Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Softice - how do I return to calling code? (https://forum.exetools.com/showthread.php?t=1329)

sync 08-20-2002 03:02

Softice - how do I return to calling code?
 
I've read several tutorials that suggest breaking on a Windows message api and when the break brings up SI, to use F11 to return to the calling code. When I use F11 I exit SI.

So what command is used to return to the calling code? I thought that F12 (P RET) would work, but it also exits SI.

[email protected] 08-20-2002 04:25

two questions for ya

1. what operating system are you using?

2. what version of S-ice?


[email protected]

sync 08-20-2002 05:00

I'm using XP and SI DriverStudio 2.6.

NE1 08-20-2002 11:01

It is the F11 key as you thought, but it is not working for many people who use Win XP. There was a workaround for it, but I cannot remember exactly what it was. It had to do with, manually setting the breakpoint, but I do not remember the syntax.

NE1 08-20-2002 20:58

BTW: I forgot to mention. Check your winice.dat and make sure it reads:
F11="^G @SS:ESP;"
Also note that changes to winice.dat may not take effect until you reboot.
Although I have other problems related to using Softice in Win XP, F11 does work for me.

saierdia 08-21-2002 10:44

default is the key F12

NE1 08-21-2002 11:03

Hmm, not sure why F12 is default for you, but it has always been F11 for me (from default install), and F12 is the Step until a return command ("^p ret;").

Snatch 08-21-2002 14:30

There are certain cases when debugging operating system files where F12 will lure you back to the system and, though I am not sure what happens there, I think there's a reason it exits. Just keep hitting F12... eventually you will be out of SoftICE. Not sure of the specifics for this, but it is true.

Snatch

NE1 08-21-2002 23:40

Remember, the original question was How to return to calling code, not return from calling code, for example, you set a breakpoint on an api and you want to see who or where the api was called from. That is where you would use F11.
On a side note: (so there is no confusion)
Taken straight from Softice's help file.
Default Function Key Assignments
F1 = H;
F2 = ^WR;
F3 = ^SRC;
F4 = ^RS;
F5 = ^X;
F6 = ^EC;
F7 = ^HERE;
F8 = ^T;
F9 = ^BPX;
F10 = ^P;
F11 = ^G @SS:ESP;
F12 = ^P RET;
SF3 = ^FORMAT;
AF1 = ^WR;
AF2 = ^WD;
AF3 = ^WC;
AF4 = ^WW;
AF5 = CLS;
AF11=dd dataaddr->0;
AF12=dd dataaddr->4;

sync 08-22-2002 04:55

Is the address of the calling code stored in ESP?

NE1 08-22-2002 06:16

To answer sync's question, if you looked up CALL on a learning assembly site (like Randall Hyde's Art of Assembly Language Programming) you would see that the CALL instruction Pushes the offset of the next instruction following the call onto the stack.
As ESP is just a pointer to the top of the stack, the offset is stored at the address in ESP. So the answer to your question is yes, except that it is not the caller's address, but the address of the next instruction following the call.

As for some of the other stuff in this thread.
You may have noticed that I edited my last message and removed that part where I was trying to explain the difference between F11 and F12 in softice. I did this because it is hard to explain and I wasn't really explaining it right.
My answer to this question better explains what F11 does.
F12 is harder to explain because it is thread specific, but basically it executes one program step until it finds a return (within the current thread), and in the case of loops, or calls, etc., it runs the entire routine before returning control to softice. In a case where you are within a function (call) within your program (with the same thread, i.e. not an api call), then you would return at the next instruction following the call instruction.
Now, if you're in an API call, you are in a different thread, so using F12 will look for the return in that thread, which is not necessarily the return to the program that called it (as some API functions call other API functions, etc.). Mix that in with Windows trying to manage everything, and providing time slices for all the different applications, etc., and you could end up anywhere, and that is why sometimes when you hit F12 you end up skipping right over whatever your program was doing (i.e. it acts almost like you hit F5). SoftICE may not pop back up for a while, because it is basically single stepping through every instruction, and in a long routine, it can take a long time. Anyway, that is the best I can explain it right now. Hopefully, I explained it enough to give a basic understanding of the differences between F11 and F12 (as they are set up by default in SoftICE).

sync 08-22-2002 07:43

Quote:

Originally posted by NE1
As ESP is just a pointer to the top of the stack, the offset is stored at the address in ESP. So the answer to your question is yes, except that it is not the caller's address, but the address of the next instruction following the call.

Thanks NE1. That makes sense.

I did a 'bpx getwindowtexta'. Then I selected a menu to enter a password. When SI popped up on the breakpoint I wrote down the value of ESP. Then I entered a bpx using the value in ESP. Then I selected the menu item again, got the password window, selected 'OK' and the breakpoint wasn't triggered. What am I missing?

NE1 08-22-2002 08:10

I think you just didn't understand the wording I used.

Quote:

the offset is stored at the address in ESP
ESP is a pointer to the top of the stack. This means it holds the address of the stack, not the data that is on the stack (just the location where the data is). So to get the address you are looking for, you would type d esp, and in the data window you would see the address you need. It will be written from right to left. So you would read the first 4 bytes listed in the data window from right to left. So if the data window listed, say, E0 C8 53 00 as the first four bytes, the actual address would be 0053C8E0.

Also, don't forget that this is what F11 does for you in SoftICE. So the easier way to do it would be to set your breakpoint on getwindowtexta. When SoftICE pops up, hit F11, and you will land on that address (the address that was in ESP). Then you can manually set the bpx on the current address (type it in or double click on the line), if you need to use it again (as F11 just sets a one shot breakpoint). Then next time you choose your menu item, you will skip that call to getwindowtexta, and SoftICE will pop up on the line right after that call.


EDIT: Oops, just noticed that you were the person that originally started this thread, and thus F11 may not be working for you. If it is not, then just ignore the second part of this message and do it the way I explained in the first paragraph. (Also double check that the F11 key is set up correctly in winice.dat. Once again it should read F11="^G @SS:ESP;" with the quotes. Winice.dat should be in your WINDOWS/SYSTEM32/DRIVERS folder and can be edited with any text editor.)
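The two points NE1 makes above (CALL pushes the address of the instruction after the CALL, so [ESP] on entry to the callee is where execution resumes; and the four bytes shown in the data window are read little-endian, right to left) can be checked with a small model. The following C program is an added example and is not from the thread or from SoftICE: it parses a constructed "d esp" byte line (bytes only, without the leading address column SoftICE prints) and simulates CALL/RET on a toy stack. All addresses (0x0053C8DB for the CALL, 0x7E400000 as the callee, the STACK_BASE) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Decode a 32-bit value stored little-endian (x86 byte order), which is
 * why "E0 C8 53 00" in the data window reads back as 0x0053C8E0. */
uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the first four hex bytes of a data-window line given as text
 * like "E0 C8 53 00 ..." (constructed format: bytes only, no address
 * column) and return them as the dword at ESP.  Returns 0 when the line
 * does not start with four hex byte values. */
uint32_t dword_from_dump_line(const char *line)
{
    unsigned b[4];
    if (sscanf(line, "%2x %2x %2x %2x", &b[0], &b[1], &b[2], &b[3]) != 4)
        return 0;
    uint8_t raw[4] = { (uint8_t)b[0], (uint8_t)b[1], (uint8_t)b[2], (uint8_t)b[3] };
    return read_le32(raw);
}

/* Minimal model of the x86 stack around CALL and RET.  STACK_BASE is the
 * (constructed) address of mem[0]; the stack grows downward toward it. */
#define STACK_BASE  0x0012FF00u
#define STACK_SLOTS 16

typedef struct {
    uint32_t mem[STACK_SLOTS]; /* simulated stack memory, one dword per slot */
    uint32_t esp;              /* byte address of the top of the stack */
    uint32_t eip;              /* address of the next instruction to execute */
} cpu_t;

static uint32_t *slot(cpu_t *c, uint32_t addr)
{
    return &c->mem[(addr - STACK_BASE) / 4];
}

static void sim_push(cpu_t *c, uint32_t v) { c->esp -= 4; *slot(c, c->esp) = v; }
static uint32_t sim_pop(cpu_t *c) { uint32_t v = *slot(c, c->esp); c->esp += 4; return v; }

/* Empty stack: ESP sits one past the highest slot. */
void cpu_init(cpu_t *c, uint32_t eip)
{
    for (int i = 0; i < STACK_SLOTS; i++) c->mem[i] = 0;
    c->esp = STACK_BASE + STACK_SLOTS * 4;
    c->eip = eip;
}

/* CALL: push the address of the instruction *after* the CALL (eip plus
 * the CALL's encoded length), then jump to the target. */
void sim_call(cpu_t *c, uint32_t call_len, uint32_t target)
{
    sim_push(c, c->eip + call_len);
    c->eip = target;
}

/* RET: pop that saved address back into EIP. */
void sim_ret(cpu_t *c) { c->eip = sim_pop(c); }

/* The dword at ESP on entry to the callee: what F11's "^G @SS:ESP"
 * reads and what "bpx *esp" sets a breakpoint on. */
uint32_t return_address_at_esp(cpu_t *c) { return *slot(c, c->esp); }

/* A 5-byte CALL (E8 rel32) at 0x0053C8DB into a constructed API entry
 * point; report what the callee sees at ESP. */
uint32_t demo_return_address(void)
{
    cpu_t cpu;
    cpu_init(&cpu, 0x0053C8DBu);
    sim_call(&cpu, 5, 0x7E400000u);
    return return_address_at_esp(&cpu);
}

/* Same scenario carried through RET; report where execution resumes. */
uint32_t demo_eip_after_ret(void)
{
    cpu_t cpu;
    cpu_init(&cpu, 0x0053C8DBu);
    sim_call(&cpu, 5, 0x7E400000u);
    sim_ret(&cpu);
    return cpu.eip;
}

int main(void)
{
    /* Constructed data-window line, bytes as SoftICE would list them. */
    const char *dump = "E0 C8 53 00 00 00 00 00 8C 20 03 00 10 00 00 00";
    printf("dword at ESP from dump:   %08X\n", dword_from_dump_line(dump));
    printf("[ESP] on entry to callee: %08X\n", demo_return_address());
    printf("EIP after RET:            %08X\n", demo_eip_after_ret());
    return 0;
}
```

Both paths land on 0x0053C8E0: the value decoded from the bytes is the same value CALL pushed, which is the address F11 jumps to and the one to use in a manual bpx. The model ignores the CALL's own 5 bytes only in the sense that `call_len` is passed in; a near relative CALL is 5 bytes, so the saved address is the CALL's address plus 5.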

sync 08-22-2002 09:03

Yes, that works now. It's great to be actually making some progress. Thanks!

sync 08-22-2002 10:35

Quote:

Originally posted by NE1
ESP is a pointer to the top of the stack. This means it holds the address of the stack, not the data that is on the stack (just the location where the data is). So to get the address you are looking for, you would type d esp, and in the data window you would see the address you need. It will be written from right to left. So you would read the first 4 bytes listed in the data window from right to left. So if the data window listed, say, E0 C8 53 00 as the first four bytes, the actual address would be 0053C8E0.
I found a shortcut for doing this: bpx *esp

