Softice for Win95 Chinese Command Common (3) Copyright (c) 1999 http://coobe.cs.hn.cninfo.net/~tianwei command: BPINT Ren: Breakpoints on a break vector: bpint int-number [ If Expression] [Do "Command1; Command2; ..."] Usage: int-number: Interrupt vector number, from 0 to FFHIF Expression: conditional expression, only condition is "true", Sof-tice is in the breakpoint DO Command: When the SICE pops up, some commands are automatically executed. When the vectors of the hard interrupt and CPU exception error, Softice pops up when the first statement of the process of processing this interrupt. And the software is interrupted Then stop in int XX. Note: BPINT only functions on the interrupt from the interrupt descriptor table (Win95). If this breakpoint is in a DOS virtual machine (DOS window), the control is transferred from the protection mode to In the interrupt meter of the virtual machine. At this time, if you stop in int XXH, you follow F8, you can't see the real mode processing process for this interrupt, you have to go far, you can use: G @ $ 0: int-number * 4 Come to the process of processing to the real mode. Reviews: Note! Softice 30 command manual (English version of PDF format is wrong here! Write $ with!) ( The meant is to tell Softice to realize the paragraph. After the article, there are articles of these symbols.) If you are using a command line in the DOS window, then g @ 0: intNo * 4 can, at this time The default Selector is the real mode, the selector exists. But if you directly double-click a program in Explorer, take int 21h, one start is in Kernel, it is not to use $ not! In addition: Due to the IF clause, It can be convenient for various int XX breakpoints, such as on the file opening interrupt function, down-breaking point bpint 21 if ah == 3D command: BPIO effect: Upset point grammar on the input / output port: bpio [-h] port [VERB] [If express1; command2; ... "] usage: port: port number verb: When do you do what kind of operation, R is read; W is written; RW is read or written if Expression: conditional expression , Only the condition is "true", SOF-TICE pops up DO Command at the breakpoint: When the SICE pops up, some commands are automatically executed. -H: Use the hardware decentralized register in the VXD in the VXD, only Softice pop-up on the Pentium-level chip, CS: EIP is stopped in executing I / O operation Next instruction. If you do not bring parameter Verb, default is RW. Note: In WIN95, if you do not bring a -h parameter, you can only break in Ring 3, to operate with VXD and VMM, Please add -h.Win95 itself with VXD, you can see a lot of I / O operations, you can see the TSS command: You can see the TSS command you want. Command: BPM effect: Upgraded syntax on the memory unit: bpm [size] Address [VERB] [Debug-reg] [If Expression] [Do "Command1; Command2; ..."] Usage: size: Memory unit size, B is byte (default); W is word; D is double word. VERB: Operation, R is read; W is written; RW is read and write (default); X is executed .debug-reg: decentralized register, DR0, DR1, DR2, DR3.IF Expression: conditional expression, Only the conditions are "true"
When SOF-TICE pops up at the breakpoint. DO Command: When the SICE pops up, some commands are automatically executed. When Verb is R, W, RW, once popped up, Softice stops in the next instruction that has just happened. At the time of X, stop in the command to be executed. Generally, there is no need, do not bring the debug-reg parameter, Softice is automatically tape DR3, after you will be 2, 1, 0 when you debug a debugger And this Debugger also uses DRX to specify a special assignment of conflicts. BPM breakpoint If you are in (400000-7ffffffff), only the current addressable area when you break down (see AddR Review) Activation can be interrupted. There is no way. But if you are in the DLL, this DLL exists in multiple address areas, then interrupts in this multiple address areas, simple examples, such as kernel32.dll The size parameter is tight with BPM, BPMD, BPMW. Comments: BPM uses the DR3-DR0 register, so you can only set up to four breakpoints. Command: BPR effect: Decompression on a memory range: BPR Start-Address End-Address [VERB] [IF Expression] [Do "Command1; Command2; ..."] Usage: Start-Address: Start Address End-Address: Termination Address VERB: R Read; W Write; RW Reading and writing; t backtracking instructions; SOF-TICEs popping up DO COMMAND at breakpoints only When the condition is "true", SOF-TICE pops up in the breakpoint: When the SICE pops up, some commands are automatically executed .Bpr is used to break down on a memory area does not have an X parameter, but can be replaced with R parameters. T, TW is the parameter recorded trace, the specific visible trace command. BPR sometimes greatly reduces system performance, because all interrupts The memory operations on the page will be analyzed by SoftICE. If you use