Hi!
I'm a very beginner in Assembler and I have a problem dealing with this stuff:
I'd like to make a far jump (in a cpp program), something like:
_asm jmp 0x004113A0;
I found, that I can do:
_asm{
MOV EAX, 0x004113A0;
JMP EAX;
}
, but I need to do this on 5 bytes (or less, if it's possible).
If you can help me, I would be very grateful.
okli
If you know where you are...means know the eip of JMP EAX;
then you can manually calculate the offset to 0x004113A0...
then use jmp short|jmp near instruction....
notice....the machine code is like EB cb E9 cw E9 cd....cb,cw,cd represent byte,word,dword....
so this set of instruction will work well at any situation...since dword can hold as large as 4gb...
====
anyway please reference to <intel 64 and ia32 architectures software develop's manual>vol 2a
oldi,
The second code will work, its an indirect address jump. From memory win32 does not support the opcode for a FAR jump to an absolute address. A JMP is in fact slow so you are not losing any perrformance by using the indirect jmp.
Quote from: okli on June 05, 2008, 12:10:27 AM
Hi!
I'm a very beginner in Assembler and I have a problem dealing with this stuff:
I'd like to make a far jump (in a cpp program), something like:
_asm jmp 0x004113A0;
I found, that I can do:
_asm{
MOV EAX, 0x004113A0;
JMP EAX;
}
, but I need to do this on 5 bytes (or less, if it's possible).
If you can help me, I would be very grateful.
okli
currently you need 7 bytes. It can be reduced to 6 by
_asm{
push 0x004113A0;
ret;
}but 5 will be "difficult".
Probably because "win32 does not support the opcode for a FAR jump to an absolute address" i couldn't find how to do that :)
If 5 bytes "will be difficult" ;p, i will do it on 6 ...
Thanks for fast answers!
Quote from: gxm on June 05, 2008, 01:40:53 AM
If you know where you are...means know the eip of JMP EAX;
then you can manually calculate the offset to 0x004113A0...
then use jmp short|jmp near instruction....
notice....the machine code is like EB cb E9 cw E9 cd....cb,cw,cd represent byte,word,dword....
so this set of instruction will work well at any situation...since dword can hold as large as 4gb...
"EB cb" takes 2 bytes and both "E9 cw" and "E9 cd" take 5 bytes, because AFAIK "E9 cw" is followed by 2 zero-bytes (0x00), right?
e9 xx xx xx xx will do it, all you have to do is calculate the xx xx xx xx part ((destination address - eip of the jmp)+5)
This is still a 2-byte jump:
jmp @F
repeat 100
nop
endm
@@: mov esi, esi
By the way, that's a very interesting kind of homework. Why are you so strictly limited in space? No access to the code before and after?
hmmmmmmmm
Quote from: jj2007 on April 28, 2009, 04:09:17 AM
By the way, that's a very interesting kind of homework. Why are you so strictly limited in space? No access to the code before and after?
Trainer? :bdg
Or code insertion to change how an EXE runs ?
Quote from: evlncrn8 on April 28, 2009, 12:30:16 AM
e9 xx xx xx xx will do it, all you have to do is calculate the xx xx xx xx part ((destination address - eip of the jmp)+5)
I know it, but I would like do sth like "e9 xx xx" on 3 bytes, not 5. :)
Of course with a range up to 65535 bytes (0xffff).
Impossible, right? ;]
Quote from: hutch-- on April 28, 2009, 12:24:48 PM
Or code insertion to change how an EXE runs ?
Yes, sth like this. It's a part of my BSc Thesis. I must inject some code from our own debugger into the running program adding some functionality to it without damaging the program flow. I can calculate offset in the debugger and use 5-bytes jump (avoiding 6-bytes solution proposed by japheth) - but still, there are 5 bytes which I have to move to the code-cave and then overwrite by a jump to it. If it would be only 3 bytes, life would be much easier. :)
Quote from: evlncrn8 on April 28, 2009, 12:30:16 AM
e9 xx xx xx xx will do it, all you have to do is calculate the xx xx xx xx part ((destination address - eip of the jmp)+5)
Quote from: okli on April 28, 2009, 07:03:28 PM
I know it, but I would like do sth like "e9 xx xx" on 3 bytes, not 5. :)
Of course with a range up to 65535 bytes (0xffff).
Impossible, right? ;]
erm.. nope, e9 xx xx xx xx would be the 32 bit one.. if you're talking 16 bit code then you should have specified that
e9 xx xx xx xx = long jump
eb xx = short jump
Okli,
if you are working in 16-bit code, a breakpoint interrupt may be the right answer
- or any of the user-available interrupts, for that matter
build an interrupt handler and instert 2 bytes into the code stream