SOFT-ICE wince.dat Download


The +Jonathan
October 7th, 2002, 07:30
New features:

(1) Improved F-12 & F-11:

Auto-sets a breakpoint on the EIP of the last F-11 or F-12 press that will return to Windows.

(2) F-2 becomes a "reverse TEST condition" that will take the jump if it originally was NOT taken.

(3) Support for:

DUMP [SIZE]

It will dump to c:\DUMPED.EXE (with Win32)

Kayaker
October 8th, 2002, 04:13
Hi

Thanks for the updated .dat file. I have a question for you though, on your site you have a jpg of a Softice screen, how did you manage to capture it? I've been playing with the idea of doing just that recently, just for the fun of it. The only possible solution I've found, other than taking a direct picture, is using a second computer and the SERIAL32 program to run Softice in a DOS box, then capturing the console window with the default Alt-PrintScreen which you can then paste into a paint program.

Instead, I thought about finding the SI screen in video memory and trying to dump/capture it directly. There are a couple of little known SI commands, CTRL-ALT-C and CTRL-ALT-arrowkeys which allow you to centre and move the Softice screen around your desktop. Since these must use the screen coordinates of the SI window, I thought the boundaries might be accessible from this code (which I haven't found yet anyway).

Your screen capture jpg looks a little off-centre, but I was just curious how you managed it at all. Also, in your .dat file why do you have such a large value for DRAWSIZE=2000000?

Kayaker

The +Jonathan
October 8th, 2002, 06:54
Thanks for asking such a good question. :) I strongly recommend you visit my "forum" and post that question there (below is the link). I WILL answer it ^_^


Visit My Forum (http://bbs.ysl.net/bbs/?MID=127014)

Snatch
October 8th, 2002, 07:11
I checked out the site and forum and all was cool, except the forum is in Chinese... very difficult for me to effectively navigate or post to it. Maybe you could provide us the answer here? I am also interested in taking screenshots practically, though Kayaker did have one possible way.

Snatch

Kayaker
October 8th, 2002, 07:25
Uhmm, OK thanks, but other than a bunch of edit boxes in what looks like a submit form of some kind and a bunch of smiley face icons, none of the text on your "forum" is recognizable in my browser (Chinese site?). I can't even tell what it says on the buttons. I see only one question there, posted by you, and even though it's in English, all it says is something about Mr. Jackson being fucking gay. To be honest, this doesn't give me a lot of confidence in posting a question there and whether this is a serious forum or a joke.

Is there any reason why you can't answer me here where others could read it and we could perhaps develop some ideas towards accessing Softice video memory or developing a screen capture utility?

Kayaker

The_Philosopher
October 8th, 2002, 08:40
This is a screen from TRW2000.

The_Philosopher

Kayaker
October 8th, 2002, 11:06
Quote:
Originally posted by The_Philosopher

This is a screen from TRW2000.

Doh, you're right. That's what I get for believing everything I read. So it's a fake Softice jpg but I guess the windows are similar enough to TRW for its purposes of demonstration. I suppose it was too difficult to just admit that up front when asked...

Guess we're back to square one Snatch

username
October 8th, 2002, 17:46
Quote:
Originally posted by Kayaker
Is there any reason why you can't answer me here where others could read it and we could perhaps develop some ideas towards accessing Softice video memory or developing a screen capture utility?

How about a 'grep -i video icedump/w9x/src/inc/' ? I can see several symbols that are probably pointing to the right direction. Maybe someone should volunteer for writing some script or plugin for IDA to import the icedump includes ;-). Just my 2 cents of course.

Kayaker
October 8th, 2002, 20:16
Hi, thanks for the input. I had definitely looked at cmd_screendump.asm as a starting point and figured line 61 was the clue:

call GetVideoMem ; get start of video memory

then follows the parsing routine for the various /screendump modes. I got hung up though on just how the defined value for oVideoMem was determined for each different version of Softice, or why modifying the linear address was necessary for some of the 3.x SI versions:

in util.asm
Code:

;------------------------------------------------------------
; eax: linear address of the video memory as used by winice
;------------------------------------------------------------
GetVideoMem:
        mov     eax,[oVideoMem]
        mov     eax,[eax]

%if WINICE_VERSION_MAJOR = 3
  %if WINICE_VERSION_MINOR = 22 || WINICE_VERSION_MINOR = 23 || WINICE_VERSION_MINOR = 24
        push    ebx
        mov     ebx,[oLinAddrPhysical_0_MAXPHYS]
        add     eax,[ebx]
        pop     ebx
  %endif
%else
%endif
;------------------------------------------------------

i.e. for 4.05.334e:

oVideoMem                   dd 0x0001D87B

for 3.24g:

oVideoMem                   dd 0x000115BB
oLinAddrPhysical_0_MAXPHYS  dd 0x000067CD


I thought the Mode 4 dump into an EPS formatted file would suffice to be able to convert it into a graphic, but initially the only conversion program I had tried was CorelDraw7 and all it gave was a gray background with the text of the filename and "Icedump EPS Export v1.0".

However, I just tried the same thing using PaintShopPro to convert the EPS file, and lo and behold, it worked perfectly! What can I say? Kudos ;-)

I'm still curious about that addressing though...

Regards,
Kayaker

Snatch
October 8th, 2002, 20:49
2 computers would still be a nice way to do it though. Can't believe I was fooled into thinking that was a Softice screenshot though. I never really thought much about how difficult a screenshot of a ring0 debugger would be, but it's an interesting challenge. I will take a look at the mentioned code, but this is sounding like a major project to me.

Snatch

username
October 9th, 2002, 10:50
Quote:
Originally posted by Kayaker
Hi, thanks for the input. I had definitely looked at cmd_screendump.asm as a starting point and figured line 61 was the clue:

call GetVideoMem ; get start of video memory

then follows the parsing routine for the various /screendump modes. I got hung up though on just how the defined value for oVideoMem was determined for each different version of Softice, or why modifying the linear address was necessary for some of the 3.x SI versions:

OK, I took a look at it too and what I think happens here is that callers of GetVideoMem expect a linear address for the video memory and for some reason certain 'old' versions of SoftICE require a different mechanism to compute it (if someone has those versions, he/she could verify this theory). In any case, since this code seems to work for icedump, it should work for you as well, IMHO ;-).
Quote:

I thought the Mode 4 dump into an EPS formatted file would suffice to be able to convert it into a graphic, but initially the only conversion program I had tried was CorelDraw7 and all it gave was a gray background with the text of the filename and "Icedump EPS Export v1.0".

However, I just tried the same thing using PaintShopPro to convert the EPS file, and lo and behold, it worked perfectly! What can I say? Kudos ;-)

It just occurred to me that you may have another 'easy' way to get graphics output. The thing is that, based on the /screendump code, we can safely assume that the SoftICE video memory (or at least the one accessed by /screendump) is in a very well known format, the one used back in the DOS world since the mono video cards came into existence (and I think every modern card still supports it). This mode is very simple: it stores two bytes per character (ASCII code/attributes such as color) in a linear array, so if you could find out the SoftICE font bitmaps (it must have them somewhere, or get them from the video BIOS/wherever) and the color encodings (the 24-bit RGB equivalents), then you could write a simple conversion routine for the raw dump.

Grepping for 'font' i see a few hints so that may be a good starting point and for the RGB values you could just 'invent' something 'close to what it looks in softice' at the beginning.

PS. Why on earth is the timeout for answering so short? You guys make one choose between the toilet and posting right away, as I had to learn the hard way :P.
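The conversion routine sketched in the post above, as an added example that is not part of the original thread and not icedump or SoftICE code: a Python converter that takes a raw text-mode dump (two bytes per cell, character code then attribute byte), splits each attribute into foreground/background using the standard 16-colour CGA/EGA palette, and rasterises the screen with an 8x16 bitmap font in the usual VGA ROM layout (256 glyphs of 16 bytes, MSB leftmost) supplied by the caller. The 80x25 screen and the font used in the demo functions are constructed here; SoftICE's real font bitmap, its real palette and the exact byte layout of a /screendump file are assumptions, the code only relies on the two-bytes-per-cell layout the post describes.

```python
"""Render a raw text-mode screen dump (char byte, attribute byte per cell) to a PPM.

Added example, not icedump or SoftICE code. Assumes an 80x25 colour text-mode
screen and an 8x16 bitmap font in VGA ROM layout (256 glyphs x 16 bytes).
"""
from __future__ import annotations

COLUMNS, ROWS = 80, 25
GLYPH_W, GLYPH_H = 8, 16

# Standard 16-colour CGA/EGA text palette as 24-bit RGB (assumed close to SoftICE's).
PALETTE = [bytes(c) for c in (
    (0x00, 0x00, 0x00), (0x00, 0x00, 0xAA), (0x00, 0xAA, 0x00), (0x00, 0xAA, 0xAA),
    (0xAA, 0x00, 0x00), (0xAA, 0x00, 0xAA), (0xAA, 0x55, 0x00), (0xAA, 0xAA, 0xAA),
    (0x55, 0x55, 0x55), (0x55, 0x55, 0xFF), (0x55, 0xFF, 0x55), (0x55, 0xFF, 0xFF),
    (0xFF, 0x55, 0x55), (0xFF, 0x55, 0xFF), (0xFF, 0xFF, 0x55), (0xFF, 0xFF, 0xFF),
)]


def decode_attribute(attr: int) -> tuple[int, int, bool]:
    """Split a text-mode attribute byte: bits 0-3 fg, bits 4-6 bg, bit 7 blink."""
    return attr & 0x0F, (attr >> 4) & 0x07, bool(attr & 0x80)


def parse_dump(raw: bytes, columns: int = COLUMNS, rows: int = ROWS):
    """Return rows of (char_code, attribute) cells from a raw video-memory dump."""
    need = columns * rows * 2
    if len(raw) < need:
        raise ValueError(f"dump too short: {len(raw)} bytes, need {need}")
    cells = []
    for r in range(rows):
        base = r * columns * 2
        cells.append([(raw[base + 2 * c], raw[base + 2 * c + 1]) for c in range(columns)])
    return cells


def screen_text(cells) -> list[str]:
    """Plain text per row, decoded as CP437 so box-drawing characters survive."""
    return [bytes(ch for ch, _ in row).decode("cp437").rstrip() for row in cells]


def render(cells, font: bytes) -> tuple[int, int, bytearray]:
    """Rasterise cells with an 8x16 font; returns (width, height, packed RGB pixels)."""
    if len(font) != 256 * GLYPH_H:
        raise ValueError("font must be 256 glyphs x 16 bytes")
    rows, columns = len(cells), len(cells[0])
    width, height = columns * GLYPH_W, rows * GLYPH_H
    pixels = bytearray(width * height * 3)
    for r, row in enumerate(cells):
        for c, (ch, attr) in enumerate(row):
            fg, bg, _blink = decode_attribute(attr)  # blink is ignored when rendering
            fg_rgb, bg_rgb = PALETTE[fg], PALETTE[bg]
            glyph = font[ch * GLYPH_H:(ch + 1) * GLYPH_H]
            for y in range(GLYPH_H):
                bits = glyph[y]
                py = r * GLYPH_H + y
                for x in range(GLYPH_W):
                    off = (py * width + c * GLYPH_W + x) * 3
                    pixels[off:off + 3] = fg_rgb if bits & (0x80 >> x) else bg_rgb
    return width, height, pixels


def to_ppm(width: int, height: int, pixels: bytearray) -> bytes:
    """Binary PPM (P6), readable by most paint programs and converters."""
    return b"P6 %d %d 255\n" % (width, height) + bytes(pixels)


def pixel_at(width: int, pixels: bytearray, x: int, y: int) -> tuple[int, int, int]:
    off = (y * width + x) * 3
    return tuple(pixels[off:off + 3])


# --- constructed demo data: not a real SoftICE dump, not SoftICE's font ---
def demo_font() -> bytes:
    """Constructed font: every glyph a solid 8x16 block, except space (0x20) is empty."""
    f = bytearray(b"\xFF" * 256 * GLYPH_H)
    f[0x20 * GLYPH_H:0x21 * GLYPH_H] = b"\x00" * GLYPH_H
    return bytes(f)


def demo_dump() -> bytes:
    """Constructed 80x25 screen: white-on-blue banner, light-grey-on-black body."""
    screen = bytearray()
    for ch in b"SoftICE screen (constructed sample)".ljust(COLUMNS):
        screen += bytes((ch, 0x1F))  # fg 15 (white), bg 1 (blue)
    for ch in b":d eax".ljust(COLUMNS):
        screen += bytes((ch, 0x07))  # fg 7 (light grey), bg 0 (black)
    for _ in range(ROWS - 2):
        for ch in b" " * COLUMNS:
            screen += bytes((ch, 0x07))
    return bytes(screen)


if __name__ == "__main__":
    w, h, px = render(parse_dump(demo_dump()), demo_font())
    with open("screen.ppm", "wb") as fh:
        fh.write(to_ppm(w, h, px))
```

To use it on a real capture, replace demo_dump() with the raw bytes of the dump and demo_font() with a 4096-byte 8x16 font (for instance a font extracted from a VGA BIOS, or SoftICE's own once located); screen_text() alone is enough if you only want the text back rather than a picture.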