
DS31 softice in XP with XP2


WaxfordSqueers
January 13th, 2005, 22:25
Hi...I've spent over 10 hours reading through the RCE archives the past few days looking for softice (DS31) setup hints on XP with SP2. A lot of the hints were helpful and I've got myself setup to a point where softice will stick at the program entry point using symbol loader. I can also trace through code without incident. The following are issues I'm having a hard time resolving.

1) My system slows down incredibly when I'm not in softice. If I try to open a file manager, it can take 30 secs to a minute before it loads. My system is P4 with a 2 gig processor.

2) The DOS window that opens when I load Ice manually stays open, even if I try to close it. I read about this in another thread and it seemed related to a firewall. I shut my firewall down and it did not help. It's a Sygate free personal firewall and I did not unload the app.

3) I can't shut down windows without using hboot in ice. After using ice, sometimes the task manager won't even open.

4) I'm afraid to try loading softice other than manually because I'm using a dual boot system with Win 98SE in the primary partition and XP on the second partition. It's on a FAT 32 system. I've heard there may be problems with a dual boot system.

5) I tried out IceExt and it loaded ice fine. I got it to dump a screendump from Ice in raw format so I could send it to this forum, but how do I translate the raw code? It's in unicode and I can see it on Uedit in hex dump mode, but not in text mode.

I wanted to send some code from ice, because IceExt 'seems' to have added an EB FE at F2D5F294 in NTICE. I did not use breakpoints in my tracing other than a 'G' instruction to jump to a code position. This prevents me terminating a running app in ice. Before the EB FE showed up, I was tracing an app that loaded a splash screen followed by a message box generated by an exception. The message box said the app trial had expired.

BTW...when the message box opened, it had an OK button. I hit it and Ice disintegrated. It was after ctrl-Ding out and back in that I noticed the EB FE in Ntice.

Actually, I found the code from NTICE:

0008:F2D5F28F 1F POP DS
0008:F2D5F290 83C404 ADD ESP,04
0008:F2D5F293 FB STI
0008:F2D5F294 EBFE JMP F2D5F294 <---------
0008:F2D5F296 CD01 INT 01
0008:F2D5F298 CF IRETD
0008:F2D5F299 53 PUSH EBX
0008:F2D5F29A 56 PUSH ESI

If I CTRL-D now, ice is stuck at the position indicated by the arrow above at F2D5F294. I know about the EB FE trick for freezing Ice so you can get out for a minute. But why was it inserted in NTice? It might explain why I'm having trouble shutting XP down after using Ice. It might be a good idea to look up the actual bytes so I can replace them.

Notes: I have added all the SP2 files recommended.
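The EB FE in the NTICE listing above is a two-byte short jump (EB rel8) whose displacement is -2, so its target is the jump's own address and the CPU spins in place until something else changes EIP. As an added illustration that is not part of the post, the following Python decodes short jumps in a SoftICE-style "selector:offset bytes mnemonic" listing and flags the ones that jump to themselves. The listing embedded here is constructed from the lines quoted in the post; the function names are my own.

```python
import re

# Constructed sample: the NTICE code listing quoted in the post above,
# in SoftICE's "selector:offset bytes mnemonic" format.
SAMPLE_LISTING = """\
0008:F2D5F28F 1F POP DS
0008:F2D5F290 83C404 ADD ESP,04
0008:F2D5F293 FB STI
0008:F2D5F294 EBFE JMP F2D5F294
0008:F2D5F296 CD01 INT 01
0008:F2D5F298 CF IRETD
0008:F2D5F299 53 PUSH EBX
0008:F2D5F29A 56 PUSH ESI
"""

# selector:offset, hex bytes, then the rest of the line as the mnemonic
LINE_RE = re.compile(r"^([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")


def parse_listing(text):
    """Return a list of (offset, code_bytes, mnemonic) tuples from a SoftICE code listing."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-listing lines
        _selector, offset, hexbytes, mnemonic = m.groups()
        out.append((int(offset, 16), bytes.fromhex(hexbytes), mnemonic.strip()))
    return out


def short_jmp_target(addr, code):
    """Decode an EB rel8 (JMP short) at addr; return its target, or None if not a short JMP."""
    if len(code) != 2 or code[0] != 0xEB:
        return None
    # rel8 is a signed byte relative to the address of the NEXT instruction (addr + 2)
    rel = code[1] - 0x100 if code[1] >= 0x80 else code[1]
    return (addr + 2 + rel) & 0xFFFFFFFF


def find_self_jumps(text):
    """Return offsets of instructions that jump to themselves (EB FE spin loops)."""
    hits = []
    for addr, code, _mnemonic in parse_listing(text):
        if short_jmp_target(addr, code) == addr:
            hits.append(addr)
    return hits


if __name__ == "__main__":
    for a in find_self_jumps(SAMPLE_LISTING):
        print(f"self-jump (EB FE) at {a:08X}")
```

Running it on the quoted listing reports the single self-jump at F2D5F294; any other EB xx in a listing is resolved to its real target, which is handy when checking whether a patched byte pair still lands inside the function it came from.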

doug
January 13th, 2005, 23:35
for #1 to #4
I'm not using DS3.1 nor SP2, so I can't help much.
However, after installing a new OS/system, softice is one of the first things I install. This removes a software/driver conflict from the list of possible cause(s) of problem(s).

Also, did you analyze carefully the log messages left by NTice & IceExt? IceExt outputs a detailed report of the hooks it installs & it is open source; so it is easier to find out why things go wrong by reading the src code :-)

for #5
there's a folder "SiwRender" in the IceExt installation.

Edit SiwRender.ini to reflect your settings & desired font. Then run SiwRender.exe

WaxfordSqueers
January 14th, 2005, 02:20
Quote:
Also, did you analyze carefully the log messages left by NTice & IceExt? IceExt outputs a detailed report of the hooks it installs & it is open source; so it is easier to find out why things go wrong by reading the src code :-)
I did to the extent I'm capable. I noted three items as follows:

1) 'Warning: AC97 not found.' ...near end of IceExt load

2) Reference to AVP (Kaspersky) module that is being 'unloaded'. I don't know what the unloading means.

NTICE: Unload32 MOD=AvpShlEx
NTICE: Unload32 MOD=avp32Loc

I'm not using the AVP monitor features, but I'm wondering if its spy facility is still loaded. If so, I have no idea how to unload it. There was an app called Registry Drill that would let you block drivers at boot time.

3) In the softice load, there is reference to an 'Int0E fault' with code 1. Most of this is beyond me. I have copied the pertinent lines below. I didn't want to copy the entire loading log because it's quite long.

NTICE: Load32 START=73D30000 SIZE=17000 KPEB=FFA72590 MOD=wbemcons
001
Int0E Fault in SoftICE at address F2E69EF4 offset 00093C50
Fault Code=00000001
DS=0010 ES=0023 FS=0030 GS=0000 ESI=00000000 EDI=8058AE20 ESP=F3F0ECB4
EAX=00000001 EBX=F8947E20 ECX=00000000 EDX=00000001 EBP=F3F0ED08

FrameEBP RetEIP Syms Symbol
F3F0ED08 F887673A N NTice!.text+00095B74

Raw Stack Dump: ESP=F3F0ECB4
F2E68C6E
F8870010
00000086
8058AE20
00000000
F3F0ED08
F3F0ECE0
F8947E20
F88792EC
FE9ACBD8

Quote:
for #5 there's a folder "SiwRender" in the IceExt installation.


thanks for the tip. When he said screen image, that's what he meant. It's a BMP file.
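The Int0E block quoted in the post above is SoftICE's report of a page fault (interrupt 0Eh is #PF on x86). As an added example, not part of the post or of SoftICE, here is a small Python parser that pulls the fault address, register values, stack frame and raw stack out of such a block, decodes the x86 #PF error code bits (Fault Code=00000001 means a protection violation on a read in supervisor mode, not a page that is absent), and cross-checks that the ESP printed on the Raw Stack Dump line and the FrameEBP of the first frame agree with the register dump. The sample input is the block from the post, embedded as a constructed string; the function and key names are my own.

```python
import re

# Constructed sample: the Int0E fault block quoted from the SoftICE log in the
# post above (whitespace normalised).
SAMPLE_REPORT = """\
Int0E Fault in SoftICE at address F2E69EF4 offset 00093C50
Fault Code=00000001
DS=0010 ES=0023 FS=0030 GS=0000 ESI=00000000 EDI=8058AE20 ESP=F3F0ECB4
EAX=00000001 EBX=F8947E20 ECX=00000000 EDX=00000001 EBP=F3F0ED08

FrameEBP RetEIP Syms Symbol
F3F0ED08 F887673A N NTice!.text+00095B74

Raw Stack Dump: ESP=F3F0ECB4
F2E68C6E
F8870010
00000086
8058AE20
00000000
F3F0ED08
F3F0ECE0
F8947E20
F88792EC
FE9ACBD8
"""

HEADER_RE = re.compile(r"Int0E Fault in SoftICE at address ([0-9A-F]{8}) offset ([0-9A-F]{8})")
REG_RE = re.compile(r"\b([A-Z]{2,3})=([0-9A-F]{4,8})\b")      # DS=0010, ESP=F3F0ECB4, ...
FRAME_RE = re.compile(r"^([0-9A-F]{8})\s+([0-9A-F]{8})\s+(\S+)\s+(\S+)$")
HEX32_RE = re.compile(r"^[0-9A-F]{8}$")


def decode_pf_code(code):
    """Decode the x86 page-fault (#PF, int 0Eh) error code pushed by the CPU."""
    return {
        "present": bool(code & 0x01),            # 1 = protection violation, 0 = page not present
        "write": bool(code & 0x02),              # 1 = write access, 0 = read access
        "user": bool(code & 0x04),               # 1 = fault from CPL 3, 0 = supervisor mode
        "reserved_bit": bool(code & 0x08),       # reserved bit set in a paging entry
        "instruction_fetch": bool(code & 0x10),  # fault on instruction fetch (NX/SMEP systems)
    }


def parse_fault_report(text):
    """Parse a SoftICE 'Int0E Fault' block into a dict of address, code, regs, frames, stack."""
    report = {"address": None, "offset": None, "code": None, "stack_esp": None,
              "regs": {}, "frames": [], "stack": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.search(line)
        if m:
            report["address"], report["offset"] = int(m.group(1), 16), int(m.group(2), 16)
            continue
        if line.startswith("Fault Code="):
            report["code"] = int(line.split("=", 1)[1], 16)
            continue
        if line.startswith("FrameEBP"):          # column header of the frame walk
            section = "frames"
            continue
        if line.startswith("Raw Stack Dump"):
            section = "stack"
            m = REG_RE.search(line)
            if m:
                report["stack_esp"] = int(m.group(2), 16)
            continue
        if section == "frames":
            m = FRAME_RE.match(line)
            if m:
                report["frames"].append({"frame_ebp": int(m.group(1), 16),
                                         "ret_eip": int(m.group(2), 16),
                                         "syms": m.group(3), "symbol": m.group(4)})
                continue
        if section == "stack" and HEX32_RE.match(line):
            report["stack"].append(int(line, 16))
            continue
        for name, value in REG_RE.findall(line):  # register dump lines
            report["regs"][name] = int(value, 16)
    return report


def check_consistency(report):
    """Return a list of discrepancies between the register dump and the stack sections."""
    issues = []
    regs = report["regs"]
    if report["stack_esp"] is not None and regs.get("ESP") != report["stack_esp"]:
        issues.append("ESP in register dump differs from Raw Stack Dump ESP")
    if report["frames"] and regs.get("EBP") != report["frames"][0]["frame_ebp"]:
        issues.append("EBP in register dump differs from first FrameEBP")
    return issues


if __name__ == "__main__":
    r = parse_fault_report(SAMPLE_REPORT)
    print(f"#PF at {r['address']:08X} (module offset {r['offset']:08X}):", decode_pf_code(r["code"]))
    print("frames:", r["frames"], "issues:", check_consistency(r) or "none")
```

On the quoted block the parser finds twelve registers, one frame resolved to NTice!.text+00095B74, ten raw stack words, and no inconsistency between the sections, which is what you would want to confirm before trusting the frame walk in a report like this.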

Fake51
January 14th, 2005, 05:04
A possible solution to your softice problems - it worked wonders for me anyway.

It's avp fucking up your softice - bet you have it loaded on startup. If you don't let it run at startup, and don't run softice when it's been loaded, you might get lucky. There's an extra catch, tho, as avp loads a couple of services that you'll have to turn off manually. Search this place for "avp" or "kaspersky" - one of the threads should have details on how to change the registry, so those services will only load manually.

Anyway, that did the trick for me and others.

Fake

PS. In the future, stick your "softice doesn't work"-questions in tools of our trade.

WaxfordSqueers
January 14th, 2005, 05:16
Quote:
[Originally Posted by Fake51]

It's avp fucking up your softice - bet you have it loaded on startup.


Thanks for the tip, but I don't. I also checked the registry thing earlier and could not find anything related to it starting any monitor.

I do think I have other problems which might be similar. I noticed on my bootlog.txt file that the system is loading vxd's from my win 98 partition. Programmers get arrogant and/or stupid at times and assume everybody loads Windows in C:\Windows. It's more stupid than arrogant, however, to load vxd's from another operating system into XP. They are in different partitions.
Then again, XP loads some of its boot files in the Win 98 partition.

I've heard that XP doesn't deal with vxd's, but it must have a thunk system similar to what 95 and 98 had for 16 bit proggies. How else would it be able to run apps written for systems other than XP?


Quote:

ps. In the future, stick your "softice doesn't work"-questions in tools of our trade.


I didn't want to appear arrogant. I'm closer to a newbie in many things although perhaps intermediate in others. I felt some things in my post might not be intermediate enough to post in the Tools section.

I'll take you up on your tip to research AVP/Kaspersky on this site.

Thanks

Fake51
January 14th, 2005, 06:11
Are you sure that you have all kaspersky services disabled or set to load manually? They only show up in the registry, not when browsing the services part of admin controls (and they still load even if avp isn't set to load automatically). Since you note that you see some references to avp I still think that this is your problem.
Look for services under hklm/system/yadayadayada/services/k???? that don't have any description, don't have counterparts in the services app, and don't have start value as automatic, disabled or manually. Check the files in your winnt dir, they should have version infos or the likes, identifying them as kaspersky files.

As for the forum part: It was meant as more of a suggestion, lest JMI should suddenly decide to edit your post for fun. The point was merely to divide your post in two, seeing half of it would be better put elsewhere.

Fake

WaxfordSqueers
January 14th, 2005, 07:23
Quote:
[Originally Posted by Fake51]Are you sure that you have all kaspersky services disabled or set to load manually?

I'm still working on it. I renamed both the drivers that show up in the softice log (from symbol loader) and AVP seems to work without complaining. It's getting late though, so I'll probably leave it till I'm fresh lest I make a catastrophic blunder. The AVP Control Centre shows up under Administration/Services and I have it both turned off and disabled. But I'll poke through the registry anyway. Thanks. I think I might uninstall my firewall too and hopefully remember to disconnect from the internet when I do it.
I'll check out all your tips. Thanks.
Quote:

As for the forum part: It was meant as more of a suggestion, lest JMI should suddenly decide to edit your post for fun. The point was merely to divide your post in two, seeing half of it would be better put elsewhere.
Fake

I'll PM JMI and ask if it's OK to advertise in both. The complexity level is about intermediate.

dELTA
January 14th, 2005, 07:38
It's not ok to double post, but this thread is ok for the Tools of our trade forum, I just moved it there.

LOUZEW
January 14th, 2005, 15:37
Hi, all
I don't know where the problem is but for sure, it's not Kaspersky. I'm using DS and KASPERSKY for many years now and never had any prob.
For your info, i have XP SP2 corporate, KAV personal pro 5.0.1.4, DS 3.1, ZAP 5.5.0.62.

Have you patched OSINFO.DAT for use with SP2 like it's said on compuware site ?

WaxfordSqueers
January 14th, 2005, 16:53
Quote:
[Originally Posted by LOUZEW]Have you patched OSINFO.DAT for use with SP2 like it's said on compuware site ?


Yes...I did it exactly as shown on their site. I've got symbol retriever working off my hard drive with the entire sym file from M$. All my NMS files are loading fine.

I'm concerned right now about a driver conflict. I have a dual-boot system with Win 98SE on partition 1 and XP home on partition 2. I was looking at a fresh bootlog.txt for an XP startup and it's loading a lot of vxd's from the win 98 partition (eg. C:\win98\smartdrv and C:\win98\himem.sys). I find it really strange that one operating system would go into another operating system's partition and load files from it.

This is NOT an old system which I loaded XP over. The initial intention was to load XP by itself. But I had problems with my new Intel motherboard (turned out to be a bad processor) and I loaded Win 98 fresh to see if it would load. It did load, which led me into thinking it wasn't the processor. XP would not load at all, getting to the first splash screen and freezing. Of course, when I loaded XP, I did it as a dual-boot system on partition 2. Once the processor was replaced the dual-boot worked fine so I left it. I've had no problems with it since and it's handy to have 98 and XP on the same FAT 32 drive since I can use 98 to spy on XP.

I also had the Win 98/XP dual-boot computer networked with an older P2 Asus 440BX computer. I'm not running that system now, but I'm seeing drivers being loaded currently by XP that were for the older computer. For example, XP is loading drivers for an Asustek Broadcom NIC that has never been on my new dual-boot system. In fact, it's an on-board NIC on my P2 440BX on the old computer. The only way XP could do that is if it got information through the old network. But why would it go into another partition to do that?

I know this is getting away from 'our tools' but it's still a problem about why softice in DS31 won't load, and maybe it will help others in the future. Does anyone have any thoughts on this other than flames?

WaxfordSqueers
January 14th, 2005, 22:20
Quote:
[Originally Posted by dELTA]It's not ok to double post, but this thread is ok for the Tools of our trade forum, I just moved it there.
Thanks, dELTA.

doug
January 14th, 2005, 23:27
My opinion is that there are too many possible issues for it to be worth investing time troubleshooting; unless you are really keen on the subject and want to study it.

Softice either works well or doesn't. Why it works well on some systems and not on others is rumoured to be a random process.

WaxfordSqueers
January 14th, 2005, 23:57
Quote:
[Originally Posted by doug]My opinion is that there are too many possible issues for it to be worth investing time troubleshooting; unless you are really keen on the subject and want to study it.


I hear what you're saying. Whereas it can be aggravating at times, I have an interest in breaking through to new ground. I have enough experience to realize it could be about something really simple that's not obvious.

I feel like I'm close enough that giving up is not an option yet. The fact that the DOS window ice opens in does not shut down is a clue. I'm currently trying to eliminate things and reading a lot. Of course, like you say, it could be a total waste of time.

Thanks for dropping in.

WaxfordSqueers
January 15th, 2005, 07:29
Quote:
[Originally Posted by WaxfordSqueers]I feel like I'm close enough that giving up is not an option yet.


Feel like a bit of a dummy. It was the Sygate firewall. I say a bit of a dummy because I did follow my options relatively methodically, but there is another thread in the archives (from quetzalcoatl ....thanks Q) which specified that very remedy. After uninstalling the firewall and rebooting, everything was hunky dory. It was even peachy.

The symptoms are as follows:

-When ice is activated manually, a DOS window opens, and the typical Ice screen (not to be confused with Ice cream) can be seen loading in the window.

-Under normal conditions, the DOS window closes by itself. With Sygate loaded, it doesn't close and it can't be closed, even with a kill from the task manager.

-XP can't be shut down other than by using HBoot in ice.

-other apps in XP slow right down, some intolerably.

-this error message appears in a history dump:

"Int0E Fault in SoftICE at address F2E69EF4 offset 00093C50
Fault Code=00000001"

-ice will appear to crash at times, with the screen breaking up like a jigsaw puzzle. CTRL-Ding out and back in again clears the screen breakup and will reveal code from NTIce which has an EB FE opcode at EIP. ie. The instruction jumps to itself. Funny enough, you can reload the app through symbol loader and it breaks happily at start of code again. And tracing is normal. The mystery is what puts the EB FE into NTIce and what reinserts the original bytes. I thought we were the only ones who did that.

All that from a firewall. BTW...for anyone using the free Sygate firewall, the new version (5.6 build 2808) is reported to have bugs in it which Sygate have acknowledged. They claim the bugs will be removed by the next upgrade.

Fake51
January 16th, 2005, 05:24
Quote:
[Originally Posted by LOUZEW]Hi, all
I don't know where the problem is but for sure, it's not Kaspersky. I'm using DS and KASPERSKY for many years now and never had any prob.

Well, it sure was my problem. I'd say Doug is more than half right.

Fake

WaxfordSqueers
January 16th, 2005, 20:13
Quote:
[Originally Posted by WaxfordSqueers]It was the Sygate firewall. BTW...for anyone using the free Sygate firewall, the new version (5.6 build 2808) is reported to have bugs in it which Sygate have acknowledged. They claim the bugs will be removed by the next upgrade.


Update: Ice (ver. 4.3.1 in DS31) seems to work with the most recent update (ver 5.6 build 2808) of Sygate's free personal firewall. All of the problems I listed above have disappeared and I was able to reverse a simple 'trial expired' app. As I pointed out, however, this version of Sygate has been reported as buggy. So far, I've had no problem with it on XP with SP2.

It has crossed my mind that maybe it's not the upgrade per se. It may just have been uninstalling Sygate and reinstalling that did the trick. Maybe it needs to detect the debugger and can't do that if the debugger is installed after the firewall is installed. I read something about debuggers and Sygate on a forum at one time, so if anyone is having problem with an ice install on XP, they might check that out.

Be aware that M$ turns on their own firewall by default when SP2 installs. From the reports I've read the M$ firewall still does not block outgoing traffic. Although Sygate claims their firewall will happily co-exist with the XP firewall, I'd check that if there are problems with ice.

All is not quite well yet in reversing land, however. When using the DEX command to setup the four DATA windows, I was able to switch between data windows by clicking on the number of the window at the top right of the window. That doesn't seem to work now. It's been a couple of years and my memory is foggy. Maybe there was another way of switching them. I found it really helpful to give data windows to ds:esi and es:edi to keep track of ascii strings, etc.

Also, there seems to be a problem with the ADDR context switch, although I may be using it wrong. There were times when I couldn't dump various register addresses to the data window in order to examine their contents. All I got were question marks in place of data, even though I knew there was data at the address. That seemed to be a context issue.

I typed in 'ADDR' and the highlighted context address of my app and got an error message that the context can't be found. Sometimes, however, it worked. I don't know if these problems are related to firewall issues, or whether I'm not applying them correctly. I know there's an option to turn off the newer context switching and return to the older type. I'm checking that out.