SoftIce
-------

Main window manipulations:
-------------------------
:SET                   - displays current preferences
:LINES n               - set the number of lines in the SoftIce window (28-128)
:WIDTH n               - set the number of columns in the SoftIce window (80-160)
:SET ORIGIN x y        - set SoftIce window position
Ctrl Alt Home          - reset SoftIce window position to 0, 0
Ctrl Alt C             - set SoftIce window position at the center

:WC size (Alt F3)      - Code
:WD size (Alt F2)      - Data
:WF size               - FPU Stack
:WL size               - Locals
:WR size (F2)(AltF1)   - Register (Display/Hide)(Open/Close)
                         (standing on a flag press 'Insert' to modify its value)
:WW size (Alt F4)      - Watch (watch variable, memory, register values)
:WS size               - Stack
:WX size               - Pentium 3 Registers

Alt C                  - go to Code window
Alt D                  - go to Data window
Alt L                  - go to Locals window
Alt R                  - go to Register window
Alt W                  - go to Watch window

Run-time Macros:
---------------
MACRO macro_name = "command1; command2; ... commandn"
                       - create or modify a macro (no semicolon after the last command)
MACRO macro_name = "command %#"
                       - pass a parameter to a macro command from the command line.
                         # - number of the argument. removed if no argument supplied
                         \", \%, \\ - to embed ", %, \ in the macro body use backslash
MACRO macro_name *     - delete a macro
MACRO *                - delete all macros
MACRO macro_name       - edit a macro
MACRO                  - list all macros

Commands:
--------
:FORMAT (Shift F3)     - change the format of the Data window
                         (byte, word, dword, short real, long real, 10-byte real)
:RS (F4)               - show program screen
:CLS (Alt F5)          - Clear Screen
:WATCH register        - watch register value in the Watch window
                         (:WATCH *register - register address etc.)
:D address             - address to view in Data window
:E                     - Edit data at the Data window
:H                     - help on all the SoftIce commands
:H "command"           - help on a specific command
:CLASS "appname"       - examines the classes registered by your application
:CLASS -X              - more specific information on window class definitions
:TABLE                 - displays all the symbol tables that are loaded
                         (currently active table is listed in bold)
:TABLE "tabname"       - makes your table the active symbol table
:SYM                   - display the symbols from the current symbol table
:U address             - go to instruction at current address
:.                     - go to instruction at current EIP
:A address             - assemble instruction directly into memory
:T (F8)                - trace one instruction (assembler or source)
                         (:T start_address count)
:SRC (F3)              - view mixed code (assembler to the source line)
:P (F10)               - step (executes one source line and returns only after it ends -
                         function call might take some time...)
:U .61                 - jump to line 61
:HERE (F7)             - execute from the current instruction to the instruction that
                         contains the cursor. set 'one-shot breakpoint' on the specified
                         address/source line
:G .61 (F11)           - go to (the same functionality as previous "U .line" and "HERE")
:BPX (F9)              - set 'sticky breakpoint' (inserts INT3 instruction into the code).
                         F9 again to clear the breakpoint
:BPX "function name" [IF expression] [DO "command1; command2;..."]
                       - expression (boolean) like ((ESP->4) == 0x100172),
                         command like macros
:BL                    - verify that the breakpoint is set (output - all breakpoints)
:X (F5)                - execute the instructions until the breakpoint triggers
:G                     - go to an address (:G start_address break_address)
:BL                    - view information about breakpoints that are currently set
:? .61                 - find the address for source line 61 (hexadecimal)
:P RET (F12)           - return to the point where current function was called
:BC index              - clear breakpoint (* - all breakpoints)
:BD index              - disable breakpoint (* - all breakpoints)
:BE index              - enable breakpoint (* - all breakpoints)
:HWND "process"        - handle (returns process handle. if it didn't return the desired
                         handle, exit SoftIce and repeat HWND)
:BPE handle_num        - breakpoint edit (to modify the existing breakpoint using the
                         handle that we received from HWND)
:G .61                 - obtain the pointer value for the window's instance
                         (Win32 API LocalLock function translates handle into a pointer
                         that can be used to access the window's instance data)
:BH                    - breakpoint history (you can set up to 256 breakpoints at once)
:BPM[B|W|D] address [R|W|RW|X] [debug register] [IF expression] [DO "command1;command2;..."]
                       - memory breakpoint
                         B (byte - by default BPM), W (word), D (double word)
                         R (read), W (write), RW (read/write),
                         X (execution - addresses that are not present)
                         debug register (which debug register to use)
:BPMD EAX              - set a memory breakpoint on the instance data pointer
                         (Win32 API functions return 32-bit values in EAX)
:BPINT interrupt_number [IF expression] [DO "command1;command2;..."]
                       - interrupt breakpoint (interrupt_number 0-255)
:BPIO port_number [R|W|RW] [IF expression] [DO "command1;command2;..."]
                       - I/O breakpoint. R (read - IN), W (write - OUT), RW (IN/OUT).
                         All port I/O use EAX register
:BMSG window_handle [L] [begin_message [end_message]] [IF expression] [DO "command1;command2;..."]
                       - window message breakpoint.
                         L (window message should be printed to the Command window
                         without popping into SoftICE)
                         begin_message (single/low message number - hexadecimal or
                         ASCII string WM_...)
                         end_message (higher message number)
:WMSG                  - list of messages SoftIce understands