--- Alex Ionescu ionucu@videotron.ca wrote:
mrnobo1024 wrote:
--- Alex Ionescu ionucu@videotron.ca wrote:
I meant that instead of mov edx,[esp+8] mov eax,[esp+4] it could be mov edx,[esp+4] mov eax,[esp+8]. I don't think that would affect instruction
pairing.
That wouldn't swap them... you would just be inverting the bytes. Each ULONG must be swapped here.
Which can be done without an explicit swap. Just change the way they're read from the stack. As an example, suppose you're calling it with 0x0011223344556677:
edx eax ecx mov edx, [esp+8] 00112233 mov eax, [esp+4] 00112233 44556677 bswap edx 33221100 44556677 bswap eax 33221100 77665544 mov ecx, eax 33221100 77665544 77665544 mov eax, edx 33221100 33221100 77665544 mov edx, ecx 77665544 33221100 77665544
mov edx, [esp+4] 44556677 mov eax, [esp+8] 44556677 00112233 bswap edx 77665544 00112233 bswap eax 77665544 33221100
They both give the correct answer in edx:eax, but the second would swap the ulongs implicitly by reading the high ulong into eax and the low one into edx. Much like how RtlUshortByteSwap works, but with ulongs instead of bytes.
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com