Getting started with SoftICE

Source: Internet
Author: User

SoftICE's interface and operation are fairly simple; once you are familiar with a handful of basic commands you can put it to work. One thing to keep in mind: SoftICE loads into the system before Windows starts and then loads Windows itself (it has to, in order to control and intercept what Windows does), so it runs at system level 0 (the privileged level). When SoftICE is brought up with its hotkey inside Windows it takes control of the entire system, and every other program (the system clock included) is frozen while it is active.
This document only describes how to use SoftICE. For more detail, see the command reference and operation manual shipped with the software; the "related information" section contains the Chinese usage instructions for SoftICE.

★How do I call/exit SoftICE?
★SoftICE Interface
★Functions of SoftICE predefined function keys
★Usage of common SoftICE commands

◆ How do I call/exit SoftICE? -- In Windows, press Ctrl+D at any time to bring up the memory-resident SoftICE, and press F5 to leave it ◆

FAQ:
What should I do if Ctrl+D does not bring up SoftICE?
-- If SoftICE was installed successfully: on Windows 9x, check that the batch file autoexec.bat contains winice.exe; on Windows NT, select "Start SoftICE" under Start > Programs > num1_softice to start SoftICE.
The SoftICE screen is not displayed?
-- Under Start > Programs > num1_softice, select "Display Adapter Setup" and reconfigure the video card.
Why does the mouse behave abnormally in SoftICE?
-- Under Start > Programs > num1_softice, select "Mouse Setup" and reconfigure the mouse.
With "Universal Video Driver" selected in the display adapter setup, SoftICE still comes up as a full-screen DOS-style text screen?
Two remedies:
-- 1. In the initialization command line (INIT) of winice.dat, change the LINES xx entry to a smaller value, for example LINES 40.
-- 2. In the display adapter setup, change "Manufacturer" to "Standard VGA", then "Test"; once the test succeeds, exit.
Note: none of the above changes take effect until the system is restarted!!!

◆ Interface diagram of SoftICE (because SoftICE runs at system level 0 there is no way to capture its screen, so the interface diagram of TRW2000, which is essentially the same, is used here) ◆

[Interface diagram not reproduced here]

★ About the register area: there are two ways to change a register value: 1. click the value you want to change; 2. use the modify command "R", for example R eax -> modify register EAX, R FL -> modify the flag bits (use the Insert key to toggle a flag), R FLZ -> toggle the zero flag between 0 and 1. After changing a register value, press Esc to return to the command line area.

★ About the data area: there are two ways to change a value: 1. click the spot you want to change (in either the hexadecimal column or the character column); 2. use the modify command "E", for example E xxxxxxxx -> modify the data at memory address xxxxxxxx. Use the Tab key to switch between the hexadecimal column and the character column. After changing a value, press Esc to return to the command line area.
There are two ways to scroll the data area: 1. use Alt+↑ and Alt+↓ to move the data display; 2. click the up and down arrows (not shown in the figure) at the right edge of the data window.

★ About the code area: display of machine code is toggled with the "CODE ON/OFF" command; by default SoftICE's working screen does not show machine code. Note the program's own code space (its "airspace"): the screenshot shows WinZip being cracked, and when you see "winzip32!.text" it means execution has returned to WinZip's own code ^_^
There are two ways to scroll the code area: 1. use Ctrl+↑ and Ctrl+↓ to move the code display; 2. click the up and down arrows (not shown in the figure) at the right edge of the code window.

★ About the command area: this is where we type the commands that perform every operation, control the target and do the cracking.

★ Status/help area: shows the usage and format of the command being typed.

★ Stack area: only TRW2000 has this window.

◆ Functions of SoftICE predefined function keys ◆

F1: Help
F2: Toggle the register window on/off
F3: Switch between source code and disassembly (available when the program's source is loaded)
F4: Switch between the SoftICE screen and the original program screen
F5: Leave SoftICE (return to the program)
F6: Move the cursor into/out of the code window
F7: Run the program to the cursor position
F8: Single-step (trace into)
F9: Set a breakpoint at the cursor position
F10: Single-step over a subroutine call (step over)
F11: Run the program to where ES:ESP points
F12: Run the program to the RET instruction, i.e. return from the subroutine call
Shift+F3: Cycle the data window display format: byte -> word -> double word -> short real -> long real -> 10-byte real
Ctrl+F8: Single-step in simulated tracing mode
Ctrl+F9: Leave the current simulated tracing mode
Ctrl+F10: Single-step execution in simulated tracing mode
Ctrl+F11: Display instructions starting from the last entry of the history trace buffer
Ctrl+F12: Simulated tracing from the first instruction
Alt+F1: Show/hide the register window
Alt+F2: Show/hide the data window
Alt+F3: Show/hide the code window
Alt+F4: Show/hide the watch window
Alt+F5: Clear the command window
Alt+F8: Single-step backwards in simulated tracing mode

◆ Usage of common SoftICE commands ◆

--------------------------------------------------------------------------------
 
Each entry below gives the command, its form, and what it does.

--------------------------------------------------------------------------------
 
.  Locate the current instruction. After scrolling the code window up or down, this command jumps straight back to the instruction at the current CS:EIP instead of scrolling the window back by hand.

--------------------------------------------------------------------------------
 
?  The SoftICE built-in calculator, used to evaluate an expression. Hexadecimal is the default: FF, 123 and 0x123 are all hexadecimal numbers; a signed value is written with a leading + (positive) or - (negative), for example +42, -123, -ff (decimal -255) and +(20) (decimal +32); a character constant is enclosed in single quotes, for example 'A' or 'ddcrack'. The result is shown in hexadecimal, in decimal and as ASCII characters, respectively. For example:
? eax
00000045 00000069 "e"
? 0073173 + 00066400
00796573 007955827 "yes"
 
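The expression rules above are easy to get wrong at the keyboard, so here is a small model of the "?" command, written as an added example for this page rather than code from SoftICE or the original author. It assumes a constructed register snapshot (eax = 45h, matching the example above) in place of the live CPU state, treats every bare number as hexadecimal, honours leading + and - signs and parentheses, packs a quoted constant such as 'ddcrack' big-endian (an assumption chosen to match how results are displayed), and prints the result in the same three columns: hexadecimal, decimal and ASCII.

```python
import re

# Constructed register snapshot standing in for the live CPU state that SoftICE
# reads when a register name appears in an expression; eax mirrors the "? eax"
# example above (45h). The other values are arbitrary.
REGISTERS = {
    "eax": 0x45, "ebx": 0x00400000, "ecx": 0x0, "edx": 0x7FFD0000,
    "esi": 0x0, "edi": 0x0, "ebp": 0x0012FFC0, "esp": 0x0012FF80, "eip": 0x00401000,
}

WORD_RE = re.compile(r"[0-9A-Za-z]+")
HEX_RE = re.compile(r"(?:0x)?[0-9A-Fa-f]+")


class SoftIceCalc:
    """Model of the '?' command: hex by default, +/- signs, 'chars', register names."""

    def __init__(self, registers):
        self.regs = {name.lower(): value for name, value in registers.items()}

    def word_value(self, word):
        # Register names are checked first; none of the x86 register names is valid hex.
        if word.lower() in self.regs:
            return self.regs[word.lower()]
        if HEX_RE.fullmatch(word):
            return int(word, 16)          # int() accepts the optional 0x prefix with base 16
        raise ValueError(f"not a hex number or register: {word!r}")

    def tokenize(self, text):
        """Split the input into ('num', int) and ('op', char) tokens."""
        tokens, pos = [], 0
        while pos < len(text):
            ch = text[pos]
            if ch.isspace():
                pos += 1
            elif ch in "+-()":
                tokens.append(("op", ch))
                pos += 1
            elif ch == "'":
                # 'A' is 41h; a longer constant such as 'ddcrack' packs its bytes
                # big-endian (an assumption, chosen to match how the result is shown).
                end = text.find("'", pos + 1)
                if end < 0:
                    raise ValueError("unterminated character constant")
                raw = text[pos + 1:end].encode("latin-1")
                tokens.append(("num", int.from_bytes(raw, "big")))
                pos = end + 1
            else:
                m = WORD_RE.match(text, pos)
                if not m:
                    raise ValueError(f"unexpected character {ch!r} at offset {pos}")
                tokens.append(("num", self.word_value(m.group(0))))
                pos = m.end()
        return tokens

    def _expr(self, tokens, i):
        # expr := term (('+' | '-') term)*
        value, i = self._term(tokens, i)
        while i < len(tokens) and tokens[i][0] == "op" and tokens[i][1] in "+-":
            op = tokens[i][1]
            rhs, i = self._term(tokens, i + 1)
            value = value + rhs if op == "+" else value - rhs
        return value, i

    def _term(self, tokens, i):
        # term := ('+' | '-')* ( number | '(' expr ')' )
        sign = 1
        while i < len(tokens) and tokens[i][0] == "op" and tokens[i][1] in "+-":
            if tokens[i][1] == "-":
                sign = -sign
            i += 1
        if i >= len(tokens):
            raise ValueError("expression ends unexpectedly")
        kind, val = tokens[i]
        if kind == "num":
            return sign * val, i + 1
        if val == "(":
            inner, i = self._expr(tokens, i + 1)
            if i >= len(tokens) or tokens[i] != ("op", ")"):
                raise ValueError("missing ')'")
            return sign * inner, i + 1
        raise ValueError(f"unexpected token {val!r}")

    def evaluate(self, text):
        """Return the integer value of a '?' expression."""
        tokens = self.tokenize(text)
        value, i = self._expr(tokens, 0)
        if i != len(tokens):
            raise ValueError("trailing input after expression")
        return value

    def describe(self, text):
        """Format like SoftICE: 32-bit hex, signed decimal, printable ASCII of the bytes."""
        value = self.evaluate(text)
        word = value & 0xFFFFFFFF
        raw = word.to_bytes(4, "big").lstrip(b"\x00") or b"\x00"
        chars = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)
        return f'{word:08X} {value} "{chars}"'


if __name__ == "__main__":
    calc = SoftIceCalc(REGISTERS)
    for expr in ("eax", "730173 + 66400", "-ff", "+(20)", "'A'", "ebp - esp"):
        print(f"? {expr:<18} {calc.describe(expr)}")
```

Running the block evaluates a handful of expressions against the constructed snapshot; `730173 + 66400` comes out as `00796573 7955827 "yes"`, the same three columns SoftICE prints, and a negative result is shown in 32-bit two's complement in the hexadecimal column.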

--------------------------------------------------------------------------------
 
A [address]  Assemble. Anyone who has written assembly code and used DEBUG under DOS will find this command familiar. Usage:
A  assemble starting at the current CS:EIP
A xxxxxxxx  assemble starting at address xxxxxxxx

--------------------------------------------------------------------------------
 
U [address]  Unassemble (disassemble) code. U continues disassembling from the instruction after the last one on the current screen
U xxxxxxxx  disassemble starting at address xxxxxxxx

--------------------------------------------------------------------------------
 
BC list | *  Clear breakpoints. BC 3 clears breakpoint 3
BC *  clears all breakpoints
 

--------------------------------------------------------------------------------
 
BD list | *  Disable breakpoints. BD 3 disables breakpoint 3
BD *  disables all breakpoints
 

--------------------------------------------------------------------------------
 
BE list | *  Re-enable disabled breakpoints. BE 3 re-enables breakpoint 3
BE *  re-enables all breakpoints
 

--------------------------------------------------------------------------------
 
BH  Display the breakpoint history, i.e. the breakpoints that have been set in SoftICE so far

--------------------------------------------------------------------------------
 
BL  List all breakpoints currently set in SoftICE, both active and disabled; a disabled breakpoint is marked with a "*" in front of it.

--------------------------------------------------------------------------------
 
BPE breakpoint-number  Edit a breakpoint. BPE 3 edits breakpoint 3

--------------------------------------------------------------------------------
 
BPINT interrupt-number  Set a breakpoint on the specified interrupt. BPINT 13 breaks on interrupt 13

--------------------------------------------------------------------------------
 
BPIO port-number  Set a breakpoint on the specified I/O port. BPIO 378 breaks when port 378 is accessed

--------------------------------------------------------------------------------
 
BPM [address]  Set a breakpoint on a memory address. BPM xxxxxxxx breaks when the data at memory address xxxxxxxx is accessed.

--------------------------------------------------------------------------------
 
BPX [address]  Set an execution breakpoint. This is one of the most commonly used commands in cracking.
BPX  sets a breakpoint at the current cursor position
BPX xxxxxxxx  sets a breakpoint at address xxxxxxxx
BPX GetDlgItemText  sets a breakpoint on the API function GetDlgItemText

--------------------------------------------------------------------------------
 
CODE ON/OFF  Show/hide machine code. Machine code is not shown by default; turn it on only when you need it, otherwise the screen becomes cluttered.

--------------------------------------------------------------------------------
 
D [address]  Display memory. The following modes can be given: DB byte, DW word, DD double word, DS short real, DL long real, DT 10-byte real; the default is DB, i.e. byte mode.
D  continues the display from the address following the last D command
D xxxxxxxx  displays the contents of memory starting at address xxxxxxxx

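To make the six display formats concrete (the D modes here, which are the same formats Shift+F3 cycles through in the data window), the following added example, which is not SoftICE's code or the original author's, decodes a constructed 36-byte buffer in each mode and lays each row out roughly the way the D command does: address, decoded cells, then the ASCII column. The buffer is built inline from two 10-byte extended reals, a short real, a long real and the text "Zip!"; the base address 00400000 and the row layout are assumptions.

```python
import math
import struct

# Element size and struct format of each display mode; these are the six formats
# Shift+F3 cycles through: byte, word, double word, short real, long real, 10-byte real.
MODES = {
    "DB": (1, "<B"),
    "DW": (2, "<H"),
    "DD": (4, "<I"),
    "DS": (4, "<f"),
    "DL": (8, "<d"),
    "DT": (10, None),   # x87 80-bit extended real: no struct code, decoded by hand below
}


def decode_extended(raw):
    """Decode a little-endian 80-bit x87 extended real (explicit integer bit)."""
    mant = int.from_bytes(raw[:8], "little")
    sign_exp = int.from_bytes(raw[8:10], "little")
    sign = -1.0 if sign_exp & 0x8000 else 1.0
    exp = sign_exp & 0x7FFF
    if exp == 0x7FFF:                              # infinity or NaN
        return sign * math.inf if (mant & ((1 << 63) - 1)) == 0 else math.nan
    if exp == 0:                                   # zero or denormal, exponent fixed at -16382
        return sign * math.ldexp(mant, -16382 - 63)
    try:
        return sign * math.ldexp(mant, exp - 16383 - 63)
    except OverflowError:                          # too large for a Python double
        return sign * math.inf


def group_values(data, mode):
    """Decode `data` in the given mode; a trailing partial element is ignored."""
    size, fmt = MODES[mode]
    values = []
    for off in range(0, len(data) - size + 1, size):
        chunk = data[off:off + size]
        values.append(decode_extended(chunk) if fmt is None else struct.unpack(fmt, chunk)[0])
    return values


def render(data, mode="DB", base=0x00400000):
    """Lay rows out the way the D command does: address, decoded cells, ASCII column."""
    size, _ = MODES[mode]
    per_line = 20 if size == 10 else 16            # keep whole 10-byte reals on one row
    lines = []
    for off in range(0, len(data), per_line):
        row = data[off:off + per_line]
        values = group_values(row, mode)
        if mode in ("DB", "DW", "DD"):
            cells = " ".join(f"{v:0{size * 2}X}" for v in values)
        else:
            cells = " ".join(f"{v:.6g}" for v in values)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)
        lines.append(f"{base + off:08X}  {cells:<48} {text}")
    return lines


# Constructed sample buffer (36 bytes): 1.0 and -2.0 as 10-byte reals, 1.0 as a
# short real, 2.5 as a long real, then the text "Zip!".
EXT_ONE = (1 << 63).to_bytes(8, "little") + (0x3FFF).to_bytes(2, "little")
EXT_NEG_TWO = (1 << 63).to_bytes(8, "little") + (0xC000).to_bytes(2, "little")
SAMPLE = EXT_ONE + EXT_NEG_TWO + struct.pack("<f", 1.0) + struct.pack("<d", 2.5) + b"Zip!"

if __name__ == "__main__":
    for mode in MODES:
        print(f"-- {mode}")
        print("\n".join(render(SAMPLE, mode)))
```

Running the block prints the same buffer six times, once per mode, which is the quickest way to see why the same bytes read as a sensible short real in DS mode and as noise in DL or DT mode: the element boundaries, not the bytes, change.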
--------------------------------------------------------------------------------
 
E [address]  Edit memory. The following modes can be given: EB byte, EW word, ED double word, ES short real, EL long real; the default is EB, i.e. byte mode.
E  edits the memory following the last E command
E xxxxxxxx  edits the contents of memory at address xxxxxxxx

--------------------------------------------------------------------------------
 
H / HELP [command]  Get help. H shows all help information
HELP BPX  shows help on the BPX command

--------------------------------------------------------------------------------
 
LINES number  Set the number of lines on the SoftICE screen. LINES 45 sets the screen to 45 lines

--------------------------------------------------------------------------------
 
VER  Show the SoftICE version number

--------------------------------------------------------------------------------
 
X  Leave SoftICE and return control to the program that was interrupted. Its shortcut is F5, which we use all the time.

--------------------------------------------------------------------------------
 
EXIT  Force-exit the DOS or Windows program. When a fatal error has popped SoftICE up and the X command does not help, try this one.

--------------------------------------------------------------------------------
 
WC  Show/hide the code window
WD  Show/hide the data window
WR  Show/hide the register window
WW  Show/hide the watch window
WC and WD can also take the number of rows to show in the window; for example, WD 4 makes the data window 4 rows tall.

◆ Source-level debugging of drivers ◆

Compile the driver in checked mode (a checked build),
then open the generated driver .SYS file in the SoftICE Symbol Loader,
translate it into an .NMS file, and add that file to the Symbols list in Symbol Loader to get source-level debugging.

Specifically:
Translate to generate the symbols
Symbol Loader -> File -> Open Module -> select the driver's .sys file ->
Module -> Translate

Add the symbols
Symbol Loader -> Edit -> SoftICE Initialization Settings... -> Symbols
