Jump to content

JMP instruction "syntax"

thecreator

By thecreator
in Questions

 Share

Recommended Posts

thecreator Newbie

thecreator

Posted
Posted

Hi guys I'm sorry I'm such a noob and always have to ask these questions.

I've been messing around with Olly Debugger to modify a programs execution flow. I want to be able to automate this process so I will need to understand this thing...

I use a JMP instruction to go from the called function to mine. In ollydbg all i have to do is go to the function and enter "JMP 0040131A" and it will modify the memory accordingly for it to work.

It turns out that in hex "JMP 0040131A" became "E9 D3EEBF83".

I don't get how they get this. The only thing I understand is that E9 is the 'JMP rel32' instruction (from intels documentation). Ill dump the stuff i got from ollydbg.

7C802442 >-E9 D3EEBF83      JMP vic.0040131A

"7C802442" - The memory location I am changing. (its the memory location for Sleep() in windows sp2)

"E9 D3EEBF83" - What ollydbg makes **what i dont understand

"JMP vic.0040131A" - just a summary of what the instruction does i guess

tl/dr - how does "7C802442" + "JMP 0040131A" = "E9 D3EEBF83" ??

Help would be much appreciated.

Link to comment
Share on other sites
digip Newbie

digip

Posted
Posted
Hi guys I'm sorry I'm such a noob and always have to ask these questions.

I've been messing around with Olly Debugger to modify a programs execution flow. I want to be able to automate this process so I will need to understand this thing...

I use a JMP instruction to go from the called function to mine. In ollydbg all i have to do is go to the function and enter "JMP 0040131A" and it will modify the memory accordingly for it to work.

It turns out that in hex "JMP 0040131A" became "E9 D3EEBF83".

I don't get how they get this. The only thing I understand is that E9 is the 'JMP rel32' instruction (from intels documentation). Ill dump the stuff i got from ollydbg.

7C802442 >-E9 D3EEBF83      JMP vic.0040131A

"7C802442" - The memory location I am changing. (its the memory location for Sleep() in windows sp2)

"E9 D3EEBF83" - What ollydbg makes **what i dont understand

"JMP vic.0040131A" - just a summary of what the instruction does i guess

tl/dr - how does "7C802442" + "JMP 0040131A" = "E9 D3EEBF83" ??

Help would be much appreciated.

If you were to edit the program by hand in a hex editor, you would need to know where these values were, and then change the hex value for things like jmp, push, nop, jne, etc, but olly debug does it in assembly, and you see the corresponding hex values for the commands, like the e9 string you have.

Link to comment
Share on other sites
aeturnus Newbie

aeturnus

Posted
Posted
And I quote: "The only thing I understand is that E9 is the 'JMP rel32' instruction".

Meaning I dont need help understanding the E9 part I need to get the "D3EEBF83" part.

Well, it doesn't sound like you understand that either. It's a relative address from where the JMP is taking place. You could use an absolute address to save you from having to do basic arithmetic to get the address. I haven't read the intel docs in awhile, but I'm pretty certain it's fully described (probably on the same page you were reading to get the E9 thing).

It would help when asking questions like this to give all of the required pieces. Jump from where, to where? Not just from here with a disassembled label.

But then you also might try not being a jerk to the first guy that tries to help you even though he decided early on you had no idea what you were talking about and it was tl;dr. Or not.

Good luck.

Link to comment
Share on other sites
thecreator Newbie

thecreator

Posted
  • Author
Posted

sorry about being such a dick before... ya i tried reading intels documentation but i was confused. I also tried reading other links from the ##asm channel with no luck.

so i decided that i would do a binary edit on the D3EEBF83 value to see how it affected that address that it would be jumped to.

the magic formula when using the E9 instruction turns out to be:

0xffffffff - current_address- 4 + dest_address

we do this because we can ONLY JMP forward. So to jump backward we pass a large enough number to overflow the value and go back to 0

the -4 is there because a whole JMP instruction is 5 bytes but "E9" takes 1 of the bytes... leaving 4 bytes

dest_address and current_address are obvious.

When doing memory modifications we have to remember to put our answer in memory backwards

eg: 0x83bfeed3 goes in memmory as 0xd3eebf83

because the stack goes bottom to top.

I feel kinda stupid for posting this because all it took was some playing around with the hex values to understand how the JMP instruction worked... well anywayz PEACE

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...