Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

JMP to absolute address (op codes)

Tags:

x86

assembly

executable

opcode

masm

I'm trying to code a exe packer/protector as a way of learning more about assembler, c++, and how PE files work. I've currently got it working so the section containing the EP is XORed with a key and a new section is created that contains my decryption code. Everything works out great except when I try and JMP to the original EP after decryption.

Basically I do this:

DWORD originalEntryPoint = optionalHeader->AddressOfEntryPoint;
// -- snip -- //
    crypted.put(0xE9);
 crypted.write((char*)&orginalEntryPoint, sizeof(DWORD));

But instead of it jumping to the entry point, ollydbg shows that this code disassembles to:

00404030   .-E9 00100000    JMP 00405035 ; should be 00401000 =[

and when I try to change it manually in olly the new opcode shows up as

00404030    -E9 CBCFFFFF    JMP crypted.00401000

Where did 0xCBCFFFFF come from? How would I generate that from the C++ side?

like image 370
Christopher Tarquini Avatar asked Oct 09 '09 21:10

Christopher Tarquini

People also ask

What does the jmp instruction do?

In the x86 assembly language, the JMP instruction performs an unconditional jump. Such an instruction transfers the flow of execution by changing the program counter.

Does jmp affect the stack?

The stack and frame pointers deal with location of the data. jmp instructions deal with location of the code. Unless something drastic happens, one should not affect the other.

How many bytes is jmp instruction?

With the pointer method, the segment and address of the called procedure is encoded in the instruction, using a 4-byte (16-bit operand size) or 6-byte (32-bit operand size) far address immediate.

1 Answers

opcode for absolute indirect jump is FF + 4byte address. This is most often used for jumptables of addresses stored in data.

Absolute addresses do require relocation when not loaded to the expected address, so relative addresses are generally preferred. Code for relative jumps is also 2 bytes smaller.

Intel optimization manual states that the cpu expects call and ret to be used in pairs, so the ret without a call suggested in answer 2 would cause what they call a "performance penalty".

Also, if the code was not loaded to the same address that the compiler assumed, the ret would probably crash the program. It would be safer to calculate a relative address.

like image 125
Ann Avatar answered Sep 19 '22 14:09

Ann
Sign in to Comment

Related questions

Measure CPU speed by counting assembly instructions
what does "outb" in AT&T asm mean?
Using a virtual machine to learn assembly
How do I decompile a .hex file into C++ for Arduino?
Difference between .equ and .word in ARM Assembly?
Linux kernel assembly and logic
With variable length instructions how does the computer know the length of the instruction being fetched? [duplicate]
Programming Environment for a Motorola 68000 in Linux
LOOP, LOOPE, LOOPNE?
Equivalent for GCC's naked attribute
How does argument passing work?
Why is this inline assembly not working with a separate asm volatile statement for each instruction?
How to make the kernel for my bootloader?
Are programming languages and methods inefficient? (assembler and C knowledge needed)
AND faster than integer modulo operation?
What kind of projects (besides the obvious OS stuff) use assembly language?
Is mov %esi, %esi a no-op or not on x86-64?
GCC C++ Exception Handling Implementation
Understanding MRC on ARM7
Why is 1.0f in C code represented as 1065353216 in the generated assembly?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!