b_branford


How to search conventional memory

Hi,

I have Hex Workshop and was told that I should check the conventional memory for a particular info. First off, what is conventional memory? Secondly, how do I check it?

Thanks,

bb
skylab060398

Conventional Memory:
The portion of memory that is available to standard DOS programs. DOS systems have an address space of 1MB (megabyte), but the top 384K (called high memory) is reserved for system use. This leaves 640K of "conventional memory". Everything above 1MB is either extended or expanded memory.

To Check it:
In DOS type "mem /c /p" (without quotes) then hit the "Enter" key.
It will plainly show you how much conventional memory you have available.

Hope this helps.

b_branford

ASKER

Hi Skylab,

Actually, I'm trying to check the conventional memory for a particular text string. How do I do that?
Ooops.

You should reject my answer here so others can join in.

b_branford -- can you provide more information?  Firstly, did skylab's suggestion work or display any info?  Because depending on your version of DOS, the /p cannot be coupled with /c "classify" parameter (you'd have to use the pipe char. "|" and the "more"  command) though the /p "page" parameter became available with Win95 and 98 (not NT -- /p in NT means "program" and it also must be used by itself) -- in other words, you cannot use them together in any version of DOS prior to version 7.0 (the equiv to W95).  Also, exactly what "string" from what kind of program are you trying to display and what is your working environment outside of DOS (Windows 3.x with Dos 6.22, Win95, 98....).  Aside from windows, if you are using it, you can check your DOS version by getting to a DOS prompt and typing the "ver" (w/o quotes) and pressing enter.


Not true, czpczp.
The /c /p worked with DOS 6.0 and up.
You can carry out string comparison checks on all of your conventional memory using the search command in 'Debug'. Is this what you are trying to do?
Because of a quirk in the way that DOS addresses memory, nearly 64kb above the 1 Mb mark can be directly accessed. This 64kb is called the High Memory Area. The area between 640kb and 1mb is the Upper Memory Area. It is confusing, especially when the Loadhigh command actually loads devices into Upper memory.
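The memory regions described in the posts above (640K of conventional memory, the Upper Memory Area up to 1MB, and the nearly 64KB High Memory Area), worked through as an added example that is not part of the original thread. The function and type names are hypothetical, and the `a20_enabled` flag is an assumption that models whether address line 20 is enabled, which is what makes the "quirk" possible.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration; these names are hypothetical, not a DOS API. */
typedef enum { REGION_CONVENTIONAL, REGION_UPPER, REGION_HMA } region_t;

/* Real-mode linear address = segment * 16 + offset.
 * With A20 disabled the sum wraps at 1 MB; with A20 enabled,
 * segment FFFFh reaches 0x100000..0x10FFEF (the High Memory Area). */
uint32_t linear_address(uint16_t seg, uint16_t off, int a20_enabled)
{
    uint32_t lin = ((uint32_t)seg << 4) + off;
    return a20_enabled ? lin : (lin & 0xFFFFFu);
}

region_t classify(uint32_t lin)
{
    if (lin < 0xA0000u)  return REGION_CONVENTIONAL; /* first 640K       */
    if (lin < 0x100000u) return REGION_UPPER;        /* 640K..1MB (384K) */
    return REGION_HMA;                               /* just above 1MB   */
}

/* Bytes reachable above 1 MB: highest real-mode address is FFFF:FFFF. */
uint32_t hma_size(void)
{
    return linear_address(0xFFFF, 0xFFFF, 1) - 0x100000u + 1;
}

const char *region_name(region_t r)
{
    static const char *names[] = { "conventional", "upper memory", "HMA" };
    return names[r];
}

int main(void)
{
    /* Constructed sample segment:offset pairs. */
    const uint16_t samples[][2] = {
        {0x0000, 0x0400}, {0x9FFF, 0x000F}, {0xA000, 0x0000},
        {0xB800, 0x0000}, {0xFFFF, 0x0010}, {0xFFFF, 0xFFFF},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t lin = linear_address(samples[i][0], samples[i][1], 1);
        printf("%04X:%04X -> %06X  %s\n", (unsigned)samples[i][0],
               (unsigned)samples[i][1], (unsigned)lin,
               region_name(classify(lin)));
    }
    printf("HMA size: %u bytes (64K minus 16)\n", (unsigned)hma_size());
    return 0;
}
```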
Hi,

Where I am studying, we have Foolproof installed. I was told that I could find out the password by looking for it by doing a string search in conventional memory using a hex editor.

Thanks,

Brad
There is no other way besides in DOS to check what is loaded in memory! The command I use is 'mem /d/p' that shows what is loading and at what address - also tells you how much conventional mem is available in DOS. I use DOS v 7.
Obviously, if a program requires all of the 640k and you don't have that much available, you must edit the command files for DOS and remove or redirect drivers to other memory locations - that is usually done with the LH command, etc.
I assume you forgot the password to foolproof, now you want to get at some files?

Foolproof encrypts the boot sector so that you cannot use a floppy to boot and recover your files.

1. If you have access to the important data files that you need, I would copy them off and reload the computer. That is the easiest solution. This means that you need to do an Fdisk and reformat, since the boot sector is encrypted. You can try a virus scanner; it might be able to rebuild the boot sector for you, and allow you to access the drive with a bootable disk, since the program is essentially acting like a boot virus.

2. If you are trying to crack the password that resides in the DOS conventional memory, forget it. That isn't really a password, it is an encryption key for the boot sector. The password you are probably looking for is to disable the security features of the Windows part of Foolproof. Since Windows uses "Protected Memory" and accessing this protected memory usually leads to a "General Protection Fault" (GPF) or an "Illegal Operation" as they are called now. However, if you are sure that you can find the password with a memory editor, we have to turn to the Cutting Edge of memory editors. This leads us to Game Cheat Editors... probably the best source of memory editors for Windows. Here is a list; search on the internet for the URLs and download locations:

Cheat O Matic
Cheat32
Fix People Expert
Game Buster
Game Master
GameHack
GameWiz
GameWizard
Magic Trainer Creator
Master Cheater
TinkerBell
WinHack http://ourworld.compuserve.com/homepages/grantmalinverni/

You will have to try them out and read up on them... You can do your own searching on the internet for other editors too. I haven't tried any of them, but most claim to be able to search and edit memory contents, which is what you are looking for. If you are intent on searching DOS conventional memory from Windows, you can do that with some of those programs. Pretty amazing stuff actually, I don't know how they manage to do it. :)

3. You might be able to disable Foolproof by corrupting or renaming some of the Windows portions of the program. This can be risky as you may lock yourself out of Windows entirely. If you have no access to Explorer, try running a web browser. In the URL location type in c:\ and enter and see if you can browse the drive. See if you can get access to the Foolproof directory and rename a file that is associated with Windows, like a dll file. I have no idea how Foolproof works, and I am not even sure what it does... but that might give you something to work from, SO DO SO AT YOUR OWN RISK. Make sure you don't wreck the DOS side of the Foolproof security; you need it running so you can access the info on the hard drive.

Good luck.
I've found out that all I need is to read the win386.swp file. How do I read it? I tried to copy it but it didn't work since it's a dynamic file and neither Windows nor DOS allows you to copy it.

thanks,

bb
Well, that is simply incorrect. Your win386.swp file is what Windows uses when there isn't enough RAM in your system to be able to run programs. (Simplified Explanation) So in order for a hex editor to load the file to edit it, it would require more RAM, and the swap file would get bigger and the program would require more RAM. So you couldn't load that file with a hex editor even if you wanted to.

What you need is a disk editor; this allows you to view the contents of the disk, and of particular files. It loads them chunks at a time so you are able to view the contents of such files. I haven't actually used one for Windows, but Norton might have such a treat in their package.

And just to make things clear, the answer you are looking for in the swap file may not be there, since it is just memory. Depending on how many programs you are running, and the amount of RAM that is in your system, there may not be much at all in the swap file. So searching the memory is actually what you want to do, but you might luck out and find it in the swap file, but it will not work all the time.

Trevor.
ASKER CERTIFIED SOLUTION
bam87

This solution is only available to members.
bam87, that doesn't make any sense. When you start a DOS prompt in Windows it runs it in a Virtual Machine. Any access outside of the VM would result in an Illegal Operation or a General Protection Fault. All you are doing is searching a small random chunk of memory that was allocated to the VM. I am not sure if the memory is cleared before the VM runs or not, but even if it is not cleared there is little to no chance of randomly getting allocated a chunk of memory that was deallocated by the security program in which the cleartext password is stored.

If you can shutdown to DOS after running windows it might work, as long as the password isn't stored in the swap file.... if it is then it is gone.