icedump6.txt
notes: when altering the filename, you can specify a path and a mask. for
example, if you set the base filename to 'c:\temp\dump-*.dmp', icedump
will auto-generate filenames like 'c:\temp\dump-001.dmp'. the number of
digit positions can be changed by altering an EQUate in the source. make
sure you have a valid filename.
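as an added illustration (not icedump's own code, which does this in assembly), here is how the mask expansion described above behaves in Python: the counter width is a parameter standing in for the EQUate, the three-digit default and the 'c:\temp\dump-*.dmp' example come from the text, and the set of names to treat as taken is supplied by the caller so the check runs offline.

```python
import os

# number of digit positions in the auto-generated counter; icedump sets this
# with an EQUate in its assembly source, here it is a parameter (3 digits,
# matching the 'dump-001.dmp' example in the notes above)
DEFAULT_POSITIONS = 3

def counter_fits(number, positions=DEFAULT_POSITIONS):
    """true when 'number' can be printed in 'positions' decimal digits."""
    return 0 <= number < 10 ** positions

def expand_mask(mask, number, positions=DEFAULT_POSITIONS):
    """replace the single '*' in the mask with a zero-padded counter."""
    if mask.count("*") != 1:
        raise ValueError("mask must contain exactly one '*'")
    if not counter_fits(number, positions):
        raise ValueError("counter does not fit the configured number of positions")
    return mask.replace("*", f"{number:0{positions}d}")

def next_free_name(mask, existing=None, positions=DEFAULT_POSITIONS):
    """first expansion of the mask that is not already taken.

    'existing' is a collection of names to treat as taken (used here so the
    example runs offline); when it is None the real filesystem is consulted."""
    taken = os.path.exists if existing is None else (lambda name: name in existing)
    for n in range(1, 10 ** positions):
        name = expand_mask(mask, n, positions)
        if not taken(name):
            return name
    raise RuntimeError("every counter value for this mask is already in use")

if __name__ == "__main__":
    # constructed sample: two dumps already exist, the next one gets 003
    used = {r"c:\temp\dump-001.dmp", r"c:\temp\dump-002.dmp"}
    print(next_free_name(r"c:\temp\dump-*.dmp", used))  # c:\temp\dump-003.dmp
```

the width check matters in practice: once the counter no longer fits the configured positions the name would silently grow, so the function refuses instead.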
/OPTION B
print out the current state of options for '/BHRAMA'.
/OPTION B rR - Recompute PE Object size on/off
/OPTION B sS - PE structure Reorganize on/off
/OPTION B hH - Restore PE header on/off
/OPTION B [0..3] - Import mode [0..3]
These are the options you may wish to set for ProcDump/Bhrama. These
options won't apply in ProcDump if the checkbox 'User conf.' is set.
/OPTION P
print out the current state of options for '/PEDUMP'.
/OPTION P vV - Update PE Virtual Object size on/off
/OPTION P pP - Update PE Physical Object size on/off
/OPTION P rR - PE structure Reorganize on/off
/OPTION P bB - Rebuild PE header on/off
/OPTION P I[0..3] - Import mode [0..3]
/OPTION P H[0..7] - PE Header reload mode [0..7]
/OPTION P cC - Import caving attempt on/off
These are the Phoenix v2.0 internal options. The rebuild PE header option
only recomputes RVA offsets, nothing more.
Import rebuilder method (Bhrama/Phoenix):
* 0 : No rebuild
Doesn't try to locate the import section at all, leaves the related import
information untouched.
* 1 : Use import information
Reads the actual import information and uses it to recreate a valid import
table.
* 2 : Rebuild import table.
Detects the import table and fixes it up if found.
* 3 : Full Import rebuild (DEFAULT).
Detects the import table, generates a new import section, and generates
import function names & ordinals.
PE Header reload mode: certain schemes may destroy/alter some fields
of the PE header so you have the chance to reload a valid one from the
original executable file.
* 0 : No reload (DEFAULT).
* 1 : Reload ImageSize only.
* 2 : Reload section information.
* 3 : Reload both.
* 4 : Reload whole PE header.
* 5 : Reload whole PE header but ImageSize.
* 6 : Reload whole PE header but Section information.
* 7 : Reload whole PE header but both of the above.
The settings are getting bigger and bigger, but well that's for flexibility
in the rebuild process (Isn't it Owl ? :).
/OPTION T
print out the current state of options for the tracer engine.
/OPTION T lL - Print last but one address before break off/on
/OPTION T bB - Print branch addresses off/on
/OPTION T aA - Print all traced addresses off/on
/OPTION T pP - Trace new threads in the same process off/on
/OPTION T cC - Trace threads in child processes off/on
/OPTION T nN - Break on new threads off/on
/OPTION T rR - Break before thread enters ring-0 off/on
(NOT IMPLEMENTED YET)
see the separate documentation on the tracer engine to understand what these
flags do.
-------------
/CD [<track>]
-------------
control your cd-rom, without parameters it will stop playing the CD,
otherwise it will attempt to play the specified track. this command can be
invoked from all ring-3 execution modes.
volume has to be set outside winice, but you know who to bug for support,
don't you ;-)
--------------
/MP3 <0,n,+,->
--------------
control the mp3 VxDs (you should have started YogaPlay first and loaded
a tracklist). '0' stops playing, 'n' (a playlist index, counted from 1)
will play the specified track, '+' and '-' will skip to the next and
previous track respectively.
--------------------------------------
/IMPORTS <imagebase> <imports-address>
--------------------------------------
an attempt at helping to rebuild an IAT where the APIs are thunking through
some redirection code (protections often use such schemes). right now it
can help with ASPROTECT but feel free to add support for other schemes as
well. <imagebase> is obvious, <imports-address> is the VA (not the RVA) of
the imports as pointed to from the object table (hint: make sure the PE
header does indeed point to the real imports, not those of the wrapper; this
is also important for '/PEDUMP', which you will most likely use after this
command).
------------------------------------
/PEDUMP <imagebase> <EIP> <filename>
------------------------------------
dump the current win32 process or a dll in its address space to a valid
PE file. <imagebase> can be fished out from the MAP32 output, the rest
should be obvious. look at '/OPTION P' to see what internal flags can be
set.
a tip: an easy way to get rid of wrappers that reside in the last few
sections is to decrease the 'number of sections' and 'imagesize' fields
appropriately before dumping. of course this only works if no critical
information is stored in these sections (e.g. resources).
Note 1 : EIP is an RVA :).
Note 2 : YOU MUST BE IN A WIN32 CONTEXT IN ORDER TO USE THIS.
Note 3 : at <imagebase> a valid PE header is expected. if something is
not right, either fix it by hand in memory or, even better, reload
the original header (or parts of it), consult '/OPTION P H' for details.
Note 4 : No need to try to fetch me (G-RoM) for whatever you want, it is as
is, nothing more. No update promised.
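as an added example (not part of icedump or the Phoenix engine), the Python below models two things from this documentation: the '/OPTION P H' reload modes 0..7 listed earlier, and the 'decrease number of sections and imagesize' tip for '/PEDUMP', including the check that no data directory (e.g. the resources) lives in a section being dropped. the header layout is the standard PE32 one; the sample header bytes are constructed in build_image and do not come from any real binary. which fields the real engine treats as the 'whole PE header' beyond what the list states is an assumption of this model.

```python
import struct

FILE_HDR = "<IHHIIIHH"        # PE signature + IMAGE_FILE_HEADER, 24 bytes
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
DIR_RESOURCE = 2              # index of the resource data directory

def parse_pe(image):
    """read the PE32 header fields that /OPTION P H and the /PEDUMP tip touch."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    sig, _, nsect, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, image, pe)
    if sig != 0x4550:
        raise ValueError("missing PE signature at e_lfanew")
    opt = pe + 24                                           # optional header start
    sec_align = struct.unpack_from("<I", image, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        s = struct.unpack_from(SECTION_HDR, image, opt + opt_size + 40 * i)
        sections.append({"name": s[0].rstrip(b"\0").decode(), "vsize": s[1],
                         "va": s[2], "rawsize": s[3], "rawptr": s[4]})
    return {"nsect": nsect, "size_of_image": size_of_image, "sec_align": sec_align,
            "dirs": dirs, "sections": sections}

def reload_header(dumped, original, mode):
    """model of the /OPTION P H reload modes 0..7."""
    if not 0 <= mode <= 7:
        raise ValueError("reload mode must be 0..7")
    # modes 1-3: start from the dumped header, pull the selected fields from the original
    # modes 5-7: start from the original header, keep the selected fields from the dump
    src, other, bits = (dumped, original, mode) if mode < 4 else (original, dumped, mode - 4)
    out = dict(src)
    if bits & 1:                                            # ImageSize
        out["size_of_image"] = other["size_of_image"]
    if bits & 2:                                            # section information
        out["sections"], out["nsect"] = list(other["sections"]), other["nsect"]
    return out

def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)

def drop_trailing_sections(hdr, count):
    """the /PEDUMP tip: cut the last 'count' sections by lowering NumberOfSections
    and SizeOfImage, refusing when a data directory (e.g. resources) lives in them."""
    if not 0 < count < hdr["nsect"]:
        raise ValueError("must keep at least one section")
    kept, dropped = hdr["sections"][:-count], hdr["sections"][-count:]
    cut = dropped[0]["va"]                  # sections are laid out in ascending RVA order
    for i, (va, size) in enumerate(hdr["dirs"]):
        if size and va + size > cut:
            raise ValueError(f"data directory {i} overlaps a dropped section")
    last = kept[-1]
    out = dict(hdr)
    out["sections"], out["nsect"] = kept, len(kept)
    out["size_of_image"] = align_up(last["va"] + max(last["vsize"], last["rawsize"]),
                                    hdr["sec_align"])
    return out

def build_image(size_of_image, sections, resource=(0, 0)):
    """assemble a minimal PE32 header (constructed sample data, not a real file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    file_hdr = struct.pack(FILE_HDR, 0x4550, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic
    struct.pack_into("<I", opt, 32, 0x1000)                 # SectionAlignment
    struct.pack_into("<I", opt, 56, size_of_image)          # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_RESOURCE, *resource)
    secs = b"".join(struct.pack(SECTION_HDR, n.ljust(8, b"\0"), vs, va, rs, rp,
                                0, 0, 0, 0, 0x60000020) for n, vs, va, rs, rp in sections)
    return bytes(dos) + file_hdr + bytes(opt) + secs

# constructed layout: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
SECTIONS = [
    (b".text", 0x800, 0x1000, 0x1000, 0x400),
    (b".data", 0x400, 0x2000, 0x400, 0x1400),
    (b".rsrc", 0x200, 0x3000, 0x200, 0x1800),
    (b".wrap", 0x3000, 0x4000, 0x3000, 0x1A00),             # trailing wrapper section
]

if __name__ == "__main__":
    orig = parse_pe(build_image(0x7000, SECTIONS, resource=(0x3000, 0x200)))
    trimmed = drop_trailing_sections(orig, 1)
    print(f"kept {trimmed['nsect']} sections, SizeOfImage -> {trimmed['size_of_image']:#x}")
```

the instructive failure is drop_trailing_sections(orig, 2): dropping '.rsrc' as well is refused because the resource directory points into it, which is exactly the caveat in the tip. for the reload modes, note that modes 1-3 are a bitmask of fields to take from the original, while modes 5-7 are the same bitmask read as fields to keep from the dump.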
-----------------------------------------
/TRACE [<R0TCB> [<low EIP> [<high EIP>]]]
-----------------------------------------
control the tracer engine. note that this command cannot be used to trace
the current thread, use '/TRACEX' for that. also look at '/OPTION T' to see
what internal flags can be set.
/TRACE
print out the R0TCBs of all traced threads.
/TRACE <R0TCB>
stop tracing the thread whose ring-0 Thread Control Block is <R0TCB>. use
the THREAD command to get it.
/TRACE <R0TCB> <low EIP>
start tracing the thread whose ring-0 Thread Control Block is <R0TCB>. use
the THREAD command to get it. if the thread was already being traced, only
the target range for EIP will be updated.
tracing will stop and pop up winice if the thread's EIP reaches <low EIP>
(technically the engine will look for a 1 byte long range by setting
<high EIP> to the same value). this also means that EIP must be exactly
this value in order to trigger winice to pop up, i.e. if it lies in the
middle of an instruction, it will not trigger.
/TRACE <R0TCB> <low EIP> <high EIP>
start tracing the thread whose ring-0 Thread Control Block is <R0TCB>. use
the THREAD command to get it. if the thread was already being traced, only
the target range for EIP will be updated (however, keep in mind that if
<low EIP> > <high EIP>, i.e. the range is invalid, then instead of updating
the range, the engine will simply stop tracing the thread. this is how the
stop command is implemented by the way).
tracing will stop and pop up winice if the thread's EIP falls into a range
specified by <low EIP> and <high EIP> (bounds inclusive).
------------------------------
/TRACEX <low EIP> [<high EIP>]
------------------------------
control the tracer engine AND exit winice. note that this command can be
used to trace the current thread only, use '/TRACE' for other threads. also
look at '/OPTION T' to see what internal flags can be set.
/TRACEX <low EIP>
start tracing the current thread. note that whenever winice pops up in
the context of a traced thread, you must exit winice via '/TRACEX' if you
want to continue tracing. this is because on a normal 'X' winice clears
EFLAGS.T and the tracer engine effectively loses control over it in the
given thread's context.
tracing will stop and pop up winice if the thread's EIP reaches <low EIP>.
this means that EIP must be exactly this value in order to trigger winice
to pop up, i.e. if it lies in the middle of an instruction, it will not
trigger.
/TRACEX <low EIP> <high EIP>
start tracing the current thread. same note applies as above.
tracing will stop and pop up winice if the thread's EIP falls into a range
specified by <low EIP> and <high EIP> (bounds inclusive). note that there
is no check for the validity of the range, so having <low EIP> > <high EIP>
will simply start tracing the thread but will never make winice pop up
(unless the range is changed later, see '/TRACE' for details).
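added as an illustration (not the tracer engine's own code), a small Python model of the '/TRACE' and '/TRACEX' range rules described above: the one-argument stop, the single-EIP case as a one-byte range, the 'low > high means stop' rule of '/TRACE', the missing validity check of '/TRACEX', and the inclusive bound check applied to EIP. the R0TCB and EIP values in the usage are made up.

```python
class TracerEngine:
    """model of the /TRACE and /TRACEX range rules; state is kept per R0TCB."""

    def __init__(self):
        self.ranges = {}  # R0TCB -> (low EIP, high EIP), bounds inclusive

    def trace(self, r0tcb=None, low=None, high=None):
        """/TRACE: no args lists traced threads, one arg stops, two or three
        args start tracing or update the range."""
        if r0tcb is None:
            return sorted(self.ranges)
        if low is None:                      # /TRACE <R0TCB>: stop tracing
            self.ranges.pop(r0tcb, None)
            return None
        if high is None:                     # /TRACE <R0TCB> <low>: 1-byte range
            high = low
        if low > high:                       # invalid range doubles as the stop command
            self.ranges.pop(r0tcb, None)
            return None
        self.ranges[r0tcb] = (low, high)     # new thread, or range update if already traced
        return self.ranges[r0tcb]

    def tracex(self, current_r0tcb, low, high=None):
        """/TRACEX on the current thread: no validity check on the range, so
        low > high traces the thread but never pops winice up."""
        self.ranges[current_r0tcb] = (low, low if high is None else high)
        return self.ranges[current_r0tcb]

    def should_break(self, r0tcb, eip):
        """true when a traced thread's EIP lands inside its range (inclusive)."""
        rng = self.ranges.get(r0tcb)
        return rng is not None and rng[0] <= eip <= rng[1]

if __name__ == "__main__":
    engine = TracerEngine()                  # constructed values, not from a real session
    engine.trace(0xC1234560, 0x401000)       # single EIP: only an exact hit triggers
    print(engine.should_break(0xC1234560, 0x401000), engine.should_break(0xC1234560, 0x401001))
    engine.trace(0xC1234560, 0x402000, 0x401000)  # invalid range: stops tracing
    print(engine.trace())                    # []
```

the single-EIP case shows why an address in the middle of an instruction never triggers: the engine compares EIP against a one-byte range, and EIP only ever takes instruction start values.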
----------------
/BREAKR3 <R0TCB>
----------------
instruct winice to break into the specified thread when it gets scheduled
next time. note that this command will exit winice. <R0TCB> must be a valid
ring-0 Thread Control Block executing in protected mode (no V86 support).
-----------------
/TETRIS [<speed>]
-----------------
start tetris in the winice window. <speed> is measured in milliseconds (default
value is 150), and it is the delay in the main loop (the lower the delay,
the faster the game). there appears to be a bug in winice which prevents it
from successfully calibrating its own internal delay loop (you can see a
message right at the very beginning of the winice history buffer, provided
it is big enough to hold all the messages during bootup); in this case the
default delay value will be too big, feel free to choose your own. users of
winice v4.05 and newer can explicitly specify their CPU's speed via the
CPUSPEED keyword in winice.dat (e.g. CPUSPEED=700 for a 700 MHz monster).
control: left/right arrow shifts the block left/right,
up arrow rotates the block,
down arrow makes the block fall faster,
escape quits the game (should you get bored ;-)
-----
/HELP
-----
print out usage info.
-----
todo.
-----
1. two-way symbol transfer between IDA and SoftICE
2. script language, a'la procdump
3. vcd player... just kidding ;-)
-----
cast.
-----
since there are some people wondering about who's who in this game, let's
tell you what to blame on whom ;-)
fOSSil:
- raw->html converter for '/SCREENDUMP'
- optimized '/OPTION', '/SCREENDUMP'
- '/CD'
- vxdn.inc, winddk.inc
- mp3 player (VxDs, mp3 decoder, YogaPlay)
- '/IMPORTS'
Ghiribizzo:
- '/SCREENDUMP'
- '/OPTION'
- raw->LaTeX converter for '/SCREENDUMP'
G-RoM:
- '/PEDUMP' (CodeShot/Phoenix engine)
- some cleanup in the parser and help
Ice:
- all thread related stuff ('/SUSPEND', '/SUSPENDX', '/RESUME')
- nticedump
igNorAMUS:
- macros for LaTeX mode dump
- EPS output for '/SCREENDUMP'
The Owl:
- maintainer, at least for the time being
------------------
thanks and greets.
------------------
the icedump team thanks everyone who contributed to the project or otherwise
inspired us to make this happen, that means all users as well ;-).