0

I have instructions which are like this

pokeEnableMap = new byte[6]{
        233,
        0,
        0,
        0,
        0,
        144};

and I'd like them like this:

pokeEnable = @"call 0x{0:X}
        nop
        nop
        nop";

or this

pokeCodeCave = @"movss [0x{0:X}],xmm0
        fld dword [0x{0:X}]
        fld dword [0x{1:X}]
        faddp
        fstp dword [edi+0x0000014C]
        ret";

How can I convert/interpret the bytes?

EDIT: Well I found a way to do it and for documentation purpose: After finding dozens of ended projects I found the GitHub of 9ee1 Capstone.Net which is build on Capstone. After downloading the Projectfolder and building each of the projects, the CMD didnt allocate enough memory, so after increasing the value from 80 to 180 the exe said that it was missing capstone.dll which isn't Gee.External.Capstone.dll. I downloaded the release version 1.2.2 from their GitHub and there was a capstone.dll but this CMD didn't allocate enough memory either. So I copied the .dll files from the release to the fixed CMD.exe and now everything was working.

Now i converted my code from decimals 233,0,0,0,0,144 to hex 0xE9,0,0,0,0,0x90 and entered them in the Programm.cs X86 section, rebuild the CMD and there it was: jmp 0x1005 | nop or a little bit more complex example:

dec: 139,78,4,185,0,0,0,0,184,0,0,0,0,137,69,216,233,0,0,0,0
hex: 8B 4E 04 B9 00 00 00 00 B8 00 00 00 00 89 45 D8 E9 00 00 00 00
op: mov ecx,[esi+4] | mov ecx,0 | mov [ebp-28],eax | jmp 0x1015
Cortex
  • 1
  • 1
  • Forgive me if I'm being naive, but can't you just look at the opcode to work out which op it is, and use what you know about that you determine its arguments, etc.? – ProgrammingLlama May 22 '18 at 04:12
  • I'm afraid not because I can't inject the code to see the change or location in opcode – Cortex May 22 '18 at 04:15
  • @Cortex I'll rephrase: 233 is presumably the opcode for `movss`, right? So can't you look at 233 and go "OK, that's movss. movss has N arguments so the next N bytes are those arguments." etc. – ProgrammingLlama May 22 '18 at 04:17
  • @john Thanks I'll try that – Cortex May 22 '18 at 04:19
  • @john isn't it like this: 233 in hex is E9 so that means jmp? – Cortex May 22 '18 at 04:27
  • @john: Unfortunately x86 machine code is hard to decode / disassemble. Even finding the length of an instruction is hard, because you can have different numbers of optional prefixes, and the opcode byte (once you find it) doesn't determine the length of the rest of the instruction. You have to decode the ModR/M byte to find out how many more bytes are used to encode an addressing mode (optional SIB + 8 or 32-bit displacement). Also, in 32-bit mode VEX prefixes (AVX) use otherwise-invalid encodings of LES / LDS. – Peter Cordes May 22 '18 at 04:28
  • Anyway, yes 233 is `0xE9`, the opcode for [`jmp rel32`](http://felixcloutier.com/x86/JMP.html), which takes a 4-byte relative displacement. Your text decoding of it is wrong: you have `call` which is `0xE8`. Single-byte NOP is 0x90, though (or 144 decimal). See links to docs / manuals in the x86 tag wiki: https://stackoverflow.com/tags/x86/info – Peter Cordes May 22 '18 at 04:31
  • @Peter I'll defer to your greater experience in this area :) Either way, there's nothing built-in for it, OP will have to find a library that does it, or interpret it themselves. – ProgrammingLlama May 22 '18 at 04:32
  • 1
    @john: Yup, exactly. My point was that you should really look for a library if you want this to be robust. Writing an assembler / disassembler for modern x86 is a big job if you want it to not suck, and there *are* libraries around which have this functionality (like LLVM or GNU binutils). I think LLVM has a permissive license (non-GPL), if that matters. – Peter Cordes May 22 '18 at 04:34
  • 1
    @john: And it turns out there are already some .NET disassembler libraries; Presumably some of them can assemble as well (I think the OP wants to go both directions). Added a 2nd duplicate with some library-recommendation answers. – Peter Cordes May 22 '18 at 04:39
  • Thanks for the answers; I'm trying to use these libraries you linked me like sharpdisasm or beaengine but I don't know how. I have both their full VS Projectfolders from GitHub but can't find any instructions – Cortex May 22 '18 at 05:19
  • @peter If you know LLVM can you give me some quick instructions? – Cortex May 22 '18 at 05:37
  • No, I don't know any details of how to use LLVM as a library. There are docs, though, like https://llvm.org/docs/GettingStarted.html. I only use LLVM via clang, the C / C++ compiler front-end. I don't know C# at all. – Peter Cordes May 22 '18 at 05:42
  • @peter Alright thanks anyway, you gave me lots of information to work on – Cortex May 22 '18 at 05:44
  • http://www.keystone-engine.org/ has C# bindings, [as well as C++](https://stackoverflow.com/questions/50465724/anyone-knows-anything-that-can-encode-an-asm-string-in-bytes-using-c); it just came up in a recent answer which reminded me of this question. – Peter Cordes May 22 '18 at 12:05
  • @peter Thank you again, very nice of you; Keystone is an assembler but don't I need a Disassembler? I'm trying to use Capstone; a Disassembler made by the same guy but still I have no idea how to use it – Cortex May 22 '18 at 14:56

0 Answers0