WEBVTT

1
00:01.740 --> 00:03.390
Hello and welcome back.

2
00:03.390 --> 00:08.970
In this lesson, I will show you how to store string constants in memory.

3
00:09.330 --> 00:12.000
So let's open up our template first.

4
00:14.080 --> 00:18.490
And then we'll hollow out the .EXE file.

5
00:20.110 --> 00:22.450
So just select all this.

6
00:26.450 --> 00:27.320
Right-click,

7
00:28.520 --> 00:32.180
select "Binary," "Fill with NOPs."

8
00:34.240 --> 00:35.320
Click "OK."

9
00:37.740 --> 00:40.770
Next, we are going to put a string in memory.

10
00:41.340 --> 00:48.900
So since it's going to be a constant—constant meaning that initialized already, preset—go to "Memory

11
00:48.900 --> 00:49.230
Map."

12
00:49.230 --> 00:53.490
Before that, make sure you select Dump 1.

13
00:53.490 --> 00:55.440
It's already selected by default.

14
00:55.890 --> 01:01.470
Then go to "Memory Map" and look for data, initialized data.

15
01:01.890 --> 01:10.350
So double-click on the data segment and it will take you to the memory showing in Dump 1.

16
01:10.740 --> 01:15.870
Then look for an empty space in the data segment, for example, this one here.

17
01:16.470 --> 01:24.720
And let's say we want to put a string in this memory location, so we can select all the

18
01:26.860 --> 01:27.820
bytes here.

19
01:28.120 --> 01:33.610
So we have 4 times 4 is 16 bytes.

20
01:34.030 --> 01:38.410
So 16 bytes means you can store 15 characters.

21
01:38.650 --> 01:43.060
You need to reserve the last character for a null terminator.

22
01:43.660 --> 01:47.260
The last character of the string must be 00.

23
01:48.190 --> 01:50.890
So you can store 15 characters here maximum.

24
01:51.580 --> 01:57.610
So right-click on this now and then select "Binary," "Edit."

25
01:58.480 --> 02:05.290
And now over here, go to the ASCII—ASCII text box—and type in your string.

26
02:05.320 --> 02:09.460
Let's say I'm typing a string: "Hello World."

27
02:13.420 --> 02:15.040
And then click "OK."

28
02:16.240 --> 02:22.390
And so now "Hello World" is here in this memory address starting at 403000.

29
02:23.380 --> 02:25.090
The first character is "H."

30
02:27.070 --> 02:29.080
So "H" is at this memory address.

31
02:29.080 --> 02:33.880
If you hover your mouse, you can see the address: 403000.

32
02:34.300 --> 02:36.820
And then "e."

33
02:37.900 --> 02:39.460
"e" is at this address.

34
02:39.760 --> 02:44.530
If you hover the mouse, you can see it is 403001, and so on.

35
02:45.040 --> 02:47.620
And then 20 is a space.

36
02:47.620 --> 02:51.850
If you hover your mouse, you can see the address: 403005.

37
02:52.390 --> 02:54.820
And the last character is "d."

38
02:55.300 --> 03:00.010
And then there must be a null terminator, 00, after it.

39
03:00.010 --> 03:02.890
The 00 acts like a full stop in the sentence.

40
03:03.010 --> 03:09.580
This lets the program know that you have come to the end of the string, so always make sure you allocate

41
03:09.580 --> 03:12.490
one byte for the null terminator.

42
03:13.060 --> 03:16.870
So now you have this string inside your memory here.

43
03:17.830 --> 03:19.990
So how can we use it?

44
03:19.990 --> 03:24.670
For example, we can move this string into - or any register that you like.

45
03:24.910 --> 03:28.270
So let's say we want to move this string into -.

46
03:28.810 --> 03:32.290
So now we select this address here.

47
03:32.290 --> 03:36.310
To copy it, copy the address.

48
03:36.610 --> 03:44.380
Then we select this line, this address, press the spacebar, and then type "MOV."

49
03:46.490 --> 03:48.170
Move into -.

