Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 11-01-2023, 16:42
BlackWhite BlackWhite is offline
Friend
 
Join Date: Apr 2013
Posts: 81
Rept. Given: 4
Rept. Rcvd 14 Times in 6 Posts
Thanks Given: 12
Thanks Rcvd at 48 Times in 21 Posts
BlackWhite Reputation: 14
Fix S-ICE 2.80 to Let It Update User Screen on Every Step

S-ICE 2.80 has a bug which concerns with denying updating user screen when we command p to step over one instruction, for example, the following code will not have the expected result if we step it from 684:0000 to 684:001A, neither the data window nor the user screen will be updated.

Code:
EAX=00000000  EBX=00000000  ECX=00000000  EDX=00000000  SP=FFFE
EBP=00000000  ESI=00000000  EDI=00000000  FS=0000  GS=0000
DS=0674  ES=0674  SS=0684  CS=0684  IP=0000  o d I s z a p c t
--------------------------------------------------------------------------
B800:0000  20 07 20 07 20 07 20 07-20 07 20 07 20 07 20 07   . . . . . . . .
B800:0010  20 07 20 07 20 07 20 07-20 07 20 07 20 07 20 07   . . . . . . . .
--------------------------------------------------------------------------
0684:0000 B800B8          MOV     AX,B800
0684:0003 8EC0            MOV     ES,AX
0684:0005 BF0000          MOV     DI,0000
0684:0008 B041            MOV     AL,41
0684:000A B471            MOV     AH,71
0684:000C B9D007          MOV     CX,07D0
0684:000F 268905          MOV     ES:[DI],AX
0684:0012 83C702          ADD     DI,+02
0684:0015 83E901          SUB     CX,+01
0684:0018 75F5            JNZ     000F
0684:001A B401            MOV     AH,01
0684:001C CD21            INT     21
0684:001E B44C            MOV     AH,4C
0684:0020 CD21            INT     21
If we set a breakpoint at 684:001A and command x, then the code will
have the expected result, both of the data window and the user screen
will be updated well.

So I debug S-ICE in Bochs and compare the code for command x with that
for command p, and finally figure out the variable which controls whether to
update user screen.

Here are the solution and analysis(Because I have no privilege to upload
an attatchment, the screenshots and the patched exe are not available).

