far jmp to the specific address

okli · June 05, 2008, 12:10:27 AM

Hi!
I'm a very beginner in Assembler and I have a problem dealing with this stuff:
I'd like to make a far jump (in a cpp program), something like:

Code Select

_asm jmp 0x004113A0;
I found, that I can do:

Code Select

_asm{
MOV EAX, 0x004113A0;
JMP EAX;
}

, but I need to do this on 5 bytes (or less, if it's possible).
If you can help me, I would be very grateful.
okli

gxm · June 05, 2008, 01:40:53 AM

If you know where you are...means know the eip of

Code Select

JMP EAX;
then you can manually calculate the offset to 0x004113A0...
then use jmp short|jmp near instruction....
notice....the machine code is like EB cb E9 cw E9 cd....cb,cw,cd represent byte,word,dword....
so this set of instruction will work well at any situation...since dword can hold as large as 4gb...
====
anyway please reference to <intel 64 and ia32 architectures software develop's manual>vol 2a

hutch-- · June 05, 2008, 01:50:43 AM

oldi,

The second code will work, its an indirect address jump. From memory win32 does not support the opcode for a FAR jump to an absolute address. A JMP is in fact slow so you are not losing any perrformance by using the indirect jmp.

japheth · June 05, 2008, 07:01:30 AM

Quote from: okli on June 05, 2008, 12:10:27 AM
Hi!
I'm a very beginner in Assembler and I have a problem dealing with this stuff:
I'd like to make a far jump (in a cpp program), something like:
Code Select Expand
_asm jmp 0x004113A0;
I found, that I can do:
Code Select Expand
_asm{ MOV EAX, 0x004113A0; JMP EAX; }
, but I need to do this on 5 bytes (or less, if it's possible).
If you can help me, I would be very grateful.
okli

currently you need 7 bytes. It can be reduced to 6 by

Code Select

_asm{
push 0x004113A0;
ret;
}

but 5 will be "difficult".

okli · June 05, 2008, 08:33:01 AM

Probably because "win32 does not support the opcode for a FAR jump to an absolute address" i couldn't find how to do that :)
If 5 bytes "will be difficult" ;p, i will do it on 6 ...
Thanks for fast answers!

okli · April 27, 2009, 04:47:07 PM

Quote from: gxm on June 05, 2008, 01:40:53 AM
If you know where you are...means know the eip of
Code Select Expand
JMP EAX;
then you can manually calculate the offset to 0x004113A0...
then use jmp short|jmp near instruction....
notice....the machine code is like EB cb E9 cw E9 cd....cb,cw,cd represent byte,word,dword....
so this set of instruction will work well at any situation...since dword can hold as large as 4gb...

"EB cb" takes 2 bytes and both "E9 cw" and "E9 cd" take 5 bytes, because AFAIK "E9 cw" is followed by 2 zero-bytes (0x00), right?

evlncrn8 · April 28, 2009, 12:30:16 AM

e9 xx xx xx xx will do it, all you have to do is calculate the xx xx xx xx part ((destination address - eip of the jmp)+5)

jj2007 · April 28, 2009, 04:09:17 AM

This is still a 2-byte jump:

Code Select

	jmp @F
	repeat 100
	nop
	endm
@@:	mov esi, esi

By the way, that's a very interesting kind of homework. Why are you so strictly limited in space? No access to the code before and after?

dedndave · April 28, 2009, 04:44:11 AM

hmmmmmmmm

sinsi · April 28, 2009, 05:05:48 AM

Quote from: jj2007 on April 28, 2009, 04:09:17 AM
By the way, that's a very interesting kind of homework. Why are you so strictly limited in space? No access to the code before and after?

Trainer? :bdg

hutch-- · April 28, 2009, 12:24:48 PM

Or code insertion to change how an EXE runs ?

okli · April 28, 2009, 07:03:28 PM

Quote from: evlncrn8 on April 28, 2009, 12:30:16 AM
e9 xx xx xx xx will do it, all you have to do is calculate the xx xx xx xx part ((destination address - eip of the jmp)+5)

I know it, but I would like do sth like "e9 xx xx" on 3 bytes, not 5. :)
Of course with a range up to 65535 bytes (0xffff).
Impossible, right? ;]

Quote from: hutch-- on April 28, 2009, 12:24:48 PM
Or code insertion to change how an EXE runs ?

Yes, sth like this. It's a part of my BSc Thesis. I must inject some code from our own debugger into the running program adding some functionality to it without damaging the program flow. I can calculate offset in the debugger and use 5-bytes jump (avoiding 6-bytes solution proposed by japheth) - but still, there are 5 bytes which I have to move to the code-cave and then overwrite by a jump to it. If it would be only 3 bytes, life would be much easier. :)

evlncrn8 · May 01, 2009, 06:20:02 PM

Quote from: evlncrn8 on April 28, 2009, 12:30:16 AM
e9 xx xx xx xx will do it, all you have to do is calculate the xx xx xx xx part ((destination address - eip of the jmp)+5)

Quote from: okli on April 28, 2009, 07:03:28 PM
I know it, but I would like do sth like "e9 xx xx" on 3 bytes, not 5. :)
Of course with a range up to 65535 bytes (0xffff).
Impossible, right? ;]

erm.. nope, e9 xx xx xx xx would be the 32 bit one.. if you're talking 16 bit code then you should have specified that

e9 xx xx xx xx = long jump
eb xx = short jump

dedndave · May 01, 2009, 08:49:31 PM

Okli,
if you are working in 16-bit code, a breakpoint interrupt may be the right answer
- or any of the user-available interrupts, for that matter

build an interrupt handler and instert 2 bytes into the code stream

News:

far jmp to the specific address

okli

gxm

japheth

okli

okli

okli