问题
I'm trying to code a exe packer/protector as a way of learning more about assembler, c++, and how PE files work. I've currently got it working so the section containing the EP is XORed with a key and a new section is created that contains my decryption code. Everything works out great except when I try and JMP to the original EP after decryption.
Basically I do this:
DWORD originalEntryPoint = optionalHeader->AddressOfEntryPoint;
// -- snip -- //
crypted.put(0xE9);
crypted.write((char*)&orginalEntryPoint, sizeof(DWORD));
But instead of it jumping to the entry point, ollydbg shows that this code disassembles to:
00404030 .-E9 00100000 JMP 00405035 ; should be 00401000 =[
and when I try to change it manually in olly the new opcode shows up as
00404030 -E9 CBCFFFFF JMP crypted.00401000
Where did 0xCBCFFFFF come from? How would I generate that from the C++ side?
回答1:
I think that E9 is an opcode for a relative jump: its operand specifies a relative distance to be jumped, plus or minus from the start of the next instruction.
If you want the operand to specify an absolute address, you would need a different opcode.
回答2:
you could use:
push DESTINATION_VA
ret
or
mov eax,DESTINATION_VA
jmp eax
relative E9 jmp encoding is used like this:
CURRENT_RVA: jmp (DESTINATION_RVA - CURRENT_RVA - 5 [sizeof(E9 xx xx xx xx)])
push + ret is the best solution if you have VA address and the image is not relocated
回答3:
opcode for absolute indirect jump is FF + 4byte address. This is most often used for jumptables of addresses stored in data.
Absolute addresses do require relocation when not loaded to the expected address, so relative addresses are generally preferred. Code for relative jumps is also 2 bytes smaller.
Intel optimization manual states that the cpu expects call and ret to be used in pairs, so the ret without a call suggested in answer 2 would cause what they call a "performance penalty".
Also, if the code was not loaded to the same address that the compiler assumed, the ret would probably crash the program. It would be safer to calculate a relative address.
来源:https://stackoverflow.com/questions/1546141/jmp-to-absolute-address-op-codes