Tuts 4 You

[Question/Assembly] How to check for Byte Array?


0xNOP


I have a situation over here and I need some help, well, figure the following:

EDX holds an address, and that address contains data in a byte array I want to check...

But I have something like this:

0167C000 | 66 BB 40 B4              | mov bx,B440                             |
0167C004 | 66 39 DA                 | cmp dx,bx                               |
0167C007 | 74 08                    | je unknown.167C011                      |
0167C009 | 90                       | nop                                     |
0167C00A | 90                       | nop                                     |
0167C00B | 75 0A                    | jnz unknown.167C017                     |
0167C00D | 90                       | nop                                     |
0167C00E | 90                       | nop                                     |
0167C00F | EB EF                    | jmp unknown.167C000                     |
0167C011 | 31 D2                    | xor edx,edx                             |
0167C013 | 74 02                    | je unknown.167C017                      |
0167C015 | 90                       | nop                                     |
0167C016 | 90                       | nop                                     |
0167C017 | E8 D0 30 D9 FE           | call unknown.40F0EC                     |
0167C01C | E9 63 68 B3 FF           | jmp unknown.11B2884                     |

But notice that I'm currently checking if the value at DX is equal to B440 (something static); if so, then it XORs EDX, and if not, it then jumps to the outside and continues with normal flow...

Now this check that I perform is a static check, meaning I can't really go into EDX and check what it contains... the data length is approx. 16 bytes long. Now I come to you guys because there are many experts in this area and people with more knowledge than me, so I come to you, my masters, seeking your wisdom :D

The ultimate question is: instead of just performing this static check, how can I check if the address at EDX holds the data that I want to check, and also apply the check and fix-ups (xor edx)?


If I'm understanding correctly, something like this might work on a little-endian system:

; Check for 8 bytes: 0x12 0x34 0x56 0x78 0x90 0xab 0xcd 0xef
cmp dword [edx], 0x78563412
jne BAD
cmp dword [edx+4], 0xefcdab90
jne BAD
; Good code here
BAD:
; Bad code here

The main downside to this method is that it assembles to 0x15 bytes, a lot for just 4 instructions. If you have a lot of room to work with it should be fine though.

Another method you could use, if you have the good 16 bytes in memory somewhere, is to use a stdlib/api call like memcmp or RtlCompareMemory.


Or write a loop with a counter to get the pointer to the byte to compare it:

cmp al,byte ptr[esi+ecx] 

or use repz cmpsb

Quote

For a block compare of CX or ECX bytes, words or longs, precede a cmps instruction with a repz or repnz prefix.


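As an added example (not code from any poster in this thread), here is a C translation of the two approaches in the replies above: pack_le_dword derives the little-endian immediates that the dword-compare reply hand-computed (0x78563412 for the bytes 12 34 56 78), matches16_dwords mirrors the chain of `cmp dword [edx+off], imm32` / `jne BAD` pairs, and matches16_bytes mirrors the counter loop `cmp al, byte ptr [esi+ecx]` from the next reply. The 16-byte pattern kPattern and all function names are constructed for illustration; only its first 8 bytes come from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 16-byte pattern; its first 8 bytes are the ones used in the reply above. */
static const uint8_t kPattern[16] = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xab, 0xcd, 0xef,
                                      0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };

/* Little-endian: p[0] lands in the low byte, so 12 34 56 78 in memory equals 0x78563412. */
static uint32_t pack_le_dword(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Four `cmp dword [edx+off], imm32` / `jne BAD` pairs; memcpy avoids unaligned loads. */
static int matches16_dwords(const uint8_t *edx, const uint8_t pattern[16])
{
    for (size_t off = 0; off < 16; off += 4) {
        uint32_t have;
        memcpy(&have, edx + off, sizeof have);
        if (have != pack_le_dword(pattern + off))
            return 0;   /* jne BAD */
    }
    return 1;           /* fell through to the good code */
}

/* The counter loop from the third reply (cmp al, byte ptr [esi+ecx]), one byte per pass. */
static int matches16_bytes(const uint8_t *edx, const uint8_t pattern[16])
{
    for (size_t ecx = 0; ecx < 16; ecx++)
        if (edx[ecx] != pattern[ecx])
            return 0;
    return 1;
}

/* Flip one byte of a copy; returns 1 only if both checks reject the corrupted buffer. */
static int corruption_detected(void)
{
    uint8_t buf[16];
    memcpy(buf, kPattern, sizeof buf);
    buf[9] ^= 0x01;
    return !matches16_dwords(buf, kPattern) && !matches16_bytes(buf, kPattern);
}

int main(void)
{
    for (size_t off = 0; off < 16; off += 4)   /* immediates to paste into the patch */
        printf("cmp dword [edx+%zu], 0x%08X\n", off, (unsigned)pack_le_dword(kPattern + off));
    return printf("corrupted_rejected=%d\n", corruption_detected()) < 0;
}
```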
