3

I'm debugging one DLL via OllyDbg and found the following command:

LEA ECX,DWORD PTR DS:[ECX+EDX+8771F681]

ECX is 90C85FFF and EDX is 13F5A9CE, so the final address is 0x90C85FFF + 0x13F5A9CE + 0x8771F681 = 0x12C30004E. Unfortunately, I don't know how to view the value located at this address. Ctrl-G in the FPU window says that "No memory on the specified address".

Thanks in advance.

FrozenHeart
  • 19,844
  • 33
  • 126
  • 242
  • Note you have a wrap around, the 32 bit truncated address is just `2C30004E`. Maybe you'll have better luck with that. – Jester Apr 29 '15 at 15:27
  • ...or with your effective address computation. – Weather Vane Apr 29 '15 at 15:52
  • By the way: The value of the DS register would not help you in this case if DS would not point to the linear memory. – Martin Rosenau Apr 29 '15 at 16:30
  • @Jester Thanks for the answer, but it doesn't help anyway -- the address still can't be found – FrozenHeart Apr 29 '15 at 18:19
  • @Martin Rosenau Can you give me more info about it, please? – FrozenHeart Apr 29 '15 at 18:20
  • @FrozenHeart: In 32-bit mode the segment registers do not contain segment values but selectors. Depending on the operating system it is not possible to find out the "real" (linear) address given the selector and offset. CS and SS for example always contain different values in 32-bit mode although they point to the same memory in Windows and Linux. In Windows FS points to another memory area. It would be possible to copy the value of FS into the DS register for some reason. In this case you would have a problem finding out the real address of "DS:xxx"... – Martin Rosenau Apr 30 '15 at 04:38

1 Answer

1

Remember that LEA can be used for any calculation, not just an address (the actual result of the calculation is never accessed / dereferenced). Also, segment override has no effect on calculation.

  • ecx = 0x402000 ; ebx = 0x20 ; FS segment prefix override (FS base = 0x7FFDD000)
  • lea ecx, fs:[ecx+ebx-4] ; result = ecx = 0x40201c (FS base ignored, nothing dereferenced)

To check quickly that an address is mapped, in OllyDbg, you can stop at an instruction and check the mini-window between the CPU windows and the dump window:


The Address=XXXX line indicates the result of the calculation (before actually executing the instruction). If you right click this line, you might see a popup window:

  • If the address is mapped in the process address space, then you'll see a Follow in Dump entry on the popup-menu.
  • If the address is not mapped, the popup-menu doesn't display the Follow in dump entry.

Note: OllyDbg (at least v2) will consider mapped kernel addresses as mapped, although they are obviously not accessible from userland. So if the MSB is set in an address, just consider it as not mapped.

Neitsa
  • 7,693
  • 1
  • 28
  • 45
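As an added worked example (not code from the question or the answer), the following Python evaluates an OllyDbg-style memory operand exactly as LEA does: plain arithmetic truncated to 32 bits, with any segment override ignored. Fed the register values from the question it yields the wrapped address Jester mentions, 2C30004E, and fed the answer's example it yields 0x40201c; the operand grammar and the `is_user_mode` helper (the answer's "MSB set means not mapped" rule) are assumptions of this example.

```python
import re

MASK32 = 0xFFFFFFFF

# Matches OllyDbg-style memory operands such as
#   DWORD PTR DS:[ECX+EDX+8771F681]   or   fs:[ecx+ebx-4]
# (constructed grammar for this example; it covers REG, REG*SCALE and hex displacements)
_OPERAND = re.compile(r"(?:\w+\s+PTR\s+)?(?:(\w{2}):)?\[([^\]]+)\]", re.IGNORECASE)
# One term: optional sign, then a register name or a bare hex constant, optional *scale
_TERM = re.compile(r"([+-]?)([A-Za-z0-9]+)(?:\*([1248]))?")


def lea_effective_address(operand, regs):
    """Evaluate `operand` the way LEA does: pure 32-bit arithmetic.

    `regs` maps upper-case register names to their values. The segment override
    (DS:, FS:, ...) is parsed and then ignored, because LEA never turns the
    result into a linear address and never touches memory.
    """
    m = _OPERAND.fullmatch(operand.strip())
    if not m:
        raise ValueError("unsupported operand: %r" % operand)
    total = 0
    for sign, name, scale in _TERM.findall(m.group(2).replace(" ", "")):
        name = name.upper()
        # OllyDbg prints displacements as bare hex; a token made only of hex
        # digits is a constant, every 32-bit register name contains X, P, S or I.
        if all(c in "0123456789ABCDEF" for c in name):
            value = int(name, 16)
        else:
            value = regs[name]
        value *= int(scale) if scale else 1
        total += -value if sign == "-" else value
    # Address-size truncation: this is the wrap-around the comments point out.
    return total & MASK32


def is_user_mode(addr):
    """Apply the answer's rule of thumb: an address with the top bit set lies in the
    kernel half of a default 32-bit Windows layout, so treat it as not accessible."""
    return (addr & 0x80000000) == 0


if __name__ == "__main__":
    # Register values quoted in the question (constructed call, same numbers)
    ea = lea_effective_address("DWORD PTR DS:[ECX+EDX+8771F681]",
                               {"ECX": 0x90C85FFF, "EDX": 0x13F5A9CE})
    print("EA = %08X, user-mode: %s" % (ea, is_user_mode(ea)))
```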