newbie question
zombie
11-20-2008, 02:05 PM
Hi, well, I'm trying to reverse a piece of software, and I'm facing a problem. If I open the main exe in a hex editor, I can find all the strings I'm looking for (Demo, License Expired, etc.), but in the dead list (Olly, IDA, Wdasm) I cannot see them. Any hint?
Thanks a lot,
zombie
Unicode?
What is "the dead list"?
Git
zombie
11-22-2008, 07:38 AM
Hi Git,
By "dead list" I mean the disassembled file. I was asked on another forum if I'm loading the resources in IDA. And, yes, I'm loading them. Also, the file seems not to be packed (quite a big exe file, it's about 13 Mb); ResHacker says nothing about it being packed (and it's not showing me any Demo string whatsoever). PEiD shows "Nothing found [Overlay] *".
Thanks for your time,
zombie
Load the exe in PE-Explorer and look at the Resources. Every resource, including the Strings, has a unique ID that the program loads them by. Find the ID number for the "Demo" string you are interested in - let's say it is 35 (PE-Explorer shows them in decimal). 35 = 0x23 in hex. Now in IDA go to the Search menu and choose Immediate Value. Enter 0x23 and put a check against the box for Find All Occurrences and hit OK. From the resulting list you will soon find where your resource is being used - it will be associated near a LoadResource() call, or sometimes a GetResourceValue() call or similar.
I don't bother these days loading the resource section into IDA, I find it quicker to work with PE-Explorer open too and also use some IDC scripts. The reason you can't see your string is probably because it is in Unicode so every character is represented by 2 bytes, the 2nd one usually being 0x00 for Latin fonts.
You could also try searching for Sequence Of Bytes and enter 44 00 65 00 6D 00 6F 00. That may find your 'Demo' string. Then hit Alt-A followed by U with the cursor on the address with the 0x44 byte and it will make your Unicode string readable.
Git
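The 2-bytes-per-character point from the reply above, as an added example that is not part of the original thread: a short Python script that builds the byte sequence for a search term and scans a buffer for both ASCII and UTF-16LE copies of it. The function names and the `SAMPLE` buffer are constructed for illustration; they do not come from any tool mentioned in the thread.

```python
import re

def utf16le_pattern(term: str) -> str:
    """Hex byte sequence for a 'sequence of bytes' search, e.g. 44 00 65 00 ..."""
    return " ".join(f"{b:02X}" for b in term.encode("utf-16-le"))

def find_term(data: bytes, term: str):
    """Return sorted [(offset, encoding)] for every ASCII or UTF-16LE hit."""
    hits = []
    for name in ("ascii", "utf-16-le"):
        needle = term.encode(name)   # raises for non-ASCII terms in "ascii"
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(needle, pos + 1)
    return sorted(hits)

def wide_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for runs of printable Latin chars stored as UTF-16LE.

    Each character is a printable byte followed by 0x00, which is why a
    byte-oriented string listing shows nothing useful for these runs.
    """
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in run.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")

# Constructed sample buffer (not taken from any real executable):
# one ASCII string followed by two UTF-16LE strings.
SAMPLE = (
    b"MZ\x90\x00"
    + b"DemoApp\x00\xff"
    + "Demo".encode("utf-16-le") + b"\x00\x00"
    + "License Expired".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    print("search bytes:", utf16le_pattern("Demo"))
    for offset, enc in find_term(SAMPLE, "Demo"):
        print(f"0x{offset:04X}  {enc}")
    for offset, text in wide_strings(SAMPLE):
        print(f"0x{offset:04X}  wide string: {text!r}")
```

To run it against a file instead of the sample, read the file with `open(path, "rb").read()` and pass the bytes to the same functions.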