Log in

View Full Version : SoftICE search function ?

spuTniK
October 3rd, 2002, 12:28
Yo guyz, who can tell me wether it is possible to find each location of a (equal) String in the memory with the Sice search-function ?

My problem is :
I was searchin for a Fakeserial "112233" with the command
s 0 L FFFFFFFF "112233", but I was only shown one Adress in the DataSegment where this String was stored, although it was stored at another location ( in the same Segment ) too.
So what can I do to find the other(s) ?

Thx for Help,
spuTniK
xor37h
October 3rd, 2002, 12:55
easy answer

type:

s

to search for next occurence...

xor37h
spuTniK
October 3rd, 2002, 13:25
Thanx a lot for answering ( so fast ), xor37h

ciao spuTniK
Snatch
October 3rd, 2002, 19:21
My question is how do I have Softice not search its own memory with that command. I mean the string you pass to the s command is stored in Softice memory and finding it annoys me .

Snatch
Kayaker
October 3rd, 2002, 20:30
Quote:
Originally posted by Snatch
My question is how do I have Softice not search its own memory with that command. I mean the string you pass to the s command is stored in Softice memory and finding it annoys me .

Snatch


Well, it may annoy you Snatch, but you should be grateful for it. Consider it like a seatbelt or set of brakes on a car. Have you ever continued a search with the 'S' command beyond SI memory? Odds are if you're using an upper address limit of FFFFFFFF you'll eventually hang your system when it just can't seem to find that very last occurence of the string.

Unless you're specifically scanning C0000000 and above, then if you ain't found your string by then, you ain't gonna find it. So take the forced stop in Softice memory as a blessing and get the hell out of the 'S' search function, if you know what I mean.

Try it sometime, then see if it's any less annoying than having to reboot

Kayaker
Snatch
October 4th, 2002, 05:44
Well I did not know Softice was at the end of the address range. Just recently when I was playing around with IEXPLORE.EXE in memory of course it loads a bunch of DLLs to do the dirty work but I was searching for all occurances of MSIE and replacing them with NOMS and of course I did land in Softice address space searched again and it came up with the same string later in Softice address space and kept doing it probably because I was going through the entire command history. Then I decided to push the start address up and your absolutely right. Crash and reboot. Still do not understand why that happens. But I guess your right it is a good thing .

Snatch