
Print without the symbol loader


thalos
November 20th, 2003, 15:43
lol

I want to print without using the symbol loader and without the Print Screen key.

I want to print without breaking my debugging session: print the history file, then continue tracing immediately and write my comments on the paper.

I have tried the prn command but nothing happened. What is this command for?

This is what I do:
1/ cls
2/ U address L FF
3/ wish to print the unassembled text
4/ Trace F8 F10
5/ And start again to print if I need something

Does somebody have the solution? Thanks

naides
November 20th, 2003, 22:12
Maybe this tutorial can give you some inspiration:

http://www.anticrack.de/modules.php?op=modload&name=News&file=article&sid=1865

It allows you to get the trace history disassembly in printable form.

The backtrace buffer disassembler that Kayaker posted 12/18 months ago is another alternative.

Kayaker
November 21st, 2003, 00:15
Quote:
[Originally Posted by naides]Maybe this tutorial can give you some inspiration:

http://www.anticrack.de/modules.php?op=modload&name=News&file=article&sid=1865

It allows you to get the trace history disassembly in printable form.

The backtrace buffer disassembler that Kayaker posted 12/18 months ago is another alternative.


Heheh, we'll be sending you your well deserved advertising royalties cheque soon Naides :-)

Re the PrintScreen, I'm not sure if I ever got that to work myself (or tried too hard), maybe it only works with certain keyboards/luck. The other option might be to maximize the SI code window by toggling off the data/register windows (wd, wr), unassemble the code you want, then /SCREENDUMP (Icedump) or !DUMPSCREEN (IceExt) to a text file. Now you still want to access that from your hard drive without breaking from SI, but you can always suspend execution by inserting the bytes EBFE at the current eip (or by typing in the command window):
a eip
jmp eip

Now you should be able to open the screendump text file, print it if you want, then CTRL-D back to SI, replace the EBFE bytes you changed and resume execution. A bit of a pain, but...


If no one minds a slight sidetrack.. this is sort of within the realms of what the old Tracedump can still do in Win2k (maybe XP), and I'm wondering if there might be any interest in this capability. There are so many good RE tools around now, it seems, with disassembler functions built in and such, and there are always other ways of doing the same thing. I don't really use 'tools' per se other than my own or Softice/IDA, so I don't really know if this might be unique enough to be useful to anyone else.

The Win9x app whose memory Naides kindly keeps alive is Tracedump, meant to work interactively with the Softice Backtrace command, written with the help of Clandestiny. I still use it in Win2K (without the vxd and backtrace feature) as a loader/disassembler/cum dumper. What it *can* still do is much as I described above - you can suspend execution at any time (from SI) with the 'jmp eip' trick and *disassemble* any section of user/kernel code into a listview for closer analysis / jump/call tracing / import listing / saving to text.

A side benefit to this is that you can halt encryption/decryption sequences and get a printout of the code as it exists before it might be overwritten later. Unfortunately, the full deobfuscation of SMC code that the *Backtrace* feature of SI provided in Win9x is of course missing in Win2K without the funky BPR command.


So what I'm trying to say is - is there another app/trick capable of
- tracing in SI as usual
- suspending execution at any time (jmp eip), and then
- having a disassembler dll/listview/save function available to disassemble, in context, user or system code?
- then return to SI and continue execution, repeat as required

Note that once an app is loaded, a button click will break SI in the dll (I1HERE ON required), which is also in the context of the app itself so new breakpoints/memory changes etc. will always be made in the correct context. I also use it to dump memory for PE rebuilding, but IceExt or LordPE could be used for that, my implementation is pretty basic at the moment.

Again, there's nothing particularly remarkable about Tracedump without the old Backtrace feature, other than that you can jump from ring0 -> ring3 and disassemble live code in a suspended state. Does this sound useful at all? If there doesn't *seem* to be a similar feature around, I might press on and work with the code again. If not, I'll go back to playing UnReal...

Regards,
Kayaker
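The 'jmp eip' freeze Kayaker describes above is the two-byte short jump EB FE: a jmp rel8 whose displacement (-2) points back at its own first byte, so the thread spins in place until the original bytes are put back. The following is an added example, not code from the thread or from Tracedump, that models the trick on an in-memory copy of some code rather than a live process: it saves the two displaced bytes, writes EB FE, decodes the short jump to confirm it targets itself, and restores the original bytes afterwards. The sample instruction bytes and the offset chosen as "eip" are constructed for the demo.

```c
/* Added example: the EB FE "jmp eip" freeze, applied to a byte buffer.
 * Not part of the original thread; the sample code bytes are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* jmp rel8 with rel8 = -2: target = (eip + 2) - 2 = eip, i.e. a self-loop. */
const uint8_t FREEZE[2] = {0xEB, 0xFE};

/* Overwrite the two bytes at eip with EB FE, saving what was there.
 * Returns 0 on success, -1 if the patch would run past the buffer. */
int install_freeze(uint8_t *code, size_t len, size_t eip, uint8_t saved[2]) {
    if (len < 2 || eip > len - 2) return -1;
    memcpy(saved, code + eip, 2);
    memcpy(code + eip, FREEZE, 2);
    return 0;
}

/* Put the saved bytes back. Refuses if EB FE is no longer there (the
 * code was already restored, or something else rewrote it). */
int restore_freeze(uint8_t *code, size_t len, size_t eip, const uint8_t saved[2]) {
    if (len < 2 || eip > len - 2) return -1;
    if (memcmp(code + eip, FREEZE, 2) != 0) return -1;
    memcpy(code + eip, saved, 2);
    return 0;
}

/* Decode a short jump at eip: target = next instruction + sign-extended rel8.
 * Returns -1 if the opcode at eip is not EB. */
long short_jmp_target(const uint8_t *code, size_t len, size_t eip) {
    if (len < 2 || eip > len - 2 || code[eip] != 0xEB) return -1;
    return (long)(eip + 2) + (int8_t)code[eip + 1];
}

/* True when the instruction at eip jumps to itself, i.e. the freeze is live. */
int is_frozen(const uint8_t *code, size_t len, size_t eip) {
    return short_jmp_target(code, len, eip) == (long)eip;
}

/* Walk through the whole suspend/resume cycle on constructed bytes:
 * push ebp; mov ebp,esp; mov eax,1; pop ebp; ret. Returns 0 on success,
 * a nonzero step number on the first failed check. */
int freeze_demo(void) {
    uint8_t code[] = {0x55, 0x89, 0xE5, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5D, 0xC3};
    uint8_t saved[2];
    size_t eip = 3;                       /* pretend SI stopped on mov eax,1 */

    if (install_freeze(code, sizeof code, eip, saved) != 0) return 1;
    if (saved[0] != 0xB8 || saved[1] != 0x01) return 2;
    if (!is_frozen(code, sizeof code, eip)) return 3;
    /* ...here the debugger user opens and prints the screendump... */
    if (restore_freeze(code, sizeof code, eip, saved) != 0) return 4;
    if (code[3] != 0xB8 || code[4] != 0x01) return 5;
    if (restore_freeze(code, sizeof code, eip, saved) != -1) return 6; /* double restore rejected */
    if (install_freeze(code, sizeof code, 9, saved) != -1) return 7;   /* patch past end rejected */
    return 0;
}

int main(void) {
    int rc = freeze_demo();
    printf("freeze demo: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Two caveats the model makes visible: the patch always displaces exactly two bytes regardless of the length of the instruction under eip, so the saved copy is what makes resumption safe, and restoring must be done at the same address with the same two bytes, which is why restore_freeze checks that EB FE is still present before writing.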

Aimless
November 21st, 2003, 01:17
Recommended: not possible.

Unless:

1. You have a printer attached on LPT1:
2. You have good knowledge of writing VXDs
3. You have good knowledge of internals of ICE.

I always use the SoftICE loader to print.

Or am I missing something....?

Have Phun

naides
November 21st, 2003, 01:57
TraceDump, I suck as an Advertiser if I can't even remember the Catchy Name of the Product!!!

In Win98 this tool can save quite a bit of live tracing, if one gets the hang of it.

Two comments questions for Thalos:

Why don't you want to use the Symbol Loader, and why do you need to do this while the Sice window is still up?

While Sice has control, the computer has rather limited capabilities for printing, formatting, saving files, etc. It has the feel of an old DOS machine: no multitasking.

Perhaps (I have not tried this, just read about it), if you have two computers in a network and use Visual SoftIce, Compuware claims that the client on the debugger computer runs in a GUI, full Windows environment, with all the bells, lights and whistles that we have become spoiled by. The program you are tracing will be on the server, on a different machine. At least it is worth taking a look.

thalos
November 21st, 2003, 17:49
Tracedump is a good tool. Thanks to Kayaker and Clandestiny.
This tool does what I want: suspending execution, returning and continuing execution. But in between, Tracedump can't print its dump.
I hope this is a constructive suggestion for this tool. (If I can help... translate this tool? At my low level, I'm not a coder.)

To answer Aimless and Naides:

What I do most of the time:
1/ bpx hmemcpy
1.1/ F12, bd hmemcpy
2/ Search for the heart of the "bad boy" call
(easy if it is a messagebox)
2.1/ Use "ws" between hmemcpy and the heart of the "bad boy" call
2.2/ Print the path, a kind of "call flow" (I have read the link, Naides, thanks), with the symbol loader of course. I try to print only the code which has been traced. Here I waste time cutting the text.
3/ be hmemcpy + F12
4/ Begin to trace as soon as I see a kind of push; push; push containing my name, the false code, and a call
4.1/ I enter this call (a bpr is quicker for reaching this kind of call); put a bpx on this call, bd this call
4.2/ Print this call until I reach its ret by using the Symbol Loader. I try to do something properly; that is why I don't like the screen dump much, a lot of lines will be missing.
5/ be the call
Most of the time I will enter a second, a third... call, and I will print each to understand what my parameters will become (a call to uppercase, a call to calculate the length of the false serial, a call to calculate the length of my name, a call to encrypt the false serial, a call where the comparison is really done, a call to verify).
Waste, waste, waste some time cutting the text and printing instead of analysing and understanding.
If the code is short to analyse I will find the solution; in the second case, Thalos = KO...


Comments:

Printing and writing my comments is really a problem for me. Moreover, I don't like disassemblers like W32Dasm or IDA. Why? Because in a dead listing, if I make a mistake in my analysis I see nothing (but I can print and comment); with Softice, if I make a mistake I see it, because Softice is a better calculator than me (but I can't print and comment, argggh!!!!!).
Finally I feel totally stupid, especially when I hear crackers who say that they crack in a few minutes.

Kayaker
November 21st, 2003, 19:48
Hi Thalos,

I'm glad you found Tracedump of some use, the hardest part was trying to make its operation and interface somewhat understandable. The underlying problem was that I don't think many people really used the normal Backtrace feature of SI much, mostly because it was a pain to analyze in the SI window.

This of course was the concept behind our app - to be able to output a hard copy of the backtrace buffer disassembly, but I always joked to Clandestiny that it was a monster that kept growing, as we played with new ideas and added features. It was simply a pet project we used to learn ASM coding, and neither of us mind any comments, constructive or otherwise.

Re the printing, uh, no, I never added that because I figured saving to a text file/binary dump was good enough? That part works OK for you? OK, so I didn't mention you need Notepad as well.. ;-)


By 'translate' the tool did you mean to add some feature like the printing, or in the language sense? I would think the source code is available to anyone who wants it, I've always been a fan of open source and if someone can learn something from it I think that would be great. Except for this app I've always provided source, because I've always appreciated it when other people do the same, that's how we learn.

The main reason I didn't release the source originally was out of respect for Iczelion (I reversed and made use of his Iczdump loader code, but I knew he himself wasn't releasing it, from a request someone once made to him), and for Tsehp, who helped me with the NASM disassembler C code, also used in Revirgin, and asked that I not release it. I credited both of them and more than admire their work. (Thx to SV also - I reversed *his* reversal of Iczdump too.)

Except for Clandestiny's vxd code, little of the huge amount of code is particularly innovative, mind you, and most of the basic ideas can be gleaned from the Win32asm forum or a bit of reversing. The most interesting part was the discoveries made in the dark codewoods of Softice, but it helps to be a bit crazy to go in there ;-)

Cheers,
Kayaker

thalos
November 22nd, 2003, 09:29
By translate I mean translate into another language. I don't have the level to add the printing function.

I think I need 4 years to really understand cracking, plus
2 years to begin writing any ASM programs inside Softice.
Bye