
softice


jan
October 14th, 2003, 18:04
Hello
After working with win32dasm for a little while, I thought the moment was right to start with SoftICE.
But if I use the Symbol Loader there is always a message that says that there was an error during translation.
I also got the message that no debugging information was found.
In the winice.dat file I removed the ;'s.
My dat file is placed in winnt\system32\drivers (I also read that it is placed in the same directory as SoftICE?)
In SoftICE's dat file the paths to the drivers are written as: EXP=\SystemRoot\System32\ntoskrnl.exe (i.e.)

Is that the right path, if you read the above, or shall I specify the exact path?

Maybe someone can help me!

Greetings

Jan.

jojojo
October 14th, 2003, 18:18
Hi,

may I guide you here:

h**p://www.woodmann.net/forum/showthread.php?t=5043&highlight=modules

h**p://202.114.22.131/mirrors/www_litespeed_org/Siceinst.htm

Some more nice comments can be found by searching this forum, e.g. for 'winice.dat'.

You can ignore the "no debug info" message. Not many releases contain such debug information; it's ripped out after testing.

Good luck!

jojojo
October 14th, 2003, 18:39
hehe, I have to add one resource.. browse OZ COZ krobar's archive!!
URL see below!

On krobar's site: tutlist/s/SOFTICE STUFF... a number of tuts & guides.

Have fun!

naides
October 15th, 2003, 16:53
Quote:
[Originally Posted by jan]Hello
After working with win32dasm for a little while, I thought the moment was right to start with SoftICE.
But if I use the Symbol Loader there is always a message that says that there was an error during translation.
I also got the message that no debugging information was found.
In the winice.dat file I removed the ;'s.
My dat file is placed in winnt\system32\drivers (I also read that it is placed in the same directory as SoftICE?)
In SoftICE's dat file the paths to the drivers are written as: EXP=\SystemRoot\System32\ntoskrnl.exe (i.e.)

Is that the right path, if you read the above, or shall I specify the exact path?

Maybe someone can help me!

Greetings

Jan.


Do not worry about those warnings.
If you are doing reverse engineering, you usually DON'T have the application's symbol table (unless you wrote the application yourself and you are using Symbol Loader to debug it, which is the intended use of SICE in the first place).

Also, the target applications are compiled without debugging information once they are released to the public. That is the reason for the second warning message box. Just ignore them.

The symbols you do possess are the ones of the operating system API DLLs, which are pointed to by the EXP=SystemRoot\System32\ntoskrnl.exe kind of statements in winice.dat.

You NEED to change them to the ACTUAL addresses of the system DLLs, which in a typical WinXP system will be

EXP=c:\windows\System32\ntoskrnl.dll (this is the kernel dll) and so on

and for Win2000

EXP=c:\WINNT\System32\ntoskrnl.dll (this is the kernel dll) and so on.
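A small check for the winice.dat problem discussed in this thread, added here as an example and not code from any of the posters: it parses the EXP= lines, notes which ones are still commented out with ";", expands the \SystemRoot\ form into a concrete directory, and reports entries whose file does not exist. The sample dat content, the system root "c:\windows" and the file list used below are constructed for illustration.

```python
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample winice.dat fragment (not from the original post): one entry
# still commented out with ';', one using the \SystemRoot\ form, two explicit paths.
SAMPLE_WINICE_DAT = """\
; winice.dat (constructed sample)
INIT="X;"
EXP=\\SystemRoot\\System32\\ntoskrnl.exe
;EXP=\\SystemRoot\\System32\\hal.dll
EXP=c:\\windows\\System32\\kernel32.dll
EXP=c:\\windows\\System32\\user32.dll
"""

def parse_exp_entries(dat_text: str) -> List[Tuple[str, bool]]:
    """Return (path, enabled) for every EXP= line, including ';'-commented ones."""
    entries = []
    for raw in dat_text.splitlines():
        line = raw.strip()
        enabled = not line.startswith(";")
        body = line.lstrip("; ").strip()
        m = re.match(r"EXP=(.+)$", body, re.IGNORECASE)
        if m:
            entries.append((m.group(1).strip(), enabled))
    return entries

def resolve_path(path: str, system_root: str) -> str:
    """Expand the \\SystemRoot\\ prefix used in winice.dat into a real directory."""
    prefix = "\\systemroot\\"
    if path.lower().startswith(prefix):
        return system_root.rstrip("\\") + "\\" + path[len(prefix):]
    return path

def check_exp_entries(dat_text: str, system_root: str,
                      exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Classify entries as enabled+present ('ok'), enabled+missing, or disabled."""
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "disabled": []}
    for path, enabled in parse_exp_entries(dat_text):
        full = resolve_path(path, system_root)
        if not enabled:
            report["disabled"].append(full)
        elif exists(full):
            report["ok"].append(full)
        else:
            report["missing"].append(full)
    return report

if __name__ == "__main__":
    # On a real Windows box: read the actual winice.dat and use the real %SystemRoot%.
    root = os.environ.get("SystemRoot", "c:\\windows")
    print(check_exp_entries(SAMPLE_WINICE_DAT, root, os.path.exists))
```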

jan
October 17th, 2003, 15:56
Thanks jojojo/naides for the advice!

Working with SoftICE I tried the often-named command (bpx) "hmemcpy".
It won't work so far (unknown command).
Who's got an idea what I do wrong?

Greetings

Jan.

JMI
October 17th, 2003, 17:00
jan:

We have a tradition here, repeated all too often. One should endeavour to help themselves before they ask for help. One of the things you were supposed to do before you began to post is to read the FAQ. You will find a link at the bottom of the Forums. They will tell you what you should do before you post and how you should post. That's why the title of the Forum includes the statement: "Please use the search function to see if your question has already been answered."

Although your first question is borderline OK, it suggests that you did not search the forums for information on your topic BEFORE you asked. Your second question confirms that you essentially have done none of your own research and simply want someone else to do that basic work for you.

To put it directly, did you perhaps use the search function, found at the top of each page, and enter "hmemcpy"? Had you done so you would have found all the information you would need to answer the question yourself. That answer is that "hmemcpy" does not exist in NT-based systems and you will not find it in Win2K or XP. Other breakpoints are necessary in those systems and you will find the discussions there.

My purpose here is not to be too hard on you, but to point out that there is already a great deal of information available to you here, which we shouldn't have to repeat simply because you do not take the time to look FIRST. Learning to use SoftICE, especially with WinXP, takes some study and effort. Use the resources here to acquaint yourself with its operation in that context. You can use the search function and review the Tools of the Trade Forum where those subjects are generally found. AFTER you have studied on your own and reach a problem you searched for but did not find, THEN ask for help, indicating you did search but didn't find the answer.

Regards.