[Question] Dumping Memory

04/27/2009 18:53 Kozue#1
This snippet is in a loop that dumps values from memory.

PHP Code:
char &myposition=*(char*)offset;
printf("%x \n",myposition);
offset++; 
This is a little of my output:
PHP Code:
55 ffffff8b ffffffec ffffff83 ffffffec 18 
The data is correct but can anyone tell me why there are leading f's on some of the output? Any comments would be appreciated.
04/30/2009 16:29 Kozue#2
This dump is actually based on a single line in the public SearchPattern function. Put it in your dll.cpp. It will dump all memory to the screen from your starting offset to the end if you run it (but be prepared to wait a looong time for it to finish running).

PHP Code:
if (strcmp(input,"mem") == 0)
{
    DWORD offset = 0x00401000;
    DWORD end = 0x0061A587;

    while (offset < end)
    {
        char &myposition = *(char*)offset;  // from public SearchPattern func
        printf("%x \n", myposition);
        offset++;
    }
}

However, as I mentioned before, some output has 6 leading f's. No f's and it's a complete and correct dump of memory.

PHP Code:
55 ffffff8b ffffffec ffffff83 ffffffec 18 ........ 
But the f's don't seem to fit any pattern and I'm totally new at working with memory. Anyone know why these f's are showing up in my output?
04/30/2009 17:11 shad0wZ_#3
I believe you want printf("%02x ", ...), using only %x will assume that you are passing an integer and thus print the bytes for 32-bit in your case. The 0 will allow padding (in case your value is between 0-F, it will pad to 00 etc.) and the 2 specifies the width, which would be 2 digits in this case.
The C++ way of doing it:

Code:
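#include <iostream>
#include <iomanip>

std::cout << std::hex << std::setfill('0');
for (...)
    // setw() applies only to the next item; the casts make the byte print as a number, not a character
    std::cout << std::setw(2) << static_cast<unsigned>(static_cast<unsigned char>(myposition)) << " ";
std::cout << std::endl;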
04/30/2009 18:29 Kozue#4
Print formatting didn't help, but thanks for getting me to think about designing a fix. I'll have to take some time to figure out originally why the f's were displaying, but after some experimenting what I did was make the following simple changes.

before
PHP Code:
char &myposition=*(char*)offset;
after
PHP Code:
BYTE &myposition=*(BYTE*)offset;

output
PHP Code:
55 8b ec 83 ec 18 ........ 
Actually, don't even need to use the & operator.

I've done a lot of shell scripting and PHP, but I'm starting to really get hooked on C/C++.
04/30/2009 19:40 shad0wZ_#5
Yeah a byte is an unsigned character. Didn't think printf() would make a difference there, since it can't make a difference between the types (it basically just gets the parameters from the stack in dword-format). Must be something with your compiler.
You don't need "myposition" at all. You can just use printf("%02x", *reinterpret_cast<byte*>(offset)).

With the &-operator you are creating a reference. This can be useful if you want to use the variable multiple times and modify the original source as well (it is basically a pointer behind the scenes).
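Added example (not code from any poster in this thread): a byte read through a signed char is promoted to int when it is passed to printf, so values of 0x80 and above are sign-extended and %x prints all 32 bits; reading the same byte as unsigned char gives the two-digit dump. The function name dump_hex and the local sample buffer are assumptions for illustration, and a 32-bit int is assumed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: the six bytes shown in the thread's output, held in a
   local buffer instead of being read from a fixed process address. */
static const unsigned char sample[] = { 0x55, 0x8b, 0xec, 0x83, 0xec, 0x18 };

/* Hypothetical helper: format n bytes of mem as hex text into out.
   as_signed = 1 reproduces the original loop (byte read as signed char);
   as_signed = 0 is the BYTE / unsigned char version.
   Returns the number of characters written (excluding the terminator). */
static size_t dump_hex(const void *mem, size_t n, int as_signed,
                       char *out, size_t cap)
{
    const signed char   *s = mem;
    const unsigned char *u = mem;
    size_t used = 0;

    if (cap) out[0] = '\0';
    for (size_t i = 0; i < n && used < cap; i++) {
        int w;
        if (as_signed) {
            /* Default argument promotion turns the signed char into an int:
               0x8b is -117, which as a 32-bit int is 0xffffff8b. The cast to
               unsigned makes explicit how %x interprets that int. */
            int promoted = s[i];
            w = snprintf(out + used, cap - used, "%x ", (unsigned)promoted);
        } else {
            /* unsigned char promotes to a value in 0..255, so no high bits. */
            w = snprintf(out + used, cap - used, "%02x ", (unsigned)u[i]);
        }
        if (w < 0 || (size_t)w >= cap - used) break;  /* output truncated */
        used += (size_t)w;
    }
    return used;
}

int main(void)
{
    char buf[128];
    dump_hex(sample, sizeof sample, 1, buf, sizeof buf);
    printf("signed char  : %s\n", buf);
    dump_hex(sample, sizeof sample, 0, buf, sizeof buf);
    printf("unsigned char: %s\n", buf);
    return 0;
}
```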