Hello Everybody,
I'm facing a problem.
I'm using a code example of Iczelion (PE tutorial no.5 (http://win32assembly.programminghorizon.com/pe-tut5.html)) to get some bytes from a specific section.
I grab the bytes doing this:
invoke SetFilePointer,hFile,newAdr,NULL,FILE_BEGIN
invoke ReadFile, hFile, pMemory, [esi].Misc.VirtualSize, addr ReadSize, NULL
invoke HexEncode,pMemory,[esi].Misc.VirtualSize,addr FBuffer
invoke SetDlgItemText,hDlg,1004,addr FBuffer
HexEncode is a function from cryptohash lib of drizz.
Well, now that the hex is in my dialog box, I'm looking to take it and apply a xor on my bytes.
I'm doing:
;invoke lstrlen,addr FBuffer
;mov ecx,eax
mov esi, offset xored
;mov edi, offset FBuffer
;mov ecx, 4
;xor eax, eax
;DecryptionLoop:
; mov al, byte ptr [edi]
; xor al,41h
; mov byte ptr [esi], al
; inc esi
; inc edi
;loop DecryptionLoop
;invoke SetDlgItemText,hDlg,1005,addr xored
but it looks like it's not good (mov edi, offset FBuffer issue?)
My bytes are taken, but not as hex bytes, from what I see in a debugger.
Or does someone know or have a code example of how I can move my read result from ReadFile to a buffer and apply a xor on it directly? (I mean without doing a HexEncode; I'm using that just to have a visual display of the read operation.)
Thanks
Use vkdebug for quick and simple data visualization
Quote from: ewok on November 02, 2015, 05:11:30 AM
Thanks
To really help you, we would have to
- grab your code,
- add headers,
- guess what the content of your file is,
- create that file,
- assemble your code,
- launch the debugger
What about posting a complete example? Or do you really think we have nothing better to do on a Sunday evening?
Is it Sunday already?
2.5 hours till Monday here
Hello from the future !
Why hex string to byte for your xor encryption?
You can use pMemory
;mov edi, offset FBuffer < pMemory
;mov ecx, 4
;xor eax, eax
;DecryptionLoop:
...
..
.
Well, I attached my code if you want to see, as well as a dummy.exe with the section I want to get from the file.
Gonna look for vkdebug.
Edit: edited the code.
@ragdog: I already tried mov edi, offset pMemory but it looks like I've an issue too.
Take care that the PE file had changed
https://msdn.microsoft.com/en-us/library/windows/desktop/ms680547(v=vs.85).aspx
Quote from: ewok on November 02, 2015, 06:19:35 AM
well i attached my code if you want to see
.while edi>0
..
mov edi, offset FBuffer
..
.endw
Quote:
@ragdog: I already tried mov edi, offset pMemory but it looks like I've an issue too.
mov edi, offset pMemory
Offset??
And your loop has no end for jump out
xor ebx,ebx
push edi
push esi
mov edx,[esi].Misc.VirtualSize
mov esi, offset xored
mov edi, pMemory
xor eax, eax
.repeat
mov al, byte ptr [edi]
xor al,41h
mov byte ptr [esi], al
inc esi
inc edi
inc ebx
.until ebx==edx ;DecryptionLoop
invoke SetDlgItemText,hDlg,1005,addr xored
pop esi
pop edi
Wow, thanks ragdog, it worked :icon14:
For offset, yeah, I was desperate and started to try improbable things before finally asking on EFnet, but everyone was idling, so finally on this place.
Quote from: jj2007 on November 02, 2015, 08:05:39 AM
.while edi>0
..
mov edi, offset FBuffer
..
.endw
What do you mean?
JJ's loop isn't quite accurate because EDI is not the count
anyways....
mov edi,offset FBuffer ;FBuffer is a label in global memory (.DATA or .DATA?)
mov edi,pMemBuff ;pMemBuff is a variable that contains an address (i.e. pointer)
lea edi,FBuffer ;FBuffer is a label in local memory (stack allocated)
Quote from: dedndave on November 02, 2015, 09:33:59 AM
JJ's loop isn't quite accurate because EDI is not the count
line 191 in pe5.asm, downloaded from reply #6 (the "edited" version):
assume esi:ptr IMAGE_SECTION_HEADER
.while edi>0
line 256:
mov esi, offset xored
;mov edi, offset FBuffer <<< commented out by OP because "not good"
;mov ecx, 4
line 271
dec edi
add esi, sizeof IMAGE_SECTION_HEADER
.endw
So I removed the comment, ran it with deb (http://www.webalice.it/jj2006/MasmBasicQuickReference.htm#Mb1019), and indeed, surprise surprise, it was not working...
Quote from: ewok on November 02, 2015, 05:11:30 AM
but looks like it's not good (mov edi, offset FBuffer issue?)
Ragdog added the missing push edi ... pop edi :t
Quote:
.while edi>0
An executable or other file can contain 0 bytes
@ewok
Your code is very badly written; under a debugger your application gives many exceptions.
Quote from: ragdog on November 02, 2015, 06:57:40 PM
Quote:
.while edi>0
An executable or other file can contain 0 bytes
Irrelevant. The problem is not saving edi:
mov esi, offset xored
; push edi
mov edi, offset FBuffer
mov ecx, 4
xor eax, eax
deb 40, "DecryptionLoop in", edi
DecryptionLoop:
mov al, byte ptr [edi]
xor al,41h
mov byte ptr [esi], al
inc esi
inc edi
loop DecryptionLoop
invoke SetDlgItemText,hDlg,1005,addr xored
; pop edi
With push+pop, you get
While in edi 5
While in edi 4
While in edi 3
While in edi 2
While in edi 1
DecryptionLoop in edi 4231527
Loop end edi 0 <<<<<< OK
When you forget saving edi, you get
While in edi 5
While in edi 4
While in edi 3
While in edi 2
While in edi 1
DecryptionLoop in edi 4231527
While in edi 4231530
While in edi 4231529
While in edi 4231528 <<<<<< Loop end reached after 4.2 Million iterations
While in edi 4231527
While in edi 4231526
While in edi 4231525
While in edi 4231524
Is that clear enough, or shall I try another road?
Hello Jochen
Quote:
Irrelevant. The problem is not saving edi:
Yes, I know; this is why I added push/pop edi
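
As an added example (not code from any poster in this thread), here is the same "find the section, read its bytes, XOR them directly" operation in portable C over a file image already loaded into memory. It generalizes the MASM loops above by taking the byte count as the smaller of VirtualSize and SizeOfRawData and by checking every offset against the file size. The function names and the constructed `.demo` sample are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian read of w bytes that refuses to run past the end of the file image. */
static int rd(const uint8_t *f, size_t n, size_t off, size_t w, uint32_t *v) {
    if (off > n || n - off < w) return 0;
    *v = 0;
    for (size_t i = 0; i < w; i++) *v |= (uint32_t)f[off + i] << (8 * i);
    return 1;
}

/* XOR the on-disk bytes of section `name` in place; returns the byte count or -1. */
long xor_section(uint8_t *f, size_t n, const char *name, uint8_t key) {
    uint32_t pe = 0, nsec = 0, optsz = 0, vsize = 0, rawsize = 0, rawptr = 0;
    char want[8] = {0};                       /* section names are 8 bytes, NUL padded */
    if (strlen(name) > 8) return -1;
    memcpy(want, name, strlen(name));
    if (!rd(f, n, 0x3C, 4, &pe) || pe > n || n - pe < 24) return -1;  /* e_lfanew */
    if (memcmp(f + pe, "PE\0\0", 4) != 0) return -1;
    rd(f, n, (size_t)pe + 6, 2, &nsec);       /* NumberOfSections */
    rd(f, n, (size_t)pe + 20, 2, &optsz);     /* SizeOfOptionalHeader */
    size_t sh = (size_t)pe + 24 + optsz;      /* first IMAGE_SECTION_HEADER */
    for (uint32_t i = 0; i < nsec; i++, sh += 40) {
        if (sh > n || n - sh < 40) return -1; /* header must lie inside the file */
        if (memcmp(f + sh, want, 8) != 0) continue;
        rd(f, n, sh + 8, 4, &vsize);          /* Misc.VirtualSize */
        rd(f, n, sh + 16, 4, &rawsize);       /* SizeOfRawData */
        rd(f, n, sh + 20, 4, &rawptr);        /* PointerToRawData */
        /* VirtualSize is the in-memory size; only SizeOfRawData bytes exist on disk. */
        uint32_t len = vsize < rawsize ? vsize : rawsize;
        if (rawptr > n || n - rawptr < len) return -1;
        for (uint32_t k = 0; k < len; k++) f[rawptr + k] ^= key;
        return (long)len;
    }
    return -1;
}

/* Constructed sample (not a loadable executable): one section ".demo" holding "ABCD". */
size_t build_sample(uint8_t *b) {             /* b must hold at least 0x90 bytes */
    memset(b, 0, 0x90);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x40;   /* e_lfanew -> 0x40 */
    memcpy(b + 0x40, "PE\0\0", 4);
    b[0x46] = 1;                              /* NumberOfSections */
    memcpy(b + 0x58, ".demo", 5);             /* header at 0x40 + 24 + 0 */
    b[0x60] = 4; b[0x68] = 0x10; b[0x6C] = 0x80; /* VirtualSize, SizeOfRawData, PointerToRawData */
    memcpy(b + 0x80, "ABCD", 4);
    return 0x90;
}
```

The loop counter and the data pointer are separate variables here, so the register clobbering discussed in the thread cannot occur; the length clamp also keeps the XOR inside whatever destination buffer was sized from the file.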