
ASCIIs in executables [w95]


koyaan
November 29th, 2001, 11:11
After having read lesson 4 (1) of +ORC's tutorial
I decided to do as he suggested and wrote a little
C program to find strings in executables...

But when I compare the offsets given by my prog they
don't always match the offsets given by W32Dasm.

e.g. (getright.exe (version 4.2)):

kaf:
145818 -> h*tp://www.getright.com/remove_ads.html

w32dasm:
* Possible StringData Ref from Data Obj "http://www.getright.com/remove_ads.html"
|
:00401BA2 68187A5400 push 00547A18

Am I missing something here?

Since I am a complete newbie, help would be greatly appreciated
(I am sure it's something obvious....)

cheers
koyaan

PS: glad to have found the door to a really fascinating new world of possibilities, cheers to all crackers, there's a new newbie in town...

DakienDX
November 29th, 2001, 12:16
Hello koyaan !

You must know that Win32 programs have 'segments', which have a virtual address space they are loaded into. Your program searches for strings and displays their physical offset. These 'segments' have a virtual size, a virtual address, a physical size and a physical address. Physical means here the place in the file and its real size. The virtual address is the position in memory where the program is loaded, and the virtual size is the memory size the program allocates.

It is nothing unusual for the data at 400h in the original file to be loaded into memory at address 00401000h. So if your program found a string at 484h in the file, W32Dasm would show it at address 00401084h.

If you go onto a disassembled line in W32Dasm, it should show you the 'virtual' address, but also the corresponding 'physical' address.

All segments are defined in the PE-header. You should search for some information on it and try to understand how it works.
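Added example (not code from any poster in this thread): a small Python script that does what DakienDX describes, reading the section table out of the PE header and converting a file ("physical") offset into the virtual address W32Dasm shows, and back. It runs on a constructed, minimal PE32 image built in memory, laid out so that the first section sits at file offset 400h and loads at 00401000h as in the post above, with a second section whose file-to-memory delta is different, which is why a single fixed correction does not work across a whole executable. The image, the two planted strings, and the string scanner (a stand-in for koyaan's C program) are all assumptions made for the example.

```python
import struct
from collections import namedtuple

# Constants from the PE format (winnt.h).
IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
SECTION_HEADER_SIZE = 40

Section = namedtuple("Section", "name va vsize raw rawsize")


def parse_pe(data):
    """Return (ImageBase, SizeOfHeaders, [Section, ...]) from a PE file image."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, raw = struct.unpack_from(
            "<8sIIII", data, opt + size_opt + i * SECTION_HEADER_SIZE)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), va, vsize, raw, rawsize))
    return image_base, size_of_headers, sections


def raw_to_va(image_base, size_of_headers, sections, offset):
    """File offset -> virtual address, as the loader (and W32Dasm) sees it."""
    if offset < size_of_headers:           # headers are mapped 1:1 at ImageBase
        return image_base + offset
    for s in sections:
        if s.raw <= offset < s.raw + s.rawsize:
            return image_base + s.va + (offset - s.raw)
    return None                             # slack or overlay: never mapped


def va_to_raw(image_base, size_of_headers, sections, va):
    """Inverse mapping; None for bytes that exist only in memory (e.g. .bss)."""
    rva = va - image_base
    if 0 <= rva < size_of_headers:
        return rva
    for s in sections:
        if s.va <= rva < s.va + s.rawsize:  # only the file-backed part of the section
            return s.raw + (rva - s.va)
    return None


def find_strings(data, min_len=5):
    """Runs of printable ASCII, reported as (file offset, text) like a naive strings tool."""
    found, start = [], None
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


def strings_with_va(data):
    """(file offset, virtual address, text) for every string in the image."""
    base, hdr, sections = parse_pe(data)
    return [(off, raw_to_va(base, hdr, sections, off), text) for off, text in find_strings(data)]


def build_sample_pe():
    """Constructed PE32 image for this example (not a real program): .text at file
    offset 400h loads at 00401000h, .data at 800h loads at 00403000h."""
    image = bytearray(0xA00)
    struct.pack_into("<H", image, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", image, 0x3C, 0x40)                           # e_lfanew
    struct.pack_into("<I", image, 0x40, IMAGE_NT_SIGNATURE)
    coff = 0x44                                                         # IMAGE_FILE_HEADER
    struct.pack_into("<HHIIIHH", image, coff, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = coff + 20                                                     # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", image, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", image, opt + 28, 0x400000)                   # ImageBase
    struct.pack_into("<I", image, opt + 32, 0x1000)                     # SectionAlignment
    struct.pack_into("<I", image, opt + 36, 0x200)                      # FileAlignment
    struct.pack_into("<I", image, opt + 56, 0x4000)                     # SizeOfImage
    struct.pack_into("<I", image, opt + 60, 0x400)                      # SizeOfHeaders
    sect = opt + 0xE0                                                   # section table
    for i, (name, vsize, va, rawsize, raw) in enumerate([
            (b".text", 0x2000, 0x1000, 0x400, 0x400),
            (b".data", 0x1000, 0x3000, 0x200, 0x800)]):
        struct.pack_into("<8sIIIIIIHHI", image, sect + i * SECTION_HEADER_SIZE,
                         name, vsize, va, rawsize, raw, 0, 0, 0, 0, 0x60000020)
    # Plant one string per section at a known file offset (constructed sample data).
    url = b"http://www.getright.com/remove_ads.html\0"
    image[0x484:0x484 + len(url)] = url
    msg = b"Registered to: %s\0"
    image[0x810:0x810 + len(msg)] = msg
    return bytes(image)


if __name__ == "__main__":
    for off, va, text in strings_with_va(build_sample_pe()):
        print("%06X -> %08X  %s" % (off, va, text))
```

The point to take from the two planted strings is that the file-to-memory delta is C00h for the first section but 2800h for the second, so the correction has to be looked up per section in the header rather than applied as one constant. For a real target, replace `build_sample_pe()` with `open(path, "rb").read()`; if the offsets still do not line up, the executable is probably packed, and the strings W32Dasm shows come from the unpacked image rather than the bytes on disk.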

koyaan
November 29th, 2001, 21:55
Yeah, I will, thanks....
Thought it would be something like that...

/me googles

Aimless
November 30th, 2001, 03:56
Alternatively...

Try putting your wdasm green bar on the line whose address you want to find.

On the left-hand side the address you see is the "Virtual Address". That means, as it is in memory.

On the STATUS BAR, you will see an address. This is the physical address in the file.

Your status bar address and the proggy-you-wrote address should be the same.

...Have Phun