Log in

View Full Version : Strange string

WebRIPPER
February 23rd, 2004, 12:15
Bug, or doing something wrong...

The same test program, with Olly and W32Dasm
Following {Olly} :
--------------------------
0042F35B . 50 PUSH EAX
0042F35C . 68 1B270000 PUSH 271B
0042F361 . E8 3AF40100 CALL hb3.0044E7A0
0042F366 . 83C4 04 ADD ESP,4
0042F369 . 50 PUSH EAX ; |Text
0042F36A . 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8] ; |
0042F36D . 50 PUSH EAX ; |hOwner
0042F36E . FF15 6C044600 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; &#92;MessageBoxA
--------------------------------------------
Following {W32Dasm} :
--------------------------
:0042F35B 50 push eax 0

* Possible Reference to String Resource ID=10011: "Test for UNICODE key as reference"
|
:0042F35C 681B270000 push 0000271B
:0042F361 E83AF40100 call 0044E7A0
:0042F366 83C404 add esp, 00000004
:0042F369 50 push eax 0
:0042F36A 8B4608 mov eax, dword ptr [esi+08] re
:0042F36D 50 push eax d

* Reference To: USER32.MessageBoxA, Ord:01BEh 11
|
-----------------------------------
As you can see W32Dasm detect the string, but Olly does not. How make Olly able to detect unicode referenced strings?
Ricardo Narvaja
February 23rd, 2004, 17:04
Olly detect the string too, go to view-executables, select the exe and right click view string resources for this type of string, and you see the string

Ricardo
Ricardo Narvaja
February 23rd, 2004, 17:05
Olly detect UNICODE, only this is a RESOURCE STRING you go and look in the correct window and you see the string

Ricardo
WebRIPPER
February 24th, 2004, 00:01
Thank you. I see it now, but...
It is no search option in this window and how can I go to selected address (except manually). I think it make sense to add right-click function like in string search window...
Ricardo Narvaja
February 24th, 2004, 01:34
Write to Oleh and tell if in the next beta, the resource string can be wieved and managed how the common string references, and in the same window all references together, common string references and resource strings, how wdasm without differences.

Ricardo
helloword1
February 24th, 2004, 04:21
WebRIPPER It's possible with OLLYDBG to know where the ressource string are linked with assembler code.

- In the "Resources String" window there is a colunm name Index
For example
index: 80(128.)
string: Cannot open file blabla

- Take the index number and go to
CPU window
Right click
Search for
All sequences
and write :
mov R32, 80
You can also try
push 80