call a (relative) virtual address

[n00b!]

Hello,
I'm sorry, but I have again some noobish and basic questions:

VA (Virtual Address): This is the address in RAM where some bytes were saved (for an pe executable it starts at IMAGE_BASE + Bytes of opcodes). f.e. 400100 - PUSH EBX

RVA (Relative Virtual Address): This is the address in RAM only within the executable and not the whole 4GB. f.e. 100 - PUSH EBX

1. Can I easily call a VA by typing "call 400100"
Is something similar with a RVA possible?


EIP contains the VA of the current instruction. f.e.

Code Select Expand

400100 - PUSH EBX (1 Byte)
400101 - PUSH 188 (2 Bytes)
400103 - MOV EAX, 1 (5 Bytes)
400108 -...
EIP = 400100

2. Could I add 3 to EIP that it contains 400103 and so I would bypass the "PUSH 188"?

Or could I save the value of EIP in EAX, add 3 to EAX and then jmp there by typing "jmp EAX"?

PS: Thanks and Sorry for my bad English

[Tedd]

.

[n00b!]

I'm sorry, I wont edit the questions anymore :-/
(If you mean that *hem*)

[Mark Jones]

2. Could I add 3 to EIP that it contains 400103 and so I would bypass the "PUSH 188"?

Or could I save the value of EIP in EAX, add 3 to EAX and then jmp there by typing "jmp EAX"?

A: No, EIP is not user-accessible. That has already been said before.

Q: Why would you want to do such a thing? This is not how a newcomer "learns" assembler, by starting their journey by learning how to jump over instructions.

[n00b!]

I want a "jmp" without having labels [...]

[BlackVortex]

I want a "jmp" without having labels [...]

Your questions don't make a lot of sense, so my answers won't either, but if you don't want to use labels you can use short jumps, which are relative to the current instruction. For example, if you want to jump 14h bytes ahead, you need a 2-byte instruction :  EB 14
(using db 0ebh, 14h)

Or if you want to create relocatable code, you can use the "delta offset" trick to get the currect eip, put it in a register and then use it as a fixup to all memory accesses. Google for that.

If you want to jump to a "non-relative to current eip" address, you can push that address and then ret. Because long jumps are relative to the current eip.

EDIT: I think you haven't actually understood some basic assembler concepts, like labels etc. I'd suggest making a small example program that jumps around labels etc and step through it in a debugger.

[jj2007]

A: No, EIP is not user-accessible. That has already been said before.

call @F   ; equivalent to mov EIP, offset @@
@@:
pop eax   ; eax contains EIP of pop instruction

[n00b!]

Ok, da es so scheint, als könne ich mich im Englischen nicht entsprechend artikulieren, sodass der Sinn meiner Frage nicht hervorgeht, versuche ich es einmal auf Deutsch.

Ich möchte folgenden Code ohne Labels schreiben:

Code Select Expand

push ebx
jmp @@1
push eax
@@1:
push edx

Ich habe mir so etwas vorgestellt (Der Code ist nur theoretisch und abstrakt, da EIP ja nicht ansprechbar ist):

Code Select Expand

push ebx
mov eax, eip
add eax, 8
;Soll übersprungen werden:
;MOV EAX, EIP  (2 Bytes)
;ADD EAX, 8     (3 Bytes)
;JMP EAX          (2 Bytes)
;PUSH EAX       (1 Byte)
jmp eax
push eax
push edx    ;<-- Springe hierhin

Nun weiß ich leider nicht, wie das funktionieren soll, da es ja keine Instruktion mit EIP gibt.
Außerdem fände ich es toll, wenn mir jemand sagen könnte, wie ich schnell die Anzahl der Bytes einer Instruktion bekomme.
Gibt es da vielleicht Merksätze, anhand welcher ich mir die Größen schnell ausrechnen kann oder hat jemand ein kleines Tool, dass Instruktionen in Opcodes umwandelt (Oder weiß jemand, wie man ein solches Tool machen könnte)?

Eventuell zeigt sich der Vorteil daran nicht sofort, wobei ich auch sagen muss, dass dieses Beispiel jenen nicht aufweist, dennoch gibt es ihn, was bedeutet, dass Hilfe erwünscht ist, jedoch keine "Das macht keinen Sinn"-Posts  :P

[bozo]

noob, you can calculate relative addresses using LEA
as long as you have value of EIP in some register, subtract/add the number of bytes of the label in your source.

[n00b!]

@jj2007:
Oh, sorry. At first I didn't understand your post, since I didn't know that a call only pushs the EIP of the next instruction to the stack :-/
And since the next instruction simply pops the EIP value from the stack you have the EIP of the current instruction and the stack is corrected.
Thanks, that's exactly what I wanted!  :bg

@Kernel_Gaddafi:
Sorry, but I don't know how to do what you're saying :-(
Could you please give an example code?

[bozo]

Code Select Expand

@geip_label:
        pop ebp
        lea eax,[ebp + (proc_label - geip_label)]
        jmp eax
       
        xor eax,eax
        mov edx,ecx
proc_label:
        nop

you can also use FPU to get EIP

Code Select Expand


        fldz
        fnstenv [esp-12]
        pop ebp
        add ebp,1?

[Mark Jones]

call @F   ; equivalent to mov EIP, offset @@
@@:
pop eax   ; eax contains EIP of pop instruction

This is a hack, again, EIP cannot be accessed directly.

[japheth]

Ich möchte folgenden Code ohne Labels schreiben:

Code Select Expand

push ebx
jmp @@1
push eax
@@1:
push edx
Nun weiß ich leider nicht, wie das funktionieren soll, da es ja keine Instruktion mit EIP gibt.

Es gibt das $ Symbol. Damit geht's auch ohne Label:

Code Select Expand

push ebx
jmp $+3
push eax
push edx

Man muss dann allerdings wissen, dass "jmp $+3" 2 Bytes und "push eax" 1 Byte lang ist.

[n00b!]

@Mark Jones:
I got that, thanks :-)

@japheth:
Das ist mir gestern beides auch noch aufgefallen, aber dennoch danke ich dir für deine Antwort  :P

Btw. Is there a way to easily get the size of an instruction (maybe with the help of a tool or by following some guidelines, etc.)?

[jj2007]

call @F   ; equivalent to mov EIP, offset @@
@@:
pop eax   ; eax contains EIP of pop instruction

This is a hack, again, EIP cannot be accessed directly.

Oh my god, are we again in the "or eax, eax ruthlessly destroys registers" debate??? :dazzled: