VS2005 - Code bytes to asm instructions?

Originally posted by molotov TS stands for Technology Specialist, I believe. (And BTW - nice work, wj32!)

Thanks. That was 1.5 weeks ago...


Edited by wj32 - 11 July 2009 at 3:04am

"define byte" makes more sense to me than "emit".
When I hear emit I think of a flashlight, although I guess a mnemonic could be "emit" = light= flashlight = Windows Internals books = asm. lol.

I guess instead, one could do #define db _asm _emit
and use db [byte] instead of _emit [byte] in an _asm{} block or _asm _emit [byte]


BTW, @ wj32 congrats on the exam score. At first I thought TS was for Terminal Services, but I guess it is for Trouble Shooting


Edited by Matts_User_Name - 10 July 2009 at 11:31pm

Actually now experimenting with this for an hour or so I should clarify a few things for anyone else that comes across this in the future wondering the same thing (probably assembly noobs like me)

1. It appears that on the keywords emit and asm, there appears to be no difference between a single underscore _ or a double one __. Both work. (But any more than 2 or less than 1, will not)

2. semicolons on code inside asm{} blocks are not required.

3. To put an instruction on 1 line, this will actually NOT work and cause a different result (see the code bytes(opcodes) in the VS's Disassembly window, which is Alt+8 when debugging)
_emit(0xB8); _emit(0x00); _emit(0x00); _emit(0x00); _emit(0x00);

You either must put each emit on its own line like this: (BTW this is a mov eax, 0x00000000 instruction)
_emit 0xB8       
_emit 0x00
_emit 0x00
_emit 0x00
_emit 0x10


OR you can do this (I found this way from here  http://msdn.microsoft.com/en-us/library/1b80826t%28VS.80%29.aspx )

_asm _emit 0xB8 _asm _emit 0x00 _asm _emit 0x00 _asm _emit 0x00 _asm _emit 0x00
Note: The _asm keyword is REQUIRED before every _emit even when enclosed in an _asm{} block. Trust me I tried it various other ways.

OR even easier for multiple lines you could create a #define var like this:
#define bt _asm _emit
bt 0xB8 bt 0x00 bt 0x00 bt 0x00 bt 0x00


This is actually pretty cool how flexible "#define" can be (Nothing like that would ever go over well in VB6, haha)



Anyway, well that's it for for now.
Thanks for showing me the emit keyword BanMe. It was what I was seeking. It could have at least been named better than "emit", no wonder I couldn't find it, haha.

BTW, if anyone is curious what sparked my interest in this: It is because I am experimenting with code caves (just for fun really) in VB6 where I have to manually write in the code bytes (opcodes) to create a call stack, and I wanted to see what assembly instructions that VS2005's disassembly window translated some of the bytes to.


Edited by Matts_User_Name - 10 July 2009 at 9:12pm

of course that doesn't work.. you have __emit opcodes.. for that to work.. ;]

regards BanMe

I tried it in ollydbg, but it appears to not work if it is not a valid executable (I am not really familiar with it anyway)
Plus I found that CFF Explorer's "Quick disassembler" was a lot easier/more sinple to use than olly. (olly is too scarry because of how cryptic & robust it appears)

But that method is for using hex bytes inside of files, and I am trying to do this in VS2005 if possible.
Ex:
In the editor, if I entered 68 then in the disassembler window would show a push.


see what I mean now?





Edited by Matts_User_Name - 10 July 2009 at 4:17am