View Full Version : GetWindowTexta and GetDLGItemTextA don't work!


Cumulous
January 30th, 2004, 20:04
Using SoftICE on an XP machine - I have yet to see a bpx on GetWindowTextA and GetDlgItemTextA work!

I'm trying various crackmes - and even when the solution indicates that one of them should do it, it doesn't!

I can't even use Hmemcpy - since XP doesn't support it, so I'm finding a whole lot of tutorials that I can't do anything with.

Can anyone tell me why I'm having this problem and how to solve it?

Thanks!

JMI
January 30th, 2004, 20:10
Here's one consideration. With the new SI versions, the breakpoints are context sensitive, meaning they only work in the context in which they are set.

Do what you probably should have done first, which is to use the search button at the top of the forums and try with "softice and breakpoints" and you should find a lot of discussion of these issues. Particular attention should be paid to the discussion in the one titled "DriverStudio 3.0 BreakPoints."

I don't recall reading any suggestion that those specific APIs don't work on XP, so it is more likely that you are not getting them set in the correct context to break.

Regards,

dELTA
January 30th, 2004, 20:47
Many applications (e.g. Delphi applications and others) don't use these APIs at all though, but when the crackme solution mentions it, it is of course most likely something else wrong too.

Cumulous
January 31st, 2004, 12:27
Quote:
[Originally Posted by JMI]
Do what you probably should have done first, which is to use the search button at the top of the forums and try with "softice and breakpoints" and you should find a lot of discussion of these issues.
Regards,

JMI, thank you for your suggestion - but you should not assume. As it happens, I *did* do a search - several, in fact. But I never did that particular search, as it seemed too generic.

So, while I appreciate the help, I don't appreciate the condescension.

JMI
January 31st, 2004, 14:13
Cumulous:

Perhaps you failed to notice the phrase included the word "probably" with "should have done first" because you did not indicate that you had searched for the answer and I could not determine whether or not you had already done so. Perhaps you also failed to notice that encouraging people to search before they ask questions is what I do and "condescension" has nothing to do with it.

Had I wished to be "condescending," I could merely have told you that the answer is available by searching this forum. Instead, I gave you the answer to your question, not only by helping with search terms, but with a specific thread which I believed would answer your question. The "object lesson" regarding searching was intended for a wider audience.

I simply do not have the time or energy to engage in ego evaluative analysis of posters or to attempt qualitative ratings of their skill set versus my own skills or lack thereof. I do tend to encourage everyone to try to help themselves before asking for help. And I have found that, more often than not, the more "generic" the search terms, the greater the probability of success.

Regards,

dee
January 31st, 2004, 16:03
Hi,

Well, I see this discussion - like many others - is more about how to search or read the FAQ, but not how to solve the problem.

I had the same problems with 3.0 in the past too. The problem is that you must specify the program you are debugging, only then breakpoints will work. This was not acceptable to me - so I'm using 2.7 and it works OK - just like I want.

Regards

JMI
January 31st, 2004, 16:18
dee:

If you have read the thread I identified for Cumulous you will discover that saying "The problem is that you must specify the program you are debugging, only then breakpoints will work" is the same thing as saying "the breakpoints are context sensitive, meaning they only work in the context in which they are set."

This is explained in detail in the thread I identified and it describes how to accomplish setting the "context." So your suggestion that the answer given was "not about how to solve the problem" is simply incorrect.

Regards,

evaluator
February 1st, 2004, 04:37
ok, here is "Z-Method" for breaking SICE anywhere:

YOU must do debugger's work by your hands, e.g.
1. go to specified address(where you need BP)

1a. if this address is NOT in memory(you see> ????),
then load it with SICE command > PAGEIN

2. execute in SICE command > BPINT3

3. now write down (or remember) first byte of instruction,
then change (in memory) this instruction to CC(hex) & go..

4. IF this command is executed, then SICE will break;
here restore your original byte in instruction & press F8 once;

4a. IF you again want break here, put again CC..
(& on finish always restore all original bytes)

x. such like CC can break also in other processes;
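
The bookkeeping behind the manual procedure in the post above (save the first byte, write CC, restore on a hit, restore everything at the end), as an added example that is not part of the original thread. It operates on a constructed byte buffer rather than live process memory; the function names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define INT3   0xCC   /* one-byte x86 breakpoint opcode */
#define MAX_BP 8

/* One entry per patched address (illustrative names, not a SoftICE API). */
struct bp { size_t addr; uint8_t orig; int armed; int used; };
static struct bp table[MAX_BP];

static struct bp *bp_find(size_t addr) {
    for (int i = 0; i < MAX_BP; i++)
        if (table[i].used && table[i].addr == addr) return &table[i];
    return NULL;
}

/* Step 3: remember the first byte, then write CC. Setting the same address
   twice must not save CC as the "original" byte. Returns 0 on success. */
int bp_set(uint8_t *mem, size_t len, size_t addr) {
    if (addr >= len) return -1;
    struct bp *b = bp_find(addr);
    if (b) { mem[addr] = INT3; b->armed = 1; return 0; }   /* step 4a: re-arm */
    for (int i = 0; i < MAX_BP; i++)
        if (!table[i].used) {
            table[i] = (struct bp){ addr, mem[addr], 1, 1 };
            mem[addr] = INT3;
            return 0;
        }
    return -1;                                             /* table full */
}

/* Step 4: on a break, put the original byte back so the instruction can run.
   Returns -1 for a CC that this table did not place. */
int bp_hit(uint8_t *mem, size_t addr) {
    struct bp *b = bp_find(addr);
    if (!b || !b->armed) return -1;
    mem[addr] = b->orig;
    b->armed = 0;
    return 0;
}

/* On finish: restore every original byte; returns how many were still armed. */
int bp_clear_all(uint8_t *mem) {
    int n = 0;
    for (int i = 0; i < MAX_BP; i++) {
        if (table[i].used && table[i].armed) { mem[table[i].addr] = table[i].orig; n++; }
        table[i].used = 0;
    }
    return n;
}

int main(void) {
    uint8_t code[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 }; /* constructed bytes */
    bp_set(code, sizeof code, 3);    /* code[3] becomes CC */
    bp_hit(code, 3);                 /* code[3] is 33 again */
    return bp_clear_all(code);       /* 0: nothing left armed */
}
```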

dELTA
February 1st, 2004, 08:19
Eval, I guess the problem is that you have to be in the correct context to be able to set that int3 at the correct place (the same virtual address can be mapped to different places in different processes, as you know), so it seems to me that it is the exact same problem anyway?

JMI
February 1st, 2004, 14:27
Seems that DriverStudio 3.1 has escaped into the wild. Maybe there will be some improvement with the new Softice version. Anyone "tested" it yet?

Regards,

nikolatesla20
February 1st, 2004, 15:40
I don't know why you guys are arguing about the context thing. ONLY BPMS are context sensitive. BPX's are not. BPXs are global. At least in DS 2.7. Why bother using 3.0 anyway, I say good choice going back to 2.7. (Which means you can also get my patches to hide it which saves you time too)


Cumulous, if you go into SoftICE and do a "U GetDialogItemTextA", does any code show up in the code window, and does it say GetDialogItemTextA at the code block that does show up?

If not - if all you see is some random code, the solution is to get the XP SYMBOLS WHICH NO ONE AROUND HERE seems to LISTEN. If you search this board about "SoftICE not breaking" you will find information which I've posted over and over, that you need to get the XP debug symbols from Microsoft and tell SoftICE to use them, and all will be well. The reason I am so animate about this is that on EVERY system I've done this on, it's fixed all those weird SoftICE not breaking issues completely. You need to get the symbols for ntoskrnl, otherwise SoftICE doesn't know where to hook into the kernel at load time, in order to install its break handlers correctly.

Oh, and it never hurts to double check that you are loading USER32.dll exports into SoftICE as well...

-nt20

sLayer
February 20th, 2004, 03:03
I don't use SoftICE that much as I'm also using XP.

But here is a solution.
Go to WINDOWS\SYSTEM32\DRIVERS
then go to winice.dat.
DON'T FORGET TO MAKE A BACKUP COPY.

Now open it in Notepad and scroll to the bottom
there u will see some crap starting with ":"
just delete it.
Now save and run SoftICE, hopefully it will break.

Laterz

evaluator
February 20th, 2004, 04:51
sLayer!

can you post those magic lines from your backed-up 'winice.dat'?
because in my 'winice.dat' I found nothing with ":"

JMI
February 20th, 2004, 13:27
Eval:

You KNOW that was a "typing" error and he meant ";".

Regards,

evaluator
February 20th, 2004, 16:23
JMI, you again..

I'm waiting for answer from sLayer!
OK, sLayer!?

sLayer
February 22nd, 2004, 14:06
Open winice.dat in Notepad and scroll down until u see these lines

; EXP=\SystemRoot\System32\hal.dll

Just delete all the ";"s

Laterz

Aimless
February 23rd, 2004, 02:22
I think that you need to understand the "principle" behind the tutorial rather than trying to crack it step by step. The author, for all you know, could be working on Win95 with SI 3.22.

Have Phun

hackermasteryX
August 12th, 2009, 22:27
Quote:
[Originally Posted by Cumulous;32596]Using SoftICE on an XP machine - I have yet to see a bpx on GetWindowTextA and GetDlgItemTextA work!

I'm trying various crackmes - and even when the solution indicates that one of them should do it, it doesn't!

I can't even use Hmemcpy - since XP doesn't support it, so I'm finding a whole lot of tutorials that I can't do anything with.

Can anyone tell me why I'm having this problem and how to solve it?

Thanks!


You're right. Even Hmemcpy doesn't work
Especially when I registered SICE with
CODE ON; FAULTS OFF; I3HERE OFF; WD 3; WF; X;,
My computer crashes.

D-Jester
August 12th, 2009, 23:48
Quote:
[Originally Posted by hackermasteryX;82381]You're right. Even Hmemcpy doesn't work
Especially when I registered SICE with
CODE ON; FAULTS OFF; I3HERE OFF; WD 3; WF; X;,
My computer crashes.


HMEMCPY was discontinued, beginning with Windows XP.

Unless you are running 9x/Me/2000

http://support.microsoft.com/kb/129947

JMI
August 13th, 2009, 00:10
And hackermasteryX:

Did you pay ANY attention to the DATE of the information contained in the previous posts in this Thread? All but the two previous posts are from 2004! I may be mistaken, but I believe there have been some significant changes in the software and the functionality of some of the debuggers as a result!

Of course, I'm so old, I may just be forgetting my history.

Regards,

hackermasteryX
August 16th, 2009, 21:04
Does it mean that it's impossible to "reverse" new application?

P.S. BEST WORD:CRACK, just joking

D-Jester
August 16th, 2009, 23:03

face + palm