)
:C0022F0B dd offset sub_0_C002926F
which leads to
:C002926F mov esi, offset dword_0_C002142F
:C0029274 call sub_0_C001F612
:C0029279 jb short loc_0_C0029288
:C002927B call sub_0_C0026808
:C0029280 jb short loc_0_C00292A1
:C0029282 mov ds: byte_0_C003509D, al
And the last line is the I1HERE ON/OFF flag. If al=0 I1HERE is OFF, al=1 I1HERE is ON.
------------------------------------------------
I found this so handy I made a module I use when writing vxd code to automatically set the flag to I1HERE ON, so I can use "INT 01" in code to debug it.
Well, I guess that's the snippet for the day
Regards,
Kayaker
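The command lookup Kayaker walks through above (ascii name followed by a one-byte index, the BT test against the allowed-bit string, then the index*4 slot in the call table at C0022DC7), worked as an added Python example. This is not code from the post or from winice.exe: the entry layout, the call-table base and the I1HERE index 51h are taken from the post, while the other table entries, their indices and the allowed bitmask are constructed here for illustration and say nothing about which commands winice actually permits over BCHK.

```python
"""Parse a SoftICE-style ascii/index command table and mirror the dispatch check.

Layout (from the post): each entry is a NUL-terminated command name followed by
one byte, the index that winice uses both for the BT check and as the call-table
offset.  SAMPLE_TABLE below is CONSTRUCTED: only the I1HERE entry
(49 31 48 45 52 45 00 51) reproduces bytes shown in the post.
"""

CALL_TABLE_BASE = 0xC0022DC7   # from the post: call ds:off_C0022DC7[edx*4]

# Constructed sample table: three "name\0idx" entries.
SAMPLE_TABLE = (
    b"HBOOT\x00\x12"       # index 0x12 is made up for this example
    b"I1HERE\x00\x51"      # layout and index exactly as shown in the post
    b"VER\x00\x07"         # index 0x07 is made up for this example
)


def parse_command_table(data: bytes) -> dict:
    """Return {name: index} for a buffer of name\\0idx entries."""
    entries = {}
    pos = 0
    while pos < len(data):
        end = data.find(b"\x00", pos)
        if end == -1 or end + 1 >= len(data):
            break  # truncated entry: stop instead of reading past the buffer
        entries[data[pos:end].decode("ascii")] = data[end + 1]
        pos = end + 2
    return entries


def bt(bitstring: bytes, index: int) -> bool:
    """Emulate x86 'BT mem, reg': with a register bit offset the CPU addresses
    the bit anywhere in the bit string starting at the memory operand, so an
    index of 0x51 tests bit 1 of the byte at offset 10, not a bit of the first
    dword.  That is why one byte per command is enough for the check."""
    byte_pos, bit_pos = divmod(index, 8)
    if byte_pos >= len(bitstring):
        raise IndexError("bit index lies outside the bitmask string")
    return bool((bitstring[byte_pos] >> bit_pos) & 1)


def call_table_slot(index: int) -> int:
    """Address of the dword holding the handler pointer for this index."""
    return CALL_TABLE_BASE + index * 4


def allowed_mask(indices) -> bytes:
    """Build a 256-bit little-endian bit string with the given indices set.
    Constructed stand-in for the hardcoded mask that follows 'BCHKWPV.table r'."""
    mask = bytearray(32)
    for i in indices:
        mask[i // 8] |= 1 << (i % 8)
    return bytes(mask)


def dispatch(command: str, table: dict, mask: bytes):
    """Mirror the C00813FD check: fetch the index, BT it against the mask, and
    return the call-table slot, or None where winice would print
    'Invalid command'."""
    idx = table.get(command.upper())
    if idx is None or not bt(mask, idx):
        return None
    return call_table_slot(idx)


if __name__ == "__main__":
    table = parse_command_table(SAMPLE_TABLE)
    mask = allowed_mask([0x12, 0x51])   # constructed: pretend these two pass BT
    for cmd in ("I1HERE", "HBOOT", "VER"):
        slot = dispatch(cmd, table, mask)
        print(cmd, "->", "Invalid command" if slot is None else f"slot {slot:08X}")
```

Running it prints the I1HERE slot as C0022F0B, the same address the post arrives at by hand, and VER is rejected because its constructed index is not set in the mask.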