Thread: same codebytes, different meaning ?!

  1. #1

    same codebytes, different meaning ?!

    If I compile this function

    Code:
    #include <stdio.h>

    void foo()
    {
            printf("bar\n");
    }

    the compiler produces this:
    Code:
    00401090 55               push        ebp  
    00401091 8B EC            mov         ebp,esp 
    00401093 68 10 71 40 00   push        407110h   <--- "bar\n"
    00401098 E8 73 01 00 00   call        00401210   <-- printf
    0040109D 83 C4 04         add         esp,4 
    004010A0 5D               pop         ebp  
    004010A1 C3               ret

    If I VirtualAlloc new memory and copy all these code bytes into it (55, 8B, EC, ... C3), the debugger shows this:

    Code:
    00340000 55               push        ebp  
    00340001 8B EC            mov         ebp,esp 
    00340003 68 10 71 40 00   push        407110h 
    00340008 E8 73 01 00 00   call        00340180     <---- wtf?
    0034000D 83 C4 04         add         esp,4 
    00340010 5D               pop         ebp  
    00340011 C3               ret
    My question: why does the call get 00340180 and not 00401210?

  2. #2
    Note that the printf function has been injected into your code (that's ok).

    Now, if you look carefully, the instruction used to call printf uses EIP-relative addressing.
    Code:
    00401098 E8 73 01 00 00   call        00401210   <-- printf
    0040109D 83 C4 04         add         esp,4
    The destination (401210) is calculated as follows:
    -> 40109D (next instruction) + 173 = 401210

    In your VirtualAlloc'd code:
    Code:
    00340008 E8 73 01 00 00   call        00340180     <---- wtf?
    0034000D 83 C4 04         add         esp,4
    -> 34000D + 173 = 340180.

    There are many workarounds for this.
    Ex: patch the dword after E8 with (00401210 - 34000D = C1203). You can compute these offsets at runtime.
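
    The fix-up described in #2, as an added example (this is not code from the thread): a small C program that takes the bytes of foo from the listing above, treats them as if they had lived at 00401090 and been copied to 00340000, and recomputes the rel32 of every E8 (call) / E9 (jmp) so it still lands on its original target. The byte array and the two base addresses are assumptions taken from the listings; the function names are mine. It only computes addresses, it does not execute the copied code, so it runs on any platform. It also generalizes a little beyond the post: a rel32 whose target lies inside the copied block is left alone, because source and destination moved together.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes of foo() as shown in the thread's listing (constructed from the
   disassembly), as they sit in the original image at 00401090. */
static const uint8_t foo_bytes[] = {
    0x55,                          /* push ebp                                   */
    0x8B, 0xEC,                    /* mov  ebp,esp                               */
    0x68, 0x10, 0x71, 0x40, 0x00,  /* push 407110h ("bar\n"): absolute, no fix   */
    0xE8, 0x73, 0x01, 0x00, 0x00,  /* call rel32 -> printf: EIP-relative, fix it */
    0x83, 0xC4, 0x04,              /* add  esp,4                                 */
    0x5D,                          /* pop  ebp                                   */
    0xC3                           /* ret                                        */
};
#define FOO_LEN      ((uint32_t)sizeof foo_bytes)
#define FOO_OLD_BASE 0x00401090u   /* where the compiler placed foo            */
#define FOO_NEW_BASE 0x00340000u   /* hypothetical VirtualAlloc'd copy        */
#define CALL_OFFSET  8u            /* offset of the E8 inside foo_bytes        */

/* Little-endian 32-bit helpers (x86 immediates are little-endian). */
static int32_t rd32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}
static void wr32(uint8_t *p, int32_t v)
{
    uint32_t u = (uint32_t)v;
    p[0] = (uint8_t)u;         p[1] = (uint8_t)(u >> 8);
    p[2] = (uint8_t)(u >> 16); p[3] = (uint8_t)(u >> 24);
}

/* Target of a 5-byte E8/E9 at insn_addr: next instruction + rel32. */
uint32_t rel32_target(uint32_t insn_addr, int32_t rel32)
{
    return insn_addr + 5u + (uint32_t)rel32;
}

/* rel32 an E8/E9 at insn_addr needs in order to reach target. */
int32_t rel32_for(uint32_t insn_addr, uint32_t target)
{
    return (int32_t)(target - (insn_addr + 5u));
}

/* buf holds len bytes of code that lived at old_base and now lives at new_base.
   Every E8 (call rel32) / E9 (jmp rel32) is re-pointed at its original target.
   Targets inside the copied block are skipped: they moved along with the code.
   Returns the number of instructions patched.
   Caveat: this is a plain byte scan, so an E8/E9 that is part of an immediate
   or of data would be mistaken for an instruction; a real relocator walks the
   block with a length disassembler instead. */
uint32_t fixup_rel32(uint8_t *buf, uint32_t len, uint32_t old_base, uint32_t new_base)
{
    uint32_t fixed = 0;
    for (uint32_t i = 0; i + 5u <= len; i++) {
        if (buf[i] != 0xE8 && buf[i] != 0xE9)
            continue;
        uint32_t target = rel32_target(old_base + i, rd32(&buf[i + 1]));
        if (target - old_base < len) {       /* intra-block: still correct */
            i += 4;
            continue;
        }
        wr32(&buf[i + 1], rel32_for(new_base + i, target));
        fixed++;
        i += 4;                               /* step over the operand */
    }
    return fixed;
}

/* Replays the thread's scenario: copies foo, fixes it up, reports how many
   instructions were patched and returns the rel32 now stored after the E8. */
int32_t relocate_foo(uint8_t out[], uint32_t *patched)
{
    memcpy(out, foo_bytes, FOO_LEN);
    *patched = fixup_rel32(out, FOO_LEN, FOO_OLD_BASE, FOO_NEW_BASE);
    return rd32(&out[CALL_OFFSET + 1]);
}

int main(void)
{
    uint8_t copy[sizeof foo_bytes];
    uint32_t n = 0;
    uint32_t call_addr = FOO_NEW_BASE + CALL_OFFSET;
    int32_t orig = rd32(&foo_bytes[CALL_OFFSET + 1]);

    printf("original : call at %08lX, rel32 %08lX -> %08lX\n",
           (unsigned long)(FOO_OLD_BASE + CALL_OFFSET), (unsigned long)(uint32_t)orig,
           (unsigned long)rel32_target(FOO_OLD_BASE + CALL_OFFSET, orig));
    printf("raw copy : call at %08lX, rel32 %08lX -> %08lX   (wrong)\n",
           (unsigned long)call_addr, (unsigned long)(uint32_t)orig,
           (unsigned long)rel32_target(call_addr, orig));
    int32_t fixed = relocate_foo(copy, &n);
    printf("fixed up : call at %08lX, rel32 %08lX -> %08lX   (%lu patched)\n",
           (unsigned long)call_addr, (unsigned long)(uint32_t)fixed,
           (unsigned long)rel32_target(call_addr, fixed), (unsigned long)n);
    return 0;
}
```

    With the thread's numbers the raw copy resolves to 340180 and the fixed-up copy stores C1203, which resolves back to 401210. The push of 407110h is left untouched: it is an absolute address and stays valid as long as the original image is still mapped, which is the "that's ok" in #2.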

  3. #3
    Ah, EIP-relative, OK.
    Thanks.
    Last edited by 0rp; April 3rd, 2004 at 18:44.
