I use .Data to store all my strings and such..

Is there a way to create strings on the fly??

for example the string OLLYDBG

mov eax , 1001100 1001100 1011001 1000100 1000010 1000111  ; binary representation.... I know this wont work
How can I move the binary represenation into  a register??

Afterwards... Convert it to hex ( 4F4C4C59444247h ) then to ascii (79767689686671)... Then into string

aftwards just show it in a messagebox....

I just need some hints or whatnot to point me into the right direction... Im doing this  so I dont have to have visible strings right away in Ollydbg or any debugger :)
Posted on 2005-08-10 19:36:51 by shism2
The extended registers are 32-bit registers. 

The value 4F4C4C59444247h is greater than 32-bits

You'd need to transfer the data to a byte array.

Do some searching in the forum, I'm sure you'll find what you're looking for.
Posted on 2005-08-10 19:47:27 by BBS
mov eax, 010101010b

Posted on 2005-08-10 20:34:08 by evlncrn8
Try this:

    txtbuf  db  32 dup(0)

    mov  edi,offset txtbuf
    mov  eax,"OLLY"    ;4 characters at a time
    bswap eax
    mov  eax,"DBG "    ;pad last characters with tailing spaces if necessary
    bswap eax
    xor  eax,eax
    invoke MessageBox,0,ADDR txtbuf,0,MB_OK
    invoke ExitProcess

You could avoid the "bswap" instructions by loading the EAX register with the characters in reverse order. However, your source code would not be as legible and prone to mistakes.

Posted on 2005-08-10 21:27:28 by Raymond
THAT Worked PERFECTLY!!! wow thanks alot :) but other than I was looking for byte arrays examples but couldn't find any.... Is there anyway you can point me to some examples ??

Also I before encrypted the strings with rc6fish....and To still be able to do that I would have to? encrypt the txtbuff at runtime then?

Then decrypt it after when I need to use it?

invoke FindWindow, ADDR txtbuf,NULL
? ? ? ? ? ? ? cmp eax,00000000h
? ?
? ?
? ?.if eax!= 0
? ?
invoke MessageBox,0,ADDR txtbuf,0,MB_OK
? ?
? ?.else

? invoke ExitProcess,0
? ?
? .endif

Ok problem is without the space next to "DBG" only the OLLY will be generated... BUt the classname is OLLYDBG no space.....
Posted on 2005-08-10 22:16:52 by shism2
Functions dealing with strings "generally" expect the string to be null terminated, otherwise they have an argument specifying the length of the string.


Posted on 2005-08-10 23:17:47 by Darrel
When you use the Messagebox function it is supplied with a null terminated string:

DisplayString BYTE "This is displayed in MessageBox.",0? ? ? ? ?;32 Bytes not counting 0 termination

invoke MessageBox,0,ADDR DisplayString,0,MB_OK

using the WriteFile function:

invoke WriteFile,hFile,ADDR DisplayString,32,ADDR NumBytesWritten,NULL

other functions require either the length of the string or a -1 for a null terminated string I believe MultiByteToWideChar is an appropriate example


Posted on 2005-08-10 23:40:28 by Darrel
Here is one way to embed txt in the .code section by placing it on the stack.


Ther are multiple postings in this thread so there is no point duplicating it here but it is a useful method.
Posted on 2005-08-11 00:45:04 by hutch--
shism2, what's the point? But constructing the strings runtime, your program will be larger and slower. It might offer protection from people who have just learned to use a hex editor, but not people who have a little experience.
Posted on 2005-08-11 06:44:16 by f0dder
Ok problem is without the space next to "DBG" only the OLLY will be generated... BUt the classname is OLLYDBG no space.....

With an instruction such as mov eax,"DBG" (i.e. without the trailing space filler), it would load EAX with:
With the bswap instruction, it would result in:
When that is stored in memory in "little-endian" fashion, it would look like the following hex numbers at consecutive memory addresses:
00 44 42 47
and have the effect of inserting a terminating 0 immediately after the previous partial string.

(As an exercise to better understand the underlying principal, do the same as above with the space filler.)

If the trailing space filler(s) is a problem, adjust the pointer accordingly before inserting the terminating 0 separately.

;after storing your last partial string with space fillers
    sub  edi,X        ;replace X with the number of space fillers
    xor  eax,eax

Posted on 2005-08-11 08:57:35 by Raymond
with macros one can do wonderful things!

?RandcSeed = @CatStr(@SubStr(<%@Time>,1,2),@SubStr(<%@Time>,4,2),@SubStr(<%@Time>,7,2))
?Randc macro Range
local __Result
; Xn = (aXn-1 + b) mod m
?RandcSeed = ((?RandcSeed*54321)+12345) MOD 31337; am i 31337 or what :)
__Result textequ @CatStr(%(?RandcSeed mod Range))
exitm __Result

UnHideString macro qtext:req,buffreg:req
LOCAL i,k,xc,sym,txt,@dec
sym label byte
i = @SizeStr(qtext)
i = i - 2
db i
xc = ?Randc(0FFh)
txt textequ @SubStr(qtext,2,i)
%FORC j, <txt>
db ("&j" xor xc)
db 0
mov eax,offset sym
movzx ecx,byte ptr
inc eax
mov ,ch
jmp @dec
mov dl,
xor dl,xc
mov ,dl
dec ecx
.until sign?

sub esp,40h
mov edi,esp
UnHideString "OLLYDBG XORED",edi
invoke MessageBox,0,edi,0,0
xor eax,eax
mov ecx,40h/4
rep stosd
mov esp,edi
invoke ExitProcess,eax
end start

Posted on 2005-08-11 16:59:58 by drizz