DS3 not breaking
Hi,
DS3 isn't breaking on bpx or bpm at all. Any clue is appreciated. Thanks.
Have you enabled 'NTSYMBOLS=ON' yet?
To be honest - I have exactly the same problem. Well, maybe not "exactly".
I'm loading a very small test program (BTW, Symbol Loader now stops at the entry point!), do bpm x and it is OK! Later on I do bpx MessageBoxA (bl shows me that everything is OK, I have NTSYMBOLS=ON and I have a valid path to user32.dll in my winice.dat) and NOTHING happens. I don't think it is a bug in Soft-Ice. I might be missing something... I don't know what :((( BTW, the usual bpx on a certain address is working fine!
Piece of shit!
bpx MessageBoxA is NOT working... but bpx ExitProcess is working fine! What the hell?
Piece of shit twice!
Seems to me either there is something wrong with my head or Soft-Ice doesn't work stably with breakpoints!
To Bimode
Thanks for the reply. Yes I did, and I also used the symbol retriever util. with no luck. britedream
Same problem here guys.
It will not break at all :( I set the first breakpoint, click on the desired program, but Ice will not break and will not pop up by itself. Finally my mouse works with this version, but Ice is useless this way. Hope that there will be a fix. ysco.
I have found the issue. To get this to work, you must create/enable the breakpoint while in the address context of the process that will actually call the function you want to break on.

You can see your current address context in the bottom-right of the SI window; I think it is always Idle when you Ctrl+D. As an example, I wrote a quick Delphi app to test this (just a button on a form that calls MessageBoxA); it's called Project1. When I Ctrl+D, my address context is Idle. If I bpx MessageBoxA now, pressing the button on my form will show the messagebox without breaking. But if I Ctrl+D, then do ADDR Project1 (or, if I have more than one process running called Project1, I can do PROC, see the Process ID of the instance I want to break, and do ADDR <Process ID>), then do bpx MessageBoxA, when I press the button on my form it breaks correctly. Also, if you already have a breakpoint, instead of clearing the breakpoint and recreating it in the right address context, you can just disable it and then re-enable it in the right address context (less typing! :)).

As far as I know, you had to do this same thing to get breakpoints to work in SoftICE 2.7. At least I did. That's how I knew what the problem was, since I had to figure this out while using 2.7 :cool:.

One thing I discovered is, when you run an app through Symbol Loader and SI breaks on the entry point, even though SI says you're in the right address context, if the PROC command shows more than one process with the name of the process you're debugging, you still have to manually do ADDR <process id>. I found that while Delphi was open, PROC listed two or more Project1 processes, one being my real running process, and the others having a status of Deleting. When I loaded my app through SL and immediately did bpx MessageBoxA, it didn't break properly. But if I loaded my app through SL and did ADDR <my running process id>, it worked. Once I closed Delphi and loaded my app, PROC only showed one instance of Project1 (the one with the status of Deleting was no longer there), and immediately setting my bpx without doing ADDR worked.

So, the rule here is: if PROC shows more than one process with the name of the process you're debugging, you always have to type ADDR <process id> before setting any breakpoints, regardless of what SI says your current address context is! Since every time you press Ctrl+D your address context is Idle, I find it useful when debugging an app to write a quick macro (I call mine AC) that just does ADDR <name/id of process I'm debugging>. Then, every time I hit Ctrl+D, I just type AC to get in the right address context, and breakpoints etc. work correctly. Let me know if my explanation is too confusing, or if you find a better solution.
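The procedure described in the post above, written out as a SoftICE command session. This is an added illustration, not part of the thread. The process name Project1 comes from the post; the PID is a placeholder to be read off the PROC listing, the macro name AC follows the post, and the ATTACH/DETACH lines use the command the same poster describes later in the thread. Lines starting with ';' are explanatory and are not typed into SoftICE.

```text
; Step 1: find the right process (there may be a second Project1 with status "Deleting")
:PROC
; Step 2: switch the address context to the live instance (placeholder PID)
:ADDR <pid-of-Project1>
; Step 3: set the breakpoint while that context is active
:BPX MessageBoxA
; Step 4: confirm it is installed, then leave SoftICE; it fires when the button is pressed
:BL
:X

; Every Ctrl+D returns the context to Idle. Either re-enter it with a macro...
:MACRO ac = "ADDR Project1"
:AC
; ...and, for a bpx that already exists, disable/re-enable it in the right context
:BD 0
:BE 0

; ...or set the default context once so SoftICE switches to it on every pop-up
:ATTACH Project1
; and clear it when finished with that process
:DETACH
```

The check worth keeping from this flow is BL after BPX: if the breakpoint was set while the context was Idle, BL still lists it, which is why the bpx looks fine yet never fires.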
Isn't this why programs like SuperBPM were created - to address this very issue?
I have found a command in SoftICE to automate the whole ADDR thing. The ATTACH command lets you set the default address context and symbol table to change to when SoftICE pops up. This eliminates the need to manually (with ADDR or with a macro) set your address context every time you go into SoftICE. The DETACH command then clears any attached address contexts.
Satyric0n
Your explanation is clear, thanks. But! It means I have to have Ice in the necessary context, which automatically makes many tricks useless! :(
Thanks for the info Satyric0n, but Ice must be able to work like it worked in the previous versions. I think I'll install Ice 4.05 again; that one worked OK in XP, but only my mouse wasn't supported.
I can't believe that this is the way 3.0 must work. There is some kind of bug in it. I have tried to set some macro but I can't get it to work :confused: ysco.
This problem exists in all versions, DS2.7 and later, when using win2k/xp/2003.
I've used all these versions on these OSs. ICE cannot work like it did previously. :mad: So, many times, I use DS2.7 in win98 to do my cracks. Just as mentioned by Satyric0n, using DS on Windows 2k/xp/2003 is very annoying. I found ICE can work occasionally without a preceding ADDR/ATTACH on my Windows 2003. But it's still very, very annoying. :mad:
Maybe a solution....
Hi guys,
I haven't installed DS 3.0 yet, but I encountered this problem in DS 2.7. I found a way around it: open the Symbol Retriever (comes with the SoftICE package) and download the symbols for the file ntoskrnl.exe. When finished, exit the Symbol Retriever. Now you have a folder in c:\ named c:\nmsout (unless you told the retriever to put the downloaded symbols someplace else). Open up winice.dat and add the following line: LOAD=C:\nmsout\ntoskrnl.nms When you reboot and restart SoftICE, it should now react to breakpoints. At least, this worked for me. If not, use the method described by Satyricon. It should work every time. regards, hobgoblin
@Hobgoblin,
Hi..:) This is similar to the one Volodya mentioned above. I am using this trick but it is not breaking even on BPX GetWindowTextA. I'm on W2k Adv Server with SP4. I installed the SP4 patch d/led from the Compuware Support site, but no luck. With regards,
Thanks also for the info hobgoblin. I tried to download the files from _http://msdl.microsoft.com/download/symbols but the site will not load. Can you send me the symbols? I don't know how big they are. Please let me know.
Thanks in advance. ysco. You can send it to [email protected]
I plan on trying hobgoblin's suggestion (thanks hobgoblin!); I will report here whether or not it works for me. (And to ysco: to get the symbols, either use the Symbol Retriever that comes with SoftICE, or go to hxxp://www.microsoft.com/whdc/ddk/debugging/symbols.mspx and download Microsoft's debugging tools.)
Satyric0n
Let me clarify the situation for you. Suppose you are researching ntdll.dll. Let it be the LdrLoadDll function. Previously you only needed to do Ctrl+D, bpx LdrLoadDll, and that's it and that's all. Now you have to go to the page of LdrLoadDll, write down the PHYSICAL address and put CC over there MANUALLY! Isn't it a pain in the ass?
hobgoblin is correct: you get the symbols by using the Symbol Retriever; get the symbols for ntoskrnl.exe.
Then add the symbol file to the list of symbols to be loaded at boot time, by using the nice DS2.7 settings dialog box. Go to Start->Programs->Compuware->SoftICE->Settings. There will be an option for symbols. Add the symbol file you just downloaded to the list box. Then go to "Advanced" and add an NTSYMBOLS=ON string. Done. Reboot. I've had to do this with each DS release, AND if you apply a service pack to your Windows you'll have to get a new symbol file! It ain't rocket science!! -Lunar
So, unless you need to set a break on that function when any process in the system calls it (in which case, just hook the API call and set a breakpoint in the hook function), I don't see what's so bad about just using ATTACH... Or maybe I'm still missing the point? :confused: EDIT: Are you saying that you can set the bpx but it doesn't break correctly (this is what I assumed you meant previously), or that you can't even set the bpx at all? If you can't even set the bpx (by name), you just need to go to the SoftICE Initialization->Exports tab, put ntdll.dll (for your LdrLoadDll example) in the list and reboot. (I put ntdll, kernel32, user32, gdi32, etc. in this list, for a total of about 15 files.)
ntoskrnl.exe symbols
I have just tried what hobgoblin and Lunar_Dust suggested, using Symbol Retriever to get the ntoskrnl.exe symbols and loading them upon boot. I see no difference whatsoever to the way things worked previously for me; you still have to set the appropriate address context before setting a breakpoint, either using ADDR or ATTACH (preferred, and very easy for all you naysayers, since you only have to do this once per process name).
This is the way I have SoftICE set up, and it seems to be working fine (assuming you don't consider the fact that you have to set your breakpoints in the appropriate address context to be a problem, as Squidge and I don't): on the SoftICE Initialization->Exports tab, I simply added the following files to the list: advapi32.dll, comctl32.dll, comdlg32.dll, gdi32.dll, hal.dll, kernel32.dll, msvcrt.dll, ntdll.dll, ntoskrnl.exe, ole32.dll, shell32.dll, user32.dll, version.dll, and then also some other files that are specific to my machine/configuration. Again, loading the symbols for ntoskrnl.exe made no difference whatsoever on my machine; everything worked just the same as if I hadn't loaded those symbols. I realize now that I have always set my exports before using SoftICE, and I have never loaded the symbols for ntoskrnl.exe before. So the fact that loading the symbols for ntoskrnl.exe now made no difference at all makes me wonder if doing that is unnecessary if you just set your exports as I described?
No difference found. I think this is NOT A BUG of SI. Maybe it's because of some reason of the OS & LDT & GDT etc. Maybe, using SI on Windows NT/2K/XP/2003, we must use the ADDR/ATTACH cmd. Maybe, on Windows NT/2K/XP/2003, we cannot set a bpx that breaks any process that hits it. I'll study the manual of DS and something related.
I have a problem still.
How to use the cmd HWND & BMSG? When using DS2.7 under Windows 98, I always use the cmds like this:
-----------------------------------------------------------------------------
PROC SomeProc // get the PID and the TIDs of its sub-threads
THREAD thePID // get the TIDs of it
HWND aTIDofIT // get a list of the HWNDs of the thread
BMSG aHWNDofIT WM_COMMAND if......
-----------------------------------------------------------------------------
But now, using DS3.0 under Windows 2003, the HWND cmd CANNOT get the HWNDs of a Process/Thread, so BMSG CANNOT be used. I've tried to use Spy++ to get the HWND of some window, then use the BMSG cmd with this HWND. It said: Invalid window handle. I've also tried to use a test program written by myself which tells me the HWND returned by its CreateWindowExA, and then I use the HWND cmd with the handle it tells me; it still said: Invalid window handle. Then I use attach/addr and use HWND. It still said: Invalid window handle. Sigh!!! :o :o
I assure you that DS2.7 works fine and correctly on both Windows 2000 and Windows XP concerning BPX. Like I've said before, you have to use Symbol Retriever for your particular ntoskrnl.exe, and of course add the DLLs you are interested in to the Exports dialog of SoftICE (as well as ntoskrnl.exe itself too).
You can even load any DLL after boot by just using the Symbol Loader. Here is something for you to try: go into SoftICE. Type "u messageboxa" (assuming first, of course, that you've loaded user32.dll into either Symbol Loader or the Exports dialog at boot time). Do you see any valid code come up? If you don't have the correct ntoskrnl.exe symbol file, or it's not being loaded correctly, you won't see any code. You'll see that it's supposed to be an export, but there won't be any code in the code window that looks correct at all. THIS MEANS the symbol file isn't working and you didn't set it up right. This is how I always test my new SI installations to make sure they look correct. As far as BP on the HWND, you can't be in the Idle process to use it. You have to "PROC", and then "ADDR" to some process with a window, and now you should be able to set such a breakpoint... some may not like the ADDR. I am telling you that ADDR is NICE. You could never do such a thing on win98. Using ADDR you can set BPXs in a process without having to first break into it. It's much more convenient. Here are at least the minimum exports you need in the dat file:
EXP=\SystemRoot\System32\ntoskrnl.exe
EXP=\SystemRoot\System32\ntdll.dll
EXP=\SystemRoot\System32\kernel32.dll
EXP=\SystemRoot\System32\user32.dll
-Lunar
Well, the case with DS3.0 is that doing U MessageBoxA shows the right code (and this is without loading any symbols, only exports). But regardless, bpxs are still not global to all processes; they only apply to the process whose address context is active when you actually set the bpx.
Again, I personally don't consider this to be a problem; on the contrary, I prefer this over the way it used to be. But for those who want the bpxs to be global, I do not see a way to do this any more.
A thought..
Just my two cents....
I don't think this is a bug in Sice either. It is probably working as it should be. As Satyricon and Squidge are posting, I don't see this as a problem. On the contrary, I see this as a nice detail. As I said, just my two cents.... hobgoblin
Not really.. Just write an app that you know will call LdrLoadDll (either some framework function will call it or you can call it yourself), run that app, ATTACH to that app, and set the bpx.
You, of course, know that ntdll.dll is AUTOMATICALLY being projected into the address context of the process before Symbol Loader pops up, before main, before everything. And it is not reasonable at all to create any Native API application. So I myself will try to play with Lunar_Dust's suggestion. Unfortunately it seems to be the only real way...
OK. I don't like your idea with the Native API app; it is just not reasonable to create even a very small app for Native API testing, especially if I don't know the parameters of the function.
So, how it worked with the previous GOOD Soft-Ice: you do Ctrl+D (Soft-Ice pops up hell knows where) and set up a bpx on, shall we say, LdrpProcessRelocationBlock. No one really knows how it is possible to set up a GENERAL breakpoint on ANY process in Windows NT+ (with 9x everything is easy). So you launch your app and everything is fine: Soft-Ice pops up on the bpx and everything is working. Now what? You can't set up the bpx in the address context because there is no address context (well, actually in the case of bpx there is, but obviously long before main()), you can't do your ATTACH macro, which is, of course, nice, but the general behaviour of Ice is so bad now that I just don't know what to do. Pity I don't have enough time to disassemble Ice itself.
Thanks for all the info guys. I have played with it and addr is indeed easy, so my problem is solved. Thanks again for all the info that you guys have given ;)
ysco.
I have downloaded the corresponding ntoskrnl.nms and added the following lines to WINICE.DAT and rebooted, but BPX breakpoints are still not working.
NTSYMBOLS=ON
LOAD=C:\nmsout\ntoskrnl.nms
I'm using Chinese Win2k Adv Server SP4.
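The thread scatters the winice.dat settings across several posts: NTSYMBOLS=ON (bimode), LOAD= for the ntoskrnl.nms fetched with Symbol Retriever (hobgoblin), and the EXP= lines for the minimum exports (Lunar, with Satyric0n's longer list). Collected here as one fragment, as an added example and not a file posted in the thread. The C:\nmsout path is Symbol Retriever's default output folder as hobgoblin describes it; the gdi32 and advapi32 entries are taken from Satyric0n's list; the last post above has only the first two lines, which on Lunar's account is not enough on its own.

```text
; winice.dat fragment assembled from this thread (added example, not the poster's file)
; Symbols for the kernel image, per bimode and hobgoblin; the .nms must match
; the installed ntoskrnl.exe (a service pack means a fresh download, per Lunar)
NTSYMBOLS=ON
LOAD=C:\nmsout\ntoskrnl.nms

; Minimum exports per Lunar; without these, "bpx MessageBoxA" cannot be set by name
EXP=\SystemRoot\System32\ntoskrnl.exe
EXP=\SystemRoot\System32\ntdll.dll
EXP=\SystemRoot\System32\kernel32.dll
EXP=\SystemRoot\System32\user32.dll

; Additional modules from Satyric0n's list, one EXP= line per DLL
EXP=\SystemRoot\System32\gdi32.dll
EXP=\SystemRoot\System32\advapi32.dll
```

After the reboot, Lunar's check applies: "u messageboxa" in SoftICE should show real code for the export; if it shows nothing sensible, the symbol or export lines are not being loaded. Even with this file correct, the bpx still only fires for the process whose address context was active when it was set, so ADDR or ATTACH is still required before setting it.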