(0) How to fix
Code:
Search hex bytes : C6063D5F01 
Replace them with: C6063D5F00
(1) ds:[5F3D] controls whether to recover & back up user screen
Code:
0040:0000EEE2(00FAFEF2) 33C0                xor ax, ax
0040:0000EEE4(00FAFEF4) C606385FFF          mov byte ptr ds:[0x5F38], 0xFF
0040:0000EEE9(00FAFEF9) C6063D5F01          mov byte ptr ds:[0x5F3D], 0x01; command p will set it to 1
                                                                          ; which means no need for 
                                                                          ; recovering & backing up
                                                                          ; user screen
0040:0000EEEE(00FAFEFE) 803EE1C202          cmp byte ptr ds:[0xC2E1], 0x02
0040:0000EEF3(00FAFF03) 7520                jnz 0xEF15
0040:0000EEF5(00FAFF05) C6063F5F01          mov byte ptr ds:[0x5F3F], 0x01
0040:0000EEFA(00FAFF0A) B82600              mov ax, 0x0026
0040:0000EEFD(00FAFF0D) E8C66D              call 0x5CC6
0040:0000EF00(00FAFF10) A3F063              mov word ptr ds:[0x63f0], ax
0040:0000EF03(00FAFF13) B82A00              mov ax, 0x002A
0040:0000EF06(00FAFF16) E8BD6D              call 0x5CC6
0040:0000EF09(00FAFF19) A3EE63              mov word ptr ds:[0x63ee], ax
0040:0000EF0C(00FAFF1C) B83200              mov ax, 0x0032
0040:0000EF0F(00FAFF1F) E8B46D              call 0x5CC6
0040:0000EF12(00FAFF22) A3F263              mov word ptr ds:[0x63f2], ax
0040:0000EF15(00FAFF25) 33C0                xor ax, ax
0040:0000EF17(00FAFF27) C3                  ret
(2) If ds:[5F3D]==0 then do recovering user screen from S-ICE's buffer
Code:
0040:00000356(00FA1366) C606385F00          mov byte ptr ds:[0x5F38], 0x00
0040:0000035B(00FA136B) E8F5C3              call 0xC753
0040:0000035E(00FA136E) E89FE2              call 0xE600
0040:00000361(00FA1371) 803E385F00          cmp byte ptr ds:[0x5F38], 0x00; FF
0040:00000366(00FA1376) 74EE                jz 0x0356
0040:00000368(00FA1378) 803E30E500          cmp byte ptr ds:[0xE530], 0x00; 00
0040:0000036D(00FA137D) 750E                jnz 0x037D
0040:0000036F(00FA137F) 803E3D5F00          cmp byte ptr ds:[0x5F3D], 0x00; if(byte ptr ds:[5F3D]==0)
0040:00000374(00FA1384) 7407                jz 0x037D                     ; ==>037D
0040:00000376(00FA1386) 803E3E5F00          cmp byte ptr ds:[0x5F3E], 0x00; 00
0040:0000037B(00FA138B) 7403                jz 0x0380
0040:0000037D(00FA138D) E8120B              call 0x0E92; recover_user_screen_from_sice_buffer
0040:00000380(00FA1390) 07                  pop es
0040:00000381(00FA1391) B001                mov al, 0x01
0040:00000383(00FA1393) C3                  ret 
  ||
 \||/
  \/
;*recover_user_screen_from_sice_buffer
0040:00000E92(00FA1EA2) 803EC10A00          cmp byte ptr ds:[0x0AC1], 0x00; 00
0040:00000E97(00FA1EA7) 0F851200            jnz 0x0EAD
0040:00000E9B(00FA1EAB) 6651                push ecx
0040:00000E9D(00FA1EAD) B80000              mov ax, 0x0000
0040:00000EA0(00FA1EB0) BB0100              mov bx, 0x0001
0040:00000EA3(00FA1EB3) E8D50D              call 0x1C7B
0040:00000EA6(00FA1EB6) 6659                pop ecx
0040:00000EA8(00FA1EB8) E8200D              call 0x1BCB
0040:00000EAB(00FA1EBB) EB05                jmp 0x0EB2
0040:00000EAD(00FA1EBD) C606791001          mov byte ptr ds:[0x1079], 0x01
0040:00000EB2(00FA1EC2) B80100              mov ax, 0x0001
0040:00000EB5(00FA1EC5) BB0000              mov bx, 0x0000
0040:00000EB8(00FA1EC8) E8C00D              call 0x1C7B; do_recover_or_backup 
0040:00000EBB(00FA1ECB) C3                  ret 
  ||
 \||/
  \/
;*do_recover_or_backup 
0040:00001C7B(00FA2C8B) F606507A80          test byte ptr ds:[0x7A50], 0x80; 00
0040:00001C80(00FA2C90) 741F                jz 0x1CA1; ==>1CA1
0040:00001C82(00FA2C92) 0BC0                or ax, ax
0040:00001C84(00FA2C94) 751A                jnz 0x1CA0
0040:00001C86(00FA2C96) 0BDB                or bx, bx
0040:00001C88(00FA2C98) 7516                jnz 0x1CA0
0040:00001C8A(00FA2C9A) B061                mov al, 0x61
0040:00001C8C(00FA2C9C) E620                out 0x20, al
0040:00001C8E(00FA2C9E) E800FF              call 0x1B91
0040:00001C91(00FA2CA1) B064                mov al, 0x64
0040:00001C93(00FA2CA3) E6A0                out 0xA0, al
0040:00001C95(00FA2CA5) E8F9FE              call 0x1B91
0040:00001C98(00FA2CA8) B062                mov al, 0x62
0040:00001C9A(00FA2CAA) E620                out 0x20, al
0040:00001C9C(00FA2CAC) E8F2FE              call 0x1B91
0040:00001C9F(00FA2CAF) FB                  sti 
0040:00001CA0(00FA2CB0) C3                  ret 
0040:00001CA1(00FA2CB1) 55                  push bp
