
SoftICE: a kernel mode debugger for Windows - majke
https://en.wikipedia.org/wiki/SoftICE
======
coo1k
Can't help but mention Fravia. RIP :( I came to know of softIce through his
essays.
[http://71.6.196.237/fravia/aca400.htm](http://71.6.196.237/fravia/aca400.htm)

his softice essays:
[http://71.6.196.237/fravia/project2.htm](http://71.6.196.237/fravia/project2.htm)

~~~
sheepmullet
+fravia produced so much worthwhile content without so much as a single ad. He
is sorely missed.

It's why I always laugh when people say the Internet needs ads to survive. It
was doing just fine before ads became so pervasive.

~~~
guipsp
Fravia wasn't doing it as a job.

~~~
xorcist
That's true, but making a living from it is not everyone's end goal. If you
aren't doing it as a job, you can focus on quality, not on maximizing clicks.

There's absolutely no way quality can ever compete with thousands of underpaid
click farmers. Google is steadily getting smarter, but even they can't keep
up.

------
gregschlom
SoftICE was the tool that really got me into programming. Before that I was
coding in Visual Basic, and tried and failed several times to teach myself
C++. The books that I got were all talking about things like inheritance,
polymorphism and Microsoft's MFC, and none of that made sense to me. Then I
found SoftICE and learned how to crack shareware, and eventually found an
amazing tutorial on how to write Windows apps in assembly using MASM and
calling the Win32 API directly. I used SoftICE as a debugger and it was
amazing to _see_ my code being run by the processor, instruction by
instruction. I had a feeling of having a complete understanding of the
computer. From there, I was able to work my way up the abstraction chain.

~~~
badreader
Please share the link to the MASM tutorial that got you started.

~~~
badocr
Iczelion's tuts maybe?

[http://win32assembly.programminghorizon.com/tutorials.html](http://win32assembly.programminghorizon.com/tutorials.html)

~~~
gregschlom
Yes! Iczelion's tuts! Brings back some good memories. Thanks!

------
cosmosgenius
Wow, I had forgotten about this tool. This was so cool, to put a debug point at
OS level. Well, I mainly used this to bypass registration steps for tools which
required a paid license key or passcode :P (replacing the cmp ops with noop or
jmp to success).

~~~
schandur
WinZip comes to mind.

~~~
vinceyuan
I followed a tutorial to crack WinZip with SoftIce. And then I tried cracking
WinRAR with SoftIce but failed. That's all I did with SoftIce.

------
iheartmemcache
SoftICE was one of the most amazing utilities out there, both for debugging as
well as reverse engineering. The Wikipedia page is spot on about WinDbg/KD,
but pretty out of date re: modern tools. Ollydbg2 came out more than half a
decade ago and supports all the 64-bit registers and the x86-64 instruction set.
Immunity Debugger took its place as the de facto standard, and most modern
scripts and tooling are built around Immunity for dynamic analysis and IDA Pro
for static analysis. IDA Pro adopted Qt natively, so the plugin communities
are extending the hell out of what was already a great tool, and there are
good plugins that export annotations/symbols that Immunity can consume, so the
gap between static and dynamic analysis has never been smaller. If you don't
have an IDA license, Immunity combined with Radare (read down) is still pretty
powerful to play around with. Either way, the reverse engineering stuff out
there is quite simply amazing.

[https://github.com/aquynh/capstone](https://github.com/aquynh/capstone)

[https://github.com/REhints/HexRaysCodeXplorer](https://github.com/REhints/HexRaysCodeXplorer)
(this is CRAZY useful if you bought the Hex Rays license with IDA)

[https://github.com/ynvb/DIE](https://github.com/ynvb/DIE) - makes IDA even
better ("DIE is an IDA python plugin designed to enrich IDA's static analysis
with dynamic data")

[https://portal.cert.org/web/mc-portal/pharos-static-analysis-tools](https://portal.cert.org/web/mc-portal/pharos-static-analysis-tools)
- I haven't used this yet, but Pharos is a static analysis tool out of
Carnegie Mellon that's particularly useful for C++-generated code.
[https://insights.sei.cmu.edu/sei_blog/2015/08/the-pharos-framework-binary-static-analysis-of-object-oriented-code.html](https://insights.sei.cmu.edu/sei_blog/2015/08/the-pharos-framework-binary-static-analysis-of-object-oriented-code.html)
walks through some of the feature set. Hex-Rays is great for some things, but when
you F5 some block, you really are left wanting. This looks like it fills the
gap quite nicely.

