Code:
.
.
.
mov esi,OFFSET RecordBuffer
.IF word PTR [esi+71] == "16"
jmp cont
.ELSEIF word PTR [esi+71] != "24"
jmp @B
.ENDIF
cont:
.
.
.
In this text, ASCII, RecordBuffer, position 71 does, indeed, contain "16". But when using OllyDbg, the code is "3631", which is correct. Olly, in a comparison, does not see that as equal or zero flag = 0, and does a jnz when it should be je.
What am I missing?
Thanks,
Jim
Is my problem because I am using 'word ptr' instead of two separate byte comparisons, '31' with '1' and '36' with '6'?
Yes, it would be better to look at them as bytes (to minimise confusion). Remember, in memory, it will be arranged in little endian (bytes are arranged from least significant and up for "grouped bytes"). So while the word (2 bytes interpreted "grouped together") represents "16", in memory, they are arranged as if it were '6','1'.
I fixed the problem with:
Code:
mov esi,OFFSET RecordBuffer
.IF ((byte ptr [esi+71] == "1") && (byte ptr [esi+72] == "6"))
jmp cont
.ELSEIF ((byte ptr [esi+71] == "2") && (byte ptr [esi+72] == "4"))
jmp cont
.ENDIF
jmp @B
cont:
Thanks Jeff
Jim
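An added example, not part of the original thread: a C model of the comparison discussed above, showing the value a `word ptr` load produces from the two ASCII bytes next to the value MASM gives the constant "16" (first character in the high byte), and a byte-wise check that does not depend on byte order. The function names and the 80-byte sample record are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_OFFSET 71 /* offset used in the thread */

/* Model of an x86 `word ptr` load: the byte at the lower address
   becomes the low byte of the 16-bit value. */
uint16_t load_word_le(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* How MASM packs a two-character constant such as "16":
   the first character ends up in the high byte. */
uint16_t masm_char_const(char first, char second) {
    return (uint16_t)(((unsigned char)first << 8) | (unsigned char)second);
}

/* Byte-wise field comparison with a bounds check on the record. */
int field_is(const unsigned char *rec, size_t len, size_t off, const char *two) {
    if (off + 2 > len)
        return 0; /* field would run past the end of the record */
    return memcmp(rec + off, two, 2) == 0;
}

/* Constructed sample record: spaces with "16" at FIELD_OFFSET. */
size_t make_sample_record(unsigned char *rec, size_t cap) {
    memset(rec, ' ', cap);
    memcpy(rec + FIELD_OFFSET, "16", 2);
    return cap;
}

int main(void) {
    unsigned char rec[80];
    size_t len = make_sample_record(rec, sizeof rec);
    uint16_t w = load_word_le(rec + FIELD_OFFSET);

    printf("word load   : %04X\n", w);                         /* value the debugger shows */
    printf("\"16\" const  : %04X\n", masm_char_const('1', '6')); /* what the .IF compares against */
    printf("\"61\" const  : %04X\n", masm_char_const('6', '1')); /* swapped constant matches the load */
    printf("bytewise 16 : %d\n", field_is(rec, len, FIELD_OFFSET, "16"));
    printf("bytewise 24 : %d\n", field_is(rec, len, FIELD_OFFSET, "24"));
    return 0;
}
```
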