
Working on my reversing skillset here, and I came upon something I thought I understood, but I managed to confuse myself.

Working in C mainly

My function returns me an address for the information I want to access.

  LRESULT ret = SendMessage(hComboBox, CB_GETITEMDATA, (WPARAM)0, (LPARAM)0);
  // the exact function doesn't really matter here.
  printf("Address: %p\n", (void *)ret); // %p expects a pointer, so cast the LRESULT; output is 09437DF8

A dump of this address results in

09437DF8  A0 55 E8 12

This is the address (note endianness) of the data I really want to read. 12e855A0

12 E8 55 A0 - 30 00 3A 00 30 00 33 00 3A 00 32 00 32 00 00 00 - UNICODE "0:03:22"

Now I'm fairly certain this is just basic pointers/referencing/dereferencing, but I can't wrap my head around what I have to do to read this value programmatically.

  wprintf(L"%s\n", <value at address pointed to by ret>);
  // Yes, it's a null-terminated string
  // I'm working via an injected DLL, so no access violations
  // string is Unicode
Jake Null
  • Perhaps [this](https://stackoverflow.com/questions/23963269/can-someone-explain-how-pointer-to-pointer-works/23964156#23964156) will help? – Mahonri Moriancumer Dec 06 '19 at 07:45
  • Trying to follow: ret, a pointer, points to address 09437DF8, as seen by `printf("%p", ret);`. %p of *ret should be my 12E855A0 (another pointer), except it throws an error: `error: invalid type argument of unary '*' (have 'LRESULT {aka long int}')`. So I feel like I've got to cast the long int so it's an address, something like `printf("%s", *(wchar_t *)ret);`, but that just seg faults. – Jake Null Dec 06 '19 at 09:45
  • Perhaps posting a complete (small) compilable code example, _that demonstrates the seg fault,_ would be helpful? – Mahonri Moriancumer Dec 06 '19 at 16:37
  • I'll work on that a little later. I wouldn't be able to provide the direct code that I'm working on due to all the parts involved. I'd have to build a simplified version, but the problem with that is that I'm working in reverse by inspecting memory and trying to build the code. If I knew the code that created what I see in memory, I'd already have my answer... So, I'll have to experiment a bit to see what lines of C create the same layers in memory that I'm seeing. Good idea. – Jake Null Dec 06 '19 at 17:06
  • Without a code example, it is difficult to guess... perhaps something like: `wprintf(L"%ls \n", *(wchar_t **)ret);` – Mahonri Moriancumer Dec 07 '19 at 00:32
  • OK, so I built an example. If I set CB_SETITEMDATA like this: `wchar_t * wString = calloc(100, sizeof(wchar_t)); wsprintf(wString, L"0:03:22"); SendMessage(hCmbBox, CB_SETITEMDATA, 0 , (LPARAM) &wString);` I get the same results in memory as the main program. Result: `0028FF04 48 3B 58 00 H;X.` / `00583B48 30 00 3A 00 30 00 33 00 0.:.0.3.` / `00583B50 3A 00 32 00 32 00 00 00 :.2.2...` – Jake Null Dec 07 '19 at 02:39

1 Answer

Perhaps something like this?

  #include <stdio.h>
  #include <wchar.h>

  int main()
    {
    wchar_t *name = L"UNICODE String";   /* the string itself */
    void **ret = (void **)&name;         /* ret holds the address of the slot that holds the string pointer */

    wprintf(L"%ls \n", *(wchar_t **)ret); /* first cast ret to a pointer-to-pointer, then dereference once */
    return 0;
    }
Mahonri Moriancumer
  • This is correct. `wprintf(L"Value: %p %ls\n", *(wchar_t **)ret, *(wchar_t **)ret)` Address of ret: 0028FF04 Value: 005C3B48 0:03:22 – Jake Null Dec 07 '19 at 02:42
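The two-level indirection discussed above (an LRESULT that is the address of a slot, the slot holding a pointer to a UTF-16 string), as an added example that is not part of the question or the answer. It uses `uint16_t` rather than `wchar_t` so it also builds on non-Windows hosts where `wchar_t` is 4 bytes; `le32`, `text_from_ret`, `utf16_to_ascii` and `sample_ret` are hypothetical helper names, and the item text and dump bytes are constructed to match the values in the question. It also shows how the dump bytes `A0 55 E8 12` become the pointer value `12E855A0` once read little-endian, and it refuses to dereference a null `ret`, which is the check the original snippets skip.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: the UTF-16LE string the item data ultimately points at.
 * uint16_t stands in for the 2-byte Windows wchar_t so this builds anywhere. */
static const uint16_t item_text[] = {
    0x0030, 0x003A, 0x0030, 0x0033, 0x003A, 0x0032, 0x0032, 0x0000 /* "0:03:22" */
};

/* The slot whose *address* CB_GETITEMDATA would return: it holds the string pointer. */
static const uint16_t *item_slot = item_text;

/* Stand-in for SendMessage(..., CB_GETITEMDATA, ...): returns the slot's address as an integer. */
uintptr_t sample_ret(void) {
    return (uintptr_t)&item_slot;
}

/* Decode four bytes exactly as a memory dump shows them (little-endian). */
uint32_t le32(const unsigned char *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Follow both levels: ret -> slot -> first UTF-16 code unit.
 * Returns NULL instead of faulting when ret (or the slot) is null. */
const uint16_t *text_from_ret(uintptr_t ret) {
    if (ret == 0)
        return NULL;
    const uint16_t *const *slot = (const uint16_t *const *)ret; /* the cast the answer uses */
    return *slot;                                               /* one dereference, not two */
}

/* Narrow ASCII-range UTF-16 code units into a C string; returns the length written. */
size_t utf16_to_ascii(const uint16_t *s, char *out, size_t cap) {
    size_t n = 0;
    if (s == NULL || cap == 0)
        return 0;
    while (s[n] != 0 && n + 1 < cap) {
        out[n] = (s[n] < 0x80) ? (char)s[n] : '?';
        n++;
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    /* The bytes seen at 09437DF8 in the question, reinterpreted as the pointer value. */
    const unsigned char dump[4] = {0xA0, 0x55, 0xE8, 0x12};
    printf("dump A0 55 E8 12 read little-endian: %08X\n", (unsigned)le32(dump));

    uintptr_t ret = sample_ret();
    const uint16_t *text = text_from_ret(ret);
    char buf[32];
    utf16_to_ascii(text, buf, sizeof buf);
    printf("ret=%p  *ret=%p  string=%s\n", (void *)ret, (const void *)text, buf);

    /* Null handling: a zero item-data value must not be dereferenced. */
    printf("null ret -> %s\n", text_from_ret(0) == NULL ? "NULL (not dereferenced)" : "??");
    return 0;
}
```

The key line is the single `*` in `text_from_ret`: `ret` is already the address of the slot, so one dereference through a `uint16_t **` (or `wchar_t **` on Windows) yields the string pointer, which `%ls` or the narrowing helper can then walk. Casting to `wchar_t *` and dereferencing, as in the comment that seg-faulted, reads the first two bytes of the slot as a character rather than following the pointer stored there.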