
I just started playing around with reverse engineering and Ghidra, so please bear with me.

I wanted to run an old game. One version available on archive.org does not work even when I have mounted the ISO, the other one does. As a learning exercise, I wanted to try patching the latter anyway: https://archive.org/download/Loewe2/Loewe2.iso/Setup%2FWinRoot%2FTerzio%2FLoewenzahn%202%2FLoewenzahn%202.exe

When I run the exe without the ISO mounted I get the error message Bitte die CD-ROM "Löwenzahn 2" einlegen!, which means Please insert CD-ROM "Löwenzahn 2"!.

So I ran strings -t x Loewenzahn\ 2.exe | grep einlegen and got the output 17020 einlegen!. I found the same address using the hex editor Okteta.

file Loewenzahn\ 2.exe gives the following output:

Loewenzahn 2.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Now when I import Loewenzahn 2.exe into Ghidra and run all analyzers, there's a discrepancy between the addresses and I can't find the string "einlegen" via Search > For Strings....

Ghidra: [screenshot]

Okteta: [screenshot]

Why is there an offset and can I configure Ghidra to start at 0? Can I configure Ghidra to show the raw strings, like "Th is program canno t be run in DOS mode"? And how can I find it using the String search?

  • Looks like I need to calculate the virtual address to find the corresponding section in the disassembled code: https://reverseengineering.stackexchange.com/questions/8050/raw-offsets-to-disassembler-offsets – 804b18f832fb419fb142 Jun 30 '22 at 17:38
  • When I use Ghidra's Hex editor via Window > Bytes, it only shows the contents of the file up to the PADDINGXX section. However, Okteta shows more data after that point, which is where the string "einlegen" is defined as well. – 804b18f832fb419fb142 Jun 30 '22 at 17:54
  • It is possible to append data to a Windows executable which can be used by the executable. But from a strict perspective this data does not belong to the executable as it was just appended. A common example of such executables are self-extracting archives and installers. Maybe Ghidra only shows you the actual executable content? As the executable seems to be an installer I would check if a program like 7Zip can extract it. – Robert Jun 30 '22 at 20:48
  • Thanks for the hint. This exe is not an installer and I couldn't extract it either. However, I tried Cutter with the Ghidra plugin and it listed all the strings and recognized library functions out of the box. – 804b18f832fb419fb142 Jul 01 '22 at 01:34
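A worked illustration of the two points raised in the comments (the raw-offset-to-virtual-address calculation, and data that sits past the end of the last section), added here as an example that is not from the question or its commenters. It builds a small constructed PE32 image in memory (not the game's executable), maps file offsets to the virtual addresses a disassembler displays, reports where appended overlay data begins, and lists printable strings with their file offset (as strings -t x does) together with the VA each would have in the loaded image, or None when the string lives only in the overlay that Ghidra's memory map does not include. Header offsets come from the PE format; all names and sample values are the example's own.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes):
    """Parse the PE headers: returns (image_base, size_of_headers, sections).
    Each section is (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                         # IMAGE_FILE_HEADER (20 bytes)
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                             # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i           # IMAGE_SECTION_HEADER (40 bytes each)
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, size_of_headers, sections


def file_offset_to_va(data: bytes, offset: int):
    """Map a raw file offset to the virtual address a disassembler shows, or None
    when the offset lies outside every section (headers excepted), i.e. in overlay."""
    image_base, size_of_headers, sections = parse_pe(data)
    if offset < size_of_headers:                # headers are mapped 1:1 at ImageBase
        return image_base + offset
    for _, va, _, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return image_base + va + (offset - raw_ptr)
    return None


def overlay_start(data: bytes):
    """File offset where appended, never-loaded data begins, or None if there is none."""
    _, size_of_headers, sections = parse_pe(data)
    end = max((p + s for _, _, _, p, s in sections), default=size_of_headers)
    return end if end < len(data) else None


def locate_strings(data: bytes, min_len: int = 4):
    """Roughly what `strings -t x` prints, as (file_offset, va_or_None, text);
    a None VA marks a string that exists only in the overlay."""
    found, start = [], None
    for i, b in enumerate(data + b"\0"):        # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                found.append((start, file_offset_to_va(data, start),
                              data[start:i].decode("ascii")))
            start = None
    return found


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image used as sample input (this is NOT the game's
    binary): two sections, headers padded to 0x400, and a string appended as overlay."""
    image_base = 0x400000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)     # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 60, 0x400)                           # SizeOfHeaders

    def section(name, va, raw_ptr, size):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    headers += section(b".text", 0x1000, 0x400, 0x200) + section(b".data", 0x2000, 0x600, 0x200)
    headers = headers.ljust(0x400, b"\0")
    text = b"\x90" * 0x200                                           # NOPs stand in for code
    data = b"mapped string\0".ljust(0x200, b"\0")                    # inside .data -> VA 0x402000
    overlay = b"\0" * 0x20 + b"Bitte die CD-ROM einlegen!\0"         # appended after the last section
    return headers + text + data + overlay


if __name__ == "__main__":
    pe = build_sample_pe()
    print("overlay begins at file offset 0x%x" % overlay_start(pe))
    for off, va, text in locate_strings(pe):
        where = "VA 0x%x" % va if va is not None else "overlay (not in the memory map)"
        print("%06x  %-28s %s" % (off, text, where))
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(). A file offset that maps to None is the situation in the question: the bytes are in the file, so strings and a hex editor see them, but no section header claims them, so a loader never maps them and a disassembler's memory view ends at the last section.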
