[Jochen]

Here's an example on how you can move bytes to memory instead of using the normal WinAPI.

Code:

include 'win32ax.inc'

buf db  0x3A, 0x9C, 0x00, 0xE6, 0xB5, 0xE6, 0xE1, 0xE7, 0xFC, 0xFB, 0xF2, 0xB5,\
        0xE2, 0xF4, 0xE6, 0xB5, 0xF0, 0xFB, 0xF6, 0xE7, 0xEC, 0xE5, 0xE1, 0xF0,\
        0xF1, 0xB5, 0xF7, 0xF0, 0xF3, 0xFA, 0xE7, 0xF0, 0x95
buflen = $ - buf

Dst rb buflen; Give Dst the space it needs

main:
     stdcall XorStr, buf, buflen, 0xfc9d9a6e
     stdcall CopyMem,Dst,buf,buflen
     invoke MessageBox,0,Dst,'CopyMem',MB_OK
     invoke ExitProcess,0
.end main


proc CopyMem lpDest:DWORD, lpSrc:DWORD, lpLen:DWORD
mov esi, [lpSrc]
mov edi, [lpDest]
mov ecx, [lpLen]
rep movsb
ret
endp

proc XorStr Start, Size, Key
pushad
mov  esi,[Start]
mov  eax,[Key]
mov  ecx,[Size]
@@: xor  dword [esi],eax
inc  esi
loop @B
popad
leave
retn
endp

[bitm0de]

Here's an example on how you can move bytes to memory instead of using the normal WinAPI.

Code:

include 'win32ax.inc'

buf db  0x3A, 0x9C, 0x00, 0xE6, 0xB5, 0xE6, 0xE1, 0xE7, 0xFC, 0xFB, 0xF2, 0xB5,\
       0xE2, 0xF4, 0xE6, 0xB5, 0xF0, 0xFB, 0xF6, 0xE7, 0xEC, 0xE5, 0xE1, 0xF0,\
       0xF1, 0xB5, 0xF7, 0xF0, 0xF3, 0xFA, 0xE7, 0xF0, 0x95
buflen = $ - buf

Dst rb buflen; Give Dst the space it needs

main:
    stdcall XorStr, buf, buflen, 0xfc9d9a6e
    stdcall CopyMem,Dst,buf,buflen
    invoke MessageBox,0,Dst,'CopyMem',MB_OK
    invoke ExitProcess,0
.end main


proc CopyMem lpDest:DWORD, lpSrc:DWORD, lpLen:DWORD
mov esi, [lpSrc]
mov edi, [lpDest]
mov ecx, [lpLen]
rep movsb
ret
endp

proc XorStr Start, Size, Key
pushad
mov  esi,[Start]
mov  eax,[Key]
mov  ecx,[Size]
@@: xor  dword [esi],eax
inc  esi
loop @B
popad
leave
retn
endp

This won't work for overlapping buffers though.

[Jochen]

@bitm0de: Can you explain what you mean with "overlapping buffers" ?
I think your talking about something totally different ..

[bitm0de]

@bitm0de: Can you explain what you mean with "overlapping buffers" ?
                      I think your talking about something totally different ..

Nope. I'm talking specifically about copying memory from src to dst when those memory regions are overlapping. 'rep movsb' was not designed for this. A better implementation would check the offsets to make sure that this isn't the case, and use some other looping method perhaps to copy bytes from src to dst instead in such a case.

[Jochen]

@bitm0de: Can you explain what you mean with "overlapping buffers" ?
                      I think your talking about something totally different ..

Nope. I'm talking specifically about copying memory from src to dst when those memory regions are overlapping. 'rep movsb' was not designed for this. A better implementation would check the offsets to make sure that this isn't the case, and use some other looping method perhaps to copy bytes from src to dst instead in such a case.

@bitm0de: Okay .. I found quote "The source memory block, which is defined by Source and Length, can overlap the destination memory block, which is defined by Destination and Length." But i still dont understand what overlapping means here .. I always used this proc as an replacement of the RtlCopyMemory API with no problems" The quote comes from https://msdn.microsoft.com/en-us/library...s.85).aspx So you are right in every way, but i still have allot to learn still... thx for the comment

[bitm0de]

The misleading thing here is that in most cases while debugging, IDA for instance will replace instances of memcpy with rep movsb, but I'm pretty sure that is a conditional replacement if found that the memory regions do not contain addresses and offsets that interfere with each other. For the most part it's an optimization thing. Things like memmove do support overlapping memory blocks and won't invoke undefined behavior like memcpy will.

[Jochen]

The misleading thing here is that in most cases while debugging, IDA for instance will replace instances of memcpy with rep movsb, but I'm pretty  sure that is a conditional replacement if found that the memory regions do not contain addresses and offsets that interfere with each other. For the most part it's an optimization thing. Things like memmove do support overlapping memory blocks and won't invoke undefined behavior like memcpy will.

Okay thx for the info. i like learning new things once in while.