
SoftIce clears my breakpoints!


me (very original, isn't it?)
February 25th, 2001, 12:28
Ok, first I ran the program I was reverse engineering. SoftIce didn't break into the WinMain procedure, so I put a bpx CreateWindowExA just to get in somewhere. Then I made a few breakpoints inside the code, disabled the CreateWindowExA breakpoint, and closed the app.

When I started the program again, it didn't break anywhere. So I typed bl into SoftIce, just to see that all my breakpoints (except the CreateWindowExA one) were gone. I did the same thing with another program, and the breakpoints didn't disappear. So judging from that, I would say there's something going on in the program I'm working with.

Could this be some kind of anti-sice code, or is it happening just because of my stupidity?
The app is WebFerret from www.ferretsoft.com, and I'm trying to remove the advertisements thing from it...

Cast
February 25th, 2001, 13:37
Maybe you did a bc * to remove breakpoints? In that case you removed all breakpoints. I don't think a program can gain control of SoftIce and disable breakpoints, nor did it occur to me while looking at WebFerret.

Regards,
Cast

Bratcher
February 25th, 2001, 15:02
Quote:
me (very original, isn't it?) (02-25-2001 01:28):
Ok, first I ran the program I was reverse engineering. SoftIce didn't break into the WinMain procedure, so I put a bpx CreateWindowExA just to get in somewhere. Then I made a few breakpoints inside the code, disabled the CreateWindowExA breakpoint, and closed the app.

When I started the program again, it didn't break anywhere. So I typed bl into SoftIce, just to see that all my breakpoints (except the CreateWindowExA one) were gone. I did the same thing with another program, and the breakpoints didn't disappear. So judging from that, I would say there's something going on in the program I'm working with.

Could this be some kind of anti-sice code, or is it happening just because of my stupidity?
The app is WebFerret from www.ferretsoft.com, and I'm trying to remove the advertisements thing from it...


Hi Me.
First of all, the nickname you are using is MINE. Me (Copyright).
The behavior you are seeing in your program does not come from antiSice code. In about half of the programs I have Siced (traced with SoftIce), the breakpoints disappear when the program closes. In some other programs (the lucky ones, for us) the breakpoints remain active and work, at least temporarily, when you re-run the program. The explanation lies in the way the operating system maps the memory for the program, I think. What I have done with this problem is:
1 avoid closing the program
2 set a BP in GetVersion and then, using the history feature of Sice, re-set all the breakpoints I need

G-RoM
February 25th, 2001, 17:55
Bratcher: before posting bullshit, please consider knowing what u are talking about. BPs are only removed when u BC them... otherwise they may not work coz they are segment related, hence if ur app starts with new segments, ur bp won't apply. Magic disappearance on program death, luck? Why not try to explain it with a virus of a special kind?

So check the BP list and see if the segment matches; if not, u know what the problem is.

As a more general note, would u mind if people start to think before posting? What's the purpose of posting "fake" information or half fucking guessed information? This is pathetic and u help nobody. Even worse, u risk being laughed at.

Cheers,

Bratcher
February 26th, 2001, 00:26
Quote:
G-RoM (02-25-2001 06:55):
Bratcher: before posting bullshit, please consider knowing what u are talking about. BPs are only removed when u BC them... otherwise they may not work coz they are segment related, hence if ur app starts with new segments, ur bp won't apply. Magic disappearance on program death, luck? Why not try to explain it with a virus of a special kind?

So check the BP list and see if the segment matches; if not, u know what the problem is.

As a more general note, would u mind if people start to think before posting? What's the purpose of posting "fake" information or half fucking guessed information? This is pathetic and u help nobody. Even worse, u risk being laughed at.

Cheers,


Your impolite posting was quite uncalled for.
I did not claim to know all the answers, as you seem to; I was plainly sharing what I have experienced. Please read above. I have observed that the BPs disappear with some apps and remain in others. And I guessed, and clearly stated so, that it had something to do with memory handling by the OS. I stated that it was unlikely to be due to antiSice code because way too many apps have such behavior.
I am certainly glad that there are experts with more in-depth knowledge, like you, who would provide a more complete explanation. Please do not take it out on me. I was sharing my experience, not giving court-sworn expert dictamination. If I bothered you or the original poster, I apologize.

G-RoM
February 26th, 2001, 07:16
I don't think my post was impolite, but harsh and sarcastic most probably (I am a very sarcastic person). Unfortunately for you, I got fed up seeing posts that claim stuff which isn't exact at all (and sometimes by people who call themselves "experts"!!). I don't call myself an expert and don't want to be called that. However, I really think that posting guesses and half-understood things isn't a good thing (lack of knowledge is better than knowing a false thing). Indeed the last part of ur answer is quite exact for a guess, BUT the first part of ur answer tends to bring a false idea (BPs disappear after the app terminates), hence my reply to ur post. Well, at least u seem to be a reasonable person, don't take it too badly.

Clearly a BP can be rendered inapplicable for a couple of reasons, but in no way can disappear from SICE list by itself.

Speaking about antisice... only way to remove a BP from list would be to issue BC command using SICE backdoors command (via int 3) but it is unlikely to happen here.

Cheers,

Solomon
March 1st, 2001, 04:22
I have encountered such problems many times.
The breakpoints disappeared when the program exited, though I didn't type any "BC" command in SoftICE.

regards

G-RoM
March 1st, 2001, 09:12
Mr Arthaxerxes:

I spoke about SOFTICE's internal list of BPs... not about the currently system-applied BPs, which u can disable or fuck up using a bunch of methods (r3, r0). Another way would be that u code a kmd/vxd (or use a r0 hack) to issue the remove-BP command directly to SICE code (needs some RE).

There is a difference between the breakpoint list known by SICE (BL result) and the breakpoint lists really effective on the system (hwbp and softbp).

I send ur remarks back to u, since u are everything except precise. Speaking of oil on fire... I think urs started to burn... coz I remember ur statement about hwbp from NT user mode... which was false.

Cheers,

Xybyre
March 1st, 2001, 11:07
It seems to me that SoftICE is removing your breakpoints because it does not think you are placing them within a code section. This is probably because the PE header is telling SoftICE that the section is C0000040, which means it is initialized data. You can use a PE editor and change it to E0000020 which indicates executable code.

This is common with packed programs. It would also explain why the loader wouldn't break at the first line of code.
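Xybyre's point can be checked mechanically. The following Python is an added example, not code from the thread: it parses the section table of a PE image, finds the section that contains AddressOfEntryPoint, reports whether that section carries the IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE bits (C0000040 has neither, E0000020 has both), and applies the same characteristics change a PE editor would. The flag values and header offsets are from the PE/COFF specification; build_pe constructs a headers-only image so the demonstration runs offline.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
CODE_BITS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def _headers(pe):
    """Validate the MZ/PE headers; return (AddressOfEntryPoint, section table offset, count)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    entry = struct.unpack_from("<I", pe, coff + 20 + 16)[0]  # optional header + 16
    return entry, coff + 20 + opt_size, nsec

def entry_section(pe):
    """Return (name, characteristics, header offset) of the section holding the entry point."""
    entry, off, nsec = _headers(pe)
    for hdr in range(off, off + 40 * nsec, 40):
        name, vsize, rva, *_, flags = struct.unpack_from(SECTION_HDR, pe, hdr)
        if rva <= entry < rva + vsize:
            return name.rstrip(b"\0").decode(), flags, hdr
    raise ValueError("entry point lies outside every section")

def entry_marked_as_code(pe):
    """True when the entry section carries both IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE."""
    return entry_section(pe)[1] & CODE_BITS == CODE_BITS

def mark_entry_section_code(pe):
    """Apply the PE-editor fix from the thread: swap the data bit for the code/execute bits."""
    _, flags, hdr = entry_section(pe)
    flags = (flags & ~IMAGE_SCN_CNT_INITIALIZED_DATA) | CODE_BITS
    return pe[:hdr + 36] + struct.pack("<I", flags) + pe[hdr + 40:]  # Characteristics at +36

def build_pe(sections, entry_rva):
    """Constructed headers-only PE32 image for the demonstration (not a runnable binary)."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 8
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack(SECTION_HDR, n, vs, rva, 0, 0, 0, 0, 0, 0, f) for n, rva, vs, f in sections)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + hdrs

if __name__ == "__main__":
    packed = build_pe([(b".text", 0x1000, 0x2000, 0xC0000040)], 0x1010)  # constructed sample
    print(entry_section(packed)[:2], entry_marked_as_code(packed))
    print(entry_marked_as_code(mark_entry_section_code(packed)))
```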

Bratcher
March 1st, 2001, 17:50
I am going to re-state my previous posting, in a way that G-ROM may find less objectionable. My intent was and still is to share what I have experienced and give some solution to the problem me (original isn't it) was having. From all the postings around this, I think I did the most sincere effort to fulfill the original intent of the board: Help Others.



Hi Me.
First of all, the nickname you are using is MINE. Me (Copyright).
The behavior you are seeing in your program does not come from antiSice code. (I THINK IT IS UNLIKELY)
In about half of the programs (OBSERVED FACT) I have Siced (traced with SoftIce), the breakpoints disappear (DISAPPEAR IN THE SENSE "STOP BEING EFFECTIVE". THE BREAKPOINTS REMAIN IN THE SICE LIST, BUT THE SELECTOR CHANGES TO 0001:. . . SO THEY DO NOT POINT TO THE ADDRESS IN THE ORIGINAL CODE, AND DO NOT BREAK. THIS APPLIES ONLY TO BPs SET IN THE CODE, THE DATA OR THE DLLs SPECIFIC TO THE PROGRAM IN THE LOWER 2 GB OF MEMORY SPACE. THE BPs SET IN THE EXECUTIVE FILES OF THE OPERATING SYSTEM REMAIN ACTIVE DESPITE CLOSING THE APPLICATIONS) when the program closes.

In some other programs (the lucky ones, for us) the breakpoints remain active and work, at least temporarily, when you re-run the program. The explanation lies in the way the operating system maps the memory for the program (WHEN THE CODE AND DATA OF THE PROGRAM RESIDE IN MEMORY MAPPED FILES, SICE WILL UPDATE THE SELECTOR OF THE BP AND THEY WILL WORK AGAIN IF THE APP IS RELOADED), I think. What I have done with this problem is (I PROVIDED SOME SOLUTIONS THAT HAVE WORKED FOR ME):
1 avoid closing the program
2 set a BP in GetVersion (BECAUSE IT ALMOST ALWAYS BREAKS AT THE BEGINNING OF AN APPLICATION) and then, using the history feature of Sice, re-set all the breakpoints I need (BECAUSE THEN THE CS AND THE DS WILL BE POINTING TO THE CORRECT SELECTORS NEEDED FOR THE BREAKPOINTS TO START WORKING AGAIN)

The upper case was used to highlight the new added comments, not in the form of screaming.

Iceman
March 2nd, 2001, 12:34
Well, this wasn't a bad post after all; it was much better than your first one. With a single point: flat images are always memory mapped under "Win32", so it's not a question of how the image is mapped or loaded in memory.
And for the sake of this thread, lemme know, guys, are we speaking here about NTICE, Winice or both? It might be important to get a clue on it.
Also, can you give an example of a program which does work and one which does not?

Bratcher
March 2nd, 2001, 14:41
First, I would like to say that I have nothing personal against you. As you expressed in another thread, I do not know you. I can only go by your nickname and your postings when they happened to coincide, and I may debate some of your opinions. I have full respect for your knowledge, and I have derived quite a lot of benefit from your postings. I think we agree on a lot of things, except the fundamental.
Regarding the specifics of this thread, my comments pertain only to WinIce. I have not had a lot of experience with NTIce, so I do not know if what I said pertains to the NT/WIN2000 environment.
The examples you requested may be the following:
1:
Notepad. If you place a BP inside Notepad and then quit the program, the selectors go to 0001: xxxxxxx. If you reload Notepad, the selectors update and the BP will work again.

2: SigmaPlot2000: Happened to be a file I was tracing when I read your posting.
If you quit the program, and then reload, the BPs stop working.