[http://www.radare.org/r/cmp.html](http://www.radare.org/r/cmp.html) -
Comparison between IDA and Radare (admittedly unfair, even titled so, ha)

There are dozens of plugins I use which are just python scripts mapped to
keyboard shortcuts so I don't even remember what they're called. Someone else
is going to have to jump in because I'm not on my work machine and can't look
it up.

You lost Ring0 with the demise of SoftICE, but the RE community is more active
than ever. Just watch a few CCC talks if you're not convinced.

Just a note, guys: I know you can pirate IDA, but some companies just "do it
right" and should be supported. I buy from Adafruit even though they're more
expensive because I support them. IDA is _one dude_, who's responsive within
the community, who goes out of his way to be nice and implement bug fixes and
feature enhancements. I try not to get all preachy, but pirating IDA isn't
stealing Visual Studio from Microsoft; you're ripping off a dude who's contributed
a lot to the community and even offers a free (granted, less featureful)
version.

~~~
mschuster91
> IDA is one dude

Seriously? One lone guy coded up all of IDA and the Hex Rays decompiler? Whoa,
hat off.

I always thought that there was a group of more-or-less shady highly
experienced hackers, but not a single dude.

~~~
nekitamo
IDA Pro used to be one dude. Right now it's at least 3-4 people.

~~~
userbinator
One Russian dude, to be precise:

[https://en.wikipedia.org/wiki/Ilfak_Guilfanov](https://en.wikipedia.org/wiki/Ilfak_Guilfanov)

I don't know if it's just perception bias or something cultural, but I seem to
hear a lot more about famous/advanced Russian reverse-engineers than anywhere
else.

~~~
SXX
I think the reason there are a lot of reverse-engineers from the CIS that you
know about is that once the USSR disappeared there was a lot of freedom (many
would call it anarchy) in the copyright area and very limited pressure on
illegal activity on the internet in general.

Basically anyone who had a PC and an interest in reverse engineering could do
almost anything without consequences. There were a lot of people who did it all
publicly without really hiding their identity or even made a business of it
(like well-known DRM-removal tools). If you tried to do anything like that
in the West, you'd end up in prison soon.

Also, reverse engineering isn't some independent area; it's usually linked
with black hat security, virus making, carding, SEO, etc. There were a lot of
CIS-based illegal and gray-area communities and services that could only exist
because of the lack of government control, and many still exist.

So it was also one of the ways to make a lot of (illegal) money, but at some
point any person grows up, gets married (and has a child) and doesn't want to
take criminal risks. Many of them want to move to the EU/US, where the risks
are higher. There you go: that's where a huge part of the experts have come from.

~~~
viraptor
Not from Russia, but I imagine it was a similar situation over the border:
another part is that you literally could not buy original versions due to the lack
of distributors / internet / easy connectivity. Or if you found a way, a
typical game would cost you half the family's spending budget for a month. So
it's not always due only to lax copyright enforcement, but simply because
cracking software was close to the only way to use it.

------
csdrane
I recall that there was a plugin for SoftICE called FrogsICE, which would
block programs from detecting whether SoftICE was loaded. But, FrogsICE was
itself able to detect whether it was already loaded (to prevent loading
multiple instances).

------
DEinspanjer
SoftICE holds a fond place in my heart even though I was never more than
passingly capable with it.

I worked at Numega from 1999 through 2001 in the technical support department.
When I started, I provided support for another product, but over time became
familiar with all of the tools and eventually managed the technical support
team.

We would frequently get support requests from companies asking for ways to
detect and/or prevent SoftICE, and we had some nice reply templates trying to
break it gently to them how there was no practical way for software loaded
after SoftICE to reliably stop a determined user from debugging and/or
tampering with it.

The SoftICE tech support issues were always the tough ones. We had a small
team of elites who would slog through those issues while the other team
members could only wonder what they were talking about sometimes. :) Some
companies even resorted to shipping hardware to the team to help reproduce and
resolve tough issues.

My favorite memory though is when I was learning SoftICE and I grabbed one of
the guys and asked them if they could help me figure out a weird issue with
it. As we walked over, I shared with them that every time I broke into
SoftICE, my CRT monitor would shut off, and it wouldn't come back on until I
closed SoftICE. I asked them if it could be some sort of new countermeasure.

They looked at me with that disbelieving look one shares with a mere novice,
and sat down at my computer and pressed Ctrl-D. Click! Off went the monitor.
Their eyes bugged just a bit and they tentatively toggled the power switch
just to make sure. Dead. With hesitation, they typed the command to close the
SoftICE window and blinked as the monitor hummed back to life.

As I said though, these guys were good. After hitting Ctrl-D a few more times
and watching the monitor switch off and on, this person didn't let the mystery
send them down any rabbit holes. They immediately went fishing for the monitor
power cable and traced it to the plug where they found a suspicious looking
box it was plugged into. As they looked back at me with a glare, I guiltily
held up the remote control for the power switch and fessed up.

Good times.

------
jw2k
During the early '90s we used to reverse-engineer computer viruses (DOS) at
the Peter Norton group using SoftICE. All in the name of creating repros and
fixes, of course.

