Memory offset of simple program

[mo5342]

Good day!

For test perpose I wrote some code .

PHP Code:

#include "stdafx.h"
#include <iostream>
#include <string>
#include <sstream>
#include <string>


using namespace std;


class Object {
public:
    bool dummy;
    int someField;
    Object* child;
};

void foo() {

    Object *obp = new Object();
    obp->dummy = false;
    obp->someField = 3;
    cout << std::hex << &obp << endl;
    cout << std::hex << obp << endl;
    cout << std::hex << &obp->someField  << endl;
    cout << std::dec << obp->someField  << endl;
    string input = "";
    int secretNumber = 5;
    int myNumber = 0;

    while (true) {
        cout << "Please enter a valid number: ";
        getline(cin, input);
         
        stringstream myStream(input);
        if (myStream >> myNumber) {
            if (myNumber == 0) {
                cout << "last " <<  obp->someField << endl;
                continue;
            }
            obp->someField  = myNumber;
            if (myNumber == secretNumber ) {
                cout << "You win" << endl;
                break;
            } else {
                cout << "access denied " <<   obp->someField << endl;
            }
        } else {
            cout << "Invalid number, please try again" << endl;
        }
    }
}

int _tmain(int argc, _TCHAR* argv[]) {
    foo();

    return 0;
} 


The perpose is to find static offset to obp->someField.

With CE I have found it like this (pseudo code)

ReadDword(ReadDword(ProgramBaseAddress + 0xCB340) + 0x34)

But I don't understand why is 0xCB340 and 0x34. Only what I can say 0xCB340 - it is offset from base address of the program to .data section. But how to find this offset in olly\ida? And why is 34 if offset in class is 4, because before our field we have another field, and it takes 4 bytes.

So I open olly ada ida.
When we read a number. This number puts to DWORD PTR SS:[EBP-58], and here we can see

PHP Code:

0132E131   8B45 E8          MOV EAX,DWORD PTR SS:[EBP-18]
0132E134   8B4D A8          MOV ECX,DWORD PTR SS:[EBP-58]
0132E137   8948 04          MOV DWORD PTR DS:[EAX+4],ECX 


and foo function
[Z80 Assembler] 0132DF00 > 55 PUSH EBP 0132DF01 8BEC MOV EBP,ESP 0 - Pastebin.com

how first take a pointer from the stack DWORD PTR SS:[EBP-18], then we add offset 4 and get
our someField.
Here is everthing clear.
EBP-18 - because is local variable.
+4 - because of structure of the object (before we have dummy field).

The question is how I get static offsets in olly\ida of the stack( or ebp)?
I don't understand how to get to local variable, because the place of stack always change , so ebp also.

So I would like to understand step by step. And in final to get

ReadDword(ReadDword(ReadDword(ProgramBaseAddress + 0x????) - 0x18 )+0x4) - how it should be from asembler code.
and how to find 0x???? in olly\ida if address of stack always change?

I'm new here and if I post it in wrong place, tell me please and I will chage. Really hope for your help. It seems very easy, but I can't understand last step.

[Valediction]

First, your results are full of compiler and architecture dependant settings and implementation details, so you simply won't be able to reliably determine or predict some of the magic constants you point out.

Notice that you're trying to retrieve a static pointer (your word was offset even though you don't say relative to what, I guess it's common practice to call it that way) to a member of a variable which is dynamically allocated:

Code:

Object *obp = new Object();

In general, you can only hope to get that variable allocated on the heap, potentially in a different address each time, not in a static pointer or a reachable-by static pointer.

You will always find that a reference object within foo's stack, though. There's no general mechanism to get to the stack of a function, as the "ownership" of the stack is time dependant based on the program flow. You could detour or debug that function and "steal" the pointer and that function's variables.

You could find a static pointer if you had, somewhere in your code, say a global variable, outside of every function:

Code:

Object *gObj;

Which you then initialize. That pointer would be in a constant address every time. This is customary for certain structures and important variables, as we see in WoW, for instance the Object Manager: in this case, they do have a global variable so you can get a static pointer.

[mo5342]

Thank you for an answer. And you are right - I want a static pointer.
How to deal with global data I understand, especially in .rdata section, like strings.
For example, to get string "You win", I can do like that

ReadString( moduleBaseAddressById + 0x000B43C4, 14)

and any time I restart the program, I always get the string. I thought the same way I can get local variables.

There's no general mechanism to get to the stack of a function, as the "ownership" of the stack is time dependant based on the program flow.

You are right and I know that the stack always change. First change the base address of a stack. And when we enter in a function we set ebp = esp

Code:

push ebp
mov ebp, esp

and get a new stack frame. Now we can get local variables like [epb-4], [ebp-xx], where xx is offset on the stack frame.

But how could work offset to a static pointer like this?

Code:

 ReadDword(ReadDword(moduleBaseAddressById + 0xCB340)  + 0x34)

I get it from Cheat Engine (CE), by pointer scan method. 0xCB340 - somehow CE can get this offset, so in olly\ida it is possible too? Am I right? If so , how to do it?

And here I do not understand the point.

You could detour or debug that function and "steal" the pointer and that function's variables.

I have debug the function, but as I said there are two offsets.

1. eax+4 - it is offset in the object (obp).
2. ebp-18 - it's offset on a stack.

Could you explain me more specific how to "steal' the pointer and what else I could do ?
Because I really stuck.
From one side I see that it is possible,

Code:

 ReadDword(ReadDword(moduleBaseAddressById + 0xCB340)  + 0x34)

from another side I can't find it in olly\ida.

I need algorithm to find the static pointer of obp (the pointer to class).
Or there is no any way to get it? And 0xCB340 - it's just offset in a middle of a heap, and it's static only because the compiler put variables in that way and I can't find this offset in olly\ida and only way I can find in CE? I'm pretty sure it should be the way, because olly\ida much more advance tools.

[mo5342]

I have added a global pointer, so as were expected ida shows static address.

PHP Code:


#include "stdafx.h"
#include <iostream>
#include <string>
#include <sstream>
#include <string>


using namespace std;


class Object {
public:
    bool dummy;
    int someField;
    Object* child;
};

Object *gObp;

void foo() {

    Object *obp = new Object();
    gObp = new Object();
    obp->dummy = false;
    obp->someField = 3;
    gObp->dummy = false;
    gObp->someField = 1;
    cout << std::hex << &obp << endl;
    cout << std::hex << obp << endl;
    cout << std::hex << &obp->someField  << endl;
    cout << std::dec << obp->someField  << endl;
    string input = "";
    int secretNumber = 5;
    int myNumber = 0;

    while (true) {
        cout << "Please enter a valid number: ";
        getline(cin, input);

        stringstream myStream(input);
        if (myStream >> myNumber) {
            if (myNumber == 0) {
                cout << "last " <<  obp->someField << endl;
                continue;
            }
            obp->someField  = myNumber;
            gObp->someField  = myNumber;
            if (myNumber == secretNumber ) {
                cout << "You win" << endl;
                break;
            } else {
                cout << "access denied " <<   obp->someField << endl;
            }
        } else {
            cout << "Invalid number, please try again" << endl;
        }
    }
    delete obp;

}

int _tmain(int argc, _TCHAR* argv[]) {
    foo();
    cout << "final " <<  gObp->someField << endl;
    string input = "";
    cin >> input;
    delete gObp;
    return 0;
} 


from olly

Code:

MOV EAX,DWORD PTR DS:[A2B1A0]

and we can read it

Code:

ReadDword(ReadDword(moduleBaseAddressById + 0x00CB1A0) + 0x4