Our Tools

TheOwl's winice dumper (version 4)
Source code, program, everything you need...

by TheOwl

(16 September 1998)


Well, once more an Outstanding (and generous) wizard sends us a tool that will improve your work tremendously... I wonder if the smartasses at Numega are already using it (they are... :-) and wish you all GOOD WORK, or as our (disappeared?) +Master would say: "work well" with this incredible tool... Long live TheOwl, a Master cracker who deserves much more recognition...

           this is beta release 4 of my winice dumper.

           download it here





   news.

   - commented source code included, although putting it into winice.exe is
     another art in itself... anyway, you can get a general idea of how it works.
     suggested order of reading: init, parser, dumper.

   - emulation of PAGEIN when invoked with the old syntax: "PAGEIN <address>"
     this works in all modes now (V86, ring-3/16, ring-3/32, ring-0/32).

   - parser and dumper are more fool-proof (e.g. dumping non-committed memory
     won't result in a system crash).

   - ring transitions from both PM and V86 mode have been enhanced by directly
     hacking the client CS:(E)IP registers. this also means that the dumper is
     less intrusive and less detectable.

   - support for paged out memory in V86 mode (previous versions would crash
     when one tried to dump paged out memory in V86 mode).

   - patcher included for both v3.22 and v3.23 of winice.





   usage.

   the syntax is as follows:

        PAGEIN <address> [<length> <file name>]

   if only <address> is specified, the old behaviour will be emulated, but this
   time 16 bit modes (V86 and PM) will be supported as well. in fact, ring-3/32
   support is somewhat better as well, since the client's stack no longer has
   to be present (unlike for the old PAGEIN).

   both <address> and <length> can be any valid expression. <address> has to
   evaluate to a flat address. e.g. CS:IP will NOT result in a flat address if
   used in 16 bit modes; you have to use the flat() operator.

   <file name> can be any valid name with drive/path. the file will be created,
   or overwritten if it already exists.





   notes.

   of course, the entire memory block you're about to dump should have been
   previously allocated and committed. nonetheless, trying to dump non-committed
   memory pages won't crash the system, but will instead write garbage into
   the dump file... well, if you don't know what you dump, you will get it ;-).
   the size of the dump file will be smaller than that of the block you
   specified if there are non-committed pages at the end of the block. if the
   entire block is not committed, you will end up with an empty file.
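   the dump-file semantics above, modelled in an added Python snippet (this is
   not TheOwl's code; it assumes 4 KiB pages and a constructed set of committed
   page numbers standing in for the real page tables) so that a dump's size can
   be sanity-checked against the block that was requested:

```python
# Added illustration, not part of the winice dumper: a model of the documented
# PAGEIN file semantics. Assumes 4 KiB pages and a caller-supplied set of
# committed page numbers (a constructed stand-in for the real page tables;
# the real tool decides commitment inside winice, not here).

PAGE_SIZE = 4096


def expected_dump(address, length, committed_pages, page_size=PAGE_SIZE):
    """Return (file_size, garbage_bytes) for `PAGEIN address length file`.

    Documented behaviour being modelled:
      * non-committed pages inside the block are written as garbage,
      * non-committed pages at the END of the block are cut off,
      * a block with no committed page at all yields an empty file.
    """
    if length <= 0:
        return 0, 0
    first_page = address // page_size
    last_page = (address + length - 1) // page_size
    touched = range(first_page, last_page + 1)
    committed = [p for p in touched if p in committed_pages]
    if not committed:
        return 0, 0                       # entire block non-committed -> empty file
    # the file ends after the last committed page, or at the block end
    end = min(address + length, (committed[-1] + 1) * page_size)
    garbage = 0
    for p in touched:
        if p > committed[-1]:
            break                         # trailing pages are truncated, not written
        if p not in committed_pages:
            lo = max(address, p * page_size)
            hi = min(end, (p + 1) * page_size)
            garbage += hi - lo            # interior hole: written, but as garbage
    return end - address, garbage


if __name__ == "__main__":
    # constructed sample: three pages requested, the middle one never committed
    print(expected_dump(0x401000, 0x3000, {0x401, 0x403}))  # -> (12288, 4096)
```

   a dump file shorter than the first value, or larger than zero garbage bytes,
   tells you the block was not fully committed when you issued PAGEIN.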



   trying to dump from an address context other than the one you popped up in
   won't work (this may be supported in the distant future, but you would have
   to come up with strong arguments to convince me to invest my time into it).

   interrupts must be enabled. you can try to change IF manually, but chances
   are that you will only lock up your machine.

   IFSMgr mustn't be reentered when dumping from ring-0 mode. this normally
   means that you won't have a chance to dump while inside file system driver
   code. not that many of you would ever debug FSDs... ;-). generally, be
   very careful when dumping from ring-0 mode; there are many circumstances when
   it just won't work. one rule of thumb is that if you see the client call
   other VxD services, then it's probably safe to invoke the dumper as well
   (since it does nothing else but invoke VxD services, those of IFSMgr).

   PAGEIN should only be invoked AFTER the DEVICE_INIT phase of the static VxD
   initialization procedure. if you're in ring-0 mode, then you can use it
   earlier as well, but only with the OLD syntax (i.e. no file dumping while
   VxDs are being initialized). hmmm, does it make any sense to page in anything
   before DEVICE_INIT at all? ;-)

   "ver ice" (v3.22) and "ver sio" (v3.23) had to be killed... oh well





   greets and thanks.

   Acp,Animadei,Domnar,Fossil,Gij,G-Rom,Groo,Ice-Man,LiuTaoTao,Lordbyte,MadMax,
   Marquis,Mave,Pain,tHeRaiN,Randall Flagg,Razzi,Regor,Slava,Xoanon,Zenix
