Hi there ,

Its about this command /tracex <low eip>
erm I'm stupid, :-D, whats does <low
eip> refers to?
Could any one explain it more precise how to use this?

thanks
Best Regards
esther

1. did you check w9x/doc/icedump6.txt?

2. simple experiment: load a win32 app into winice, choose an instruction down
from the entry point, then issue /tracex your_chosen_instruction_address.
this will exit winice and soon pop it up again as the tracer has reached your
selected target EIP. the name <low EIP> is a bit of a misnomer (my idea was
to keep it in synch with the other invocation format, if you look at the actual
implementation, you will see why), just think of it as an address where you want
the tracer to pop up winice (provided that address is ever reached of course).
this form of invocation should normally be used when you want to land at a very
specific address that you know will be reached (e.g. you already know the OEP
but for some reason you cannot use other BPs to break there).

Hi Esther,

Low/High EIP refers to the Virtual Address range you want /Tracex to monitor. Normally you're interested in the .CODE section, so if a PE Editor shows that the first section is from 401000 to 409000, then the syntax would be
/Tracex 401000 409000

One of the message entries in the command window after /Tracex breaks will be (I think) CS:EIP. This tells you where you broke into this thread FROM. Handy for example if you break into program code from unpacking code because this will often tell you where the OEP is reached in unpacking code and where to dump it.

Hope this helps.

Regards,
Kayaker

Hi The Owl,Kayaker,

it doesn't work for me when using the latest
version of icedump.Probably not the os problem I have test in win95 and 98.it crashes :-( .

Thanks for all the help.
Kind Regards
esther

can you be a bit more descriptive, like what you did exactly that ended in a crash?

Hi The Owl,
its not problem of icedump either,could be sice problem.I'll install sice 4 .the prob seems that latest version of icedump is not compatiable with sice version 3.23.R0TCB error not fast enough blah blah... hangs
my win95 or 98 :'(
Could be my systems too
pentium 233mmmx
ram=32mb

laterz
regards
esther

Hi The Owl,
its not problem of icedump either,could be sice problem.I'll install sice 4 .the prob seems that latest version of icedump is not compatiable with sice version 3.23.R0TCB error not fast enough blah blah... hangs
my win95 or 98 :'(
Could be my systems too
pentium 233mmmx
ram=32mb

laterz
regards
esther

uhm, don't rush with that installation ;-). icedump should work will at those
version that it exists for, that specific message you quoted is not an error,
merely a warning that happens on older win95 versions, but it should not crash.
so my question is: when does icedump crash (and where, if you can determine
it)?

Hi The Owl,
I have tested on my two harddisk with 95 and 98
the first thing I do is load in autoexec.bat.
winice loaded in the memory it shows

"Softice 3.23 win95 /98 beta 1-2"


I choose the dumper from 3.23 ,copy to the winice directory
and execute.
and it shows as follows windows "blue screen of death"
exception vxd error...
the dumper which I copied is dumper.exe.
I have copied the versions from 3.22 to 3.25 and tested
each. it gives me the error "vxdldr fail to load"???
Same it happen in win98.I don't understand
why it doesn't work even in win98
I have a previous version of icedump which works well
version 6.0.1.8 for winice 3.23
Thanks for looking in

best regards
esther

you can execute the proper icedump.exe from any directory, no need to copy it
where winice is (winice detection does not rely on winice.exe being present in the
current directory).



ok, this seems to be a known issue that the web page refers to as well as:



unfortunately i don't have access to win95 versions and can't debug the problem for now.



other versions will simply fail to load as they recognize that the current winice
you are running is not the one they were created for (plus the issue with renaming, see below).



this is because you renamed icedump.exe and the self-defense mechanism did not
let it carry out all the initialization it needed to do.

Same it happen in win98.I don't understand
why it doesn't work even in win98


this is because you renamed icedump.exe and the self-defense mechanism did not
let it carry out all the initialization it needed to do.[/QUOTE]

Hi The Owl,
Thanks for the trouble again
I didn't renamed the file to dump.exe .it
comes from the zip.Doh even I renamed it
to icedump it still doesn't work
I got no choice I installed sice 4.05 in
win98 and finally works.
win95 doesn't work even I installed version sice 4.05.

Icedump Team ,thanks for the hard work

Best Regards
esther

uhm, now what is it that you got in your icedump archive? dumper.exe or
dump.exe or icedump.exe? if it's not the latter, i'd certainly like to know where
you downloaded icedump from.



i see. actually i can check out winice 3.2x and win98 myself, if i can reproduce
the problem here, i will fix it, but the win95 support will have to wait.

Hi The Owl,
Sorry,I must apologise about renaming the file.I
did renamed a file but not sure which one
at that time.I have checked the zips,its icedump.exe.
Maybe I'm just too tired

Thanks again.

respects
esther