Question about vb pcode
FISAT
March 8th, 2004, 10:42
Hi to all
Is it possible to put a NOP in vb pcode? If so, which is the opcode value?
thanx
sarge
March 10th, 2004, 18:47
The answer is both "Yes" and "No".
If you are looking for a magic single byte value that you can use to overwrite/bypass unwanted pcodes, then there isn't anything that suitable for a "no-brainer" substitution. And, considering the way pcode is used, you shouldn't expect any; why create a token that does nothing? Instead, you would of course simply just not put a token in the code. Even the concept of two mutually opposing opcodes (like the old "Push-Pop" sequence) won't necessarily work cleanly.
However, if you are looking to bypass a pcode sequence (like an unwanted call, or a byte comparison routine), then there IS hope:
1. If there is an even number of bytes to bypass (the byte count has to include both the opcode itself as well as the parameters), you can usually replace the offending sequence with the byte sequence "0x00 0x00 0x00 0x00...". This works because the opcode sequence you are then using is "0x00 0x00", repeated as needed. This sequence is not a "NOP", but is rather more of a "Do something, but make sure it's insignificant". Usually, it's insignificant enough to not harm the code.
2. If there is an odd number of bytes to bypass, you can use the same concept; use the "0x00 0x00" trick. Except here, you replace the last three bytes with "0x1E, 0x03, 0x00". This works because this sequence is a "branch to the next opcode" operation. So, the end result is a series of insignificant-do-somethings, followed by a jump to the next command (which is where the code is going anyway!).
Hope this info gives you enough of a start; just don't expect the above concepts to be a cure-all.
Sarge
sarge
September 10th, 2004, 10:26
A minor error was pointed out to me by a friend. The statement (in step #2):
"last three bytes" should be "first three bytes". This properly results in a jump to the first of the "0x00, 0x00" sequences.
Thanks to "void" for pointing this out.
Sarge
dELTA
September 10th, 2004, 17:27
If the even pairs of 0x00 are practically equivalent to NOPs, and those three bytes are "branch to the next opcode" as you say, why doesn't it work either way (i.e. the three bytes either before or after the 0x00 pairs)?
sarge
September 11th, 2004, 17:34
Yup, you are right, you would think that it should work that way. But I mis-analyzed the usage of those three bytes. It would be more correct to say that they mean "branch to the byte at the third OFFSET" (which is the fourth byte). So, that byte sequence can only go at the beginning of your desired NOP code sequence. That way, the first thing that would happen is, three bytes of code are used up to get to the fourth byte; then, the fourth byte begins the remaining groups of NOP pairs.
Thus, you have the desired effect of an odd number of bytes being NOP'ed out.
Sorry for the error, I remember doing that in the wee hours of the morning. It worked on a 3 byte sequence, so it looked like it jumped over 3 bytes; instead, it was actually jumping to the fourth byte, which happened to already be the end of the test sequence.
My apologies... next time I'll test more fully.
Sarge
br00t_4_c
September 13th, 2004, 17:41
Just for the record: PCode makes me feel "stabby"