WaxfordSqueers
December 6th, 2004, 18:31
Quote:
[Originally Posted by mbro] I have a DLL file that contains a string I need to change. Now when I load the DLL in W32DASM and open string references I can see the string, when I load it into something like ResHacker to change the string - the string isn't there.
I am guessing that this could mean the string is being pulled from a different file or is not part of the string table - how do I change this string, can anyone help me pls?
Thanks
There are search apps like 'grep', that are written to allow a search through files themselves. I couldn't tell you off-hand where you could find grep, but I think it's a Unix utility that can be used in Windows. You point it to a directory, or even the entire drive, and let it go.
Strings are often entered in Unicode. Each 8-bit byte is padded out to 16 bits. In a dead listing, 'byte' will appear as 'b.y.t.e'. The period (.) doesn't mean it's a period, it's just that the hex editor can't reproduce that character. So, a text search won't find it unless the search engine is made aware of the Unicode structure. Study Unicode and look at how it is listed in a hex dump.
Alternately, you could follow up on your own point that the string is in another file. Don't assume anything, it may even be in a help file, or not even in the local directory. Hopefully it's not in a system file. Run other exe's, dll's and just about any executable through reshacker and see if you can spot it. It may not even be listed as a string. It may be part of a template. Look very carefully through every section of reshacker. To cut down your search, you can pretty well eliminate icons, etc.
The free tools from sysinternals are invaluable here. You can watch which files are being accessed, and that narrows down your search. That's partly what it's all about, learning how to make short cuts.
If you read +Orks tutorials, he urges you to think like the programmer. If you can't find the string as a unit, ask yourself why. Maybe the programmer doesn't want you to find it. So, how would you load a string so it couldn't be found by a dead listing? You'd load it one byte at a time and put pieces of it all over the place. To make it even tougher, you'd XOR them with a key byte and have them totally hidden.
Have you tried running the app through Boundschecker (or Smartcheck for VB apps)? If you learn how to use these tools, you can pinpoint the string and see exactly where it's being loaded from, and how. Look up string functions in an API reference and see how each function manipulates strings. Then look for these string functions in Boundschecker. To save you scouring the entire app, learn how to use Boundschecker to zero in on where the string might be.
Using Sice, you can break near the string itself, and see where the string function is getting it from. In that case, all you do is run the app to the point where the string is being loaded and note where the bytes are being loaded from.
I would consider Tbone's advice to use IDA. WDASM is easier to use, but it doesn't have near the power of IDA. If you can't find something easily using WDASM, go to IDA.
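The search described in the post above, as an added example that is not part of the original post: it looks for a known string in a binary blob as plain ASCII, as UTF-16LE (the 'b.y.t.e' layout), and as either of those XORed with a single key byte. The function names, the sample string "Licensed" and the sample bytes are all constructed for illustration; a string scattered in pieces through the file is not covered by this approach.

```python
# Added example (not from the original post). All names and sample data
# below are constructed for illustration.

def encodings(text):
    """Yield (label, bytes) for the plain encodings worth searching."""
    yield "ascii", text.encode("ascii")
    # UTF-16LE pads each ASCII byte with a 0x00, shown as '.' in a hex dump.
    yield "utf-16le", text.encode("utf-16-le")

def find_all(haystack, needle):
    """Return every offset at which needle occurs in haystack."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits

def locate(blob, text):
    """Return sorted (offset, encoding, xor_key) tuples.

    xor_key 0 means the string is stored unmodified; any other value is
    the single byte every stored byte was XORed with.
    """
    results = []
    for label, plain in encodings(text):
        for key in range(256):
            needle = bytes(b ^ key for b in plain)
            for off in find_all(blob, needle):
                results.append((off, label, key))
    return sorted(results)

# Constructed sample: 4 filler bytes, the string as ASCII (offset 4),
# as UTF-16LE (offset 14), and XORed with key 0x5A (offset 32).
SAMPLE = (
    b"\x4d\x5a\x90\x00"
    + b"Licensed"
    + b"\x00\x00"
    + "Licensed".encode("utf-16-le")
    + b"\xff\xff"
    + bytes(b ^ 0x5A for b in b"Licensed")
)

if __name__ == "__main__":
    for off, label, key in locate(SAMPLE, "Licensed"):
        print(f"offset 0x{off:04x}  {label:9s} xor key 0x{key:02x}")
```

To run it against a real file, read the file in binary mode and pass the bytes to `locate` in place of `SAMPLE`.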