Exetools  
  #1  
Old 08-20-2002, 03:02
sync
Softice - how do I return to calling code?

I've read several tutorials that suggest breaking on a Windows message api and when the break brings up SI, to use F11 to return to the calling code. When I use F11 I exit SI.

So what command is used to return to the calling code? I thought that F12 (P RET) would work, but it also exits SI.

Last edited by sync; 08-20-2002 at 05:10.
  #2  
Old 08-20-2002, 04:25
two questions for ya

1. what operating system are you using?

2. what version of S-ice?

  #3  
Old 08-20-2002, 05:00
sync
I'm using XP and SI DriverStudio 2.6.
  #4  
Old 08-20-2002, 11:01
NE1
It is the F11 key as you thought, but it is not working for many people who use Win XP. There was a workaround for it, but I cannot remember exactly what it was. It had to do with manually setting the breakpoint, but I do not remember the syntax.

Last edited by NE1; 08-20-2002 at 11:11.
  #5  
Old 08-20-2002, 20:58
NE1
BTW: I forgot to mention. Check your winice.dat and make sure it reads:
F11="^G @SS:ESP;"
Also note that changes to winice.dat may not take effect until you reboot.
Although I have other problems related to using Softice in Win XP, F11 does work for me.
  #6  
Old 08-21-2002, 10:44
saierdia
default is the key F12
  #7  
Old 08-21-2002, 11:03
NE1
Hmm, not sure why F12 is default for you, but it has always been F11 for me (from the default install), and F12 is the Step-until-a-return command ("^p ret;").
  #8  
Old 08-21-2002, 14:30
Snatch
There are certain cases when debugging operating system files where F12 will lure you back into the system, and though I am not sure what happens there, I think there's a reason it exits. Just keep hitting F12... eventually you will be out of SoftICE. Not sure of the specifics for this, but it is true.

Snatch
  #9  
Old 08-21-2002, 23:40
NE1
Remember, the original question was How to return to calling code, not return from calling code, for example, you set a breakpoint on an api and you want to see who or where the api was called from. That is where you would use F11.
On a side note: (so there is no confusion)
Taken straight from Softice's help file.
Default Function Key Assignments
F1 = H;
F2 = ^WR;
F3 = ^SRC;
F4 = ^RS;
F5 = ^X;
F6 = ^EC;
F7 = ^HERE;
F8 = ^T;
F9 = ^BPX;
F10 = ^P;
F11 = ^G @SS:ESP;
F12 = ^P RET;
SF3 = ^FORMAT;
AF1 = ^WR;
AF2 = ^WD;
AF3 = ^WC;
AF4 = ^WW;
AF5 = CLS;
AF11 = dd dataaddr->0;
AF12 = dd dataaddr->4;

Last edited by NE1; 08-22-2002 at 05:26.
  #10  
Old 08-22-2002, 04:55
sync
Is the address of the calling code stored in ESP?
  #11  
Old 08-22-2002, 06:16
NE1
To answer sync's question, if you looked up CALL on a learning assembly site (like Randall Hyde's Art of Assembly Language Programming) you would see that the CALL instruction Pushes the offset of the next instruction following the call onto the stack.
As ESP is just a pointer to the top of the stack, the offset is stored at the address in ESP. So the answer to your question is yes, except that it is not the caller's address, but the address of the next instruction following the call.

As for some of the other stuff in this thread.
You may have noticed that I edited my last message and removed that part where I was trying to explain the difference between F11 and F12 in softice. I did this because it is hard to explain and I wasn't really explaining it right.
My answer to this question better explains what F11 does.
F12 is harder to explain because it is thread specific, but basically it executes one program step until it finds a return (within the current thread), and in the case of loops, or calls, etc., it runs the entire routine before returning control to softice. In a case where you are within a function (call) within your program (with the same thread, i.e. not an api call), then you would return at the next instruction following the call instruction.
Now, if you're in an API call, you are in a different thread, so using F12 will look for the return in that thread, which is not necessarily the return to the program that called it (as some API functions call other API functions, etc.). Mix that in with Windows trying to manage everything, and providing time slices for all the different applications, etc., and you could end up anywhere, which is why sometimes when you hit F12 you end up skipping right over whatever your program was doing (i.e. it acts almost like you hit F5). SoftICE may not pop back up for a while, because it is basically single stepping through every instruction, and in a long routine, it can take a long time. Anyway, that is the best I can explain it right now. Hopefully I explained it enough to give a basic understanding of the differences between F11 and F12 (as they are set up by default in SoftICE).
  #12  
Old 08-22-2002, 07:43
sync
Quote:
Originally posted by NE1
As ESP is just a pointer to the top of the stack, the offset is stored at the address in ESP. So the answer to your question is yes, except that it is not the caller's address, but the address of the next instruction following the call.
Thanks NE1. That makes sense.

I did a 'bpx getwindowtexta'. Then I selected a menu to enter a password. When SI popped up on the breakpoint I wrote down the value of ESP. Then I entered a bpx using the value in ESP. Then I selected the menu item again, got the password window, selected 'OK' and the breakpoint wasn't triggered. What am I missing?

Last edited by sync; 08-22-2002 at 08:02.
  #13  
Old 08-22-2002, 08:10
NE1
I think you just didn't understand the wording I used.

Quote:
the offset is stored at the address in ESP
ESP is a pointer to the top of the stack. This means it holds the address of the stack, not the data that is on the stack (just the location where the data is). So to get the address you are looking for, you would type d esp, and in the data window you would see the address you need. It will be written from right to left. So you would read the first 4 bytes listed in the data window from right to left. So if the data window listed, say, E0 C8 53 00 as the first four bytes, the actual address would be 0053C8E0.

Also, don't forget that this is what F11 does for you in SoftICE. So the easier way to do it would be to set your breakpoint on getwindowtexta. When SoftICE pops up, hit F11, and you will land on that address (the address that was in ESP). Then you can manually set the bpx on the current address (type it in or double click on the line) if you need to use it again (as F11 just sets a one-shot breakpoint). Then the next time you choose your menu item, you will skip that call to getwindowtexta, and SoftICE will pop up on the line right after that call.


EDIT: Oops, just noticed that you were the person who originally started this thread, and thus F11 may not be working for you. If it is not, then just ignore the second part of this message and do it the way I explained in the first paragraph. (Also double check that the F11 key is set up correctly in winice.dat. Once again it should read F11="^G @SS:ESP;" with the quotes. Winice.dat should be in your WINDOWS/SYSTEM32/DRIVERS folder and can be edited with any text editor.)

Last edited by NE1; 08-22-2002 at 08:26.
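The two points NE1 makes above (CALL pushes the address of the instruction after it, so [ESP] holds that address on entry to the callee, and the bytes shown by d esp are read right to left) as an added worked model in C; this is not code from the thread, and the stack contents and the 0x0053C8DB / 0x0053C8E0 addresses are constructed sample values:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy model of the x86 stack as SoftICE shows it with "d esp": a byte
   array holding little-endian dwords, with "esp" an offset into it. */
#define STACK_BYTES 64
typedef struct {
    uint8_t  mem[STACK_BYTES];
    uint32_t esp;              /* offset of the top of stack inside mem */
} Stack;

/* What CALL does: push the offset of the instruction following the CALL
   (the return address), so that ESP now points at it. */
void x86_call(Stack *s, uint32_t next_insn_addr) {
    s->esp -= 4;
    for (int i = 0; i < 4; i++)          /* low byte at the lowest address */
        s->mem[s->esp + i] = (uint8_t)(next_insn_addr >> (8 * i));
}

/* Read the dword at [ESP], i.e. the four bytes of "d esp" read right to left. */
uint32_t dword_at_esp(const Stack *s) {
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--)
        v = (v << 8) | s->mem[s->esp + i];
    return v;
}

/* Decode the first four bytes of a data-window line typed as text, e.g.
   "E0 C8 53 00", into the address they spell (0x0053C8E0 here). */
uint32_t decode_data_window(const char *hexbytes) {
    unsigned b[4];
    if (sscanf(hexbytes, "%2x %2x %2x %2x", &b[0], &b[1], &b[2], &b[3]) != 4)
        return 0;                         /* not a valid dump line */
    return (uint32_t)(b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24));
}

/* Constructed sample: a 5-byte CALL at 0x0053C8DB returns to 0x0053C8E0.
   Run the modelled CALL and hand back what "d esp" would show. */
uint32_t demo_return_address(void) {
    Stack s;
    memset(&s, 0, sizeof s);
    s.esp = STACK_BYTES;                  /* empty stack: top at the end */
    x86_call(&s, 0x0053C8E0u);
    return dword_at_esp(&s);
}

int main(void) {
    printf("[ESP] after CALL      = %08X\n", demo_return_address());
    printf("\"E0 C8 53 00\" decodes = %08X\n", decode_data_window("E0 C8 53 00"));
    return 0;
}
```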
  #14  
Old 08-22-2002, 09:03
sync
Yes, that works now. It's great to be actually making some progress. Thanks!

Last edited by sync; 08-22-2002 at 09:06.
  #15  
Old 08-22-2002, 10:35
sync
Quote:
Originally posted by NE1
ESP is a pointer to the top of the stack. This means it holds the address of the stack, not the data that is on the stack (just the location where the data is). So to get the address you are looking for, you would type d esp, and in the data window you would see the address you need. It will be written from right to left. So you would read the first 4 bytes listed in the data window from right to left. So if the data window listed say E0 C8 53 00 as the first four bytes. the actual address would be 0053C8E0.
I found a shortcut for doing this: bpx *esp