JMP to an absolute address (opcodes)

I am trying to write an exe packer/protector as a way to learn more about assembler, C++ and how PE files work. I currently have it working so that the section containing the EP is XORed with the key, and a new section is created containing my decryption code. Everything works fine, except when I try to use JMP to the original EP after decryption.

I basically do this:

DWORD originalEntryPoint = optionalHeader->AddressOfEntryPoint;
// -- snip -- //
crypted.put(0xE9);
crypted.write((char*)&originalEntryPoint, sizeof(DWORD));

But instead of jumping to the entry point, OllyDbg shows that this code disassembles as:

00404030   .-E9 00100000    JMP 00405035 ; should be 00401000 =[

and when I change it manually, the new opcode is displayed as

00404030    -E9 CBCFFFFF    JMP crypted.00401000

Where did 0xCBCFFFFF come from? How can I generate this from the C++ side?

+3
3

E9 is a relative jmp: its operand is the distance from the end of the instruction to the destination, not the destination address itself.

+5


push DESTINATION_VA
ret

mov eax,DESTINATION_VA
jmp eax

For an E9 jmp:

CURRENT_RVA: jmp (DESTINATION_RVA - CURRENT_RVA - 5)   ; 5 = sizeof(E9 xx xx xx xx)

push + ret is simpler, but it needs a VA.

+15

There is also FF /4 (jmp r/m32) with a 4-byte absolute operand; that is what jump tables use.

Intel's Optimization Guide states that the processor expects call and ret to be used in pairs, so a ret without a matching call, as suggested in answer 2, will incur what they call a "performance penalty".

In addition, if the code is not loaded at the same address the compiler assumed, ret is likely to crash the program. It would be safer to calculate the relative address.

+6
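As an added worked example (not code from the question or from any of the answers), the C++ below emits the byte sequences discussed in answer 2 and answer 3: the E9 rel32 form with the displacement computed from the end of the instruction, the push/ret and mov eax/jmp eax absolute forms, and the FF 25 indirect form, and it checks that only the relative encoding stays byte-identical when both the jump and its target are rebased. Applied to the question's addresses, 0x00401000 - (0x00404030 + 5) = 0xFFFFCFCB, which written little-endian is the CB CF FF FF that OllyDbg showed, while writing the raw RVA 0x1000 as the operand lands at 0x00405035. The addresses, the 32-bit image and the std::vector standing in for the `crypted` stream are assumptions for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example: a byte buffer stands in for the questioner's `crypted`
// output stream. Addresses are the ones from the question (jmp at
// 0x00404030, original entry point at 0x00401000), assumed 32-bit image.
using Bytes = std::vector<uint8_t>;

static void put_u32_le(Bytes& out, uint32_t v) {
    for (int i = 0; i < 4; ++i)
        out.push_back(static_cast<uint8_t>(v >> (8 * i)));
}

// E9 rel32. The displacement is measured from the end of the 5-byte
// instruction: rel32 = target - (jmp_addr + 5). Unsigned wrap-around yields
// the two's-complement encoding for backward jumps. VAs or RVAs may be
// passed, as long as both use the same base (the subtraction cancels it).
Bytes jmp_rel32(uint32_t jmp_addr, uint32_t target) {
    Bytes out{0xE9};
    put_u32_le(out, target - (jmp_addr + 5u));
    return out;
}

// What the questioner's code emits: E9 followed by the raw RVA, which the
// CPU (and OllyDbg) interpret as a displacement, not as an address.
Bytes jmp_with_rva_as_operand(uint32_t rva) {
    Bytes out{0xE9};
    put_u32_le(out, rva);
    return out;
}

// Decode an E9 instruction the way a disassembler does, to see where a
// given encoding really lands.
uint32_t rel32_target(uint32_t jmp_addr, const Bytes& ins) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; ++i)
        rel |= static_cast<uint32_t>(ins[1 + i]) << (8 * i);
    return jmp_addr + 5u + rel;
}

// 68 imm32 ; C3       push DESTINATION_VA ; ret        (6 bytes, absolute VA)
Bytes push_ret(uint32_t target_va) {
    Bytes out{0x68};
    put_u32_le(out, target_va);
    out.push_back(0xC3);
    return out;
}

// B8 imm32 ; FF E0    mov eax, DESTINATION_VA ; jmp eax (7 bytes, absolute VA)
Bytes mov_eax_jmp(uint32_t target_va) {
    Bytes out{0xB8};
    put_u32_le(out, target_va);
    out.push_back(0xFF);
    out.push_back(0xE0);
    return out;
}

// FF 25 disp32        jmp dword ptr [POINTER_VA]       (6 bytes; jumps to the
// 32-bit address stored at POINTER_VA, the jump-table / import-thunk form)
Bytes jmp_indirect(uint32_t pointer_va) {
    Bytes out{0xFF, 0x25};
    put_u32_le(out, pointer_va);
    return out;
}

// True if relocating the whole image by `delta` leaves the encoded bytes
// unchanged. Only the relative form passes; the absolute forms would need a
// .reloc fix-up (or, as answer 3 notes, crash) when the image is rebased.
bool unchanged_after_rebase(uint32_t jmp_addr, uint32_t target, uint32_t delta) {
    return jmp_rel32(jmp_addr, target) == jmp_rel32(jmp_addr + delta, target + delta);
}

static void dump(const char* label, const Bytes& b) {
    std::printf("%-30s", label);
    for (uint8_t x : b) std::printf("%02X ", x);
    std::printf("\n");
}

int main() {
    const uint32_t jmp_va = 0x00404030u, oep_va = 0x00401000u;
    dump("jmp rel32 (correct):", jmp_rel32(jmp_va, oep_va));            // E9 CB CF FF FF
    dump("jmp rel32 (RVA as operand):", jmp_with_rva_as_operand(0x1000u));
    std::printf("  lands at %08X instead of %08X\n",
                rel32_target(jmp_va, jmp_with_rva_as_operand(0x1000u)), oep_va);
    dump("push/ret:", push_ret(oep_va));
    dump("mov eax/jmp eax:", mov_eax_jmp(oep_va));
    dump("jmp [ptr]:", jmp_indirect(0x00402000u));
    std::printf("rel32 unchanged after rebase: %s\n",
                unchanged_after_rebase(jmp_va, oep_va, 0x10000u) ? "yes" : "no");
    return 0;
}
```

In the packer, `jmp_addr` is the RVA (or VA) at which the E9 byte itself will sit inside the new decryptor section, so that position has to be known before the operand is computed; that is the one value the questioner's snippet never uses.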

Source: https://habr.com/ru/post/1719761/