~~~
CamperBob2
Many dongles fell by the hand of SoftICE in those days, I can tell you. I, uh,
wouldn't know anything about that.

------
JoeAltmaier
Before SoftICE was ICE: In-Circuit Emulator. Originally developed by Intel, it
was one of their crappy Blue Boxes with a special cable. You plugged the cable
into your processor socket. From the blue box you could set breakpoints on bus
conditions, step and disassemble. You could even break on I/O or writing to a
location.

It was awful. The huge noisy blue box ran on floppies; it booted like
molasses; its full-speed emulation was nowhere near full speed. It had an
arcane debugger and an arcane file system. The cable was fragile (1-inch pins
that would crimp and break when inserting into the socket).

When Intel asked us "What do you want in the next generation of processor
chips?" I knew exactly what to say. I requested special registers where I
could set bus conditions and masks that created an NMI (non-maskable
interrupt) on a match. With that I could do data breakpoints, I/O traps,
pretty much anything that a hardware ICE could do.

The next spec had my register(s)! It was one of the happiest days of my life.
And the rest is history.

------
lottin
SoftICE was a classic reverse engineering tool. I remember that I taught
myself assembler for the sole purpose of cracking Microprose's F1GP, as I'd
thrown the manual away, which was needed to play the game. It took me months
to do it, but the sense of achievement afterwards was totally worth it.

------
markbnj
A hardware ICE or a copy of this was pretty much all I wanted when I was doing
C++ back in the early '90s. All I had was BoundsChecker and Turbo Debugger.

------
ilurk
heh! :)

I remember that one.

I used it when hopelessly trying to RE some applications (either ASPack,
SecuROM or SafeDisc). Dat self-modifying code :3

Got to learn a couple of things thanks to RE. Never became an expert, with
college becoming more demanding and then lack of interest, but got to work
around some shareware and crackmes. My most "notable work" was dumping a UPX-
packed executable and rebuilding the PE tables.

A shoutout to all the +RE and Cracking4Newbies and REA people for all the help
and tutorials.

fake edit: my first introduction to crypto was from REA... Vigenère cipher
comes to mind.

------
ddmf
I miss SoftICE. It was great for helping make game trainers.

------
linkydinkandyou
Ah yes! I remember way back in the day (1989 or so) you could tell who the
_real_ Windows programmers were because they had a second monochrome monitor
(and an old Hercules card) in their computer so SoftICE could display on that
screen while the main EGA screen had Windows.

~~~
johal2
We were cracking games in the early '90s using Borland Turbo Debugger on two
machines with a null modem between them.

~~~
DanBC
A blog post about this would probably be interesting to many on HN, especially
if you can remember the details.

~~~
jalk
From a technical perspective I doubt I will be able to bring a whole lot more
to the table than the Fravia articles already linked to. We were just a couple
of guys trying to code demos, and cracking for the fun of it. We never
released anything; all of the games were already cracked by others, and our
demos were not very impressive :) But a common technique when bypassing
"auth-code barriers" was to enter some text in the "textbox" that you were
certain wasn't in RAM already (think profanities), break to the debugger before
submitting the input, search the entire memory for the text you entered, and set a
read breakpoint on the found memory location, so that when the game starts to
validate your input, the breakpoint is triggered and you can single-step through
the disassembled validation logic of the game.

The remote debugging was needed as switching between the graphics mode of the
game and the text mode of the debugger was totally unstable. Now that I think of
it, it might actually have been an "anti-debugging" measure of some games, as I
vividly recall a Bard's Tale cracking session on a single machine.

