IceDump lame question


Czajnick
February 4th, 2001, 06:46
My problem with icedump 6.0.2.1 is that I can't even load it. Sorry for that lame question, but...
What is the loading procedure for icedump ?

I always get: "VXDLDR failed to load icedump"
I've tried it on every version of SoftICE I have - 3.23, 3.25, 4.01, 4.05... Nope...

The Owl
February 4th, 2001, 11:16
1. do you load kernel32 exports in winice.dat?
2. do you see any messages in the winice window?

Czajnick
February 4th, 2001, 12:12
Quote:
The Owl (02-04-2001 00:16):
1. do you load kernel32 exports in winice.dat?

This was the problem.
I've found a note about it in docs, but I simply missed it.
I think it should also be added to the "Usage" section...

Well, thanx, now everything is clear

+SplAj
February 6th, 2001, 04:46
Hi OWL

I did not forget your Q re icedump and the Softlocx bug

Unfortunately I had installed that MS Virus WinME and it has taken me until today to fully clear it from my PC.

I had the same problem as Czajnick (VXDldr failed...) fixed that and now I am discovering what you asked .........

Please see the following text from an exception after /protect on with id 6021 was set and Fusionv2 then loaded :-


EAX=816FFA24 EBX=C0000027 ECX=E25EED00 EDX=00000020 ESI=0000000D
EDI=C17931B0 EBP=E25EEF70 ESP=E25EEE50 EIP=C02A217C o d I S z a P c
CS=0028 DS=0030 SS=0030 ES=0030 FS=0000 GS=0000 DS:C000002B=FFFFFFFF
-------------------------byte-------PROT---(0)--
0030:00000000 9E 0F C9 98 65 04 70 00-16 00 8B 09 65 04 70 00 ....e.p.....e.p.
0030:00000010 65 04 70 00 54 FF 00 F0-77 A5 00 F0 53 FF 00 F0 e.p.T...w...S...
-----VWIN32_Npx_Exception+021E---------------------PROT32-
0028:C02A211A 8BC8 MOV ECX,EAX
0028:C02A211C 66874D2C XCHG CX,[EBP+2C]
0028:C02A2120 33C8 XOR ECX,EAX
0028:C02A2122 F6C502 TEST CH,02
0028:C02A2125 7411 JZ C02A2138
0028:C02A2127 F6C402 TEST AH,02
0028:C02A212A 740C JZ C02A2138
0028:C02A212C 6681652CFFFD AND WORD PTR [EBP+2C],FDFF
0028:C02A2132 CD20 INT 20 VXDCall Enable_VM_Ints
0028:C02A2138 668345300E ADD WORD PTR [EBP+30],0E
0028:C02A213D 83CEFF OR ESI,-01
0028:C02A2140 F7C701000000 TEST EDI,00000001
0028:C02A2146 7518 JNZ C02A2160
0028:C02A2148 BE2C000000 MOV ESI,0000002C
0028:C02A214D 66A1F8C832C0 MOV AX,[C032C8F8]
0028:C02A2153 663B4528 CMP AX,[EBP+28]
0028:C02A2157 0F8513FEFFFF JNZ C02A1F70
0028:C02A215D C1EE02 SHR ESI,02
0028:C02A2160 56 PUSH ESI
0028:C02A2161 55 PUSH EBP
0028:C02A2162 CD20 INT 20 VXDCall _VWIN32_FaultPopup
0028:C02A2168 83C408 ADD ESP,08
0028:C02A216B C3 RET
0028:C02A216C A15CBB13C0 MOV EAX,[C013BB5C]
0028:C02A2171 0BC0 OR EAX,EAX
0028:C02A2173 7411 JZ C02A2186
0028:C02A2175 8B5878 MOV EBX,[EAX+78]
0028:C02A2178 0BDB OR EBX,EBX
0028:C02A217A 740A JZ C02A2186
0028:C02A217C 855304 TEST [EBX+04],EDX
0028:C02A217F 7504 JNZ C02A2185
0028:C02A2181 8B1B MOV EBX,[EBX]
0028:C02A2183 EBF3 JMP C02A2178
0028:C02A2185 F9 STC
0028:C02A2186 C3 RET
------------------VWIN32(05)+0C42---------------
MSR LastExceptionToIp=C02A2178


Please e-mail me and maybe I can help you. It's a bit embarrassing discussing it here P)


+SplAj
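
Added example (not part of the original thread, nor IceDump or SoftICE code): a short Python check that ties the register lines of the dump posted above to its disassembly, confirming that the instruction at CS:EIP is the one whose memory operand SoftICE displays as DS:C000002B. The function names are hypothetical, and reading uppercase flag letters as "set" is an assumption about the SoftICE display.

```python
import re

# Constructed sample: register lines and three disassembly lines copied from the dump above.
DUMP = """\
EAX=816FFA24 EBX=C0000027 ECX=E25EED00 EDX=00000020 ESI=0000000D
EDI=C17931B0 EBP=E25EEF70 ESP=E25EEE50 EIP=C02A217C o d I S z a P c
CS=0028 DS=0030 SS=0030 ES=0030 FS=0000 GS=0000 DS:C000002B=FFFFFFFF
0028:C02A217A 740A JZ C02A2186
0028:C02A217C 855304 TEST [EBX+04],EDX
0028:C02A217F 7504 JNZ C02A2185
"""

def parse_registers(text):
    """Return {name: int} for every NAME=HEX pair (EAX, EIP, CS, ...)."""
    return {n: int(v, 16) for n, v in re.findall(r"\b([A-Z]{2,3})=([0-9A-F]+)\b", text)}

def parse_flags(text):
    """Flags follow EIP as 'o d i s z a p c'; assumption: uppercase means set."""
    line = next(l for l in text.splitlines() if "EIP=" in l)
    return {f.lower(): f.isupper() for f in line.split()[-8:]}

def instruction_at(text, sel, off):
    """Return the mnemonic text of the disassembly line at sel:off, or None."""
    m = re.search(rf"^{sel:04X}:{off:08X} [0-9A-F]+ (.+)$", text, re.M)
    return m.group(1) if m else None

def effective_address(insn, regs):
    """Resolve a [REG+disp] / [REG-disp] operand using the dumped register values."""
    m = re.search(r"\[([A-Z]{3})([+-])([0-9A-F]+)\]", insn)
    base, disp = regs[m.group(1)], int(m.group(3), 16)
    return (base + disp if m.group(2) == "+" else base - disp) & 0xFFFFFFFF

def triage(text):
    regs = parse_registers(text)
    insn = instruction_at(text, regs["CS"], regs["EIP"])
    # Memory operand as shown at the end of the segment-register line, e.g. DS:C000002B=FFFFFFFF
    seg, addr, val = re.search(r"\b([CDEFGS]S):([0-9A-F]{8})=([0-9A-F]+)", text).groups()
    return {"insn": insn, "ea": effective_address(insn, regs), "shown_seg": seg,
            "shown_addr": int(addr, 16), "shown_value": int(val, 16), "flags": parse_flags(text)}

if __name__ == "__main__":
    print(triage(DUMP))
```
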

The Owl
February 6th, 2001, 06:11
thanks for your offer, but i have already solved the problem with softlocx (many
thanks to SV). all is fine now, you can check it in the latest 6.022 pre release.

what's left is a /tracex issue with some old version of pecrypt (1.0 or so it seems),
for some unknown reason the tracer loses control at some point (before reaching
OEP) and gains it back, but somewhat after the OEP (a few function calls deep).
if you want to figure this out and need a target, try

h**p://www.powerup.com.au/~marver/dl/textdrop103.exe

(the app is not really interesting, but i know that it was wrapped by a version of
pecrypt on which the tracer fails).

The Owl
February 6th, 2001, 17:10
well, i've nailed down the problem to this: when an app does a loadlibrary() for mmsystem.dll, by the time the loadlib call returns, eflags.tf is turned off. presumably mmsystem's dllmain performs some operation that leads to this side effect. anyone care to figure out where/why it happens?