
How memory map is done?


nelz
May 31st, 2007, 15:17
Hello everyone,

Can anyone tell me how 004060A0 is equal to 7C81EE79 in the memory map... how is it calculated?

ds:[004060A0]=7C81EE79 (kernel32.lstrcmpA)

A quick reply will be appreciated.

nelz
May 31st, 2007, 15:37
Let me elaborate further.

Actually I want to know how OllyDbg knows that 004060A0 refers to the kernel32.lstrcmpA API call.

disavowed
May 31st, 2007, 15:50
It looks up lstrcmpA from kernel32.dll's Export Table and finds the address at run-time, making it a "known address" to OllyDbg. Then whenever OllyDbg needs to show an address, it checks if it's a "known address" and if so, displays the extra info like the API function name.

nelz
May 31st, 2007, 15:59
Many thanks, disavowed.

But if we look at the binary code of an executable and we don't have OllyDbg,

and we come across something like this: FF15 A0604000
FF15 means that this is making a call, but how can we know that A0604000 is pointing to the memory address of a kernel32 API call... is there a way that we can find out without using OllyDbg?

evlncrn8
May 31st, 2007, 17:41
Well, go get OllyDbg, you obviously have inet access, Olly is free... you have no excuse.

ff 15 xx xx xx xx = call dword xxxxxxxx

look at xx xx xx xx = contains the va of the api
and it isn't a0604000, it's 4060a0

maybe that sheds some light on it?

nelz
May 31st, 2007, 18:05
Ya, I know it's free... I already have one... thanks for the advice anyway.

I want to disassemble binaries on my own... without using any tool...

Don't know how to disassemble API calls...

squidge
June 1st, 2007, 01:55
If you want to do that, you're going to have to learn the PE spec first, then how data directories are stored and used, and then have a thorough understanding of x86 asm.

Much easier to just use a debugger like OllyDbg to do the work for you.

blabberer
June 1st, 2007, 02:48
Quote:

FF15 means that this is making a call, but how can we know that A0604000 is pointing to the memory address of a kernel32 API call... is there a way that we can find out without using OllyDbg?


In the PE header there is a data directory called the import table.

It has a certain format
which includes first thunk pointers and original first thunk pointers.

The first thunk pointers get replaced during runtime.

You can parse these thunk pointers to find what API will be called
and then name it as such; they are linked to either import names or import ordinals.

But to reach this point you have to spend a few sleepless nights getting yourself acquainted with the PE specs.

If you are starting with dry theoretical stuff and have the capacity to digest abstract and generic essays, look for the PE/COFF header specs in MSDN.

On the other hand, if you would like to be a tinker garage mechanic,
go find Iczelion's PE-tuts bundle (a collection of six tutorials) and pe.txt by Luevelsmeyer.

evlncrn8
June 3rd, 2007, 07:53
Quote:
Originally Posted by evlncrn8
ff 15 xx xx xx xx = call dword xxxxxxxx
look at xx xx xx xx = contains the va of the api
and it isn't a0604000, it's 4060a0



I just told you how to disassemble API calls.

From the VA contained in 4060a0, calculate its 'parent', i.e. the DLL it belongs to,
then walk the DLL's export table for an address that matches the value in 4060a0... hardly rocket science...
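To make the import-table walk blabberer describes and the FF 15 decoding evlncrn8 gives concrete, here is an added Python example (not code from anyone in this thread). It builds a constructed in-memory fragment of a 32-bit image holding only a kernel32 import descriptor with its INT and IAT, labels each IAT slot from the INT the way OllyDbg labels ds:[004060A0], and then decodes FF15 A0604000 into the slot address and looks it up. The RVAs, the 0x00400000 image base and the extra ordinal entry are assumptions chosen for the example.

```python
import struct

IMAGE_BASE = 0x00400000   # default load address of a 32-bit EXE (assumed)
DESC_RVA = 0x6000         # RVA of the constructed import descriptor array

def cstring(image, rva):
    # read a NUL-terminated ASCII string at the given RVA
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def build_image():
    """Constructed fragment of a mapped 32-bit image (not a real PE file)
    holding only the import-directory pieces; RVAs are used as offsets."""
    img = bytearray(0x7000)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain,
    # Name, FirstThunk; the all-zero descriptor after it terminates the array
    struct.pack_into("<IIIII", img, DESC_RVA, 0x6080, 0, 0, 0x6028, 0x60A0)
    img[0x6028:0x6035] = b"kernel32.dll\0"
    # IMAGE_IMPORT_BY_NAME entries: 2-byte hint followed by the ASCII name
    img[0x6040:0x604B] = b"\0\0lstrcmpA\0"
    img[0x6050:0x605E] = b"\0\0ExitProcess\0"
    # INT (original first thunk) and IAT (first thunk) are identical on disk; the
    # loader overwrites the IAT slots. Third entry: constructed import by ordinal.
    thunks = struct.pack("<IIII", 0x6040, 0x6050, 0x80000000 | 5, 0)
    img[0x6080:0x6090] = thunks
    img[0x60A0:0x60B0] = thunks
    return img

def name_iat_slots(image, desc_rva=DESC_RVA):
    """Map each IAT slot's VA to 'module.symbol' by walking every descriptor's INT."""
    slots = {}
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, desc_rva)
        if not (oft or name_rva or ft):
            break
        module = cstring(image, name_rva).split(".")[0]
        i = 0
        while (thunk := struct.unpack_from("<I", image, oft + 4 * i)[0]) != 0:
            if thunk & 0x80000000:                 # import by ordinal
                sym = "#%d" % (thunk & 0xFFFF)
            else:                                  # import by name: skip the hint
                sym = cstring(image, thunk + 2)
            slots[IMAGE_BASE + ft + 4 * i] = module + "." + sym
            i += 1
        desc_rva += 20
    return slots

def resolve_call(code, slots):
    """Decode FF 15 disp32 (call dword ptr [disp32]); disp32 is little-endian,
    so the bytes A0 60 40 00 are 0x004060A0, the IAT slot to look up."""
    if len(code) < 6 or code[:2] != b"\xFF\x15":
        return None
    target = struct.unpack_from("<I", code, 2)[0]
    return target, slots.get(target)
```

Calling resolve_call(bytes.fromhex("FF15A0604000"), name_iat_slots(build_image())) gives (0x4060A0, "kernel32.lstrcmpA"); with a real file you would first translate each RVA through the section table instead of using it as an offset.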