VS2005 - Code bytes to asm instructions?

This might sound like a stupid question to some, but I am curious if I am able to convert code bytes into assembly instructions in VS2005

I ask this because I have been playing around with VS2005 and C++ with its _asm keyword and then seeing the code bytes in the Dissassembly window when debugging (Alt+8).

So I am wondering if I am able to do the reverse in visual studio 2005?


I found that I could do it this way:
1. creating a file and using a hex editor to manually enter the byte codes
2. Using CFF Explorer's Quick Disassembler (By NTCore.com) feature to view the instructions

although I am curious if there is any easier way, or if there is a way to do it in VS2005?
Thanks.




Edited by Matts_User_Name - 10 July 2009 at 3:20am

I tried it in ollydbg, but it appears to not work if it is not a valid executable (I am not really familiar with it anyway)
Plus I found that CFF Explorer's "Quick disassembler" was a lot easier/more sinple to use than olly. (olly is too scarry because of how cryptic & robust it appears)

But that method is for using hex bytes inside of files, and I am trying to do this in VS2005 if possible.
Ex:
In the editor, if I entered 68 then in the disassembler window would show a push.


see what I mean now?





Edited by Matts_User_Name - 10 July 2009 at 4:17am

of course that doesn't work.. you have __emit opcodes.. for that to work.. ;]

regards BanMe

Actually now experimenting with this for an hour or so I should clarify a few things for anyone else that comes across this in the future wondering the same thing (probably assembly noobs like me)

1. It appears that on the keywords emit and asm, there appears to be no difference between a single underscore _ or a double one __. Both work. (But any more than 2 or less than 1, will not)

2. semicolons on code inside asm{} blocks are not required.

3. To put an instruction on 1 line, this will actually NOT work and cause a different result (see the code bytes(opcodes) in the VS's Disassembly window, which is Alt+8 when debugging)
_emit(0xB8); _emit(0x00); _emit(0x00); _emit(0x00); _emit(0x00);

You either must put each emit on its own line like this: (BTW this is a mov eax, 0x00000000 instruction)
_emit 0xB8       
_emit 0x00
_emit 0x00
_emit 0x00
_emit 0x10


OR you can do this (I found this way from here  http://msdn.microsoft.com/en-us/library/1b80826t%28VS.80%29.aspx )

_asm _emit 0xB8 _asm _emit 0x00 _asm _emit 0x00 _asm _emit 0x00 _asm _emit 0x00
Note: The _asm keyword is REQUIRED before every _emit even when enclosed in an _asm{} block. Trust me I tried it various other ways.

OR even easier for multiple lines you could create a #define var like this:
#define bt _asm _emit
bt 0xB8 bt 0x00 bt 0x00 bt 0x00 bt 0x00


This is actually pretty cool how flexible "#define" can be (Nothing like that would ever go over well in VB6, haha)



Anyway, well that's it for for now.
Thanks for showing me the emit keyword BanMe. It was what I was seeking. It could have at least been named better than "emit", no wonder I couldn't find it, haha.

BTW, if anyone is curious what sparked my interest in this: It is because I am experimenting with code caves (just for fun really) in VB6 where I have to manually write in the code bytes (opcodes) to create a call stack, and I wanted to see what assembly instructions that VS2005's disassembly window translated some of the bytes to.


Edited by Matts_User_Name - 10 July 2009 at 9:12pm

"define byte" makes more sense to me than "emit".
When I hear emit I think of a flashlight, although I guess a mnemonic could be "emit" = light= flashlight = Windows Internals books = asm. lol.

I guess instead, one could do #define db _asm _emit
and use db [byte] instead of _emit [byte] in an _asm{} block or _asm _emit [byte]


BTW, @ wj32 congrats on the exam score. At first I thought TS was for Terminal Services, but I guess it is for Trouble Shooting


Edited by Matts_User_Name - 10 July 2009 at 11:31pm