Thread: newbie Q: far jump?

  1. #1
    chitech
    Guest

    newbie Q: far jump?

    Alo everybody

    I have used relative jmp in .code/.text sections to jump to my own code, and it works just fine.

    Now I have a problem: there is not enough space in the .code section, so I have to jump to the last section -> the .rsrc section.

    For example, I want to make a far jump with an absolute address

    from .text:01002A8A
    to .rsrc:01012948

    When I use IDA to make the jump to the destination, the hex code will be: EA 48 29 01 01 03 00 ->

    segment = 0003
    offset = 01012948

    When I run the program in OllyDbg, set a breakpoint on .text:01002A8A and press F7 (step into), it says: access violation when reading [FFFFFFFF].

    What am I doing wrong? And how does IDA know that the .rsrc segment = 0003?

    Please guide me...Thx

    Chitech
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    nikolatesla20 (: Code Injector :)

    near...far...

    A "near" jump in 32 bits should be enough.

    A near jump is a displacement from the next instruction, and the opcode "E9" can take a 32 bit offset as its operand. SO....

    You want to go from : 01002A8A

    And get to : 01012948

    The jump instruction itself will take 5 bytes, one for the instruction and a DWORD for the offset. SO now you will be going FROM: 01002A8F.

    01012948 - 01002A8F = FEB9

    So the encoded instruction would be

    E9 B9 FE 00 00

    I think that should work.

    -nt20

  3. #3
    chitech
    Guest
    alo nikolatesla20

    It works just fine.

    source: 01002A8A (.text)
    destination: 01012948 (.rsrc)

    Is it because 01002A8A (source) + FFFF (near 32-bit) = 01012A89 < 01012948?

    What if the distance between source and destination is more than FFFF... should I use a far jump? How is the segment/offset for the far jump calculated?

    I thought that when you use a "near jump" it can only jump within the same code segment, but in this case I jump from .text to .rsrc. Or am I wrong?

    Thx

    Chitech
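    The displacement arithmetic from nt20's reply, and the range question in the post above, worked through in code. This is an added example and not code posted in the thread: it encodes the shortest short/near jmp between two virtual addresses (the displacement is signed, so backward jumps and targets much further than FFFF away work the same way, up to +-2 GiB), and decodes the E9, EB and EA forms so the 7-byte sequence IDA produced can be taken apart. The function and constant names are the example's own.

```python
# Added example, not from the thread: encode/decode x86 jmp instructions
# between two virtual addresses using "target - address of next instruction".
import struct

JMP_REL32 = 0xE9   # near jmp, 5 bytes: E9 + signed 32-bit displacement
JMP_REL8  = 0xEB   # short jmp, 2 bytes: EB + signed 8-bit displacement
JMP_FAR   = 0xEA   # far jmp ptr16:32, 7 bytes: EA + 32-bit offset + 16-bit selector


def encode_jmp(src, dst):
    """Return the shortest short/near jmp that, placed at address src, lands at dst.

    The displacement is relative to the *next* instruction, so the jmp's own
    length (2 or 5) is subtracted first. struct's signed formats produce the
    two's-complement bytes for backward jumps (negative displacements).
    """
    disp8 = dst - (src + 2)
    if -128 <= disp8 <= 127:
        return bytes([JMP_REL8]) + struct.pack("<b", disp8)
    disp32 = dst - (src + 5)
    if not -2**31 <= disp32 < 2**31:
        raise ValueError("target is more than 2 GiB away; rel32 cannot reach it")
    return bytes([JMP_REL32]) + struct.pack("<i", disp32)


def decode_jmp(code, addr):
    """Decode the jmp at virtual address addr; return (kind, target, length).

    For the far form the "target" is the (selector, offset) pair the bytes
    carry; no segment arithmetic is applied to it.
    """
    op = code[0]
    if op == JMP_REL8:
        disp, = struct.unpack_from("<b", code, 1)
        return ("short", addr + 2 + disp, 2)
    if op == JMP_REL32:
        disp, = struct.unpack_from("<i", code, 1)
        return ("near", addr + 5 + disp, 5)
    if op == JMP_FAR:
        offset, selector = struct.unpack_from("<IH", code, 1)
        return ("far", (selector, offset), 7)
    raise ValueError("not a jmp opcode: %02X" % op)


if __name__ == "__main__":
    # The thread's addresses: .text:01002A8A -> .rsrc:01012948
    print(encode_jmp(0x01002A8A, 0x01012948).hex(" "))          # e9 b9 fe 00 00
    print(encode_jmp(0x01012948, 0x01002A8A).hex(" "))          # backward jump
    print(decode_jmp(bytes.fromhex("EA482901010300"), 0x01002A8A))
```

Note that the E9 form carries no selector at all; the EA form IDA emitted carries the 16-bit selector 0003 after the 32-bit offset, and decode_jmp just reports both rather than interpreting them.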

  4. #4
    DakienDX
    Guest
    Hello chitech !

    In Win32 PE programs you have no segmented addresses, so your jumps will always be "near" or "short" and never "far".

    The .rsrc section usually has different section attributes set than the .code section.

    .rsrc sections are not executable and are shareable.

    You can probably imagine what happens if you try to execute code in a non-executable section.

    So you have two possibilities. The first would be to increase the size of the .code section and add your code there. The second would be to set the executable attribute on the .rsrc section, remove the shareable attribute from it, and add your code there.

    I would prefer the first way. If you want to do a task bigger than just cracking the program in some way (for example adding functions to the program), you should think about writing an external DLL and redirecting your code to this DLL.

  5. #5
    chitech
    Guest
    alo DakienDX

    Now I understand....
    It's because when I set a label in IDA (destination) and want to jump/call to this label, it automatically makes a far jump/call.

    thx a lot DakienDX


    Chitech

  6. #6
    nikolatesla20 (: Code Injector :)

    segments

    Just a quick note regarding segments.

    In a PE file the sections are not the same as "segments". In the 32 bit world, a program will usually reside in one large segment. That's why the addressing mode is called "flat mode".

    The only reason sections exist in a PE is to allow the PE loader to assign different attributes to the area of memory into which the section gets copied, for example the execute, read and write bits, or the shareable bit DakienDX mentioned. It also allows for a more compact file, because in memory a PE might actually take up a lot of room, but on disk it is contiguous. A section lets you reference an offset in the PE file where data starting there should be put at a certain memory location by the loader; in memory the sections might be very far apart, or have a different alignment than they do in the file.

    Just remember segments are a 16 bit application programming term and not needed in 32 bit programming, unless you are doing very low level systems programming.

    -nt20
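    To make the last two replies concrete, here is an added example (not code from the thread or from either poster) that reads a Win32 PE section table: it reports the attribute bits DakienDX's answer turns on (executable, shareable, writable), translates a virtual address such as .rsrc:01012948 to the file offset the same bytes occupy on disk (the section-to-file mapping nt20 describes), and rewrites a section header so the loader maps that section executable and not shared. Because no real binary is on the page, the block builds a constructed, non-loadable PE header with a layout chosen so the thread's two addresses land in .text and .rsrc; the constants are the standard IMAGE_SCN_* values, and all function names are the example's own.

```python
# Added example, not part of the thread: parse a Win32 PE section table, report
# per-section attributes, map a virtual address to its file offset, and flip
# the flags on one section so the loader maps it executable.
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF specification).
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_SHARED           = 0x10000000
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

COFF_HDR    = "<HHIIIHH"      # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(image_base, sections, opt_hdr_size=0xE0):
    """Assemble a minimal, constructed PE header (not loadable) so this runs offline.

    sections: list of (name, VirtualAddress, PointerToRawData, size, Characteristics).
    Only the fields the functions below read are filled in; the rest is zero padding.
    """
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_hdr_size, 0x102)
    opt = struct.pack("<HBB" + "I" * 7, 0x10B, 0, 0, 0, 0, 0, 0, 0, 0, image_base)
    opt += b"\0" * (opt_hdr_size - len(opt))                         # ImageBase sits at +28
    hdrs = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), size, va, size, raw, 0, 0, 0, 0, ch)
        for name, va, raw, size, ch in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


def parse_sections(pe):
    """Return (ImageBase, [(name, VirtualAddress, VirtualSize, PointerToRawData,
    SizeOfRawData, Characteristics, header_offset), ...])."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, pe, coff_off)
    opt_off = coff_off + 20
    image_base, = struct.unpack_from("<I", pe, opt_off + 28)        # PE32 ImageBase
    first = opt_off + opt_size
    secs = []
    for i in range(nsec):
        off = first + 40 * i
        name, vsize, va, rsize, rptr, _, _, _, _, ch = struct.unpack_from(SECTION_HDR, pe, off)
        secs.append((name.rstrip(b"\0").decode("ascii"), va, vsize, rptr, rsize, ch, off))
    return image_base, secs


def section_attrs(pe):
    """Map section name -> the attribute bits that decide whether code may run there."""
    _, secs = parse_sections(pe)
    return {name: {"exec": bool(ch & IMAGE_SCN_MEM_EXECUTE),
                   "shared": bool(ch & IMAGE_SCN_MEM_SHARED),
                   "write": bool(ch & IMAGE_SCN_MEM_WRITE)}
            for name, _va, _vs, _rp, _rs, ch, _off in secs}


def va_to_file_offset(pe, va):
    """Translate a virtual address (what IDA/OllyDbg show) into the on-disk offset to patch."""
    base, secs = parse_sections(pe)
    rva = va - base
    for _n, sva, vsize, rptr, rsize, _ch, _off in secs:
        if sva <= rva < sva + max(vsize, rsize):
            if rva - sva >= rsize:
                raise ValueError("address is in the section's virtual-only tail; no file bytes")
            return rptr + (rva - sva)
    raise ValueError("address 0x%08X is not inside any section" % va)


def make_executable(pe, name):
    """Return a copy of pe with MEM_EXECUTE|CNT_CODE set and MEM_SHARED cleared on `name`."""
    _, secs = parse_sections(pe)
    buf = bytearray(pe)
    for n, _va, _vs, _rp, _rs, ch, off in secs:
        if n == name:
            ch = (ch | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE) & ~IMAGE_SCN_MEM_SHARED
            struct.pack_into("<I", buf, off + 36, ch)   # Characteristics is the last field
            return bytes(buf)
    raise KeyError(name)


# Constructed sample: layout chosen so the thread's two addresses fall in .text and .rsrc.
SAMPLE_PE = build_pe(0x01000000, [
    (b".text", 0x1000,  0x400,   0x11000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rsrc", 0x12000, 0x11400, 0x1000,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_SHARED),
])

if __name__ == "__main__":
    for n, a in section_attrs(SAMPLE_PE).items():
        print(n, a)
    print("0x01002A8A on disk at 0x%X" % va_to_file_offset(SAMPLE_PE, 0x01002A8A))
    print("0x01012948 on disk at 0x%X" % va_to_file_offset(SAMPLE_PE, 0x01012948))
    print(section_attrs(make_executable(SAMPLE_PE, ".rsrc"))[".rsrc"])
```

va_to_file_offset is what you need when the jmp bytes are written into the file rather than in the debugger: the debugger shows virtual addresses, but the patch goes at PointerToRawData plus the offset inside the section, and a section whose VirtualSize exceeds its SizeOfRawData has a tail that exists only in memory. make_executable is DakienDX's second option expressed as a header edit; it changes only the 4-byte Characteristics field, so the file length and every other offset stay the same.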
