
assembly - Msfvenom Messagebox payload raw to shellcode doesn't work (disassemble with ndisasm and reassemble) - Stack O


I would like to generate the messagebox payload from msfvenom x64 in raw to disassemble it in asm. My goal is to use it as a base and develop on it.

Here is how I generate my payloads:

msfvenom -p windows/x64/messagebox TEXT='Hello, World!' TITLE='Shellcode' -a x64 --platform windows -f raw > orig.bin
echo "BITS 64" > shellcode.asm
ndisasm -b 64 orig.bin | awk '{ $1=""; $2=""; sub(/^  /, ""); print }' >> shellcode.asm
nasm -f bin shellcode.asm -o shellcode.o

Here is disassembly of the original and the disassembled + reassembled version:

orig.bin

shellcode.o

My problem is that shellcode.o, that I can edit, doesn't work (btw the instructions are not exactly the same). As we can see, the first jump to 0xDD is not correct. I tried to fix the jumps with labels and that's fixed, but now there is a problem with searching through the modules:

However, when I generate for C like that:

msfvenom -p windows/x64/messagebox TEXT='Hello, World!' TITLE='Shellcode' -a x64 --platform windows -f c > shellcode.c

It gives an output that works.

unsigned char shellcode[] =
"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xcc\x00\x00\x00\x41"
"\x51\x41\x50\x52\x51\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
"\x8b\x52\x18\x48\x8b\x52\x20\x56\x48\x0f\xb7\x4a\x4a\x48"
"\x8b\x72\x50\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02"
"\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51"
"\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18"
"\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00"
"\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x44\x8b\x40\x20\x49"
"\x01\xd0\x8b\x48\x18\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88"
"\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d"
"\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39"
"\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
"\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48"
"\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41"
"\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x4b\xff\xff\xff\x5d\xe8\x0b\x00\x00\x00\x75"
"\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\x59\x41\xba\x4c"
"\x77\x26\x07\xff\xd5\x49\xc7\xc1\x00\x00\x00\x00\xe8\x0e"
"\x00\x00\x00\x48\x65\x6c\x6c\x6f\x2c\x20\x77\x6f\x72\x6c"
"\x64\x20\x00\x5a\xe8\x0a\x00\x00\x00\x53\x68\x65\x6c\x6c"
"\x63\x6f\x64\x65\x00\x41\x58\x48\x31\xc9\x41\xba\x45\x83"
"\x56\x07\xff\xd5\x48\x31\xc9\x41\xba\xf0\xb5\xa2\x56\xff"
"\xd5";

  1. Does anyone know why it doesn't work?
  2. Why is my output different from msfvenom's? Is there a way to get the same thing?
  3. Does anyone have a PIC PEB-based lookup in asm that works?

My basic temporary loader.c:

#include <windows.h>
#include <stdio.h>
#include <string.h>   /* memcpy */

%SHELLCODE%

void execute_shellcode() {
    /* RWX page that receives a copy of the payload; NULL means the allocation failed */
    void *exec_mem = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (exec_mem == NULL) {
        fprintf(stderr, "VirtualAlloc failed: %lu\n", GetLastError());
        return;
    }
    memcpy(exec_mem, shellcode, sizeof(shellcode));
    /* Jump into the copied bytes; the payload does not return here if it calls ExitProcess */
    ((void(*)())exec_mem)();
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    // Execute payload
    execute_shellcode();
    return (0);
}

Here are the versions of the utilities:

NASM version 2.16.03 compiled on Apr 17 2024  
NDISASM version 2.16.03 compiled on Apr 17 2024

$ x86_64-w64-mingw32-gcc -v
Using built-in specs.
COLLECT_GCC=x86_64-w64-mingw32-gcc
...
gcc version 14.2.0 (GCC)
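As an added example that is not part of the question, and not code from msfvenom, nasm or ndisasm: a small Python scanner for the call-over-inline-data idiom this payload uses. The strings `user32.dll`, the TEXT and the TITLE sit directly after a `call rel32` that skips over them (the pushed return address becomes the string pointer), so a linear disassembler like ndisasm decodes those bytes as instructions and reassembling that listing is not guaranteed to reproduce them. The scanner parses the `-f c` output, locates those data spans and emits nasm `db` directives for them; the sample input is the tail of the payload shown above (from the `pop rbp` at the call target onwards), embedded here as a constructed string.

```python
import re
import struct

# Constructed sample: the last 92 bytes of the msfvenom output quoted in the
# question, starting at the `5d` (pop rbp) that the first call lands on.
SAMPLE_C = r'''
"\x5d\xe8\x0b\x00\x00\x00\x75\x73\x65\x72\x33\x32\x2e\x64"
"\x6c\x6c\x00\x59\x41\xba\x4c\x77\x26\x07\xff\xd5\x49\xc7"
"\xc1\x00\x00\x00\x00\xe8\x0e\x00\x00\x00\x48\x65\x6c\x6c"
"\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x20\x00\x5a\xe8\x0a\x00"
"\x00\x00\x53\x68\x65\x6c\x6c\x63\x6f\x64\x65\x00\x41\x58"
"\x48\x31\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\x48\x31\xc9"
"\x41\xba\xf0\xb5\xa2\x56\xff\xd5";
'''


def parse_c_literal(text: str) -> bytes:
    """Turn msfvenom's `-f c` string literal ("\\x..\\x..") into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_inline_strings(code: bytes):
    """Return (data_offset, length, text) for every `call rel32` (E8 xx xx xx xx)
    whose target lies just past a NUL-terminated printable run: the bytes the
    call skips are data, not code, even though ndisasm will decode them."""
    found = []
    for i in range(len(code) - 5):
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]   # signed rel32
        start, end = i + 5, i + 5 + rel
        if not (1 < rel <= 0xFFF) or end > len(code):
            continue
        data = code[start:end]
        if data[-1] == 0 and all(0x20 <= b < 0x7F for b in data[:-1]):
            found.append((start, rel, data[:-1].decode("ascii")))
    return found


def nasm_db_lines(code: bytes):
    """nasm `db` directives that keep each data span byte-exact on reassembly."""
    lines = []
    for off, n, s in find_inline_strings(code):
        q = '"' if "'" in s else "'"          # nasm accepts either quote style
        lines.append(f"db {q}{s}{q}, 0    ; {n} data bytes at offset 0x{off:04x}")
    return lines


if __name__ == "__main__":
    for line in nasm_db_lines(parse_c_literal(SAMPLE_C)):
        print(line)
```

Run against the full `-f c` output, the same scanner reports the three spans at their real offsets, which is where the listing produced by `ndisasm | awk` needs `db` lines instead of decoded instructions.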
