String references in Olly?
Aquatic
February 14th, 2003, 17:24
When I open the game in Olly and search for "All referenced text strings" in the CPU window it gives me a lot of text strings.
But when I disassemble the game in W32dasm it doesn't give anywhere near the same amount of text strings. So, I am thinking that maybe the text strings from Olly are useless?
Basically I am going to the addresses where the text strings are pushed and then trying to find out how to manipulate the corresponding code.
Aquatic
February 14th, 2003, 17:43
Also, the game crashes when I try to run it from Olly or do "attach process".
_Servil_
February 15th, 2003, 05:13
Then your game is most likely using some antidebugger trick/s, there are several kinds of these, search the board to get more info about them.
About the strings, I didn't use W32dasm for a long time, but as I can remember the difference is that W32 handles only strings referenced by code while OllyDbg searches the whole module and finds all chunks of code possibly being text. You can look up the reference point by invoking the context menu upon that entry and selecting 'Find references', or put a memory breakpoint on access to its first character.
Aquatic
February 15th, 2003, 05:53
Quote:
Originally posted by _Servil_
Then your game is most likely using some antidebugger trick/s, there are several kinds of these, search the board to get more info about them.
About the strings, I didn't use W32dasm for a long time, but as I can remember the difference is that W32 handles only strings referenced by code while OllyDbg searches the whole module and finds all chunks of code possibly being text. You can look up the reference point by invoking the context menu upon that entry and selecting 'Find references', or put a memory breakpoint on access to its first character.
Hmm, first I need to get the game running from Olly without it crashing.
I can get the game running with Softice in the background, but I want to be able to run it from Olly. I can't find a way to do this.
Aquatic
February 15th, 2003, 06:07
w00t! I managed to do an 'attach it to the process' without it crashing! I had to use that Int3/Int1 program...
Anyway, can you make it a little clearer about the string references in Olly? Will the referenced text strings found by Olly actually lead me to any useful code?
_Servil_
February 15th, 2003, 08:17
Can't answer this question, don't know your game, and first of all you must know what you are seeking. The respective string might or might not lead to... Why don't you try it yourself? If it finds a string it means the string is there, nothing more or less; you just have to decide what it's useful for...
Aquatic
February 18th, 2003, 16:12
Maybe if I take a string I find in Olly and then search for it in the game's memory while it is running. (doing an ascii search)
squidge
February 18th, 2003, 17:38
and what use will that do apart from giving you the exact same addresses that ollydbg itself has found?
now, searching for the string ADDRESSES may yield something...
Aquatic
February 18th, 2003, 18:20
Quote:
Originally posted by squidge
and what use will that do apart from giving you the exact same addresses that ollydbg itself has found?
now, searching for the string ADDRESSES may yield something...
Not sure that I know how to do that.
In Olly when you do 'search for all referenced text strings' it gives you all the addresses where the strings are pushed.
For example
Where 'xxx' is the process name (blanked out).
So, I know where the string is pushed, but don't know how to get the address of the actual string.
Any ideas?
squidge
February 18th, 2003, 18:31
In your example, "ReloadTime" is the text, and the address by the push is the address of the string - 785D88.
However, if Olly gives you the reference by telling you what statements actually refer to the string, then it's pretty useless anyway as Olly is doing it all for you.
So, now you are armed with this information, it's time for you to decide whether these strings are useful or not for the task you have in mind.
Aquatic
February 18th, 2003, 18:36
Quote:
Originally posted by squidge
In your example, "ReloadTime" is the text, and the address by the push is the address of the string - 785D88.
However, if Olly gives you the reference by telling you what statements actually refer to the string, then it's pretty useless anyway as Olly is doing it all for you.
So, now you are armed with this information, it's time for you to decide whether these strings are useful or not for the task you have in mind.
What do you mean by 'statements' ?
Sorry, I'm pretty new at this.
squidge
February 18th, 2003, 18:45
Sorry, I mean Mnemonics (I think)
Aquatic
February 18th, 2003, 18:59
Quote:
Originally posted by squidge
Sorry, I mean Mnemonics (I think)
Where does Olly tell me the 'statements' that refer to the string?
Manko
February 18th, 2003, 19:29
Let's say you're interested in what happens to the text string "reloadtime". You get all references and investigate the code around the instruction that loaded/manipulated them.
Code:
005ED7F7 |. 68 885D7800 PUSH xxx.00785D88 ; ASCII "ReloadTime"
""""""""
^^^^^^^^
||||||||
This is the place! The code around this address will perhaps be interesting.
I do not want to put you down, but these things are pretty basic and will be obvious to you once you get some practice. You should practice "simpler" cracking first. Getting to know tools and how code functions. There are numerous tutorials at krobar's site. Start in the newbie section and try to understand what's going on. Tutorials often give you a short route to the answer; try to learn as much as you can anyway. Ask as many questions as you want here, we will try to help, but learning requires a lot of effort on your own behalf too... And getting results on the things you most desire might have to wait sometimes, till you have a better grasp of things.
/Manko
Aquatic
February 18th, 2003, 20:26
Thanks guys.
I am doing some other basic learning stuff, but I just wanted to get some feedback from more experienced ppl.
Anyway, it looks like the address for the string is outside the scope of the game's code. I disassembled it in W32Dasm and the last address it gives doesn't come close to *Code removed*.
The tutorial I am learning from is here: http://www.s-i-n.com/chaos/strmemory.htm
(gives you an Idea where I am coming from).
Basically I looked for a JNZ in the code around the *Code removed* address and didn't find one.
Aquatic
February 18th, 2003, 21:00
Quote:
Originally posted by Aquatic
Anyway, it looks like the address for the string is outside the scope of the game's code. I disassembled it in W32Dasm and the last address it gives doesn't come close to 00785D88.
yep, when I do an attach process in Olly it gives me a message:
*Code removed*
This is probably where my string is stored. Although that module could be something completely different, in which case I don't know where that string is being stored.
squidge
February 19th, 2003, 03:30
In Ollydbg, select the "View" menu item, and then select "Memory". Find the closest memory location next to your location and then write the entire line in this group and we'll tell you what it means. For example, the nearest to 785D88 could be 785000.
Manko
February 19th, 2003, 03:54
I looked at the mentioned tutorial. It was pretty nice. You need to perhaps read it again. It explained what you were supposed to look at. It also talks about packed programs, which seems to be the case here. May I ask what your target is and what string you have chosen to look at, and have you tried to see what it is packed with, using for example PEiD?
...and they have not always made it so easy as to have a jnz or something, closeby.
It's nice to see new people, and I'm not THAT good at cracking, so I apologise if I come across as just putting you down.
/Manko
Aquatic
February 19th, 2003, 04:29
Squidge, I think this is what you asked for.
Code:
Memory map
Address Size Owner Section Contains Type Access Initial Mapped as
*Code removed*
nb: This is only a snippet of the whole memory map.
Where '********' is the process name.
So it looks like
*Code removed* is between*Code removed* and *Code removed*. What does this tell you?
Manko,
I can't reveal the target because of the rules on this forum, that's why I blank out the process name on any code I post.
The value I want to manipulate is the *Code removed*, I'm hoping it is related to the "*Code removed*" string I found in Olly.
squidge
February 19th, 2003, 04:56
Quote:
Originally posted by Aquatic
Squidge, I think this is what you asked for.
Code: Memory map
Address Size Owner Section Contains Type Access Initial Mapped as
00767000 00047000 ******** .rdata imports Imag R RWE
So it looks like 00785D88 is between 00767000 and 007AE000. What does this tell you?
Well, add the size of 47000 to 767000 and you get 7ADFFF, so your address of 785D88 is clearly in this range. This would explain why this address is not shown in W32Dasm, as it's resource data for the program (W32Dasm only shows you the code segments). You may want to sniff around in this data space to see what else you find interesting.
Also, if you look at the access level, it's read only - that means the program itself can not write to that area of memory, so no values can be changed there. It's therefore doubtful that the "ReloadTime" variable is placed here, and this is just an area for strings. You'll have to read through the code and see what happens around the area of the PUSH for that string.
Quote:
Manko,
I can't reveal the target because of the rules on this forum, that's why I blank out the process name on any code I post.
You can disclose the target via Private Message to Manko himself.
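To make the two answers above concrete (the PUSH immediate is the string's own address, stored in little-endian byte order, and the memory map tells you which section that address lives in and whether the program can write there), here is an added Python example. It is not code from the thread or from OllyDbg. The .rdata row reuses the base and size quoted above; the .text row, the bytes around 005ED7F7 and the contents of .rdata are constructed for the example, and the scan is a plain linear byte scan, not a real disassembler.

```python
import struct

# Memory map rows in the shape of OllyDbg's View > Memory window:
# base, size, section, access. The .rdata row is the one decoded in the
# thread (00767000 + 00047000 = 007AE000); the .text row is an assumption.
MEMORY_MAP = [
    {"base": 0x00401000, "size": 0x00366000, "section": ".text",  "access": "R E"},
    {"base": 0x00767000, "size": 0x00047000, "section": ".rdata", "access": "R"},
]

# Constructed process memory: a few instructions around 005ED7F7 and the
# slice of .rdata that holds the string. In a debugger these bytes would be
# read from the debuggee; here they are made up for the example.
CODE_BASE = 0x005ED7F4
CODE = bytes.fromhex(
    "55"            # 005ED7F4  push ebp
    "8bec"          # 005ED7F5  mov ebp, esp
    "68885d7800"    # 005ED7F7  push 00785D88     ; the string reference
    "e800000000"    # 005ED7FC  call (placeholder target)
    "83c404"        # 005ED801  add esp, 4
    "5d"            # 005ED804  pop ebp
    "c3"            # 005ED805  ret
)
RDATA = bytearray(MEMORY_MAP[1]["size"])
_off = 0x00785D88 - MEMORY_MAP[1]["base"]
RDATA[_off:_off + 11] = b"ReloadTime\0"
MEMORY = [(CODE_BASE, CODE), (MEMORY_MAP[1]["base"], bytes(RDATA))]


def region_for(addr):
    """Memory-map row whose [base, base + size) range contains addr, or None."""
    for row in MEMORY_MAP:
        if row["base"] <= addr < row["base"] + row["size"]:
            return row
    return None


def read(addr, n):
    """n bytes at addr from the constructed memory, or None if unmapped."""
    for base, data in MEMORY:
        if base <= addr and addr + n <= base + len(data):
            return data[addr - base:addr - base + n]
    return None


def read_cstring(addr, limit=256):
    """NUL-terminated printable-ASCII string at addr; None if there isn't one."""
    out = bytearray()
    while len(out) < limit:
        b = read(addr + len(out), 1)
        if b is None:
            return None
        if b == b"\0":
            break
        if not 0x20 <= b[0] < 0x7F:
            return None
        out += b
    return out.decode("ascii") if out else None


def push_imm32_at(code, i):
    """Decode '68 imm32' at offset i of code. The four bytes after 68 are the
    operand in little-endian (reversed) order: 88 5D 78 00 -> 0x00785D88."""
    if i + 5 > len(code) or code[i] != 0x68:
        return None
    return struct.unpack_from("<I", code, i + 1)[0]


def find_string_refs(base, code):
    """Linear byte scan for PUSH imm32 whose operand points at a string.
    This cheap pass is what a 'referenced text strings' listing amounts to;
    it can also fire on a 68 byte that is really part of another instruction,
    which is one reason such listings contain entries that lead nowhere."""
    refs = []
    for i in range(len(code)):
        target = push_imm32_at(code, i)
        if target is None:
            continue
        row = region_for(target)
        text = read_cstring(target) if row else None
        if text is None:
            continue
        refs.append({
            "insn": base + i,        # where the PUSH lives (005ED7F7)
            "target": target,        # the string's own address (00785D88)
            "text": text,
            "section": row["section"],
            # Read-only section: the program cannot store a changing value
            # here, so this is the name of the setting, not the setting.
            "writable": "W" in row["access"],
        })
    return refs


if __name__ == "__main__":
    for r in find_string_refs(CODE_BASE, CODE):
        state = "writable" if r["writable"] else "read-only"
        print(f"{r['insn']:08X}  PUSH {r['target']:08X}  ; ASCII \"{r['text']}\""
              f"  [{r['section']}, {state}]")
```

Running it prints the same line OllyDbg showed in the thread, plus the section and access verdict squidge derived by hand: the string sits in read-only .rdata, so the value the game actually changes has to be found by following the code around the PUSH, not by editing the string's bytes.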
Aquatic
February 19th, 2003, 05:08
Well I right clicked on *Code removed*, and then clicked 'dump'. I then scrolled down the dump window and found this
As you can see it says '*Code removed*'. Maybe it is just an area for strings as you say, but maybe it can lead me to the actual '*Code removed*' value?
squidge
February 19th, 2003, 05:28
That's exactly what I'm talking about. Those strings may be searched for in some file, and when matched, assigned a value in memory, so certainly worth checking out.
Manko
February 19th, 2003, 05:36
Hehe... So it wasn't packed. We just had too little information.
(Hmm... or it still might be... what does the sections look like in the file?)
Yup, you can always priv_mess people if they ask for something, but you needn't do that. You'll figure this out eventually.
Just don't ask more than you think/do... :P
We have already answered all this...
You know how to get the adresses where reloadtime is used.
Now go there and investigate!
If you're unsure what the code does, post here and ask for help.
You might have to also put breakpoints and run it to see what happens there... Disassemble too so you have a better overview, and look in the disassembler and debugger when you need to.
Maybe also you can give us more info on this reloadtime.
Does it come up as a number in the game somewhere, or is it only a bar? Keep working, you'll always learn something!
/Manko
Aquatic
February 19th, 2003, 06:19
Actually, I'm learning a lot, heh
All the values I gave so far were from when I opened the .exe in Olly.
So now I actually ran the game and searched its memory (using Tsearch) for "*Code removed*" Which is what I got for '*Code removed*' from the Dump window.
It found that value and the string '*Code removed*' at address *Code removed*. So I disassembled the game at this address and it gave me the following code (it started at *Code removed*) - scroll down
Maybe you guys can find something in that code.
squidge
February 19th, 2003, 06:43
Well done, you've just managed to turn your string into a useless disassembly listing
What you need to do is find the PUSH and disassemble from there - NOT from where the string starts in memory.
Don't mean to put you down, but... Try again!
Aquatic
February 19th, 2003, 14:53
Ahh, so you want the disassembly from where the string was pushed...
Ok so that brings us back to this line that we found in Olly:
As you can see it gives the 68 (PUSH) and then the string in reverse byte order.
So I disassembled at *Code removed* and got the following code:
Sorry for these long code dumps
squidge
February 19th, 2003, 16:58
ok, time for you to do some work
Explain to us why the code you have just posted is not useful (look around the area of the PUSH).
Come on, we can help you out, but we can't do it for you.
Aquatic
February 19th, 2003, 17:28
Quote:
Originally posted by squidge
ok, time for you to do some work 
Explain to us why the code you have just posted is not useful (look around the area of the PUSH).
Come on, we can help you out, but we can't do it for you.
Hmm, maybe you mean how there is no CMP followed by a JNZ near the PUSH?
squidge
February 19th, 2003, 17:33
Errrr.... No.
Look at the 3rd line after the push.
Aquatic
February 19th, 2003, 17:38
*Code removed*
So I should look at *Code removed*
Aquatic
February 19th, 2003, 18:08
Ok so I went into the CALL and didn't find a RET so I went into a deeper CALL and then I found a RET.
i.e.
Then into the call at *Code removed*
squidge
February 20th, 2003, 03:24
yes, I think you need to learn a bit more assembler. Try getting some guides to Intel assembler and possibly download MASM32 to experiment.
Aquatic
February 20th, 2003, 13:27
So basically what I was trying to do isn't actually possible?
squidge
February 20th, 2003, 16:33
Yes, it's certainly possible. However, at the current rate it will take us about 5 years to explain how to do what you are requesting.
You don't seem to be contributing much at all and you seem to expect us to do the bulk of the work for you. For example, you are posting huge chunks of code and saying "What do I do with this?", when really you should be reading through the code yourself and trying to find out what the code is doing. Even when we drop huge hints as to what to look for, you simply post another chunk of code instead of investigating yourself.
Therefore, I suggest you pick something a little simpler, and learn Intel assembler before trying to do this target. Once you have learned Intel assembler, may I suggest a few CrackMe's to test your newly learned skill before trying to hack a "live" target ?
Quote:
Originally posted by Aquatic
So basically what I was trying to do isn't actually possible?
Aquatic
February 20th, 2003, 17:46
Ok, I'll go learn some more tutorials and stuff.
Also, I am gonna remove all the code from my posts just for personal reasons.
enko
March 17th, 2003, 09:48
Ok guys, another newbie I'm afraid, its a question related to this one so here goes.
Having a lot of probs getting Softice to co-exist with the win2000 setup I'm using, so I tend to use W32dasm (slower I know, but I do learn a lot more having to step thru etc.). Here's the thing: out of the last 5 progs I have looked at, they don't show the strings in reference in w32dasm, e.g. a window pops up "this product blah blah", search for "this product blah blah", not shown, but of course it IS there in hexedit. Are these strings being masked somehow (false info in header) or am I, as I fear, being thick?
Thanks in advance
Enko
squidge
March 17th, 2003, 10:47
More than likely the strings you are seeing are part of the resources in the program, and as such, these are not shown in w32dasm.
Download LordPE, enter the file offset you found the text at in the FLC section, and then see where it is...
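What LordPE's FLC (file location calculator) does for that last step, as an added Python example rather than anything from the thread or from LordPE: walk the section table to convert a file offset found in a hex editor into an RVA and virtual address, report which section it lands in, and convert back. The image base and section headers below are constructed for the example (they are not the poster's target or any real file); in a real PE they come from the optional header and the IMAGE_SECTION_HEADER entries. The .rdata section is laid out so that the thread's 00785D88 maps cleanly, and .data is given more virtual than raw size to show the one case where an RVA has no file offset at all.

```python
IMAGE_BASE = 0x00400000  # assumed; in practice read from the PE optional header

# Constructed section table. Tuple fields mirror IMAGE_SECTION_HEADER:
# (Name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
SECTIONS = [
    (".text",  0x001000, 0x366000, 0x000400, 0x366000),
    (".rdata", 0x367000, 0x047000, 0x366400, 0x047000),
    (".data",  0x3AE000, 0x010000, 0x3AD400, 0x001000),  # mostly uninitialised
    (".rsrc",  0x3BE000, 0x002000, 0x3AE400, 0x002000),
]


def section_for_rva(rva):
    """Section whose virtual range [VirtualAddress, +VirtualSize) holds rva."""
    for sec in SECTIONS:
        _, va, vsize, _, _ = sec
        if va <= rva < va + vsize:
            return sec
    return None


def section_for_offset(offset):
    """Section whose raw range [PointerToRawData, +SizeOfRawData) holds offset."""
    for sec in SECTIONS:
        _, _, _, raw, rawsize = sec
        if raw <= offset < raw + rawsize:
            return sec
    return None


def offset_to_rva(offset):
    """File offset -> RVA, or None for the headers or slack between sections."""
    sec = section_for_offset(offset)
    if sec is None:
        return None
    _, va, _, raw, _ = sec
    return va + (offset - raw)


def rva_to_offset(rva):
    """RVA -> file offset, or None when the RVA is outside every section or in
    the uninitialised tail of one (VirtualSize > SizeOfRawData)."""
    sec = section_for_rva(rva)
    if sec is None:
        return None
    _, va, _, raw, rawsize = sec
    if rva - va >= rawsize:
        return None
    return raw + (rva - va)


def locate(offset):
    """FLC-style report for a file offset: offset, RVA, VA and section name."""
    sec = section_for_offset(offset)
    if sec is None:
        return None
    rva = offset_to_rva(offset)
    return {"offset": offset, "rva": rva, "va": IMAGE_BASE + rva, "section": sec[0]}


if __name__ == "__main__":
    # A string seen in a hex editor inside .rsrc: W32Dasm never lists it
    # because it only disassembles code sections.
    print(locate(0x3AE500))
    # The thread's string address, mapped back to where it sits in the file.
    print(hex(rva_to_offset(0x00785D88 - IMAGE_BASE)))
```

Two things to keep in mind when doing this by hand: the lookup for a file offset uses the raw fields, the lookup for an RVA uses the virtual fields, and they are not interchangeable because sections are usually aligned differently in the file than in memory; and a section whose VirtualSize exceeds SizeOfRawData has bytes (typically .bss-style globals) that exist only once the image is loaded, so a breakpoint or patch on them has no file-offset equivalent.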