conditional breakpoints


fg-eal
April 19th, 2003, 04:48
Is it possible with SoftICE or another tool to set a conditional breakpoint on the data within the current instruction, as in *(eip)? So I'd like to say break on a CMPXCHG, etc., or something else which exists in a few thousand possible places within the execution path. Is placing int3s at each instruction my only option? Because that will get messy.

thanks!

Kayaker
April 21st, 2003, 14:45
Hi

Yes, you should be able to. In a recent thread on conditional breakpoints in 16-bit apps we found it was a problem, but in regular 32-bit code you can set these opcode-type breakpoints. As an example, say you wanted to break over the range of a program whenever you got the opcodes which define the start of a regular call:

8BEC MOV EBP, ESP
83ECxx SUB ESP, xx

A conditional breakpoint which should break each time this code is used is:

BPRW <modulename> R if *eip == EC83EC8Bh

Note the reversed dword.

Apply it to your own situation and you should be able to do what you want, hope this helps.

Kayaker

See Using SoftICE.pdf chapter 6 for more on conditional breakpoints.
BPRW may fail on some AMD processors.
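Kayaker's opcode-match breakpoint, worked through as an added example (not code from the thread): it builds the SoftICE condition from the opcode bytes as they appear in a disassembly, and checks offline which EIP values would trigger it on a constructed code buffer. It assumes SoftICE reads *eip as a little-endian dword and that its expression evaluator accepts a C-style & for the masked, shorter-than-dword form; the thread shows only the 4-byte form.

```python
"""Added example, not code from the thread: build the SoftICE 'if' condition for
an opcode-pattern breakpoint and simulate where it would fire."""


def softice_condition(pattern: bytes) -> str:
    """Return the condition comparing *eip with a 1..4 byte opcode pattern.

    The pattern is written as it appears in a disassembly (8B EC 83 EC). The
    constant comes out byte-reversed because *eip is read as a little-endian
    dword, which is the 'reversed dword' noted in the thread.
    """
    if not 1 <= len(pattern) <= 4:
        raise ValueError("pattern must be 1 to 4 bytes")
    value = int.from_bytes(pattern.ljust(4, b"\x00"), "little")
    if len(pattern) == 4:
        return f"*eip == {value:08X}h"
    # Shorter pattern: only the low bytes of the dword hold the opcodes, so the
    # rest is masked off (assumed SoftICE syntax; the thread shows only 4-byte form).
    mask = (1 << (8 * len(pattern))) - 1
    return f"(*eip & {mask:08X}h) == {value:08X}h"


def matching_addresses(code: bytes, base: int, pattern: bytes) -> list:
    """Simulate the breakpoint: addresses where the bytes at EIP start with pattern."""
    n = len(pattern)
    return [base + i for i in range(len(code) - n + 1) if code[i:i + n] == pattern]


# Constructed sample buffer (not a real program): two MOV EBP,ESP / SUB ESP,xx
# prologs and one LOCK CMPXCHG [ecx],edx, padded with NOPs.
PROLOG = bytes.fromhex("8BEC83EC")   # MOV EBP,ESP ; SUB ESP,xx (xx follows)
CMPXCHG = bytes.fromhex("0FB1")      # CMPXCHG r/m32,r32 (ModRM byte follows)
SAMPLE_CODE = (b"\x55" + PROLOG + b"\x10" + b"\x90" * 3
               + b"\xF0" + CMPXCHG + b"\x11" + b"\x90" * 2
               + b"\x55" + PROLOG + b"\x40" + b"\xC3")
BASE = 0x00401000

if __name__ == "__main__":
    for name, pat in (("prolog", PROLOG), ("cmpxchg", CMPXCHG)):
        print(f"BPRW <modulename> R if {softice_condition(pat)}")
        hits = ", ".join(f"{a:08X}" for a in matching_addresses(SAMPLE_CODE, BASE, pat))
        print(f"  {name} would break at: {hits}")
```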

JMI
April 21st, 2003, 17:26
A truly great article on this subject is titled:

Rhayader's SoftICE conditional breakpoints

You could put that into Google, or your favorite search engine, and find many copies around. There is also one on the Fravia site here, but there may be some problems there at the moment.
Just gave it a test and this one works:

hxxp://www.woodmann.net/fravia/rhayader.htm <-- change "hxxp" to "http".

Everyone who uses SoftICE should read this article and try its techniques.

Regards.

fg-eal
June 1st, 2003, 05:46
Hello again,

I had previously read Rhayader's tutorial, but thanks for your replies. Do you know of a manner of doing this with NTICE, or any way under NT5?

Aimless
June 4th, 2003, 00:07
BPR(x) commands no longer work in anything above Windows 98 (especially systems with NT as the base; that includes NT4, 2K Pro, 2K Server, XP Home, XP Pro and 2003 Server).

As of yet, there is no known way to perform the actions that you require with SoftICE on NT-based systems.

You will have to put an INT 03 (messy, but no choice) either physically or in memory.

A better (depending on your requirements) idea would be to:

1. Download Ollydbg
2. Trace and log the traces (do not trace system calls! Turn on the option to jump over system calls in the Ollydbg -> Options menu)
3. Save the log file on the hard disk (it's a simple text file)
4. Use findstr.exe (since you are using NT-based systems) to get the lines which contain your instructions.

To do it in SoftICE you would have to:

1. Increase the buffer size in winice.dat
2. Close the Code window
3. Trace or P-trace manually (the code, as it executes, is automatically put in the command window)
4. Save the command window to a log file using the SoftICE loader
5. Use findstr.exe on it again.

Alternatively,

You may also use Microsoft WinDbg to perform the same actions...

Bottom line is, NT-based systems are not that easy to reverse-engineer with SoftICE. Let's see what NuMega does next...

Have Phun

dELTA
June 4th, 2003, 06:12
Driver Studio 3.0 is currently in beta testing. Does anyone know if it's got any of the long awaited features to bring it closer to Win9x power, like that one for example?


dELTA

Paul333
June 6th, 2003, 18:30
Quote:
Originally posted by JMI
A truly great article on this subject is titled:

Rhayader's SoftICE conditional breakpoints

hxxp://www.woodmann.net/fravia/rhayader.htm <-- change "hxxp" to "http".

Everyone who uses SoftICE should read this article and try its techniques.

Regards.


JMI, there's no need to change the hxxp to http. It's just a straight copy and paste, as the browser will change it automatically.

At least IE 5 and over does.

paul333

the_analyst
June 8th, 2003, 07:36
Quote:
Originally posted by dELTA
Driver Studio 3.0 is currently in beta testing. Does anyone know if it's got any of the long awaited features to bring it closer to Win9x power, like that one for example?


dELTA


Hello,

Actually, DS 3 won't offer BPM on 2K/XP systems.
Though there are some nice features in it.
XP is well supported now as well.

Enjoy.

Analyst