Reverse hex number in executable memory region

[Jabberwock]

Since in the memory the hex number is reversed, how can I reverse it to its right order without too much hassle?

Here is how it is in CE:



As you can see I want to reverse "54B0F801" to "01F8B054".
And how I "retrieve" it from that position?

[.::SCHiM::.]

What are you trying to do here?
Because I can tell you in advance that what you're planning is not the best way to go about it.

[Jabberwock]

I'm trying to retrieve an address. What do you mean it's not the best way?

I'm being assisted with a signature scanner.

[.::SCHiM::.]

If you want to read the bytes at that position you can just do so with a DWORD* pointer. The bytes will turn up in the right order (01f8b054).

EDIT:

I meant you can just use the bytes like you see them. The signature will be:

"\xa2\x54\xn0\xf8\x10" xxxxx

[Jabberwock]

And how I convert them to unsigned long?

Look, I have access to the bytes.
A_bytes[length] will output 54
A_bytes[length+1] will output BO

And so on.

What I need to do is reverse the bytes and return them as unsigned long, meaning the address.

[.::SCHiM::.]

unsinged long* s = (unsigned long*)&a_Bytes[ offset ];

There you have them. The bytes are 'reversed' to the right order by the mov instruction, this is hardware related there is no reason to try and reverse them in software. You should just use them as you see them. For more info search for big endian format, or little endian format.

[Jabberwock]

Your code give me the address to the container of 54.


OK I understood what to do. Thanks

[radnomguywfq3]

Windows is a little endian system, which is why it interprets dwords as a series of bytes where the last byte is the higher address and the first is the lower address. On a big endian system (some linux operating systems) it would be the other way around.

[.::SCHiM::.]

Linux uses that horrible at&t syntax too, it feels so counter intuitive to me :/ It's like doing:

5 = a int;

[radnomguywfq3]

Linux uses that horrible at&t syntax too, it feels so counter intuitive to me :/ It's like doing:

5 = a int;

Yeah I agree, I don't see the appeal of AT&T syntax :S

[.::SCHiM::.]

It's probably only because of GAS that everyone uses at&t in that crowd. Our preferences are basically determined by our experiences. Or maybe it's because all other assemblers were closed source

[ntKid]

Code:

DWORD ReverseDWORD( DWORD Original )
{
	BYTE Inv[ 4 ] = { 
		( Original >> 24 ) & 0xFF, 
		( Original >> 16 ) & 0xFF, 
		( Original >> 8 ) & 0xFF, 
		( Original >> 0 ) & 0xFF 
	};
	return *( PDWORD )Inv;
}

DWORD Add = ReverseDWORD( 0xAABBCCDD ); //output is 0xDDCCBBAA



---- Here is a more reduced way of doing it inline with a macro.

Code:

#define INVERSE_DWORD( Original ) ( ( DWORD )( ( ( ( ( Original >> 0 ) & 0xFF ) & 0xFF ) << 24 )|( ( ( ( Original >> 8 ) & 0xFF ) & 0xFF ) << 16 )|( ( ( ( Original >> 16 ) & 0xFF ) & 0xFF ) << 8 )|( ( ( Original >> 24 ) & 0xFF ) & 0xFF ) ) )

DWORD Add = INVERSE_DWORD( 0xAABBCCDD );//output is 0xDDCCBBAA

['Bruno]

I used AT&T Syntax for some time on university projects, and tbh I cant be bothered to switch to Intel syntax.

Its like you say, "Our preferences are basically determined by our experiences.".

Not saying it is better or worst.

[Jabberwock]

You can close the thread now.

['Bruno]

Closed and marked solved as requested.