How to retrieve values on the stack with SoftICE


chopin
November 4th, 2000, 08:36
I have a program that uses the Windows-function GetWindowText (exported by user32.exe)
The declaration is like this (stdcall calling convention):

int GetWindowText(
HWND hWnd, // handle to window or control with text
LPTSTR lpString, // address of buffer for text
int nMaxCount // maximum number of characters to copy
);

In SoftICE 4.05 I set "BPX GetWindowText" and wait.

On Breakpoint execution I would like to see
- the value of hWnd
- the value of lpString and the contents of the buffer
- the value of nMaxCount

After execution of the function I would like to see the above values again, plus the return value.

How to do that?

Amante4
November 4th, 2000, 10:03
Hi,

I usually do this to see stuff on the stack:

d esp->0
d esp->4
d esp->8
d esp->c

etc.....

Hope this helps,

amante4

?ferret
November 5th, 2000, 20:36
Another possibility is to scroll up in the code window just a bit when you break. Check out the values pushed (they will be in reverse order from the API ref, i.e. the last pushed is the 1st retrieved).

After the function..... the registers change colors when they change in SICE... simply check the ones that changed.

chopin
November 6th, 2000, 10:45
Ok, I managed to retrieve the values.
The first DWORD is at DD ESP+4,
the second at DD ESP+8, and so on.

Does anybody know what I can find at DD ESP+0?
And where is the return value stored after the RET?
(Or is the value beside the RET, like RET 0004, the return value?)

chopin

NchantA
November 6th, 2000, 11:11
chopin: a useful thing to do is to break just above the GetWindowText function. An easy way to do this is bpx getwindowtexta, then when it breaks, F11 to P RET to the caller. Then double-click or manually set a bpx above it. That way you can easily check each parameter pushed onto the stack as it happens.

I'm pretty sure GetWindowTextA puts its return value in EAX, so after you press F11 to get back to the program, check EAX's value.

From memory I have a feeling this is the size of the buffer read.

If however you want to pursue the operations of the stack, try using 'stack' in SoftICE, and if I remember correctly there is a stack window?? 'ws'? I'm afraid SICE isn't loaded on this box atm.

NchantA

DinDon
November 7th, 2000, 03:24
Quote:
Does anybody know what I can find at DD ESP+0?

The return address: the address of the instruction following the CALL. You will go there at the end of the subroutine, immediately after the RET instruction. The return address is automatically pushed on stack by the CALL itself.

Quote:
And where is the return value stored after the RET?

The return value is in the register EAX if it is 4 bytes long (as normally it is) or in AX if 2-bytes long, or in AL if 1-byte long. It will be stored there before the RET.

Quote:
Or is the value beside the RET, like RET 0004, the return value?

The value beside the RET is the number of bytes that were pushed before the CALL as arguments to the subroutine.
If, for example, an API subroutine has one argument, you will find a single PUSH before the CALL in order to put that argument on the stack. But who will clean the stack with the corresponding POP? That job will be done automatically by the RET 0004!

Hope it helps...
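Putting DinDon's three answers together, here is an added example (not code from any poster in this thread) that decodes a SoftICE "dd esp" line at a BPX on a stdcall API the way the thread describes: [ESP+0] is the return address pushed by CALL, [ESP+4] onward are the arguments in declaration order, and RET n pops n = 4 * (number of arguments). The dump line and its addresses are constructed for illustration; the parameter names come from the GetWindowText prototype quoted in the question.

```python
# Added example (not from the thread): label a SoftICE "dd esp" dump at a
# BPX on a stdcall API. [ESP+0] is the return address pushed by CALL,
# [ESP+4], [ESP+8], ... the arguments; RET n pops n = 4 * argument count.
import re

# Parameter names from the GetWindowText prototype quoted in the question.
GETWINDOWTEXT_PARAMS = ("hWnd", "lpString", "nMaxCount")

# Constructed sample of what "dd esp" might print at "BPX GetWindowText".
# Addresses and values are invented for illustration.
SAMPLE_DD_ESP = "0012F8A0  00401234 000A05C8 0012FA00 00000100"

DD_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{8}\s*)+)$")

def parse_dd_line(line):
    """Return (base_address, [dword, ...]) from one line of SoftICE dd output."""
    m = DD_LINE.match(line.strip())
    if not m:
        raise ValueError("not a dd line: %r" % line)
    base = int(m.group(1), 16)
    dwords = [int(tok, 16) for tok in m.group(2).split()]
    return base, dwords

def decode_stdcall_frame(line, params):
    """Label the dwords at ESP on entry to a stdcall function: offset 0 is the
    return address pushed by CALL, offset 4*i+4 is params[i] (pushed right to
    left by the caller, so they read back in declaration order)."""
    esp, dwords = parse_dd_line(line)
    if len(dwords) < len(params) + 1:
        raise ValueError("dump too short for %d parameters" % len(params))
    frame = [(0, "return address", dwords[0])]
    for i, name in enumerate(params):
        frame.append((4 * (i + 1), name, dwords[i + 1]))
    return frame

def ret_immediate(params):
    """The n in 'RET n' for a stdcall function: bytes of arguments to pop."""
    return 4 * len(params)

def esp_after_ret(esp_at_entry, params):
    """ESP once RET n has run: return address popped (+4) plus the arguments."""
    return esp_at_entry + 4 + ret_immediate(params)

if __name__ == "__main__":
    for off, name, val in decode_stdcall_frame(SAMPLE_DD_ESP, GETWINDOWTEXT_PARAMS):
        print("DD ESP+%X  %08X  %s" % (off, val, name))
    print("RET %04X" % ret_immediate(GETWINDOWTEXT_PARAMS))
```

The return value itself is not on the stack at all; as DinDon says, read it from EAX (or AX/AL for narrower types) once you are back at the return address.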