50
03:49.040 --> 03:54.050
The string itself: 0x and paste, within like that.

51
03:55.800 --> 04:00.780
So I guess—click "OK."

52
04:02.220 --> 04:05.940
And then you see this is actually -.

53
04:05.940 --> 04:08.430
But x64dbg changes to -.

54
04:08.430 --> 04:09.060
It doesn't matter.

55
04:09.060 --> 04:09.570
It's OK.

56
04:09.570 --> 04:10.530
It's still -.

57
04:11.040 --> 04:16.200
So now that you have moved this to here, you can now execute the breakpoint and see it.

58
04:17.040 --> 04:18.390
So let's run.

59
04:19.440 --> 04:20.520
Here's our breakpoint.

60
04:21.150 --> 04:22.860
Step over, step over.

61
04:22.860 --> 04:26.250
And now it's going to move this string into -.

62
04:27.180 --> 04:27.780
Step over.

63
04:27.780 --> 04:31.230
And you see now the string is there.

64
04:34.000 --> 04:36.640
It has the address 403000,

65
04:36.640 --> 04:38.020
which is this address here.

66
04:39.190 --> 04:39.430
All right.

67
04:39.430 --> 04:45.790
So what it's actually doing is moving the address of the first character, which is the hex value 48.

68
04:45.820 --> 04:48.850
48 is ASCII code for "H."

69
04:49.480 --> 04:51.790
It's moving the address of the first character.

70
04:52.360 --> 04:53.980
It cannot move the whole string.

71
04:54.280 --> 04:55.720
So it's OK.

72
04:55.750 --> 04:59.980
When you move the address of the first character, it means you are referencing the whole string.

73
04:59.980 --> 05:02.830
This is the convention used in assembly code.

74
05:03.610 --> 05:10.210
So it has only the first character, "H," here, but it knows—it's smart enough to know—that this is a string.

75
05:10.930 --> 05:16.540
So this is how we can create the string constants in memory.

76
05:17.230 --> 05:21.400
Now, if you want to patch this, you can click "File" and then go to "Patch."

77
05:21.820 --> 05:24.970
These are all the patches that will be applied.

78
05:25.000 --> 05:28.720
Click on "Patch File" and you can give a new name.

79
05:28.720 --> 05:32.560
Let's call it "02_String_

80
05:34.160 --> 05:35.630
Store," let's say.

81
05:36.860 --> 05:39.710
".exe," and then click "Save."

82
05:42.420 --> 05:44.280
And now you can open it.

83
05:44.940 --> 05:48.150
You can open this new file in your x64dbg.

84
05:50.270 --> 05:55.100
And scroll down and then you can go to your "Memory Map."

85
05:55.910 --> 06:00.200
Before that, always make sure you select which dump you want your memory map to be shown in.

86
06:01.520 --> 06:07.850
So select Dump 1, go to "Memory Map," look for the data segment and double-click on it.

87
06:08.510 --> 06:11.510
And if you scroll down, you will see your string still there.

88
06:13.680 --> 06:14.190
"Hello..."

89
06:15.390 --> 06:16.950
And then you can put your breakpoint.

90
06:17.220 --> 06:22.740
Right-click, "Breakpoint," "Toggle," run to the breakpoint, and then step over.

91
06:22.740 --> 06:23.730
Step over.

92
06:23.730 --> 06:26.580
And now it's going to move—

93
06:26.610 --> 06:29.160
it's going to copy the string into -.

94
06:29.460 --> 06:30.480
So let's step over.

95
06:30.480 --> 06:32.640
And you can see now - is there.

96
06:33.360 --> 06:40.170
So in this lesson, we have learned how to create string constants in memory in the data segment,

97
06:40.530 --> 06:44.190
also how to move a string to the register,

98
06:44.610 --> 06:49.890
and also explained that when you address—when you put the address of the first character

99
06:49.890 --> 06:54.450
of a string, you are essentially referencing the entire string.

100
06:55.440 --> 06:57.300
So that's all for this video.

101
06:57.300 --> 06:58.560
Thank you for watching.