
Thread: How to retrieve values on the stack with SoftICE

  1. #1
    chopin
    Guest

    How to retrieve values on the stack with SoftICE

    I have a program that uses the Windows-function GetWindowText (exported by user32.exe)
    The declaration is like this (stdcall calling convention):

    int GetWindowText(
    HWND hWnd, // handle to window or control with text
    LPTSTR lpString, // address of buffer for text
    int nMaxCount // maximum number of characters to copy
    );

    In SoftICE 4.05 I set "BPX GetWindowText" and wait.

    On Breakpoint execution I would like to see
    - the value of hWnd
    - the value of lpString and the contents of the buffer
    - the value of nMaxCount

    After execution of the function I would like to see the above values again, plus the return value.

    How to do that?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Amante4
    Guest
    Hi,

    I usually do this to see stuff on the stack:

    d esp->0
    d esp->4
    d esp->8
    d esp->c

    etc.....

    Hope this helps,

    amante4

  3. #3
    ?ferret
    Guest
    Another possibility is to scroll up in the code window just a bit when you break. Check out the values pushed (they will be in reverse order from the API ref, i.e. last pushed is first retrieved).

    After the function... the registers change colors in SICE when they change, so simply check the ones that changed.

  4. #4
    chopin
    Guest
    OK, I managed to retrieve the values.
    The first DWORD is at DD ESP+4,
    the second at DD ESP+8, and so on.

    Does anybody know what I can find at DD ESP+0?
    And where is the return value stored after the RET?
    (Or is the value beside the RET, as in RET 0004, the return value?)

    chopin

  5. #5
    NchantA
    Guest
    chopin: a useful thing to do is to break just above the GetWindowText function. An easy way to do this is BPX GetWindowTextA; then, when it breaks, F11 to P RET to the caller, then double-click or manually set a BPX above it. That way you can easily check each parameter pushed onto the stack as it happens.

    I'm pretty sure GetWindowTextA puts its return value in EAX, so after you press F11 to get back to the program, check EAX's value.

    From memory I have a feeling this is the size of the buffer read.

    If however you are wanting to pursue the operations of the stack, try using 'stack' in SoftICE, and if I remember correctly there is a stack window?? 'ws'? I'm afraid SICE isn't loaded on this box atm.

    NchantA

  6. #6
    DinDon
    Guest
    Does anybody know what I can find at DD ESP+0?
    The return address: the address of the instruction following the CALL. You will go there at the end of the subroutine, immediately after the RET instruction. The return address is automatically pushed on stack by the CALL itself.

    And where is the return value stored after the RET?
    The return value is in the register EAX if it is 4 bytes long (as normally it is) or in AX if 2-bytes long, or in AL if 1-byte long. It will be stored there before the RET.

    Or is the value beside the RET, as in RET 0004, the return value?
    The value beside the RET is the number of bytes that were pushed before the CALL as arguments to the subroutine.
    If, for example, an API subroutine has one argument, you will find a single PUSH before the CALL in order to put that argument on the stack. But who will clean the stack with the corresponding POP? That job is done automatically by the RET 0004!

    Hope it helps...
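The stack layout the thread converges on, as an added example that is not from any of the posts: a small C model of the x86 stack at the moment BPX GetWindowText fires and again after the RET 0C that ends a three-argument stdcall function. The handle, buffer address, return address and window title are made-up values, the callee body is a stand-in for the real API, and the remarks about `d esp->8` refer to SoftICE's `->` dereference operator.

```c
/* Added example (not from the thread): a model of the x86 stack as SoftICE
 * shows it at "BPX GetWindowText" and after the stdcall RET 0C. All addresses,
 * the handle and the window title are made-up constants; no real window is used. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 64

/* Toy 32-bit stack: one DWORD per slot, grows downwards like the real one. */
typedef struct {
    uint32_t mem[STACK_WORDS];
    uint32_t esp;                 /* slot index of the top of stack */
} Stack;

static void stack_init(Stack *s) { memset(s, 0, sizeof *s); s->esp = STACK_WORDS; }

static void push(Stack *s, uint32_t v) {       /* PUSH v: SUB ESP,4 ; MOV [ESP],v */
    assert(s->esp > 0);
    s->mem[--s->esp] = v;
}

/* "DD ESP+off" in SoftICE: the DWORD at byte offset off above the stack top. */
static uint32_t dd_esp(const Stack *s, uint32_t off) {
    assert(off % 4 == 0 && s->esp + off / 4 < STACK_WORDS);
    return s->mem[s->esp + off / 4];
}

/* CALL pushes the address of the instruction following it, then jumps. */
static void call(Stack *s, uint32_t return_address) { push(s, return_address); }

/* RET n: pop the return address, then drop n bytes of arguments. stdcall is
 * callee-cleans, so a three-DWORD-argument API ends with RET 0C. */
static uint32_t ret_n(Stack *s, uint32_t n) {
    uint32_t return_address = s->mem[s->esp++];
    s->esp += n / 4;
    return return_address;
}

typedef struct {
    uint32_t at_esp0, hwnd, lpstring, nmaxcount; /* what DD ESP+0..C show at the BPX */
    uint32_t eax;                                /* return value, read after RET */
    uint32_t esp_before_push, esp_after_ret;     /* equal if RET n cleaned up */
    char     text[16];                           /* buffer contents after the call */
} Observed;

/* Caller side of GetWindowText(hWnd, lpString, nMaxCount) plus a stand-in
 * callee body, so both halves of the question (at the BPX, after RET) show up. */
static Observed simulate_getwindowtext(void) {
    char buffer[8] = {0};                         /* the lpString target, 8 bytes */
    const uint32_t HWND      = 0x000A0B1Cu;       /* made up */
    const uint32_t LPSTRING  = 0x0012FF20u;       /* made-up address of buffer */
    const uint32_t NMAXCOUNT = sizeof buffer;     /* includes the terminating NUL */
    const uint32_t RETADDR   = 0x00401234u;       /* made-up address after the CALL */
    const char *title = "Untitled - Notepad";    /* constructed window title */
    Stack s; Observed o;
    stack_init(&s); memset(&o, 0, sizeof o);

    o.esp_before_push = s.esp;
    push(&s, NMAXCOUNT);      /* arguments go on right-to-left ...         */
    push(&s, LPSTRING);
    push(&s, HWND);           /* ... so the first parameter is pushed last */
    call(&s, RETADDR);

    /* --- BPX GetWindowText fires here: ESP points at the return address --- */
    o.at_esp0   = dd_esp(&s, 0x0);   /* DD ESP+0: return address, not an argument   */
    o.hwnd      = dd_esp(&s, 0x4);   /* DD ESP+4: hWnd                              */
    o.lpstring  = dd_esp(&s, 0x8);   /* DD ESP+8: lpString; d esp->8 shows the buffer */
    o.nmaxcount = dd_esp(&s, 0xC);   /* DD ESP+C: nMaxCount                         */

    /* Stand-in callee: copy at most nMaxCount-1 chars, NUL-terminate,
     * return the count copied in EAX. */
    uint32_t n = (uint32_t)strlen(title);
    if (n > o.nmaxcount - 1) n = o.nmaxcount - 1;
    memcpy(buffer, title, n);
    buffer[n] = '\0';
    o.eax = n;

    /* RET 0C: the return address comes off first, then 12 bytes of arguments. */
    uint32_t went_to = ret_n(&s, 0xC);
    assert(went_to == RETADDR);
    (void)went_to;
    o.esp_after_ret = s.esp;
    strcpy(o.text, buffer);
    return o;
}

static int buffer_text_is(const char *expected) {
    Observed o = simulate_getwindowtext();
    return strcmp(o.text, expected) == 0;
}

int main(void) {
    Observed o = simulate_getwindowtext();
    printf("DD ESP+0  %08X  (return address)\n", o.at_esp0);
    printf("DD ESP+4  %08X  (hWnd)\n", o.hwnd);
    printf("DD ESP+8  %08X  (lpString)\n", o.lpstring);
    printf("DD ESP+C  %08X  (nMaxCount)\n", o.nmaxcount);
    printf("after RET 0C: EAX=%u buffer=\"%s\" ESP restored=%s\n", o.eax, o.text,
           o.esp_before_push == o.esp_after_ret ? "yes" : "no");
    return 0;
}
```

Two caveats the model makes visible. At the time the BPX fires the callee has not run yet, so the buffer at lpString still holds whatever was there before; the text (and EAX) are only meaningful after a P RET back to the caller. And nMaxCount counts the terminating NUL, so an 8-byte buffer yields at most 7 characters and EAX reports 7, not 8.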
