Softice - how do I return to calling code?


sync
August 19th, 2002, 16:17
I've read several tutorials that suggest breaking on a Windows message api and when the break brings up SI, to use F11 to return to the calling code. When I use F11 I exit SI.

In the SI manual it says that F11 is the 'G' command and that the 'G' command, when used without any parameters, is the same as the 'X' command.

So what command is used to return to the calling code? I thought that F12 (P RET) would work, but it also exits SI.

DakienDX
August 19th, 2002, 19:57
Hello sync !

Yes, the G command is the same as the X command if used without parameters.

But normally the F11 command is "G @SS:ESP" which stands for "run the program until you get to the memory location where SS:ESP points to".

This works fine if you're at the beginning of a Windows API. But as soon as something changes the stack pointer (because of "Push ???" or "Sub ESP, ???"), the location @SS:ESP will not contain your return address but usually some useless code.

However, F12 (P RET) should work fine with APIs. It exits the SoftICE window and runs the program until it reaches a "RET" command and pops up SoftICE again. However, if there is no RET command or depending on the protection used in the program, it will not stop.

sync
August 19th, 2002, 20:28
Hello DakienDX,

Thanks for explaining "G @SS:ESP". I guess since I didn't understand what "@SS:ESP" meant, I only wrote down that F11 = "G". duh

I found something that seems to explain the problem I'm having. I don't understand most of it, but will try if it works.


GetWindowTextA uses the _stdcall calling convention. That means that arguments will be pushed right to left. Since SoftICE pops up before the prologue code is executed, the EBP stack frame isn't set up yet. So we have to use ESP to address the arguments. Here's how the stack will look when SoftICE pops up :-

...
[ESP+0Ch] - nMaxCount
[ESP+08h] - lpString
[ESP+04h] - hwnd
[ESP+00h] - return EIP

When the function returns, GetWindowTextA will place the text it retrieved at the location pointed to by lpString (LPTSTR is a long pointer to a null-terminated string). Thus, we have to use SoftICE's indirection operator (it's the * character, same as in the C language). For example, the command :-

D *(esp+8)

This means, "show in the data window the location pointed to by the content of esp+8". Since this is a very common operation, SoftICE has a shorthand for it: esp->8. Alright then, now we can set a breakpoint such as this :-

BPX getwindowtexta DO "D esp->8;"

When we hit F12, we return to the caller and the text we entered will sit nicely at the top of the data window, waiting for us to set up a BPR with it. Why don't we do a return to the caller automatically? Well, in my case, the screen flashes, and I hate it. But, if you want to try, you can set the breakpoint as :-

BPX getwindowtexta DO "D esp->8;P RET;"
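To make the stack layout and the "esp->8" shorthand from the quoted passage concrete, here is an added example (not part of the thread and not SoftICE code): a tiny 32-bit stack model in Python that performs the _stdcall pushes, reads the arguments ESP-relative as the BPX would, dereferences ESP+8 the way "D esp->8" does, and then models the "P RET" step. All addresses, handle values and the window text are constructed.

```python
import struct

class Stack32:
    """Tiny little-endian 32-bit memory model with an ESP register (constructed)."""
    def __init__(self, esp=0x0012FF80):
        self.mem = {}   # byte address -> byte value; unmapped bytes read as 0
        self.esp = esp

    def write32(self, addr, value):
        for i, b in enumerate(struct.pack("<I", value & 0xFFFFFFFF)):
            self.mem[addr + i] = b

    def read32(self, addr):
        return struct.unpack("<I", bytes(self.mem.get(addr + i, 0) for i in range(4)))[0]

    def write_bytes(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b

    def read_cstr(self, addr):
        out = bytearray()
        while self.mem.get(addr, 0):
            out.append(self.mem[addr])
            addr += 1
        return out.decode("latin-1")

    def push(self, value):
        self.esp -= 4
        self.write32(self.esp, value)

    def call_stdcall(self, args, return_eip):
        # _stdcall: arguments are pushed right to left, then CALL pushes the return EIP
        for a in reversed(args):
            self.push(a)
        self.push(return_eip)

def breakpoint_view(hwnd, lpstring, nmaxcount, return_eip, window_text):
    """What 'BPX getwindowtexta DO "D esp->8;P RET;"' sees, step by step (model)."""
    st = Stack32()
    st.call_stdcall([hwnd, lpstring, nmaxcount], return_eip)
    # At the BPX the prologue has not run, so the arguments are reached via ESP only.
    args = {"return EIP": st.read32(st.esp), "hwnd": st.read32(st.esp + 4),
            "lpString": st.read32(st.esp + 8), "nMaxCount": st.read32(st.esp + 0xC)}
    # "D esp->8" is shorthand for "D *(esp+8)": take the dword at ESP+8 as a pointer.
    data_window = st.read32(st.esp + 8)
    # "P RET": the API copies the window text into the caller's buffer and returns;
    # a _stdcall RET 0Ch also removes the three arguments from the stack.
    st.write_bytes(data_window, window_text.encode("latin-1")[:nmaxcount - 1] + b"\0")
    st.esp += 4 + 4 * 3
    return {"args": args, "data_window": data_window,
            "text": st.read_cstr(data_window), "esp_after_ret": st.esp}
```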

DakienDX
August 19th, 2002, 20:38
Hello sync !

The "@" and "*" signs do the same in SoftICE. I just use "@" because it's easier to find for me on the keyboard (just my personal opinion).

The text passage you found does not explain why your "P RET" or "G @SS:ESP" doesn't work. You'll have to try yourself a bit. Sometimes breakpoints don't work depending on OS and SoftICE installation.

But the text you found will help you to start with basic cracking.

sync
August 19th, 2002, 22:03
Quote:
Originally posted by DakienDX
The text passage you found does not explain why your "P RET" or "G @SS:ESP" doesn't work.

Yes, after reading it again, I see that now.

I've tried a bunch of tutorials and none of them work on my system the way they are supposed to.

Manko
August 20th, 2002, 00:16
I had the same problem... sort of?
I was using softice 4.05 for nt on a w2k.
f10,f11 and f12 would NOT work as they ought to do...
I upgraded to softice 4.25 from the driver studio package and now it works like a charm! ...

/Manko