0

I don't really see where 0055AE9C is located. I thought Ollydbg would indicate the value in that location as "???" since there is no such address. Or is there?

ollydbg screenshot

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
James Park
  • 165
  • 1
  • 2
  • 14
  • http://i.stack.imgur.com/D5eae.png – James Park Aug 15 '16 at 08:08
  • 2
    What evidence do you have that `0x0055AE9C` isn't mapped in your process? You seem to have your hexdump window showing a completely different range of addresses somewhat near the current value of EIP. – Peter Cordes Aug 15 '16 at 08:30
  • what evidence do I need more ? could this 0x0055AE9C be located at somewhere else other than Hex dump, IP, SP? – James Park Aug 15 '16 at 08:45
  • Yes. Your screenshot doesn't show anything that lists all the valid parts of your process's virtual address space. IDK what kind of addresses are typical for Windows processes, but the fact that Ollydbg shows a value (and I assume the instruction doesn't fault) are strong evidence that it is mapped. Probably in the data section, or read-only data in the text section, or in some malloced memory. – Peter Cordes Aug 15 '16 at 08:49
  • ok I'll check it thanks for the information – James Park Aug 15 '16 at 08:59
  • What is that `call` just ahead? It looks like the `arg` provided to it is pointer to memory `[ebp-18]`, where that `ecx` comes from. It may be it's pointing to data not even originating from source directly, like maybe some file info structure provided by OS, etc.. Whatever. If you know what is that previous `call` supposed to do, it may explain what is the content of memory around that `0x0055...` address. – Ped7g Aug 15 '16 at 09:29
  • 2
    As a side note, you can actually click on a an address in this little window (between code and dump windows) and then click "follow in dump". If the address is not mapped in the process address space, you wont get the possibility to follow it in the dump ([this looks like this](http://imgur.com/a/eoJOb)) – Neitsa Aug 15 '16 at 10:51
  • OMG that is life worth tip ! Ty – James Park Aug 15 '16 at 15:02

1 Answers1

1

the instruction at address (eip) in your screen shot is 

cmp dword ptr ds:[ecx-0x0c] , 4

ecx is 0x55aea8 as shown in your register window

so 0x55aea8-0x0c = 0x55ae9c

and that address contains 0x4

that is what is shown in the area you marked in question mark in blue

if you want to see that address

select the dump pane (down left )

hit ctrl+g type in 55ae9c and hit enter

or select what you marked in blue -> right click -> follow in dump

blabb
  • 8,674
  • 1
  • 18
  • 27