Another bit-reversing question 8) But different this time. I know how to nibble-reverse 01234567h to 76543210h, but what if I want to create my own static pointer that auto-updates on its own? For instance, if 01234567h changes to 12345678h, it will become 87654321h in my new static pointer. If it is 23456789h, it will automatically update and reverse it to 98765432h, and so on...

Any comments and examples on how to do this will be very much appreciated. Thanks!
Posted on 2004-11-14 18:25:08 by Randomizer
WHERE, HOW and by WHOM would your example of 01234567h be changed to 12345678h???

Raymond
Posted on 2004-11-14 19:29:59 by Raymond
Posted on 2004-11-14 19:43:07 by comrade
WHERE, HOW and by WHOM would your example of 01234567h be changed to 12345678h???

Raymond

Something like: where = 01234567h, and it is constantly updating with a new DWORD value.

An example is :

```
push eax
mov al, byte ptr [esi+3Fh]        ; highest byte of the DWORD at [esi+3Ch]
mov byte ptr [Pointer+0], al      ; becomes the lowest byte of Pointer
mov al, byte ptr [esi+3Eh]
mov byte ptr [Pointer+1], al
mov al, byte ptr [esi+3Dh]
mov byte ptr [Pointer+2], al
mov al, byte ptr [esi+3Ch]        ; lowest byte of the source
mov byte ptr [Pointer+3], al      ; becomes the highest byte of Pointer
pop eax
ret                               ; Pointer is a DWORD variable; this is a byte swap, not a nibble swap
```

Where the result would be a DWORD of 76543210h in , plus account for the auto-updating of the DWORD value in . So if 01234567h changes to 12345678h, it will become 87654321h in my new static pointer.

The problem is, if I want to do this using shifting (shl/shr) or rotating, or using a loop, how can I do it?
Posted on 2004-11-14 19:47:15 by Randomizer

Thanks, can you give a partial example of how to do it though, as I am really lost.
Posted on 2004-11-14 19:49:12 by Randomizer
Something like: where = 01234567h, and it is constantly updating with a new DWORD value.

That tells me you must know the address where the change takes place but does not define the WHERE. Is it within your process data or stack area? Is it within another process or system memory area?

You did not answer the HOW (nor by WHOM) this memory area is being modified. For example, it could be the system clock being updated every 0.001 second by the BIOS!!!

And the code you last posted only seems to do a regular byte swap instead of a nibble swap. Was that your understanding?

Raymond
Posted on 2004-11-14 20:07:54 by Raymond
Something like: where = 01234567h, and it is constantly updating with a new DWORD value.

That tells me you must know the address where the change takes place but does not define the WHERE. Is it within your process data or stack area? Is it within another process or system memory area?

You did not answer the HOW (nor by WHOM) this memory area is being modified. For example, it could be the system clock being updated every 0.001 second by the BIOS!!!

And the code you last posted only seems to do a regular byte swap instead of a nibble swap. Was that your understanding?

Raymond

I really have no idea about the HOW. This is just an idea I thought up suddenly. Any suggestions you can give will be of much help.

I know that is a byte swap; that's why I was asking how to update it for a nibble swap, because I don't know how.
Here is a nibble swap (without auto-updating):
```
mov eax,01234567h
rol al,4        ; swap the nibbles of the low two bytes: 01235476h
rol ah,4
bswap eax       ; reverse the byte order: 76542301h
rol al,4        ; swap the nibbles of the (new) low two bytes: 76543210h
rol ah,4
```

As for the WHERE, it should be within my process data yes.

See, my question is I need an algorithm to auto-update it, making use of a static pointer.
Posted on 2004-11-14 20:24:48 by Randomizer
If it is within your process data, your own code would most probably modify the content of that memory area. Whenever your code does that, add the nibble swap code.
```
mov  eax,[esi+3Ch]   ; load the DWORD that gets modified
rol  al,4
rol  ah,4
bswap eax
rol  al,4
rol  ah,4
mov  Pointer,eax     ; assumes Pointer is declared as a DWORD
```

Raymond
Posted on 2004-11-14 20:39:21 by Raymond
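As an added example, not code from the thread, here is the nibble reversal written in C in the three forms asked about earlier: a loop with shifts, a step-by-step transcription of the rol/bswap/rol sequence above, and a branch-free mask-and-shift version. All three map 01234567h to 76543210h, agree on every input, and are their own inverse (reversing twice gives the original back). The function names and the sample values in main() are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the thread: three ways to reverse the eight
 * hex digits (nibbles) of a DWORD, e.g. 0x01234567 -> 0x76543210. */

/* 1. Loop with shifts (shl/shr): peel the low nibble off x and push it
 *    in at the bottom of r, eight times. */
uint32_t nibble_reverse_loop(uint32_t x)
{
    uint32_t r = 0;
    for (int i = 0; i < 8; i++) {
        r = (r << 4) | (x & 0xFu);
        x >>= 4;
    }
    return r;
}

/* 8-bit rotate left, the C equivalent of 'rol reg8, n'. */
static uint8_t rol8(uint8_t b, unsigned n)
{
    return (uint8_t)((b << n) | (b >> (8 - n)));
}

/* 'rol al,4 ; rol ah,4': swap the two nibbles in each of the low two bytes. */
static uint32_t rol_al_ah_4(uint32_t x)
{
    uint32_t al = rol8((uint8_t)x, 4);
    uint32_t ah = rol8((uint8_t)(x >> 8), 4);
    return (x & 0xFFFF0000u) | (ah << 8) | al;
}

/* 'bswap eax': reverse the order of the four bytes. */
static uint32_t bswap32(uint32_t x)
{
    return (x >> 24) | ((x >> 8) & 0x0000FF00u) |
           ((x << 8) & 0x00FF0000u) | (x << 24);
}

/* 2. The rol/bswap/rol sequence from the thread, step by step. */
uint32_t nibble_reverse_rol(uint32_t x)
{
    x = rol_al_ah_4(x);   /* 0x01234567 -> 0x01235476 */
    x = bswap32(x);       /*            -> 0x76542301 */
    x = rol_al_ah_4(x);   /*            -> 0x76543210 */
    return x;
}

/* 3. Branch-free mask-and-shift: swap nibbles within bytes, then bytes
 *    within 16-bit halves, then the two halves. Same idea as bswap, one
 *    level finer, and no loop. */
uint32_t nibble_reverse_swap(uint32_t x)
{
    x = ((x & 0x0F0F0F0Fu) << 4) | ((x >> 4) & 0x0F0F0F0Fu);
    x = ((x & 0x00FF00FFu) << 8) | ((x >> 8) & 0x00FF00FFu);
    x = (x << 16) | (x >> 16);
    return x;
}

int main(void)
{
    /* Constructed sample values, the ones used in the thread. */
    const uint32_t samples[] = { 0x01234567u, 0x12345678u, 0x23456789u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t v = samples[i];
        printf("%08Xh -> %08Xh / %08Xh / %08Xh\n", v,
               nibble_reverse_loop(v), nibble_reverse_rol(v),
               nibble_reverse_swap(v));
    }
    return 0;
}
```

The mask-and-shift version is what a compiler would emit for the loop anyway; the rol version is only there to show that the five-instruction assembly sequence really does swap every byte's nibbles exactly once and reverse the byte order.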
If it is within your process data, your own code would most probably modify the content of that memory area. Whenever your code does that, add the nibble swap code.
```
mov  eax,[esi+3Ch]   ; load the DWORD that gets modified
rol  al,4
rol  ah,4
bswap eax
rol  al,4
rol  ah,4
mov  Pointer,eax     ; assumes Pointer is declared as a DWORD
```

Raymond

Thanks.
``mov Pointer,eax``

That was part of what I was confused about in the first place. What can this "Pointer" be?
Posted on 2004-11-14 21:01:43 by Randomizer
What can this "Pointer" be?

Being your own posted variable name, you should know (unless you are copying someone else's code, in which case I can't read their mind). It has to be another declared variable, and what you do with its content (i.e. the swapped nibbles) is entirely up to you.

Raymond
Posted on 2004-11-14 21:12:47 by Raymond
What can this "Pointer" be?

Being your own posted variable name, you should know (unless you are copying someone else's code, in which case I can't read their mind). It has to be another declared variable, and what you do with its content (i.e. the swapped nibbles) is entirely up to you.

Raymond

Yes, the byte swapping was an example I took from another forum. Only the nibble swap using rol is my code; that was why I had so many questions, because I was trying to do what it was doing, but I didn't fully understand how to do the auto-update.

Anyway, my last question was: the Pointer, what is it supposed to be? A register? Or my new input, for example 12345678h? I understand it's not your code and you can't read minds :) but I mean, just from the look of it, what is it supposed to be?

Edit - And thanks for all the help.
Posted on 2004-11-14 21:19:40 by Randomizer
For general knowledge, the offset +3Ch usually refers to the IMAGE_DOS_HEADER structure of an executable file. Offset 3Ch from the base of the file holds the offset of the PE header, whose first 2 bytes contain 'PE'.

Anyway, moving on: you copy that value into eax, reverse it with your method, and basically save it where you want: either a register, the stack, memory, etc.
In order to automatically read that specific value when it is changed, and then modify your static pointer, is another story. There are a few ways; we can assume bpm and SetTimer.
bpm involves modifying the DRx registers, and when the data is accessed it should trip an exception to your SEH handler. I can't recall the exact method, so just search around.

As for the timer: you can, for instance, check the data every second to see if it changed, like so:

```
lea   eax, [esi+3ch]     ; get address of data to check
mov   where, eax

xor   eax, eax
push  offset timerproc   ; lpTimerFunc: address of proc to be called
push  1000               ; uElapse: time 1 second
push  eax                ; nIDEvent: timer id (ignored when hWnd is 0; SetTimer returns the id)
push  eax                ; hWnd: 0 = no window (the thread still needs a message loop)
Call  SetTimer
..
where dd 0               ; address being watched
delta dd 0               ; will hold our reversed pointer

timerproc:               ; TimerProc(hWnd, uMsg, idEvent, dwTime): stdcall, 4 DWORD arguments

mov   eax, where         ; get pointer
mov   eax, [eax]         ; load the watched DWORD
rol   al,4               ; reverse pointer (nibble swap)
rol   ah,4
bswap eax
rol   al,4
rol   ah,4
cmp   eax, delta         ; same as last time?
jz    nothingchanged     ; yes, nothing to do
mov   delta, eax         ; it changed, wow, do something wild: save new pointer to a mem address
nothingchanged:
ret   16                 ; return and pop the 4 DWORD arguments
```

Some issues remain, like how to pass arguments to the timerproc, where to save the new pointer, and what to do if it did change.
So this should keep checking, every second, the address pointed to by where, reverse it, and save the new address to some place.
Anyway, you can kill the timer with KillTimer.
And I didn't run the code, so I don't even know if it works. But I hope it helps. Have fun.
Posted on 2004-11-14 22:21:45 by pwn
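As an added example that is not part of the thread, the polling approach above written portably in C: the same two pieces of state the timer callback keeps (the watched address and the reversed copy) plus one poll that only rewrites the copy when the source really changed. On Windows the poll would be the body of the SetTimer callback; here main() simply simulates the watched DWORD being rewritten with the values from the thread. The struct and function names, and the scenario in watcher_selftest(), are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the thread: state kept between timer ticks
 * ('where' = address being watched, 'delta' = the reversed copy) and one
 * poll of it. */

struct watcher {
    const volatile uint32_t *where; /* address of the DWORD being watched;
                                       volatile because other code writes it */
    uint32_t last_raw;              /* last raw value seen, for change detection */
    uint32_t delta;                 /* nibble-reversed copy, the "static pointer" */
    unsigned updates;               /* how many times delta was rewritten */
};

/* Reverse the eight nibbles of a DWORD: 0x01234567 -> 0x76543210. */
static uint32_t nibble_reverse(uint32_t x)
{
    uint32_t r = 0;
    for (int i = 0; i < 8; i++) {
        r = (r << 4) | (x & 0xFu);
        x >>= 4;
    }
    return r;
}

void watcher_init(struct watcher *w, const volatile uint32_t *where)
{
    w->where = where;
    w->last_raw = *where;
    w->delta = nibble_reverse(w->last_raw);
    w->updates = 0;
}

/* One timer tick. Compares the raw value against the last one seen and
 * recomputes the reversed copy only when the source actually changed.
 * Returns true on a change so the caller can "do something wild". */
bool watcher_poll(struct watcher *w)
{
    uint32_t now = *w->where;
    if (now == w->last_raw)
        return false;               /* nothing changed */
    w->last_raw = now;
    w->delta = nibble_reverse(now);
    w->updates++;
    return true;
}

/* Constructed scenario: the watched DWORD takes the thread's values in
 * turn, with ticks where nothing changes in between. Returns true if the
 * reversed copy tracked every change as expected. */
bool watcher_selftest(void)
{
    volatile uint32_t shared = 0x01234567u;  /* stands in for [esi+3Ch] */
    struct watcher w;
    watcher_init(&w, &shared);
    bool ok = (w.delta == 0x76543210u);

    ok = ok && !watcher_poll(&w);            /* tick: unchanged */

    shared = 0x12345678u;                    /* someone rewrites the DWORD */
    ok = ok && watcher_poll(&w) && w.delta == 0x87654321u;

    shared = 0x23456789u;
    ok = ok && watcher_poll(&w) && w.delta == 0x98765432u;

    ok = ok && !watcher_poll(&w) && w.updates == 2;
    return ok;
}

int main(void)
{
    bool ok = watcher_selftest();
    printf("watcher selftest: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Comparing the raw value or the reversed value gives the same answer, since the reversal is a bijection; comparing raw just saves a reversal on the common unchanged tick. The caveat with any polling scheme is that a write which is reverted before the next tick is never seen, which is why the hardware-breakpoint (DRx) route mentioned above is the one to use when every write matters.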