Hi! I have recently started in the wonderful world of ASM.  :lol:

I wonder how the following idea could be implemented in an easy way? (if possible)

Check that Address 00401234 is for example :
90 | NOP
----------
Pseudo code

Cmp address,NOP
je yes
jmp no

Best Regards
Posted on 2006-08-09 14:04:17 by Tosselini
If you are talking about checking the presence of a nop instruction at some address in another process, then simply checking for a 90h byte won't work, since it may come as a part of another instruction and not be a nop at all.
You will need to make some kind of disassembling engine and a way to get around stuff like accessing the memory of another process.

Please explain for what purpose you want to do that and also take a look at the community rules.
Posted on 2006-08-09 14:34:50 by arafel
Thanks for the reply arafel!

No, I don't want to check another process, just a self-check in the program itself.  :)
Can be useful if the program has been damaged by a virus or similar. I was thinking of making it check the whole code, but for now I'll just stick with checking 1 address for learning purposes.



Posted on 2006-08-09 14:47:35 by Tosselini
Tosselini, "cmp byte ptr , 90h" should do the trick for you. An alternate approach would be checksumming ranges of your program (stick to the code section, data has a habit of changing :)). You can't just blindly scan for "90h" or "CCh" though, since those can appear as part of valid instructions.

It's not going to buy you a lot of security, though.
Posted on 2006-08-09 14:52:20 by f0dder
Thanks f0dder!  :D
It works, funny to see when I change it.

cmp byte ptr
This is for checking 1 byte? Like 90, 74, 50 etc etc.

If I wanna do it on an 8BC8 (MOV ECX,EAX), how shall I write it?

I tried with
CMP WORD PTR DS:[401706],8CB8
and
CMP DWORD PTR DS:[401706],8CB8

Best regards



Posted on 2006-08-09 15:24:58 by Tosselini
For hex numbers, get in the habit of writing them "0xxh".

Intel machines are little-endian, so you must compare with "0C88Bh".
Posted on 2006-08-09 15:30:29 by f0dder
Good reading, I was trying my new skills and did:

CMP DWORD PTR DS:[401706],0C085h

Didn't work, so I tried (I was sad now because I thought I understood  :lol:)

0c058h
085C0h
0C085h
0850Ch
0c805h
005C8h
0C508h

and every possible combination I could think of. Just to notice that it works with
CMP WORD PTR DS:[401706],0C085h
Byte, word , dword, little endian...

:P
Posted on 2006-08-09 16:39:11 by Tosselini

Good reading, I was trying my new skills and did:

CMP DWORD PTR DS:[401706],0C085h

Didn't work, so I tried (I was sad now because I thought I understood :))

DWORD means you're checking four bytes... so you're actually checking for "00000C085h", so to speak...
Posted on 2006-08-10 07:11:36 by f0dder
My thought was 'If I use a DWORD it would be enough'  :lol:

Byte = 00
WORD = 0000
DWORD = 00000000


Right?  ;)
Posted on 2006-08-11 15:59:18 by Tosselini
If you're retrieving data, it's enough.

If you're storing or comparing, it may be too much.
Posted on 2006-08-14 23:59:04 by tenkey
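The three points the thread converges on (a WORD compare reads the bytes 8B C8 little-endian as 0C88Bh, a DWORD compare covers four bytes so an immediate of 0C88Bh really means 0000C88Bh, a lone 90h byte is not evidence of a nop, and checksumming the code section is the more robust self-check) worked through as an added C example. This is not code from the thread or from any of its posters; the byte arrays are constructed stand-ins for what would sit at 00401706, and the CRC-32 routine is one possible checksum, not anything f0dder specified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample bytes standing in for the code at 00401706 in the
 * thread: 8B C8 (mov ecx,eax) followed by two more bytes (nop; ret), so a
 * DWORD read at the same address picks up all four of them. */
static const uint8_t sample_code[4] = { 0x8B, 0xC8, 0x90, 0xC3 };

/* Constructed: B8 90 90 90 90 is "mov eax, 90909090h". It contains four 90h
 * bytes but not a single nop instruction. */
static const uint8_t mov_eax_imm[5] = { 0xB8, 0x90, 0x90, 0x90, 0x90 };

/* A WORD operand on x86 is read little-endian: the byte at the lower address
 * is the low half of the value, so memory 8B C8 compares equal to 0C88Bh. */
static uint16_t read_word_le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* A DWORD operand covers four bytes, so an immediate of 0C88Bh is extended to
 * 0000C88Bh and compared against all four bytes in memory. */
static uint32_t read_dword_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Counts occurrences of one byte value in a range; shows why a scan for 90h
 * says nothing about whether nop instructions are present. */
static size_t count_byte(const uint8_t *p, size_t len, uint8_t value)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] == value)
            n++;
    return n;
}

/* CRC-32 (IEEE, reflected form, polynomial EDB88320h) over a byte range; one
 * way to implement "checksum the code section". */
static uint32_t crc32_range(const uint8_t *p, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Self-check: recompute the checksum of a range and compare it with the value
 * recorded when the program was built. */
static int code_range_intact(const uint8_t *p, size_t len, uint32_t expected)
{
    return crc32_range(p, len) == expected;
}

int main(void)
{
    uint8_t patched[4];

    printf("word  at sample: %04Xh\n", (unsigned)read_word_le(sample_code));
    printf("dword at sample: %08Xh\n", (unsigned)read_dword_le(sample_code));
    printf("word  compare with 0C88Bh: %s\n",
           read_word_le(sample_code) == 0xC88Bu ? "match" : "no match");
    printf("dword compare with 0C88Bh: %s\n",
           read_dword_le(sample_code) == 0xC88Bu ? "match" : "no match");
    printf("90h bytes in mov eax,90909090h: %u\n",
           (unsigned)count_byte(mov_eax_imm, sizeof mov_eax_imm, 0x90));

    /* Record the checksum once, then detect a one-byte modification
     * (CCh written over the nop, as in f0dder's example of bytes that also
     * occur inside valid instructions). */
    uint32_t recorded = crc32_range(sample_code, sizeof sample_code);
    memcpy(patched, sample_code, sizeof patched);
    patched[2] = 0xCC;
    printf("original intact: %d, patched intact: %d\n",
           code_range_intact(sample_code, sizeof sample_code, recorded),
           code_range_intact(patched, sizeof patched, recorded));
    return 0;
}
```

The WORD compare matches because the comparison width equals the instruction length; the DWORD compare fails because the two bytes after the instruction are part of the value being compared. The checksum approach avoids both the width question and the 90h/CCh ambiguity, since it does not try to recognise instructions at all, only to notice that any byte in the range changed.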