
Iceload not breaking on entry...?


triz-
September 28th, 2002, 03:26
(First off, I just wanted to give a quick thanks to anyone who replied to my thread a few months back about ASP*****t, especially Splaj, who was kind enough to e-mail me a few things about the program I was looking at. I didn't want to come back asking for help about something without giving my thanks first.)

Anyway, I recently had to reformat the old HD. After reinstalling good old Windows 98 SE (I'll upgrade...one of these years...), I reinstalled Softice 4.05, Icedump and Iceload. Copied NMTRANS.DLL to the Iceload directory, loaded Icedump /load and tried running a program with it...BSOD. OK, that's weird. Reboot, and again, same thing. Uninstall SI, install DriverStudio (with SI 4.2.7 build 562), run appropriate Icedump, run Iceload, load an ASP*****ted proggy, crossed my fingers and ran - program runs without breaking. Tried again, same thing. Loaded good old Notepad (why is Notepad used as a target for everything, vile or benign?) and ran - loaded without breaking. Even the normal Symbol Loader itself won't break on anything.

Anyone here have any clue why this might be happening? Iceload worked just fine before I formatted, and I don't recall anything special I did to get it to work.

Kayaker
September 28th, 2002, 05:45
Shhhhh, don't tell anyone, but I think you can say 'Asprotect' here, the mods aren't that anal

But seriously, just to take a step back and simplify things a bit... You said you copied NMTRANS.DLL to the Iceload directory, loaded Icedump /load and tried running a program with it and got a BSOD. Maybe you meant something else, but I don't understand why you were using Icedump's /load command at all. Then you installed DriverStudio and added even more variables to the problem.

You may have tried this but I'm wondering what your results are with the *very* simplest situation, Win98SE + Softice 4.05 + the vile yet benign Notepad, either with the SI loader or with IceLoad, but without Icedump loaded. If IceLoad did its job then you should see the 'WinICE Notified' message meaning the appropriate flag for a WinMain break has been set in winice.exe. If that combination still doesn't break at the program start then we can eliminate Icedump and DriverStudio from the equation. The next question might be does Softice break at all on APIs and is your reinstalled winice.dat still OK? Maybe you could recheck these things and report back.

Kayaker

DakienDX
September 28th, 2002, 09:12
Hello triz- !

I have the same problem with ICEDump 6.0.2.6. It simply gives me a BSOD when I try to load any protected or unprotected executable with SoftICE 4.05 on Win98. This happens both with ICELoad or SoftICE Symbol Loader.

So I'm using ICEDump 6.0.2.5 and have no problems. You should try the previous version too, it should work.

bsod
October 6th, 2002, 21:32
Hi triz,

Well, it happens that I *just* upgraded from DS 4.2.6 to 4.2.7, due to the final, working release of icedump 6.026, and I have the very same problem. Load a program into symbol loader, run, and no break, although the "Break on WinMain" etc. is enabled.
I then tried to load some DOS executable via dldr.exe, and surprise, surprise, it breaks at EP, and also the 16bit wldr.exe makes SoftICE pop up at the correct EP of a 16bit Windows application.
But the funny thing is, when loading a 32bit program, this time with debug information, in symbol loader, it breaks! Seems that the "Break on WinMain" has become what it says literally: it breaks just when there's actually something called "WinMain", "_main",... but not on plain entry points anymore.
Probably NuMega wants to make a cracker's life a little harder..

bye

PS. this sucks!

Snatch
October 7th, 2002, 04:18
Very interesting bsod! Maybe if we make a tool to make a symbol file with the name WinMain at the EP of the target program we can restore the functionality. Or maybe we can disassemble ntice and patch it so it doesn't require a symbol there. After all it is called the "symbol loader"

Snatch

bsod
October 10th, 2002, 21:34
Doh.. had to reinstall Windows so I couldn't check earlier..
When loading an nms file with a WinMain symbol, it breaks.
Hm, would be nice if it was possible to find a way to patch winice.vxd.. I'll try but I doubt I'll succeed

bye

toteu
October 11th, 2002, 22:40
This should get you started:

nmtrans!NmSymLoadExecutableEx
nmtrans!DEVIO_SetWLDRBreak
- this one sets the (BPM type) breakpoint via DeviceIOControl 0x9c40601c
find related code in ntice.sys

PS:
Indeed, having an nms loaded on XP with DS 2.7, it breaks.
Just tested now (with _WinMain it breaks).

naides
October 12th, 2002, 05:36
Based on what Kayaker wrote in another posting, he is working on a solution for Sice 4.27 breaking at the entry point again, like in the good ol' days. I have been using a temporary solution, while the l33t come up with a more elegant fix: I edit the exe file in question, and change the entry point byte, which 99.9% of the time is '55': push ebp, to 'CC': int 3.
Now I place a bpint 3 in softIce and voilà, SIce breaks at the entry point. I then reset the first byte of the code to '55' and go my merry way.

Once inside the memory space of the app, setting breakpoints on common use API starts working again.

I am aware I may just have invented the wheel, but hey, if it works. . .
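The byte swap naides describes, as an added Python example that is not from this thread or from NuMega's tools: it maps AddressOfEntryPoint (an RVA) to a file offset through the section table, replaces 0x55 with 0xCC only if the entry byte really is a push ebp, and undoes it the same way. The minimal PE32 image it builds is constructed for offline testing and all function names are my own.

```python
import struct

PUSH_EBP, INT3 = 0x55, 0xCC  # the two bytes naides swaps at the entry point

def build_test_pe(code: bytes, ep_in_code: int = 0) -> bytes:
    """Constructed minimal PE32: one .text section at RVA 0x1000, raw offset 0x200."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000 + ep_in_code)        # AddressOfEntryPoint (RVA)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, len(code), 0x1000, 0x200, 0x200)  # VirtualSize, VA, RawSize, RawPtr
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                     # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    hdr[0x44:0x58] = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header
    hdr[0x58:0x138] = opt
    hdr[0x138:0x160] = sect
    return bytes(hdr) + code.ljust(0x200, b"\0")

def entry_point_file_offset(pe: bytes) -> int:
    """Map AddressOfEntryPoint (an RVA) to a raw file offset via the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect, opt_size = (struct.unpack_from("<H", pe, coff + o)[0] for o in (2, 16))
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 images handled here")
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    for i in range(nsect):
        _vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        if va <= ep_rva < va + rawsize:       # entry point must lie in data present on disk
            return rawptr + (ep_rva - va)
    raise ValueError("entry point RVA not covered by any section's raw data")

def swap_entry_byte(pe: bytes, expect: int, new: int) -> bytes:
    """Copy of pe with its first entry-point byte replaced; refuses unless it equals `expect`."""
    off = entry_point_file_offset(pe)
    if pe[off] != expect:
        raise ValueError(f"entry byte is {pe[off]:#04x}, not {expect:#04x}: not the expected prologue")
    out = bytearray(pe)
    out[off] = new
    return bytes(out)
```

Run `swap_entry_byte(image, PUSH_EBP, INT3)` before setting the bpint 3, and `swap_entry_byte(patched, INT3, PUSH_EBP)` to restore the original once SoftICE has popped up.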

Kayaker
October 12th, 2002, 05:53
Just to mention...LordPE Break'nEnter + BPINT3 does that really nice too (racing tire?) ;-)