Another bit-reversing question 8) But different this time. I know how to nibble-reverse 01234567h to 76543210h, but what if I seek to create my own static pointer, where it will auto-update on its own? For instance, if 01234567h changes to 12345678h, it will become 87654321h in my new static pointer. If it is 23456789h, it will automatically update and reverse it to 98765432h, and so on...
Any comments and examples how to do this will be very much appreciated. Thanks!
WHERE, HOW and by WHOM would your example of 01234567h be changed to 12345678h???
Raymond
use XOR mask
Something like where = 01234567h and is constantly updating with a new DWORD value.
An example is:
push eax
mov al, byte ptr [esi+3Fh]      ; byte 3 of the source DWORD
mov byte ptr [Pointer], al      ; ...becomes byte 0 of Pointer
mov al, byte ptr [esi+3Eh]      ; byte 2
mov byte ptr [Pointer+1], al    ; ...becomes byte 1
mov al, byte ptr [esi+3Dh]      ; byte 1
mov byte ptr [Pointer+2], al    ; ...becomes byte 2
mov al, byte ptr [esi+3Ch]      ; byte 0
mov byte ptr [Pointer+3], al    ; ...becomes byte 3 (Pointer declared as a DWORD)
pop eax
ret
Where the result would be a DWORD of 76543210h in , plus account for the auto-updating of the DWORD value in . So if 01234567h changes to 12345678h, it will become 87654321h in my new static pointer.
The problem is, if I want to do this using shifting (shl/shr) or rotating or using a loop, how can I do it?
use XOR mask
Thanks, can you give a partial example of how to do it though, as I am really lost.
Something like where = 01234567h and is constantly updating with a new DWORD value.
That tells me you must know the address where the change takes place, but it does not define the WHERE. Is it within your process data or stack area? Is it within another process or a system memory area?
You did not answer HOW (nor by WHOM) this memory area is being modified. For example, it could be the system clock being updated every 0.001 second by the BIOS!!!
And the code you last posted only seems to do a regular byte swap instead of a nibble swap. Was that your understanding?
Raymond
I really have no idea about the HOW. This is just an idea I thought up suddenly. Any suggestions you can give will be of much help.
I know that is a byte swap; that's why I was asking how to update it for a nibble swap, because I don't know how.
Here is a nibble swap (without auto-updating):
mov eax,01234567h   ; source DWORD
rol al,4            ; swap the two nibbles of byte 0: 67h -> 76h
rol ah,4            ; swap the nibbles of byte 1: 45h -> 54h
bswap eax           ; reverse the byte order: 01235476h -> 76542301h
rol al,4            ; swap the nibbles of what was byte 3: 01h -> 10h
rol ah,4            ; swap the nibbles of what was byte 2: 23h -> 32h, eax = 76543210h
As for the WHERE, it should be within my process data, yes.
See, my question is, I need an algorithm to auto-update it making use of a static pointer.
If it is within your process data, your own code would most probably modify the content of that memory area. Whenever your code does that, add the nibble swap code.
Raymond
mov eax,[esi+3Ch]   ; load the DWORD to reverse
rol al,4            ; swap the nibbles of byte 0
rol ah,4            ; swap the nibbles of byte 1
bswap eax           ; reverse the byte order
rol al,4            ; swap the nibbles of what was byte 3
rol ah,4            ; swap the nibbles of what was byte 2
mov Pointer,eax     ; assumes Pointer is declared as a DWORD
Raymond
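As an added example (not code from the thread), here are the same operations in portable C: the loop/shift form the original poster asked about, the shift-and-mask equivalent of the rol/bswap sequence above, and the plain byte reversal that the earlier "Pointer part 1..4" snippet performs, so the difference Raymond pointed out is visible side by side. The function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the thread. Function names are hypothetical. */

/* Loop form: peel the low nibble off x and push it onto the result.
   Eight iterations for a 32-bit DWORD (eight nibbles).
   0x01234567 -> 0x76543210 */
uint32_t nibble_reverse_loop(uint32_t x)
{
    uint32_t r = 0;
    for (int i = 0; i < 8; i++) {
        r = (r << 4) | (x & 0xFu);
        x >>= 4;
    }
    return r;
}

/* Plain byte reversal, which is what the "Pointer part 1..4" snippet and a
   bare bswap do: 0x01234567 -> 0x67452301. This is NOT a nibble reversal. */
uint32_t byte_reverse(uint32_t x)
{
    return (x >> 24) | ((x >> 8) & 0x0000FF00u) |
           ((x << 8) & 0x00FF0000u) | (x << 24);
}

/* Shift/mask equivalent of rol al,4 / rol ah,4 / bswap eax / rol al,4 / rol ah,4:
   swap the two nibbles inside every byte, then reverse the byte order. The asm
   does the in-byte swaps two bytes at a time on either side of the bswap; the
   order of the two steps does not matter, so here all four bytes are swapped
   at once. */
uint32_t nibble_reverse_swap(uint32_t x)
{
    uint32_t swapped = ((x & 0x0F0F0F0Fu) << 4) | ((x & 0xF0F0F0F0u) >> 4);
    return byte_reverse(swapped);
}

int main(void)
{
    uint32_t v = 0x01234567u;
    printf("%08X: loop=%08X swap=%08X bytes=%08X\n", v,
           nibble_reverse_loop(v), nibble_reverse_swap(v), byte_reverse(v));
    return 0;
}
```

Both nibble-reversal forms are their own inverse, which is a handy self-check: reversing twice must give the input back.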
Thanks.
mov Pointer,eax
That was part of what I was confused about in the first place. What can this "Pointer" be?
What can this "Pointer" be?
Being your own posted variable name, you should know (unless you are copying someone else's code, in which case I can't read their mind). It has to be another declared variable, and what you do with its content (i.e. the swapped nibbles) is entirely up to you.
Raymond
Yes, the byte swapping was an example I took from another forum. Only the nibble swap using rol is my code; that was why I had so many questions, because I was trying to do what it was doing, yet I didn't fully understand how to do the auto-update.
Anyway, my last question was: the Pointer, what is it supposed to be? A register? Or my new input, for example 12345678h? I understand it's not your code and you can't read minds :) but I mean, just from the look of it, what is it supposed to be?
Edit - And thanks for all the help.
For general knowledge, the offset +3Ch usually refers to the IMAGE_DOS_HEADER structure of an executable file. Offset 3Ch from the base of the file holds the offset of the PE header, whose first 2 bytes contain 'PE'.
Anyway, moving on: you copy that value into eax, reverse it with your method, and basically save it where you want, either a register, the stack, memory, etc.
Automatically reading that specific value when it is changed, and then modifying your static pointer, is another story. There are a few ways; we can assume BPM and SetTimer.
BPM involves modifying the DRx registers, and when the data is accessed it should trip an exception to your SEH handler. I can't recall the exact method, so just search around.
As for the timer: you can, for instance, check the data every second to see if it changed. Like so:
lea eax, [esi+3Ch]      ; get address of data to check
mov where, eax
xor eax, eax
push offset timerproc   ; lpTimerFunc: address of proc to be called
push 1000               ; uElapse: 1 second
push eax                ; nIDEvent: 0, let Windows assign an id
push eax                ; hWnd: NULL
call SetTimer           ; eax = timer id; keep it, KillTimer(NULL, id) needs it
..
where dd 0
delta dd 0              ; will hold our reversed pointer
timerproc:              ; TimerProc(hWnd, uMsg, idEvent, dwTime): four DWORD args
mov eax, where          ; get pointer
mov eax, [eax]          ; read the DWORD it points at
rol al,4                ; reverse the nibbles (same sequence as above)
rol ah,4
bswap eax
rol al,4
rol ah,4
cmp eax, delta          ; same as last time?
jz nothingchanged       ; equal: nothing changed (jnz here would take the wrong branch)
mov delta, eax          ; it changed, wow, do something wild: save the new pointer
nothingchanged:
ret 16                  ; stdcall callback with 4 args: pop 16 bytes, not 12
Some issues: how to pass arguments to the timerproc, where to save the new pointer, and what to do if it did change.
So this should keep checking, every second, the address pointed to by where, reverse it, and save the new address somewhere.
Anyway, you can kill the timer with KillTimer.
And I didn't run the code, so I don't even know if it works. But I hope it helps. Have fun.
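The poll-on-a-timer approach above, rewritten as an added C example (not the poster's code) so the change-detection logic can be exercised without a Windows message loop: each timer tick is just a call to a poll function, the watched memory is a constructed 64-byte buffer shaped like an IMAGE_DOS_HEADER with e_lfanew at 3Ch, and the where/delta pair keeps the post's names. All type and function names are mine.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the thread; names are hypothetical. */

typedef struct {
    const uint8_t *where;   /* address of the DWORD being watched */
    uint32_t       delta;   /* last nibble-reversed value saved */
} watcher_t;

/* Read a little-endian DWORD byte by byte: same result as "mov eax,[eax]"
   on x86, without alignment or aliasing concerns in C. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Same result as rol al,4 / rol ah,4 / bswap eax / rol al,4 / rol ah,4. */
static uint32_t nibble_reverse(uint32_t x)
{
    uint32_t s = ((x & 0x0F0F0F0Fu) << 4) | ((x & 0xF0F0F0F0u) >> 4);
    return (s >> 24) | ((s >> 8) & 0x0000FF00u) |
           ((s << 8) & 0x00FF0000u) | (s << 24);
}

/* "lea eax,[esi+3Ch] / mov where,eax": watch e_lfanew of the DOS header at base. */
void watcher_init(watcher_t *w, const uint8_t *base)
{
    w->where = base + 0x3C;
    w->delta = nibble_reverse(read_le32(w->where));
}

/* One timer tick. Returns 1 if the watched DWORD changed (delta updated),
   0 if not. Equal means nothing changed; the posted asm jumped to
   nothingchanged on NOT equal, which is the inverted branch. */
int watcher_poll(watcher_t *w)
{
    uint32_t cur = nibble_reverse(read_le32(w->where));
    if (cur == w->delta)
        return 0;
    w->delta = cur;
    return 1;
}

/* Constructed scenario: an MZ header whose e_lfanew is rewritten between
   ticks, as the original poster described. Returns the final delta if
   exactly two of the four ticks reported a change, else 0. */
uint32_t demo(void)
{
    static uint8_t image[64];              /* constructed, header-sized buffer */
    memset(image, 0, sizeof image);
    image[0] = 'M'; image[1] = 'Z';
    write_le32(image + 0x3C, 0x01234567u);

    watcher_t w;
    watcher_init(&w, image);               /* delta = 0x76543210 */

    int changes = 0;
    changes += watcher_poll(&w);           /* tick 1: unchanged */
    write_le32(image + 0x3C, 0x12345678u); /* something rewrites e_lfanew */
    changes += watcher_poll(&w);           /* tick 2: delta -> 0x87654321 */
    changes += watcher_poll(&w);           /* tick 3: unchanged */
    write_le32(image + 0x3C, 0x23456789u);
    changes += watcher_poll(&w);           /* tick 4: delta -> 0x98765432 */

    return changes == 2 ? w.delta : 0;
}

int main(void)
{
    printf("final reversed pointer: %08X\n", demo());
    return 0;
}
```

Two practical caveats when wiring this back to the Win32 version: a TimerProc registered with SetTimer only runs when the thread pumps messages (GetMessage/DispatchMessage), so a thread that never enters a message loop never sees a tick, and the callback takes four arguments, so it must clean up 16 bytes on return. A one-second poll can also miss writes that happen and are undone between ticks; the hardware-breakpoint (DRx) route the poster mentions fires on the access itself and does not have that gap.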