frequent memory operations in the program, the machine will be quite slow. When the condition is satisfied, the Softice pops up, the CS: EIP stops on the instruction of the memory operation. The BPR breakpoint is on the page table currently activated. If your Range is under physical 4MB, the breakpoint will be in various virtual machines, so that BPR is LDT, GDT, IDTS, page table itself Role. In addition, the 0-level stack and a serious (?) Memory area in the VMM are not allowed to crash. In 95, BPR can only be used for Ring 3, so the VXD of Ring 0 is useless. (V3.20) Reviews: BPR is sometimes very slow, the machine is like death, the reason is said. So when you know the memory unit Hou is best to use BPM, only to try to use BPR to use BPR. (Of course, there is a place to use BPR) Command: BPRW effect: The memory area where a Windows program or code segment is located. Breakpoint Syntax: BPRW Module-Name | Selector [VERB] [IF Expression] [Do "Command1; Command2; ..."] Usage: Module-name: Windows program module name Selector: Select Verb: r; W Write; RW read and write; t backtrack tracking instructions; TW backtracking tracking if Expression: conditional expression, only condition is "true"
When SOF-TICE pops up DO Command at the breakpoint: When the SICE pops up, some commands are automatically executed. Bprw is a relatively convenient way to make a breakpoint on one or more executable modules of the WIN program actually it is BPR, do not believe you can use BL to see. It is just more destined than BPR. Use the heap command to help users watch Module-name and selector.bprw No need to find a scope. Bprw is in tracing It is also useful. In addition, BPRW can also be used for Ring 0., and it is possible to slow down when using T parameters or and the CSIP command. RW parameters are the default value review: BPRW Sometimes it is very useful, because you have Maybe I don't know when a program participates in operation in memory. You can pop up when this program is running in this program. And you can divide different code segments. Command: BPT role: The previous breakpoint is template, set Ding new breakpoint. Syntax: BPT BREAKPOINT_INDEX Usage: Breakpoint_index: Breakpoint serial number. (Can be seen with BL) BPT is a new breakpoint for a new breakpoint. It is a new breakpoint. It is new for users. The breakpoint provides convenience. Review: BPE command command: BPX role: Set (or clear) breakpoint grammar on the executable statement: bpx [address] [do "Command1; Command2 ; ... "] Usage: Address if Expression: Conditional expression, only the condition is" true ", SOF-TICE pops up at the breakpoint. DO command: When the SICE pops up, automatic Some commands are executed. BPX is used to break the point at the instruction, and the program will pop up once it executes. When the cursor is in the code window, it will open the BPX directly to the spikes, and then Cancel when the BPX is called. When the cursor is not in the code window, BPX must follow the parameter (address). "Select: Offset", if only input offset, the current CS value defaults to selectors. BPX actual It is an int 3 instruction at your breakpoint. This will be bounced when you are in this instruction. This makes it possible to have multiple breakpoints in a program, not to use less poor registers. But when you When there is a breakpoint in the ROM, the SoftICE automatically uses the breakpoint register. You can also use the X parameter of the bpm command to force the SoftICE to set up with breakpoint registers (DRX). BPX can also use the 16-bit code module name To make address parameters, so that each exit function in the module is set up. BPX has a maximum of 256 breakpoints. (V3.20) BPX has a shortcut key F9, when the cursor is in the code window, press F9 to set (cancel). Review: BPX may be used up to breakpoint. Some Anti-Debugger procedures use INT 3 to make a article, watching the above things I think you can flash! (Don't include the DRX!) Command: bstat effect: Show a breakpoint Status Syntax: BSTAT [BREAKPOINT-INDEX] Usage: BREAKPOINT-INDEX: The serial number of breakpoints, can be seen with BL command to display a state of a breakpoint, various statistical parameters. Bp #: The serial number of the breakpoint. If there is "*" in front, it means that the breakpoint is prohibited in the Total section: Hits: Softice, count 1BREAKS: In the case of if Expression clauses, Softice will generate action, either pop-up, Either record in memory, no matter what, count 1Popups: Softice popped up in Breaks: SICE in Breaks will record the number of times Misses: In the case of if Expression clause, Sice is This breakpoint but does not pop up the number of times errors: Due to the problem of the problem or other causes of memory variables in the IF clause, the number of errors generated by other reasons, such as the program with a C, use variable "if mysymbol == 1"
