
View Full Version : SoftICE to printer problem


toolmanx
January 14th, 2007, 15:55
I didn't think I'd be back with questions so fast but here I am.

I have a USB "only" printer that sends to a virtual printer according to the
system info (no other input plugs or sockets on the printer). SoftICE sends
the screen to LPT1 or to a com port. Is there any way to send the SoftICE
window to my printer or to a file that I can print later? I have the
"Printscreen" program but of course that doesn't work while in SoftICE, only
in Windows.

I vaguely remember an old DOS command that would forward from one
place to another (like a: = b), but I doubt if that would work in XP anyway.
Any ideas?

I am moving along trying to change my Securom protected map program to
run from my HD without the original disk in the drive. I am following the
lead of some of your contributors named Pedro and R!sc. Very helpful stuff.

fr33ke
January 14th, 2007, 16:43
Search and you will find: http://www.woodmann.com/forum/showthread.php?t=9638

toolmanx
January 14th, 2007, 21:00
I read the suggested thread. I guess I was looking for some exotic way to send to my printer. I did a search for IceExt but couldn't find a download anywhere. I have used my Olympus before and this may be the way I may end up. It does work.

WaxfordSqueers
January 14th, 2007, 22:37
Quote:
[Originally Posted by toolmanx;63759]I read the suggested thread. I guess I was looking for some exotic way to send to my printer. I did a search for IceExt but couldn't find a download anywhere. I have used my Olympus before and this may be the way I may end up. It does work.


You're not thinking things through before posting a question.

1) You said Softice outputs to an LPT or COM port. Is a USB port either of those?

2) You claim you couldn't find IceExt on the net. I plugged IceExt into Google and found it on the first hit, but I don't suggest you try IceExt unless:

3) you understand that 'Softice' and 'exotic' is like an oxymoron. Softice is a barebones, bottom-end tool that comes with very few bells and whistles. You learn how to improvise and the thread you were pointed to has all the answers except one.

If you turn off all the windows in softice, using the toggles like wr, wd, wc, etc., then use a cls to clear the screen, you can get what you need by using the command window. For example, a 'd 401000' will give you a dump in the command window of the address 401000 for a few lines. A 'u 401000' or a 'u eip' will give you a few lines of code in the command window. Repeat as often as necessary to get the number of code lines you need.

When you exit Softice, go into loader32 and use the 'save Softice history' command. You might have to increase the size of the history buffer. You can load the saved file in a text editor, format it to your liking, and print it on your USB printer.

IceExt has the !dumpscreen command that works too, but you need another tool to convert it to a bmp file. Alternately, you can take the saved file, do a bit of work on it in a text editor, and recover the formatting of the entire screen. I get rid of the funny looking characters using a find/replace function, but if you examine the file carefully, the enter key (i.e. line feed/carriage return) will get the screen format close enough before getting rid of the non-ASCII characters.

Forget exotic.

LLXX
January 14th, 2007, 23:50
Used, working dot-matrix printers can be gotten for free or very nearly so at your local computer recycling center

disavowed
January 15th, 2007, 00:34
Run SoftICE in VMWare or Virtual PC, take a screenshot of the virtual machine's window, and print the screenshot.

toolmanx
January 16th, 2007, 09:59
I have my eye out looking for an old printer.

I have a tendency to cry "Help" and then find what I need. I'm fighting this but I do back slide a lot. When I printed up a book of commands from SoftICE.pdf I saw the info and how to collect it from "History". I do appreciate the step by step though.

I don't understand why I seem to have such difficulty on searches. This is the second thread I've been berated on for not being able to find what I'm looking for. I use "dogpile" to do my search in. I assumed it would look at Google too. Maybe not. I did a search for ProcDump, and IceExt. Both gave me lots of discussions, but no place to download a copy. I even looked in Bit Torrent. I'll try again.

toolmanx
January 16th, 2007, 10:13
Note to WaxfordSqueers:

What magic did you use? I went directly to Google, searched for both IceExt and ProcDump. I got one worthless hit to a "program encryption for sale" site.
Keep in mind, I was looking for downloads.

blabberer
January 16th, 2007, 13:20
hehe if you really say you don't get iceext in first hit in first page on google

then you should really scan your system for dnshijackers, hostfile redirectors, timethreshold redirectors and all other rogue little idiots who might have hijacked your computer and might be redirecting your queries to viagra selling sites

anyway here is simple query result

Results 1 - 10 of about 559 for iceext . (0.06 seconds)

IceExt
IceExt project has been moved to the ******* server. Go there for the latest news. ... Visit IceExt ********* page for the latest sources snapshot. ...
********.net/ - 8k - Cached - Similar pages

IceExt | Programmers' ToolsIceExt is a SoftICE NT plugin. It adds some useful commands to the debugger. IceExt is your best helper when debugging your own programs. ...
*********/****/88 - 10k - Cached - Similar pages

Index of *********/iceext Index of *********/iceext. Icon Name Last modified Size Description. [DIR] Parent Directory -. Apache/2.0.52 (Red Hat) Server at ...
***********/iceext/ - 1k - Cached - Similar pages

and the first hit clicked shows this

Download:


--------------------------------------------------------------------------------

iceext-0.70-bin.zip (~150 kb) IceExt precompiled binaries.
iceext-0.70-src.zip (~390 kb) IceExt source code. Visit IceExt ***** for the latest sources snapshot. (NOTE: since ****** CVS site is tempoary down, latest sources are not available there. Will be fixed soon.)

News:


--------------------------------------------------------------------------------

0.70 - added ring-0 tracer (implementation by Godness).
- IceExt now has it's own loader and doesn't need to be installed as a service.
- project moved to the SourceForge.net.
0.67 - fixed small bug that resulted in incomplability with old DS versions.
0.66 - added DS 3.2 compability (thanks to Devilsclaw for some patterns he sent me).
- SoftICE.cpp has been rewritten a bit further with macroces. Found nice solution
to try several patterns one after another.
- now IceExt checks if KDExtension, KDHeapSize, KDStackSize registry keys are
properly configured (misconfigured keys can cause some system crashes).
0.65 - fixed DS < 3.1 incompability introduced in previous IceExt release.

and for procdump

Web Results 1 - 10 of about 247 for procdump lorian . (0.21 seconds)

[PDF] Know Your EnemyFile Format: PDF/Adobe Acrobat - View as HTML
ProcDump, written by G-RoM, Lorian, and Stone, is a powerful tool to. help with unpacking. Figure 2-9 shows the startup screen, which lists open tasks and ...
www.oreilly.com/catalog/swarrior/chapter/ch02.pdf - Similar pages

The ProcDump32 Site2) Tutorials (Tutorials for using ProcDump32). ProcDUMP32 is Copyright © 1998-1999 by G-RoM, Lorian & Stone. Site designed and maintainced by TORN@DO. ...
************/procdump.html - 8k - Cached - Similar pages

and if you follow this second link then you land in a skip add buttoned site and that gets you procdump ucf-pd14.zip



hopefully i was helpful this time

toolmanx
January 16th, 2007, 15:29
Blabberer, don't ever go too far away. You're magic. I swear to you, I did not misspell either IceEXT or ProcDump while searching. Before you, I got one hit; after you, I got exactly what you said was there and successfully downloaded all I was looking for.

I think I am due for at least a good scan with my Hijackthis. Something is definitely wrong. I also visit Daniweb and I have picked up junk there before. Maybe I have again.

Many thanks for the help.

LLXX
January 17th, 2007, 00:05
http://fravia.com

Learn it, use it.

JMI
January 17th, 2007, 00:19
Which is the "Fravia's Searchlores" link you will find at the bottom of the Forums.

Regards,

WaxfordSqueers
January 18th, 2007, 04:33
Quote:
[Originally Posted by toolmanx;63788]Note to WaxfordSqueers:

What magic did you use? I went directly to Google, searched for both IceExt and ProcDump. I got one worthless hit to a "program encryption for sale" site.
Keep in mind, I was looking for downloads.


I was using ver 0.67 and it suddenly stopped working. I remember something Sten said about registry values that needed to be adjusted for IceExt to work properly. I typed IceExt in Google and got it on the first hit. When you said you couldn't find it, I did the same and got it again, download site and all. I got ver 0.7, for my efforts, which doesn't use a driver, making it even more undetectable.

In one of your replies, you mentioned being berated. I wouldn't say anyone was berating you. In English, that refers more to calling someone a stupid, dumb, whatever. I felt that you hadn't looked that hard, but I wasn't calling you stupid, or implying that.

I know it's tough sometimes, and Softice isn't that easy to use, but anything I learned was usually from playing with it, working through frustration, and asking well-timed questions from the local ice-gurus. The quality of response you get will normally reflect the understanding of the problem you present, although many guys will help you just for the sake of it.

Don't take it personally.

WaxfordSqueers
January 18th, 2007, 04:47
Quote:
[Originally Posted by toolmanx;63787].... I use "dogpile" to do my search in. I assumed it would look at Google too.
Dogpile used to be really good but it's kind of crappy now. I have the home page of my browser pointed to Google, although I use Yahoo a fair amount. Google seems to have recently added a personal settings feature which allows you to specify the number of searches per page. I set mine to 100 to save flipping pages.

I don't think you'll get nearly the quality of hits with a meta-search like Dogpile as you will using Google directly.

WaxfordSqueers
January 18th, 2007, 05:00
Quote:
[Originally Posted by blabberer;63791]
0.70 - added ring-0 tracer (implementation by Godness).
- IceExt now has it's own loader and doesn't need to be installed as a service.
- project moved to the SourceForge.net.
0.67 - fixed small bug that resulted in incomplability with old DS versions.
0.66 - added DS 3.2 compability (thanks to Devilsclaw for some patterns he sent me).
Good stuff, Blabberer.
A word of thanks to Sten for IceExt and his continued efforts to keep it up to date. Like I said, it's so good it hides Softice from loader32.

toolmanx
January 18th, 2007, 09:38
I agree with you. Dogpile has its problems. I plan to change to Google.

Blabberer hit the nail on the head when he said I must have some crap on my machine. What really bothered me about that was I had just totally rebuilt my hard drive about a week ago. I probably haven't got it all but I am cleaner now.

I'm presently reading through the threads to clean up my IceExt. I changed the heaps to 8000 as recommended but that didn't help. I am about to search more threads and try recommendations before I cry help again. Keep in mind I am learning gobs of stuff as I go.

blabberer
January 18th, 2007, 10:53
Quote:

What really bothered me about that was I had just totally rebuilt my hard drive about a week ago


one week
in one week the zombies out there could turn your computer into a top secret nasa computer that could make the world rotate in reverse direction

http://www.honeynet.org/papers/phishing/

http://www.honeynet.org/papers/phishing/details/uk-timeline.html

toolmanx
January 18th, 2007, 15:43
O.K. I give up. I've read threads till my eyes hurt. When I load IceExt in SoftICE it loads. I've loaded it both by Loader32 and using the self loader. When I hit ! I get an error message.

Loading with the self loader I get a message going in saying "SoftICE is misconfigured. Add KDExtensions Parameter of type REG_SZ under NTIce registry key."

Loading with Loader32 it looks like it's loaded but with ! I get "Extension Command not found"

What KDExtensions Parameter do I load and where? There are several registry entries in the Registry area. I guess I'm totally confused. Maybe I've been at it too long.

I'm presently running SP1 and I don't have KB890859 on my machine. (from one of the threads)

Kayaker
January 18th, 2007, 18:13
Hi, try this. You can pop it into a .reg file and enter the lines by double clicking, or enter them manually.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTice]
"KDStackSize"=dword:00008000
"KDHeapSize"=dword:00100000
"KDExtensions"=""

toolmanx
January 18th, 2007, 19:59
I put all of the above in including the "=" sign and the cmd line load still errored. I then took off the "=" sign. I checked all the control sets and they had the above in. When I loaded then it said loaded successfully and I was elated. I then put in the "!" expecting it to fly. I got "Extension command not found". What do I do now?

WaxfordSqueers
January 19th, 2007, 11:52
Quote:
[Originally Posted by toolmanx;63848]Loading with the self loader I get a message going in saying "SoftICE is misconfigured. Add KDExtensions Parameter of type REG_SZ under NTIce registry key."
I recently posted this thread about that problem:

http://www.woodmann.com/forum/showthread.php?t=9739

I had to change the registry in all of 'ControlSet, ControlSet001, ControlSet002 and ControlSet003' under the Services\NtIce key.

toolmanx
January 19th, 2007, 13:48
To WaxfordSqueers:

I read your thread and changed to 8000. It didn't help. Following your lead, I had checked all of my ControlSets. It was interesting to me that when I changed one, all changed. I have all 4 you mentioned, but the top ControlSet only had my printers in it. All other 3 had NtIce and all changed when I changed #3.

I have since tried Kayaker's suggestions and it looks better. I got a "Completed Successfully" but I guess it wasn't.

WaxfordSqueers
January 20th, 2007, 02:41
Quote:
[Originally Posted by toolmanx;63876]I have since tried Kayakers suggestions and it looks better. I got a "Completed Successfully" but I guess it wasn't.


Kayaker knows more about Softice than I know about walking. I'm just offering some backup suggestions.

Keep pluggin' away...you'll get it eventually. You might have to uninstall IceExt and re-install. Have you tried ver 0.7 yet? If so, make sure the old driver isn't loading.

BTW...did you do a reboot after fixing the registry? I'm asking because some people never shut down their computers.

I didn't catch whether you now have a good install or not. If you run Softice without the X at the end of the initialization string, the window will remain open and you can read in the command window if it encountered any errors while loading.

BTW...how are you loading IceExt? Do you load it manually from the desktop? With the older version 0.67, if you loaded IceExt, I 'think' it loaded Softice at the same time. The new version, 0.7, loads independently of Softice. Assuming you're using XP, if you're loading Softice at boot time, you may have different issues.

WaxfordSqueers
January 20th, 2007, 03:06
Quote:
[Originally Posted by toolmanx;63876]I have all 4 you mentioned, but the top ControlSet only had my printers in it. All other 3 had NtIce and all changed when I changed #3.
I don't know what should have what, but all of mine have the following:

"KDStackSize"=dword:00008000
"KDHeapSize"=dword:00008000
"KDExtensions"=""

By 'ALL', I mean CurrentControlSet, ControlSet001, ControlSet002 and ControlSet003. I may have made a mistake earlier referring to them all as CurrentControlSet. Only one has that name, the rest are just ControlSet001, etc.

If one of your control sets has no NTIce key, you could try Kayaker's method (backup your registry first) and change the name in the key string he provided from CurrentControlSet to the applicable ControlSet name like ControlSet001, etc.

Although my reg had NTIce in all four control sets, IceExt gave me the error message you got about extensions till I manually set them all to 8000.

toolmanx
January 20th, 2007, 08:51
I'll try to answer each of your questions.

I never had any version of IceExt except ver .70 so I can't speak on older versions.

I always load SI manually when I want it. I have an Icon on my Desktop to start it. I am confident that SI is loading perfectly. At least I never get any errors and it seems to be working well based on my limited knowledge. I load IceExt after SI is running.

I wasn't getting a good load on IceExt until I put in Kayaker's suggestions. Then the loader gave me a "Loaded Successfully" message. I can see IceExt as a loaded module in SI after it is loaded.

Interestingly, I get the same message "Extension Command not found" when I put in "!" whether IceExt is in or out.

I noticed that you placed quotes around your lines like Kayaker did. Two of the three lines existed before I started changing the size and did not have quotes so I did not put quotes on my third line. I'll try it and see what happens and also put quotes on the = sign and see what that does. What do I have to lose?

Later info from above---

Quotes caused a load fail again. I did notice something that I had not paid attention to before. The error message I got when I loaded IceExt contained a part about size. When I had added KDExtensions, reg had built a dword and I didn't know any better. I changed to REG_SZ and away we go.

I am not home but I am farther. I am loaded successfully and a "!dump" gives me the info I need to dump. I put it in as instructed and I get an error "Exception occurred while dumping memory". What do I do next?

Later even more learning---

IceExt seems to be working. !help gave me the command names and they sort of work. I tried !dump (see above) and got an error. Then I tried !dumpscreen to a file. It worked. I got a file but all the entries seem to be Chinese symbols. Still need some more ideas and tries from the outside world.
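The registry fixes traded back and forth above come down to one rule that is easy to get wrong in regedit: KDExtensions has to be a string value (REG_SZ, written `"KDExtensions"=""` in a .reg file), while KDHeapSize and KDStackSize are DWORDs (`dword:...`), and the values have to be present under the NTice key of every control set. The checker below is an added example, not code from the thread or from IceExt: it parses a .reg fragment and reports any NTice key where a value is missing or has the wrong type. Both .reg samples are constructed; the first mirrors Kayaker's fragment, the second reproduces the mistake of creating KDExtensions as a DWORD.

```python
"""Check a SoftICE/IceExt .reg fragment for the value types IceExt expects.

Added example (not from the thread or from IceExt). The expected types are the
ones the thread arrives at: KDExtensions as REG_SZ, KDHeapSize and
KDStackSize as REG_DWORD. The .reg text below is constructed sample input.
"""
import re

# In .reg syntax, "Name"="text" is REG_SZ and "Name"=dword:XXXXXXXX is REG_DWORD.
EXPECTED = {
    "KDExtensions": "REG_SZ",
    "KDHeapSize": "REG_DWORD",
    "KDStackSize": "REG_DWORD",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed: the fragment Kayaker posted, as it would be saved in a .reg file.
GOOD_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTice]
"KDStackSize"=dword:00008000
"KDHeapSize"=dword:00100000
"KDExtensions"=""
'''

# Constructed: KDExtensions created as a DWORD by mistake, KDHeapSize forgotten.
BAD_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtIce]
"KDStackSize"=dword:00008000
"KDExtensions"=dword:00000000
'''


def parse_reg(text):
    """Return {key_path: {value_name: (type, raw)}} for a .reg fragment."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                vtype = "REG_DWORD"
            elif raw.startswith('"') and raw.endswith('"'):
                vtype = "REG_SZ"
            else:
                vtype = "UNKNOWN"
            keys[current][name] = (vtype, raw)
    return keys


def check_ntice(keys):
    """List problems (missing value or wrong type) under every ...\\Services\\NTice key.

    Key names are compared case-insensitively, since the thread spells the key
    both NTice and NtIce.
    """
    problems = []
    for path, values in keys.items():
        if not path.lower().endswith(r"\services\ntice"):
            continue
        for name, want in EXPECTED.items():
            if name not in values:
                problems.append(f"{path}: {name} missing")
            elif values[name][0] != want:
                problems.append(f"{path}: {name} is {values[name][0]}, expected {want}")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_REG), ("bad", BAD_REG)):
        print(label, check_ntice(parse_reg(text)) or "OK")
```

Running it prints `good OK` and two complaints for the second fragment: KDExtensions is REG_DWORD where REG_SZ is expected, and KDHeapSize is missing. To check a live machine rather than a file, export each `ControlSet00N\Services\NTice` key from regedit and feed the exported text to `parse_reg`.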

WaxfordSqueers
January 20th, 2007, 18:22
Quote:
[Originally Posted by toolmanx;63891]I noticed that you placed quotes around your lines like Kayaker did. Two of the three lines existed before I started changing the size and did not have quotes so I did not put quotes on my third line. I'll try it and see what happens and also put quotes on the = sign and see what that does. What do I have to lose?

No quotes:

KDExtensions REG_SZ
KDHeapSize REG_DWORD 0x00008000 (32768)
KDStackSize REG_DWORD 0x00008000 (32768)

Quote:
[Originally Posted by toolmanx;63891]I am not home but I am farther. I am loaded successfully and a "!dump" gives me the info I need to dump. I put it in as instructed and I get an error "Exception occured while dumping memory" What do I do next?
This is covered in the archives. The exception is caused by memory being paged out in the memory region you are dumping. My solution is to turn off all windows except the data window containing a dump of the code required. So, toggle wr, wc, ws, etc., and any other data windows not in use.

Using your mouse, drag the required data window till it fills up nearly the entire screen. If you want to dump code area 401000 to 4AC000, do a 'd 401000' (no quotes) in the command window. At the right of the data window, there are two arrows: one fat and one thin. The bottom thin arrow is 'page down' whereas the fat arrow moves one line at a time. There is a way to use the keyboard 'page down' and 'down' arrow.

In your data window, the first address should be 401000. Start paging down one page at a time (it's a bit tedious) till you reach address 4AC000. Then try your !dump command. It should work.

It has never failed for me, but if it does, try dumping smaller chunks of memory using the same method, and use the 'pagein' command. It only pages in a few pages at a time, and the 'page down' arrow is much faster. When you are using 'page down', anytime you see ?? ?? ?? ?? ............. it means that memory is paged out. Page it in with the 'pagein' command, but do it on a paragraph boundary with a zero on the end of the address.

eg. pagein 408800

You will get a few dumps such as dump1.bin, dump2.bin, etc. Paste them together using a hex editor.


Quote:
[Originally Posted by toolmanx;63891]Then I tried !dumpscreen to a file. It worked. I got a file but all the entries seem to be chinese symbols. Still need some more ideas and trys from the outside world.
You've got yourself caught up in a mode of being dependent on others to do your research. What you are asking for is already covered in this thread, never mind the archives. You've got to start thinking for yourself or you will be ignored.

The !dumpscreen command gives a .bmp file. You need another program to convert it to text (already covered in a URL in this thread), or you have to load the dumped file into a 'text' editor and recover the format manually. There is text, in the window format you require, between the chinese symbols. Look closely at it.

toolmanx
January 21st, 2007, 16:25
Your suggestion to close some of the windows worked. I can now dump to a file. I dumped a line of memory that was all text that I could read (English stuff). This is what dumped to my test.dat file:

卤楰䱮捯k敋牔呹䅯煣極敲畑略摥灓湩潌正䬀呥祲潔捁畱物
入敵敵卤楰䱮捯剫楡敳潔祓据h

This is the same stuff that !dumpscreen gave me. Are you sure that there is intelligent stuff in there somewhere? I hand copied 5 hex positions and it had 64 53 70 69 6E which should have been "dspin". If the first 5 positions above are dspin, I'm in deep do do.

My gut tells me I'm about to dump my HD again. I'll hold off dumping until you tell me this is normal stuff or not. I've never had a real !dump yet so I'm a poor judge.

Later----

Wow, this is amazing. When I sent this post, all Chinese symbols appeared to me in the above. I did a "Restore to previous" that took me back before I did a lot of viewing tutorials, etc. Back to just after I rebuilt my HD. Now the symbols in this post read normally. Whatever was happening, you never saw the Chinese, only my computer saw it. I'm glad that is gone. I now have
!dump working properly thanks to your suggestions.

SiGiNT
January 22nd, 2007, 16:24
No you're in deep doo doo, all of the symbols ARE in Chinese.

SiGiNT

(Must be running a Lenovo)

Chinese Simple Translation: Halogen □□□k □□□□□□knocks □slightly □□□□the □□□□□□thing to enter □□the halogen □□□□□□□祓 according to h

Chinese Traditional: □楰 □捯 k □□□□煣 extremely knocks □slightly 摥 □湩 □the □呥 祲 clean 捁 □thing to enter the enemy enemy □楰 □捯 剫 □敳 to be clean 祓 according to h
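The "Chinese symbols" in the dump above are what an 8-bit file looks like when a viewer guesses it is little-endian UTF-16 and pairs the bytes up into 16-bit code units: the five hex bytes toolmanx copied out, 64 53 70 69 6E ("dSpin"), give U+5364 卤 and U+6970 楰, which are exactly the first two characters he pasted, and the text behind the whole line is a run of NUL-separated names of the form KeTryToAcquireQueuedSpinLock. The script below is an added example, not code from the thread; the sample bytes are constructed to match that pattern. It reproduces the mis-decoding, gives a heuristic for recognising it, and reverses it by re-encoding the "Chinese" text as UTF-16LE to get the original bytes back, which is what the find/replace on odd characters later in the thread does by hand.

```python
"""Why a file of plain ASCII can display as CJK ideographs, and how to undo it.

Added example (not from the thread). SAMPLE is constructed: ASCII names
separated by NUL bytes, the pattern the dump in the thread begins with.
A viewer that guesses little-endian UTF-16 pairs the bytes into 16-bit units,
so "dS" (0x64 0x53) becomes U+5364, which renders as 卤.
"""

SAMPLE = b"dSpinLock\x00KeTryToAcquireQueuedSpinLock\x00"  # constructed


def as_utf16le(data):
    """Decode raw bytes the way a viewer that guesses UTF-16LE would."""
    if len(data) % 2:
        # Odd length: pad so every byte is paired (a simplification for the demo).
        data = data + b"\x00"
    return data.decode("utf-16-le", errors="replace")


def looks_like_misdecoded_ascii(text):
    """Heuristic: every 16-bit unit is made of two bytes that are NUL, tab,
    CR/LF or printable ASCII. Genuine CJK text can pass this too when its
    code units happen to be ASCII byte pairs, which is exactly why
    encoding-guessing viewers get this wrong; treat a True result as a hint."""
    for ch in text:
        cu = ord(ch)
        for b in (cu & 0xFF, cu >> 8):
            if not (b == 0 or 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)):
                return False
    return True


def recover_ascii(text):
    """Undo the mis-decoding: re-encode as UTF-16LE to recover the original
    bytes, then keep only printable ASCII and split on the rest. This is the
    automated form of the manual find/replace on odd characters described
    later in the thread."""
    raw = text.encode("utf-16-le")
    return "".join(chr(b) if 0x20 <= b < 0x7F else " " for b in raw).split()


def hex_as_text(hexstr):
    """Show what a run of hex bytes reads as in plain ASCII, e.g. '64 53 70 69 6E'."""
    return bytes.fromhex(hexstr).decode("ascii", errors="replace")


if __name__ == "__main__":
    garbled = as_utf16le(SAMPLE)
    print("as UTF-16LE :", garbled)
    print("misdecoded? :", looks_like_misdecoded_ascii(garbled))
    print("recovered   :", recover_ascii(garbled))
    print("64 53 70 69 6E =", hex_as_text("64 53 70 69 6E"))
```

The first printed line starts with 卤楰䱮捯k, the same characters as the dump in the thread, and the recovered list is `['dSpinLock', 'KeTryToAcquireQueuedSpinLock']`. The practical check when a dump "turns Chinese" is therefore to open it in a hex editor, or to run it through `recover_ascii`, before concluding anything about the memory that was dumped.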

WaxfordSqueers
January 22nd, 2007, 19:53
Quote:
[Originally Posted by toolmanx;63914]Your suggestion to close some of the windows worked. I can now dump to a file. I dumped a line of memory that was all text that I could read (English stuff). This is what dumped to my test.dat file:

卤楰䱮捯k敋牔呹䅯煣極敲畑略摥灓湩潌正䬀呥祲潔捁畱物
入敵敵卤楰䱮捯剫楡敳潔祓据h

This is the same stuff that !dumpscreen gave me. Are you sure that there is intelligent stuff in there somewhere?
It doesn't look like it from the sample you have provided. What are you using for a text editor? Notepad won't work. It is useless, even for text editing, and should be used only for reverse engineering experiments. You need a proper text/hex editor like Ultra Edit.

Let's back up. Your initial problem was not being able to print the Softice screen to a USB printer. I assume you're still trying to get a printable format of a Softice screen.

!dumpscreen will dump the Softice window to a .bin file. Using Ultra Edit, you can load the file in 'text' format (not hex format) and see the entire Softice screen in bits and pieces. It's easier to see the components of the Softice window in hex format, however, but you need the text editor to reformat it. The window is unformatted with no linefeed/carriage returns. There are a lot of non-ASCII characters mixed into it.

Using a search/replace on the squares, with the square copied to the 'Find what' input and nothing in the 'replace with' input, (repeated twice), you get this:

EAX=00000000 EBX=7FFD9074 ECX=00000000 EDX=000D0001 ESI=00400000

It's plain to see that is the top line of the register window. In fact, just two search/replaces on the squares gives you a very clear format of the entire window. Two more search/replaces on squares and an alpha character makes the entire layout of the softice screen very legible. All you have to do then is search manually for recognizable parts of the window, like a code window or data window address.

Putting the cursor at the beginning of an address and hitting 'enter', places the entire line of the register, data or code window at the left-hand side of the text editor window where they should be. With the format roughly in place, it is then a matter of cleaning up using search/replace and manual editing.

I don't know what you've done above, but it seems you have mixed up the !dump command with the !dumpscreen command. You can't dump a line of memory with the !dumpscreen command, it dumps the entire window. The !dump command is intended for dumping the binary 'content' of a memory location. There won't be any ASCII in it because all the ASCII will be in its HEX format. If you have a hex editor, it will kindly convert the hex to ASCII in the right hand column, just as Softice does in its data window. That's not what is stored in memory, hence not what is dumped with !dump.

The !dump command is used to dump memory after it is loaded from a file on disk. You can use that dump to replace code in a file that has been deliberately obscured to prevent it being loaded in a disassembler. For example, an IAT table. The !dumpscreen command is what you need if you want to print to a USB printer.

If you're trying to dump the Softice screen, I don't see how you're getting Chinese characters, unless you've got a Chinese version of Softice.

There's a lot easier way to deal with the !dumpscreen file using the command-line tool, Siwrender. It takes the raw output file of !dumpscreen and makes a bmp file out of it. The bmp file is a perfect copy of the Softice screen, colour and all. I find my method is better for me. It saves fiddling with a bmp file, trying to get it into printable format.

Kayaker
January 22nd, 2007, 21:48
Why don't you check this out, a well written step by step guide to Softice:

The big SoftICE howto

This essay discusses the installation & configuration of the debugger, the most useful commands SoftICE offers, a rocking extension called IceExt, as well a categorized list of good breakpoints. For a better understanding screenshots are placed at distinctive points.

http://www.reconstructer.org/papers/The%20big%20SoftICE%20howto.pdf

Kayaker

toolmanx
January 23rd, 2007, 08:41
Thanks guys. I'll check out that recommended pdf. I learn something new from every tutorial I read.

To Waxfordsqueers: Thanks for the input. It's too bad that you could not see the Chinese characters on your screen like I had. It turned out they only showed on my screen. It screwed with my head at a time when I was getting a little impatient. I want to get started on clearing Securom from my map maker program and each failure I have to work with stretches that out. I had been reading a tutorial that had Chinese in it and somehow my machine got messed with.

WaxfordSqueers
January 24th, 2007, 15:23
Quote:
[Originally Posted by toolmanx;63958]It's too bad that you could not see the Chinese characters on your screen like I had....snip...I want to get started on clearing Securom from my map maker program and each failure I have to work with stretches that out....snip... I had been reading a tutorial that had Chinese in it and somehow my machine got messed with.
Once again, I'm not trying to be rude or insensitive, but you don't seem to understand what you're dealing with. My opinion is reflected in the fact that you have received good advice from several people on how to proceed, yet you continue to ignore that advice. How you plan to deal with Securom, one of the harder protections, is beyond me.

Chinese characters just don't appear in a file from an IceExt dump from reading a tutorial, and a normal tutorial is not going to mess with your machine. The characters might appear if you had loaded the tute earlier and had dumped the wrong area of memory. The other alternative is that you loaded an executable file purporting to be a tutorial.

Some tutes come as exe files, which should be regarded very suspiciously as possible sources of a virus. Others come in Word format (doc) or chm format, both of which can introduce a virus. Even a jpg file, prior to the SP2 upgrade on XP could introduce a virus. Still, what you are describing doesn't sound like the work of a virus.

If a virus was introduced, then running a good antiviral program like Kaspersky AVP would no doubt reveal the virus. As far as I know, you haven't done that. There's a free app called 'Hijack This' which will reveal a virus installing a runtime loader in the registry. 'Autoruns' from Sysinternals gives an even more comprehensive readout. These are steps an experienced reverser would take rather than claiming how something got on his/her machine was beyond him/her.

You claimed earlier to be looking for an exotic way to print the Softice screen to a USB printer. Now you claim it's beyond you how those Chinese characters got there. What you are saying in effect is that you're in over your head. All of us have been there, and there's no shame in that, but you'll always be there til you slow down and try to understand what is going on.

The Chinese characters have nothing to do with the !dumpscreen command unless there were Chinese characters in the Softice display. If you don't understand that, stick with it til you do. They could have been in the app you were trying to dump with the !dump command, but you didn't say what you were trying to dump. If you dumped pure code there would be no Chinese characters in it. You could have tested that by checking for pure code around 401000 and dumping that. You claimed to have dumped text that you recognized. If you recognized it, and you speak English, there's no way the dump would be in Chinese.

If you don't understand what me and others are trying to tell you, you should put your Securom reverse on hold til you do. It seems obvious that you have dumped the wrong area of memory. Instead of rushing off to try something else, you should stick with the IceExt dump til you get it right. You seemed to be making progress. Forget about the Chinese characters. Go back and do several dumps, comparing them each time to what is actually in memory. Or, compare them to a disassembly of the app in IDA, provided the app isn't packed.

toolmanx
January 25th, 2007, 08:12
Note to WaxFordSqueers:

I found out how my machine put Chinese characters in place of regular characters. I was searching for SIWRender and ended up with several posts with Chinese and English in them. The same thing that had happened to me when looking at tutorials earlier. A box appeared and asked me if I wanted to read the information. This time I knew better. First time I didn't. If you say yes, XP will interpret but in the wrong direction. You get Chinese.

I have HijackThis. Of course this problem didn't show up in HJT. My machine was changing certain hex into Chinese. The problem is it doesn't stop on reboot. Once in, it's in. I had to use "Restore to an earlier time" to clean off the interpreter.

The reason you could not see the Chinese was only my machine was printing it to screen. You were receiving the hex which looked normal.

I have to admit, I didn't even know my machine could do what it did. I'll bet a lot of other guys don't know that either. The secret: don't answer yes if there is a foreign language and English both in one post and you are asked if you want to read it.

toolmanx
January 29th, 2007, 09:15
Woodmann has been off the air for a while. Missed you.

For all those that have been mesmerized by the on going saga of my
learning first how to get SoftICE and IceExt up and running. Then the
baby steps as I start breaking into my Securom protected disk, here
is an update.

I am running and tracing thru my program. My Securom is
ver. 5.03.13.0022 which appears to be not old but not the latest
either. Some of the problems others have enjoyed fighting with have
not been there for me so far. I can break on "writeprocessmemory" and
"GetdrivetypeA" without any shut downs. I can also break as I load my
main module and I can break on "Autorun" which starts the Securom
and the preloading of some smaller files.

I have "!dumpscreen"ed all of the important screened files and have
succeeded in adjusting the .bin's to readable stuff but (hate to admit
it) I have used my trusty Olympus to give me instant gratification too.

It appears that my programs on the disk are packed with Petite.
I haven't had to unpack anything manually yet because I just let it
unpack and load my machine before I start tracing.

This looks like it will be a long process but I am having fun
learning as I go.

I finally got my head out of my butt and discovered the program
I wanted to play with (SIWRender) was already on my computer. I am
still working on getting SIWRender to work the way I want but it
does work.

Later---

SIWRender works with the bin's provided by SIWRender but not with "my" screen dumps. Looking at the dumps, it is obvious that my dumps are very different than the example dumps. May be from my resolution or may be because my IceExt doesn't like XP Sp1. Thank you Olympus.