
Setting up IDA for analysing Softice functions


Kayaker
November 7th, 2004, 22:57
Hi All,

A lot can be learned about low level system operation from reversing Softice itself. While it is possible to trace live certain sections of Softice code, the more useful analysis is through IDA. Since questions seem to come up all the time which could be clarified by examining SICE code, I decided to write a small introduction to setting up IDA for analysing Softice.


Step 1, as always, is to make use of the invaluable resource provided by The Owl, in the form of IDB files and Softice headers produced while developing Icedump. The package is one I put together to preserve the info and Yates was kind enough to host it.

NTICE and WINICE IDB Files by the_owl (IDB)
http://woodmann.net/yates/ida/softice_idb.zip

There is also a script by Toteu that may be useful:
Icedump inc parsing scripts (IDC)
http://woodmann.net/yates/ida/ice_script.zip


To begin with, you should update the IDA disassembly of Softice to your latest version. I will explain how to set up what I term the CommandIndex, a call table of all the Softice command function addresses. To properly identify each function, you can use a corresponding ascii table, the NameIndex.

These tables have been consistent since early SICE versions; you can usually find them by locating some *known* function by examining SICE messages ("I1HERE is ON" for example), then tracing backwards until you find a long list of pointers. In Win9x they were easy to find by tracing the BCHK interface. The simplest method now is probably to search for the ascii message
'A General Protection Violation has occurred'
the CommandIndex table follows immediately, and the NameIndex follows thereafter. Addresses are from DriverStudio 3.1:

Code:

.data:00111061 aAGeneralProtec db 'A General Protection Violation has occurred',0
.data:0011108D CommandIndex dd offset sub_69F81 ; DATA XREF: sub_68326+2C9r
.data:00111091 dd offset sub_5F0F7 ; Altscr
.data:00111095 dd offset sub_A2D5E ; Be
...

.data:00111381 21 00 NameIndex db '!',0 ; DATA XREF: sub_6864B+5o
.data:00111383 AA db 0AAh ; ¬
.data:00111384 2E 00 a__1 db '.',0
.data:00111386 38 db 38h ; 8
.data:00111387 3F 00 a?_3 db '?',0
.data:00111389 30 db 30h ; 0
...


Each ascii string in the NameIndex is followed by an index value which references the correct function address in the CommandIndex. New versions of Softice add new functions to the end of each table.


Parsing the NameIndex:
----------------------
As an example of parsing the NameIndex to identify the correct CommandIndex function address, let's take the PHYS command. When you enter a command in the Softice window it eventually gets called indirectly in the form:

call CommandIndex[eax*4]

where eax is the corresponding NameIndex index value. You may also see it as:

shl eax, 2
call ds:CommandIndex[eax]


Now search in the NameIndex for the command you want to identify, extract the index value, in this case 76h, and plug it into the call equation:

.data:00111648 50 48 59 53 00 aPhys db 'PHYS',0
.data:0011164D 76 db 76h ; v

CALL CommandIndex[eax*4]
or by address
CALL 0011108D[eax*4]

0011108D + (76h*4) =
0011108D + 1D8h =
00111265

00111265 is now the correct CommandIndex address which identifies the PHYS function:
.data:00111265 31 80 01 00 dd offset c_Phys
----------------------


crUsAdEr came up with a very nice IDA script for automating this. I'll take the liberty of posting it here from a PM we had, he can add any comments he may have.

Code:

// Walks the NameIndex (NameTable) and names each CommandIndex (CommandTable)
// entry "c_<name>" after the command string that references it.
static CmdTable(NameTable, CommandTable) {
    auto i, j;
    auto CmdIndex, CmdName;
    i = NameTable;                      // start of the current ascii name
    j = NameTable;
    while ( Word(i) != 0 ) {            // a zero word marks the end of the table
        while ( Byte(j) != 0 ) j++;     // find the terminating NUL of the name
        j++;
        MakeStr(i, j);                  // define the ascii string in IDA
        CmdName = "c_" + substr(Name(i), 1, j - i);   // e.g. "aPhys" -> "c_Phys"
        CmdIndex = Byte(j) * 4;         // index byte after the string, scaled as CommandIndex[eax*4]
        MakeName( Dword(CommandTable + CmdIndex), CmdName );   // name the function the slot points to
        j++;                            // skip the index byte
        i = j;                          // next entry
    }
}

with idc command
CmdTable(0x111381, 0x11108d);
on DS3.1


Now that you have all the Softice functions named, you can go back to The Owl's IDB files and start filling in the missing pieces, updating your new IDA disassembly. Many of the functions are identical or similar enough that you can start naming some of the global variables and subfunctions that he identified. Do a few of these and you can begin to "read" the disassembly code. It's about here that the little lightbulb above your head goes on ;-)

Regards,
Kayaker

dELTA
November 8th, 2004, 06:24
Cool, high quality stuff as usual, thanks Kayaker!

SynApsus
November 8th, 2004, 07:24
Yeah! Thanks Kayaker! This post is in a certain way a reply to my question, isn't it?
Identification of the PHYS command will help me a lot. Big, big thanks man! I'll post the results of my research in one week, and I'll certainly write a tutie + example on my website.
Have a nice day!

JMI
November 8th, 2004, 12:52
Great information on the dark codewoods, as usual.

Regards,

Neitsa
November 8th, 2004, 13:54
Thank you for sharing information like this. This is truly great and could help many reversers. It will help me a lot.

Thank you very much.

Regards, Neitsa.

crUsAdEr
November 8th, 2004, 22:11
Nice one, Kayaker.
Could not have done it any better!!! Somehow I am quite sure you are in the teaching profession or along that line of work?

Kayaker
November 9th, 2004, 11:16
Glad it's useful. I figure if everyone is on the same 'page' so to speak and has these basics in hand, it might encourage further documentation of Softice internals.

Sorta like this description of the PHYS command....

http://woodmann.net/forum/showpost.php?p=41341&postcount=13