Convert assembler instruction
Is there a way to convert assembler code to bytes?
push eax = $50
Re: Convert assembler instruction
Why would you need that? Anyway, look in the manual at the OnError library.
If 0 ;do not execute asm code
  Code_Start:
  !push eax
  Code_End:
EndIf

If ExamineAssembly(?Code_Start, ?Code_End)
  If NextInstruction()
    Debug Hex(PeekC(InstructionAddress()))
  EndIf
EndIf
- braveheart
- User
- Posts: 37
- Joined: Mon Jan 04, 2010 5:54 pm
Re: Convert assembler instruction
cas, thanks for the answer. I need it to avoid errors when poking bytes.
Why does the jump address return a different address? Does this also apply to call?
If 0 ;do not execute asm code
  Code_Start:
  ! mov eax,[edx]
  ! push eax
  ! push $004b9568
  ! jmp $0047e203
  Code_End:
EndIf

;Original
;01240005 - 8b 02 - mov eax,[edx]
;01240007 - 50 - push eax
;01240008 - 68 68 95 4b 00 - push 004b9568 : [00640025]
;0124000D - e9 f1 e1 23 ff - jmp 0047e203

Global Dim aCounter(3)
aCounter(0) = 2
aCounter(1) = 1
aCounter(2) = 5
aCounter(3) = 5

If ExamineAssembly(?Code_Start, ?Code_End)
  While NextInstruction()
    s$ + InstructionString() + " - "
    For j = 0 To aCounter(iNum) - 1
      s$ + Hex(PeekC(InstructionAddress() + j)) + " "
    Next
    iNum + 1
  Wend
EndIf
Debug s$

;Results
;mov eax, [edx] - 8B 2
;push eax - 50
;push dword 0x4b9568 - 68 68 95 4B 0
;jmp dword 0x87f203 - E9 88 E1 47 0
Re: Convert assembler instruction
It is probably related to the compiler. The compiler calculates this address relative to the base address of something and adjusts it...
If I see it correctly... For push dword, InstructionString() shows the exact address in big-endian byte order.
For jmp, InstructionString() shows the address in little-endian format, but it has an offset of -123.
If 0 ;do not execute asm code
  Code_Start:
  ! mov eax,[edx]
  ! push eax
  ! push $004b9568
  ! jmp $0047e203
  Code_End:
EndIf

Global Dim aCounter(3)
aCounter(0) = 2
aCounter(1) = 1
aCounter(2) = 5
aCounter(3) = 5

Macro reverse()
  x$ = LSet(Mid(a$, 4), 8, "0")
  x$ = Mid(x$, 7, 2) + Mid(x$, 5, 2) + Mid(x$, 3, 2) + Mid(x$, 1, 2)
EndMacro

If ExamineAssembly(?Code_Start, ?Code_End)
  While NextInstruction()
    s$ = InstructionString()
    a$ = ""
    For j = 0 To aCounter(iNum) - 1
      ; pad every byte to two hex digits so reverse() slices whole bytes even when a byte is below $10
      a$ + RSet(Hex(PeekC(InstructionAddress() + j)), 2, "0")
      If j = 0 : a$ + " " : EndIf
    Next
    If FindString(s$, "push dword", 1)
      reverse()
      a$ = Mid(a$, 1, 2) + " " + x$
    ElseIf FindString(s$, "jmp", 1) ; Or FindString(s$, "call", 1)
      reverse()
      x$ = Hex(Val("$" + x$) + 123) ;don't ask me where this 123 comes from
      a$ = Mid(a$, 1, 2) + " " + RSet(x$, 8, "0")
    EndIf
    iNum + 1
    Debug s$ + " - " + a$
  Wend
EndIf
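To make the jmp behaviour concrete, here is a small C program added by the editor (not code from the thread or from PureBasic) that decodes and relocates the 32-bit displacement of E9 (jmp) and E8 (call). It relies on the x86 rule that a rel32 displacement is counted from the address of the following instruction (opcode address + 5), so the PureBasic bytes E9 88 E1 47 00 reach 0047E203 exactly when that following instruction sits at offset $7B, which is the 123 in cas's code; the same rule applies to call. The byte strings are taken from the ";Original" comment and cas's result line, and $00457e61 is the cave address braveheart mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes from the thread's ";Original" comment, seen in the debugger at 0x01240005:
 * mov eax,[edx] / push eax / push 0x004b9568 / jmp 0x0047e203 */
static const uint8_t ORIGINAL[] = { 0x8B,0x02, 0x50, 0x68,0x68,0x95,0x4B,0x00, 0xE9,0xF1,0xE1,0x23,0xFF };
static const int LENS[] = { 2, 1, 5, 5 };   /* instruction lengths, like aCounter() in the thread */
/* The same jmp as PureBasic compiled it (cas's result line "E9 88 E1 47 0") */
static const uint8_t PB_JMP[] = { 0xE9, 0x88, 0xE1, 0x47, 0x00 };
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Absolute target of an E8 (call) / E9 (jmp) whose opcode byte sits at `at`: the displacement
 * is relative to the NEXT instruction (at + 5); unsigned wrap-around handles FF23E1F1 (negative). */
uint32_t rel32_target(const uint8_t *insn, uint32_t at) {
    return at + 5u + rd32le(insn + 1);
}

/* Rewrite the displacement so the instruction reaches the same target from new_at as from old_at. */
void rel32_rebase(uint8_t *insn, uint32_t old_at, uint32_t new_at) {
    wr32le(insn + 1, rel32_target(insn, old_at) - (new_at + 5u));
}

/* Walk a block with a fixed length table (as the thread does) and rebase every E8/E9 in it. */
int rebase_block(uint8_t *code, const int *lens, int n, uint32_t old_base, uint32_t new_base) {
    int fixed = 0, off = 0;
    for (int i = 0; i < n; off += lens[i++])
        if (lens[i] == 5 && (code[off] == 0xE8 || code[off] == 0xE9)) {
            rel32_rebase(code + off, old_base + off, new_base + off);
            fixed++;
        }
    return fixed;   /* number of displacements rewritten */
}

int main(void) {
    uint8_t buf[sizeof ORIGINAL];
    printf("original jmp target : %08X\n", rel32_target(ORIGINAL + 8, 0x0124000Du));
    /* PureBasic's bytes reach 0047E203 only if the following instruction is at 0x7B = 123 */
    printf("PureBasic jmp target: %08X\n", rel32_target(PB_JMP, 0x7Bu - 5u));
    memcpy(buf, ORIGINAL, sizeof buf);   /* relocate to the cave address mentioned in the thread */
    rebase_block(buf, LENS, 4, 0x01240005u, 0x00457E61u);
    for (size_t i = 0; i < sizeof buf; i++) printf("%02X ", buf[i]);
    putchar('\n'); return 0;
}
```

The 0x87f203 that InstructionString() printed is the same displacement applied at load time: 0x0047E188 + 0x0040107B = 0x0087F203 (the second term is assumed from the arithmetic to be where the jmp's successor lands in the PureBasic executable), which is why a relative jmp or call copied verbatim to another address no longer points where the source did.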
- braveheart
- User
- Posts: 37
- Joined: Mon Jan 04, 2010 5:54 pm
Re: Convert assembler instruction
That works, cas. I am still learning about big- and little-endian byte order.
I want to poke these bytes into another process; they will be poked at address $00457e61 (a cave allocated with VirtualAllocEx). It gives the right address in its own process, but how do I dynamically change hVar to the cave?
If 0 ;do not execute asm code
  Code_Start:
  ! hCounter: ;$00457e61 in another process
  ! cmp dword [ecx + $0000009c], $01
  ! jne hCounter+$1c ; OK
  ! nop
  ! nop
  ! nop
  ! nop
  ! mov dword [hVar], ecx ; How to change hVar (hCounter+$18)?
  ! jmp hCounter+$1c ; OK
  ! nop
  ! nop
  ! nop
  ! hVar:
  ! add [eax], al
  ! add [eax], al
  ! mov [ecx + $000000a8], esi
  Code_End:
EndIf

Dim aCounter(13)
aCounter(0) = 7
aCounter(1) = 2
aCounter(2) = 1
aCounter(3) = 1
aCounter(4) = 1
aCounter(5) = 1
aCounter(6) = 6
aCounter(7) = 2
aCounter(8) = 1
aCounter(9) = 1
aCounter(10) = 1
aCounter(11) = 2
aCounter(12) = 2
aCounter(13) = 6