Calculating JMP instruction's address

别说谁变了你拦得住时间么 submitted on 2019-12-08 01:20:39

Question


I am trying to hook a function by replacing its beginning with a JMP instruction which should lead to my function. But the problem is that I don't know how to calculate the JMP offset to target the address of my function. Well, I know how to do it if you jump forward in memory (Destination addr - Current addr), but I haven't got any ideas how to determine it when you jump back in memory.

Could somebody help?


Answer 1:


Just use negative offset to jump backwards.

And remember to account for the size of the JMP instruction. The offset is relative to the end of the JMP instruction and not the beginning. If the current address is where you are about to write the JMP then you need an offset of 5+dest-current since the size of the JMP instruction plus the offset is 5 bytes.
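As an added example (not part of the original question or answers), the following encodes and decodes a relative x86 JMP the way the answers describe: the displacement is a signed two's-complement value measured from the byte after the instruction, so a backward jump simply encodes as a negative number. It also covers the 2-byte short form (EB rel8) and checks that the displacement fits, which is the usual failure mode when hook and target are far apart in a 64-bit address space; the addresses used are constructed sample values.

```python
import struct

JMP_REL32_LEN = 5  # E9 + 4-byte signed displacement
JMP_REL8_LEN = 2   # EB + 1-byte signed displacement


def encode_jmp(hook_addr: int, target_addr: int, width: int = 32) -> bytes:
    """Encode a relative JMP written at hook_addr that lands on target_addr.

    The displacement is relative to the END of the JMP (hook_addr + length),
    not its first byte, so the instruction size must be subtracted.
    Backward jumps come out negative and are stored as two's complement.
    """
    if width == 32:
        length, opcode, fmt, lo, hi = JMP_REL32_LEN, b"\xE9", "<i", -2**31, 2**31 - 1
    elif width == 8:
        length, opcode, fmt, lo, hi = JMP_REL8_LEN, b"\xEB", "<b", -128, 127
    else:
        raise ValueError("width must be 8 or 32")
    disp = target_addr - (hook_addr + length)
    if not lo <= disp <= hi:
        raise ValueError(f"displacement {disp} does not fit in rel{width}")
    return opcode + struct.pack(fmt, disp)


def decode_jmp(hook_addr: int, code: bytes) -> int:
    """Recover the absolute target of an encoded relative JMP located at hook_addr."""
    if code[0] == 0xE9 and len(code) == JMP_REL32_LEN:
        return hook_addr + JMP_REL32_LEN + struct.unpack("<i", code[1:])[0]
    if code[0] == 0xEB and len(code) == JMP_REL8_LEN:
        return hook_addr + JMP_REL8_LEN + struct.unpack("<b", code[1:])[0]
    raise ValueError("not a relative JMP")


def jmp_reaches(hook_addr: int, target_addr: int, width: int = 32) -> bool:
    """True if a rel8/rel32 JMP at hook_addr can reach target_addr at all."""
    try:
        encode_jmp(hook_addr, target_addr, width)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample addresses: jump backward from 0x401100 to 0x401000.
    code = encode_jmp(0x401100, 0x401000)
    print(code.hex(), hex(decode_jmp(0x401100, code)))
```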




Answer 2:


This is basic math that you should be able to figure out. :)

If a JMP forward is Destination - Origin, then a JMP backward would be Origin - Destination

Think about it in plain numbers: If you want to JMP forward from 100 to 110, your JMP would be 110 - 100 = 10. If you want to JMP the same amount backward, it would be 100 - 110 = -10.




Answer 3:


Relative jumps are signed, that is, they have positive and negative displacement using the sign bit. Absolute jumps are absolute, so it doesn't matter. See volumes 2A & 2B of the Intel instruction guide.




Answer 4:


Be sneaky

Make a dummy call to a location above your function

 call location1
 .location1
 call location2
 .location2
 pop ax
 ret
 .yourfunction

You now have the address of location2 in ax

add 3 to ax and you have the memory address of your function



Source: https://stackoverflow.com/questions/7609549/calculating-jmp-instructions-address
