Working on my reversing skillset here, and I came upon something I thought I understood, but I managed to confuse myself.

Working in C mainly

My function returns me an address for the information I want to access.

    LRESULT ret = SendMessage(hComboBox, CB_GETITEMDATA, (WPARAM)0, (LPARAM)0); // the exact function doesn't really matter here.
    printf("Address: %p\n", ret); // Output is 09437DF8

A dump of this address results in

09437DF8 A0 55 E8 12 

This is the address (note endianness) of the data I really want to read. 12e855A0

12 E8 55 A0 - 30 00 3A 00 30 00 33 00 3A 00 32 00 32 00 00 00 - UNICODE "0:03:22" 

Now I'm fairly certain this is just basic pointers/referencing/de-referencing, but I can't wrap my head around what I have to do to read this value pragmatically.

    wprintf(L"%s\n", <value at address pointed to by ret>);
    // Yes it's a null terminated string
    // I'm working via injected dll, so no access violations
    // string is unicode
  • Perhaps this will help? Commented Dec 6, 2019 at 7:45
  • Trying to follow: ret, a pointer, points to address 09437DF8, as seen by printf("%p", ret);. %p of ret should be my 12E855A0 (another pointer), except it throws an error: error: invalid type argument of unary '*' (have 'LRESULT {aka long int}'). So I feel like I've got to cast the long int so it's an address, something like printf("%s", *(wchar_t *)ret); but it just seg faults. Commented Dec 6, 2019 at 9:45
  • Perhaps posting a complete (small) compilable code example, that demonstrates the seg fault, would be helpful? Commented Dec 6, 2019 at 16:37
  • I'll work on that a little later. I wouldn't be able to provide the direct code that I'm working on due to all the parts involved. I'd have to build a simplified version, but the problem with that is that I'm working in reverse by inspecting memory and trying to build the code. If I knew the code that created what I see in memory, I'd already have my answer... So, I'll have to experiment a bit to see what lines of C create the same layers in memory that I'm seeing. Good idea. Commented Dec 6, 2019 at 17:06
  • Without a code example, it is difficult to guess... perhaps something like: wprintf(L"%ls \n", *(wchar_t **)ret); Commented Dec 7, 2019 at 0:32

1 Answer

Perhaps something like this?

    #include <stdio.h>
    #include <wchar.h>

    int main()
    {
        wchar_t *name = L"UNICODE String";
        void **ret = (void **)&name;            /* ret holds the address of a pointer to the string */
        wprintf(L"%ls \n", *(wchar_t **)ret);   /* dereference once to get the string's address */
        return 0;
    }

1 Comment

This is correct. wprintf(L"Value: %p %ls\n", *(wchar_t **)ret, *(wchar_t **)ret) Address of ret: 0028FF04 Value: 005C3B48 0:03:22
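An added example, not part of the original question or answer, that rebuilds the two-level layout from the dump and contrasts the one-level cast that crashed with the two-level cast that works. The names `fake_get_item_data`, `one_level_read`, `two_level_read` and `utf16_to_ascii` are hypothetical, the sample data is constructed, and `uint16_t` stands in for `wchar_t` so the code behaves the same where `wchar_t` is not 16 bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: UTF-16 "0:03:22", as in the question's dump. */
static const uint16_t sample_text[] = {'0', ':', '0', '3', ':', '2', '2', 0};
/* Constructed stand-in for the bytes at 09437DF8: a slot holding the string's address. */
static const uint16_t *sample_slot = sample_text;

/* Hypothetical stand-in for SendMessage(..., CB_GETITEMDATA, ...): the slot's address as an integer. */
static intptr_t fake_get_item_data(void) { return (intptr_t)&sample_slot; }

/* What *(wchar_t *)ret reads: the first 16 bits stored in the slot, which are
 * part of the inner pointer, not a character. Passed to %s it is used as an address. */
static uint16_t one_level_read(intptr_t ret) {
    uint16_t v;
    memcpy(&v, (const void *)ret, sizeof v);
    return v;
}

/* What *(wchar_t **)ret reads: the inner pointer, i.e. the string's address. */
static const uint16_t *two_level_read(intptr_t ret) {
    if (ret == 0 || ret == -1) return NULL;  /* no item data, or CB_ERR */
    return *(const uint16_t *const *)ret;
}

/* Bounded copy of ASCII-range code units into out; returns length, or -1 on NULL. */
static int utf16_to_ascii(const uint16_t *s, char *out, size_t cap) {
    size_t i = 0;
    if (s == NULL || cap == 0) return -1;
    for (; s[i] != 0 && i + 1 < cap; i++)
        out[i] = (s[i] < 0x80) ? (char)s[i] : '?';
    out[i] = '\0';
    return (int)i;
}

int main(void) {
    char buf[32];
    intptr_t ret = fake_get_item_data();
    printf("ret (slot address): %p\n", (void *)ret);
    printf("one-level read:     0x%04X (pointer bytes, not text)\n", (unsigned)one_level_read(ret));
    if (utf16_to_ascii(two_level_read(ret), buf, sizeof buf) >= 0)
        printf("two-level read:     %s\n", buf);
    return 0;
}
```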