0040:00001CA2(00FA2CB2) 83EC04              sub sp, 0x0004
0040:00001CA5(00FA2CB5) 8BEC                mov bp, sp
0040:00001CA7(00FA2CB7) 894600              mov word ptr ss:[bp], ax
0040:00001CAA(00FA2CBA) 895E02              mov word ptr ss:[bp+0x0002], bx
0040:00001CAD(00FA2CBD) 83F902              cmp cx, 0x0002; cx=1
0040:00001CB0(00FA2CC0) 7402                jz 0x1CB4     ; no
0040:00001CB2(00FA2CC2) 33C9                xor cx, cx
0040:00001CB4(00FA2CC4) E85300              call 0x1D0A; CF=0
0040:00001CB7(00FA2CC7) 724C                jb 0x1D05  ; no
0040:00001CB9(00FA2CC9) 33C0                xor ax, ax
0040:00001CBB(00FA2CCB) E8EFF2              call 0x0FAD
0040:00001CBE(00FA2CCE) 668B3E9064          mov edi, dword ptr ds:[0x6490]     ; EDI=10000h
0040:00001CC3(00FA2CD3) 837E0200            cmp word ptr ss:[bp+0x0002], 0x0000; 0
0040:00001CC7(00FA2CD7) 7405                jz 0x1CCE                          ; ==>1CCE
0040:00001CC9(00FA2CD9) 668B3E9464          mov edi, dword ptr ds:[0x6494]
0040:00001CCE(00FA2CDE) 6633F6              xor esi, esi
0040:00001CD1(00FA2CE1) FC                  cld 
0040:00001CD2(00FA2CE2) 66B900100000        mov ecx, 0x00001000
0040:00001CD8(00FA2CE8) 0FA0                push fs
0040:00001CDA(00FA2CEA) 06                  push es
0040:00001CDB(00FA2CEB) E851FE              call 0x1B2F
0040:00001CDE(00FA2CEE) 8E264A7A            mov fs, word ptr ds:[0x7A4A]; FS=30h(base addr=B8000h)
0040:00001CE2(00FA2CF2) 8E069000            mov es, word ptr ds:[0x0090]; ES=50h(base addr=F74000h)
0040:00001CE6(00FA2CF6) 837E0000            cmp word ptr ss:[bp], 0x0000; 0001 
                                                                        ; 1 for recovering user screen
                                                                        ; 0 for backing up user screen
0040:00001CEA(00FA2CFA) 7409                jz 0x1CF5                   ; no
0040:00001CEC(00FA2CFC) 6687F7              xchg edi, esi; ESI=10000h, EDI=0
0040:00001CEF(00FA2CFF) 0FA0                push fs
0040:00001CF1(00FA2D01) 06                  push es
0040:00001CF2(00FA2D02) 0FA1                pop fs       ; FS=50h(base addr=F74000h)
0040:00001CF4(00FA2D04) 07                  pop es       ; ES=30h(base addr=B8000h)
0040:00001CF5(00FA2D05) F36764A5            rep movsw word ptr es:[edi], word ptr fs:[esi]
                                                         ; copy 2000h bytes from buffer to B800:0000,
                                                         ; thus recovering user screen
0040:00001CFA(00FA2D0A) 0FA1                pop fs
0040:00001CFC(00FA2D0C) E866FE              call 0x1B65
0040:00001CFF(00FA2D0F) B80100              mov ax, 0x0001
0040:00001D02(00FA2D12) E8A8F2              call 0x0FAD
0040:00001D05(00FA2D15) 83C404              add sp, 0x0004
0040:00001D08(00FA2D18) 5D                  pop bp
0040:00001D09(00FA2D19) C3                  ret
(3) If DS:[5F3D]==0 then do backing up user screen to S-ICE's buffer
Code:
0040:000002A3(00FA12B3) 33C0                xor ax, ax
0040:000002A5(00FA12B5) 86063D5F            xchg byte ptr ds:[0x5F3D], al; AL=ds:[5F3D]
0040:000002A9(00FA12B9) 0AC0                or al, al                    ; if(AL==0)
0040:000002AB(00FA12BB) 7406                jz 0x02B3                    ; ==>02B3
0040:000002AD(00FA12BD) 38263E5F            cmp byte ptr ds:[0x5F3E], ah
0040:000002B1(00FA12C1) 740B                jz 0x02BE
0040:000002B3(00FA12C3) E89A0B              call 0x0E50  ; back_up_user_screen_to_sice_buffer
  ||
 \||/
  \/
;*back_up_user_screen_to_sice_buffer
0040:00000E50(00FA1E60) 1E                  push ds
0040:00000E51(00FA1E61) 07                  pop es ; ES=08h
0040:00000E52(00FA1E62) 803EAA6400          cmp byte ptr ds:[0x64AA], 0x00; 0001
0040:00000E57(00FA1E67) 7507                jnz 0x0E60                    ; ==>0E60
0040:00000E59(00FA1E69) FE06AA64            inc byte ptr ds:[0x64AA]
0040:00000E5D(00FA1E6D) E85C00              call 0x0EBC
0040:00000E60(00FA1E70) 06                  push es
0040:00000E61(00FA1E71) B82000              mov ax, 0x0020
0040:00000E64(00FA1E74) 8EC0                mov es, ax
0040:00000E66(00FA1E76) 26A08404            mov al, byte ptr es:[0x0484]  ; AL=18h 
0040:00000E6A(00FA1E7A) 40                  inc ax
0040:00000E6B(00FA1E7B) A2677A              mov byte ptr ds:[0x7a67], al
0040:00000E6E(00FA1E7E) 07                  pop es
0040:00000E6F(00FA1E7F) 6651                push ecx
0040:00000E71(00FA1E81) B80000              mov ax, 0x0000
0040:00000E74(00FA1E84) BB0000              mov bx, 0x0000
0040:00000E77(00FA1E87) E8010E              call 0x1C7B; do_recover_or_backup

