Thread: how to log buffer more than 8 length?

  1. #1
    Teerayoot
    Guest

    I need to log the buffer at the send Winsock API with a data length of 12, and I need to log the whole buffer. How do I do that?

    OK, to give an example: Olly only shows the first 8 digits.

    I set [eax] as the expression in the conditional log.

    I got this output:

    00704185 | COND : 204C4143 in the log window.
    It shows only partial output.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Super Moderator

    20404143 == " LAC", so it is a string. [eax] is a dword by default, so it
    shows only 4 bytes.
    Set the decode value of the expression to ---> pointer to ASCII string,
    or use [string [eax]] as the expression to log.

  3. #3
    Teerayoot
    Guest

    You misunderstand me!

    OK, this is the buffer in C:

    unsigned char my_buffer[16] = {0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00
    };

    I need to log the whole buffer, written to the log window in this format:

    00704185 | COND : 4D5A90000300000004000000FFFF0000


    It is not ASCII.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Super Moderator

    Well, there is only one way: you can use STRING [[ESP+CONST]] or use pointer to unicode string. Both have their limitations: they will stop at the first null terminator, i.e. either 0 or 00.

    Here is what some logs will look like.

    The breakpoint I placed here is like this:

    0040107A STRING [[esp-10h]] |. FF35 24304000 PUSH DWORD PTR DS:[403024] ; /hObject = 0000002C (window)

    I set it one line below ReadFile.
    Note that [esp-10] will hold the buffer pointer to which the file was read.

    00401069 |. FF35 30304000 PUSH DWORD PTR DS:[403030] ; |Buffer = 00132BE0
    0040106F |. FF35 24304000 PUSH DWORD PTR DS:[403024] ; |hFile = 0000002C (window)
    00401075 |. E8 40010000 CALL <JMP.&KERNEL32.ReadFile> ; \ReadFile

    And I set the same expression to be logged:

    COND: ReadFileOutput = Œœ’rd9#*4rurdt:r<drœŒrt0ES1 E33c0rktcsu`kubszlkxi`~ihy imavlfxnl{~hyhSMUEV_FnMCZISCQ@GzDKXLAYMAQFŒt1d}zloyil~h{@DhRWQ@WFAW Q@WFAWQ@WFAWQ@WFAWQ@WFAWQ@WFAWQ@WFAWQ@WFAWQcbmtfpdAegerfrsšdytedp pdtercdrtercdr`wcsrgg
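
Added example, not part of any post in this thread: a standalone C program that contrasts the three views discussed above on the 16-byte buffer from post #3, namely the 4-byte DWORD view of [eax], a string view that stops at the first null byte, and a length-driven hex log in the format requested. The function names are hypothetical, and this is ordinary C, not an OllyDbg expression or plugin.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed sample: the 16-byte buffer from post #3. */
static const unsigned char sample[16] = {
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00
};

/* What a DWORD expression such as [eax] reads: 4 bytes, little-endian. */
uint32_t dword_view(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* How many bytes a null-terminated string view shows before it stops. */
size_t string_view_len(const unsigned char *p, size_t len)
{
    const unsigned char *nul = memchr(p, 0, len);
    return nul ? (size_t)(nul - p) : len;
}

/* Length-driven hex log: writes 2*len hex digits plus NUL into out.
   Returns the number of digits written, or 0 if out is too small. */
size_t hex_log(const unsigned char *p, size_t len, char *out, size_t outsz)
{
    static const char digits[] = "0123456789ABCDEF";
    if (outsz < 2 * len + 1)
        return 0;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[p[i] >> 4];
        out[2 * i + 1] = digits[p[i] & 0x0F];
    }
    out[2 * len] = '\0';
    return 2 * len;
}

int main(void)
{
    char line[2 * sizeof sample + 1];
    printf("dword view : %08X\n", (unsigned)dword_view(sample));
    printf("string view: %zu bytes\n", string_view_len(sample, sizeof sample));
    if (hex_log(sample, sizeof sample, line, sizeof line))
        printf("00704185 | COND : %s\n", line);
    return 0;
}
```

Only the length-driven version reproduces all 16 bytes; the string view stops after 3 bytes on this buffer because the fourth byte is 0x00.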
