Results 1 to 8 of 8

Thread: From file addres to Memory address??

  1. #1
    lemoniscool
    Guest

    From file addres to Memory address??

    Hey there! Im facing a problem that i cant seem to solve by myself ...

    Im searching for an IP adress in an executable with a Hex Editor and i get the adress "0x005826E8". But in olly in the CPU window when i go to that adress there is nothing. I then tried to find what i was looking for by opening the File window and go there to the adress "0x005826E8" and there it is ...

    my question is now, how do i get from that adress in the File Window to the adress in the CPU window??

    thanks in advance

    greetz
    LemoniscooL
    Last edited by lemoniscool; January 5th, 2010 at 07:43.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    you should read up about the PE format
    ( if you're working with an *.exe? )

    many tools (other than olly?) have a feature that will convert between the two addresses

    try:
    CFF Explorer - www.ntcore.com
    IDA Pro 4.9 Freeware - www.hex-rays.com/idapro/idadownfreeware.htm
    Last edited by aqrit; January 5th, 2010 at 15:23.

  3. #3
    lemoniscool
    Guest
    yeah thx but i already solved it i just forgot to post ^^"
    i had to add the base offset to the adress i got .. the base adress can be found with StudPE. thats really easy xD
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    You can do that using OllyDbg too, heck, you could even throw away your hex editor and search for the IP in Olly too, so then you wouldn't even have to convert the address as it'll be the proper format already.

  5. #5
    lemoniscool
    Guest
    hehe .. like i didnt try to search the ip in olly xD
    i searched but it was in there like:

    xxxxxxxx DB "1"
    xxxxxxxx DB "2"
    xxxxxxxx DB "3"
    xxxxxxxx DB "."
    xxxxxxxx DB "4"
    xxxxxxxx DB "5"
    xxxxxxxx DB "6"
    xxxxxxxx DB "."
    etc
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    Because it is pushing it one at a time, it's not always a string you can match with a simple search function.
    Please consider donating to help Woodmann.com staying online (here is why).
    Any amount greatly appreciated. Thank you.

  7. #7
    lemoniscool
    Guest
    thats why i searched it in a hex editor ^^
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    Quote Originally Posted by lemoniscool View Post
    hehe .. like i didnt try to search the ip in olly xD
    i searched but it was in there like:

    xxxxxxxx DB "1"
    Then your searching for it wrong. ALT+M CTRL+B. It will show you where in memory the string is, rather than a file offset. No need for hex editor.

Similar Threads

  1. (Yet another) Memory dumper
    By OpenRCE_omega_red in forum Blogs Forum
    Replies: 0
    Last Post: November 16th, 2010, 08:17
  2. Find Memory address
    By Toby in forum The Newbie Forum
    Replies: 1
    Last Post: March 21st, 2009, 16:57
  3. Memory address changes everytime
    By cps530 in forum OllyDbg Support Forums
    Replies: 9
    Last Post: August 24th, 2007, 17:20
  4. help for converting map file of ida to sym file sice
    By farzad23 in forum Tools of Our Trade (TOT) Messageboard
    Replies: 0
    Last Post: September 9th, 2005, 23:31
  5. Memory address ref.
    By Hoof Arted in forum Advanced Reversing and Programming
    Replies: 2
    Last Post: August 12th, 2001, 02:27

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •