need help with asm (using mac)

[Cheetoz]

So there is this binary I want to edit. I want to change the x86 asm

mov    (%rax),%eax

to

mov %rax,FFFh

.

gdb told me what the opcode was for the original, and I found its location using a hex editor. But how do I obtain the opcodes for the new operation I want to replace it? Can I use nasm or something else to convert just a single operation to hex opcode?

Thanks

 

[jimmyb]

Run nasm using the binary output format "-f bin" and you'll just get the opcode output.

 

[pxc]

So there is this binary I want to edit. I want to change the x86 asm
...
to

mov %rax,FFFh

It should be this:
48 C7 FF 0F 00 00

There may be more bytes in the replacement instruction (mov rax, imm32) than original, so good luck with the substitution.

Note that this mode will sign extend the immediate value provided, so if bit 31 is set, expect rax bits 32-63 to also be set.

 

[Cheetoz]

how'd you get that, nasm told me

48B8FF0F000000000000

which in gdb gave me

mov    $0x4890909000000fff,%rax

And those 90's were suppose to be NOP

I tried your code, and it gave me

rex.W (bad)  
decl   (%rdi)
add    %al,(%rax)

 

[pxc]

how'd you get that,

It's a mistake. Without an assembler handy, I looked up the opcode in the instruction set reference and didn't include the correct byte for mov rax, imm32 so it's not decoding properly. I was trying to save 4 bytes if they weren't needed for a full mov rax, imm64.

If you have 10 bytes to replace the original "mov (%rax),%eax" with "mov %rax, FFFh", the code nasm gave you is correct of course (48 B8 FF 0F 00 00 00 00 00 00). Otherwise you may be overwriting other code beyond the original "mov (%rax),%eax".

 

[Cheetoz]

yeah, I miscounted and only had 9 bytes free. So I could only fit a mov for eax and not rax.

thanks for the help!!