The debugger runs the default command string when it reaches any breakpoint that you have set with the g (go), bp (Breakpoint), or br (Breakpoint Register) command. It also runs the default command when you run the p (program trace), t (trace), or zd command.
Initially, the default command string is set to the r (Register) command, but you can change it by using the zs (Set Default) command. If any errors occur (for example, if the command line is too long), the default command returns to the r command. The default command can be any sequence of debugger commands each separated by a semicolon (;). In the default command, j commands can be useful.
Here is the default command needed to continue execution each time the application or test program encounters an Interrupt 3:
zs "j (by cs:eip) == 0cc 'g'"
The following sample will trace until the doubleword at 137:00001234h is equal to 0EEDh (a primitive watchpoint). This operation must be started with a T, a P, or a ZD command so that the default command can be executed. If this operation is started by the G command, the default command will not execute unless execution is stopped on a go breakpoint or on a sticky breakpoint with no breakpoint command.
zs "j (dw 137:00001234) == 0eed 'r';t"
zd
The following sample will perform a trace that displays each instruction until control is returned to code segment or selector 137h. Notice that PN displays only the disassembly line and not the register set, saving line space on the debugger's terminal screen.
zs "u cs:eip l1; j cs == 0137 'r';pn"
zd
You can use the debugger default-command option to loop through a linked list (in this example, the next pointer is at offset 14), printing each packet on the list.
zs "?'%08.8x', eax; reax = dw (%(eax+14));zd"
It does destroy the contents of eax, but that can be restored. You can also replace the zd with a j eax != 0 'zd', and then it will stop at the end or some other condition to stop on. You need to set eax to the address of the first record and execute zd.
When finished, type zs "r" to restore the default-command to its normal value.