---------------------------------
IDA to SoftIce symbol loader
version: 4.09 release
---------------------------------

1st Setting the plugIn:

You MUST add the next 4 lines to the ..IDA\PlugIns\PlugIns.cfg file (in exactly this order), because the plugIn depends on the number of init calls made to i2s:

    I2S_Setup        i2s  0          3
    I2S_Source_Info  i2s  Ctrl-F12   2
    I2S_Save_NMS     i2s  Shift-F12  1
    I2S_Conversion   i2s  F12        0

NOTICE: If any IDA command already uses one of the hot-keys above, you can change that command's hot-key to something else in idagui.cfg in the IDA dir.

I2S_Conversion - Key: F12
  It creates the NMS file and loads it directly into SIce. When this option is used, the plugIn will always add the source listing to the NMS file (packed NMS).

I2S_Save_NMS - Key: Shift-F12
  It creates the NMS file and saves it. This is very useful, as creation of symbols sometimes takes really long (especially for some M$ dlls). So you can save it and use it the next time you need it.
  When saving the database:
  -If you have 'Add source listing to NMS file' checked (read under I2S_Setup), then everything will be saved in the nms file.
  -If you have 'Add source listing to NMS file' unchecked (read under I2S_Setup), then a directory will be created with the name 'databaseName source'. All source files will be saved to this directory.
  NOTICE: You can define a standard export directory for every database you save, or you can set the export directory just for the current database. Read about this under I2S_Setup.

I2S_Source_Info - Key: Ctrl-F12
  It includes source files info. In 'Source files definition' you can enable/disable the source files that you want (or don't want) in your nms database (you can drastically lower the size of the nms file and the memory needed for source files in SIce). If you want to disable all source listing, you can do that in the 'Setup Window'.
  If you double click on a source file, a DialogBox will open with the file info. You can change the file name (default file names are made as: seg%Dfile%D.asm).
  Notice: Only asm extensions are allowed (the plugIn will automatically add the extension if you forget it).
  Notice2: File names can be only 31 chars long (you will get an error if this is not true).
  You can enable/disable just the current source file's symbols and/or source listing.
  Notice: Other options in the "Source File Information" DBox aren't written yet, so you will have to wait for the next version. (I don't know if this will ever be done.)

I2S_Setup - Key: Ctrl-F12 -> double click on the 'I2S Setup Window' line (1st one), OR you can select it from the plugIn menu.
  It includes I2S setup info.

  NMS File Path:
  -With this path you can define the export directory for nms files (I2S_Save_NMS).
   This directory can be the export directory for the current database only.
   To set this: define 'NMS File Path' -> 'Ok' button.
   Notice: If you change the export directory, I2S will ask you if you want to change the export directory to the current one.
   This directory can also be the default directory for every new IDA database.
   To set this: define 'NMS File Path' -> 'Set Default' button (be careful, this button sets other things too -> read below).
  -The 'Use project's saving directory' option sets the NMS directory to the same directory as the project's one. You can set it as the default option.

  Input File Path:
  -You can change the input file path saved in the IDA database. This is useful if SIce has problems with recognizing (attaching) symbols to your file.
   Reason: If breakpoints don't work, check if your exe (dll,..) name is exactly the same as that of the nms file. It's best for the name to be only 8 chars long (not counting the extension). If you have an IDA database that already uses a long program name, then rename the input file name (in the Setup DBox) and the executable to the same name.
   Notice: This shouldn't happen for system files (or dlls), as they normally use short names. If somebody has a system file or dll whose file name is more than 15 chars long, please contact me.
  NMS Database:
  -Create Source Files: You can enable/disable creation of source files with this flag.
  -'Add source listing to NMS file' makes I2S append the source listing to the nms file. (Loader32: Package source)

  Defaults:
  -Always Use Default Values
   If you want every new IDA database to use the current settings as default values, then check the flag and press the 'Set Default' button. If this flag is unchecked, the plugIn will open the Setup DBox the first time you use I2S on a new database, so that you will be able to set the appropriate paths/flags.

  Fix Import Names:
  -This button checks all the import names for an appended '__fileName' string and removes it. All this is done automatically now, so this will be removed in the next version.

2nd Using the plugIn:

NAMES:
-You can have spaces in your names if you want. The plugIn replaces them with '_', so in SIce you will have '_' in place of spaces.
   e.g. name in IDA  -> 'my name'
        name in SIce -> 'my_name'
 This is because SIce uses spaces as separators.
-SoftIce supports the extended ASCII table, so you can use those characters too. This is not so useful for names, but it's a great feature for anterior and posterior lines.
-Demangled/Mangled names:
 If you are using mangled names in IDA, then the plugIn will use those as the symbol name. But this can cause a problem in SIce, because SIce doesn't support some characters ( '(',... ).
   e.g. WinMain(x,x,x,x) <-It's a mangled name and not the right procedure name.
 But because the plugIn retrieves mangled names, it will set 'WinMain(x,x,x,x)' as the procedure name -> impossible to set a break point in SIce.
 So to use mangled names in IDA and still be able to set break points in SIce, you have to check 'Inhibit everything except the main name' in the short version of the demangled names menu.
 How to:
   IDA->Options(menu)->Demangled Names...(menu item)->dBox will open->
   ->press 'Setup Short Names'->dBox will open->
   ->check 'Inhibit everything except the main name' (it's the 1st option)->press 'Ok'.
 NOTICE: I'm not sure if ':' is set as allowed by default in IDA (user names), but SIce can handle it. This means that in SIce you can write something like 'u areacb_t::choose_area2' and everything will work as it should. If ':' is not allowed, you can add ':' to the 'NameChars' variable in the ida.cfg file (IDA directory).
 NOTICE2: Almost all new IDA databases use some form of mangled names, so you have to set 'Inhibit everything except the main name' as the default value for new databases.
 How to:
   In ida.cfg go to the line that includes the 'ShortNameForm' variable.
   Default value is 0x001BBE61
   set it to        0x001BBE69 <-MNG_SHORT_FORM = (MNG_NODEFINIT|...).

REGISTERS:
-You can rename function registers to some useful name and you will see that name in SIce.
 NOTICE: Only standard registers are supported (from al to edi, no FPU or similar).
 You can have a new register name on every instruction in a procedure (not really, as IDA crashes if you try to rename a register on only one line -> select at least two lines).
 PROBLEM: Without source included, when in SIce, you will only see the name of the first register (SIce will rename the selected register (to the first name) in the whole function). But notice that the other names will still work, so you can still use SIce commands on every name.
 You can use a register as a value or as a pointer to a structure.
 If the register comment is not present, then the plugIn will assume that the register is a value.
 If the register comment is present, then the plugIn will assume that the register is a pointer to a 'structure' -> the type defined in the comment.
   e.g. Old name = ecx
        New name = this
        Comment  = class_SetSoftIce <-class_SetSoftIce is a structure defined in IDA (be careful, case sensitive)
 PROBLEM: Without source included, when in SIce, you will only see register names that represent a value. BUT if a register is used as a pointer, the '?','d',... SIce commands will still work.
   e.g.
        '?this' will show all variables of the class_SetSoftIce structure
   ex1: '?this->currentIndex' will show the value of currentIndex
   ex2: struc myStruc2 {
          dw var1;
          dw var2;
        };
        struc myStruc {
          dw var1;
          myStruc2 part2;
        }
        'pMyStruc->part2' will show the values of the myStruc2 structure
 NOTICE: You can use '.' in place of '->' and the commands will still work.
 Notice: If you want to use a pointer to a variable length structure, you also need to define the length of the last variable.
   e.g. _strings [5]

SOURCE FILES:
-You can see the IDA listing in SIce. Comments and other sweet stuff can now be seen in SIce. :) (SIce supports the extended ASCII table, so you can use those characters too.)
 ADVICE: SoftIce cuts very long lines, so use anterior and posterior lines for your longer comments. Besides, it's annoying to move the SoftIce source screen left and right all the time.
 Read how to enable source listing in the I2S_Setup and I2S_Source_Info short keys section ('Setting the plugIn').

 Segment alignment:
 Only code segments are source listing bearers. The source of all the other segments is appended to them.
   e.g. segments in IDA:

   1     2     3     4     5      6     7     8     9     10    11
   DATA, DATA, CODE, DATA, IDATA, CODE, DATA, CODE, DATA, CODE, CODE

 You will have 5 source bearers -> seg1fileX.asm, seg6fileX.asm, seg8fileX.asm, seg10fileX.asm, seg11fileX.asm
   In seg1fileX.asm you will have the listing from DATA(1), DATA(2), CODE(3), DATA(4), IDATA(5)
   In seg6fileX.asm you will have the listing from CODE(6), DATA(7)
   In seg8fileX.asm you will have the listing from CODE(8), DATA(9)
   In seg10fileX.asm you will have the listing from CODE(10)
   In seg11fileX.asm you will have the listing from CODE(11)
 This means that the listing of every segment up to the first code segment, and of every segment after it up to the next code segment, will be in the first code segment's listing. Every other code segment will hold only its own listing and the listings of the DATA segments that follow it, up to the next code segment.
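
 The grouping rule above, written out as a short Python sketch. This is an added example, not code from the plugIn; the function names are hypothetical, and the behaviour for a database with no code segment at all is an assumption, since the text does not describe that case.

```python
# Added illustration, not the plugIn's own code: the segment-to-source-file
# grouping rule from the "Segment alignment" section.

def group_source_bearers(segment_classes):
    """Return [(bearer_number, [segment numbers listed in that file]), ...].

    segment_classes holds the class of each segment in IDA order; segment
    numbers start at 1, as in the README example.
    """
    groups = []
    pending = []  # segments seen before the first CODE segment
    for number, seg_class in enumerate(segment_classes, start=1):
        if seg_class.upper() == "CODE":
            if not groups:
                # Per the README example, the first file absorbs everything
                # before the first CODE segment and is numbered after the
                # first segment in its listing (seg1, not seg3).
                members = pending + [number]
                groups.append((members[0], members))
            else:
                groups.append((number, [number]))
        elif groups:
            groups[-1][1].append(number)  # trailing non-code segment
        else:
            pending.append(number)
    # Assumption: with no CODE segment there is no bearer, so nothing is listed.
    return groups


def describe_listing(segment_classes):
    """Map each bearer file name to the 'CLASS(n)' entries it will contain."""
    plan = {}
    for bearer, members in group_source_bearers(segment_classes):
        # 'X' stands for the file index, written the way the README writes it.
        name = f"seg{bearer}fileX.asm"
        plan[name] = [f"{segment_classes[n - 1]}({n})" for n in members]
    return plan


# Segment order taken from the README example.
README_SEGMENTS = ["DATA", "DATA", "CODE", "DATA", "IDATA", "CODE",
                   "DATA", "CODE", "DATA", "CODE", "CODE"]

if __name__ == "__main__":
    for file_name, listing in describe_listing(README_SEGMENTS).items():
        print(f"In {file_name}: {', '.join(listing)}")
```

 Running it prints the same five "In segNfileX.asm" lines as the example above, which is a quick way to predict which .asm file a given DATA segment's listing will end up in before enabling or disabling files under I2S_Source_Info.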