Admiral
January 28th, 2006, 14:26
I'll just reiterate what naides said:
The column width of a hex-editor is purely aesthetic and varies from one editor to the next. Common values will be powers of two and multiples of four.
Regarding instruction lengths: x86 instructions vary from one byte in length to (in theory) fifteen, though you'll rarely see anything above eight. However, there should be no mystery as to how long your instruction is. Whatever debugger you're using, it should give you a few fields of information for every instruction, in its disassembly window. Usually these will include:
The virtual address (VA) of the instruction
The opcodes of the instruction
The mnemonics of the instruction
along with information regarding branching, prefixes, comments and any references to remarkable memory locations. For example (a snippet from ntdll's exception handling code):
Code:
7C90EAFF   59            POP ECX
7C90EB00   6A 00         PUSH 0
7C90EB02   51            PUSH ECX
7C90EB03   E8 11EBFFFF   CALL ntdll.ZwContinue
7C90EB08   EB 0B         JMP SHORT ntdll.7C90EB15
Suppose you wanted to NOP the JMP SHORT.
You'd first locate the address of the instruction. Obviously, this is 0x7C90EB08 in memory, but it would be different if you wanted to patch ntdll.dll on disk... This, of course, isn't advisable.

Second, you'd make sure that you have the bytes EB 0B at your cursor; next, you'd overwrite the two of them with 90.
So in general, if you're planning to NOP an instruction, the number of 0x90s needed will be exactly the length (in bytes) of the entry in the opcode field.
However, if you're only patching in memory, you're taking three sides of a square. Any debugger worth the disk-space it's written on will have a one- or two-click (or one or two word) feature for NOPing the instruction at any given address. I know there are at least three easy ways to do this from OllyDbg, and I can only assume that SoftICE can do the same with a 1-parameter command.
Regards
Admiral
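
An added example, not part of Admiral's post: the rule above (one 0x90 per byte in the opcode field) applied to the listing from the post, with the two checks a careful patcher makes first, namely that each opcode length agrees with the next address and that the expected bytes really are at the target. The function names and the in-memory buffer are assumptions built for the illustration.

```python
import re

# Listing copied from the post: address, opcode bytes, mnemonic.
LISTING = """\
7C90EAFF 59 POP ECX
7C90EB00 6A 00 PUSH 0
7C90EB02 51 PUSH ECX
7C90EB03 E8 11EBFFFF CALL ntdll.ZwContinue
7C90EB08 EB 0B JMP SHORT ntdll.7C90EB15
"""

HEX_GROUP = re.compile(r"(?:[0-9A-Fa-f]{2})+")  # one opcode-field group, e.g. 11EBFFFF


def parse_listing(text):
    """Return [(va, opcode_bytes)] and cross-check lengths against the next VA."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        va, groups = int(tokens[0], 16), []
        for tok in tokens[1:]:
            if not HEX_GROUP.fullmatch(tok):
                break  # first non-hex token starts the mnemonic
            groups.append(tok)
        rows.append((va, bytes.fromhex("".join(groups))))
    for (va, raw), (next_va, _) in zip(rows, rows[1:]):
        if va + len(raw) != next_va:
            raise ValueError(f"opcode length mismatch at {va:08X}")
    return rows


def nop_out(image, base_va, va, expected):
    """Overwrite the instruction at va with 0x90s, only if `expected` is there."""
    off = va - base_va
    if bytes(image[off:off + len(expected)]) != expected:
        raise ValueError(f"unexpected bytes at {va:08X}, refusing to patch")
    image[off:off + len(expected)] = b"\x90" * len(expected)
    return len(expected)


def demo():
    rows = parse_listing(LISTING)
    base_va = rows[0][0]
    image = bytearray(b"".join(raw for _, raw in rows))  # constructed buffer
    va, raw = rows[-1]                                    # the JMP SHORT
    return nop_out(image, base_va, va, raw), image.hex(" ").upper()


if __name__ == "__main__":
    print(demo())
```

A mnemonic spelled entirely with an even number of hex digits (FADD, for instance) would be taken for opcode bytes by the greedy split; the next-address cross-check is what catches that case.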