Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Problem with referenced strings in Olly. (https://forum.exetools.com/showthread.php?t=9579)

Fade 05-07-2006 07:12

Problem with referenced strings in Olly.
 
1 Attachment(s)
I think the problem actually has to do with the compiler I am using. I was looking at this http://www.mmdhaven.com/NoUse//howtocrack.html (it is old, I know) and a friend and I were going through it, but each of us compiled the code. Well, the code we used is below, a tiny bit different but nothing special.

Code:

#include <cstdlib>   // system()
#include <iostream>

using namespace std;

int main()
{
    // 100-byte local buffer initialised from a 23-character literal
    char done[100] = "Hit any key to continue";

    cout << "\"This will be gone\"\n";
    cout << done;
    system("PAUSE");

    return 0;
}

He had Microsoft Visual C++ Compiler version 6.0 and I had version 8.0. In Olly he was able to see all the strings, yet I could only see 3 strings when I went to view all the referenced strings. We couldn't figure out why until we tried each other's binary and then realised. (Also, my binary even gave an error on his system when he tried to run it.) I don't think it is .NET dependent because I just chose to compile as a simple console application.

I have provided both binaries in case it will help you to help me.

I have no idea why I don't see all the strings.

Thanks

Newbie_Cracker 05-08-2006 06:59

msvcr80.dll and msvcp80.dll are needed to run the v8.0 file (as I don't have VC 8.0).

But OllyDbg has no problem with v6.0 strings.

Code:

Text strings referenced in MSVC_6_0:.text
Address    Disassembly                                Text string
0040100C  MOV ESI,MSVC_6_0.0040D0C0                  ASCII "Hit any key to continue"
00401020  PUSH MSVC_6_0.0040D0A8                      ASCII ""This will be gone"
"
00401040  PUSH MSVC_6_0.0040D0A0                      ASCII "PAUSE"
00402577  MOV ESI,MSVC_6_0.0040B1BC                  ASCII "ios::badbit set"
00402581  MOV ESI,MSVC_6_0.0040B1A8                  ASCII "ios::failbit set"
00402588  MOV ESI,MSVC_6_0.0040B198                  ASCII "ios::eofbit set"
004039C9  MOV ESI,MSVC_6_0.0040B2B0                  ASCII "string too long"
00403BF5  MOV ESI,MSVC_6_0.0040B2E0                  ASCII "invalid string position"
00403E5B  PUSH MSVC_6_0.0040B314                      ASCII "COMSPEC"
00403E8C  MOV DWORD PTR SS:[EBP-C],MSVC_6_0.0040B310  ASCII "/c"
00403EC6  MOV DWORD PTR SS:[EBP-10],MSVC_6_0.0040B30  ASCII "command.com"
00403ECF  MOV DWORD PTR SS:[EBP-10],MSVC_6_0.0040B2F  ASCII "cmd.exe"
0040436C  PUSH EBP                                    (Initial CPU selection)
00405239  MOV EAX,MSVC_6_0.0040B340                  ASCII "Unknown exception"
00405776  PUSH MSVC_6_0.0040B37C                      ASCII "PATH"
004058E2  PUSH MSVC_6_0.0040B3A4                      ASCII ".\"
00406EDE  PUSH MSVC_6_0.0040B6F8                      ASCII "<program name unknown>"
00406F20  PUSH MSVC_6_0.0040B6F4                      ASCII "..."
00406F34  PUSH MSVC_6_0.0040B6D8                      ASCII "Runtime Error!

Program: "
00406F52  PUSH MSVC_6_0.0040B6D4                      ASCII "

"
00406F7A  PUSH MSVC_6_0.0040B6AC                      ASCII "Microsoft Visual C++ Runtime Library"
00407B76  ASCII "h0{@",0
004094B8  PUSH MSVC_6_0.0040B740                      ASCII "user32.dll"
004094CF  PUSH MSVC_6_0.0040B734                      ASCII "MessageBoxA"
004094E0  PUSH MSVC_6_0.0040B724                      ASCII "GetActiveWindow"
004094E8  PUSH MSVC_6_0.0040B710                      ASCII "GetLastActivePopup"

Maybe your debugger is f*cked up ! ;)

TQN 05-08-2006 09:35

No, not a bug of OllyDbg. VC++ 8 optimizes the code by breaking the string "Hit any key to continue" into an array of dwords, moving every dword to a local buffer, and working with this local buffer. It does not directly access the address of char done[100] in the read-only section (rdata).
Code:

.text:004012C0
.text:004012C0 main    proc near                      ; CODE XREF: start-14Ep
.text:004012C0
.text:004012C0 localBuffer= byte ptr -68h
.text:004012C0 stackMask= dword ptr -4
.text:004012C0
.text:004012C0        sub    esp, 68h
.text:004012C3        mov    eax, g_dwCookie
.text:004012C8        xor    eax, esp
.text:004012CA        mov    [esp+68h+stackMask], eax
.text:004012CE        mov    eax, dword ptr ds:szHitanykeytocontinue ; "Hit any key to continue"
.text:004012D3        mov    ecx, dword ptr ds:szHitanykeytocontinue+4
.text:004012D9        mov    edx, dword ptr ds:szHitanykeytocontinue+8
.text:004012DF        mov    dword ptr [esp+68h+localBuffer], eax
.text:004012E2        mov    eax, dword ptr ds:szHitanykeytocontinue+0Ch
.text:004012E7        push    4Ch                    ; size_t
.text:004012E9        mov    dword ptr [esp+6Ch+localBuffer+0Ch], eax
.text:004012ED        mov    dword ptr [esp+6Ch+localBuffer+4], ecx
.text:004012F1        mov    ecx, dword ptr ds:szHitanykeytocontinue+10h
.text:004012F7        mov    dword ptr [esp+6Ch+localBuffer+8], edx
.text:004012FB        mov    edx, dword ptr ds:szHitanykeytocontinue+14h
.text:00401301        lea    eax, [esp+6Ch+localBuffer+18h]
.text:00401305        push    0                      ; int
.text:00401307        push    eax                    ; void *
.text:00401308        mov    dword ptr [esp+74h+localBuffer+10h], ecx
.text:0040130C        mov    dword ptr [esp+74h+localBuffer+14h], edx
.text:00401310        call    memset
.text:00401310
.text:00401315        mov    ecx, ds:std::basic_ostream<char,std::char_traits<char>> std::cout
.text:0040131B        push    offset szThiswillbegone ; "\"This will be gone\"\n"
.text:00401320        push    ecx
.text:00401321        call    cout
.text:00401321
.text:00401326        mov    eax, ds:std::basic_ostream<char,std::char_traits<char>> std::cout
.text:0040132B        lea    edx, [esp+7Ch+localBuffer]
.text:0040132F        push    edx
.text:00401330        push    eax
.text:00401331        call    cout
.text:00401331
.text:00401336        push    offset szPAUSE          ; "PAUSE"
.text:0040133B        call    ds:system
.text:0040133B
.text:00401341        mov    ecx, [esp+88h+stackMask]
.text:00401348        add    esp, 20h
.text:0040134B        xor    ecx, esp
.text:0040134D        xor    eax, eax
.text:0040134F        call    stack_check
.text:0040134F
.text:00401354        add    esp, 68h
.text:00401357        retn
.text:00401357
.text:00401357 main    endp
.text:00401357
...........................
.rdata:0040213C szHitanykeytocontinue db 'Hit any key to continue',0 ; DATA XREF: main+Er
.rdata:0040213C                                        ; main+13r main+19r
.rdata:0040213C                                        ; main+22r

Regards,

Fade 05-08-2006 15:28

Quote:

Originally Posted by newbie_cracker
msvcr80.dll and msvcp80.dll are needed to run the v8.0 file (as I don't have VC 8.0).

But OllyDbg has no problem with v6.0 strings.
...

Maybe your debugger is f*cked up ! ;)


If you need those 2 files for running VC 8.0 files, just say so and I'll give them to you. Olly seems fine because it opens the VC 6.0 file, just like yours did, but it couldn't find the strings in the 8.0 file. But the person below answers that.

Quote:

Originally Posted by TQN
No, not a bug of OllyDbg. VC++ 8 optimize code by breaking the string "Hit any key to continue" to an array of dword, and move every dword to local buffer, work with this local buffer. It not directly access to the address of char done[100] in the readonly section (rdata).

...

Regards,

Thank you for the information. Is there a way of being able to kind of "search" for this as a string though, some kind of Olly trick, so that even though it is split up, Olly will know that the split buffers are actually related to each other and make up a string? Like a way of viewing it as a string even though it isn't stored as a string.

I can find most of the strings by tracing into the program stopping the trace and then viewing all the referenced strings. But I think it would be good if I knew a way of finding strings like the one in this program as it may be useful sometime.

Thanks.

JuneMouse 05-08-2006 21:53

Normally Olly only finds strings that are referenced; if a string is not referenced directly, Olly will not list it when you use right-click -> Search for referenced text strings,

because looking for strings of all types and all lengths, including both ASCII and Unicode, can be a very time-consuming and slow task.

But if you know a string, for example "hit" in the above example, you can use Alt+M, Ctrl+B, type in "hit" in the ASCII field and hit Enter; Olly will find all strings that have "hit" in them:
Code:

0040D0C0  48 69 74 20 61 6E 79 20 6B 65 79 20 74 6F 20 63  Hit any key to c
0040D0D0  6F 6E 74 69 6E 75 65 00                          ontinue.

Code:

80887042  48 69 74 20 61 6E 79 20 6B 65 79 20 74 6F 20 63  Hit any key to c
80887052  6F 6E 74 69 6E 75 65 0D 0A 2E 3F 41 56 69 6F 73  ontinue...?AVios
80887062  5F 62 61 73 65 40 73 74 64 40 40 0D 0A 2E 3F 41  _base@std@@...?A

Code:

809D0A69  68 69 74 65 62 6F 61 72 64 2E 2E 2E 00 00 00 7E  hiteboard......~
Code:

80B42FFB  68 69 74 65 62 6F 61 72 64 2E 2E 2E 2E 2E 2E 7E  hiteboard......~
80B4300B  0D 0A 0D 0A 00 1D 3F 1C 56 74 00 69 00 6E 00 75  .....?Vt.i.n.u

Code:

817477FC  68 69 74 81 68 69 74 81                          hit.hit.


826E70BA  68 69 74 65 2E 69 63 6F 00 00 00                hite.ico...


8314B0C5  68 69 74 65 3B 62 61 63 6B 67 72 6F 75 6E 64 2D  hite;background-
8314B0D5  69 6D 61 67 65 3A 6E 6F 6E 65 7D 0D              image:none}.


8314B4D0  68 69 74 65 3B 62 61 63 6B 67 72 6F 75 6E 64 2D  hite;background-
8314B4E0  69 6D 61 67 65 3A 75 72 6C 28 2E 2E 2F 2E 2E 2F  image:url(../../
8314B4F0  63 6F 6E 74 72 6F 6C 73 2F 69 6D 61 67 65 73 2F  controls/images/
8314B500  63 61 72 61 74 2D 6F 70 65 6E 2E 67 69 66 29 7D  carat-open.gif)}

and so on :) Use Ctrl+L to search for the next one.


Normally I use Sysinternals Strings or BinText by Foundstone for looking at all strings.

Code:


Strings v2.2
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

        (((((                  H
!This program cannot be run in DOS mode.
Rich
$]D
.text

<-----snip----->
jE@
PAUSE
"This will be gone"
Hit any key to continue
.?AVios_base@std@@
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
.?AV?$basic_istream@DU?$char_traits@D@std@@@std@@
<----snip---->
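
As an added illustration of TQN's and JuneMouse's points (example code written for this page, not from the thread, OllyDbg or the Sysinternals tools), the following Python models both search strategies on a constructed .rdata section laid out like MSVC_6_0's: a reference-based scan that only follows immediate pointer operands, and a raw byte scan. The operand lists VC6_MAIN and VC8_MAIN are simplified models of the two compilers' main(); because the VC8-style dword loads never carry the string's address as an immediate, only the raw scan reports "Hit any key to continue".

```python
import re

# Constructed toy .rdata (not the thread's real binaries): three NUL-terminated
# literals laid out 8-byte aligned from 0040D0A0, which reproduces the addresses
# 0040D0A0 / 0040D0A8 / 0040D0C0 seen in Newbie_Cracker's MSVC_6_0 listing.
RDATA_BASE = 0x0040D0A0

def build_rdata(literals):
    """Lay literals out back to back, NUL-terminated and padded to 8 bytes.
    Returns the section bytes and a {literal: address} map."""
    blob, addrs = b"", {}
    for lit in literals:
        addrs[lit] = RDATA_BASE + len(blob)
        blob += lit + b"\x00"
        blob += b"\x00" * (-len(blob) % 8)
    return blob, addrs

RDATA, ADDR = build_rdata([b"PAUSE", b'"This will be gone"\n', b"Hit any key to continue"])
HIT = ADDR[b"Hit any key to continue"]

# Operand model (assumed, simplified): ("imm", a) = immediate pointer
# (PUSH a / MOV reg, a); ("mem32", a) = 4-byte read MOV reg, DWORD PTR DS:[a].
VC6_MAIN = [("imm", HIT), ("imm", ADDR[b'"This will be gone"\n']), ("imm", ADDR[b"PAUSE"])]
# VC8 copies the 24 bytes of the literal (incl. NUL) as six dwords at +0 .. +14h,
# as in TQN's IDA listing, then memsets the remaining 4Ch bytes of done[100].
VC8_MAIN = [("mem32", HIT + 4 * i) for i in range(6)] + VC6_MAIN[1:]

PRINTABLE = set(range(0x20, 0x7F)) | set(b"\t\r\n")

def referenced_strings(code, rdata=RDATA, base=RDATA_BASE, min_len=3):
    """Model of Olly's 'Search for > All referenced text strings': only an
    immediate operand that points at a printable NUL-terminated run is listed."""
    found = []
    for kind, value in code:
        off = value - base
        if kind != "imm" or not 0 <= off < len(rdata):
            continue
        end = rdata.find(b"\x00", off)
        run = rdata[off:end if end >= 0 else len(rdata)]
        if len(run) >= min_len and all(b in PRINTABLE for b in run):
            found.append(run.decode())
    return found

def raw_strings(data, min_len=4):
    """Model of a raw scan (Olly's Ctrl+B search, Sysinternals Strings, BinText):
    every printable run of at least min_len bytes is reported, referenced or not."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
```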


Fade 05-08-2006 22:40

Thanks mate, I've used the Sysinternals Strings program before; it is very good. I have never tried BinText, though I have used some of Foundstone's other utilities.

