
Assembly - cmp doesn't work

I'm trying to replace a Unicode string (its length is 8) in assembly with some other. The address of the beginning of the string, increased by 0x10, is stored in EDI. I know the string value, but its address is changing, so I can't replace it by address. I'm using Code Injection in Cheat Engine. That code works:

alloc(newmem,4096)
label(returnhere)
label(originalcode)
label(exit)

newmem:

repe movsb
cmp edi,0341E340
jne originalcode
mov [edi-10],31
mov [edi-0E],32
mov [edi-0C],33
mov [edi-0A],34
mov [edi-08],35
mov [edi-06],36
mov [edi-04],37
mov [edi-02],38

originalcode:

jmp MSVCR120.memcpy+53

exit:
jmp returnhere

"MSVCR120.dll"+F20C:
jmp newmem
nop
nop
returnhere:

but that doesn't:

alloc(newmem,8192)
label(returnhere)
label(originalcode)
label(exit)

newmem:

repe movsb

cmp [edi-10],41
jne originalcode
cmp [edi-0E],42
jne originalcode
cmp [edi-0C],43
jne originalcode
cmp [edi-0A],44
jne originalcode
cmp [edi-08],45
jne originalcode
cmp [edi-06],46
jne originalcode
cmp [edi-04],47
jne originalcode
cmp [edi-02],48
jne originalcode

mov [edi-10],31
mov [edi-0E],32
mov [edi-0C],33
mov [edi-0A],34
mov [edi-08],35
mov [edi-06],36
mov [edi-04],37
mov [edi-02],38

originalcode:

jmp MSVCR120.memcpy+53

exit:
jmp returnhere

"MSVCR120.dll"+F20C:
jmp newmem
nop
nop
returnhere:

Of course both codes could be assembled, but the second one does nothing (it can't go through the comparison part). I'm sure the values I compare are good, because I've set a breakpoint when edi is 0341E340. What's more, when I execute the first and the second code (together, to be sure the value is right) it also doesn't work. Cheat Engine treats constants as hex values (exactly what I want) and it doesn't understand if I write, for example, 0Ch. So how should I compare the values?

cmp edi,0341E340 compares the value in edi (no memory access) with something that was supposed to be a hexadecimal constant, I guess.

cmp [edi-10],41 compares the value at address edi-10 (content of memory) with 41. From this instruction format it's not clear whether a byte or a dword value is compared.

But in any case, the two are doing something completely different.

If you do for example:

; preparing test values + memory content for examples
mov edi,bufferAddress ; pointer to some writeable free memory
mov [edi],byte 41     ; all values are decimal
mov [edi+1],byte 1
; then these will evaluate as "equal" (ZF=1)
cmp edi,bufferAddress
cmp [edi],byte 41
cmp [edi],word 256+41  ; x86 little-endian
; these will evaluate as "not equal" (ZF=0)
cmp edi,bufferAddress+1
cmp [edi],word 41  ; on [edi+1] is "1" instead of 0

So it's completely confusing why you even mix those two examples together.

Whether the second case works depends on the content of memory. Whether the first works depends on the value in edi (probably some buffer address).

The problem was that Cheat Engine was treating constants as 4 bytes, not 1 byte. I had to write it like:

cmp [edi-10],00320031
jne originalcode
cmp [edi-0C],00340033
jne originalcode
cmp [edi-08],00360035
jne originalcode
cmp [edi-04],00380037
jne originalcode

Now it works.
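The operand-size point made in the answer above (byte vs. word vs. dword compare of the same memory) and the dword constants used in the final fix can both be checked outside the debugger. The following C program is an added example, not code from the question or the answers: it models what "cmp <width> ptr [edi],imm" loads from a little-endian buffer, reproduces the answer's 41/1 test values, and derives the 00320031... dwords from the UTF-16LE encoding of "12345678"; buffer contents and helper names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Load a little-endian value of width 1, 2 or 4 bytes from p,
 * i.e. what "cmp byte/word/dword ptr [edi],imm" reads from memory. */
static uint32_t load_le(const uint8_t *p, int width) {
    uint32_t v = 0;
    for (int i = width - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Model of "cmp <width> ptr [p],imm": 1 when ZF would be set (equal). */
static int cmp_mem_imm(const uint8_t *p, int width, uint32_t imm) {
    return load_le(p, width) == imm;
}

/* UTF-16LE encoding of an ASCII string: each char is followed by a 0 byte. */
static size_t to_utf16le(const char *s, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (; *s && n + 2 <= cap; s++) { out[n++] = (uint8_t)*s; out[n++] = 0; }
    return n;
}

/* The dword immediates a 4-byte compare needs: every little-endian dword
 * of the UTF-16LE buffer covers two characters (low word = first char). */
static size_t utf16le_dwords(const char *s, uint32_t *out, size_t max) {
    uint8_t buf[64];
    size_t n = to_utf16le(s, buf, sizeof buf), k = 0;
    for (size_t i = 0; i + 4 <= n && k < max; i += 4) out[k++] = load_le(buf + i, 4);
    return k;
}

int main(void) {
    /* The answer's example: decimal 41 at [edi], 1 at [edi+1]. */
    uint8_t mem[4] = {41, 1, 0, 0};
    printf("byte cmp 41     -> %s\n", cmp_mem_imm(mem, 1, 41) ? "equal" : "not equal");
    printf("word cmp 256+41 -> %s\n", cmp_mem_imm(mem, 2, 256 + 41) ? "equal" : "not equal");
    printf("word cmp 41     -> %s\n", cmp_mem_imm(mem, 2, 41) ? "equal" : "not equal");

    /* The question's string as UTF-16LE: a 1-byte constant like 41 only
     * matches as a byte compare; as a dword compare it needs 00420041. */
    uint32_t d[4];
    size_t k = utf16le_dwords("12345678", d, 4);
    for (size_t i = 0; i < k; i++) printf("dword %zu = %08X\n", i, d[i]);
    return 0;
}
```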
