Modifying the stack
5aLIVE
July 3rd, 2005, 11:22
Hello again,
I want to modify an ASCII string which can be seen on the stack. I right click to modify or edit the stack address, but it only shows four ASCII chars, which doesn't correspond to the 20 char string I want to edit.
What am I doing wrong here?
Thanks
5aLIVE
blabberer
July 3rd, 2005, 11:31
right click --> follow in dump --> select the whole string
press ctrl+e and edit what you want it to
the edit in stack shows 4 chars because it is the address of the string,
not the string itself. the string is situated at the address that is shown in those 4 chars
0012FFBC 00403000 ASCII "Iczelion's tutorial no.2"
now if you do right click edit you will see
00304000 which is 403000 inverted
at the address you will see the string
00403000 49 63 7A 65 6C 69 6F 6E 27 73 20 74 75 74 6F 72 Iczelion's tutor
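The point blabberer makes above, as an added example that is not from the thread: the four bytes in the stack slot are the string's address stored little-endian (so "edit" shows 00 30 40 00 for 00403000), and "follow in dump" decodes that DWORD and lands on the string itself. The memory map, region layout and function names are constructed for illustration; the addresses and string are the ones quoted in the thread.

```python
import struct

# Constructed toy memory image (not a real process dump): a stack slot holding a pointer, and the string it points to.
STACK_SLOT = 0x0012FFBC
STRING_ADDR = 0x00403000
MEMORY = {
    STACK_SLOT: bytearray(struct.pack("<I", STRING_ADDR)),   # bytes 00 30 40 00 in memory order
    STRING_ADDR: bytearray(b"Iczelion's tutorial no.2\x00"),
}

def _region(mem, addr):
    """Return (base, buffer) of the region containing addr."""
    for base, data in mem.items():
        if base <= addr < base + len(data):
            return base, data
    raise KeyError(f"unmapped address {addr:08X}")

def read_bytes(mem, addr, size):
    base, data = _region(mem, addr)
    return bytes(data[addr - base:addr - base + size])

def stack_cell_hex(mem, addr):
    """What 'edit' on the stack line shows: the 4 raw bytes of the slot, in memory order."""
    return read_bytes(mem, addr, 4).hex().upper()        # '00304000' for the pointer 00403000

def follow_in_dump(mem, addr):
    """Decode the slot as a little-endian DWORD: the address the dump window jumps to."""
    return struct.unpack("<I", read_bytes(mem, addr, 4))[0]

def ascii_at(mem, addr, max_len=64):
    """NUL-terminated ASCII string at addr, like the dump's 'ASCII (64 chars)' view."""
    return read_bytes(mem, addr, max_len).split(b"\x00", 1)[0].decode("ascii")

def hexdump_line(mem, addr):
    """One 16-byte dump line in Olly's layout: address, hex bytes, printable ASCII."""
    chunk = read_bytes(mem, addr, 16)
    hexpart = " ".join(f"{b:02X}" for b in chunk)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{addr:08X} {hexpart} {text}"

def edit_string(mem, addr, new_text):
    """Ctrl+E on the selected string bytes: overwrite in place. Refuses text that
    would not fit the existing buffer, since that would clobber whatever follows
    the string in memory instead of editing it."""
    old_len = len(ascii_at(mem, addr))
    encoded = new_text.encode("ascii")
    if len(encoded) > old_len:
        raise ValueError("replacement longer than the existing string; would overrun")
    base, data = _region(mem, addr)
    off = addr - base
    data[off:off + old_len] = encoded.ljust(old_len, b"\x00")
```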
5aLIVE
July 3rd, 2005, 11:55
Wow, I'm impressed with how quickly you responded to my question.
I followed your instructions and explanation by example.
Here's what happens:
0012F8B4 |00CF249C œ$Ï. ASCII "My string info"
I follow in dump which takes me to
00CF24B1 ^76 CF JBE SHORT 00CF2482
Hmm. Something not right here. I right-clicked and selected ASCII 64 chars, and lo and behold, the string I want to edit.
Thank you very much. This little exercise confirmed my theory that this particular string is not used to validate a password.
Ricardo Narvaja
July 3rd, 2005, 15:42
if you obtain
00CF24B1 ^76 CF JBE SHORT 00CF2482
you are not making FOLLOW IN DUMP; in the dump the bytes are viewed in hexadecimal mode
go to the lower left part of the olly and GO TO EXPRESSION
00CF2482
(put the 0 before the C)
and you look at the string in the dump
Ricardo Narvaja
5aLIVE
July 4th, 2005, 03:09
Hi Ricardo,
I think maybe you misunderstand me?
I saw the line of disassembled code at
00CF24B1 ^76 CF JBE SHORT 00CF2482
in the dump screen; this is not actual code but the start of the string I was looking for.
I just changed the view from Disassemble to ASCII(64 chars)
to fix this.
Thanks,
5aLIVE
blabberer
July 4th, 2005, 08:37
well, since you feel the problem is solved, this is academic
0012F8B4 |00CF249C œ$Ï. ASCII "My string info"
on the above line if you follow in dump you should
reach cf249c,
not 00CF24B1 like you say. something messed up, likely