Tags: windows, assembly, x86, relocation, aslr

Does the loader rewrite absolute addresses in machine code?


Let's say I have the following: a preferred image base of 0x40000, and the fact that ASLR is being used.

Am I correct if I say that the translation would be done like this:

(OG)

0004232f 8b 45 00                     MOV          EAX,dword ptr [EBP]
00042332 a3 64 00 6C 00               MOV          [006C0064],EAX
00042337 8b 45 04                     MOV          EAX,dword ptr [EBP + 0x4]

(After ASLR)

0066232f 8b 45 00                     MOV          EAX,dword ptr [EBP]
00662332 a3 64 20 72 00               MOV          [00722064],EAX
00662337 8b 45 04                     MOV          EAX,dword ptr [EBP + 0x4]

Is there anything else I overlook that could change the byte order on load?


Solution

  • In 32-bit Windows all DLL files and many (but not all) EXE files have a so-called "Base Relocation Table". This table contains a list of all absolute addresses contained in the file.

    In your example, there is an absolute address (0x006C0064) stored at address 0x00042333. The table will contain an entry saying that there is an absolute address stored at 0x00042333.

    When the executable file or dynamic library is loaded to another address, the loader will indeed "rewrite" all these addresses. However, "rewriting" is quite a simple operation: a fixed value must simply be added to all these addresses.

    Please note that this concept is completely different from the concept used by Linux and other OSs.
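To make the answer's rule concrete, here is an added example (not from the question or the answer) that applies a PE base relocation block to the question's three instructions. The image buffer and the single `.reloc` block are constructed for the demo; the code bytes, the preferred base 0x40000 and the post-ASLR code address 0x0066232f come from the question, which gives a delta of 0x620000.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry, no fixup performed
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address: add the whole delta

def apply_relocations(image, reloc_data, preferred_base, actual_base):
    """Apply a PE .reloc section to an in-memory image (a bytearray indexed by
    RVA) and return the (rva, old_value, new_value) fixups that were applied."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    fixups, pos = [], 0
    while pos + 8 <= len(reloc_data):
        # IMAGE_BASE_RELOCATION header: page RVA, total block size (header included)
        page_rva, block_size = struct.unpack_from("<II", reloc_data, pos)
        if block_size < 8 or (block_size - 8) % 2 or pos + block_size > len(reloc_data):
            raise ValueError("malformed relocation block")
        for off in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", reloc_data, off)[0]
            reloc_type, page_off = entry >> 12, entry & 0xFFF
            if reloc_type == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if reloc_type != IMAGE_REL_BASED_HIGHLOW:
                raise NotImplementedError(f"relocation type {reloc_type}")
            rva = page_rva + page_off
            old = struct.unpack_from("<I", image, rva)[0]
            new = (old + delta) & 0xFFFFFFFF
            struct.pack_into("<I", image, rva, new)
            fixups.append((rva, old, new))
        pos += block_size
    return fixups

def relocate_question_example():
    """The question's instructions at RVA 0x232f of a constructed image whose
    preferred base is 0x40000; ASLR maps it at 0x660000 (0x0066232f - 0x232f)."""
    preferred_base, actual_base = 0x40000, 0x660000
    image = bytearray(0x3000)
    code = bytes.fromhex("8b4500" "a364006c00" "8b4504")
    image[0x232f:0x232f + len(code)] = code
    # Constructed .reloc block for the page at RVA 0x2000: one HIGHLOW entry for
    # the imm32 operand at RVA 0x2333, plus an ABSOLUTE entry to pad to 4 bytes.
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x333, IMAGE_REL_BASED_ABSOLUTE << 12]
    reloc = struct.pack("<II", 0x2000, 8 + 2 * len(entries))
    reloc += struct.pack("<%dH" % len(entries), *entries)
    fixups = apply_relocations(image, reloc, preferred_base, actual_base)
    return fixups, bytes(image[0x232f:0x232f + len(code)])

if __name__ == "__main__":
    for rva, old, new in relocate_question_example()[0]:
        print(f"fixup at RVA {rva:#06x}: {old:#010x} -> {new:#010x}")
```

Only the four operand bytes of the `MOV [imm32],EAX` instruction change; the opcodes and the EBP-relative operands are untouched because they are not in the table.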