Last edited by BlackWhite; 11-01-2023 at 16:52. Reason: edit
Reply With Quote
The Following 3 Users Gave Reputation+1 to BlackWhite For This Useful Post:
dion (11-03-2023), Jupiter (11-06-2023), MarcElBichon (11-01-2023)
The Following 3 Users Say Thank You to BlackWhite For This Useful Post:
errorinside (11-02-2023), niculaita (11-30-2023), tonyweb (11-01-2023)
  #2  
Old 11-02-2023, 00:37
bolo2002 bolo2002 is offline
VIP
 
Join Date: Apr 2002
Posts: 646
Rept. Given: 111
Rept. Rcvd 14 Times in 13 Posts
Thanks Given: 234
Thanks Rcvd at 246 Times in 158 Posts
bolo2002 Reputation: 14
I've spend a lot of times decades ago with softice but is it worth to correct and use a deprecated tool?
__________________
I like this forum!
Reply With Quote
  #3  
Old 11-02-2023, 01:30
BlackWhite BlackWhite is offline
Friend
 
Join Date: Apr 2013
Posts: 81
Rept. Given: 4
Rept. Rcvd 14 Times in 6 Posts
Thanks Given: 12
Thanks Rcvd at 48 Times in 21 Posts
BlackWhite Reputation: 14
Quote:
Originally Posted by bolo2002 View Post
I've spend a lot of times decades ago with softice but is it worth to correct and use a deprecated tool?
Yes, it's well worth fixing the bug, because I still use it to demo 16-bit
debugging techniques for my students, and they also need this unparalleled
tool to debug their assembly language programs.

Last edited by BlackWhite; 11-02-2023 at 01:46.
Reply With Quote
The Following User Says Thank You to BlackWhite For This Useful Post:
bolo2002 (11-03-2023)
  #4  
Old 11-02-2023, 09:10
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 802
Rept. Given: 42
Rept. Rcvd 50 Times in 31 Posts
Thanks Given: 711
Thanks Rcvd at 1,112 Times in 514 Posts
chants Reputation: 51
Softice was amazing. It seems a convenient powerful kernel debugger like it won't happen again.

Softice is to reversing what IDE studios e.g. MSVS are to programming. Rapid application cracking vs rapid application development (RAD).

But nothing prevents it from being possible. I think it's closer to the high amount of technical aspects to maintaining such a tool compared to low profitability has made it so no company bothers trying anymore.
Reply With Quote
The Following User Says Thank You to chants For This Useful Post:
WRP (11-05-2023)
  #5  
Old 11-05-2023, 02:18
th3tuga th3tuga is offline
Friend
 
Join Date: Oct 2023
Posts: 30
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 15 Times in 9 Posts
th3tuga Reputation: 0
Quote:
Originally Posted by BlackWhite View Post
Yes, it's well worth fixing the bug, because I still use it to demo 16-bit
debugging techniques for my students, and they also need this unparalleled
tool to debug their assembly language programs.
Is it possible to make this run on Windows 7? As far as I remember it runs okay with WinXP SP2 but throws errors on WinXP SP3.
Reply With Quote
  #6  
Old 11-05-2023, 10:14
BlackWhite BlackWhite is offline
Friend
 
Join Date: Apr 2013
Posts: 81
Rept. Given: 4
Rept. Rcvd 14 Times in 6 Posts
Thanks Given: 12
Thanks Rcvd at 48 Times in 21 Posts
BlackWhite Reputation: 14
Quote:
Originally Posted by th3tuga View Post
Is it possible to make this run on Windows 7? As far as I remember it runs okay with WinXP SP2 but throws errors on WinXP SP3.
S-ICE 2.80 runs in DOS, it can also run in Bochs above 2.6.11 which has been removed a critical bug by me, but it's not a Windows version.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 06:18.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )