While disassembling the same program using OllyDbg and IDA Pro, I get one line of code disassembled in different ways.

OllyDbg:

    MOVSX EDX,BYTE PTR [ESP+ECX+8]

IDA:

    MOVSX EDX, [ESP+ECX+68h+String]

Can someone explain what IDA Pro means here? I am frustrated by the 68h+String part. Can I assume that 68h+String always means BYTE PTR?

IDA should have declared String to be a local variable with a value of -60h; look at the start of the function/procedure.

    ( 68 + String ) == ( 68 + (-60) ) == ( 68 - 60 ) == 8

This is the same as what OllyDbg shows.

IDA's disassembly syntax tends to be confusing. As an example, OllyDbg will show

    00405712 8B4424 30 MOV EAX, DWORD PTR SS:[ESP+30]

while IDA would show

    text:00405712 mov eax, [esp+1Ch+arg_4]

because at the start of the function IDA has defined arg_4 as

    .text:004056E0 arg_4 = dword ptr 14h

that is,

    14h + 1Ch == 30h

If you do not prefer IDA's syntax but would like to see a straight [esp+30], you can run this script: press Shift+F2, paste it and press OK.

Beware: all IDA IDC functions are too slow for any mass operations. Instead of MaxEA(), curtail it to some smaller block for a faster result in the snippet below.
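
    auto i;
    // Walk every defined item (head) from the first to the last address.
    for ( i = MinEA() ; i < MaxEA() ; i = NextHead(i, MaxEA()) )
    {
        // -1 selects all operands: show them as plain hex numbers.
        OpHex(i, -1);
    }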
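
The arithmetic in the answer above, as an added Python example that is not part of the original post: it reads IDA-style stack-variable declarations and rewrites an IDA operand as a raw offset, taking the size keyword from the variable's declaration. The function names `parse_header` and `to_raw` are hypothetical, and the `byte ptr` type on the `String` line is an assumption (the answer gives only its value, -60h).

```python
import re

# Stack-variable declarations as IDA lists them at the top of a function.
# The arg_4 line is quoted from the answer; the String line is constructed
# from the answer's value of -60h, and its "byte ptr" type is an assumption.
HEADER = """\
String = byte ptr -60h
.text:004056E0 arg_4 = dword ptr 14h
"""

# Optional "segment:address" prefix, then: name = <size> ptr [-]<hex>[h]
DECL = re.compile(
    r"^\s*(?:\.?\w+:[0-9A-Fa-f]+\s+)?(\w+)\s*=\s*(\w+) ptr\s+(-?)([0-9A-Fa-f]+)h?\s*$")
TERM = re.compile(r"([+-]?)\s*([^+\-\s]+)")      # one signed term of the operand
NUMBER = re.compile(r"^[0-9][0-9A-Fa-f]*[hH]?$")  # IDA hex literals start with a digit


def parse_header(text):
    """Map each stack-variable name to (size keyword, signed offset)."""
    table = {}
    for line in text.splitlines():
        m = DECL.match(line)
        if m:
            name, size, minus, digits = m.groups()
            value = int(digits, 16)
            table[name] = (size.upper(), -value if minus else value)
    return table


def to_raw(operand, table):
    """Rewrite an IDA memory operand such as [esp+1Ch+arg_4] with a raw offset."""
    regs, disp, size = [], 0, None
    for sign, term in TERM.findall(operand.strip().strip("[]")):
        k = -1 if sign == "-" else 1
        if term in table:                  # named stack variable: add its offset
            size, offset = table[term]
            disp += k * offset
        elif NUMBER.match(term):           # numeric displacement
            disp += k * int(term.rstrip("hH"), 16)
        else:                              # anything else is a register
            regs.append(term.upper())
    body = "+".join(regs) + (format(disp, "+X") if disp else "")
    return (size + " PTR " if size else "") + "[" + body + "]"


if __name__ == "__main__":
    names = parse_header(HEADER)
    for op in ("[ESP+ECX+68h+String]", "[esp+1Ch+arg_4]"):
        print(op, "->", to_raw(op, names))
```

The output omits the `SS:` segment prefix that OllyDbg prints in front of the second operand.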